Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
posted in category Systems Software / Samba
posted at 28. Sep '21

Modern Samba Config For 2021

A couple of weeks ago I upgraded from Debian 10 Buster to Debian 11 Bullseye and saw some deprecation warnings coming from Samba. It was time to update a config that was created in 2003 and served as a “domain login” for machines with Windows 98 SE; in recent years it has not been a domain controller, only a server for authenticated shared folders. Most of the changes were to the server role, plus disabling old SMB protocols, requiring Windows 8 and higher, and disabling WINS and the DNS proxy.

I’m posting this mainly because the documentation is erratic. The wiki is very good but half done: it says you can set this with that, but won’t list all the options or say what they mean. What the fuck is “log level = 1”? How verbose? It’s not even explained in man smb.conf… Also, the blog posts out there are from 2016 and older…

Wanted:

  • users have their shared folders
  • no guests allowed

[global]

######## Networking ########

  # years ago I had to add this, otherwise sharing didn't work
  # for XP SP3 or Win7, don't remember exactly
  smb ports = 139 445
  # listen only on internal interfaces
  interfaces = lo eth0
  hosts deny = all
  hosts allow = 127.0.0.0/8 10.0.0.0/21
  bind interfaces only = true

######## Browsing #######

  # browsing groups from Win 10 doesn't even work,
  # possible only with old protocols for some reason
  # at least Windows said, I wouldn't trust to be honest
  workgroup = WORKGROUP
  netbios name = HONEYBADGER
  os level = 100

  preferred master = yes
  local master = yes
  dns proxy = no

  # Use either NetBIOS broadcast for name resolution or entries in the /etc/hosts file
  name resolve order = bcast host
 
  # Always advertise the shares automatically
  auto services = global

#### Debugging/Accounting ####

  log file = /var/log/samba/log.%m
  max log size = 20000
  log level = 1
  panic action = /usr/share/samba/panic-action %d
  utmp = yes

####### Authentication #######

  # always require password
  security = user
  # users and passwords are in TDB file
  # passwords have to be in NTLM format, in addition to bcrypt/yescrypt in /etc/shadow
  # not sure if still needed
  passdb backend = tdbsam
  invalid users = root
  server role = standalone server
  obey pam restrictions = yes
  unix password sync = no
  pam password change = no
  map to guest = never

  # Require at least SMB3
  # SMB 3 (previously known as SMB2.2 dialect) was introduced with Windows 8 and Windows Server 2012.
  # SMB3 support in the kernel was much improved in kernel version 3.12
  # SMB3_00 is the Windows 8 dialect; SMB2_10 is the Windows 7 one, and plain SMB3 selects SMB3_11
  server min protocol = SMB3_00
  client min protocol = SMB3_00

########## Printing ##########

   load printers = no
#   printing = cups
#   printcap name = cups

######## File sharing ########

   preserve case = yes
   short preserve case = yes
   hide dot files = true

############ Misc ############

   template shell = /usr/bin/rssh

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
   veto files = /public_html/Maildir/.?*/
   path = /network/home/%u/


# shared folder for management group
[topdogs]
  path = /network/topdogs
  browseable = yes
  writeable = yes
  # 'public' is a synonym for 'guest ok'; no guests allowed
  public = no
  valid users = @management
  write list = @management
  # admin users do all file operations on this share as root
  admin users = @management

The config file is probably not perfect, but it works nicely. The documentation is really bad. Is everything really cloud and shit now, or in corporate domain controllers, and nobody shares their secrets?
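
One way to check an smb.conf against the two goals stated in this post (no guests allowed, SMB3 as the minimum protocol), as an added example that is not part of the original post. The function names, the SMB3_00 floor and the sample config are assumptions made for the illustration, and the parser is simplified (no include files or line continuations).

```python
import re
# Dialect order from smb.conf(5); plain SMB2 / SMB3 select their newest variant.
DIALECTS = "CORE COREPLUS LANMAN1 LANMAN2 NT1 SMB2_02 SMB2_10 SMB3_00 SMB3_02 SMB3_11".split()
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
TRUE = {"yes", "true", "on", "1"}

def parse(text):
    """Return {section: {param: value}}; parameter names ignore case and spaces."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit(text, floor="SMB3_00"):
    """List settings that allow guests ('public' is a synonym of 'guest ok'),
    grant root via 'admin users', or accept a dialect older than `floor`."""
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    for key in ("serverminprotocol", "clientminprotocol"):
        value = glob.get(key, "unset").upper()
        value = ALIASES.get(value, value)
        if value not in DIALECTS or DIALECTS.index(value) < DIALECTS.index(floor):
            findings.append(f"global: {key} = {value} is below {floor}")
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append("global: map to guest is not 'never'")
    for name, params in conf.items():
        if {params.get("guestok", "").lower(), params.get("public", "").lower()} & TRUE:
            findings.append(f"{name}: guest access enabled")
        if params.get("adminusers"):
            findings.append(f"{name}: admin users act as root on this share")
    return findings

# Constructed sample config (hypothetical share and group names).
SAMPLE = """[global]
  server min protocol = SMB2_10
  client min protocol = SMB2_10
[projects]
  public = yes
  admin users = @staff
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a real server, run it over the output of `testparm -s` so that defaults and includes are already resolved.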
