[Samba] Please criticize my smb.conf

Rowland Penny rpenny at samba.org
Tue Oct 3 12:33:53 UTC 2017


See inline comments

On Mon, 2 Oct 2017 14:01:29 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:

> On 10/02/2017 01:06 PM, Rowland Penny via samba wrote:
> > On Mon, 2 Oct 2017 12:38:19 -0700
> > ToddAndMargo via samba <samba at lists.samba.org> wrote:
> > 
> >> Hi All,
> >>
> >> You please look over my smb.conf and make
> >> criticism as appropriate?
> >>
> >> This is a workgroup server.

Well you could call it that, I would call it a standalone server ;-)

> >> winbind is running

Why, you do not need this on a standalone server.

> >> DDNS is also running (DNS [bind] talks to DHCPd)

Again, why? You wouldn't do this on a Windows client.

> > 
> 
> mumble ...
> 
> Server:
>     Fedora 26
>     samba-4.6.8-0.fc26.x86_64

Sorry, but I couldn't remember what version of Samba you are running.

> 
> Workstations (5 of them):
>     XP Pro SP3

That I could remember ;-)

OK, here is your smb.conf with my comments:

 [global]

# NOTE(review): the trailing "# ..." remarks on the value lines below are review
# annotations, not smb.conf comments. smb.conf treats only whole lines that start
# with # or ; as comments, so these remarks must be stripped before the file is
# loaded, or the text becomes part of the value.
    workgroup = xxxxx
    server string = Fedora Samba Server

    volume = Fedora Core, %v ~ this should really only be used on a share
    comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
    netbios name = FedoraServer # You don't actually need this
    netbios aliases = Screws4U!

# Listen only on the LAN interface and loopback.
    interfaces = eno1 127.0.0.1

# Address filter: everything is refused except the 192.168.255.x LAN and loopback.
# This limits exposure but does not replace the per-share 'valid users' lists.
    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.

    printcap name = /etc/printcap
    show add printer wizard = No
    load printers = yes # default setting
    printing = BSD

# Unix account that guest connections run as; of the shares in this file only
# [printers] (public = yes) admits guests.
    guest account = pcguest
# One log per client NetBIOS name (%m). passdb:10 / auth:10 is full debug output
# for the authentication path: it is very verbose and may record user names and
# other authentication details, so keep /var/log/samba readable by root only and
# drop these classes back to the default once the problem is diagnosed.
    log file = /var/log/samba/samba-log.%m
	log level = 4 passdb:10 auth:10

# wide links = no stops the server following symlinks that point outside the
# share tree; leave it off.
    follow symlinks = yes # default setting
    wide links = no # default setting
    locking = yes # default setting
    strict locking = no

    security = user

# Holds the Samba password hashes: it must be owned by root and unreadable by
# any other account.
    smb passwd file = /etc/samba/smbpasswd

# An SMB password change also runs 'passwd program' (as root) for the Unix
# account. This only works when 'passwd chat' matches the prompts of
# /usr/bin/passwd -- verify with a test user, otherwise changes may not sync.
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u

# passdb backend:
#  smbpasswd - The default smbpasswd backend. Takes a path  to
#              the smbpasswd file as an optional argument.

smbpasswd isn't the default anymore (it hasn't been for a long time).
It is now tdbsam.

#  tdbsam    - The  TDB based password storage backend. Takes a
#              path to the  TDB  as  an  optional  argument  (defaults  to
#              passdb.tdb in the private dir directory.
#  ldapsam   - The LDAP based passdb backend. Takes an LDAP URL
#              as an optional argument (defaults to ldap://localhost)
#  Examples of use are:
#        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
#        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap- 2.example.com"
#  Default: passdb backend = smbpasswd
# Note: you can transfer smbpasswd to tdbsam with
#   pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
#   pdbedit -a -u username
#
;  passdb backend = tdbsam
# When switching to tdbsam, run the pdbedit export above first; otherwise the
# entries in /etc/samba/smbpasswd are not visible to the new backend and those
# users can no longer log in.
    passdb backend = smbpasswd # suggest changing to tdbsam

# Unix users can map to different SMB User names
# touch /etc/samba/smbusers   to start
# A map entry changes which Unix identity an SMB login becomes, so this file
# must be root-owned and not writable by ordinary users.
    username map = /etc/samba/smbusers

# add these if winbind is running
     idmap config * : backend        = tdb
     idmap config * : range          = 1000000-1999999

You seem to be running a standalone server, so you don't need winbind, and
therefore don't need the above.

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
; run a specific logon batch file per username
;   logon script = %u.bat
; Note: this script's path is relative path to the [netlogon] path and uses forward slashes
#  logon script = scripts/%G.bat
# Logon scripts are fetched from the [netlogon] share and executed on the client
# at logon. If these settings are ever put to use, [netlogon] must not be
# writable by ordinary users (as written it has writable = yes with
# write list = @users).
# 'logon path' is the roaming-profile location as the client sees it (a UNC
# path such as \\server\share), not a directory on the server.
    logon script = scripts/logon.bat # not used on a standalone server
    logon path = /exports/netlogon # not used on a standalone server
    logon drive = X: # not used on a standalone server


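# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server.
# (The word "Server" previously sat on a line of its own without a comment
# marker, which smb.conf would not have accepted as a comment.)
# Only one machine on the network should have this set to yes.
    wins support = yes
;    wins support = no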

; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
# Methods are tried left to right: the local WINS database, then the system
# resolver ('host' = /etc/hosts and DNS), then broadcast.
    name resolve order = wins host bcast # wins has nothing to do with winbind

; dns proxy (G)
;          Specifies that nmbd(8) when acting as a WINS server and finding that
;          a NetBIOS name has not been registered,  should  treat  the NetBIOS
;          name word-for-word as a DNS name and do a lookup with the DNS server
;          for that name on behalf of the name-querying client.
;
;          Note that the maximum length for a NetBIOS name is 15 characters, so
;          the DNS name (or DNS alias) can likewise only be 15 characters, max-
;          imum.
;
;          nmbd spawns a second copy of  itself  to  do  the  DNS  name lookup
;          requests, as doing a name lookup is a blocking action.
;
;          Default: dns proxy = yes
;  dns proxy = no
    dns proxy = yes # default setting

;  note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days)  20160=14days
;  deadtime = 60
;  deadtime = 1440
# Idle connections, together with their authenticated session, are kept for 14
# days before being dropped (0 would mean never). A far shorter value frees
# server resources, and most clients reconnect transparently when a connection
# is dropped.
    deadtime = 20160 # why do want connections to be held open for 2 weeks ?

; map archive owner execute bit must include 0100
; map system off  group execute bit must include 0010
; map hidden off  world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
;       a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
;       And, you definitely want hidden to be turned off!!!

; Note: to do a mass attributes change (example):
;       for directories:
;          find /rla -type d -exec chmod 777 {} \;
;       for files:
;          find /rla -type f -exec chmod 766 {} \;
; (the modes in this example leave the whole tree writable by every local Unix
;  account, not just the share users)

# Placed in [global] these apply to every share. 'create mode' and
# 'directory mode' are masks: a bit that is clear here can never be set on a
# new file. 0777 leaves every bit available, so new files and directories can
# come out world-readable and world-writable. Several shares below already run
# all access as one forced Unix user, so the 'other' bits buy the SMB side
# nothing; 0775 (or tighter) is the least-privilege choice.
    force create mode = 0000
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777

I would only add the above to shares.

# These map the DOS Archive / System / Hidden attributes onto the owner, group
# and world execute bits of ordinary data files (see the note above); with a
# 0777 create mode every one of those bits is allowed through.
    map archive = yes # default setting
    map system = yes
    map hidden = yes

# [profiles]
#    # https://www.ccs.uky.edu/docs/samba.htm
#    # create mode = 0600
#    # directory mode = 0700
#    create mode = 0777
#    directory mode = 0777
#    path = /exports/profiles/
#    profile acls = yes
#    read only = no
#    writable = yes


[public]
    comment = Public on xxxxx FedoraServer -- Mount as F:
    path = /exports/public
# Only members of Unix group 'users' may connect, and all of them may write.
    valid users = @users
    write list = @users
# Every operation on this share is performed as Unix user 'public' / group
# 'users' regardless of who authenticated, so file ownership does not record
# which user created or changed a file.
    force group = users
    force user = public

    locking = yes # default setting
    oplocks = no
    fake oplocks = no # default setting
    level2 oplocks = no
    strict locking = no
    blocking locks = no
    public = no # default setting
    writable = yes
    printable = no # default setting
    browseable = yes # default setting

# 0777 masks: new files and directories can be created world-writable.
    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes



;note: %U replaces with the session username (the name the client asked for,
;      not necessarily the one it was granted)
;note: %u replaces with the UNIX user name; %S (not %u) is the name of the current service
# Template share: a connection to a share named after an existing user is
# served from this section with %u expanded to that user. browseable = no hides
# the template itself; the per-user share is still visible to its owner.
[homes]
    comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
    path=/home/%u/Documents
    valid users = @users
    write list = @users
    read only = no
# NOTE(review): create mode is assigned twice in this section (0750 here,
# 0777 below). The later assignment is the one that should take effect as
# written, so this line currently does nothing -- decide which is intended.
    create mode = 0750
    public = no # default setting
    writable = yes # this is the same as 'read only = no'
    printable = no # default setting
    browseable = no

    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no # default setting
# public = yes means 'guest ok': connections not tied to a real user are
# allowed and run as the guest account from [global] (pcguest). With
# security = user that only applies when a login is mapped to guest (no
# 'map to guest' is set here), but it is still wider access than any other
# share in this file grants.
    public = yes
    writeable = no # default setting
    printable = yes
#  create mode = 0700


[netlogon]
# not being used as this is now a workgroup server.
# netlogon left in place to copy out the logon.bat to the user's start up.
# These entries left in place in case this server is used as a PDC
# in the future

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
#  %U session username (the username that the client wanted,
#     not necessarily the same as the one they got).
#  %u UNIX username
#  %S the name of the current service, if any.
#  %G primary group name of %U

; Note:   (G) logon script = scripts/logon.bat  (forward slash)
; controls what is run

    comment = Network Logon Service (X:)
    path = /exports/netlogon
##   public = no
##   writeable = no
##
##   # set browable to "no" if you don't want everyone to be able to browse the scripts
##   browsable = yes

# NOTE(review): every member of 'users' can write to this share
# (write list = @users, read only = no, writable = yes). Whatever sits here is
# what clients would run at logon, so if the section is kept for a future PDC
# role it should be read-only for ordinary users with a narrow write list.
    valid users = @users
    write list = @users
    read only = no
# NOTE(review): create mode is assigned twice (0750 here, 0777 below); the
# later line is the one that should take effect as written.
    create mode = 0750
    public = no
    writable = yes
    printable = no
    browseable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes

You might as well remove the entire [netlogon] section; it is not used on a standalone server.

[rla]
    comment = rla root directory -- Typically mount as S:
    path = /rla
    valid users = @users
    write list = @users
# All access to this share runs as Unix user 'rla' / group 'users', whoever
# authenticated; file ownership therefore does not identify the SMB user.
    force group = users
    force user = rla
    public = no # default setting
    writeable = yes
# NOTE(review): map archive / map system / map hidden are set to 'no' here and
# to 'yes' further down in this same section; the later assignments are the
# ones that should take effect as written.
    map archive = no
    map system = no
    map hidden = no
    browseable = yes
    printable = no # default setting

# 0777 masks: new files and directories can be created world-writable.
    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes

[pub]
    comment = rla public client share -- Typically mount as R:
    path = /rla/pub
    valid users = @users
    write list = @users
# As in [rla]: all access runs as Unix user 'rla' / group 'users'. Note this
# share sets no 'public' key, so it is not guest-accessible despite the name.
    force group = users
    force user = rla
    writeable = yes
# NOTE(review): map archive / map system / map hidden are set to 'no' here and
# to 'yes' further down in this same section; the later assignments are the
# ones that should take effect as written.
    map archive = no
    map system = no # default setting
    map hidden = no # default setting
    browseable = yes # default setting
    printable = no # default setting

# 0777 masks: new files and directories can be created world-writable.
    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes

The above three parameters are set twice, but differently; which way do you
want them set?

Any lines followed by '# default setting' can be removed and will not
affect Samba.

You will need to create all your windows users as Unix & Samba users on
the standalone server, with the same password as on the windows
machines.

You will need to create groups on the standalone server and map these
to your windows groups.

Sorry if some of these sound like teaching your grandmother to suck
eggs, but it is better to say them than not ;-)

Rowland


