Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##################################################### SAMBA .CONF FILE ##################################################
- #
- # Sample configuration file for the Samba suite for Debian GNU/Linux.
- #
- #
- # This is the main Samba configuration file. You should read the
- # smb.conf(5) manual page in order to understand the options listed
- # here. Samba has a huge number of configurable options most of which
- # are not shown in this example
- #
- # Some options that are often worth tuning have been included as
- # commented-out examples in this file.
- # - When such options are commented with ";", the proposed setting
- # differs from the default Samba behaviour
- # - When commented with "#", the proposed setting is the default
- # behaviour of Samba but the option is considered important
- # enough to be mentioned here
- #
- # NOTE: Whenever you modify this file you should run the command
- # "testparm" to check that you have not made any basic syntactic
- # errors.
- #======================= Global Settings =======================
- [global]
- ## Browsing/Identification ###
- # Change this to the workgroup/NT-domain name your Samba server will part of
- workgroup = DOMAIN
- #client singing = yes
- client use spnego = yes
- kerberos method = secrets and keytab
- realm = DOMAIN.local
- security = ads
- winbind use default domain = Yes
- winbind offline logon = true
- winbind enum users = Yes
- winbind enum groups = Yes
- template homedir = /home/%D/%U
- template shell = /bin/bash
- # server string is the equivalent of the NT Description field
- server string = %h server (Samba, Ubuntu)
- # Windows Internet Name Serving Support Section:
- # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
- # wins support = no
- # WINS Server - Tells the NMBD components of Samba to be a WINS Client
- # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
- ; wins server = w.x.y.z
- # This will prevent nmbd to search for NetBIOS names through DNS.
- dns proxy = no
- #### Networking ####
- # The specific set of interfaces / networks to bind to
- # This can be either the interface name or an IP address/netmask;
- # interface names are normally preferred
- ; interfaces = 127.0.0.0/8 eth0
- # Only bind to the named interfaces and/or networks; you must use the
- # 'interfaces' option above to use this.
- # It is recommended that you enable this feature if your Samba machine is
- # not protected by a firewall or is a firewall itself. However, this
- # option cannot handle dynamic or non-broadcast interfaces correctly.
- ; bind interfaces only = yes
- #### Debugging/Accounting ####
- # This tells Samba to use a separate log file for each machine
- # that connects
- log file = /var/log/samba/log.%m
- # Cap the size of the individual log files (in KiB).
- max log size = 1000
- # If you want Samba to only log through syslog then set the following
- # parameter to 'yes'.
- # syslog only = no
- # We want Samba to log a minimum amount of information to syslog. Everything
- # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
- # through syslog you should set the following parameter to something higher.
- syslog = 0
- # Do something sensible when Samba crashes: mail the admin a backtrace
- panic action = /usr/share/samba/panic-action %d
- ####### Authentication #######
- # Server role. Defines in which mode Samba will operate. Possible
- # values are "standalone server", "member server", "classic primary
- # domain controller", "classic backup domain controller", "active
- # directory domain controller".
- #
- # Most people will want "standalone sever" or "member server".
- # Running as "active directory domain controller" will require first
- # running "samba-tool domain provision" to wipe databases and create a
- # new domain.
- server role = standalone server
- # If you are using encrypted passwords, Samba will need to know what
- # password database type you are using.
- passdb backend = tdbsam
- obey pam restrictions = yes
- # This boolean parameter controls whether Samba attempts to sync the Unix
- # password with the SMB password when the encrypted SMB password in the
- # passdb is changed.
- unix password sync = yes
- # For Unix password sync to work on a Debian GNU/Linux system, the following
- # parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
- # sending the correct chat script for the passwd program in Debian Sarge).
- passwd program = /usr/bin/passwd %u
- passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
- # This boolean controls whether PAM will be used for password changes
- # when requested by an SMB client instead of the program listed in
- # 'passwd program'. The default is 'no'.
