home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  



Robert Eckstein, David Collier-Brown, Peter Kelly
1st Edition November 1999, 1-56592-449-5, 416 pages

Previous: D. Downloading Samba with CVS Appendix E  
 

Appendix F. Sample Configuration File

This appendix gives an example of a production smb.conf file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:


# smb.conf -- File Server System for: 1 Example.COM  BSC & Management Office 
[globals]
	workgroup = 1EG_BSC
	interfaces = 10.10.1.14/24 

We provide this service on only one of the machine's interfaces. The interfaces option sets its address and netmask, where /24 is the same as using the netmask 255.255.255.0:


	comment = Samba ver. %v
	preexec = csh -c `echo /usr/samba/bin/smbclient \
                     -M %m -I %I` &

We use the preexec command to log information about all connections by machine name ( %m) and IP address ( %I):


	# smbstatus will output various info on current status
	status = yes
	browseable = yes
	printing = bsd

	# the username that will be used for access to services
	# specified with 'guest = ok'
	guest account = samba 

The default guest account was nobody, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:


	# superuser account - admin privilages to shares, with no
	# restrictions
	# WARNING - use this with care: files can be modified,
	# regardless of file permissions
	admin users = root

	# who is NOT allowed to connect to ANY service
	invalid users = @wheel, mail, deamon, adt

Daemons can't use Samba, only people. The invalid users option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.


	# hosts that are ALLOWED or DENIED from connecting to ANY service
	hosts allow = 10.10.1.
	hosts deny = 10.10.1.6
	
	# where the lock files will be located
	lock directory = /var/lock/samba/locks
		
	# debug log files 
	# %m = separate log for each NetBIOS name (each machine)
	log file = /var/log/samba/log.%m

	# We send priority 0, 1 and 2 messages to the system logs
	syslog = 2
		
	# If a WinPopup message is sent to the server,
	# redirect it to a user via e-mail
	
	message command = /bin/mail -s 'message from #% on %m' \
						 pkelly < %s; rm %s

# ---------------------------------------------------
# [globals] Performance Tuning
# ---------------------------------------------------
	
	# caching algorithm to reduce time doing getwd() calls.  
	getwd cache = yes

	socket options = TCP_NODELAY

	# tell the server whether the client is present and
	# responding in seconds
	keep alive = 60

	# num minutes of inactivity before a connection is
	# considered dead
	dead time = 30 

	read prediction = yes
	share modes = yes
	max xmit = 17384 
	read size = 512

The share modes, max, xinit, and read size options are machine-specific (see Appendix B, Samba Performance Tuning):


	# locking is done by the server
	locking = yes

	# control whether dos style attributes should be mapped
	# to unix execute bits
	map hidden = yes
	map archive = yes
	map system = yes

The three map options will work only on shares with a create mode that includes the execute bits (0111). Our homes and printers shares won't honor them, but the [ www] share will:


# ---------------------------------------------------------
# [globals] Security and Domain Logon Services
# ---------------------------------------------------------	
# connections are made with UID and GID, not as shares
	security = user

# boolean variable that controls whether passwords
# will be encrypted
	encrypt passwords = yes
	passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"
	passwd program = /usr/bin/passwd %u
	
# Always become the local master browser
	domain master = yes
	preferred master = yes
	os level = 34
	
# For domain logons to work correctly. Samba acts as a
# primary domain controller.
	domain logons = yes
	
# Logon script to run for user off the server each time
# username (%U) logs in.  Set the time, connect to shares,
# virus checks, etc.
	logon script = scripts\%U.bat

[netlogon]
	comment = "Domain Logon Services"
	path = /u/netlogon
	writable = yes
	create mode = 444
	guest ok = no
	volume = "Network"

This share, discussed in Chapter 6, Users, Security, and Domains , is required for Samba to work smoothly in a Windows NT domain:


# -----------------------------------------------------------
# [homes] User Home Directories
# -----------------------------------------------------------
[homes]
	comment = "Home Directory for : %u "
	path = /u/users/%u

The password file of the Samba server specifies each person's home directory as /home/ machine_name / person, which NFS converts to point to the actual physicl location under /u/users. The path option in the [homes] share tells Samba the actual (non-NFS) location:


	guest ok = no
	read only = no
	create mode = 644
	writable = yes
	browseable = no 

# -----------------------------------------------------------
# [printers] System Printers
# -----------------------------------------------------------
[printers]
	comment = "Printers"
	path = /var/spool/lpd/samba
	printcap name = /etc/printcap
	printable = yes
	public = no 
	writable = no

	lpq command = /usr/bin/lpq -P%p
	lprm command = /usr/bin/lprm -P%p %j
	lppause command = /usr/sbin/lpc stop %p
	lpresume command = /usr/sbin/lpc start %p

	create mode = 0700

	browseable = no 
	load printers = yes  

# -----------------------------------------------------------
# Specific Descriptions: [programs] [data] [retail]
# -----------------------------------------------------------
[programs]
	comment = "Shared Programs %T"
	volume = "programs"

Shared Programs shows up in the Network Neighborhood, and programs is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:


	path = /u/programs
	public = yes
	writeable = yes
	printable = no
	create mode = 664
[cdrom]
	comment = "Unix CDROM"
	path = /u/cdrom
	public = no 
	writeable = no 
	printable = no
	volume = "cdrom"

[data]
	comment =  "Data Directories %T"
	path = /u/data
	public = no
	create mode = 770
	writeable = yes
	volume = "data"

[nt4]
	comment =  "NT4 Server"
	path = /u/systems/nt4
	public = yes 
	create mode = 770
	writeable = yes
	volume = "nt4_server"

[www]
	comment =  "WWW System"
	path = /usr/www/http
	public = yes 
	create mode = 775
	writeable = yes
	volume = "www_system"

The [www] share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.


Previous: D. Downloading Samba with CVS  
D. Downloading Samba with CVS Book Index