| 2 | # Sample configuration file for the Samba suite for Debian GNU/Linux. |
| 3 | # |
| 4 | # |
| 5 | # This is the main Samba configuration file. You should read the |
| 6 | # smb.conf(5) manual page in order to understand the options listed |
| 7 | # here. Samba has a huge number of configurable options most of which |
| 8 | # are not shown in this example |
| 9 | # |
| 10 | # Some options that are often worth tuning have been included as |
| 11 | # commented-out examples in this file. |
| 12 | # - When such options are commented with ";", the proposed setting |
| 13 | # differs from the default Samba behaviour |
| 14 | # - When commented with "#", the proposed setting is the default |
| 15 | # behaviour of Samba but the option is considered important |
| 16 | # enough to be mentioned here |
| 17 | # |
| 18 | # NOTE: Whenever you modify this file you should run the command |
| 19 | # "testparm" to check that you have not made any basic syntactic |
| 20 | # errors. |
| 21 | |
| 22 | #======================= Global Settings ======================= |
| 23 | |
| 24 | [global] |
| 25 | |
| 26 | ## Browsing/Identification ### |
| 27 | |
| 28 | # Change this to the workgroup/NT-domain name your Samba server will be part of |
| 29 | workgroup = WORKGROUP |
| 30 | |
| 31 | # Windows Internet Name Serving Support Section: |
| 32 | # WINS Support - Tells the NMBD component of Samba to enable its WINS Server |
| 33 | # wins support = no |
| 34 | |
| 35 | # WINS Server - Tells the NMBD components of Samba to be a WINS Client |
| 36 | # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both |
| 37 | ; wins server = w.x.y.z |
| 38 | |
| 39 | # This prevents nmbd from searching for NetBIOS names through DNS. |
| 40 | dns proxy = no |
| 41 | |
| 42 | #### Networking #### |
| 43 | |
| 44 | # The specific set of interfaces / networks to bind to |
| 45 | # This can be either the interface name or an IP address/netmask; |
| 46 | # interface names are normally preferred |
| 47 | ; interfaces = 127.0.0.0/8 eth0 |
| 48 | |
| 49 | # Only bind to the named interfaces and/or networks; you must use the |
| 50 | # 'interfaces' option above to use this. |
| 51 | # It is recommended that you enable this feature if your Samba machine is |
| 52 | # not protected by a firewall or is a firewall itself. However, this |
| 53 | # option cannot handle dynamic or non-broadcast interfaces correctly. |
| 54 | ; bind interfaces only = yes |
| 55 | |
| 56 | |
| 57 | |
| 58 | #### Debugging/Accounting #### |
| 59 | |
| 60 | # This tells Samba to use a separate log file for each machine |
| 61 | # that connects |
| 62 | log file = /var/log/samba/log.%m |
| 63 | |
| 64 | # Cap the size of the individual log files (in KiB). |
| 65 | max log size = 1000 |
| 66 | |
| 67 | # If you want Samba to only log through syslog then set the following |
| 68 | # parameter to 'yes'. |
| 69 | # syslog only = no |
| 70 | |
| 71 | # We want Samba to log a minimum amount of information to syslog. Everything |
| 72 | # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log |
| 73 | # through syslog you should set the following parameter to something higher. |
| 74 | syslog = 0 |
| 75 | |
| 76 | # Do something sensible when Samba crashes: mail the admin a backtrace |
| 77 | panic action = /usr/share/samba/panic-action %d |
| 78 | |
| 79 | |
| 80 | ####### Authentication ####### |
| 81 | |
| 82 | # Server role. Defines in which mode Samba will operate. Possible |
| 83 | # values are "standalone server", "member server", "classic primary |
| 84 | # domain controller", "classic backup domain controller", "active |
| 85 | # directory domain controller". |
| 86 | # |
| 87 | # Most people will want "standalone server" or "member server". |
| 88 | # Running as "active directory domain controller" will require first |
| 89 | # running "samba-tool domain provision" to wipe databases and create a |
| 90 | # new domain. |
| 91 | server role = standalone server |
| 92 | |
| 93 | # If you are using encrypted passwords, Samba will need to know what |
| 94 | # password database type you are using. |
| 95 | passdb backend = tdbsam |
| 96 | |
| 97 | obey pam restrictions = yes |
| 98 | |
| 99 | # This boolean parameter controls whether Samba attempts to sync the Unix |
| 100 | # password with the SMB password when the encrypted SMB password in the |
| 101 | # passdb is changed. |
| 102 | unix password sync = yes |
| 103 | |
| 104 | # For Unix password sync to work on a Debian GNU/Linux system, the following |
| 105 | # parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for |
| 106 | # sending the correct chat script for the passwd program in Debian Sarge). |
| 107 | passwd program = /usr/bin/passwd %u |
| 108 | passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . |
| 109 | |
| 110 | # This boolean controls whether PAM will be used for password changes |
| 111 | # when requested by an SMB client instead of the program listed in |
| 112 | # 'passwd program'. The default is 'no'. |
| 113 | pam password change = yes |
| 114 | |
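| 115 | # This option controls how unsuccessful authentication attempts are mapped |
| 116 | # to anonymous connections. "bad user" rejects a wrong password for an existing user but treats a login with an unknown user name as a guest session; "never" disables this fallback. |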
| 117 | map to guest = bad user |
| 118 | |
| 119 | ########## Domains ########### |
| 120 | |
| 121 | # |
| 122 | # The following settings only take effect if 'server role = classic |
| 123 | # primary domain controller', 'server role = classic backup domain controller' |
| 124 | # or 'domain logons' is set |
| 125 | # |
| 126 | |
| 127 | # It specifies the location of the user's |
| 128 | # profile directory (from the client point of view). The following |
| 129 | # requires a [profiles] share to be set up on the Samba server (see |
| 130 | # below) |
| 131 | ; logon path = \\%N\profiles\%U |
| 132 | # Another common choice is storing the profile in the user's home directory |
| 133 | # (this is Samba's default) |
| 134 | # logon path = \\%N\%U\profile |
| 135 | |
| 136 | # The following setting only takes effect if 'domain logons' is set |
| 137 | # It specifies the location of a user's home directory (from the client |
| 138 | # point of view) |
| 139 | ; logon drive = H: |
| 140 | # logon home = \\%N\%U |
| 141 | |
| 142 | # The following setting only takes effect if 'domain logons' is set |
| 143 | # It specifies the script to run during logon. The script must be stored |
| 144 | # in the [netlogon] share |
| 145 | # NOTE: Must be stored in 'DOS' file format convention |
| 146 | ; logon script = logon.cmd |
| 147 | |
| 148 | # This allows Unix users to be created on the domain controller via the SAMR |
| 149 | # RPC pipe. The example command creates a user account with a disabled Unix |
| 150 | # password; please adapt to your needs |
| 151 | ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u |
| 152 | |
| 153 | # This allows machine accounts to be created on the domain controller via the |
| 154 | # SAMR RPC pipe. |
| 155 | # The following assumes a "machines" group exists on the system |
| 156 | ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u |
| 157 | |
| 158 | # This allows Unix groups to be created on the domain controller via the SAMR |
| 159 | # RPC pipe. |
| 160 | ; add group script = /usr/sbin/addgroup --force-badname %g |
| 161 | |
| 162 | ############ Misc ############ |
| 163 | |
| 164 | # Using the following line enables you to customise your configuration |
| 165 | # on a per machine basis. The %m gets replaced with the netbios name |
| 166 | # of the machine that is connecting |
| 167 | ; include = /home/samba/etc/smb.conf.%m |
| 168 | |
| 169 | # Some defaults for winbind (make sure you're not using the ranges |
| 170 | # for something else.) |
| 171 | ; idmap uid = 10000-20000 |
| 172 | ; idmap gid = 10000-20000 |
| 173 | ; template shell = /bin/bash |
| 174 | |
| 175 | # Setup usershare options to enable non-root users to share folders |
| 176 | # with the net usershare command. |
| 177 | |
| 178 | # Maximum number of usershares. 0 (default) means that usershare is disabled. |
| 179 | ; usershare max shares = 100 |
| 180 | |
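| 181 | # Allow users who've been granted usershare privileges to create public |
| 182 | # (guest-accessible) shares, not just authenticated ones. This only matters once usershares are enabled via 'usershare max shares' above; set it to 'no' if unauthenticated access to user-created shares is not wanted. |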
| 183 | usershare allow guests = yes |
| 184 | |
| 185 | #======================= Share Definitions ======================= |
| 186 | |
| 187 | [homes] |
| 188 | comment = Home Directories |
| 189 | browseable = no |
| 190 | |
| 191 | # By default, the home directories are exported read-only. Change the |
| 192 | # next parameter to 'no' if you want to be able to write to them. |
| 193 | read only = yes |
| 194 | |
| 195 | # File creation mask is set to 0700 for security reasons. If you want to |
| 196 | # create files with group=rw permissions, set next parameter to 0775 (note that 0775 also permits read access for all other users; 0770 keeps it to owner and group). |
| 197 | create mask = 0700 |
| 198 | |
| 199 | # Directory creation mask is set to 0700 for security reasons. If you want to |
| 200 | # create dirs. with group=rw permissions, set next parameter to 0775 (note that 0775 also lets all other users list and enter them; 0770 keeps it to owner and group). |
| 201 | directory mask = 0700 |
| 202 | |
| 203 | # By default, \\server\username shares can be connected to by anyone |
| 204 | # with access to the samba server. |
| 205 | # The following parameter makes sure that only "username" can connect |
| 206 | # to \\server\username |
| 207 | # This might need tweaking when using external authentication schemes |
| 208 | valid users = %S |
| 209 | |
| 210 | # Un-comment the following and create the netlogon directory for Domain Logons |
| 211 | # (you need to configure Samba to act as a domain controller too.) |
| 212 | ;[netlogon] |
| 213 | ; comment = Network Logon Service |
| 214 | ; path = /home/samba/netlogon |
| 215 | ; guest ok = yes |
| 216 | ; read only = yes |
| 217 | |
| 218 | # Un-comment the following and create the profiles directory to store |
| 219 | # users profiles (see the "logon path" option above) |
| 220 | # (you need to configure Samba to act as a domain controller too.) |
| 221 | # The path below should be writable by all users so that their |
| 222 | # profile directory may be created the first time they log on |
| 223 | ;[profiles] |
| 224 | ; comment = Users profiles |
| 225 | ; path = /home/samba/profiles |
| 226 | ; guest ok = no |
| 227 | ; browseable = no |
| 228 | ; create mask = 0600 |
| 229 | ; directory mask = 0700 |
| 230 | |
| 231 | [printers] |
| 232 | comment = All Printers |
| 233 | browseable = no |
| 234 | path = /var/spool/samba |
| 235 | printable = yes |
| 236 | guest ok = no |
| 237 | read only = yes |
| 238 | create mask = 0700 |
| 239 | |
| 240 | # Windows clients look for this share name as a source of downloadable |
| 241 | # printer drivers |
| 242 | [print$] |
| 243 | comment = Printer Drivers |
| 244 | path = /var/lib/samba/printers |
| 245 | browseable = yes |
| 246 | read only = yes |
| 247 | guest ok = no |
| 248 | # Uncomment to allow remote administration of Windows print drivers. |
| 249 | # You may need to replace 'lpadmin' with the name of the group your |
| 250 | # admin users are members of. |
| 251 | # Please note that you also need to set appropriate Unix permissions |
| 252 | # to the drivers directory for these users to have write rights in it |
| 253 | ; write list = root, @lpadmin |
| 254 | |