smb.conf

1. # This is the main Samba configuration file. For detailed information about the
2. # options listed here, refer to the smb.conf(5) manual page. Samba has a huge
3. # number of configurable options, most of which are not shown in this example.
4. #
5. # The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
6. # guides for installing, configuring, and using Samba:
7. # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
8. #
9. # The Samba-3 by Example guide has working examples for smb.conf. This guide is
10. # generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
11. #
12. # In this file, lines starting with a semicolon (;) or a hash (#) are
13. # comments and are ignored. This file uses hashes to denote commentary and
14. # semicolons for parts of the file you may wish to configure.
15. #
16. # Note: Run the "testparm" command after modifying this file to check for basic
17. # syntax errors.
18. #
19. #---------------
20. # Security-Enhanced Linux (SELinux) Notes:
21. #
22. # Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
23. # and groupadd family of binaries. Run the following command as the root user to
24. # turn this Boolean on:
25. # setsebool -P samba_domain_controller on
26. #
27. # Turn the samba_enable_home_dirs Boolean on if you want to share home
28. # directories via Samba. Run the following command as the root user to turn this
29. # Boolean on:
30. # setsebool -P samba_enable_home_dirs on
31. #
32. # If you create a new directory, such as a new top-level directory, label it
33. # with samba_share_t so that SELinux allows Samba to read and write to it. Do
34. # not label system directories, such as /etc/ and /home/, with samba_share_t, as
35. # such directories should already have an SELinux label.
36. #
37. # Run the "ls -ldZ /path/to/directory" command to view the current SELinux
38. # label for a given directory.
39. #
40. # Set SELinux labels only on files and directories you have created. Use the
41. # chcon command to temporarily change a label:
42. # chcon -t samba_share_t /path/to/directory
43. #
44. # Changes made via chcon are lost when the file system is relabeled or commands
45. # such as restorecon are run.
46. #
47. # Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
48. # directories. To share such directories and only allow read-only permissions:
49. # setsebool -P samba_export_all_ro on
50. # To share such directories and allow read and write permissions:
51. # setsebool -P samba_export_all_rw on
52. #
53. # To run scripts (preexec/root prexec/print command/...), copy them to the
54. # /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
55. # Note that if you move the scripts to /var/lib/samba/scripts/, they retain
56. # their existing SELinux labels, which may be labels that SELinux does not allow
57. # smbd to run. Copying the scripts will result in the correct SELinux labels.
58. # Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
59. # apply the correct SELinux labels to these files.
60. #
61. #--------------
62. #
63. #======================= Global Settings =====================================
64.  
65. [global]
66.  
67. # ----------------------- Network-Related Options -------------------------
68. #
69. # workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
70. #
71. # server string = the equivalent of the Windows NT Description field.
72. #
73. # netbios name = used to specify a server name that is not tied to the hostname.
74. #
75. # interfaces = used to configure Samba to listen on multiple network interfaces.
76. # If you have multiple interfaces, you can use the "interfaces =" option to
77. # configure which of those interfaces Samba listens on. Never omit the localhost
78. # interface (lo).
79. #
80. # hosts allow = the hosts allowed to connect. This option can also be used on a
81. # per-share basis.
82. #
83. # hosts deny = the hosts not allowed to connect. This option can also be used on
84. # a per-share basis.
85. #
86. # max protocol = used to define the supported protocol. The default is NT1. You
87. # can set it to SMB2 if you want experimental SMB2 support.
88. #
89. workgroup = HOMENET
90. server string = Samba Server Version %v
91.  
92. ; netbios name = MYSERVER
93.  
94. interfaces = lo eth0 192.168.1.6/24
95. hosts allow = 127. 192.168.1.
96.  
97. ; max protocol = SMB2
98.  
99. # --------------------------- Logging Options -----------------------------
100. #
101. # log file = specify where log files are written to and how they are split.
102. #
103. # max log size = specify the maximum size log files are allowed to reach. Log
104. # files are rotated when they reach the size specified with "max log size".
105. #
106.  
107. # log files split per-machine:
108. log file = /var/log/samba/log.%m
109. # maximum size of 50KB per log file, then rotate:
110. max log size = 50
111.  
112. # ----------------------- Standalone Server Options ------------------------
113. #
114. # security = the mode Samba runs in. This can be set to user, share
115. # (deprecated), or server (deprecated).
116. #
117. # passdb backend = the backend used to store user information in. New
118. # installations should use either tdbsam or ldapsam. No additional configuration
119. # is required for tdbsam. The "smbpasswd" utility is available for backwards
120. # compatibility.
121. #
122.  
123. security = user
124. passdb backend = tdbsam
125.  
126.  
127. # ----------------------- Domain Members Options ------------------------
128. #
129. # security = must be set to domain or ads.
130. #
131. # passdb backend = the backend used to store user information in. New
132. # installations should use either tdbsam or ldapsam. No additional configuration
133. # is required for tdbsam. The "smbpasswd" utility is available for backwards
134. # compatibility.
135. #
136. # realm = only use the realm option when the "security = ads" option is set.
137. # The realm option specifies the Active Directory realm the host is a part of.
138. #
139. # password server = only use this option when the "security = server"
140. # option is set, or if you cannot use DNS to locate a Domain Controller. The
141. # argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
142. #
143. # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
144. #
145. # Use "password server = *" to automatically locate Domain Controllers.
146.  
147. ; security = domain
148. ; passdb backend = tdbsam
149. ; realm = MY_REALM
150.  
151. ; password server = <NT-Server-Name>
152.  
153. # ----------------------- Domain Controller Options ------------------------
154. #
155. # security = must be set to user for domain controllers.
156. #
157. # passdb backend = the backend used to store user information in. New
158. # installations should use either tdbsam or ldapsam. No additional configuration
159. # is required for tdbsam. The "smbpasswd" utility is available for backwards
160. # compatibility.
