[Samba] The wisdom - or otherwise - of replacing outright rather than merely appending to the example smb.conf file shipped with SAMBA during new server commissioning?

Rowland Penny rpenny at samba.org
Tue Apr 16 11:16:49 UTC 2019


On Tue, 16 Apr 2019 11:40:10 +0100
Stephen via samba <samba at lists.samba.org> wrote:

> I have a general question regarding smb.conf and I was hoping that
> some of the rather more knowledgeable and experienced people here
> could please comment?
> 
> I am currently setting my various SAMBA systems up via some 
> shell-scripts. Within these scripts, I remove the stock smb.conf
> shipped with Samba and replace this with an empty smb.conf file to
> which I add my own configuration options afterwards. Obviously I
> COULD instead simply append my changes to the existing file. However
> currently I just remove the existing smb.conf and start again with a
> blank file because the alternative seemed like more hassle!

I take it you mean you are doing something like this:

rm -f /etc/samba/smb.conf

cat > /etc/samba/smb.conf <<EOF
[global]
    whatever lines you want
    ............
    ...........
    ........

[ashare]
    ...........
    .......
    ....
EOF

There is no problem with doing this, unless you are doing this on a DC,
in which case I would use 'sed' to add lines into the existing smb.conf.

> 
> Am I potentially risking the security of my systems by replacing the 
> stock smb.conf shipped with Samba in this way? Obviously doing what I 
> have just described will erase all the default configuration settings 
> shipped in the installation.

It won't actually, if a line isn't there, then a default setting may be
used and it might not be what you want.
 
> Are any of the shipped default configuration parameters essential to 
> have from a security perspective? Am I doing something stupid here?

Provided the required lines are in smb.conf before you start Samba,
you will not have a problem, but if a line is missing, then the
default setting will be used. For instance, if you do not enter a line
that begins 'workgroup =', then the default workgroup name 'WORKGROUP'
will be used.

Rowland
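
The point in the reply above, that a parameter missing from a freshly written smb.conf falls back to a built-in default, can be checked before Samba is started. The following is an added example, not part of the original message; the function names, the list of required parameters and the sample file are assumptions constructed for illustration.

```sh
#!/bin/sh
# missing_globals FILE PARAM...
# Prints each PARAM not set explicitly in [global]; returns non-zero if any is missing.
missing_globals() {
    conf=$1; shift
    for want in "$@"; do printf '%s\n' "$want"; done |
    awk -v conf="$conf" '
        # smb.conf(5): names ignore case and whitespace, so compare normalized.
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN {
            section = ""
            while ((getline line < conf) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line == "" || line ~ /^[#;]/) continue      # blank or comment
                if (line ~ /^\[/) {                              # section header
                    s = line; sub(/^\[/, "", s); sub(/\].*$/, "", s)
                    section = norm(s); continue
                }
                eq = index(line, "=")                            # first "=" splits name/value
                if (eq && section == "global") set[norm(substr(line, 1, eq - 1))] = 1
            }
            close(conf)
        }
        # stdin carries the required names, one per line
        { k = norm($0); if (!(k in set)) { print; bad = 1 } }
        END { exit bad + 0 }
    '
}

# Constructed sample: a replacement config that never sets "workgroup".
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    Server Role = standalone server
    log file = /var/log/samba/%m.log
; workgroup = EXAMPLE
[ashare]
    path = /srv/ashare
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
# Assumed site policy: these must be explicit before Samba is started.
if ! missing=$(missing_globals "$sample" "workgroup" "server role" "log file"); then
    echo "left to built-in defaults: $missing" >&2
fi
rm -f "$sample"
```

Run against the constructed sample, the check reports `workgroup`, which is the case described above where the default name 'WORKGROUP' would be used.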




