Differences

This shows you the differences between two versions of the page.

linux:samba [2006/05/31 11:14]
greebo created
linux:samba [2009/11/10 08:38]
greebo
Line 1: Line 1:
-root# pdbedit --pwd-must-change-time=timestamp username+====== Samba ====== 
 + 
 +''**/etc/fstab**'' 
 +   //server/share     /media/cifs/  cifs    rw,user,auto,credentials=/home/username/.smbcredentials,uid=1000,gid=100 1 2 
 + 
 +   $ vim .smbcredentials 
 + 
 +''**.smbcredentials**'' 
 +   username=foobar 
 +   password=blabla 
 + 
 +   $ chmod 600 .smbcredentials 
 + 
 + 
 +    [global] 
 +      add machine script = /usr/sbin/useradd -n -g machines -d /dev/null -s /sbin/nologin %u 
 +  
 +<html><pre> 
 +pdbedit --pwd-must-change-time=timestamp username
 timestamp je unix time ko mora spremenit password timestamp je unix time ko mora spremenit password
 ce das to na 0 pol bo moral spremenit ce das to na 0 pol bo moral spremenit
 +</pre></html>
 +
 +\\
 +for i in `cat userlist`;do (echo $i ; echo $i) |pdbedit -a $i  -t --pwd-must-change-time=0  ;done\\
 +\\
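Review bot: The bulk-creation loop feeds `echo $i` twice into `pdbedit -a $i -t`, so every account in `userlist` starts with a password equal to its own username; `--pwd-must-change-time=0` forces a change at first logon but does not control who logs on first. Generate a random initial password per user and hand it over out of band. Also read the list with `while read -r` and quote `"$i"`, since the backtick `cat userlist` word-splits any entry that contains whitespace.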
 +smb.conf
 +
 +  strict syn = no
 +  sync always = no
 +  printable = no
 +  load printers = no
 +  preserve case = no
 +  default case = lower
 +  disable netbios = yes
 +  deadtime = 15
 +
 +
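Review bot: `strict syn = no` in this smb.conf fragment is missing a letter; the parameter is `strict sync`, and Samba ignores a name it does not recognise, so the line has no effect as written. The fragment also carries no section header and mixes global options (`disable netbios`, `deadtime`, `load printers`) with per-share ones (`sync always`, `printable`, `preserve case`); say which section each belongs in. `preserve case = no` here disagrees with `preserve case = yes` in the full smb.conf further down, so one of the two needs a comment explaining when it applies.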
 +===== Tips =====
 +
 +   # mount -t cifs //server/hal /mnt -o user=hal,uid=hal,gid=hal   # mount and map ownerships
 +   # umount /mnt                                                   # unmount file system
 +
 +<code>
 +$ smbstatus 
 +Samba version 3.0.33-3.7.el5
 +PID     Username      Group         Machine                        
 +-------------------------------------------------------------------
 +32752   hal           hal           elk          (192.168.4.1)
 +32733   hal           hal           elk          (192.168.4.1)
 + 5320   laura         laura         wapiti       (192.168.4.2)
 +
 +Service      pid     machine       Connected at
 +-------------------------------------------------------
 +hal          32733   elk           Tue May 26 14:57:15 2009
 +laura        5320    wapiti        Tue May 12 11:33:32 2009
 +iTunes       5320    wapiti        Tue May 12 11:33:29 2009
 +hal          32752   elk           Tue May 26 15:02:29 2009
 +
 +No locked files
 +</code>
 +
 +  # smbcontrol 32733 close-share hal       # close a single share instance, PID 32733
 +  # smbcontrol smbd close-share hal        # nuke all clients mounting "hal"
 +
 +===== Creating Recycle Bin for Samba storage =====
 +
 +The best option is to have a "Recycle bin" for every users on the samba server.
 +Here is an example of modifying the home directories of your users in samba configuration file
 +
 +    [homes]
 +    comment = Home Directory
 +    valid users = %S
 +    browsable = no
 +    guest ok = no
 +    read only = no
 +    vfs object = recycle
 +    recycle:repository = RecycleBin
 +    recycle:keeptree = yes
 +    recycle:exclude = *.tmp, *.bak
 +
 +The “vfs object” line calls in the plug-in that enables recycle bin capability.  On the other lines, you’re setting the name of the recycle bin directory, telling Samba to preserve the whole structure of any directories that a user may delete, and finally, telling it to not keep certain types of files. 
 +
 +
 +====  How can I list the currently active clients? ====
 +The winbindd deamon can log its status to the winbind log file upon request using the signal USR2.
 +
 +If debuglevel is set to 2 or above, the windbindd dameon will also print the list of clients currently active.
 +
 +   # killall -USR2 winbindd
 +
 +The winbind log level can be set separately in the smb.conf (/etc/samba/smb.conf) file using the "log level" option, for example:
 +
 +    log level = 2 winbind:3
 +
 +<note important> **Reload the configuration in winbind by either sending a HUP signal to the winbindd daemon or by using "service winbind reload"**</note>
 +
 +   # service winbind reload
 +
 +
 +
 +===== samba + Windows Vista =====
 +
 +<note important>
 +Microsoft's security policy on WIndwos Vista is interestingly set by default to exclude mapping to Samba shares. To fix this click **START | Run | secpol.msc**. Go to Local Policies | Security Options and find Network Security: LAN Manager authentication level \\
 +Change the settings from Send NTLMv2 response only to Send LM & NTLM - use NTLMv2 session security if negotiated. 
 +Vista defaults to only send the more secure NTLMv2 protocol, which Samba (and, incidentally, some NAS devices) do not support.
 +</note>
 +
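Review bot: The Vista note tells readers to lower "Network Security: LAN Manager authentication level" to "Send LM & NTLM", while the smb.conf added directly below it sets `lanman auth = no` and `client ntlmv2 auth = yes`, so the page's own server configuration rejects the LM responses the client is being told to send. The secpol.msc change is a machine-wide policy on the workstation, not a per-share setting, so the note should name the Samba version where the problem was seen and tell readers to keep "Send NTLMv2 response only" when the server accepts it. Minor: "WIndwos" is a typo.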
 +=== smb.conf ===
 +<pre>
 +#======================= Global Settings =======================
 +
 +[global]
 +
 +## Browsing/Identification ###
 +
 +# Change this to the workgroup/NT-domain name your Samba server will part of
 +   workgroup = workgroup
 +
 +# server string is the equivalent of the NT Description field
 +   server string = server
 +        netbios name = server
 +
 +# Windows Internet Name Serving Support Section:
 +# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
 +        wins support = yes
 +
 +# WINS Server - Tells the NMBD components of Samba to be a WINS Client
 +# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
 +;   wins server = w.x.y.z
 +
 +# This will prevent nmbd to search for NetBIOS names through DNS.
 +   dns proxy = no
 +
 +# What naming service and in what order should we use to resolve host names
 +# to IP addresses
 +        name resolve order = lmhosts host wins bcast
 +
 +#### Networking ####
 +
 +# The specific set of interfaces / networks to bind to
 +# This can be either the interface name or an IP address/netmask;
 +# interface names are normally preferred
 +   interfaces = 127.0.0.1 eth1
 +
 +# Only bind to the named interfaces and/or networks; you must use the
 +# 'interfaces' option above to use this.
 +# It is recommended that you enable this feature if your Samba machine is
 +# not protected by a firewall or is a firewall itself.  However, this
 +# option cannot handle dynamic or non-broadcast interfaces correctly.
 +   bind interfaces only = true
 +
 +##      hosts allow = 192.168.101. 127.
 +        enable core files = no
 +        use sendfile = yes
 +#       smb ports = 445
 +        disable netbios = yes
 +
 +        client lanman auth = no
 +        lanman auth = no
 +        client ntlmv2 auth = yes
 +        client plaintext auth = no
 +##      deadtime = 60
 +##      enhanced browsing = no
 +        time server = yes
 +        wide links = no
 +
 +
 +        log level = 3
 +##      reset on zero vc = yes
 +
 +##      hostname lookups = no
 +
 +#       host msdfs = yes
 +#       msdfs root = no S
 +
 +
 +# Name mangling options
 +   preserve case = yes
 +   short preserve case = yes
 +   dos charset = CP852
 +   unix charset = UTF8
 +
 +
 +#### Debugging/Accounting ####
 +
 +# This tells Samba to use a separate log file for each machine
 +# that connects
 +   log file = /var/log/samba/log.%m
 +
 +# Cap the size of the individual log files (in KiB).
 +   max log size = 1000
 +
 +# If you want Samba to only log through syslog then set the following
 +# parameter to 'yes'.
 +;   syslog only = no
 +
 +# We want Samba to log a minimum amount of information to syslog. Everything
 +# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
 +# through syslog you should set the following parameter to something higher.
 +   syslog = 0
 +
 +# Do something sensible when Samba crashes: mail the admin a backtrace
 +   panic action = /usr/share/samba/panic-action %d
 +
 +
 +####### Authentication #######
 +
 +# "security = user" is always a good idea. This will require a Unix account
 +# in this server for every user accessing the server. See
 +# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
 +# in the samba-doc package for details.
 +   security = user
 +
 +# You may wish to use password encryption.  See the section on
 +# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
 +   encrypt passwords = true
 +
 +# If you are using encrypted passwords, Samba will need to know what
 +# password database type you are using.
 +   passdb backend = tdbsam
 +
 +   obey pam restrictions = yes
 +
 +   guest account = nobody
 +   ###!!!###invalid users = root, ftpdostop*,ftp
 +   invalid users = ftpdostop*,ftp
 +   username map = /etc/samba/users.map
 +
 +# This boolean parameter controls whether Samba attempts to sync the Unix
 +# password with the SMB password when the encrypted SMB password in the
 +# passdb is changed.
 +   unix password sync = yes
 +
 +# For Unix password sync to work on a Debian GNU/Linux system, the following
 +# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
 +# sending the correct chat script for the passwd program in Debian Sarge).
 +   passwd program = /usr/bin/passwd %u
 +   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 +
 +# This boolean controls whether PAM will be used for password changes
 +# when requested by an SMB client instead of the program listed in
 +# 'passwd program'. The default is 'no'.
 +   pam password change = no
 +
 +# This option controls how nsuccessful authentication attempts are mapped
 +# to anonymous connections
 +map to guest = bad user
 +
 +########## Domains ###########
 +
 +os level = 69
 +
 +# Is this machine able to authenticate users. Both PDC and BDC
 +# must have this setting enabled. If you are the BDC you must
 +# change the 'domain master' setting to no
 +#
 +   domain logons = yes
 +        local master = yes
 +
 +# Domain Master specifies Samba to be the Domain Master Browser. If this
 +# machine will be configured as a BDC (a secondary logon server), you
 +# must set this to 'no'; otherwise, the default behavior is recommended.
 +   domain master = yes
 +preferred master = yes
 +
 +
 +#
 +# The following setting only takes effect if 'domain logons' is set
 +# It specifies the location of the user's profile directory
 +# from the client point of view)
 +# The following required a [profiles] share to be setup on the
 +# samba server (see below)
 +;   logon path = \\%N\profiles\%U
 +# Another common choice is storing the profile in the user's home directory
 +   #logon path = \\%N\%U\.winprofile
 +   logon path = \\server\%U\.winprofile
 +#logon path = \\%L\profiles\%U
 +
 +   logon drive = H:
 +   #logon home = \\%N\%U
 +   logon home = \\server\%U
 +
 +   logon script = logon.cmd
 +
 +# This allows Unix users to be created on the domain controller via the SAMR
 +# RPC pipe.  The example command creates a user account with a disabled Unix
 +# password; please adapt to your needs
 +add user script = /usr/sbin/adduser --quiet --disabled-password -s /bin/false  --gecos "" %u
 +add machine script = /usr/sbin/adduser --force-badname --no-create-home  --disabled-password --disabled-login --gid 118 --gecos "" --home /dev/null --shell /bin/false %u
 +
 +########## Printing ##########
 +
 +# If you want to automatically load your printer list rather
 +# than setting them up individually then you'll need this
 +        load printers = no
 +        show add printer wizard = no
 +
 +# lpr(ng) printing. You may wish to override the location of the
 +# printcap file
 +   printing = bsd
 +;   printcap name = /etc/printcap
 +   printcap name = /dev/null
 +
 +# CUPS printing.  See also the cupsaddsmb(8) manpage in the
 +# cupsys-client package.
 +;   printing = cups
 +;   printcap name = cups
 +
 +############ Misc ############
 +
 +# Using the following line enables you to customise your configuration
 +# on a per machine basis. The %m gets replaced with the netbios name
 +# of the machine that is connecting
 +;   include = /home/samba/etc/smb.conf.%m
 +
 +# Most people will find that this option gives better performance.
 +# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
 +# for details
 +# You may want to add the following on a Linux system:
 +   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=111616 SO_SNDBUF=111616
 +
 +# The following parameter is useful only if you have the linpopup package
 +# installed. The samba maintainer and the linpopup maintainer are
 +# working to ease installation and configuration of linpopup and samba.
 +;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
 +
 +# Some defaults for winbind (make sure you're not using the ranges
 +# for something else.)
 +;   idmap uid = 10000-20000
 +;   idmap gid = 10000-20000
 +;   template shell = /bin/bash
 +
 +# The following was the default behaviour in sarge,
 +# but samba upstream reverted the default because it might induce
 +# performance issues in large organizations.
 +# See Debian bug #368251 for some of the consequences of *not*
 +# having this setting and smb.conf(5) for details.
 +;   winbind enum groups = yes
 +;   winbind enum users = yes
 +
 +# Setup usershare options to enable non-root users to share folders
 +# with the net usershare command.
 +
 +# Maximum number of usershare. 0 (default) means that usershare is disabled.
 +;   usershare max shares = 100
 +
 +# Allow users who've been granted usershare privileges to create
 +# public shares, not just authenticated ones
 +   usershare allow guests = yes
 +
 +#======================= Share Definitions =======================
 +
 +# Un-comment the following (and tweak the other settings below to suit)
 +# to enable the default home directory shares.  This will share each
 +# user's home directory as \\server\username
 +[homes]
 +   comment = Home Directories
 +   browseable = no
 +
 +# By default, the home directories are exported read-only. Change the
 +# next parameter to 'no' if you want to be able to write to them.
 +   writable = yes
 +
 +# File creation mask is set to 0700 for security reasons. If you want to
 +# create files with group=rw permissions, set next parameter to 0775.
 +   create mask = 0700
 +
 +# Directory creation mask is set to 0700 for security reasons. If you want to
 +# create dirs. with group=rw permissions, set next parameter to 0775.
 +   directory mask = 0700
 +
 +# By default, \\server\username shares can be connected to by anyone
 +# with access to the samba server.  Un-comment the following parameter
 +# to make sure that only "username" can connect to \\server\username
 +# This might need tweaking when using external authentication schemes
 +   valid users = %S
 +
 + ; uporabniki ne rabijo nic delat
 +   ; z Maildir direktorijem
 +     hide files = /.*/Maildir/
 +
 +
 +# Un-comment the following and create the netlogon directory for Domain Logons
 +# (you need to configure Samba to act as a domain controller too.)
 +[netlogon]
 +   comment = Network Logon Service
 +   path = /home/netlogon
 +   guest ok = yes
 +   read only = yes
 +   share modes = no
 +   locking  = no
 +   browsable = no
 +# If you have problems, try adding the following line
 + acl check permissions = no
 +
 +
 +# Un-comment the following and create the profiles directory to store
 +# users profiles (see the "logon path" option above)
 +# (you need to configure Samba to act as a domain controller too.)
 +# The path below should be writable by all users so that their
 +# profile directory may be created the first time they log on
 +;[profiles]
 +;   comment = Users profiles
 +;   path = /home/samba/profiles
 +;   guest ok = no
 +;   browseable = no
 +;   create mask = 0600
 +;   directory mask = 0700
 +# read only = No
 +# store dos attributes = Yes
 +# printable = no
 +# hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
 +
 +#[printers]
 +#   comment = All Printers
 +#   browseable = no
 +#   path = /var/spool/samba
 +#   printable = yes
 +#   guest ok = no
 +#   read only = yes
 +#   create mask = 0700
 +
 +# Windows clients look for this share name as a source of downloadable
 +# printer drivers
 +[print$]
 +   comment = Printer Drivers
 +   path = /var/lib/samba/printers
 +   browseable = yes
 +   read only = yes
 +   guest ok = no
 +# Uncomment to allow remote administration of Windows print drivers.
 +# Replace 'ntadmin' with the name of the group your admin users are
 +# members of.
 +;   write list = root, @ntadmin
 +
 +# A sample share for sharing your CD-ROM with others.
 +;[cdrom]
 +;   comment = Samba server's CD-ROM
 +;   read only = yes
 +;   locking = no
 +;   path = /cdrom
 +;   guest ok = yes
 +
 +# The next two parameters show how to auto-mount a CD-ROM when the
 +#       cdrom share is accesed. For this to work /etc/fstab must contain
 +#       an entry like this:
 +#
 +#       /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user   0 0
 +#
 +# The CD-ROM gets unmounted automatically after the connection to the
 +#
 +# If you don't want to use auto-mounting/unmounting make sure the CD
 +#       is mounted on /cdrom
 +#
 +;   preexec = /bin/mount /cdrom
 +;   postexec = /bin/umount /cdrom
 +
 +[$homes]
 +   comment = Home dirs
 +   path = /home
 +   guest ok = no
 +   browseable = yes
 +   writable = yes
 +   create mask = 0600
 +   directory mask = 0700
 +#csc policy = disable
 +
 +
 +
 +#vfs objects =  recycle
 +#      recycle:keeptree = yes
 +#      recycle:versions = yes
 +#      recycle:touch = yes
 +#      recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
 +#      recycle:exclude_dir=  /tmp,/temp,/cache
 +#      recycle:repository = .recycle/.recycle.%u
 +#      recycle:noversions = *.doc,*.xls,*.ppt
 +#      #hide files = /.recycle.*/.recycle/
 +#      #veto files = /.recycle.*/.recycle/
 +</pre>
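Review bot: The `[$homes]` share at the end of the smb.conf exports `path = /home` with `writable = yes` and `browseable = yes` and has no `valid users` line, so every authenticated account can open the parent of all home directories and isolation rests on Unix permissions alone, while `[homes]` above it is restricted with `valid users = %S`. Limit `[$homes]` to an admin group with `valid users`, or drop it. In the Authentication block, the active `invalid users = ftpdostop*,ftp` omits `root`, which the commented-out line just above it still lists; add a comment saying why root needs SMB logon, or restore it. `log level = 3` is set globally with `max log size = 1000`, which is worth a comment if it is meant to stay on outside debugging.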
  
linux/samba.txt · Last modified: 2013/09/17 12:32 by zagi
CC Attribution-Share Alike 4.0 International