## Sample configuration file for the Samba suite for Debian GNU/Linux.##

1.  
2. #
3. # Sample configuration file for the Samba suite for Debian GNU/Linux.
4. #
5. #
6. # This is the main Samba configuration file. You should read the
7. # smb.conf(5) manual page in order to understand the options listed
8. # here. Samba has a huge number of configurable options most of which
9. # are not shown in this example
10. #
11. # Some options that are often worth tuning have been included as
12. # commented-out examples in this file.
13. # - When such options are commented with ";", the proposed setting
14. # differs from the default Samba behaviour
15. # - When commented with "#", the proposed setting is the default
16. # behaviour of Samba but the option is considered important
17. # enough to be mentioned here
18. #
19. # NOTE: Whenever you modify this file you should run the command
20. # "testparm" to check that you have not made any basic syntactic
21. # errors.
22. # A well-established practice is to name the original file
23. # "smb.conf.master" and create the "real" config file with
24. # testparm -s smb.conf.master >smb.conf
25. # This minimizes the size of the really used smb.conf file
26. # which, according to the Samba Team, impacts performance
27. # However, use this with caution if your smb.conf file contains nested
28. # "include" statements. See Debian bug #483187 for a case
29. # where using a master file is not a good idea.
30. #
31.  
32. #======================= Global Settings =======================
33.  
34. [global]
35.  
36. ## Browsing/Identification ###
37.  
38. # Change this to the workgroup/NT-domain name your Samba server will part of
39. workgroup = EXAMPLE.COM
40.  
41. # server string is the equivalent of the NT Description field
42. server string = %h server (Samba, Ubuntu)
43.  
44. # Windows Internet Name Serving Support Section:
45. # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
46. # wins support = no
47.  
48. # WINS Server - Tells the NMBD components of Samba to be a WINS Client
49. # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
50. ; wins server = w.x.y.z
51.  
52. # This will prevent nmbd to search for NetBIOS names through DNS.
53. dns proxy = no
54.  
55. # What naming service and in what order should we use to resolve host names
56. # to IP addresses
57. ; name resolve order = lmhosts host wins bcast
58.  
59. #### Networking ####
60.  
61. # The specific set of interfaces / networks to bind to
62. # This can be either the interface name or an IP address/netmask;
63. # interface names are normally preferred
64. ; interfaces = 127.0.0.0/8 eth0
65.  
66. # Only bind to the named interfaces and/or networks; you must use the
67. # 'interfaces' option above to use this.
68. # It is recommended that you enable this feature if your Samba machine is
69. # not protected by a firewall or is a firewall itself. However, this
70. # option cannot handle dynamic or non-broadcast interfaces correctly.
71. ; bind interfaces only = yes
72.  
73.  
74.  
75.  
76. passdb backend = ldapsam:ldap://localhost
77. ldapsam:trusted=yes
78. ldapsam:editposix=yes
79. #enable privileges = yes
80. ldap suffix = dc=example,dc=com
81. ldap user suffix = ou=People
82. ldap group suffix = ou=Groups
83. ldap machine suffix = ou=Computers
84. ldap idmap suffix = ou=Idmap
85. ldap admin dn = cn=root,dc=example,dc=com
86. ;ldap ssl = start tls
87. ldap ssl = no
88. ldap passwd sync = yes
89. #add machine script = sudo smbldap-useradd -t 0 -w "%u"
90. idmap backend = ldap:"ldap://localhost"
91.  
92. idmap alloc backend = ldap
93. idmap alloc config:ldap_base_dn = ou=Idmap,dc=example,dc=com
94. idmap alloc config:ldap_user_dn = cn=root,dc=example,dc=com
95. idmap alloc config:ldap_url = ldap://localhost
96.  
97. #### Debugging/Accounting ####
98.  
99. # This tells Samba to use a separate log file for each machine
100. # that connects
101. log file = /var/log/samba/log.%m
102.  
103. # Cap the size of the individual log files (in KiB).
104. max log size = 1000
105. log level = 10
106.  
107. # If you want Samba to only log through syslog then set the following
108. # parameter to 'yes'.
109. # syslog only = no
110.  
111. # We want Samba to log a minimum amount of information to syslog. Everything
112. # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
113. # through syslog you should set the following parameter to something higher.
114. syslog = 0
115.  
116. # Do something sensible when Samba crashes: mail the admin a backtrace
117. panic action = /usr/share/samba/panic-action %d
118.  
