debian-edu-config 1.818+deb8u2 / etc / samba / smb-debian-edu.conf

#
# Skolelinux configuration file for the samba suite
#
# Please read the smb.conf(5) manual page
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not many any basic syntactic
# errors.
#

# Modified for use with skolelinux by Svein Magne Bang 2003/04/02

#======================= Global Settings =======================

[global]

# Do something sensible when Samba crashes: mail the admin a backtrace
;   panic action = /usr/share/samba/panic-action %d

# server name
   netbios name = TJENER
   available = yes
   # needed for samba 3.5.6 with XP (Svp3) clients...
   server signing = disabled 
   # server signing is broken with XP (Svp3) clients
   #server signing = auto
   server schannel = auto 

# disable IPv6 for Samba on Skolelinux systems
   interfaces = 127.0.0.1 10.0.2.2
   bind interfaces only = yes

# configure as NT4-style PDC
   server role = classic primary domain controller
   acl allow execute always = true

# server string/NT Description field
   server string = %h server (Debian Edu/Skolelinux Main Server)

# server mode

   security = USER

# security setting
   map to guest = Bad User
   guest ok = No

# server/client spnego
   client use spnego = yes

# Workgroup/NT-domain name

   workgroup = SKOLELINUX

# OpenLDAP configuration

   # should allways be set to 'true'
   encrypt passwords = true

   passdb backend = ldapsam:"ldap://ldap.intern"
   # divert libnss for posix users/groups lookups, rely completely on LDAP db integrity
   ldapsam:trusted = yes

   ldap suffix = dc=skole,dc=skolelinux,dc=no
   # with GOsa, we cannot use suffices here, we have to always search starting from the BaseDN
   ldap user suffix =
   ldap group suffix = 
   ldap machine suffix =
   ldap idmap suffix = 
   ldap admin dn = "cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no"
   ldap ssl = start_tls

   add machine script = /etc/samba/smbaddclient.sh "%u"

   ### If you plan to use winbind then you could use the following entries.
   ### NOTE: ldapsam:editposix and winbind id allocation break Samba's interaction
   ### with GOsa on a standard Debian Edu main server (aka tjener).
   ### However, from the position of Samba developers, this mechanism is the preferred.

   #ldapsam:editposix = yes
   #idmap alloc config:backend = ldap
   #idmap alloc config:ldap_url = ldap://ldap.intern/
   #idmap alloc config:ldap_base_dn = dc=skole,dc=skolelinux,dc=no
   #idmap alloc config:user_dn = cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
   #idmap uid = 40000-50000
   #idmap gid = 40000-50000
   #idmap config SCHULE:backend = ldap
   #idmap config SKOLELINUX:readonly = no
   #idmap config SKOLELINUX:default = yes
   #idmap config SKOLELINUX:ldap_base_dn = dc=skole,dc=skolelinux,dc=no
   #idmap config SKOLELINUX:ldap_user_dn = cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
   #idmap config SKOLELINUX:ldap_url = ldap://ldap.intern
   #idmap config SKOLELINUX:range = 40000-50000
   #winbind enum users = yes
   #winbind enum groups = yes 

# PAM setup
   obey pam restrictions = no 

# passwd sync

   # sync LDAP password
   ldap passwd sync = yes 

   # sync Kerberos password via kadmin.local
   unix password sync = yes
   passwd program = /usr/sbin/kadmin.local -q 'cpw %u'
   passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n
   # dangerous: if you set the below parameter 'passwd chat debug' to yes, Samba will reveal clear text password in Samba log files...
   passwd chat debug = no

# Printer settings

   load printers = yes
   printing = cups
   printcap name = cups
   printcap cache time = 750

# Network logon

   logon drive = h:
   logon script = debian-edu-login.bat

   # store profiles in the users' HOME shares
   logon path = \\TJENER\%U\.ntprofile
   # in case we have win9x clients around (very bad nowadays!)
   logon home = \\TJENER\%U\.win9xprofile

# Logfiles

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 10 
   log level = 0

# Networking options

   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
   keepalive = 600
   dead time = 15