161. #
162. # domain master = specifies Samba to be the Domain Master Browser, allowing
163. # Samba to collate browse lists between subnets. Do not use the "domain master"
164. # option if you already have a Windows NT domain controller performing this task.
165. #
166. # domain logons = allows Samba to provide a network logon service for Windows
167. # workstations.
168. #
169. # logon script = specifies a script to run at login time on the client. These
170. # scripts must be provided in a share named NETLOGON.
171. #
172. # logon path = specifies (with a UNC path) where user profiles are stored.
173. #
174. #
175. ; security = user
176. ; passdb backend = tdbsam
177.  
178. ; domain master = yes
179. ; domain logons = yes
180.  
181. # the following login script name is determined by the machine name
182. # (%m):
183. ; logon script = %m.bat
184. # the following login script name is determined by the UNIX user used:
185. ; logon script = %u.bat
186. ; logon path = \\%L\Profiles\%u
187. # use an empty path to disable profile support:
188. ; logon path =
189.  
190. # various scripts can be used on a domain controller or a stand-alone
191. # machine to add or delete corresponding UNIX accounts:
192.  
193. ; add user script = /usr/sbin/useradd "%u" -n -g users
194. ; add group script = /usr/sbin/groupadd "%g"
195. ; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
196. ; delete user script = /usr/sbin/userdel "%u"
197. ; delete user from group script = /usr/sbin/userdel "%u" "%g"
198. ; delete group script = /usr/sbin/groupdel "%g"
199.  
200.  
201. # ----------------------- Browser Control Options ----------------------------
202. #
203. # local master = when set to no, Samba does not become the master browser on
204. # your network. When set to yes, normal election rules apply.
205. #
206. # os level = determines the precedence the server has in master browser
207. # elections. The default value should be reasonable.
208. #
209. # preferred master = when set to yes, Samba forces a local browser election at
210. # start up (and gives itself a slightly higher chance of winning the election).
211. #
212. ; local master = no
213. ; os level = 33
214. ; preferred master = yes
215.  
216. #----------------------------- Name Resolution -------------------------------
217. #
218. # This section details the support for the Windows Internet Name Service (WINS).
219. #
220. # Note: Samba can be either a WINS server or a WINS client, but not both.
221. #
222. # wins support = when set to yes, the NMBD component of Samba enables its WINS
223. # server.
224. #
225. # wins server = tells the NMBD component of Samba to be a WINS client.
226. #
227. # wins proxy = when set to yes, Samba answers name resolution queries on behalf
228. # of a non WINS capable client. For this to work, there must be at least one
229. # WINS server on the network. The default is no.
230. #
231. # dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
232. # nslookups.
233.  
234. ; wins support = yes
235. ; wins server = w.x.y.z
236. ; wins proxy = yes
237.  
238. ; dns proxy = yes
239.  
240. # --------------------------- Printing Options -----------------------------
241. #
242. # The options in this section allow you to configure a non-default printing
243. # system.
244. #
245. # load printers = when set you yes, the list of printers is automatically
246. # loaded, rather than setting them up individually.
247. #
248. # cups options = allows you to pass options to the CUPS library. Setting this
249. # option to raw, for example, allows you to use drivers on your Windows clients.
250. #
251. # printcap name = used to specify an alternative printcap file.
252. #
253.  
254. load printers = yes
255. cups options = raw
256.  
257. ; printcap name = /etc/printcap
258. # obtain a list of printers automatically on UNIX System V systems:
259. ; printcap name = lpstat
260. ; printing = cups
261.  
262. # --------------------------- File System Options ---------------------------
263. #
264. # The options in this section can be un-commented if the file system supports
265. # extended attributes, and those attributes are enabled (usually via the
266. # "user_xattr" mount option). These options allow the administrator to specify
267. # that DOS attributes are stored in extended attributes and also make sure that
268. # Samba does not change the permission bits.
269. #
270. # Note: These options can be used on a per-share basis. Setting them globally
271. # (in the [global] section) makes them the default for all shares.
272.  
273. ; map archive = no
274. ; map hidden = no
275. ; map read only = no
276. ; map system = no
277. ; store dos attributes = yes
278.  
279.  
280. #============================ Share Definitions ==============================
281.  
282. [homes]
283. comment = Home Directories
284. browseable = no
285. writable = yes
286. ; valid users = %S
287. ; valid users = MYDOMAIN\%S
288. create mode = 0664
289. directory mode = 0775
290.  
291. [printers]
292. comment = All Printers
293. path = /var/spool/samba
294. browseable = no
295. # Set public = yes to allow user 'guest account' to print
296. public = yes
297. guest ok = yes
298. writable = no
299. printable = yes
300. use client driver = yes
301.  
302. # Un-comment the following and create the netlogon directory for Domain Logons:
303. ; [netlogon]
304. ; comment = Network Logon Service
305. ; path = /var/lib/samba/netlogon
306. ; guest ok = yes
307. ; writable = no
308. ; share modes = no
309.  
310. # Un-comment the following to provide a specific roving profile share.
311. # The default is to use the user's home directory:
312. ; [Profiles]
313. ; path = /var/lib/samba/profiles
314. ; browseable = no
315. ; guest ok = yes
316.  
317. # This one is useful for people to share files
318. [vartmp]
319. comment = Temporary file space in var
320. path = /var/tmp
321. read only = no
322. public = yes
323.  
324. # A publicly accessible directory that is read only, except for users in the
325. # "staff" group (which have write permissions):
326. ; [public]
327. ; comment = Public Stuff
328. ; path = /home/samba
329. ; public = yes
330. ; writable = yes
331. ; printable = no
332. ; write list = +staff