From e1cf19b2d88aa5555e63087111820e09b899508f Mon Sep 17 00:00:00 2001
From: "Gerald (Jerry) Carter"
Date: Tue, 27 May 2008 12:02:27 -0500
Subject: Adding initial copy of "Using Samba (3rd ed)" (This used to be commit b77c46a36366d25dcdbc476963fbf43aaa4b9801)
---
docs-xml/using_samba/appf.xml | 250 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 250 insertions(+)
create mode 100644 docs-xml/using_samba/appf.xml
(limited to 'docs-xml/using_samba/appf.xml')
diff --git a/docs-xml/using_samba/appf.xml b/docs-xml/using_samba/appf.xml
new file mode 100644
index 0000000000..b4965f0d13
--- /dev/null
+++ b/docs-xml/using_samba/appf.xml
@@ -0,0 +1,250 @@
+
+Sample Configuration File
+
+
+
+
+
+configuration filessample ofThis appendix gives an example of a production smb.conf file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:
+
+
+# smb.conf -- File Server System for: 1 Example.COM BSC & Management Office
+[globals]
+ workgroup = 1EG_BSC
+ interfaces = 10.10.1.14/24
+
+
+We provide this service on only one of the machine's interfaces. The interfaces option sets its address and netmask, where /24 is the same as using the netmask 255.255.255.0:
+
+
+comment = Samba ver. %v
+ preexec = csh -c `echo /usr/samba/bin/smbclient \
+ -M %m -I %I` &
+
+
+We use the preexec command to log information about all connections by machine name (%m) and IP address (%I):
+
+
+# smbstatus will output various info on current status
+ status = yes
+ browseable = yes
+ printing = bsd
+
+ # the username that will be used for access to services
+ # specified with 'guest = ok'
+ guest account = samba
+
+
+The default guest account was nobody, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:
+
+
+# superuser account - admin privilages to shares, with no
+ # restrictions
+ # WARNING - use this with care: files can be modified,
+ # regardless of file permissions
+ admin users = root
+
+ # who is NOT allowed to connect to ANY service
+ invalid users = @wheel, mail, deamon, adt
+
+
+Daemons can't use Samba, only people. The invalid users option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.
+
+
+# hosts that are ALLOWED or DENIED from connecting to ANY service
+ hosts allow = 10.10.1.
+ hosts deny = 10.10.1.6
+
+ # where the lock files will be located
+ lock directory = /var/lock/samba/locks
+
+ # debug log files
+ # %m = separate log for each NetBIOS name (each machine)
+ log file = /var/log/samba/log.%m
+
+ # We send priority 0, 1 and 2 messages to the system logs
+ syslog = 2
+
+ # If a WinPopup message is sent to the server,
+ # redirect it to a user via e-mail
+
+ message command = /bin/mail -s 'message from #% on %m' \
+ pkelly < %s; rm %s
+
+# ---------------------------------------------------
+# [globals] Performance Tuning
+# ---------------------------------------------------
+
+ # caching algorithm to reduce time doing getwd() calls.
+ getwd cache = yes
+
+ socket options = TCP_NODELAY
+
+ # tell the server whether the client is present and
+ # responding in seconds
+ keep alive = 60
+
+ # num minutes of inactivity before a connection is
+ # considered dead
+ dead time = 30
+
+ read prediction = yes
+ share modes = yes
+ max xmit = 17384
+ read size = 512
+
+
+The share modes, max, xinit, and read size options are machine-specific (see Appendix B):
+
+
+# locking is done by the server
+ locking = yes
+
+ # control whether dos style attributes should be mapped
+ # to unix execute bits
+ map hidden = yes
+ map archive = yes
+ map system = yes
+
+
+The three map options will work only on shares with a create mode that includes the execute bits (0111). Our homes and printers shares won't honor them, but the [www] share will:
+
+
+# ---------------------------------------------------------
+# [globals] Security and Domain Logon Services
+# ---------------------------------------------------------
+# connections are made with UID and GID, not as shares
+ security = user
+
+# boolean variable that controls whether passwords
+# will be encrypted
+ encrypt passwords = yes
+ passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"
+ passwd program = /usr/bin/passwd %u
+
+# Always become the local master browser
+ domain master = yes
+ preferred master = yes
+ os level = 34
+
+# For domain logons to work correctly. Samba acts as a
+# primary domain controller.
+ domain logons = yes
+
+# Logon script to run for user off the server each time
+# username (%U) logs in. Set the time, connect to shares,
+# virus checks, etc.
+ logon script = scripts\%U.bat
+
+[netlogon]
+ comment = "Domain Logon Services"
+ path = /u/netlogon
+ writable = yes
+ create mode = 444
+ guest ok = no
+ volume = "Network"
+
+
+This share, discussed in Chapter 6, is required for Samba to work smoothly in a Windows NT domain:
+
+
+# -----------------------------------------------------------
+# [homes] User Home Directories
+# -----------------------------------------------------------
+[homes]
+ comment = "Home Directory for : %u "
+ path = /u/users/%u
+
+
+The password file of the Samba server specifies each person's home directory as /home/machine_name/person, which NFS converts to point to the actual physicl location under /u/users. The path option in the [homes] share tells Samba the actual (non-NFS) location:
+
+
+guest ok = no
+ read only = no
+ create mode = 644
+ writable = yes
+ browseable = no
+
+# -----------------------------------------------------------
+# [printers] System Printers
+# -----------------------------------------------------------
+[printers]
+ comment = "Printers"
+ path = /var/spool/lpd/samba
+ printcap name = /etc/printcap
+ printable = yes
+ public = no
+ writable = no
+
+ lpq command = /usr/bin/lpq -P%p
+ lprm command = /usr/bin/lprm -P%p %j
+ lppause command = /usr/sbin/lpc stop %p
+ lpresume command = /usr/sbin/lpc start %p
+
+ create mode = 0700
+
+ browseable = no
+ load printers = yes
+
+# -----------------------------------------------------------
+# Specific Descriptions: [programs] [data] [retail]
+# -----------------------------------------------------------
+[programs]
+ comment = "Shared Programs %T"
+ volume = "programs"
+
+
+Shared Programs shows up in the Network Neighborhood, and programs is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:
+
+
+path = /u/programs
+ public = yes
+ writeable = yes
+ printable = no
+ create mode = 664
+[cdrom]
+ comment = "Unix CDROM"
+ path = /u/cdrom
+ public = no
+ writeable = no
+ printable = no
+ volume = "cdrom"
+
+[data]
+ comment = "Data Directories %T"
+ path = /u/data
+ public = no
+ create mode = 770
+ writeable = yes
+ volume = "data"
+
+[nt4]
+ comment = "NT4 Server"
+ path = /u/systems/nt4
+ public = yes
+ create mode = 770
+ writeable = yes
+ volume = "nt4_server"
+
+[www]
+ comment = "WWW System"
+ path = /usr/www/http
+ public = yes
+ create mode = 775
+ writeable = yes
+ volume = "www_system"
+
+
+The [www] share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.
+
+
+
+
+
+
+
+
+
+
+
+
-- cgit
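Review bot: The `hosts deny = 10.10.1.6` line in the sample's [globals] section probably does not block that host, because the smb.conf manual gives the allow list precedence where the two lists conflict and `hosts allow = 10.10.1.` already matches it; `hosts allow = 10.10.1. EXCEPT 10.10.1.6` states the exclusion unambiguously. In the same section, `invalid users = @wheel, mail, deamon, adt` misspells what is presumably the `daemon` account, so the account the following paragraph says is being shut out is not actually in the list. The [netlogon] share is `writable = yes` while `logon script = scripts\%U.bat` is served from it at every logon, so the sample should either use `writable = no` with a `write list` for administrators or explain why ordinary users need write access there. Because appendix samples tend to be copied verbatim, a short caveat that [programs], [nt4] and [www] combine `public = yes` with `writeable = yes` would also help readers.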