119.  
120. ####### Authentication #######
121.  
122. # "security = user" is always a good idea. This will require a Unix account
123. # in this server for every user accessing the server. See
124. # /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
125. # in the samba-doc package for details.
126. security = user
127.  
128. # You may wish to use password encryption. See the section on
129. # 'encrypt passwords' in the smb.conf(5) manpage before enabling.
130. encrypt passwords = true
131.  
132. # If you are using encrypted passwords, Samba will need to know what
133. # password database type you are using.
134. # passdb backend = tdbsam
135.  
136. obey pam restrictions = yes
137.  
138. # This boolean parameter controls whether Samba attempts to sync the Unix
139. # password with the SMB password when the encrypted SMB password in the
140. # passdb is changed.
141. ;unix password sync = yes
142. ;unix password sync = no
143.  
144. # For Unix password sync to work on a Debian GNU/Linux system, the following
145. # parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
146. # sending the correct chat script for the passwd program in Debian Sarge).
147. passwd program = /usr/bin/passwd %u
148. passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
149.  
150. # This boolean controls whether PAM will be used for password changes
151. # when requested by an SMB client instead of the program listed in
152. # 'passwd program'. The default is 'no'.
153. pam password change = yes
154.  
155. # This option controls how unsuccessful authentication attempts are mapped
156. # to anonymous connections
157. map to guest = bad user
158.  
159. ########## Domains ###########
160.  
161. # Is this machine able to authenticate users. Both PDC and BDC
162. # must have this setting enabled. If you are the BDC you must
163. # change the 'domain master' setting to no
164. #
165. domain logons = yes
166. #
167. # The following setting only takes effect if 'domain logons' is set
168. # It specifies the location of the user's profile directory
169. # from the client point of view)
170. # The following required a [profiles] share to be setup on the
171. # samba server (see below)
172. ; logon path = \\%N\profiles\%U
173. # Another common choice is storing the profile in the user's home directory
174. # (this is Samba's default)
175. logon path = \\%N\%U\profile
176.  
177. # The following setting only takes effect if 'domain logons' is set
178. # It specifies the location of a user's home directory (from the client
179. # point of view)
180. logon drive = H:
181. logon home = \\%N\%U
182.  
183. # The following setting only takes effect if 'domain logons' is set
184. # It specifies the script to run during logon. The script must be stored
185. # in the [netlogon] share
186. # NOTE: Must be store in 'DOS' file format convention
187. logon script = logon.cmd
188.  
189. # This allows Unix users to be created on the domain controller via the SAMR
190. # RPC pipe. The example command creates a user account with a disabled Unix
191. # password; please adapt to your needs
192. ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
193. add machine script = sudo smbldap-useradd -t 0 -w "%u"
194. # This allows machine accounts to be created on the domain controller via the
195. # SAMR RPC pipe.
196. # The following assumes a "machines" group exists on the system
197. # add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
198.  
199. # This allows Unix groups to be created on the domain controller via the SAMR
200. # RPC pipe.
201. ; add group script = /usr/sbin/addgroup --force-badname %g
202.  
203. ########## Printing ##########
204.  
205. # If you want to automatically load your printer list rather
206. # than setting them up individually then you'll need this
207. # load printers = yes
208.  
209. # lpr(ng) printing. You may wish to override the location of the
210. # printcap file
211. ; printing = bsd
212. ; printcap name = /etc/printcap
213.  
214. # CUPS printing. See also the cupsaddsmb(8) manpage in the
215. # cupsys-client package.
216. ; printing = cups
217. ; printcap name = cups
218.  
219. ############ Misc ############
220.  
221. # Using the following line enables you to customise your configuration
222. # on a per machine basis. The %m gets replaced with the netbios name
223. # of the machine that is connecting
224. ; include = /home/samba/etc/smb.conf.%m
225.  
226. # Most people will find that this option gives better performance.
227. # See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
228. # for details
229. # You may want to add the following on a Linux system:
230. # SO_RCVBUF=8192 SO_SNDBUF=8192
231. # socket options = TCP_NODELAY
232.  
233. # The following parameter is useful only if you have the linpopup package
234. # installed. The samba maintainer and the linpopup maintainer are
235. # working to ease installation and configuration of linpopup and samba.
236. ; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
237.  
238. # Domain Master specifies Samba to be the Domain Master Browser. If this
239. # machine will be configured as a BDC (a secondary logon server), you
240. # must set this to 'no'; otherwise, the default behavior is recommended.
