[ipfire-3.x.git] / samba / smb.conf

# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
# guides for installing, configuring, and using Samba:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# The Samba-3 by Example guide has working examples for smb.conf. This guide is
# generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# Note: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
# and groupadd family of binaries. Run the following command as the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================

[global]

# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
	workgroup = MYGROUP
	server string = Samba Server Version %v

;	netbios name = MYSERVER

;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;	hosts allow = 127. 192.168.12. 192.168.13.

;	max protocol = SMB2

# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#

	# log files split per-machine:
	log file = /var/log/samba/log.%m
	# maximum size of 50KB per log file, then rotate:
	max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#

	security = user
	passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.

;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
;	security = user
;	passdb backend = tdbsam

;	domain master = yes
;	domain logons = yes

	# the following login script name is determined by the machine name
	# (%m):
;	logon script = %m.bat
	# the following login script name is determined by the UNIX user used:
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# use an empty path to disable profile support:
;	logon path =

	# various scripts can be used on a domain controller or a stand-alone
	# machine to add or delete corresponding UNIX accounts:

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
;	local master = no
;	os level = 33
;	preferred master = yes

#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#

	load printers = yes
	cups options = raw

;	printcap name = /etc/printcap
	# obtain a list of printers automatically on UNIX System V systems:
;	printcap name = lpstat
;	printing = cups

# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
	comment = Home Directories
	browseable = no
	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons:
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no

# Un-comment the following to provide a specific roving profile share.
# The default is to use the user's home directory:
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes

# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
;	[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
;	writable = yes
;	printable = no
;	write list = +staff
Commit	Line	Data
093d622f CS	1	# This is the main Samba configuration file. For detailed information about the
	2	# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
	3	# number of configurable options, most of which are not shown in this example.
	4	#
	5	# The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
	6	# guides for installing, configuring, and using Samba:
	7	# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
	8	#
	9	# The Samba-3 by Example guide has working examples for smb.conf. This guide is
	10	# generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
	11	#
	12	# In this file, lines starting with a semicolon (;) or a hash (#) are
	13	# comments and are ignored. This file uses hashes to denote commentary and
	14	# semicolons for parts of the file you may wish to configure.
	15	#
	16	# Note: Run the "testparm" command after modifying this file to check for basic
	17	# syntax errors.
	18	#
	19	#---------------
	20	# Security-Enhanced Linux (SELinux) Notes:
	21	#
	22	# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
	23	# and groupadd family of binaries. Run the following command as the root user to
	24	# turn this Boolean on:
	25	# setsebool -P samba_domain_controller on
	26	#
	27	# Turn the samba_enable_home_dirs Boolean on if you want to share home
	28	# directories via Samba. Run the following command as the root user to turn this
	29	# Boolean on:
	30	# setsebool -P samba_enable_home_dirs on
	31	#
	32	# If you create a new directory, such as a new top-level directory, label it
	33	# with samba_share_t so that SELinux allows Samba to read and write to it. Do
	34	# not label system directories, such as /etc/ and /home/, with samba_share_t, as
	35	# such directories should already have an SELinux label.
	36	#
	37	# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
	38	# label for a given directory.
	39	#
	40	# Set SELinux labels only on files and directories you have created. Use the
	41	# chcon command to temporarily change a label:
	42	# chcon -t samba_share_t /path/to/directory
	43	#
	44	# Changes made via chcon are lost when the file system is relabeled or commands
	45	# such as restorecon are run.
	46	#
	47	# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
	48	# directories. To share such directories and only allow read-only permissions:
	49	# setsebool -P samba_export_all_ro on
	50	# To share such directories and allow read and write permissions:
	51	# setsebool -P samba_export_all_rw on
	52	#
	53	# To run scripts (preexec/root prexec/print command/...), copy them to the
	54	# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
	55	# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
	56	# their existing SELinux labels, which may be labels that SELinux does not allow
	57	# smbd to run. Copying the scripts will result in the correct SELinux labels.
	58	# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
	59	# apply the correct SELinux labels to these files.
	60	#
	61	#--------------
	62	#
	63	#======================= Global Settings =====================================
	64
65	[global]
66
67	# ----------------------- Network-Related Options -------------------------
68	#
69	# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
70	#
71	# server string = the equivalent of the Windows NT Description field.
72	#
73	# netbios name = used to specify a server name that is not tied to the hostname.
74	#
75	# interfaces = used to configure Samba to listen on multiple network interfaces.
76	# If you have multiple interfaces, you can use the "interfaces =" option to
77	# configure which of those interfaces Samba listens on. Never omit the localhost
78	# interface (lo).
79	#
80	# hosts allow = the hosts allowed to connect. This option can also be used on a
81	# per-share basis.
82	#
83	# hosts deny = the hosts not allowed to connect. This option can also be used on
84	# a per-share basis.
85	#
86	# max protocol = used to define the supported protocol. The default is NT1. You
87	# can set it to SMB2 if you want experimental SMB2 support.
88	#
89	workgroup = MYGROUP
90	server string = Samba Server Version %v
91
92	; netbios name = MYSERVER
93
94	; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
95	; hosts allow = 127. 192.168.12. 192.168.13.
96
97	; max protocol = SMB2
98
99	# --------------------------- Logging Options -----------------------------
100	#
101	# log file = specify where log files are written to and how they are split.
102	#
103	# max log size = specify the maximum size log files are allowed to reach. Log
104	# files are rotated when they reach the size specified with "max log size".
105	#
106
107	# log files split per-machine:
108	log file = /var/log/samba/log.%m
109	# maximum size of 50KB per log file, then rotate:
110	max log size = 50
111
112	# ----------------------- Standalone Server Options ------------------------
113	#
114	# security = the mode Samba runs in. This can be set to user, share
115	# (deprecated), or server (deprecated).
116	#
117	# passdb backend = the backend used to store user information in. New
118	# installations should use either tdbsam or ldapsam. No additional configuration
119	# is required for tdbsam. The "smbpasswd" utility is available for backwards
120	# compatibility.
121	#
122
123	security = user
124	passdb backend = tdbsam
125
126
127	# ----------------------- Domain Members Options ------------------------
128	#
129	# security = must be set to domain or ads.
130	#
131	# passdb backend = the backend used to store user information in. New
132	# installations should use either tdbsam or ldapsam. No additional configuration
133	# is required for tdbsam. The "smbpasswd" utility is available for backwards
134	# compatibility.
135	#
136	# realm = only use the realm option when the "security = ads" option is set.
137	# The realm option specifies the Active Directory realm the host is a part of.
138	#
139	# password server = only use this option when the "security = server"
140	# option is set, or if you cannot use DNS to locate a Domain Controller. The
141	# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
142	#
143	# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
