Please criticize my smb.conf

Samba - General mailing list
Hi All,

Would you please look over my smb.conf and make
criticisms as appropriate?

This is a workgroup server.
winbind is running
DDNS is also running (DNS [bind] talks to DHCPd)

Many thanks,
-T
Tony Ewell, B.S.E.E.
Owner, Rent-A-Nerd Computer Services
775-265-5150,  9:00 am to 5:00 pm PST/PDT


Warning, this is long-winded!


<smb.conf>

; To test this file:  # testparm

; To operate with XP, add the following to the [global] section:
;    lanman auth = yes
;    ntlm auth = yes
; Alternatively, to avoid WannaCry, go to:
;     Enabling NTLMv2 on Windows XP Professional Computers
;     http://www.imss.caltech.edu/node/396
;     You have a shortened version over at ../MyCDs/Windows/XP/NTLMv2.Enable.txt


; To enable and (re)start Samba under RHEL 7:
;   # systemctl enable smb.service
;   # systemctl enable nmb.service
;   # systemctl start  smb.service
;   # systemctl start  nmb.service

; To enable Win Bind
;   # dnf install samba samba-winbind
;   # systemctl  enable  winbind.service
;   # systemctl  start  winbind.service


; To restart Samba:
;   # systemctl restart smb.service; systemctl restart nmb.service
;   or   # /home/linuxutil/RestartSamba.pl
;

; selinux notes: (gets rid of the access denied errors):
;    ## First, have someone try to log into Samba from a workstation
;
;    # cd /tmp
;    # grep denied /var/log/audit/audit.log > selinuxloginfails
;    # audit2allow -M samba4 -i selinuxloginfails
;    # semodule -i samba4
;    # setenforce 1; getenforce
;
;    # dnf install policycoreutils-gui
;    # chcon -t samba_share_t /exports
;    # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
;    # /sbin/restorecon -R -v /exports
;    # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
;    # semodule -X 300 -i my-nmbd.pp
;    # setsebool -P samba_enable_home_dirs 1
;    # setsebool -P samba_export_all_rw 1
;    # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
;    # semodule -X 300 -i my-winbindd.pp
;    # setsebool -P samba_domain_controller on
;    # ausearch -c 'useradd' --raw | audit2allow -M my-useradd
;    # semodule -X 300 -i my-useradd.pp
;
;    to view your SELinux samba settings:
;    # getsebool -a | grep samba
;    # getsebool -a | grep smb



; Note: you need to add the name of the server to the 127.0.0.1 line in /etc/hosts, e.g.
;       127.0.0.1      FedoraServer.xxxxx.local localhost ...


#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root preexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#

;======================= Global Settings =====================================
[global]

    workgroup = xxxxx
    server string = Fedora Samba Server

    volume = Fedora Core, %v
    comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
    netbios name = FedoraServer
    netbios aliases = Screws4U!

; use only the specified interfaces
    interfaces = eno1 127.0.0.1

; deny access to anyone outside the current domain
    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.

; Todd note: the second name in the printcap will be the primary share name
;            ONLY if it contains no spaces
; Todd note: remember to use CAPS in the princap for the smb share name
;  printcap name = CUPS
; Note: default print command:   print command = lpr -r -P%p %s
    printcap name = /etc/printcap
    show add printer wizard = No
    load printers = yes
    printing = BSD

    guest account = pcguest
    log file = /var/log/samba/samba-log.%m
;  Example:  log level = 3 passdb:5 auth:10 winbind:2
        log level = 4 passdb:10 auth:10

; The following worked for Windows 95.  Kept for reference only:
;;  case sensitive = yes
;;  short preserve case = yes
;; mangle case = yes
;  preserve case = yes
;  default case = lower
;  short preserve case = yes
;  case sensitive = no

    follow symlinks = yes
    wide links = no
    locking = yes
;  strict locking = yes
    strict locking = no

    security = user
;  security = share

;  update encrypted = yes
;; encrypt passwords = no
;   encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

    unix password sync = Yes
    passwd program = /usr/bin/passwd %u

# passdb backend:
#  smbpasswd - The default smbpasswd backend. Takes a path  to
#              the smbpasswd file as an optional argument.
#  tdbsam    - The  TDB based password storage backend. Takes a
#              path to the  TDB  as  an  optional  argument  (defaults  to
#              passdb.tdb in the private dir directory.
#  ldapsam   - The LDAP based passdb backend. Takes an LDAP URL
#              as an optional argument (defaults to ldap://localhost)
#  Examples of use are:
#        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
#        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
#  Default: passdb backend = smbpasswd
# Note: you can transfer smbpasswd to tdbsam with
#   pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
#   pdbedit -a -u username
#
;  passdb backend = tdbsam
    passdb backend = smbpasswd

# Unix users can map to different SMB User names
# touch /etc/samba/smbusers   to start
    username map = /etc/samba/smbusers

# add these if winbind is running
     idmap config * : backend        = tdb
     idmap config * : range          = 1000000-1999999


#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
; run a specific logon batch file per username
;   logon script = %u.bat
; Note: this script's path is relative to the [netlogon] path and uses forward slashes
#  logon script = scripts/%G.bat
    logon script = scripts/logon.bat
    logon path = /exports/netlogon
    logon drive = X:


# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
    wins support = yes
;    wins support = no

; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
    name resolve order = wins host bcast

; dns proxy (G)
;          Specifies that nmbd(8) when acting as a WINS server and finding that
;          a NetBIOS name has not been registered, should treat the NetBIOS
;          name word-for-word as a DNS name and do a lookup with the DNS server
;          for that name on behalf of the name-querying client.
;
;          Note that the maximum length for a NetBIOS name is 15 characters, so
;          the DNS name (or DNS alias) can likewise only be 15 characters, maximum.
;
;          nmbd spawns a second copy of itself to do the DNS name lookup
;          requests, as doing a name lookup is a blocking action.
;
;          Default: dns proxy = yes
;  dns proxy = no
    dns proxy = yes

;  note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days)  20160=14days
;  deadtime = 60
;  deadtime = 1440
    deadtime = 20160

; map archive owner execute bit must include 0100
; map system off  group execute bit must include 0010
; map hidden off  world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
;       a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
;       And, you definitely want hidden to be turned off!!!

; Note: to do a mass attributes change (example):
;       for directories:
;          find /rla -type d -exec chmod 777 {} \;
;       for files:
;          find /rla -type f -exec chmod 766 {} \;

    force create mode = 0000
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes


# [profiles]
#    # https://www.ccs.uky.edu/docs/samba.htm
#    # create mode = 0600
#    # directory mode = 0700
#    create mode = 0777
#    directory mode = 0777
#    path = /exports/profiles/
#    profile acls = yes
#    read only = no
#    writable = yes


[public]
    comment = Public on xxxxx FedoraServer -- Mount as F:
    path = /exports/public
    valid users = @users
    write list = @users
    force group = users
    force user = public

    locking = yes
    oplocks = no
    fake oplocks = no
    level2 oplocks = no
    strict locking = no
    blocking locks = no
    public = no
    writable = yes
    printable = no
    browseable = yes

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes



;note: %U is replaced with the session username (user's name in lower case)
;note: %u is replaced with the UNIX user name of the current service (mixed case)
[homes]
    comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
    path=/home/%u/Documents
    valid users = @users
    write list = @users
    read only = no
    create mode = 0750
    public = no
    writable = yes
    printable = no
    browseable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes



[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    public = yes
    writeable = no
    printable = yes
#  create mode = 0700


[netlogon]
# not being used as this is a now workgroup server.
# netlogon left in place to copy out the logon.bat to the user's start up.
# These entries left in place in case this server is used as a PDC
# in the future

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
#  %U session username (the username that the client wanted,
#     not necessarily the same as the one they got).
#  %u UNIX username
#  %S the name of the current service, if any.
#  %G primary group name of %U

; Note:   (G) logon script = scripts/logon.bat  (forward slash)
; controls what is run

    comment = Network Logon Service (X:)
    path = /exports/netlogon
##   public = no
##   writeable = no
##
##   # set browseable to "no" if you don't want everyone to be able to browse the scripts
##   browsable = yes

    valid users = @users
    write list = @users
    read only = no
    create mode = 0750
    public = no
    writable = yes
    printable = no
    browseable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes


[rla]
    comment = rla root directory -- Typically mount as S:
    path = /rla
    valid users = @users
    write list = @users
    force group = users
    force user = rla
    public = no
    writeable = yes
    map archive = no
    map system = no
    map hidden = no
    browseable = yes
    printable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes

[pub]
    comment = rla public client share -- Typically mount as R:
    path = /rla/pub
    valid users = @users
    write list = @users
    force group = users
    force user = rla
    writeable = yes
    map archive = no
    map system = no
    map hidden = no
    browseable = yes
    printable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Please criticize my smb.conf

On Mon, 2 Oct 2017 12:38:19 -0700
ToddAndMargo via samba <[hidden email]> wrote:

> Hi All,
>
> Would you please look over my smb.conf and make
> criticisms as appropriate?
>
> This is a workgroup server.
> winbind is running
> DDNS is also running (DNS [bind] talks to DHCPd)
>
> Many thanks,
> -T
> Tony Ewell, B.S.E.E.
> Owner, Rent-A-Nerd Computer Services
> 775-265-5150,  9:00 am to 5:00 pm PST/PDT
>
>
> Warning, this is long-winded!

Not long winded enough ;-)
You forgot to tell us what version of Samba.

Rowland


Re: Please criticize my smb.conf

On 10/02/2017 01:06 PM, Rowland Penny via samba wrote:

> On Mon, 2 Oct 2017 12:38:19 -0700
> ToddAndMargo via samba <[hidden email]> wrote:
>
>> Hi All,
>>
>> Would you please look over my smb.conf and make
>> criticisms as appropriate?
>>
>> This is a workgroup server.
>> winbind is running
>> DDNS is also running (DNS [bind] talks to DHCPd)
>>
>> Many thanks,
>> -T
>> Tony Ewell, B.S.E.E.
>> Owner, Rent-A-Nerd Computer Services
>> 775-265-5150,  9:00 am to 5:00 pm PST/PDT
>>
>>
>> Warning, this is long-winded!
>
> Not long winded enough ;-)
> You forgot to tell us what version of Samba.
>
> Rowland
>

mumble ...

Server:
    Fedora 26
    samba-4.6.8-0.fc26.x86_64

Workstations (5 of them):
    XP Pro SP3



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Re: Please criticize my smb.conf


See inline comments

On Mon, 2 Oct 2017 14:01:29 -0700
ToddAndMargo via samba <[hidden email]> wrote:

> On 10/02/2017 01:06 PM, Rowland Penny via samba wrote:
> > On Mon, 2 Oct 2017 12:38:19 -0700
> > ToddAndMargo via samba <[hidden email]> wrote:
> >
> >> Hi All,
> >>
> >> Would you please look over my smb.conf and make
> >> criticisms as appropriate?
> >>
> >> This is a workgroup server.

Well you could call it that, I would call it a standalone server ;-)

> >> winbind is running

Why, you do not need this on a standalone server.

> >> DDNS is also running (DNS [bind] talks to DHCPd)

Again why, you wouldn't do this on a Windows client.

> >
>
> mumble ...
>
> Server:
>     Fedora 26
>     samba-4.6.8-0.fc26.x86_64

Sorry, but I couldn't remember what version of Samba you are running.

>
> Workstations (5 of them):
>     XP Pro SP3

That I could remember ;-)

OK, here is your smb.conf with my comments:

 [global]

    workgroup = xxxxx
    server string = Fedora Samba Server

    volume = Fedora Core, %v ~ this should really only be used on a share
    comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
    netbios name = FedoraServer # You don't actually need this
    netbios aliases = Screws4U!

    interfaces = eno1 127.0.0.1

    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.

    printcap name = /etc/printcap
    show add printer wizard = No
    load printers = yes # default setting
    printing = BSD

    guest account = pcguest
    log file = /var/log/samba/samba-log.%m
        log level = 4 passdb:10 auth:10

    follow symlinks = yes # default setting
    wide links = no # default setting
    locking = yes # default setting
    strict locking = no

    security = user

    smb passwd file = /etc/samba/smbpasswd

    unix password sync = Yes
    passwd program = /usr/bin/passwd %u

# passdb backend:
#  smbpasswd - The default smbpasswd backend. Takes a path  to
#              the smbpasswd file as an optional argument.

smbpasswd isn't the default anymore (hasn't been for a long time)
It is now tdbsam.

#  tdbsam    - The  TDB based password storage backend. Takes a
#              path to the  TDB  as  an  optional  argument  (defaults  to
#              passdb.tdb in the private dir directory.
#  ldapsam   - The LDAP based passdb backend. Takes an LDAP URL
#              as an optional argument (defaults to ldap://localhost)
#  Examples of use are:
#        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
#        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
#  Default: passdb backend = smbpasswd
# Note: you can transfer smbpasswd to tdbsam with
#   pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
#   pdbedit -a -u username
#
;  passdb backend = tdbsam
    passdb backend = smbpasswd # suggest changing to tdbsam

# Unix users can map to different SMB User names
# touch /etc/samba/smbusers   to start
    username map = /etc/samba/smbusers

# add these if winbind is running
     idmap config * : backend        = tdb
     idmap config * : range          = 1000000-1999999

You seem to be running a standalone server, so don't need winbind, so
don't need the above.

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
; run a specific logon batch file per username
;   logon script = %u.bat
; Note: this script's path is relative path to the [netlogon] path and uses forward slashes
#  logon script = scripts/%G.bat
    logon script = scripts/logon.bat # not used on a standalone server
    logon path = /exports/netlogon # not used on a standalone server
    logon drive = X: # not used on a standalone server


# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
    wins support = yes
;    wins support = no

; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
    name resolve order = wins host bcast # wins has nothing to do with winbind

; dns proxy (G)
;          Specifies that nmbd(8) when acting as a WINS server and finding that
;          a NetBIOS name has not been registered,  should  treat  the NetBIOS
;          name word-for-word as a DNS name and do a lookup with the DNS server
;          for that name on behalf of the name-querying client.
;
;          Note that the maximum length for a NetBIOS name is 15 characters, so
;          the DNS name (or DNS alias) can likewise only be 15 characters, max-
;          imum.
;
;          nmbd spawns a second copy of  itself  to  do  the  DNS  name lookup
;          requests, as doing a name lookup is a blocking action.
;
;          Default: dns proxy = yes
;  dns proxy = no
    dns proxy = yes # default setting

;  note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days)  20160=14days
;  deadtime = 60
;  deadtime = 1440
    deadtime = 20160 # why do you want connections to be held open for 2 weeks ?

; map archive owner execute bit must include 0100
; map system off  group execute bit must include 0010
; map hidden off  world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
;       a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
;       And, you definitely want hidden to be turned off!!!

; Note: to do a mass attributes change (example):
;       for directories:
;          find /rla -type d -exec chmod 777 {} \;
;       for files:
;          find /rla -type f -exec chmod 766 {} \;

    force create mode = 0000
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777

I would only add the above to shares.

    map archive = yes # default setting
    map system = yes
    map hidden = yes

I would only add the above to shares.

# [profiles]
#    # https://www.ccs.uky.edu/docs/samba.htm
#    # create mode = 0600
#    # directory mode = 0700
#    create mode = 0777
#    directory mode = 0777
#    path = /exports/profiles/
#    profile acls = yes
#    read only = no
#    writable = yes


[public]
    comment = Public on xxxxx FedoraServer -- Mount as F:
    path = /exports/public
    valid users = @users
    write list = @users
    force group = users
    force user = public

    locking = yes # default setting
    oplocks = no
    fake oplocks = no # default setting
    level2 oplocks = no
    strict locking = no
    blocking locks = no
    public = no # default setting
    writable = yes
    printable = no # default setting
    browseable = yes # default setting

    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes



;note: %U is replaced with the session username (user's name in lower case)
;note: %u is replaced with the UNIX user name of the current service (mixed case)
[homes]
    comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
    path=/home/%u/Documents
    valid users = @users
    write list = @users
    read only = no
    create mode = 0750
    public = no # default setting
    writable = yes # this is the same as 'read only = no'
    printable = no # default setting
    browseable = no

    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no # default setting
    public = yes
    writeable = no # default setting
    printable = yes
#  create mode = 0700


[netlogon]
# not being used as this is a now workgroup server.
# netlogon left in place to copy out the logon.bat to the user's start up.
# These entries left in place in case this server is used as a PDC
# in the future

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
#  %U session username (the username that the client wanted,
#     not necessarily the same as the one they got).
#  %u UNIX username
#  %S the name of the current service, if any.
#  %G primary group name of %U

; Note:   (G) logon script = scripts/logon.bat  (forward slash)
; controls what is run

    comment = Network Logon Service (X:)
    path = /exports/netlogon
##   public = no
##   writeable = no
##
##   # set browseable to "no" if you don't want everyone to be able to browse the scripts
##   browsable = yes

    valid users = @users
    write list = @users
    read only = no
    create mode = 0750
    public = no
    writable = yes
    printable = no
    browseable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes

You might as well remove the entire [netlogon], it is not used on a standalone server

[rla]
    comment = rla root directory -- Typically mount as S:
    path = /rla
    valid users = @users
    write list = @users
    force group = users
    force user = rla
    public = no # default setting
    writeable = yes
    map archive = no
    map system = no
    map hidden = no
    browseable = yes
    printable = no # default setting

    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes

[pub]
    comment = rla public client share -- Typically mount as R:
    path = /rla/pub
    valid users = @users
    write list = @users
    force group = users
    force user = rla
    writeable = yes
    map archive = no
    map system = no # default setting
    map hidden = no # default setting
    browseable = yes # default setting
    printable = no # default setting

    create mode = 0777
    force directory mode = 0000 # default setting
    directory mode = 0777
    map archive = yes # default setting
    map system = yes
    map hidden = yes

The above three parameters are set twice, but differently; which way do you
want them set?

Any lines followed by '# default setting' can be removed and will not
affect Samba.

You will need to create all your windows users as Unix & Samba users on
the standalone server, with the same password as on the windows
machines.

You will need to create groups on the standalone server and map these
to your windows groups.

Sorry if some of these sound like teaching your grandmother to suck
eggs, but it is better to say them than not ;-)

Rowland

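A small linter for the points Rowland raises above (a parameter set twice in one share, the smbpasswd backend, a two-week deadtime, 0777 modes) plus the lanman/ntlm lines that appear later in the thread. This is an added example, not code from the thread or the Samba project: the parser is a minimal hand-written reader, not Samba's own loadparm, and the sample config is a constructed, trimmed copy of the one posted.

```python
"""Lint an smb.conf for the points raised in this thread (added example).

Uses a small hand-written reader, not Samba's loadparm, and flags:
  * a parameter set twice in one section with conflicting values,
  * lanman auth / ntlm auth explicitly enabled in [global],
  * passdb backend = smbpasswd (tdbsam is the current default),
  * deadtime longer than a day,
  * world-writable create/directory modes.
"""
import re

# Constructed sample: a trimmed copy of the thread's config, including the
# lanman/ntlm lines added for the Xerox printer and the twice-set [pub] params.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = xxxxx
    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.
; Note: the Xerox WorkCentre 3550 requires this
    lanman auth = yes
    ntlm auth = yes
    security = user
    passdb backend = smbpasswd
    deadtime = 20160

[pub]
    path = /rla/pub
    valid users = @users
    map archive = no
    map system = no
    map hidden = no
    create mode = 0777
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes
"""

TRUE_VALUES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order.

    Parameter names are case-insensitive and internal whitespace is not
    significant; lines starting with ';' or '#' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            sections[current].append((key, value.strip()))
    return sections


def lint_smb_conf(text):
    """Return a list of (section, parameter, message) findings."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        last = {}
        for key, value in params:
            # Rowland's point: the same parameter set twice, but differently.
            if key in last and last[key].lower() != value.lower():
                findings.append((section, key, "set twice with conflicting "
                                 f"values: {last[key]!r} then {value!r}"))
            last[key] = value

        if section == "global":
            # Absent parameters are left at Samba's defaults and not flagged.
            if last.get("lanman auth", "no").lower() in TRUE_VALUES:
                findings.append((section, "lanman auth",
                                 "LM responses accepted (weak legacy auth)"))
            if last.get("ntlm auth", "no").lower() in TRUE_VALUES:
                findings.append((section, "ntlm auth",
                                 "NTLMv1 responses accepted; prefer NTLMv2 only"))
            if last.get("passdb backend", "tdbsam").lower().startswith("smbpasswd"):
                findings.append((section, "passdb backend",
                                 "smbpasswd backend; tdbsam is the default now"))
            if "deadtime" in last and int(last["deadtime"]) > 1440:
                days = int(last["deadtime"]) // 1440
                findings.append((section, "deadtime",
                                 f"idle connections kept open for {days} days"))

        # Mode values are octal; bit 0o002 means anyone on the box can write.
        for mode_key in ("create mode", "directory mode"):
            if mode_key in last and int(last[mode_key], 8) & 0o002:
                findings.append((section, mode_key,
                                 f"{last[mode_key]} is world-writable on disk"))
    return findings
```

Run `lint_smb_conf(open("/etc/samba/smb.conf").read())` against the real file; it also catches the `create mode = 0750` followed by `create mode = 0777` in the posted [homes] and [netlogon] shares.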

Re: Please criticize my smb.conf

On 10/03/2017 05:33 AM, Rowland Penny via samba wrote:
> Sorry if some of these sound like teaching your grandmother to suck
> eggs, but it is better to say them than not;-)
>
> Rowland

Hi Rowland,

    I appreciate the help!  You did exactly what I
asked for, which was to let it rip.

    I will have to read over slowly several times.  Be nice
to disable winbind too.

    My ego will survive.  :-)

-T


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Re: Please criticize my smb.conf

On 10/03/2017 11:32 AM, ToddAndMargo via samba wrote:

> On 10/03/2017 05:33 AM, Rowland Penny via samba wrote:
>> Sorry if some of these sound like teaching your grandmother to suck
>> eggs, but it is better to say them than not;-)
>>
>> Rowland
>
> Hi Rowland,
>
>     I appreciate the help!  You did exactly what I
> asked for, which was to let it rip.
>
>     I will have to read over slowly several times.  Be nice
> to disable winbind too.
>
>     My ego will survive.  :-)
>
> -T
>
>

Hi Rowland,

If you would be of a mind, would you let it rip again?  Please
do not hold back.  My feelings won't get hurt.

Server:
    Fedora 26
    samba-4.6.8-0.fc26.x86_64

Workstations (5 of them):
    XP Pro SP3

One Xerox Workcentre 3550 multifunction printer scanner that requires
      lanman auth = yes
      ntlm auth = yes

I turned off "winbind.service", which I presume is "wins":

     # systemctl stop winbind.service
     # systemctl disable winbind.service
     Removed /etc/systemd/system/multi-user.target.wants/winbind.service.

I turned off "wins" where ever I found it.

I kept the
     # note default "map archive" is "yes"
     map archive = yes
comment so I realize at a later date what remapping is going on.


Many thanks,
-T


; To test this file:  # testparm

; To operate with XP, add the following to the [global] section:
;    lanman auth = yes
;    ntlm auth = yes
; Alternatively, to avoid WannaCry, go to:
;     Enabling NTLMv2 on Windows XP Professional Computers
;     http://www.imss.caltech.edu/node/396
;     You have a shortened version over at ../MyCDs/Windows/XP/NTLMv2.Enable.txt
; Note: the Xerox Workcentre 3550 multifunction printer scanner requires the
;       lanman stuff to be enabled


; To enable and (re)start Samba under RHEL 7:
;   # systemctl enable smb.service
;   # systemctl enable nmb.service
;   # systemctl start  smb.service
;   # systemctl start  nmb.service

; To enable Win Bind
;   # dnf install samba samba-winbind
;   # systemctl  enable  winbind.service
;   # systemctl  start  winbind.service


; To restart Samba:
;   # systemctl restart smb.service; systemctl restart nmb.service
;   or   # /home/linuxutil/RestartSamba.pl

; selinux notes: (gets rid of the access denied errors):
;    ## First, have someone try to log into Samba from a workstation
;mimetest.pl6
;    # cd /tmp
;    # grep denied /var/log/audit/audit.log > selinuxloginfails
;    # audit2allow -M samba4 -i selinuxloginfails
;    # semodule -i samba4
;    # setenforce 1; getenforce
;
;    # dnf install policycoreutils-gui
;    # chcon -t samba_share_t /exports
;    # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
;    # /sbin/restorecon -R -v /exports
;    # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
;    # semodule -X 300 -i my-nmbd.pp
;    # setsebool -P samba_enable_home_dirs 1
;    # setsebool -P samba_export_all_rw 1
;    # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
;    # semodule -X 300 -i my-winbindd.pp
;    # setsebool -P samba_domain_controller on
;    # ausearch -c 'useradd' --raw | audit2allow -M my-useradd
;    # semodule -X 300 -i my-useradd.pp
;
;    to view your SELinux samba settings:
;    # getsebool -a | grep samba
;    # getsebool -a | grep smb
;
;    # cd /tmp
;    # grep denied /var/log/audit/audit.log > selinuxloginfails
;    # audit2allow -M samba4 -i selinuxloginfails
;    # semodule -i samba4
;    # setenforce 1



; Note: you need to add the name of the server to the 127.0.0.1 line in /etc/hosts, e.g.
;       127.0.0.1      FedoraServer.xxxxx.local localhost ...


#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root preexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#

;======================= Global Settings =====================================
[global]

    workgroup = xxxxx
    server string = Fedora Samba Server

    volume = Fedora Core, %v
    comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
    netbios name = FedoraServer
    netbios aliases = Screws4U!

; use only the specified interfaces
    interfaces = eno1 127.0.0.1

; deny access to anyone outside the current domain
    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.

; Note: the Xerox WorkCentre 3550 requires this
     lanman auth = yes
     ntlm auth = yes

; Todd note: the second name in the printcap will be the primary share name
;            ONLY if it contains no spaces
; Todd note: remember to use CAPS in the princap for the smb share name
;  printcap name = CUPS
; Note: default print command:   print command = lpr -r -P%p %s
    printcap name = /etc/printcap
    show add printer wizard = No
    load printers = yes
    printing = BSD

    guest account = pcguest
    log file = /var/log/samba/samba-log.%m
;  Example:  log level = 3 passdb:5 auth:10 winbind:2
        log level = 4 passdb:10 auth:10

; The following worked for Windows 95.  Kept for reference only:
;;  case sensitive = yes
;;  short preserve case = yes
;; mangle case = yes
;  preserve case = yes
;  default case = lower
;  short preserve case = yes
;  case sensitive = no

    follow symlinks = yes
    wide links = no
    locking = yes
;  strict locking = yes
    strict locking = no

    security = user
;  security = share

;  update encrypted = yes
;; encrypt passwords = no
;   encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

    unix password sync = Yes
    passwd program = /usr/bin/passwd %u

# passdb backend:
#  smbpasswd - The default smbpasswd backend. Takes a path  to
#              the smbpasswd file as an optional argument.
#  tdbsam    - The  TDB based password storage backend. Takes a
#              path to the  TDB  as  an  optional  argument  (defaults  to
#              passdb.tdb in the private dir directory.
#  ldapsam   - The LDAP based passdb backend. Takes an LDAP URL
#              as an optional argument (defaults to ldap://localhost)
#  Examples of use are:
#        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
#        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
#  Default: passdb backend = smbpasswd
# Note: you can transfer smbpasswd to tdbsam with
#   pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
#   pdbedit -a -u username
#
;  passdb backend = tdbsam
    passdb backend = smbpasswd

# Unix users can map to different SMB User names
# touch /etc/samba/smbusers   to start
    username map = /etc/samba/smbusers

# add these if winbind is running
;    idmap config * : backend        = tdb
;    idmap config * : range          = 1000000-1999999


#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
; run a specific logon batch file per username
;   logon script = %u.bat
; Note: this script's path is relative to the [netlogon] path and uses forward slashes
#  logon script = scripts/%G.bat
    logon script = scripts/logon.bat
    logon path = /exports/netlogon
    logon drive = X:


# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;    wins support = no

; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
;   name resolve order = wins host bcast
    name resolve order = host bcast

; dns proxy (G)
;          Specifies that nmbd(8) when acting as a WINS server and finding that
;          a NetBIOS name has not been registered, should treat the NetBIOS
;          name word-for-word as a DNS name and do a lookup with the DNS server
;          for that name on behalf of the name-querying client.
;
;          Note that the maximum length for a NetBIOS name is 15 characters, so
;          the DNS name (or DNS alias) can likewise only be 15 characters, maximum.
;
;          nmbd spawns a second copy of itself to do the DNS name lookup
;          requests, as doing a name lookup is a blocking action.
;
;          Default: dns proxy = yes
;  dns proxy = no
    dns proxy = yes

;  note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days)  20160=14days
;  deadtime = 60
;  deadtime = 1440
    deadtime = 20160

; map archive owner execute bit must include 0100
; map system off  group execute bit must include 0010
; map hidden off  world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
;       a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
;       And, you definitely want hidden to be turned off!!!

; Note: to do a mass attributes change (example):
;       for directories:
;          find /rla -type d -exec chmod 777 {} \;
;       for files:
;          find /rla -type f -exec chmod 766 {} \;



# The below kept for reference only:
# [profiles]
#    # https://www.ccs.uky.edu/docs/samba.htm
#    # create mode = 0600
#    # directory mode = 0700
#    create mode = 0777
#    directory mode = 0777
#    path = /exports/profiles/
#    profile acls = yes
#    read only = no
#    writable = yes


[public]
     comment = Public on xxxxx FedoraServer -- Mount as F:
     path = /exports/public
     valid users = @users
     write list = @users
     force group = users
     force user = public

     locking = yes
     oplocks = no
     fake oplocks = no
     level2 oplocks = no
     strict locking = no
     blocking locks = no
     public = no
     writable = yes
     printable = no
     browseable = yes

     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes


;note: %U replaces with the session username (user's name in lower case)
;note: %u replaces with the user name of the current service (user's UNIX name in mixed case)
[homes]
     comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
     path=/home/%u/Documents
     valid users = @users
     write list = @users
     read only = no
     create mode = 0750
     public = no
     writable = yes
     printable = no
     browseable = no

     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes


[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    public = yes
    writeable = no
    printable = yes
#  create mode = 0700


[netlogon]
# not being used as this is now a workgroup server.
# netlogon left in place to copy out the logon.bat to the user's start up.
# These entries left in place in case this server is used as a PDC
# in the future

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
#  %U session username (the username that the client wanted,
#     not necessarily the same as the one they got).
#  %u UNIX username
#  %S the name of the current service, if any.
#  %G primary group name of %U

; Note:   (G) logon script = scripts/logon.bat  (forward slash)
; controls what is run

    comment = Network Logon Service (X:)
    path = /exports/netlogon
##   public = no
##   writeable = no
##
##   # set browsable to "no" if you don't want everyone to be able to browse the scripts
##   browsable = yes

     valid users = @users
     write list = @users
     read only = no
     public = no
     writable = yes
     printable = no
     browseable = no

     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes


[rla]
     comment = rla root directory -- Typically mount as S:
     path = /rla
     valid users = @users
     write list = @users
     force group = users
     force user = rla
     public = no
     writeable = yes
     map archive = no
     map system = no
     map hidden = no
     browseable = yes
     printable = no

     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes


[pub]
     comment = rla public client share -- Typically mount as R:
     path = /rla/pub
     valid users = @users
     write list = @users
     force group = users
     force user = rla
     writeable = yes
     map archive = no
     map system = no
     map hidden = no
     browseable = yes
     printable = no

     force create mode = 0000
     create mode = 0777
     force directory mode = 0000
     directory mode = 0777
     # note default "map archive" is "yes"
     map archive = yes
     map system = yes
     map hidden = yes



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Please criticize my smb.conf

Samba - General mailing list

See inline comments:

On Tue, 3 Oct 2017 19:48:20 -0700
ToddAndMargo via samba <[hidden email]> wrote:

> Server:
>     Fedora 26
>     samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
>     XP Pro SP3
>
> One Xerox Workcentre 3550 multifunction printer scanner that requires
>       lanman auth = yes
>       ntlm auth = yes
>
> I turned off "winbind.service", which I presume is "wins":

'wins' or to give it its full name 'Windows Internet Name Service' has
nothing to do with winbind.

>
>      # systemctl stop winbind.service
>      # systemctl disable winbind.service
>      Removed /etc/systemd/system/multi-user.target.wants/winbind.service.
>
> I turned off "wins" where ever I found it.

You can if you wish turn it back on again, because you might need it :)

>
> I kept the
>      # note default "map archive" is "yes"
>      map archive = yes
> comment so I realize at a later date what remapping is going on.

OK



    volume = Fedora Core, %v
    comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local

The above two lines are only really useful in a share

    netbios name = FedoraServer

You do not need the above line, Samba will fill it in for you
If you do not have it, you can transplant the smb.conf to another
computer and get the same results.

    follow symlinks = yes
    wide links = no
    locking = yes

The above three lines are default settings and as such, you might as
well remove them.

#  smbpasswd - The old, deprecated passwd backend. Takes a path  to
#              the smbpasswd file as an optional argument.
#  tdbsam    - The  default password storage backend.

    passdb backend = smbpasswd

You really should use 'tdbsam'

>
> # Unix users can map to different SMB User names
> # touch /etc/samba/smbusers   to start
>     username map = /etc/samba/smbusers

You don't need a usermap on a standalone server

>     logon script = scripts/logon.bat
>     logon path = /exports/netlogon
>     logon drive = X:

The above will do nothing on a standalone server

>
> ; name resolve order = lmhosts host wins bcast
> ; if winbind is running, use wins host bcast
> ;   name resolve order = wins host bcast
>     name resolve order = host bcast

You may have problems if you don't use 'wins'

> ;  note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days)  20160=14days
> ;  deadtime = 60
> ;  deadtime = 1440
>     deadtime = 20160

I will be a bit blunter this time, waiting for 2 weeks before an idle
connection is disconnected is just plain stupid.

The shares don't seem to have changed, so see my previous comments.

Rowland

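As an added example (not code from the original thread and not part of Samba), here is a small Python lint that parses smb.conf syntax and reports the settings the thread discusses: lanman/ntlm auth left on for the Xerox, the smbpasswd backend Rowland says to replace with tdbsam, the two-week deadtime, world-writable create/directory modes, and shares that use force user. The embedded config is constructed from the posted one; the one-day deadtime threshold and the set of checks are this example's own choices, and only the parameter spellings used on this page are recognised (Samba synonyms such as "create mask" are not handled).

```python
"""Lint an smb.conf for the settings discussed in this thread.

Added example, not part of the original post or of Samba itself.
The checks and thresholds below are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample carrying the settings the thread criticises.
SAMPLE_SMB_CONF = """
; ===== Global Settings =====
[global]
    workgroup = xxxxx
; Note: the Xerox WorkCentre 3550 requires this
     lanman auth = yes
     ntlm auth = yes
    passdb backend = smbpasswd
    deadtime = 20160
    follow symlinks = yes
    wide links = no

[public]
     path = /exports/public
     force user = public
     create mode = 0777
     directory mode = 0777
     writable = yes
"""

# Assumption for this example: an idle SMB session older than one day
# should be dropped.  The thread calls a two-week deadtime "just plain stupid".
MAX_DEADTIME_MINUTES = 1440


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like smb.conf syntax.

    Both ';' and '#' begin a comment line.  Samba treats parameter names as
    case-insensitive and ignores embedded whitespace, so names are normalised
    to lower case with spaces removed ("lanman auth" -> "lanmanauth").  A later
    assignment of the same parameter overrides an earlier one, as smbd does.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def smb_bool(value: str) -> bool:
    """Samba accepts yes/true/1 (and no/false/0) for boolean parameters."""
    return value.strip().lower() in ("yes", "true", "1")


def lint(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, parameter, finding) triples for risky settings."""
    findings: List[Tuple[str, str, str]] = []
    g = sections.get("global", {})
    if smb_bool(g.get("lanmanauth", "no")):
        findings.append(("global", "lanman auth",
                         "LM authentication enabled; LM hashes are trivially crackable"))
    if smb_bool(g.get("ntlmauth", "no")):
        findings.append(("global", "ntlm auth",
                         "NTLMv1 enabled; prefer NTLMv2-only clients where possible"))
    if g.get("passdbbackend", "tdbsam").split(":", 1)[0].lower() == "smbpasswd":
        findings.append(("global", "passdb backend",
                         "smbpasswd backend is deprecated; migrate with "
                         "pdbedit -i smbpasswd -e tdbsam"))
    if g.get("deadtime", "0").isdigit() and int(g["deadtime"]) > MAX_DEADTIME_MINUTES:
        findings.append(("global", "deadtime",
                         f"idle sessions kept for {g['deadtime']} minutes; "
                         f"lower to <= {MAX_DEADTIME_MINUTES}"))
    for name, share in sections.items():
        if name == "global":
            continue
        for norm, pretty in (("createmode", "create mode"), ("directorymode", "directory mode")):
            mode = share.get(norm)
            if mode and int(mode, 8) & 0o002:      # 0777 -> world-writable
                findings.append((name, pretty, f"{mode} is world-writable on disk"))
        if "forceuser" in share:
            findings.append((name, "force user",
                             "all file operations run as one UNIX account; "
                             "per-user ownership and accountability are lost"))
    return findings


if __name__ == "__main__":
    for section, param, msg in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {param}: {msg}")
```

Point it at a real file with `lint(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the parser deliberately mirrors smbd's override-on-repeat behaviour, so a share that sets `create mode` twice (as the posted [homes] section does) is judged on the last value, which is the one that takes effect.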

Re: Please criticize my smb.conf

Samba - General mailing list
Thank you!

