
[Samba] Please criticize my smb.conf




Hi All,

Would you please look over my smb.conf and
criticize it as appropriate?

This is a workgroup server.
winbind is running
DDNS is also running (DNS [bind] talks to DHCPd)

Many thanks,
-T
Tony Ewell, B.S.E.E.
Owner, Rent-A-Nerd Computer Services
775-265-5150,  9:00 am to 5:00 pm PST/PDT


Warning, this is long winded!


<smb.conf>

; To test this file:  # testparm

; To operate with XP, add the following to the [global] section:
;    lanman auth = yes
;    ntlm auth = yes
; Alternatively, to avoid WannaCry, go to:
;     Enabling NTLMv2 on Windows XP Professional Computers
;     http://www.imss.caltech.edu/node/396
; You have a shortened version over at ../MyCDs/Windows/XP/NTLMv2.Enable.txt


; To enable and (re)start Samba under RHEL 7:
;   # systemctl enable smb.service
;   # systemctl enable nmb.service
;   # systemctl start  smb.service
;   # systemctl start  nmb.service

; To enable Win Bind
;   # dnf install samba samba-winbind
;   # systemctl  enable  winbind.service
;   # systemctl  start  winbind.service


; To restart Samba:
;   # systemctl restart smb.service; systemctl restart nmb.service
;   or   # /home/linuxutil/RestartSamba.pl
;

; selinux notes: (gets rid of the access denied errors):
;    ## First, have someone try to log into Samba from a workstation
;
;    # cd /tmp
;    # grep denied /var/log/audit/audit.log > selinuxloginfails
;    # audit2allow -M samba4 -i selinuxloginfails
;    # semodule -i samba4
;    # setenforce 1; getenforce
;
;    # dnf install policycoreutils-gui
;    # chcon -t samba_share_t /exports
;    # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
;    # /sbin/restorecon -R -v /exports
;    # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
;    # semodule -X 300 -i my-nmbd.pp
;    # setsebool -P samba_enable_home_dirs 1
;    # setsebool -P samba_export_all_rw 1
;    # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
;    # semodule -X 300 -i my-winbindd.pp
;    # setsebool -P samba_domain_controller on
;    # ausearch -c 'useradd' --raw | audit2allow -M my-useradd
;    # semodule -X 300 -i my-useradd.pp
;
;    to view your SELinux samba settings:
;    # getsebool -a | grep samba
;    # getsebool -a | grep smb



; Note: you need to add the name of the server to the 127.0.0.1 line in /etc/hosts, e.g.
;       127.0.0.1      FedoraServer.xxxxx.local localhost ...


#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#

;======================= Global Settings =====================================
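[global]
; --- server identity ---------------------------------------------------------
   workgroup = xxxxx
   server string = Fedora Samba Server

; volume and comment are share-level options; placed here they act as the
; default for every share that does not set its own
   volume = Fedora Core, %v
   comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
   netbios name = FedoraServer
   netbios aliases = Screws4U!

; --- network exposure ----------------------------------------------------------
; use only the specified interfaces
; NOTE(review): on its own "interfaces" does not stop smbd from listening on
; every address of the host; restricting the listener as well needs
;    bind interfaces only = yes
   interfaces = eno1 127.0.0.1

; deny access to anyone outside the local subnet (plus loopback)
   hosts deny = ALL
   hosts allow = 192.168.255. 127.0.0.

; --- printing ------------------------------------------------------------------
; Todd note: the second name in the printcap will be the primary share name
;            ONLY if it contains no spaces
; Todd note: remember to use CAPS in the printcap for the smb share name
;  printcap name = CUPS
; Note: default print command:   print command = lpr -r -P%p %s
   printcap name = /etc/printcap
   show add printer wizard = no
   load printers = yes
   printing = BSD

; --- guest identity and logging ---------------------------------------------
; guest account must exist in /etc/passwd; it is the UNIX identity used for
; connections to shares that set "public = yes" (here: [printers])
   guest account = pcguest
   log file = /var/log/samba/samba-log.%m
;  Example:  log level = 3 passdb:5 auth:10 winbind:2
; NOTE(review): level 10 on the auth and passdb classes is debugging output;
; it writes credential-handling detail for every logon attempt into the
; per-machine logs and fills them quickly.  Drop back to a low level (1-2)
; once the problem being chased is solved.
   log level = 4 passdb:10 auth:10

; The following worked for Windows 95.  Kept for reference only:
;  case sensitive = yes
;  short preserve case = yes
;  mangle case = yes
;  preserve case = yes
;  default case = lower
;  case sensitive = no

; --- symlinks and locking ------------------------------------------------------
   follow symlinks = yes
; wide links = no keeps a symlink inside a share from leading outside the
; share path; leave it off
   wide links = no
   locking = yes
;  strict locking = yes
   strict locking = no

; --- authentication ------------------------------------------------------------
; "security = share" is no longer supported in Samba 4; do not re-enable it
   security = user
;  security = share

;  update encrypted = yes
;  encrypt passwords = yes   (the default; plaintext passwords are not a safe option)
   smb passwd file = /etc/samba/smbpasswd

; push SMB password changes through to the UNIX account as well
   unix password sync = yes
   passwd program = /usr/bin/passwd %u

; passdb backend:
;  smbpasswd - The legacy flat-file smbpasswd backend. Takes a path to
;              the smbpasswd file as an optional argument.
;  tdbsam    - The TDB based password storage backend. Takes a
;              path to the TDB as an optional argument (defaults to
;              passdb.tdb in the private dir directory).
;  ldapsam   - The LDAP based passdb backend. Takes an LDAP URL
;              as an optional argument (defaults to ldap://localhost)
;  Examples of use are:
;        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
;        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
; Note: you can transfer smbpasswd to tdbsam with
;   pdbedit -i smbpasswd -e tdbsam
; Users can be added to tdbsam with
;   pdbedit -a -u username
; NOTE(review): smbpasswd is the legacy backend; tdbsam is the current
; default and the pdbedit recipe above migrates to it.  Whichever backend
; holds the NT password hashes, keep that file readable by root only.
;  passdb backend = tdbsam
   passdb backend = smbpasswd

; Unix users can map to different SMB user names
;   touch /etc/samba/smbusers   to start
   username map = /etc/samba/smbusers

; required when winbind is running
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999

; --- domain logon settings (inactive on a workgroup server) ------------------
;  http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine):
;   logon script = %m.bat
; run a specific logon batch file per username:
;   logon script = %u.bat
; Note: this path is relative to the [netlogon] share path and uses forward slashes
;  logon script = scripts/%G.bat
   logon script = scripts/logon.bat
; NOTE(review): "logon path" names the roaming-profile location and is handed
; to clients as a UNC path (e.g. \\server\profiles\%U), not a local
; filesystem path; the value below cannot be used by a client.  It is only
; consulted when this server handles domain logons, which a workgroup
; server does not.
   logon path = /exports/netlogon
   logon drive = X:

; --- name resolution -----------------------------------------------------------
; Windows Internet Name Serving Support Section:
; WINS Support - tells the NMBD component of Samba to enable its WINS server
   wins support = yes
;  wins support = no

; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
   name resolve order = wins host bcast

; dns proxy (G): when acting as a WINS server and finding that a NetBIOS
; name has not been registered, nmbd treats the NetBIOS name word-for-word
; as a DNS name and does a lookup with the DNS server for that name on
; behalf of the name-querying client.
; Note that the maximum length for a NetBIOS name is 15 characters, so
; the DNS name (or DNS alias) can likewise only be 15 characters, maximum.
; nmbd spawns a second copy of itself to do the DNS name lookup
; requests, as doing a name lookup is a blocking action.
; Default: dns proxy = yes
;  dns proxy = no
   dns proxy = yes

; deadtime is in minutes: 1440 = 24 hrs, 2880 = 48 hrs (2 days), 20160 = 14 days
;  deadtime = 60
;  deadtime = 1440
   deadtime = 20160

; --- default permission bits and DOS attribute mapping -----------------------
; map archive -> owner execute bit  (create mask must include 0100)
; map system  -> group execute bit  (create mask must include 0010)
; map hidden  -> world execute bit  (create mask must include 0001)
; Note: after doing all the above map stuff, it is a good idea to do
;       a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
;       And, you definitely want hidden to be turned off!!!
; NOTE(review): the note above says hidden should be off, yet "map hidden"
; is set to yes below (and again in every share); confirm which is intended.

; Note: to do a mass attributes change (example):
;       for directories:
;          find /rla -type d -exec chmod 777 {} \;
;       for files:
;          find /rla -type f -exec chmod 766 {} \;

; NOTE(review): create/directory mode 0777 makes every new file and
; directory world-readable and world-writable on the UNIX side, so any local
; account (or the "force user" of another share) can read or alter them.
   force create mode = 0000
   create mode = 0777
   force directory mode = 0000
   directory mode = 0777
   map archive = yes
   map system = yes
   map hidden = yes

; [profiles]   (disabled; kept for reference)
;    https://www.ccs.uky.edu/docs/samba.htm
;    create mode = 0600        (documented recommendation)
;    directory mode = 0700     (documented recommendation)
;    create mode = 0777
;    directory mode = 0777
;    path = /exports/profiles/
;    profile acls = yes
;    read only = no
;    writable = yes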


[public]
; share for every member of the "users" group; everything written here is
; owned by UNIX user "public", group "users"
   comment = Public on xxxxx FedoraServer -- Mount as F:
   path = /exports/public
   browseable = yes
   public = no
   printable = no

; access: members of "users" only, with write permission
   valid users = @users
   write list = @users
   writable = yes
   force user = public
   force group = users

; every opportunistic-locking variant is switched off for this share
   oplocks = no
   fake oplocks = no
   level2 oplocks = no
   blocking locks = no
   locking = yes
   strict locking = no

; permission bits for newly created files and directories
   create mode = 0777
   directory mode = 0777
   force directory mode = 0000
   map archive = yes
   map system = yes
   map hidden = yes


; note: %U is replaced with the session username (the user's name in lower case)
; note: %u is replaced with the user name of the current service (the user's UNIX name in mixed case)
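[homes]
; per-user share: %u is the connecting user's UNIX name, so the share name a
; client asks for should not change which Documents directory is served
   comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
   path = /home/%u/Documents
   browseable = no
   public = no
   printable = no

; NOTE(review): the usual restriction for [homes] is "valid users = %S" so
; that only the owner of a home share can connect to it; the group-wide
; value below is kept because the explicit %u path already ties the served
; directory to the caller
   valid users = @users
   write list = @users
; "read only = no" is the same setting as "writable = yes"; one copy kept
   writable = yes

; permission bits.  create mode was set twice in the original (0750, then
; 0777); Samba uses the last value, so 0777 was the effective setting and is
; what is kept here.
; NOTE(review): 0777 makes files in a user's Documents world-writable on the
; UNIX side; the overridden 0750 is the safer value for home data.
   create mode = 0777
   directory mode = 0777
   force directory mode = 0000
   map archive = yes
   map system = yes
   map hidden = yes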



[printers]
; spool share for every printer read from the printcap (load printers = yes)
   comment = All Printers
   path = /var/spool/samba
   printable = yes
; guest printing: connections without a valid account run as the global
; "guest account"
   public = yes
   writeable = no
   browseable = no
;  create mode = 0700


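[netlogon]
; not being used as this is now a workgroup server.
; netlogon left in place to copy out the logon.bat to the user's start up.
; These entries left in place in case this server is used as a PDC
; in the future

;  http://www.oreilly.com/openbook/samba/book/ch06_06.html
;  %U session username (the username that the client wanted,
;     not necessarily the same as the one they got).
;  %u UNIX username
;  %S the name of the current service, if any.
;  %G primary group name of %U

; Note:   (G) logon script = scripts/logon.bat  (forward slash)
; controls what is run

   comment = Network Logon Service (X:)
   path = /exports/netlogon
   browseable = no
   public = no
   printable = no

; NOTE(review): every member of "users" can write to this share, i.e. modify
; scripts/logon.bat.  Should the server become a PDC, that script is executed
; on each workstation at logon, so one user could change what runs on every
; other user's machine.  The conventional setting for netlogon is
; "writable = no" with an admin-only "write list".
; earlier values, kept for reference:
;   public = no
;   writeable = no
;   browseable = yes   (set to "no" if you don't want everyone to browse the scripts)
   valid users = @users
   write list = @users
; "read only = no" duplicated "writable = yes"; one copy kept
   writable = yes

; create mode was set twice in the original (0750, then 0777); Samba uses the
; last value, so 0777 was the effective setting and is what is kept here.
; 0750 would be the safer value for a directory of scripts.
   create mode = 0777
   directory mode = 0777
   force directory mode = 0000
   map archive = yes
   map system = yes
   map hidden = yes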


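[rla]
; root of the rla tree; every access runs as UNIX user "rla", group "users"
   comment = rla root directory -- Typically mount as S:
   path = /rla
   browseable = yes
   public = no
   printable = no

   valid users = @users
   write list = @users
   writable = yes
   force user = rla
   force group = users

; permission bits for newly created files and directories
   create mode = 0777
   directory mode = 0777
   force directory mode = 0000
; the original set each map option to "no" and then to "yes"; Samba uses the
; last value, so "yes" was the effective setting and is what is kept here.
; Confirm which was intended ("no" stops the DOS attributes being stored in
; the UNIX execute bits).
   map archive = yes
   map system = yes
   map hidden = yes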

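[pub]
; client-facing subtree of rla; every access runs as UNIX user "rla", group "users"
   comment = rla public client share -- Typically mount as R:
   path = /rla/pub
   browseable = yes
   printable = no

   valid users = @users
   write list = @users
   writable = yes
   force user = rla
   force group = users

; permission bits for newly created files and directories
   create mode = 0777
   directory mode = 0777
   force directory mode = 0000
; the original set each map option to "no" and then to "yes"; Samba uses the
; last value, so "yes" was the effective setting and is what is kept here.
; Confirm which was intended ("no" stops the DOS attributes being stored in
; the UNIX execute bits).
   map archive = yes
   map system = yes
   map hidden = yes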




