Table of contents
  1. Configuration
    1. Global section
    2. Log files
    3. Domain and workgroup
    4. Performance
    5. Restriction and security
    6. File management
      1. Veto
      2. Shadow copy
      3. Extended attributes
      4. ACLs
      5. Unix specificities
    7. LDAP
    8. Miscellaneous services
    9. Share
      1. homes
      2. data
      3. Printing

Provide Windows clients with access to the file system, integrating the specificities of Windows and Unix as well as possible: ACLs, previous versions, extended attributes, alternate streams, symbolic links, … The print service will also be shared with Windows clients through the integration of CUPS. Access to the various resources will be granted after users have been authenticated against an LDAP directory.

Build information

Make sure the following port options are set:

net/samba412
[x] CUPS            CUPS printing system support
[x] FAM             File Alteration Monitor
[x] LDAP            LDAP client
[x] PROFILE         Profiling data
[x] QUOTAS          Disk quota support
[x] SYSLOG          Syslog logging support
[x] UTMP            UTMP accounting
[x] FRUIT           MacOSX and TimeMachine support
(*) GSSAPI_BUILTIN  GSSAPI support via bundled Heimdal
(*) AVAHI           Zeroconf support via Avahi

Configuration

Global section

The global section holds directives that will be applied to the whole server or that will be used as default values for other sections.

smb4.conf
[global]

Log files

The part below sets the log level and the files used to store the logs generated by Samba. User logins and logouts will not be recorded in the system utmp file.

smb4.conf
    # Logging
    log level           = 0
    log file            = /var/log/samba/%m.log
    max log size        = 50
    utmp                = no

Domain and workgroup

As no computer running OS/2 is expected, the LM announce required for these clients to operate properly will not be enabled.

smb4.conf
    # Domain controller & Workgroups
    lm announce         = no
    min protocol        = NT1

A workgroup and a name are assigned to the server.

smb4.conf
    workgroup           = MYWORKGROUP
    server string       = My Server

Performance

To increase file transfer speed, tuning can be performed on three different elements:

smb4.conf
    # Network and disk tuning
    socket options      = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
#   use sendfile        = yes           # !!! Seems to create broken pipe
    aio read size       = 16384         # !!! Requires 'aio' kernel module

For the aio read size or aio write size directive to work, the kernel must support asynchronous input/output, either by loading the corresponding module (aio) or because the code is already built into the kernel.

The presence of asynchronous input/output support can be tested with the kldstat command, and the module loaded manually if necessary with kldload; both can be done in one step:

Load `aio` module if not already present
kldstat -q -m aio || kldload aio

The module can also be loaded automatically at system startup by adding the following line to the boot loader configuration:

/boot/loader.conf
aio_load="YES"

Currently, setting the use sendfile directive to yes leads to broken pipe errors during some file transfers, which is why it is shown commented out in the configuration file.
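As an added example (not from the original page), a small POSIX sh helper that makes the aio_load setting persistent idempotently: an existing aio_load line in the loader configuration is rewritten rather than duplicated, so a stale aio_load="NO" cannot shadow the new value. The file path is a parameter so the functions can be tried on a scratch copy; load_kmod_now wraps the kldstat/kldload step shown above and is only meaningful on FreeBSD.

```shell
# Added example, not part of the original page: make the aio module persistent
# across reboots without leaving duplicate or conflicting lines in loader.conf.
# The file path is a parameter so the functions can be exercised on a copy.

# ensure_loader_var FILE NAME VALUE
# Writes NAME="VALUE" into FILE. An existing assignment of NAME is replaced
# in place (so aio_load="NO" becomes aio_load="YES"); otherwise the line is
# appended. Running it twice leaves the file unchanged.
ensure_loader_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        tmp=$(mktemp) || return 1
        awk -v n="$name" -v v="$value" '
            index($0, n "=") == 1 { print n "=\"" v "\""; next }
            { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# count_loader_var FILE NAME: number of assignments of NAME in FILE (0 if none).
count_loader_var() {
    grep -c "^$2=" "$1" || true
}

# loader_var_value FILE NAME: the value currently assigned to NAME, unquoted
# (the last assignment wins, which is how the loader reads the file).
loader_var_value() {
    awk -v n="$2" '
        index($0, n "=") == 1 { v = substr($0, length(n) + 2); gsub(/"/, "", v); last = v }
        END { print last }' "$1"
}

# load_kmod_now NAME: load the module immediately when it is not resident.
# Only meaningful on FreeBSD; on hosts without kldstat it does nothing.
load_kmod_now() {
    command -v kldstat >/dev/null 2>&1 || return 0
    kldstat -q -m "$1" || kldload "$1"
}

# On the server, as root:
#   ensure_loader_var /boot/loader.conf aio_load YES && load_kmod_now aio
```

Because the replacement is keyed on the variable name at the start of the line, a commented-out `#aio_load="YES"` is left alone and a fresh line is appended; the last assignment in the file is the one the loader honours, which is what loader_var_value reports.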

Restriction and security

If the server has several interfaces, it can be necessary to restrict the Samba processes to listening on the interface actually used by the selected network.

smb4.conf
    # Network restriction
    bind interfaces only = yes
    interfaces           = 127.0.0.1 192.168.1.5/24

If bind interfaces only is set, it is advisable to include the loopback interface (i.e. 127.0.0.1) so that the smbpasswd and swat programs behave correctly.

The security model used is the one where users are identified by a login and password to access resources. The Unix user account used for the guest user is chosen here to be: win.

smb4.conf
    # Security model
    security            = user
    guest account       = win

File management

Veto

Files that have no meaning for Windows can be hidden from it entirely (browsing only). This is generally used to hide entries generated by MacOS X (.DS_Store) or directories specific to ZFS (.zfs).

smb4.conf
    # Veto files
    veto files          = /.DS_Store/
    delete veto files   = yes

The separator in the veto files list is the slash (“/”) character, as this character is forbidden in Windows file names.

The delete veto files directive allows files or directories marked as “veto” that sit inside a directory being deleted to be removed recursively along with it. This directive must be used wisely.

Shadow copy

Configuring the “shadow copy”: when the shadow_copy2 module is stacked in vfs objects, file system snapshots become accessible from the Windows interface under the name “Previous versions”.

smb4.conf
    # Shadow copy
    shadow:snapdir      = .zfs/snapshot
    shadow:format       = %Y-%m-%d
    shadow:sort         = desc

The module currently provided in the distribution needs to be slightly modified to:

The following patches need to be copied before compiling Samba:

Version     Patch     Path
Samba 3.6   1 file    /usr/local/net/samba36/files/
Samba 3.5   4 files   /usr/local/net/samba35/files/

DOS attributes

If the file system supports extended attributes, as UFS2 and ZFS do, it is possible to store the NTFS-specific attributes without having to perform a dodgy mapping onto Unix permission bits.

smb4.conf
   # Store DOS attributes in extended attributes (no mapping)
   map hidden           = no
   map system           = no
   map archive          = no
   map readonly         = no
   store dos attributes = yes

Extended attributes

The following configuration allows extended attributes to be stored, if the file system supports them.

smb4.conf
   ea support          = yes

ACLs

NTFS ACLs can be taken into account either by storing them in extended attributes (acl_xattr module) or directly at the file system level in the case of ZFS (zfsacl module); the latter is detailed here:

smb4.conf
   # Behaviour when setting ACL
   #  => See README.nfs4acls.txt for more information
   nfs4:mode            = special   # Use OWNER@ and GROUP@ special IDs
   nfs4:acedup          = merge     # Merge duplicate ACEs
   nfs4:chown           = yes       # Enable changing owner and group
   map acl inherit      = yes

ZFS also needs to be configured in passthrough mode:

Set passthrough mode for ACLs in ZFS
zfs set aclmode=passthrough    share
zfs set aclinherit=passthrough share

This module is still experimental and can create problems, in particular a “wrong permissions ordering” error on ACL entries.
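Added example, not from the original page: after running zfs set, confirm that every dataset under the share really is in passthrough mode, since a child dataset with its own local value silently keeps it. The check parses the tab-separated output of zfs get -H -o name,property,value, so it is shown here against a constructed sample (the dataset names and values are made up); zfs_acl_report runs the same check on a live pool. passthrough-x is accepted alongside passthrough, as it is the passthrough variant with a stricter rule for the execute bit on inherited entries.

```shell
# Added example, not part of the original page: verify that the datasets behind
# a share are in passthrough mode for both aclmode and aclinherit.

# check_acl_passthrough
# Reads "zfs get -H -o name,property,value aclmode,aclinherit ..." output on
# stdin and prints "<dataset> <property>=<value>" for every property that is
# not passthrough (or passthrough-x). The exit status is the number of such
# lines, so 0 means every dataset is configured as this page requires.
check_acl_passthrough() {
    awk -F '\t' '
        $2 == "aclmode" || $2 == "aclinherit" {
            if ($3 != "passthrough" && $3 != "passthrough-x") {
                printf "%s %s=%s\n", $1, $2, $3
                n++
            }
        }
        END { exit n + 0 }'
}

# zfs_acl_report DATASET: run the check on DATASET and all of its children
# (needs the zfs command, i.e. a real pool).
zfs_acl_report() {
    zfs get -r -H -o name,property,value aclmode,aclinherit "$1" | check_acl_passthrough
}

# Constructed sample, in the exact shape "zfs get -H" prints (tab separated):
# the parent is correct, share/home keeps its own non-passthrough values,
# share/data uses the passthrough-x variant. Names and values are made up.
sample_zfs_get() {
    printf 'share\taclmode\tpassthrough\n'
    printf 'share\taclinherit\tpassthrough\n'
    printf 'share/home\taclmode\tdiscard\n'
    printf 'share/home\taclinherit\trestricted\n'
    printf 'share/data\taclmode\tpassthrough-x\n'
    printf 'share/data\taclinherit\tpassthrough\n'
}

# On the server:  zfs_acl_report share; echo "datasets needing attention: $?"
```

Running the sample through the check reports the two share/home properties and exits with status 2; on a live system, feeding the report into the zfs set commands above for each listed dataset brings the tree back into line.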

Unix specificities

The UNIX file system on which Samba relies differs from the NTFS file system. Some options will be set up to:

smb4.conf
    # Unix specific
    wide links          = no
    unix extensions     = yes
    unix charset        = UTF8

LDAP

An LDAP directory already exists for managing users, so Samba will use it to manage users, groups, and computers, with added restrictions on how the directory is used:

smb4.conf
    # LDAP
    passdb backend      = ldapsam:ldapi://%2fvar%2frun%2fopenldap%2fldapi/
    ldap admin dn       = uid=root,ou=Admins,dc=example,dc=com
    ldap ssl            = no
    ldap user suffix    = ou=People
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Hosts
    ldap idmap suffix   = ou=Idmaps
    ldap suffix         = dc=example,dc=com
    ldap delete dn      = no
    ldap passwd sync    = only
    ldapsam:editposix   = no
    ldapsam:trusted     = yes

ldapsam:trusted
The yes value means that Samba will not query NSS (Name Service Switch) to resolve user or group names; all of them must be known to LDAP, in particular the user defined by the guest account directive.
ldap passwd sync
The only value makes Samba perform password changes through the LDAP password modification (Password Modify Extended Operation) instead of modifying the corresponding entries itself.
ldap delete dn
The no value specifies that during a delete operation only the Samba-specific attributes are removed instead of the complete entry.

The password used to access the LDAP directory is not defined in the configuration file; it must be entered later with the following command:

Set LDAP password
smbpasswd -w password

Miscellaneous services

To keep the time exact on the Windows machines, Samba is configured to act as a time server.

smb4.conf
    # Time server
    time server         = yes

The name resolution mechanisms used by Samba to resolve NetBIOS names are DNS (host) and broadcast. In addition, Samba is configured not to act as a WINS server for name resolution on behalf of Windows clients.

smb4.conf
    # Name resolution
    name resolve order  = host bcast
    wins support        = no

Share

homes

The homes section is special in that it is used as a template for clients connecting to their home directories. Thus, if the requested share name is not defined by a section, matches a user name, and the password correctly authenticates that user, then this section is used.

smb4.conf
[homes]
   comment              = %u home directory

A basic configuration consists of:

smb4.conf
   browseable           = no
   writeable            = yes

A more advanced configuration is obtained by stacking additional modules:

smb4.conf
   vfs objects          = streams_xattr shadow_copy2

zfsacl
Allows the use of NFSv4-style ACLs, which are compatible with the ACLs used by NTFS. The native file system must of course be ZFS.
streams_xattr
Allows the creation of alternate data streams from Windows (i.e. NTFS alternate data streams), providing greater compatibility with the NTFS file system.
shadow_copy2
Provides access to file system snapshots from the Windows interface as “Previous versions”; ZFS is well suited to the shadow copy mechanism.

Creation of alternate data streams can be used to hide viruses. Think carefully, therefore, before stacking the streams_xattr module.

data

Below is an example of a share available to everyone: unauthenticated users take the identity of the guest user (previously defined by guest account), while the access rights of the native file system still apply:

smb4.conf
[data]
   comment              = Data
   path                 = /data
   public               = yes
   guest ok             = yes
   writeable            = yes
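Added example (not part of the original page): an audit script, in POSIX sh and awk, that reads an smb4.conf and reports the settings discussed in the Domain and workgroup, Restriction and security, LDAP, Unix specificities, homes and data sections: min protocol = NT1 (NT1 is the SMB1 dialect), bind interfaces only without the loopback address, an ldapsam backend reached over ldap:// while ldap ssl = no (the ldapi:// Unix socket used above is not flagged, since no credentials cross the network), wide links = yes, guest-writable shares, and shares that stack streams_xattr. The configuration it is run on is constructed for the example and deliberately contains several of these findings. The parser is simplified (it strips trailing # comments the way this page writes them); run testparm -s first to catch anything Samba itself rejects.

```shell
# Added example, not part of the original page: audit an smb4.conf against the
# points raised on this page. Findings are printed one per line as
# "<section><TAB><finding>"; the exit status is the number of findings.

audit_smb_conf() {
    awk '
    function norm(s) {              # trim, squeeze blanks, lowercase
        gsub(/^[ \t]+|[ \t]+$/, "", s)
        gsub(/[ \t]+/, " ", s)
        return tolower(s)
    }
    function is_yes(v) { return v == "yes" || v == "true" || v == "1" }
    function has(v, t,   n, i, a) { # true when token t is in the list v
        n = split(v, a, " ")
        for (i = 1; i <= n; i++) if (a[i] == t) return 1
        return 0
    }
    BEGIN { sec = "global"; sections[sec] = 1 }
    {
        line = $0
        sub(/[ \t]*[#;].*$/, "", line)          # drop comments (simplification)
        if (line ~ /^[ \t]*\[.*\][ \t]*$/) {    # [section] header
            sec = substr(line, index(line, "[") + 1)
            sec = norm(substr(sec, 1, index(sec, "]") - 1))
            sections[sec] = 1
            next
        }
        eq = index(line, "=")
        if (eq == 0) next
        key = norm(substr(line, 1, eq - 1))
        if (key != "") conf[sec, key] = norm(substr(line, eq + 1))
    }
    END {
        n = 0
        v = conf["global", "server min protocol"]   # synonym of "min protocol"
        if (v == "") v = conf["global", "min protocol"]
        if (v ~ /^(nt1|lanman1|lanman2|core|coreplus)$/) {
            print "global\tSMB1 dialect allowed (min protocol = " v ")"; n++
        }
        if (is_yes(conf["global", "bind interfaces only"]) &&
            !has(conf["global", "interfaces"], "127.0.0.1") &&
            !has(conf["global", "interfaces"], "lo0")) {
            print "global\tbind interfaces only = yes without the loopback interface"; n++
        }
        if (conf["global", "passdb backend"] ~ /ldapsam:ldap:\/\// &&
            conf["global", "ldap ssl"] == "no") {
            print "global\tldapsam over ldap:// with ldap ssl = no (plaintext bind)"; n++
        }
        if (is_yes(conf["global", "wide links"])) {
            print "global\twide links = yes (symlinks may lead outside the share path)"; n++
        }
        for (s in sections) {
            if (s == "global") continue
            g = is_yes(conf[s, "guest ok"]) || is_yes(conf[s, "public"])
            w = is_yes(conf[s, "writeable"]) || is_yes(conf[s, "writable"]) ||
                conf[s, "read only"] == "no"
            if (g && w) { print s "\tguest-writable share"; n++ }
            if (has(conf[s, "vfs objects"], "streams_xattr")) {
                print s "\talternate data streams enabled (streams_xattr)"; n++
            }
        }
        exit n
    }' "$1"
}

# Constructed sample configuration (not a real server's file) that deliberately
# carries several of the findings above; the ldap host name is made up.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup           = MYWORKGROUP
    min protocol        = NT1
    bind interfaces only= yes
    interfaces          = 192.168.1.5/24
    passdb backend      = ldapsam:ldap://ldap.example.com/
    ldap ssl            = no
    wide links          = no
    aio read size       = 16384         # trailing comment, as on this page
[homes]
    browseable           = no
    writeable            = yes
    vfs objects          = streams_xattr shadow_copy2
[data]
    path                 = /data
    public               = yes
    guest ok             = yes
    writeable            = yes
[print$]
    path                 = /var/windows/print
    guest ok             = no
    writable             = no
    write list           = admin
EOF
}

# On the server:  audit_smb_conf /usr/local/etc/smb4.conf; echo "findings: $?"
```

On the constructed sample the audit prints five findings (SMB1, missing loopback, plaintext LDAP bind, streams_xattr on homes, guest-writable data) and exits with status 5; the print$ share, being read-only for guests with a write list, produces none. Against the configuration built on this page only the NT1 line and, for homes, streams_xattr would be reported, which matches the caveat the page itself gives about alternate data streams.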

Printing

Load all the printers from the CUPS printing system:

smb4.conf
[global]
   load printers        = yes
   printing             = cups
   printcap name        = cups
   cups options         = "media=a4"

The printers section is special in that it is used as a template for the various printers (in the same way as the homes section is used for users’ home directories). The printers will only be available to authenticated users.

smb4.conf
[printers]
   comment              = All printers
   path                 = /var/spool/samba
   printable            = yes
   writable             = no
   browseable           = no
   guest ok             = no

This section lets Windows clients download the corresponding driver during printer installation. Only the admin user is allowed to store drivers there. This is done on the CUPS side with the cupsaddsmb command, detailed further on.

smb4.conf
[print$]
   comment             = Printer drivers
   path                = /var/windows/print
   browseable          = yes
   guest ok            = no
   writable            = no
   write list          = admin

The admin user must also have write permission on the /var/windows/print/ directory.