<html>
<body bgcolor="#ffffff">

<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76" 
hspace="10" align="left" />
<h1 class="head0">Appendix A. Example Configuration Files</h1>

<p>Earlier in this book, we provided information on how to set
parameters inside the Samba configuration file, but rarely have we
shown an example of a complete file that can actually be used to run
a server. In this appendix, we provide examples of complete
configuration files for running Samba in the various modes
we've discussed. Using one of these examples, you
can run Samba as a workgroup authentication server, workgroup server,
primary domain controller, or domain member server.</p>

<p>We have kept the examples simple so that they have the most universal
application. They can be used as starting templates, which you can
easily modify to fit your own needs, to get a Samba server up and
running with minimal delay. The comments inside the files indicate
what needs to be changed, and how, to work on a particular system on
your network.</p>

<div class="sect1"><a name="samba2-APP-A-SECT-1"/>

<h2 class="head1">Samba in a Workgroup</h2>

<p>If your network is configured as a workgroup, adding a Samba server
is pretty simple. Samba even lets you add features, such as
user-level security and WINS, that would normally require an
expensive Windows NT/2000 Server.</p>

<div class="sect2"><a name="samba2-APP-A-SECT-1.1"/>

<h3 class="head2">Authentication and WINS Server</h3>

<p>In a workgroup environment, Samba can be set up with share-level
security and without offering WINS name service. This works and is
simple, but we generally recommend that user-level security be
enabled to allow Windows 95/98/Me systems to make use of it. Also, it
only takes a single parameter to enable Samba as a WINS server,
resulting in far better network efficiency.
<a name="INDEX-1"/><a name="INDEX-2"/><a name="INDEX-3"/>Here is the configuration file
that does it:</p>

<blockquote><pre class="code">[global]
    # replace &quot;toltec&quot; with your system's hostname

    netbios name = toltec

    # replace &quot;METRAN&quot; with the name of your workgroup

    workgroup = METRAN

    security = user
    encrypt passwords = yes

    # Run a WINS server

    wins support = yes

    # The following three lines ensure that the Samba
    # server will maintain the role of master browser.
    # Make sure no other Samba server has its OS level
    # set higher than it is here.

    local master = yes
    preferred master = yes
    os level = 65

# Make home directories on the server available to users.

[homes]
    comment = %u's Home Directory
    browsable = no
    read only = no
    map archive = yes

# This is a shared directory, accessible by all
# users. Use your own share name and path.

[d]
    path = /d
    create mask = 0700
    read only = no</pre></blockquote>

<p>Generally, you will use a configuration file similar to this one when
<a name="INDEX-4"/><a name="INDEX-5"/>adding your first Samba server to the
workgroup.</p>

</div>

<div class="sect2"><a name="samba2-APP-A-SECT-1.2"/>

<h3 class="head2">Workgroup Server</h3>

<p><a name="INDEX-6"/><a name="INDEX-7"/>Things are a
little different if another system&mdash;either a Samba server or
Windows NT/2000 server&mdash;is already handling WINS and/or
authentication. In this case, Samba is configured to use that server
for WINS. Here is a configuration file that does this:</p>

<blockquote><pre class="code">[global]
    # replace &quot;mixtec&quot; with your system's hostname

    netbios name = mixtec

    # replace &quot;METRAN&quot; with your workgroup name

    workgroup = METRAN

    security = user
    encrypt passwords = yes

    # Replace &quot;172.16.1.1&quot; with the IP address
    # of your WINS server. If there is none,
    # omit this line.

    wins server = 172.16.1.1

    # The OS level is set to 17 to allow
    # this system to win over all Windows
    # versions, but not the Samba server
    # that uses the configuration file
    # in the previous section.

    os level = 17

[homes]
    comment = %u's Home Directory
    browsable = no
    read only = no

# This is a shared directory, accessible by all
# users. Use your own share name and path.

[d]
    path = /d
    create mask = 0700
    read only = no</pre></blockquote>

<p>Once you have a server in your workgroup handling authentication and
WINS, this is the configuration file to use when adding additional
Samba servers to the workgroup.</p>
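
<p>The two workgroup files depend on each other: the first server keeps the
master browser role only while every other Samba server has a lower OS level,
and both rely on user-level security with encrypted passwords. The following
check of those rules is an added example, not part of the original appendix;
the function names <code>parse_smb_conf</code> and <code>audit</code> and the
third server, &quot;zapotec&quot;, are hypothetical.</p>

```python
import re

def parse_smb_conf(text):
    """Return {section: {param: value}}. Samba ignores case and whitespace
    in parameter names, so "OS Level" and "os level" both become "oslevel"."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit(configs, master):
    """configs: {label: smb.conf text}; master: label meant to win elections."""
    glob = {label: parse_smb_conf(text).get("global", {}) for label, text in configs.items()}
    top = glob[master].get("oslevel")
    findings = []
    for label, g in glob.items():
        if g.get("security", "").lower() == "share":
            findings.append(f"{label}: share-level security; use security = user")
        if g.get("encryptpasswords", "").lower() not in ("yes", "true", "1"):
            findings.append(f"{label}: encrypt passwords = yes is not set")
        if "oslevel" not in g:
            findings.append(f"{label}: os level is not set explicitly")
        elif label != master and top is not None and int(g["oslevel"]) >= int(top):
            findings.append(f"{label}: os level {g['oslevel']} is not below {master}'s {top}")
    return findings

# Constructed sample input: the relevant [global] lines of the two workgroup
# examples above, plus a hypothetical third server that breaks the rules.
SAMPLE = {
    "toltec": "[global]\n  security = user\n  encrypt passwords = yes\n  os level = 65\n",
    "mixtec": "[global]\n  security = user\n  encrypt passwords = yes\n  os level = 17\n",
    "zapotec": "[global]\n  Security = SHARE\n  OS Level = 70\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, master="toltec"):
        print(finding)
```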

</div>

</div>

<div class="sect1"><a name="samba2-APP-A-SECT-2"/>

<h2 class="head1">Samba in a Windows NT Domain</h2>

<p>When operating in a Windows NT domain, Samba can act either as a
primary domain controller or as a domain member server.</p>

<div class="sect2"><a name="samba2-APP-A-SECT-2.1"/>

<h3 class="head2">Primary Domain Controller</h3>

<p><a name="INDEX-8"/><a name="INDEX-9"/>Setting up Samba as a primary domain
controller is more complicated than the other configurations.
However, the extra difficulty is offset by having a more secure
network and additional features such as logon scripts and roaming
profiles. In the following configuration file, we also include
support for a Microsoft Dfs share:</p>

<blockquote><pre class="code">[global]
    # Replace &quot;toltec&quot; with the hostname of your system.

    netbios name = toltec

    # Replace &quot;METRAN&quot; with the name of your Windows NT domain.

    workgroup = METRAN

    # Run a WINS server

    wins support = yes

    # Always act as the local master browser
    # and domain master browser.  Do not allow
    # any other system to take over these roles!

    domain master = yes
    local master = yes
    preferred master = yes
    os level = 255

    # Perform domain authentication.

    security = user
    encrypt passwords = yes
    domain logons = yes

    # The location of user profiles for Windows NT/2000/XP.

    logon path = \\%L\profiles\%u\%m

    # Users' Windows home directories and storage of Win95/98/Me roaming profiles.

    logon drive = G:
    logon home = \\toltec\%u\.win_profile\%m

    # The following line is optional because
    # Samba always offers NetBIOS time service.
    # This causes it to also be advertised:

    time server = yes

    # The logon script used for all users,
    # relative to the [netlogon] share directory.

    logon script = logon.bat

    # The group identifying administrative users.
    # If you have domain users in the Domain Admins
    # group, use them here instead of &quot;jay&quot;.

    domain admin group = root jay

    # For adding machine accounts automatically.
    # This example works on Linux. For other host
    # operating systems, you might need a different
    # command.

    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

    # Provide Microsoft Dfs support.

    host msdfs = yes

# The netlogon share is required for
# functioning as the primary domain controller.
# Make sure the directory used for the path exists.

[netlogon]
    path = /usr/local/samba/lib/netlogon
    writable = no
    browsable = no

# The profiles share is for storing
# Windows NT/2000/XP roaming profiles.
# Use your own path, and make sure
# the directory exists.

[profiles]
    path = /home/samba-ntprof
    writable = yes
    create mask = 0600
    directory mask = 0700
    browsable = no

[homes]
    comment = Home Directory
    browsable = no
    read only = no
    map archive = yes

# The Dfs share.
# Use your own path, making
# sure the directory exists.

[dfs]
    comment = Dfs share
    path = /usr/local/samba/dfs
    msdfs root = yes

# A shared directory, accessible by all domain users.
# Use your own share name and path.

[d]
    comment = Shared Directory
    path = /d
    create mask = 0700
    read only = no</pre></blockquote>

<p>See <a href="ch04.html">Chapter 4</a> for more information on configuring
Samba as a primary domain controller, and see <a href="ch08.html">Chapter 8</a> for more information about setting up a
Microsoft Dfs share. <a name="INDEX-10"/><a name="INDEX-11"/></p>

</div>

<div class="sect2"><a name="samba2-APP-A-SECT-2.2"/>

<h3 class="head2">Domain Member Server</h3>

<p><a name="INDEX-12"/><a name="INDEX-13"/>In a domain that
already has either a Samba PDC or Windows NT/2000 Server PDC,
additional Samba servers can be added as domain member servers using
the following configuration file:</p>

<blockquote><pre class="code">[global]
    # Replace &quot;mixtec&quot; with the system's hostname.

    netbios name = mixtec

    # Replace &quot;METRAN&quot; with the name of your domain.

    workgroup = METRAN

    # Replace &quot;172.16.1.1&quot; with the
    # IP address of your WINS server.

    wins server = 172.16.1.1

    os level = 33

    security = domain
    encrypt passwords = yes
    password server = *

# Home directories.

[homes]
    comment = %u's Home Directory
    browsable = no
    read only = no
    map archive = yes

# This is an example printers
# share, which works for Linux.

[printers]
    printable = yes
    printing = BSD
    print command = /usr/bin/lpr -P%p %s
    path = /var/tmp
    min print space = 2000

# A shared directory, accessible by all domain users.
# Use your own share name and path.

[d]
    path = /d
    create mask = 0755
    read only = no</pre></blockquote>

<p>See <a href="ch10.html">Chapter 10</a> for more information on sharing
printers with Samba.</p>

</div>

</div>

<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
</body></html>