| # This is the main Samba configuration file. For detailed information about the |
| # options listed here, refer to the smb.conf(5) manual page. Samba has a huge |
| # number of configurable options, most of which are not shown in this example. |
| # |
| # The Samba Wiki contains a lot of step-by-step guides for installing, configuring, |
| # and using Samba: |
| # https://wiki.samba.org/index.php/User_Documentation |
| # |
| # In this file, lines starting with a semicolon (;) or a hash (#) are |
| # comments and are ignored. This file uses hashes to denote commentary and |
| # semicolons for parts of the file you may wish to configure. |
| # |
| # NOTE: Run the "testparm" command after modifying this file to check for basic |
| # syntax errors. |
| # |
| #--------------- |
| # Security-Enhanced Linux (SELinux) Notes: |
| # |
| # Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the |
| # useradd and groupadd family of binaries. Run the following command as the |
| # root user to turn this Boolean on: |
| # setsebool -P samba_domain_controller on |
| # |
| # Turn the samba_enable_home_dirs Boolean on if you want to share home |
| # directories via Samba. Run the following command as the root user to turn this |
| # Boolean on: |
| # setsebool -P samba_enable_home_dirs on |
| # |
| # If you create a new directory, such as a new top-level directory, label it |
| # with samba_share_t so that SELinux allows Samba to read and write to it. Do |
| # not label system directories, such as /etc/ and /home/, with samba_share_t, as |
| # such directories should already have an SELinux label. |
| # |
| # Run the "ls -ldZ /path/to/directory" command to view the current SELinux |
| # label for a given directory. |
| # |
| # Set SELinux labels only on files and directories you have created. Use the |
| # chcon command to temporarily change a label: |
| # chcon -t samba_share_t /path/to/directory |
| # |
| # Changes made via chcon are lost when the file system is relabeled or commands |
| # such as restorecon are run. |
| # |
| # Use the samba_export_all_ro or samba_export_all_rw Boolean to share system |
| # directories. To share such directories and only allow read-only permissions: |
| # setsebool -P samba_export_all_ro on |
| # To share such directories and allow read and write permissions: |
| # setsebool -P samba_export_all_rw on |
| # |
| # To run scripts (preexec/root preexec/print command/...), copy them to the |
| # /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them. |
| # Note that if you move the scripts to /var/lib/samba/scripts/, they retain |
| # their existing SELinux labels, which may be labels that SELinux does not allow |
| # smbd to run. Copying the scripts will result in the correct SELinux labels. |
| # Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to |
| # apply the correct SELinux labels to these files. |
| # |
| #-------------- |
| # |
| #======================= Global Settings ===================================== |
| |
| [global] |
|
|
| # ----------------------- Network-Related Options ------------------------- |
| # |
| # workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP. |
| # |
| # server string = the equivalent of the Windows NT Description field. |
| # |
| # netbios name = used to specify a server name that is not tied to the hostname, |
| # maximum is 15 characters. |
| # |
| # interfaces = used to configure Samba to listen on multiple network interfaces. |
| # If you have multiple interfaces, you can use the "interfaces =" option to |
| # configure which of those interfaces Samba listens on. Never omit the localhost |
| # interface (lo). |
| # |
| # hosts allow = the hosts allowed to connect. This option can also be used on a |
| # per-share basis. |
| # |
| # hosts deny = the hosts not allowed to connect. This option can also be used on |
| # a per-share basis. |
| # |
| # max protocol = used to define the supported protocol. The default is NT1. You |
| # can set it to SMB2 if you want experimental SMB2 support. |
| # |
| # Workgroup or domain name this server announces; MYGROUP is the sample value. |
| workgroup = MYGROUP |
| # Description shown to clients. %v expands to the Samba version, so the exact |
| # version is advertised to clients that can read the server description. |
| server string = Samba Server Version %v |
| |
| ; netbios name = MYSERVER |
| |
| # While "interfaces" and "hosts allow" stay commented out, this section sets no |
| # global restriction on listening interfaces or on client addresses. |
| ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 |
| ; hosts allow = 127. 192.168.12. 192.168.13. |
| |
| # NOTE(review): NT1 is the legacy SMB1 dialect. Check smb.conf(5) for the |
| # protocol values and defaults of the installed Samba version before relying |
| # on this setting. |
| ; max protocol = SMB2 |
|
|