- pam password change = yes
- # This option controls how unsuccessful authentication attempts are mapped
- # to anonymous connections
- map untrusted to domain = Yes
- map to guest = bad user
- ########## Domains ###########
- #
- # The following settings only takes effect if 'server role = primary
- # classic domain controller', 'server role = backup domain controller'
- # or 'domain logons' is set
- #
- # It specifies the location of the user's
- # profile directory from the client point of view) The following
- # required a [profiles] share to be setup on the samba server (see
- # below)
- ; logon path = \\%N\profiles\%U
- # Another common choice is storing the profile in the user's home directory
- # (this is Samba's default)
- # logon path = \\%N\%U\profile
- # The following setting only takes effect if 'domain logons' is set
- # It specifies the location of a user's home directory (from the client
- # point of view)
- ; logon drive = H:
- # logon home = \\%N\%U
- # The following setting only takes effect if 'domain logons' is set
- # It specifies the script to run during logon. The script must be stored
- # in the [netlogon] share
- # NOTE: Must be store in 'DOS' file format convention
- ; logon script = logon.cmd
- # This allows Unix users to be created on the domain controller via the SAMR
- # RPC pipe. The example command creates a user account with a disabled Unix
- # password; please adapt to your needs
- ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
- # This allows machine accounts to be created on the domain controller via the
- # SAMR RPC pipe.
- # The following assumes a "machines" group exists on the system
- ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
- # This allows Unix groups to be created on the domain controller via the SAMR
- # RPC pipe.
- ; add group script = /usr/sbin/addgroup --force-badname %g
- ############ Misc ############
- # Using the following line enables you to customise your configuration
- # on a per machine basis. The %m gets replaced with the netbios name
- # of the machine that is connecting
- ; include = /home/samba/etc/smb.conf.%m
- # Some defaults for winbind (make sure you're not using the ranges
- # for something else.)
- idmap uid = 1000000000-4999999999
- idmap gid = 1000000000-4999999999
- template shell = /bin/bash
- ; idmap backend = TDB
- idmap config * : range = 1000000000-4999999999
- idmap config * : backend = tdb
- idmap config DOMAIN : backend = rid
- idmap config DOMAIN : range = 1000000000-4999999999
- # Setup usershare options to enable non-root users to share folders
- # with the net usershare command.
- # Maximum number of usershare. 0 (default) means that usershare is disabled.
- ; usershare max shares = 100
- # Allow users who've been granted usershare privileges to create
- # public shares, not just authenticated ones
- usershare allow guests = yes
- #======================= Share Definitions =======================
- # Un-comment the following (and tweak the other settings below to suit)
- # to enable the default home directory shares. This will share each
- # user's home directory as \\server\username
- ;[homes]
- ; comment = Home Directories
- ; browseable = no
- # By default, the home directories are exported read-only. Change the
- # next parameter to 'no' if you want to be able to write to them.
- ; read only = yes
- # File creation mask is set to 0700 for security reasons. If you want to
- # create files with group=rw permissions, set next parameter to 0775.
- ; create mask = 0700
- # Directory creation mask is set to 0700 for security reasons. If you want to
- # create dirs. with group=rw permissions, set next parameter to 0775.
- ; directory mask = 0700
- # By default, \\server\username shares can be connected to by anyone
- # with access to the samba server.
- # Un-comment the following parameter to make sure that only "username"
- # can connect to \\server\username
- # This might need tweaking when using external authentication schemes
- ; valid users = %S
- # Un-comment the following and create the netlogon directory for Domain Logons
- # (you need to configure Samba to act as a domain controller too.)
- ;[netlogon]
- ; comment = Network Logon Service
- ; path = /home/samba/netlogon
- ; guest ok = yes
- ; read only = yes
- # Un-comment the following and create the profiles directory to store
- # users profiles (see the "logon path" option above)
- # (you need to configure Samba to act as a domain controller too.)
- # The path below should be writable by all users so that their
- # profile directory may be created the first time they log on
- ;[profiles]
- ; comment = Users profiles
- ; path = /home/samba/profiles
- ; guest ok = no
- ; browseable = no
- ; create mask = 0600
- ; directory mask = 0700
- [printers]
- comment = All Printers
- browseable = no
- path = /var/spool/samba
- printable = yes
- guest ok = no
- read only = yes
- create mask = 0700
- # Windows clients look for this share name as a source of downloadable
- # printer drivers
- [print$]
- comment = Printer Drivers
- path = /var/lib/samba/printers
- browseable = yes
- read only = yes
- guest ok = no
- # Uncomment to allow remote administration of Windows print drivers.
- # You may need to replace 'lpadmin' with the name of the group your
- # admin users are members of.
