[Samba] Please criticize my smb.conf

ToddAndMargo ToddAndMargo at zoho.com
Wed Oct 4 02:48:20 UTC 2017


On 10/03/2017 11:32 AM, ToddAndMargo via samba wrote:
> On 10/03/2017 05:33 AM, Rowland Penny via samba wrote:
>> Sorry if some of these sound like teaching your grandmother to suck
>> eggs, but it is better to say them than not;-)
>>
>> Rowland
> 
> Hi Rowland,
> 
>     I appreciate the help!  You did exactly what I
> ask for, which was to let it rip.
> 
>     I will have to read over slowly several times.  Be nice
> to disable winbind too.
> 
>     My ego will survive.  :-)
> 
> -T
> 
> 

Hi Rowland,

If you would be of a mind, would you let it rip again?  Please
do not hold back.  My feelings won't get hurt.

Server:
    Fedora 26
    samba-4.6.8-0.fc26.x86_64

Workstations (5 of them):
    XP Pro SP3

One Xerox Workcentre 3550 multifunction printer scanner that requires
      lanman auth = yes
      ntlm auth = yes

I turned off "winbind.service", which I presumed is "wins" (it is not: winbindd is the domain-membership / NSS lookup daemon, while WINS is the NetBIOS name service that nmbd offers via "wins support"):

     # systemctl stop winbind.service
     # systemctl disable winbind.service
     Removed /etc/systemd/system/multi-user.target.wants/winbind.service.

I turned off "wins" where ever I found it.

I kept the
     # note default "map archive" is "yes"
     map archive = yes
comment so I realize at a later date what remapping is going on.


Many thanks,
-T


; To test this file:  # testparm

; To operate with XP, add the following to the [global] section:
;    lanman auth = yes
;    ntlm auth = yes
; Alternatively, enable NTLMv2 on the XP clients (LmCompatibilityLevel) so
; the two lines above can be dropped:
;     Enabling NTLMv2 on Windows XP Professional Computers
;     http://www.imss.caltech.edu/node/396
;     You have a shortened version over at
../MyCDs/Windows/XP/NTLMv2.Enable.txt
; Note: NTLMv2 protects credentials (LM and NTLMv1 responses are cheap to
;       crack or relay if captured on the LAN).  It does NOT protect against
;       WannaCry, which exploited the SMBv1 server in unpatched Windows
;       (MS17-010); for that the XP boxes need Microsoft's MS17-010 update
;       and should stay off untrusted networks.  Samba itself is not
;       affected by that bug.
; Note: the Xerox Workcentre 3550 multifunction printer scanner requires the
;       lanman stuff to be enabled


; To enable and (re)start Samba under RHEL 7:
;   # systemctl enable smb.service
;   # systemctl enable nmb.service
;   # systemctl start  smb.service
;   # systemctl start  nmb.service

; To enable Win Bind
;   # dnf install samba samba-winbind
;   # systemctl  enable  winbind.service
;   # systemctl  start  winbind.service


; To restart Samba:
;   # systemctl restart smb.service; systemctl restart nmb.service
;   or   # /home/linuxutil/RestartSamba.pl

; selinux notes: (gets rid of the access denied errors):
;    ## First, have someone try to log into Samba from a workstation
;mimetest.pl6
;    # cd /tmp
;    # grep denied /var/log/audit/audit.log > selinuxloginfails
;    # audit2allow -M samba4 -i selinuxloginfails
;    ## Read samba4.te BEFORE loading it: audit2allow permits every denial
;    ## in the input file, including ones that have nothing to do with
;    ## Samba.  Prefer the booleans / fcontext labels further down where
;    ## they cover the need.
;    # semodule -i samba4.pp
;    # setenforce 1; getenforce
;
;    # dnf install policycoreutils-gui
;    # chcon -t samba_share_t /exports
;    # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
;    # /sbin/restorecon -R -v /exports
;    # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
;    # semodule -X 300 -i my-nmbd.pp
;    # setsebool -P samba_enable_home_dirs 1
;    ## samba_export_all_rw lets smbd write ANY file on the box regardless
;    ## of its label.  With /exports labelled samba_share_t above it should
;    ## not be needed; leave it off unless a share lives outside /exports.
;    # setsebool -P samba_export_all_rw 1
;    # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
;    # semodule -X 300 -i my-winbindd.pp
;    ## samba_domain_controller is only needed when smbd has to run
;    ## useradd/groupadd (domain controller, "add user script"); a
;    ## workgroup file server does not need it.
;    # setsebool -P samba_domain_controller on
;    # ausearch -c 'useradd' --raw | audit2allow -M my-useradd
;    # semodule -X 300 -i my-useradd.pp
;
;    to view your SELinux samba settings:
;    # getsebool -a | grep samba
;    # getsebool -a | grep smb
;
;    # cd /tmp
;    # grep denied /var/log/audit/audit.log > selinuxloginfails
;    # audit2allow -M samba4 -i selinuxloginfails
;    ## (review samba4.te first: it allows every denial in the input file)
;    # semodule -i samba4.pp
;    # setenforce 1



; Note: you need to add the name of the server to the 127.0.0.1 line in
; /etc/hosts, e.g.
;       127.0.0.1      FedoraServer.xxxxx.local localhost ...


#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux 
context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#

;======================= Global Settings 
=====================================
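[global]

    workgroup = xxxxx
    server string = Fedora Samba Server

    volume = Fedora Core, %v
    comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
    netbios name = FedoraServer
    netbios aliases = Screws4U!

; Use only the specified interfaces.  "interfaces" by itself only tells
; nmbd/smbd which networks to use for browsing and broadcasts; without
; "bind interfaces only" smbd still accepts connections on every address.
    interfaces = eno1 127.0.0.1
    bind interfaces only = yes

; Deny access to anyone outside the LAN.  "hosts allow" wins over
; "hosts deny", so ALL is the default and the allow list is the exception;
; a trailing dot matches the whole subnet.
    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.

; Note: the Xerox WorkCentre 3550 requires this.
; SECURITY: "lanman auth" accepts LM responses and "ntlm auth" accepts
; NTLMv1 responses.  Both are cheap to crack offline (or to relay) for
; anyone who can sniff the LAN, so keep them only as long as the printer
; needs them, keep the hosts allow list tight, and move the XP boxes to
; NTLMv2 (see the header notes).  NTLMv2 stays accepted regardless of
; these two settings; re-test with "lanman auth = no" if the Xerox firmware
; is ever updated.
; Note: XP and the Xerox only speak SMB1 (NT1), so "server min protocol"
;       cannot be raised above NT1 while they are in use; raise it once
;       they are retired.
     lanman auth = yes
     ntlm auth = yes

; Todd note: the second name in the printcap will be the primary share name
;            ONLY if it contains no spaces
; Todd note: remember to use CAPS in the printcap for the smb share name
;  printcap name = CUPS
; Note: default print command:   print command = lpr -r -P%p %s
    printcap name = /etc/printcap
    show add printer wizard = No
    load printers = yes
    printing = BSD

; The UNIX account that guest/anonymous sessions run as ([printers] has
; guest access enabled).  It must exist, be unprivileged and have no
; usable password or login shell.
    guest account = pcguest

    log file = /var/log/samba/samba-log.%m
;  Example:  log level = 3 passdb:5 auth:10 winbind:2
; NOTE: the auth:10 / passdb:10 debug classes can write challenge/response
; data and other credential material into the log.  Use them only while
; chasing the XP/Xerox login problems, then drop back to "log level = 1"
; and keep /var/log/samba readable by root only.
    log level = 4 passdb:10 auth:10

; The following worked for Windows 95.  Kept for reference only:
;;  case sensitive = yes
;;  short preserve case = yes
;; mangle case = yes
;  preserve case = yes
;  default case = lower
;  short preserve case = yes
;  case sensitive = no

; Symlinks inside a share are followed, but "wide links = no" is what stops
; a symlink from leading outside the share's directory tree -- leave it.
    follow symlinks = yes
    wide links = no
    locking = yes
;  strict locking = yes
    strict locking = no

    security = user
;  security = share

;  update encrypted = yes
;; encrypt passwords = no
;   encrypt passwords = yes
; The smbpasswd file holds NT password hashes, which are password-
; equivalent for SMB.  Keep it root-owned, mode 0600 (smbd warns
; otherwise).  The smbpasswd backend is legacy; tdbsam is the preferred
; backend, see the pdbedit conversion below.
    smb passwd file = /etc/samba/smbpasswd

; When a user changes their SMB password, smbd runs the program below as
; root to change the UNIX password as well.  Fedora's passwd prompts may
; need a matching "passwd chat"; test with smbpasswd as an ordinary user.
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u

# passdb backend:
#  smbpasswd - The legacy flat-file backend. Takes a path to
#              the smbpasswd file as an optional argument.
#  tdbsam    - The  TDB based password storage backend. Takes a
#              path to the  TDB  as  an  optional  argument  (defaults  to
#              passdb.tdb in the private dir directory).
#  ldapsam   - The LDAP based passdb backend. Takes an LDAP URL
#              as an optional argument (defaults to ldap://localhost)
#  Examples of use are:
#        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
#        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
#  Default (Samba 3.4 and later): passdb backend = tdbsam
# Note: you can transfer smbpasswd to tdbsam with
#   pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
#   pdbedit -a -u username
#
;  passdb backend = tdbsam
    passdb backend = smbpasswd

# Unix users can map to different SMB User names
# touch /etc/samba/smbusers   to start
# The mapped UNIX account is the one whose password is checked and whose
# rights the session gets, so never map anything to root, and keep the
# file root-owned and reviewed.
    username map = /etc/samba/smbusers

# add these if winbind is running
;    idmap config * : backend        = tdb
;    idmap config * : range          = 1000000-1999999


#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
; run a specific logon batch file per username
;   logon script = %u.bat
; Note: this script's path is relative to the [netlogon] path and uses
;       forward slashes
; Note: the "logon" parameters only take effect when Samba is a domain
;       logon server (domain logons = yes).  As a workgroup server XP will
;       not fetch logon.bat from here.  "logon path" expects a UNC profile
;       location such as \\%N\profiles\%U, not a UNIX directory, so the
;       value below would have to change before any PDC use.
#  logon script = scripts/%G.bat
    logon script = scripts/logon.bat
    logon path = /exports/netlogon
    logon drive = X:


# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;    wins support = no

; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
;   name resolve order = wins host bcast
    name resolve order = host bcast

; dns proxy (G): when nmbd is a WINS server (wins support = yes) and a
;   NetBIOS name is not registered, nmbd looks the name up in DNS on behalf
;   of the client.  NetBIOS names are at most 15 characters, so the DNS
;   name (or alias) must be too.  nmbd forks a second copy of itself for
;   the lookup because it blocks.
;   Default: dns proxy = yes.  Has no effect while wins support is off.
;  dns proxy = no
    dns proxy = yes

;  note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days)  20160=14days
;  deadtime = 60
;  deadtime = 1440
    deadtime = 20160

; map archive owner execute bit must include 0100
; map system off  group execute bit must include 0010
; map hidden off  world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
;       a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
;       And, you definitely want hidden to be turned off!!!

; Note: to do a mass attributes change (example):
;       for directories:
;          find /rla -type d -exec chmod 777 {} \;
;       for files:
;          find /rla -type f -exec chmod 766 {} \;
;       0777 directories without the sticky bit let any LOCAL account on
;       the server delete or replace anyone's files.  Because the shares
;       use "force user"/"force group", 2775 directories should give the
;       same behaviour over SMB with less exposure locally.



# The below kept for reference only:
# [profiles]
#    # https://www.ccs.uky.edu/docs/samba.htm
#    # create mode = 0600
#    # directory mode = 0700
#    create mode = 0777
#    directory mode = 0777
#    path = /exports/profiles/
#    profile acls = yes
#    read only = no
#    writable = yes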

[public]
     comment = Public on xxxxx FedoraServer -- Mount as F:
     path = /exports/public

     ; Access: members of the "users" group only; no guest / anonymous
     ; sessions ("guest ok" is the canonical name of "public").
     valid users = @users
     write list = @users
     guest ok = no
     read only = no
     browseable = yes
     print ok = no

     ; Every file is created on disk as public:users no matter who
     ; connected, so the UNIX owner of a file is not an audit trail.
     force user = public
     force group = users

     ; Locking: Samba byte-range locks on, every oplock flavour off.
     locking = yes
     oplocks = no
     level2 oplocks = no
     fake oplocks = no
     strict locking = no
     blocking locks = no

     ; Permissions: nothing forced on, anything up to 0777 allowed
     ; ("create mask"/"directory mask" are the canonical names of
     ; "create mode"/"directory mode").  With the three map options on,
     ; DOS archive/system/hidden attributes set by clients flip the
     ; owner/group/world execute bits on disk.
     force create mode = 0000
     create mask = 0777
     force directory mode = 0000
     directory mask = 0777
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes

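;note: %U is the session username (the name the client asked to log in as);
;      %u is the UNIX user name it was mapped to; %S is the share name,
;      which for [homes] is the user's own name.
[homes]
     comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
     path=/home/%u/Documents

     ; Only the owner of a home share may connect to it.  The previous
     ; "valid users = @users" let any group member connect to
     ; \\FedoraServer\<otheruser>; %S (the smb.conf manual's recommended
     ; value for [homes]) limits each share to the user it is named after.
     valid users = %S
     read only = no
     public = no
     printable = no
     ; never list home shares in the browse list
     browseable = no

     ; A "create mode = 0750" line used to precede the 0777 line below.
     ; Samba keeps the LAST value of a repeated parameter, so 0750 was
     ; never in effect; the dead line has been removed rather than left to
     ; mislead.  0777 with "force create mode = 0000" can leave files in a
     ; private Documents folder world-readable/writable on the server --
     ; 0700 for both masks is the safer choice here.
     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes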


[printers]
    comment = All Printers
    ; Spool directory.  Every printing client writes its job here, so it is
    ; normally mode 1777 (world-writable, sticky) and labelled samba_spool_t.
    path = /var/spool/samba
    browseable = no
    ; "guest ok" is the canonical name of "public".  Yes here means print
    ; jobs are also accepted from guest/anonymous sessions (running as the
    ; "guest account"), limited only by hosts allow.  Set to no if only
    ; authenticated users should be able to print.
    guest ok = yes
    read only = yes
    print ok = yes
#  create mode = 0700


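[netlogon]
# Not used at the moment: this is a workgroup server, so XP will not fetch
# "logon script" from here (that needs domain logons).  Left in place so
# logon.bat can be copied into users' Startup folders, and in case this
# server becomes a PDC in the future.

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
#  %U session username (the username that the client wanted,
#     not necessarily the same as the one they got).
#  %u UNIX username
#  %S the name of the current service, if any.
#  %G primary group name of %U

; Note:   (G) logon script = scripts/logon.bat  (forward slash)
; controls what is run

    comment = Network Logon Service (X:)
    path = /exports/netlogon

; SECURITY: this share must be read-only for ordinary users.  Whatever is
; in scripts/logon.bat runs on every workstation at logon with the
; logging-on user's rights, so the old "writable = yes" plus
; "write list = @users" let any user plant a script that every other user
; then executes.  If the scripts have to be edited over SMB, add an
; admin-only write list (for example "write list = @wheel"), and keep
; /exports/netlogon root-owned and not group/world-writable on disk.
     valid users = @users
     read only = yes
     public = no
     printable = no
     ; set browseable = yes if you want everyone to be able to see the
     ; scripts in the browse list
     browseable = no

     ; create/directory masks only matter for write-list members; the
     ; map options control how DOS attributes are shown to clients.
     force create mode = 0000
     create mode = 0755
     force directory mode = 0000
     directory mode = 0755
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes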


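[rla]
     comment = rla root directory -- Typically mount as S:
     path = /rla
     valid users = @users
     write list = @users
     ; every write lands on disk as rla:users regardless of who connected,
     ; so the UNIX owner is not an audit trail
     force group = users
     force user = rla
     public = no
     writeable = yes
     browseable = yes
     printable = no

     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     ; "map archive/system/hidden = no" lines used to appear earlier in
     ; this section.  Samba keeps the LAST value of a repeated parameter,
     ; so "yes" was in effect all along; the dead lines are removed.
     ; With these on, clients toggling the system/hidden attributes flip
     ; the group/world execute bits on disk (archive uses the owner bit).
     # note default "map archive" is "yes" (system and hidden default to no)
     map archive = yes
     map system = yes
     map hidden = yes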


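[pub]
     comment = rla public client share -- Typically mount as R:
     path = /rla/pub
     ; "guest ok" is not set here, so it takes the default (no): only
     ; authenticated members of "users" get in, same as [rla].
     valid users = @users
     write list = @users
     ; every write lands on disk as rla:users regardless of who connected
     force group = users
     force user = rla
     writeable = yes
     browseable = yes
     printable = no

     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     ; "map archive/system/hidden = no" lines used to appear earlier in
     ; this section.  Samba keeps the LAST value of a repeated parameter,
     ; so "yes" was in effect all along; the dead lines are removed.
     ; With these on, clients toggling the system/hidden attributes flip
     ; the group/world execute bits on disk (archive uses the owner bit).
     # note default "map archive" is "yes" (system and hidden default to no)
     map archive = yes
     map system = yes
     map hidden = yes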