| # --------------------------- Logging Options ----------------------------- |
| # |
| # log file = specify where log files are written to and how they are split. |
| # |
| # max log size = specify the maximum size log files are allowed to reach. Log |
| # files are rotated when they reach the size specified with "max log size". |
| # |
|
|
| # log files split per-machine (%m is the machine name of the connecting client): |
| log file = /var/log/samba/log.%m |
| # maximum size of 50KB per log file, then rotate: |
| # NOTE(review): small logs rotate quickly; confirm the retained history is |
| # enough for troubleshooting and audit needs. |
| max log size = 50 |
|
|
| # ----------------------- Standalone Server Options ------------------------ |
| # |
| # security = the mode Samba runs in. This can be set to user, share |
| # (deprecated), or server (deprecated). |
| # |
| # passdb backend = the backend used to store user information in. New |
| # installations should use either tdbsam or ldapsam. No additional configuration |
| # is required for tdbsam. The "smbpasswd" utility is available for backwards |
| # compatibility. |
| # |
| |
| # Standalone server: clients must log in with a username and password |
| # (security = user); accounts are stored in the tdbsam backend. |
| security = user |
| passdb backend = tdbsam |
|
|
| |
| # ----------------------- Domain Members Options ------------------------ |
| # |
| # security = must be set to domain or ads. |
| # |
| # passdb backend = the backend used to store user information in. New |
| # installations should use either tdbsam or ldapsam. No additional configuration |
| # is required for tdbsam. The "smbpasswd" utility is available for backwards |
| # compatibility. |
| # |
| # realm = only use the realm option when the "security = ads" option is set. |
| # The realm option specifies the Active Directory realm the host is a part of. |
| # |
| # password server = only use this option when the "security = server" |
| # option is set, or if you cannot use DNS to locate a Domain Controller. The |
| # argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]: |
| # |
| # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] |
| # |
| # Use "password server = *" to automatically locate Domain Controllers. |
| |
| ; security = domain |
| ; passdb backend = tdbsam |
| ; realm = MY_REALM |
| |
| ; password server = <NT-Server-Name> |
|
|
| # ----------------------- Domain Controller Options ------------------------ |
| # |
| # security = must be set to user for domain controllers. |
| # |
| # passdb backend = the backend used to store user information in. New |
| # installations should use either tdbsam or ldapsam. No additional configuration |
| # is required for tdbsam. The "smbpasswd" utility is available for backwards |
| # compatibility. |
| # |
| # domain master = specifies Samba to be the Domain Master Browser, allowing |
| # Samba to collate browse lists between subnets. Do not use the "domain master" |
| # option if you already have a Windows NT domain controller performing this task. |
| # |
| # domain logons = allows Samba to provide a network logon service for Windows |
| # workstations. |
| # |
| # logon script = specifies a script to run at login time on the client. These |
| # scripts must be provided in a share named NETLOGON. |
| # |
| # logon path = specifies (with a UNC path) where user profiles are stored. |
| # |
| # |
| ; security = user |
| ; passdb backend = tdbsam |
| |
| ; domain master = yes |
| ; domain logons = yes |
|
|
| # the following login script name is determined by the machine name |
| # (%m): |
| ; logon script = %m.bat |
| # the following login script name is determined by the UNIX user used: |
| ; logon script = %u.bat |
| ; logon path = \\%L\Profiles\%u |
| # use an empty path to disable profile support: |
| ; logon path = |
|
|
| # various scripts can be used on a domain controller or a stand-alone |
| # machine to add or delete corresponding UNIX accounts: |
| |
| # Samba substitutes %u (user) and %g (group) into these command lines; the |
| # samples quote both, so keep the quoting if you un-comment them. |
| ; add user script = /usr/sbin/useradd "%u" -n -g users |
| ; add group script = /usr/sbin/groupadd "%g" |
| ; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" |
| ; delete user script = /usr/sbin/userdel "%u" |
| # NOTE(review): this sample calls userdel with a user and a group argument. |
| # userdel removes accounts rather than group memberships, so confirm the |
| # intended command against smb.conf(5) before un-commenting it. |
| ; delete user from group script = /usr/sbin/userdel "%u" "%g" |
| ; delete group script = /usr/sbin/groupdel "%g" |
|
|
| |
| # ----------------------- Browser Control Options ---------------------------- |
| # |
| # local master = when set to no, Samba does not become the master browser on |
