This appendix gives an example of a production smb.conf file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:
# smb.conf -- File Server System for: 1 Example.COM BSC & Management Office
[globals]
workgroup = 1EG_BSC
interfaces = 10.10.1.14/24
We provide this service on only one of the machine's interfaces. The interfaces option sets its address and netmask, where /24 is the same as using the netmask 255.255.255.0:
comment = Samba ver. %v
preexec = csh -c `echo /usr/samba/bin/smbclient \
-M %m -I %I` &
We use the preexec command to log information about all connections by machine name (%m) and IP address (%I):
# smbstatus will output various info on current status
status = yes
browseable = yes
printing = bsd
# the username that will be used for access to services
# specified with 'guest = ok'
guest account = samba
The default guest account was nobody, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:
# superuser account - admin privileges to shares, with no
# restrictions
# WARNING - use this with care: files can be modified,
# regardless of file permissions
admin users = root
# who is NOT allowed to connect to ANY service
invalid users = @wheel, mail, daemon, adt
Daemons can't use Samba, only people. The invalid users option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.
# hosts that are ALLOWED or DENIED from connecting to ANY service
hosts allow = 10.10.1.
hosts deny = 10.10.1.6
# where the lock files will be located
lock directory = /var/lock/samba/locks
# debug log files
# %m = separate log for each NetBIOS name (each machine)
log file = /var/log/samba/log.%m
# We send priority 0, 1 and 2 messages to the system logs
syslog = 2
# If a WinPopup message is sent to the server,
# redirect it to a user via e-mail
message command = /bin/mail -s 'message from #% on %m' \
pkelly < %s; rm %s
# ---------------------------------------------------
# [globals] Performance Tuning
# ---------------------------------------------------
# caching algorithm to reduce time doing getwd() calls.
getwd cache = yes
socket options = TCP_NODELAY
# tell the server whether the client is present and
# responding in seconds
keep alive = 60
# num minutes of inactivity before a connection is
# considered dead
dead time = 30
read prediction = yes
share modes = yes
max xmit = 17384
read size = 512
The share modes, max xmit, and read size options are machine-specific (see Appendix B, Samba Performance Tuning):
# locking is done by the server
locking = yes
# control whether dos style attributes should be mapped
# to unix execute bits
map hidden = yes
map archive = yes
map system = yes
The three map options will work only on shares with a create mode that includes the execute bits (0111). Our homes and printers shares won't honor them, but the [www] share will:
# ---------------------------------------------------------
# [globals] Security and Domain Logon Services
# ---------------------------------------------------------
# connections are made with UID and GID, not as shares
security = user
# boolean variable that controls whether passwords
# will be encrypted
encrypt passwords = yes
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
"*Password changed*"
passwd program = /usr/bin/passwd %u
# Always become the local master browser
domain master = yes
preferred master = yes
os level = 34
# For domain logons to work correctly. Samba acts as a
# primary domain controller.
domain logons = yes
# Logon script to run for user off the server each time
# username (%U) logs in. Set the time, connect to shares,
# virus checks, etc.
logon script = scripts\%U.bat
[netlogon]
comment = "Domain Logon Services"
path = /u/netlogon
writable = yes
create mode = 444
guest ok = no
volume = "Network"
This share, discussed in Chapter 6, Users, Security, and Domains, is required for Samba to work smoothly in a Windows NT domain:
# -----------------------------------------------------------
# [homes] User Home Directories
# -----------------------------------------------------------
[homes]
comment = "Home Directory for : %u "
path = /u/users/%u
The password file of the Samba server specifies each person's home directory as /home/machine_name/person, which NFS converts to point to the actual physical location under /u/users. The path option in the [homes] share tells Samba the actual (non-NFS) location:
guest ok = no
read only = no
create mode = 644
writable = yes
browseable = no
# -----------------------------------------------------------
# [printers] System Printers
# -----------------------------------------------------------
[printers]
comment = "Printers"
path = /var/spool/lpd/samba
printcap name = /etc/printcap
printable = yes
public = no
writable = no
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
lppause command = /usr/sbin/lpc stop %p
lpresume command = /usr/sbin/lpc start %p
create mode = 0700
browseable = no
load printers = yes
# -----------------------------------------------------------
# Specific Descriptions: [programs] [data] [retail]
# -----------------------------------------------------------
[programs]
comment = "Shared Programs %T"
volume = "programs"
Shared Programs shows up in the Network Neighborhood, and programs is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:
path = /u/programs
public = yes
writeable = yes
printable = no
create mode = 664
[cdrom]
comment = "Unix CDROM"
path = /u/cdrom
public = no
writeable = no
printable = no
volume = "cdrom"
[data]
comment = "Data Directories %T"
path = /u/data
public = no
create mode = 770
writeable = yes
volume = "data"
[nt4]
comment = "NT4 Server"
path = /u/systems/nt4
public = yes
create mode = 770
writeable = yes
volume = "nt4_server"
[www]
comment = "WWW System"
path = /usr/www/http
public = yes
create mode = 775
writeable = yes
volume = "www_system"
The [www] share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.
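A file of this size mixes guest access and write access across many shares, so it is worth reviewing mechanically. The following Python audit is an added example, not part of the original appendix or of Samba: it reports shares that are both writable and open to the guest account, and a writable [netlogon] share, since that share holds the logon scripts clients run. The function names, the finding texts and the choice of these two checks are assumptions of the example; it treats writable, writeable and write ok as synonyms, read only as their inverse, and public as a synonym for guest ok.

```python
TRUE = {"yes", "true", "1"}
WRITE = {"writable", "writeable", "write ok"}   # smb.conf synonyms
GUEST = {"guest ok", "public"}                  # smb.conf synonyms

def parse(text):
    """Parse smb.conf text into {section: {option: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def enabled(opts, names, inverse=()):
    """Evaluate a boolean option and its synonyms; the last one listed wins."""
    state = False                # Samba defaults: shares read-only, no guests
    for key, value in opts.items():
        if key in names:
            state = value.lower() in TRUE
        elif key in inverse:
            state = value.lower() not in TRUE
    return state

def audit(text):                 # returns sorted (share, finding) pairs
    sections, findings = parse(text), []
    # Global values act as share defaults; the listing above spells it [globals].
    defaults = {**sections.pop("global", {}), **sections.pop("globals", {})}
    for name, opts in sections.items():
        merged = {**defaults, **opts}
        writable = enabled(merged, WRITE, inverse={"read only"})
        if writable and enabled(merged, GUEST):
            findings.append((name, "writable by the guest account"))
        if writable and name == "netlogon":
            findings.append((name, "logon script share is writable"))
    return sorted(findings)

# Constructed sample: share settings condensed from the listing above.
SAMPLE = "\n".join([
    "[netlogon]", "writable = yes", "guest ok = no",
    "[homes]", "guest ok = no", "read only = no", "writable = yes",
    "[programs]", "public = yes", "writeable = yes",
    "[cdrom]", "public = no", "writeable = no",
])
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, [programs] is reported as guest-writable and [netlogon] as a writable logon script share; [homes] and [cdrom] pass.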