From fd29cdb7a72e4d2b8bfacd38f105fc25812d6f7f Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Sat, 26 Jan 2019 23:45:10 +0300 Subject: [PATCH] ROSA default config Inspired by Ubuntu/Debian smb.conf --- examples/smb.conf.default | 134 +++++++++++++++++++++++++++++++------- 1 file changed, 109 insertions(+), 25 deletions(-) diff --git a/examples/smb.conf.default b/examples/smb.conf.default index 2f207209018..c63554aeb3a 100644 --- a/examples/smb.conf.default +++ b/examples/smb.conf.default @@ -23,10 +23,10 @@ [global] # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH - workgroup = MYGROUP + workgroup = WORKGROUP # server string is the equivalent of the NT Description field - server string = Samba Server + server string = Samba on %h (ROSA GNU/Linux @ROSA_PLATFORM@) # Server role. Defines in which mode Samba will operate. Possible # values are "standalone server", "member server", "classic primary @@ -52,10 +52,10 @@ # this tells Samba to use a separate log file for each machine # that connects - log file = /usr/local/samba/var/log.%m +; log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). - max log size = 50 + max log size = 20480 # Specifies the Kerberos or Active Directory realm the host is part of ; realm = MY_REALM @@ -63,7 +63,7 @@ # Backend to store user information in. New installations should # use either tdbsam or ldapsam. smbpasswd is available for backwards # compatibility. tdbsam requires no further configuration. -; passdb backend = tdbsam + passdb backend = tdbsam # Using the following line enables you to customise your configuration # on a per machine basis. The %m gets replaced with the netbios name 
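Review bot: The new `server string = Samba on %h (ROSA GNU/Linux @ROSA_PLATFORM@)` in the `@@ -23,10 +23,10 @@` hunk advertises the distribution and platform release to every client that browses the server, which makes version fingerprinting easier. Consider a neutral default such as `server string = Samba on %h`, or add a comment above the line saying that the string is visible to clients and can be shortened.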
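Review bot: In the `@@ -52,10 +52,10 @@` hunk the `log file` line is now commented out, but the comment above it still reads as if per-machine logging were active. A line such as `# Uncomment to write one log file per connecting machine; otherwise smbd uses its built-in default log file` would keep the comment accurate. Per-client logs are also worth recommending there, because they make it easier to attribute connections during an investigation.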
@@ -99,21 +99,92 @@ # via DNS nslookups. The default is NO. dns proxy = no +# This parameter will control whether or not Samba should obey PAM's account +# and session management directives. The default behavior is to use PAM for +# clear text authentication only and to ignore any account or session management. +# Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. +# The reason is that PAM modules cannot support the challenge/response authentication +# mechanism needed in the presence of SMB password encryption. + obey pam restrictions = yes + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# 'yes' allows plain-text authorization if needed (we don't recommend using it!) + client plaintext auth = yes + # These scripts are used on a domain controller or stand-alone # machine to add or delete corresponding unix accounts -; add user script = /usr/sbin/useradd %u -; add group script = /usr/sbin/groupadd %g -; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u -; delete user script = /usr/sbin/userdel %u -; delete user from group script = /usr/sbin/deluser %u %g -; delete group script = /usr/sbin/groupdel %g - - + add user script = /usr/sbin/useradd %u + add group script = /usr/sbin/groupadd %g + add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u + delete user script = /usr/sbin/userdel %u + delete user from group script = /usr/bin/gpasswd %u %g + delete group script = /usr/sbin/groupdel %g + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. 
+ pam password change = yes + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command (including share plugins for Dolphin, Thunar, Nautilus etc.). + +# Maximum number of usershare. 0 (default) means that usershare is disabled. + usershare max shares = 100 + +# Controls if usershares can permit guest access + usershare allow guests = yes + +# Asolute path of the directory on the filesystem used to store +# the user defined share definition files. +# This directory must be owned by root, and have no access for other, +# and be writable only by the group owner. In addition the "sticky" bit must +# also be set, restricting rename and delete to owners of a file +# (in the same way the /tmp directory is usually configured). Members of the group +# owner of this directory are the users allowed to create usershares. +# On ROSA, users must be in the group 'sambashare'. + usershare path = @smb_usershare_dir@ + +# This controls whether shares are seen in the list of available shares +# in a net view and in the browse list. + browseable = yes + +# Anonymous connections are mapped to this user + guest account = nobody + #============================ Share Definitions ============================== -[homes] - comment = Home Directories - browseable = no - writable = yes +# Un-comment the following (and tweak the other settings below to suit) +# to enable the default home directory shares. This will share each +# user's home directory as \\server\username +;[homes] +; comment = Home Directories +; browseable = no + +# By default, the home directories are exported read-only. Change the +# next parameter to 'no' if you want to be able to write to them. +; read only = yes + +# File creation mask is set to 0700 for security reasons. 
If you want to +# create files with group=rw permissions, set next parameter to 0775. +; create mask = 0700 + +# Directory creation mask is set to 0700 for security reasons. If you want to +# create dirs. with group=rw permissions, set next parameter to 0775. +; directory mask = 0700 + +# By default, \\server\username shares can be connected to by anyone +# with access to the samba server. +# Un-comment the following parameter to make sure that only "username" +# can connect to \\server\username +# This might need tweaking when using external authentication schemes +; valid users = %S # Un-comment the following and create the netlogon directory for Domain Logons ; [netlogon] @@ -131,17 +202,30 @@ ; browseable = no ; guest ok = yes - -# NOTE: If you have a BSD-style print system there is no need to -# specifically define each individual printer [printers] comment = All Printers - path = /usr/spool/samba - browseable = no -# Set public = yes to allow user 'guest account' to print - guest ok = no - writable = no + browseable = yes + path = /var/spool/samba printable = yes +# change to 'guest ok = no' to block unauthenticated printing from inside network + guest ok = yes + read only = yes + create mask = 0700 + +# Windows clients look for this share name as a source of downloadable +# printer drivers +[print$] + comment = Printer Drivers + path = /var/lib/samba/printers + browseable = yes + read only = yes + guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. +# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin # This one is useful for people to share files ;[tmp] -- 2.17.1
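Review bot: In the `@@ -99,21 +99,92 @@` hunk, `client plaintext auth = yes` is enabled even though the comment directly above it advises against it; with this setting Samba's client tools will send a cleartext password to a server that does not negotiate encrypted authentication, so a spoofed or downgraded server can collect credentials. I would ship `client plaintext auth = no` (the upstream default, as far as I know) and leave enabling it to the admin. The newly enabled `delete user from group script = /usr/bin/gpasswd %u %g` also looks wrong, since gpasswd removes a member with `-d`: `delete user from group script = /usr/bin/gpasswd -d %u %g`. Separately, `map to guest = bad user` together with `usershare allow guests = yes` means any member of the usershare group can publish a share that unknown usernames reach without a password; a comment saying so next to `usershare allow guests`, or defaulting it to `no`, would make that exposure explicit. The added comment above `usershare path` also has the typo "Asolute".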
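Review bot: Unauthenticated printing becomes the default in `[printers]` in the `@@ -131,17 +202,30 @@` hunk: `guest ok` changes from `no` to `yes` and the share becomes browseable, so with the global `map to guest = bad user` added in the previous hunk any host that can reach smbd can queue jobs into `/var/spool/samba` without credentials. A packaged default is safer closed: keep `guest ok = no` and turn the comment into the opt-in, e.g. `# change to 'guest ok = yes' to allow unauthenticated printing from inside the network`. The hunk also drops the note about BSD-style print systems without a replacement, which may be intentional but is not mentioned in the description.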