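# smb.conf - Samba 2.2.x configuration file
# From http://thegoldenear.org/toolbox/unices/
# Licence: GNU General Public License
#
# NOTE: smb.conf only treats '#' or ';' at the START of a line as a comment.
# Text after a value on the same line becomes part of that value, so every
# explanatory note below sits on its own line above the setting it describes.
######################################################################################
# CHANGELOG
######################################################################################
# 1.0.0 07/07/2006 - Removed 'keep alive' as the default of 600 (5 mins) is OK.
#                    (should have read 'keepalive' not 'keep alive').
#                  - Removed printing section as it was outdated and never utilised.
#                  - Changed [profiles] 'create mask' to 'create mode' and 'directory mask' to 'directory mode'
#                    ('create mode' is a synonym for 'create mask' and we'd used create mode elsewhere so better to standardise)
#                  - Increased 'max log size' from 50 to 100
# 0.9.7 24/02/2005 - Changed [shared] path = '/home/workgroup/shared' to /home/organisation_name_goes_here/shared
#                  - Changed [shared] 'force create mode' to use '0660' rather than '0770' as files don't need to be executable
# 0.9.6 20/07/2004 - Replaced domain name 'workgroup' with 'domain_name_goes_here'
# 0.9.5 18/10/2003 - Replaced 'passwd program' and 'passwd chat' settings with 'pam password change = yes'
#                    to get password syncing between Windows and Samba working.
#                    Un-commented and amended 'hosts allow' and 'hosts deny' settings which now work, for increased security
# 0.9.4 17/10/2003 - 0.8.3's advice to use 'Unix' rather than 'UNIX' was wrong. This smb.conf didn't change anyway!
# 0.9.3 17/10/2003 - 'force create mode' should use 0770 rather than 3770
# 0.9.2 17/08/2003 - added 'SO_KEEPALIVE' to 'socket options'
#                  - changed SO_SNDBUF and SO_RCVBUF from 8192 to 14596 for potential performance gain
#                  - 'locking = no' on [cdrom] as it's a read-only file system.
#                    previously this was suggested but commented out
#                  - tidied up comments
# 0.9.1 14/08/2003 - 'force create mask = 5770' should have been 'force create mode = 3770'
#                    and 'force directory mask = 5770' and 'force directory mode = 3770'
# 0.9.0 07/08/2003 - Added 'force create mask = 5770' and 'force directory mask = 5770' to
#                    [shared] to match changes to Unix permissions on shared directories.
#                    Changed /tge/ in [shared] share to /workgroup/ indicating more clearly
#                    in this example that it refers to the organisation name.
# 0.8.5 09/04/2003 - [programs] browseable = yes rather than 'no'
# 0.8.4 09/04/2003 - added [shared]
#                  - 'server' renamed 'file-server'
# 0.8.3 03/03/2003 - UNIX password sync command used 'Unix' rather than 'UNIX'
# 0.8.2 31/03/2003 - [programs] path = /usr/windows rather than /usr/windows/programs
#                  - removed 'wins support = yes' as Windows 2000 doesn't need a WINS server
######################################################################################

[global]
# The domain name
workgroup = domain_name_goes_here
# The server's name
netbios name = file-server
# Comment describing what the machine is
server string = the file server
# Workstations will set their time by this server
time server = yes

# SECURITY AND LOGGING SETTINGS
# this must be 'user' on a PDC
security = user
# Allow connections only from the local machine and the 10.0.0.* address range:
# (you'll want to change this if your network uses a different addressing range)
hosts allow = 127.0.0.1 10.0.0.
# Don't allow connections from any other IP address ranges than defined by 'hosts allow':
# (the '=' is required; without it the line is not parsed as a parameter.
# Where the two lists conflict, 'hosts allow' takes precedence.)
hosts deny = 0.0.0.0/0
# Only allow connections from ethernet cards and the loopback address:
interfaces = eth* lo
bind interfaces only = yes
# For Windows 2000/XP encrypted passwords
encrypt passwords = yes
# Provide logon scripts, home directories, etc as well as authentication
domain logons = yes
log file = /var/log/samba/log.%m
# log level = 2
# Put a cap on the size (in kB) of the log file
max log size = 100

# PDC and master browser settings
# ensure this machine is consulted 1st regarding current browse list
os level = 64
preferred master = yes
local master = yes
# This defines it as the Primary Domain Controller
domain master = yes
# Automatically add a Linux / Unix and Samba machine account when joining a machine to the domain
# (the account gets no home directory and no login shell)
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

# User profiles and home directory.
# the local path to which the home ([HOMES]) directory will be connected
logon drive = H:
# Where 'profiles' = [profiles] further on
logon path = \\%L\profiles\%U
# the logon script, whose location is defined in [NETLOGON]
logon script = netlogon.bat

# Define user mappings between this system and Windows systems.
# Without this you get asked for a password even if none is required
# username map = /etc/samba/users.map
# but if you've created SMB users on here you don't need it

# Fine-tuning Samba for increased speed on Linux systems
# SO_KEEPALIVE    - has the kernel probe idle connections (the author quotes every 4 hours;
#                   the actual interval is an operating-system setting) to check that a
#                   connection is still active. if the connection does not respond, it is closed
# TCP_NODELAY     - send small packets immediately instead of batching them
# IPTOS_LOWDELAY  - mark packets with the low-delay IP type-of-service
# SO_SNDBUF=14596 - 14596 is roughly the best in most circumstances, it may be able to be tuned better for your system
# SO_RCVBUF=14596 - same reason as above
socket options = TCP_NODELAY, IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596

# Keep the case in file/directory names; when looking for a file
# matching is done without regard to case, as expected by Windows
preserve case = yes
short preserve case = yes
case sensitive = no

# Sync Unix passwords from Windows workstations using PAM
# (allows users to change their passwords)
unix password sync = yes
pam password change = yes

# --- shares ---

[profiles]
comment = Windows user profile directories
path = /home/samba/profiles
read only = no
browseable = no
# rw------- - only the user can read/write files
create mode = 0600
# rwx------ - directories must be executable if they are to be navigated
directory mode = 0700

# [root]
# For administration purposes
# (exposes the whole filesystem, writeable, to members of @admins;
# leave commented out unless it is really needed)
# path = /
# browseable = no
# writeable = yes
# valid users = @admins

[homes]
# 'logon drive' won't work without this section
# If you want to set the home directory somewhere other than the Unix home:
# path =
# Volume label reported to clients for this share
volume = HOME
comment = home directories
read only = no
# Don't display a 'homes' share as well as the '%U' share
browseable = no
public = no
create mode = 0750

[programs]
# Map P: to this; use it to install programs to
# and to point programs to that don't like using UNC
comment = installed programs
path = /usr/windows
# Read-only for everyone except members of @admins (see 'write list')
read only = yes
write list = @admins
browseable = yes

[shared]
comment = shared space for everyone
path = /home/organisation_name_goes_here/shared
read only = no
browseable = yes
# Match Unix permissions set on files
force create mode = 0660
# Match Unix permissions set on the directory
# (3770 = setgid + sticky bit + rwxrwx---)
force directory mode = 3770

[cdrom]
comment = Server's CD-ROM
path = /cdrom
read only = yes
# Speed up file access as this is a read-only file system
locking = no

[NETLOGON]
# Required for Windows authentication
comment = The domain logon service
path = /home/netlogon
# 'read only' can be changed to 'no' whilst you edit the logon script
# but revert back to 'yes' for normal secure operation
read only = yes
browseable = no
write list = @admins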