- # Please note that you also need to set appropriate Unix permissions
- # to the drivers directory for these users to have write rights in it
- ; write list = root, @lpadmin
- ################################################## END OF SAMBA .CONF FILE ##############################################
- ################################################## SSSD .CONF FILE ######################################################
- [sssd]
- services = nss, pam
- config_file_version = 2
- domains = DOMAIN.LOCAL
- [nss]
- filter_groups = root
- filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
- reconnection_retries = 3
- entry_cache_nowait_percentage = 50
- [pam]
- reconnection_retries = 3
- [domain/DOMAIN.LOCAL]
- id_provider = ad
- access_provider = ad
- dns_discovery_domain = domain.local
- auth_provider = ad
- access_provider = ad
- chpass_provider = none
- override_homedir = /home/%d/%u
- ad_domain = domain.local
- ad_enable_gc = false
- ldap_id_mapping = False
- ldap_use_tokengroups = true
- dyndns_update = False
- cache_credentials = False
- ldap_user_gecos = displayName
- ad_gpo_access_control=permissive
- default_shell = /bin/bash
- # Uncomment if the client machine hostname doesn't match the computer object on the DC.
- # ad_hostname = mymachine.myubuntu.example.com
- # Uncomment if DNS SRV resolution is not working
- # ad_server = dc.mydomain.example.com
- # Uncomment if the AD domain is named differently than the Samba domain
- # ad_domain = MYUBUNTU.EXAMPLE.COM
- # Enumeration is discouraged for performance reasons.
- enumerate = true
- #################################################### END OF SSSD .CONF FILE #############################################
- ################################################# KERBEROS .CONF FILE ###################################################
- [libdefaults]
- default_realm = DOMAIN.LOCAL
- # The following krb5.conf variables are only for MIT Kerberos.
- krb4_config = /etc/krb.conf
- krb4_realms = /etc/krb.realms
- kdc_timesync = 1
- ccache_type = 4
- forwardable = true
- proxiable = true
- # The following encryption type specification will be used by MIT Kerberos
- # if uncommented. In general, the defaults in the MIT Kerberos code are
- # correct and overriding these specifications only serves to disable new
- # encryption types as they are added, creating interoperability problems.
- #
- # Thie only time when you might need to uncomment these lines and change
- # the enctypes is if you have local software that will break on ticket
- # caches containing ticket encryption types it doesn't know about (such as
- # old versions of Sun Java).
- # default_tgs_enctypes = des3-hmac-sha1
- # default_tkt_enctypes = des3-hmac-sha1
- # permitted_enctypes = des3-hmac-sha1
- # The following libdefaults parameters are only for Heimdal Kerberos.
- v4_instance_resolve = false
- v4_name_convert = {
- host = {
- rcmd = host
- ftp = ftp
- }
- plain = {
- something = something-else
- }
- }
- fcc-mit-ticketflags = true
- default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- dns_lookup_realm = true
- dns_lookup_kdc = true
- pkinit_kdc_hostname = <DNS>
- pkinit_anchors = DIR:/var/lib/likewise/trusted_certs
- pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
- pkinit_eku_checking = kpServerAuth
- pkinit_win2k_require_binding = false
- pkinit_identities = PKCS11:/usr/lib/likewise-open/libpkcs11.so
- default_keytab_name = /etc/krb5.keytab
- [realms]
- ATHENA.MIT.EDU = {
- kdc = kerberos.mit.edu:88
- kdc = kerberos-1.mit.edu:88
- kdc = kerberos-2.mit.edu:88
- admin_server = kerberos.mit.edu
- default_domain = mit.edu
- }
- MEDIA-LAB.MIT.EDU = {
- kdc = kerberos.media.mit.edu
- admin_server = kerberos.media.mit.edu
- }
- ZONE.MIT.EDU = {
- kdc = casio.mit.edu
- kdc = seiko.mit.edu
- admin_server = casio.mit.edu