144	#
145	# Use "password server = *" to automatically locate Domain Controllers.
146
147	; security = domain
148	; passdb backend = tdbsam
149	; realm = MY_REALM
150
151	; password server = <NT-Server-Name>
152
153	# ----------------------- Domain Controller Options ------------------------
154	#
155	# security = must be set to user for domain controllers.
156	#
157	# passdb backend = the backend used to store user information in. New
158	# installations should use either tdbsam or ldapsam. No additional configuration
159	# is required for tdbsam. The "smbpasswd" utility is available for backwards
160	# compatibility.
161	#
162	# domain master = specifies Samba to be the Domain Master Browser, allowing
163	# Samba to collate browse lists between subnets. Do not use the "domain master"
164	# option if you already have a Windows NT domain controller performing this task.
165	#
166	# domain logons = allows Samba to provide a network logon service for Windows
167	# workstations.
168	#
169	# logon script = specifies a script to run at login time on the client. These
170	# scripts must be provided in a share named NETLOGON.
171	#
172	# logon path = specifies (with a UNC path) where user profiles are stored.
173	#
174	#
175	; security = user
176	; passdb backend = tdbsam
177
178	; domain master = yes
179	; domain logons = yes
180
181	# the following login script name is determined by the machine name
182	# (%m):
183	; logon script = %m.bat
184	# the following login script name is determined by the UNIX user used:
185	; logon script = %u.bat
186	; logon path = \\%L\Profiles\%u
187	# use an empty path to disable profile support:
188	; logon path =
189
190	# various scripts can be used on a domain controller or a stand-alone
191	# machine to add or delete corresponding UNIX accounts:
192
193	; add user script = /usr/sbin/useradd "%u" -n -g users
194	; add group script = /usr/sbin/groupadd "%g"
195	; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
196	; delete user script = /usr/sbin/userdel "%u"
197	; delete user from group script = /usr/sbin/userdel "%u" "%g"
198	; delete group script = /usr/sbin/groupdel "%g"
199
200
201	# ----------------------- Browser Control Options ----------------------------
202	#
203	# local master = when set to no, Samba does not become the master browser on
204	# your network. When set to yes, normal election rules apply.
205	#
206	# os level = determines the precedence the server has in master browser
207	# elections. The default value should be reasonable.
208	#
209	# preferred master = when set to yes, Samba forces a local browser election at
210	# start up (and gives itself a slightly higher chance of winning the election).
211	#
212	; local master = no
213	; os level = 33
214	; preferred master = yes
215
216	#----------------------------- Name Resolution -------------------------------
217	#
218	# This section details the support for the Windows Internet Name Service (WINS).
219	#
220	# Note: Samba can be either a WINS server or a WINS client, but not both.
221	#
222	# wins support = when set to yes, the NMBD component of Samba enables its WINS
223	# server.
224	#
225	# wins server = tells the NMBD component of Samba to be a WINS client.
226	#
227	# wins proxy = when set to yes, Samba answers name resolution queries on behalf
228	# of a non WINS capable client. For this to work, there must be at least one
229	# WINS server on the network. The default is no.
230	#
231	# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
232	# nslookups.
233
234	; wins support = yes
235	; wins server = w.x.y.z
236	; wins proxy = yes
237
238	; dns proxy = yes
239
240	# --------------------------- Printing Options -----------------------------
241	#
242	# The options in this section allow you to configure a non-default printing
243	# system.
244	#
245	# load printers = when set you yes, the list of printers is automatically
246	# loaded, rather than setting them up individually.
247	#
248	# cups options = allows you to pass options to the CUPS library. Setting this
249	# option to raw, for example, allows you to use drivers on your Windows clients.
250	#
251	# printcap name = used to specify an alternative printcap file.
252	#
253
254	load printers = yes
255	cups options = raw
256
257	; printcap name = /etc/printcap
258	# obtain a list of printers automatically on UNIX System V systems:
259	; printcap name = lpstat
260	; printing = cups
261
262	# --------------------------- File System Options ---------------------------
263	#
264	# The options in this section can be un-commented if the file system supports
265	# extended attributes, and those attributes are enabled (usually via the
266	# "user_xattr" mount option). These options allow the administrator to specify
267	# that DOS attributes are stored in extended attributes and also make sure that
268	# Samba does not change the permission bits.
269	#
270	# Note: These options can be used on a per-share basis. Setting them globally
271	# (in the [global] section) makes them the default for all shares.
272
273	; map archive = no
274	; map hidden = no
275	; map read only = no
276	; map system = no
277	; store dos attributes = yes
278
279
280	#============================ Share Definitions ==============================
281
282	[homes]
283	comment = Home Directories
284	browseable = no
285	writable = yes
286	; valid users = %S
287	; valid users = MYDOMAIN\%S
288
289	[printers]
290	comment = All Printers
291	path = /var/spool/samba
292	browseable = no
293	guest ok = no
294	writable = no
295	printable = yes
296
297	# Un-comment the following and create the netlogon directory for Domain Logons:
298	; [netlogon]
299	; comment = Network Logon Service
300	; path = /var/lib/samba/netlogon
301	; guest ok = yes
302	; writable = no
303	; share modes = no
304
305	# Un-comment the following to provide a specific roving profile share.
306	# The default is to use the user's home directory:
307	; [Profiles]
308	; path = /var/lib/samba/profiles
309	; browseable = no
310	; guest ok = yes
311
312	# A publicly accessible directory that is read only, except for users in the
313	# "staff" group (which have write permissions):
314	; [public]
315	; comment = Public Stuff
316	; path = /home/samba
317	; public = yes
318	; writable = yes
319	; printable = no
320	; write list = +staff