241. # domain master = auto
242.  
243. # Some defaults for winbind (make sure you're not using the ranges
244. # for something else.)
245. ; idmap uid = 10000-20000
246. ; idmap gid = 10000-20000
247. ; template shell = /bin/bash
248.  
249. # The following was the default behaviour in sarge,
250. # but samba upstream reverted the default because it might induce
251. # performance issues in large organizations.
252. # See Debian bug #368251 for some of the consequences of *not*
253. # having this setting and smb.conf(5) for details.
254. ; winbind enum groups = yes
255. ; winbind enum users = yes
256.  
257. # Setup usershare options to enable non-root users to share folders
258. # with the net usershare command.
259.  
260. # Maximum number of usershare. 0 (default) means that usershare is disabled.
261. ; usershare max shares = 100
262.  
263. # Allow users who've been granted usershare privileges to create
264. # public shares, not just authenticated ones
265. usershare allow guests = yes
266.  
267. #======================= Share Definitions =======================
268.  
269. # Un-comment the following (and tweak the other settings below to suit)
270. # to enable the default home directory shares. This will share each
271. # user's home director as \\server\username
272. [homes]
273. comment = Home Directories
274. browseable = no
275. # read only = no
276. # create mask = 0700
277. # directory mask = 0700
278. # valid users = %S
279.  
280. # By default, the home directories are exported read-only. Change the
281. # next parameter to 'no' if you want to be able to write to them.
282. read only = yes
283.  
284. # File creation mask is set to 0700 for security reasons. If you want to
285. # create files with group=rw permissions, set next parameter to 0775.
286. create mask = 0700
287.  
288. # Directory creation mask is set to 0700 for security reasons. If you want to
289. # create dirs. with group=rw permissions, set next parameter to 0775.
290. directory mask = 0700
291.  
292. # By default, \\server\username shares can be connected to by anyone
293. # with access to the samba server. Un-comment the following parameter
294. # to make sure that only "username" can connect to \\server\username
295. # The following parameter makes sure that only "username" can connect
296. #
297. # This might need tweaking when using external authentication schemes
298. valid users = %S
299.  
300. # Un-comment the following and create the netlogon directory for Domain Logons
301. # (you need to configure Samba to act as a domain controller too.)
302. [netlogon]
303. comment = Network Logon Service
304. path = /home/samba/netlogon
305. guest ok = yes
306. read only = yes
307. share modes = no
308.  
309. # Un-comment the following and create the profiles directory to store
310. # users profiles (see the "logon path" option above)
311. # (you need to configure Samba to act as a domain controller too.)
312. # The path below should be writable by all users so that their
313. # profile directory may be created the first time they log on
314. ;[profiles]
315. ; comment = Users profiles
316. ; path = /home/samba/profiles
317. ; guest ok = no
318. ; browseable = no
319. ; create mask = 0600
320. ; directory mask = 0700
321.  
322. [printers]
323. comment = All Printers
324. browseable = no
325. path = /var/spool/samba
326. printable = yes
327. guest ok = no
328. read only = yes
329. create mask = 0700
330.  
331. # Windows clients look for this share name as a source of downloadable
332. # printer drivers
333. [print$]
334. comment = Printer Drivers
335. path = /var/lib/samba/printers
336. browseable = yes
337. read only = yes
338. guest ok = no
339. # Uncomment to allow remote administration of Windows print drivers.
340. # You may need to replace 'lpadmin' with the name of the group your
341. # admin users are members of.
342. # Please note that you also need to set appropriate Unix permissions
343. # to the drivers directory for these users to have write rights in it
344. ; write list = root, @lpadmin
345.  
346. # A sample share for sharing your CD-ROM with others.
347. ;[cdrom]
348. ; comment = Samba server's CD-ROM
349. ; read only = yes
350. ; locking = no
351. ; path = /cdrom
352. ; guest ok = yes
353.  
354. # The next two parameters show how to auto-mount a CD-ROM when the
355. # cdrom share is accesed. For this to work /etc/fstab must contain
356. # an entry like this:
357. #
358. # /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
359. #
360. # The CD-ROM gets unmounted automatically after the connection to the
361. #
362. # If you don't want to use auto-mounting/unmounting make sure the CD
363. # is mounted on /cdrom
364. #
365. ; preexec = /bin/mount /cdrom
366. ; postexec = /bin/umount /cdrom