# Browser Control Options / PDC setup

   local master = yes
   domain logons = yes
   domain master = yes
   preferred master = yes

   lanman auth = yes
   ntlm auth = yes

   os level = 127 

   name resolve order = bcast host lmhosts wins

# WINS Support

   wins support = yes

# DNS proxy for NetBIOS

   dns proxy = yes

# Add NT clients

   ###
   ### NTFS ACL handling
   ###

   # WARNING: for full and correct NTFS ACL handling, it is required that the underlying
   # filesystem has acl and xattr capability. For ext3 you have to specify extra mount
   # options (acl, user_xattr). If you use xfs as unterlying filesystem, then both features
   # will be available by default. Please, also refer to: man 8 mount

   #acl map full control = true
   #acl group control = yes
   #map acl inherit = yes
   #inherit acls = yes
   map read only = Permissions
   dos filemode = no
   max xmit = 65535
   nt acl support = yes
   invalid users = root

   # case mangling
   case sensitive = no
   preserve case = yes
   short preserve case = yes

   # mapping of file attributes
   map system = no
   map archive = no
   map hidden = no

   getwd cache = yes
   read raw = yes
   write raw = yes

   # no offline cache of shares
   csc policy = disable

   # CLSID protection and protection against Nimba Worm
   veto files = /*.scr/*.scf/*.sct/*.pif/*.exe/*.bas/*.bat/*.com/*.ade/*.adp/*.asp/*.asx/*.chm/*.cmd/*.dll/*.vbs/*.eml/*.nws/riched20.dll/*.{*}/
   delete veto files = yes

   # hide desktop.ini files + lost&found folders
   hide files = /desktop.ini/Desktop.ini/lost+found/
   hide special files = yes
   hide dot files = yes
   hide unreadable = yes

   # by default we do not allow access from LTSP thin client networks to the Samba services.
   hosts allow = 10.0.0.0/8 localhost
   hosts deny = ALL

#======================= Share Definitions =======================

[homes]
   valid users = %S
   comment = Home directories
   browseable = no
   writable = yes

   # provide read access to homes and their content
   #create mask = 0644
   #directory mask = 2755

   # or rather keep them private (recommended)
   create mask = 0600
   directory mask = 0700

   # if using a filesystem with ACL support, instead of create mask and directory mask
   # you can use these options
   #inherit owner = yes
   #inherit acls = yes

   nt acl support = yes
   veto files = /*.scr/*.sct/*.pif/*.exe/*.bas/*.bat/*.com/*.ade/*.adp/*.asp/*.asx/*.chm/*.cmd/*.dll/*.vbs/*.eml/*.nws/riched20.dll/*.{*}/

[netlogon]
   invalid users = root Administrator
   comment = Network Logon Service
   path = /etc/samba/netlogon
   guest ok = yes
   writable = no
   # allowing .cmd, .bat, .exe, .com, .vbs on netlogon share
   veto files = /*.scr/*.scf/*.sct/*.pif/*.bas/*.ade/*.adp/*.asp/*.asx/*.chm/*.dll/*.eml/*.nws/riched20.dll/*.{*}/

[printers] 
   invalid users = root Administrator
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

###
### Shared filespace
###

# Make sure you have this line in /etc/fstab for this share (options: acl, user_xattr)
# /dev/mapper/skole+tjener+shared /skole/tjener/shared ext3 defaults,acl,user_xattr 0 2
#

#[shared-teachers]
#   invalid users = Administrator root
#   comment = Shared Folders
#   path = /skole/tjener/shared/teachers
#   guest ok = no
#   writable = yes
#   acl map full control = true
#   acl group control = yes
#   map acl inherit = yes
#   inherit acls = yes
#   valid users = @teachers

#[shared-students]
#   invalid users = Administrator root
#   comment = Shared Folders
#   path = /skole/tjener/shared/students
#   guest ok = no
#   writable = yes
#   acl map full control = true
#   acl group control = yes
#   map acl inherit = yes
#   inherit acls = yes
#   valid users = @teachers @students