~zulcss/samba/server-dailies-3.4

<indexterm id="appf-idx-993481-0" class="startofrange"><primary>configuration files</primary><secondary>sample of</secondary></indexterm>This appendix gives an example of a production <filename>smb.conf</filename> file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:</para>

<programlisting># smb.conf -- File Server System for: 1 Example.COM BSC & Management Office

[globals]

workgroup = 1EG_BSC

interfaces = 10.10.1.14/24</programlisting>

<para>We provide this service on only one of the machine's interfaces. The <literal>interfaces</literal> option sets its address and netmask, where <literal>/24</literal> is the same as using the netmask 255.255.255.0:</para>

<programlisting>comment = Samba ver. %v

preexec = csh -c `echo /usr/samba/bin/smbclient \

-M %m -I %I` &</programlisting>

<para>We use the <command>preexec</command> command to log information about all connections by machine name (<literal>%m</literal>) and IP address (<literal>%I)</literal>:</para>

<programlisting># smbstatus will output various info on current status

status = yes

browseable = yes

printing = bsd

# the username that will be used for access to services

# specified with 'guest = ok'

guest account = samba</programlisting>

<para>The default guest account was <literal>nobody</literal>, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:</para>

<programlisting># superuser account - admin privilages to shares, with no

# restrictions

# WARNING - use this with care: files can be modified,

# regardless of file permissions

admin users = root

# who is NOT allowed to connect to ANY service

invalid users = @wheel, mail, deamon, adt</programlisting>

<para>Daemons can't use Samba, only people. The <literal>invalid</literal> <literal>users</literal> option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.</para>

<programlisting># hosts that are ALLOWED or DENIED from connecting to ANY service

hosts allow = 10.10.1.

hosts deny = 10.10.1.6

# where the lock files will be located

lock directory = /var/lock/samba/locks

# debug log files

# %m = separate log for each NetBIOS name (each machine)

log file = /var/log/samba/log.%m

# We send priority 0, 1 and 2 messages to the system logs

syslog = 2

# If a WinPopup message is sent to the server,

# redirect it to a user via e-mail

message command = /bin/mail -s 'message from #% on %m' \

pkelly < %s; rm %s

# ---------------------------------------------------

# [globals] Performance Tuning

# ---------------------------------------------------

# caching algorithm to reduce time doing getwd() calls.

getwd cache = yes

socket options = TCP_NODELAY

# tell the server whether the client is present and

# responding in seconds

keep alive = 60

# num minutes of inactivity before a connection is

# considered dead

dead time = 30

read prediction = yes

share modes = yes

max xmit = 17384

read size = 512</programlisting>

<para>The <literal>share</literal> <literal>modes</literal>, <literal>max</literal>, <literal>xinit</literal>, and <literal>read</literal> <literal>size</literal> options are machine-specific (see <link linkend="SAMBA-AP-B">Appendix B</link>):</para>

100

<programlisting># locking is done by the server

101

locking = yes

102

103

# control whether dos style attributes should be mapped

104

# to unix execute bits

105

map hidden = yes

106

map archive = yes

107

map system = yes</programlisting>

108

109

110

<para>The three <literal>map</literal> options will work only on shares with a create mode that includes the execute bits (0111). Our <literal>homes</literal> and <literal>printers</literal> shares won't honor them, but the [<literal>www]</literal> share will:</para>

111

112

113

<programlisting># ---------------------------------------------------------

114

# [globals] Security and Domain Logon Services

115

# ---------------------------------------------------------

116

# connections are made with UID and GID, not as shares

117

security = user

118

119

# boolean variable that controls whether passwords

120

# will be encrypted

121

encrypt passwords = yes

122

passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"

123

passwd program = /usr/bin/passwd %u

124

125

# Always become the local master browser

126

domain master = yes

127

preferred master = yes

128

os level = 34

129

130

# For domain logons to work correctly. Samba acts as a

131

# primary domain controller.

132

domain logons = yes

133

134

# Logon script to run for user off the server each time

135

# username (%U) logs in. Set the time, connect to shares,

136

# virus checks, etc.

137

logon script = scripts\%U.bat

138

139

[netlogon]

140

comment = "Domain Logon Services"

141

path = /u/netlogon

142

writable = yes

143

create mode = 444

144

guest ok = no

145

volume = "Network"</programlisting>

146

147

148

<para>This share, discussed in <link linkend="SAMBA-CH-6">Chapter 6</link>, is required for Samba to work smoothly in a Windows NT domain:</para>

149

150

151

<programlisting># -----------------------------------------------------------

152

# [homes] User Home Directories

153

# -----------------------------------------------------------

154

[homes]

155

comment = "Home Directory for : %u "

156

path = /u/users/%u</programlisting>

157

158

159

<para>The password file of the Samba server specifies each person's home directory as <emphasis>/home/</emphasis><replaceable>machine_name</replaceable><emphasis>/</emphasis><replaceable>person</replaceable>, which NFS converts to point to the actual physicl location under <emphasis>/u/users</emphasis>. The <literal>path</literal> option in the <literal>[homes]</literal> share tells Samba the actual (non-NFS) location:</para>

160

161

162

<programlisting>guest ok = no

163

read only = no

164

create mode = 644

165

writable = yes

166

browseable = no

167

168

# -----------------------------------------------------------

169

# [printers] System Printers

170

# -----------------------------------------------------------

171

[printers]

172

comment = "Printers"

173

path = /var/spool/lpd/samba

174

printcap name = /etc/printcap

175

printable = yes

176

public = no

177

writable = no

178

179

lpq command = /usr/bin/lpq -P%p

180

lprm command = /usr/bin/lprm -P%p %j

181

lppause command = /usr/sbin/lpc stop %p

182

lpresume command = /usr/sbin/lpc start %p

183

184

create mode = 0700

185

186

browseable = no

187

load printers = yes

188

189

# -----------------------------------------------------------

190

# Specific Descriptions: [programs] [data] [retail]

191

# -----------------------------------------------------------

192

[programs]

193

comment = "Shared Programs %T"

194

volume = "programs"</programlisting>

195

196

197

<para>Shared Programs shows up in the Network Neighborhood, and <literal>programs</literal> is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:</para>

198

199

200

<programlisting>path = /u/programs

201

public = yes

202

writeable = yes

203

printable = no

204

create mode = 664

205

[cdrom]

206

comment = "Unix CDROM"

207

path = /u/cdrom

208

public = no

209

writeable = no

210

printable = no

211

volume = "cdrom"

212

213

[data]

214

comment = "Data Directories %T"

215

path = /u/data

216

public = no

217

create mode = 770

218

writeable = yes

219

volume = "data"

220

221

[nt4]

222

comment = "NT4 Server"

223

path = /u/systems/nt4

224

public = yes

225

create mode = 770

226

writeable = yes

227

volume = "nt4_server"

228

229

[www]

230

comment = "WWW System"

231

path = /usr/www/http

232

public = yes

233

create mode = 775

234

writeable = yes

235

volume = "www_system"</programlisting>

236

237

238

<para>The <literal>[www]</literal> share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.</para>

239

240

241

242

243

244

245

246

247

248

249

250

</appendix>