| # your network. When set to yes, normal election rules apply. |
| # |
| # os level = determines the precedence the server has in master browser |
| # elections. The default value should be reasonable. |
| # |
| # preferred master = when set to yes, Samba forces a local browser election at |
| # start up (and gives itself a slightly higher chance of winning the election). |
| # |
| ; local master = no |
| ; os level = 33 |
| ; preferred master = yes |
|
|
| #----------------------------- Name Resolution ------------------------------- |
| # |
| # This section details the support for the Windows Internet Name Service (WINS). |
| # |
| # Note: Samba can be either a WINS server or a WINS client, but not both. |
| # |
| # wins support = when set to yes, the NMBD component of Samba enables its WINS |
| # server. |
| # |
| # wins server = tells the NMBD component of Samba to be a WINS client. |
| # |
| # wins proxy = when set to yes, Samba answers name resolution queries on behalf |
| # of a non WINS capable client. For this to work, there must be at least one |
| # WINS server on the network. The default is no. |
| # |
| # dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS |
| # nslookups. |
| |
| ; wins support = yes |
| ; wins server = w.x.y.z |
| ; wins proxy = yes |
| |
| ; dns proxy = yes |
|
|
| # --------------------------- Printing Options ----------------------------- |
| # |
| # The options in this section allow you to configure a non-default printing |
| # system. |
| # |
| # load printers = when set to yes, the list of printers is automatically |
| # loaded, rather than setting them up individually. |
| # |
| # cups options = allows you to pass options to the CUPS library. Setting this |
| # option to raw, for example, allows you to use drivers on your Windows clients. |
| # |
| # printcap name = used to specify an alternative printcap file. |
| # |
| |
| # Load the list of printers automatically instead of defining each one. |
| load printers = yes |
| # "raw" is passed to the CUPS library; per the note above, this lets Windows |
| # clients use their own drivers. |
| cups options = raw |
| |
| ; printcap name = /etc/printcap |
| # obtain a list of printers automatically on UNIX System V systems: |
| ; printcap name = lpstat |
| ; printing = cups |
|
|
| # --------------------------- File System Options --------------------------- |
| # |
| # The options in this section can be un-commented if the file system supports |
| # extended attributes, and those attributes are enabled (usually via the |
| # "user_xattr" mount option). These options allow the administrator to specify |
| # that DOS attributes are stored in extended attributes and also make sure that |
| # Samba does not change the permission bits. |
| # |
| # Note: These options can be used on a per-share basis. Setting them globally |
| # (in the [global] section) makes them the default for all shares. |
| |
| ; map archive = no |
| ; map hidden = no |
| ; map read only = no |
| ; map system = no |
| ; store dos attributes = yes |
|
|
| #============================ Share Definitions ============================== |
| |
| # Special section that exposes each user's home directory as a share. |
| [homes] |
| comment = Home Directories |
| # Keep the share out of browse lists. |
| browseable = no |
| writable = yes |
| # NOTE(review): with both "valid users" lines commented out, this section does |
| # not itself limit a home share to its owner (%S is the share name). Access |
| # then presumably rests on authentication and file permissions -- confirm. |
| ; valid users = %S |
| ; valid users = MYDOMAIN\%S |
| |
| # Printer share: jobs are spooled to "path"; guest access and ordinary file |
| # writes are both turned off, and the share is marked printable. |
| [printers] |
| comment = All Printers |
| path = /var/spool/samba |
| browseable = no |
| guest ok = no |
| writable = no |
| printable = yes |
|
|
| # Un-comment the following and create the netlogon directory for Domain Logons: |
| ; [netlogon] |
| ; comment = Network Logon Service |
| ; path = /var/lib/samba/netlogon |
| ; guest ok = yes |
| ; writable = no |
| ; share modes = no |
|
|
| # Un-comment the following to provide a specific roaming profile share. |
| # The default is to use the user's home directory: |
| ; [Profiles] |
| ; path = /var/lib/samba/profiles |
| ; browseable = no |
| # NOTE(review): "guest ok = yes" admits connections without a password. Roaming |
| # profiles hold per-user data, so confirm guest access is wanted before |
| # enabling this share. |
| ; guest ok = yes |
|
|
| # A publicly accessible directory that is read only, except for users in the |
| # "staff" group (which have write permissions): |
| ; [public] |
| ; comment = Public Stuff |
| ; path = /home/samba |
| ; public = yes |
| ; writable = no |
| ; printable = no |
| ; write list = +staff |