- }
- MOOF.MIT.EDU = {
- kdc = three-headed-dogcow.mit.edu:88
- kdc = three-headed-dogcow-1.mit.edu:88
- admin_server = three-headed-dogcow.mit.edu
- }
- CSAIL.MIT.EDU = {
- kdc = kerberos-1.csail.mit.edu
- kdc = kerberos-2.csail.mit.edu
- admin_server = kerberos.csail.mit.edu
- default_domain = csail.mit.edu
- krb524_server = krb524.csail.mit.edu
- }
- IHTFP.ORG = {
- kdc = kerberos.ihtfp.org
- admin_server = kerberos.ihtfp.org
- }
- GNU.ORG = {
- kdc = kerberos.gnu.org
- kdc = kerberos-2.gnu.org
- kdc = kerberos-3.gnu.org
- admin_server = kerberos.gnu.org
- }
- 1TS.ORG = {
- kdc = kerberos.1ts.org
- admin_server = kerberos.1ts.org
- }
- GRATUITOUS.ORG = {
- kdc = kerberos.gratuitous.org
- admin_server = kerberos.gratuitous.org
- }
- DOOMCOM.ORG = {
- kdc = kerberos.doomcom.org
- admin_server = kerberos.doomcom.org
- }
- ANDREW.CMU.EDU = {
- kdc = kerberos.andrew.cmu.edu
- kdc = kerberos2.andrew.cmu.edu
- kdc = kerberos3.andrew.cmu.edu
- admin_server = kerberos.andrew.cmu.edu
- default_domain = andrew.cmu.edu
- }
- CS.CMU.EDU = {
- kdc = kerberos.cs.cmu.edu
- kdc = kerberos-2.srv.cs.cmu.edu
- admin_server = kerberos.cs.cmu.edu
- }
- DEMENTIA.ORG = {
- kdc = kerberos.dementix.org
- kdc = kerberos2.dementix.org
- admin_server = kerberos.dementix.org
- }
- stanford.edu = {
- kdc = krb5auth1.stanford.edu
- kdc = krb5auth2.stanford.edu
- kdc = krb5auth3.stanford.edu
- master_kdc = krb5auth1.stanford.edu
- admin_server = krb5-admin.stanford.edu
- default_domain = stanford.edu
- }
- UTORONTO.CA = {
- kdc = kerberos1.utoronto.ca
- kdc = kerberos2.utoronto.ca
- kdc = kerberos3.utoronto.ca
- admin_server = kerberos1.utoronto.ca
- default_domain = utoronto.ca
- }
- DOMAIN.LOCAL = {
- kdc = dc.domain.local
- kdc = dc.domain.local
- }
- MY-MACHINE.DOMAIN.LOCAL = {
- auth_to_local = RULE:[1:$0\$1](^MY-MACHINE\.DOMAIN\.LOCAL\\.*)s/^MY-MACHINE\.DOMAIN\.LOCAL/MY-MACHINE/
- auth_to_local = DEFAULT
- }
- [domain_realm]
- .mit.edu = ATHENA.MIT.EDU
- mit.edu = ATHENA.MIT.EDU
- .media.mit.edu = MEDIA-LAB.MIT.EDU
- media.mit.edu = MEDIA-LAB.MIT.EDU
- .csail.mit.edu = CSAIL.MIT.EDU
- csail.mit.edu = CSAIL.MIT.EDU
- .whoi.edu = ATHENA.MIT.EDU
- whoi.edu = ATHENA.MIT.EDU
- .stanford.edu = stanford.edu
- .slac.stanford.edu = SLAC.STANFORD.EDU
- .toronto.edu = UTORONTO.CA
- .utoronto.ca = UTORONTO.CA
- .domain.local = DOMAIN.local
- domain.local = DOMAIN.local
- .my-machine.domain.local = MY-MACHINE.DOMAIN.LOCAL
- [login]
- krb4_convert = true
- krb4_get_tickets = false
- [appdefaults]
- pam = {
- mappings = MY-MACHINE\\(.*) $1@MY-MACHINE.DOMAIN.LOCAL
- forwardable = true
- validate = true
- }
- httpd = {
- mappings = MY-MACHINE\\(.*) $1@MY-MACHINE.DOMAIN.LOCAL
- reverse_mappings = (.*)@MY-MACHINE\.DOMAIN\.LOCAL MY-MACHINE\$1
- }
- ############################################ END OF KERBEROS .CONF FILE #################################################
- ############################################### NSSWITCH.CONF FILE ######################################################
- # /etc/nsswitch.conf
- #
- # Example configuration of GNU Name Service Switch functionality.
- # If you have the `glibc-doc-reference' and `info' packages installed, try:
- # `info libc "Name Service Switch"' for information about this file.
- passwd: compat ldap lsass sss
- passwd_compat: ldap
- group: compat ldap lsass sss winbind
- shadow: compat sss winbind
- gshadow: files
- hosts: files mdns4_minimal dns mdns4 wins
- #hosts: files mdsn4 mdns4_minimal [NOTFOUND=return] dns
- networks: files
- protocols: db files
- services: db files sss
- ethers: db files
- rpc: db files
- netgroup: nis sss
- sudoers: files sss
- ################################################### END OF NSSWITCH.CONF FILE ###########################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement