# This smb.conf file is for Samba 3.0.33 on rome
# NOTE(review): Samba 3.0.x is long past end of support and speaks only SMB1;
# read the settings below as a record of this host rather than a template.

[global]
# Things may work better if we are in our own workgroup
; netbios name = rome
workgroup = ROMEGROUP
# Be the domain and local master browser
os level = 65
preferred master = Yes
domain master = Yes
local master = Yes
# Default hostname lookups is No
hostname lookups = Yes

# Security settings
# Allow any hosts (rely on password protection only)...
# NOTE(review): with "hosts allow" commented out, Samba itself filters no
# client addresses; access control rests on passwords plus whatever packet
# filtering sits in front of this server. The shares marked "guest ok = Yes"
# ([sms], [local], [IPC$]) are not covered by password protection.
; hosts allow = p639.pc.maths.usyd.edu.au p624.pc.maths.usyd.edu.au 129.78.223.0/255.255.255.128 EXCEPT latium.maths.usyd.edu.au
security = USER
allow trusted domains = No
# Win2k needs anonymous for domain logins... Win95 is happy without it.
# See also http://support.microsoft.com/kb/246261
# NOTE(review): 0 places no restriction on what an anonymous (null-session)
# client may enumerate; it is kept only for the Win2k requirement above.
restrict anonymous = 0
encrypt passwords = Yes
unix password sync = No
passwd program = /disabled
invalid users = root
# Service-level default: shares are read-only unless they say otherwise.
writeable = No
# Guest access is needed for [IPC$], see below
guest account = smbguest
guest ok = No
# Failed logins are rejected rather than mapped to the guest account.
map to guest = Never
### BUG: Need to set browseable here. Setting it under [printers] is no use,
### nor is "load printers" or "preload" enough.
browseable = Yes

# Login settings
domain logons = Yes
# Home disk and directory for domain logins
logon drive = h:
logon home = \\%L\home
# Roaming profiles for domain logins. Do not use [homes] but we do not
# have that. Use distinct share name: see comments below.
logon path = \\%L\profile\.profiles
# The logon script is relative to the path of the [netlogon] service.
# At 2.2.2 we need %G (%g would be root/system?)!
logon script = %G.bat
# Parameter "domain admin group" removed at 3.0.5. Instead,
# create UNIX group smbadmin with pszwt mikewt robertwt dinkohwt
# and use:
#   net groupmap add ntgroup='Domain Admins' unixgroup=smbadmin rid=512 type=d
#   net rpc rights grant 'ROMEGROUP\Domain Admins' SeMachineAccountPrivilege -U pszwt

# To get a Windows 2000 PC to join the domain:
#   Create machine account with "smbpasswd -a -m Pxxx".
#   Log on as Administrator. Right-click on My Computer and select
#   Properties > Network Identification > Properties, choose Domain,
#   enter the domain name, press OK. Enter a user name and password
#   for a Domain Admin (see list above) and press OK. Wait for the
#   confirmation, reboot when prompted.
# To leave the domain, you do not need anything special:
#   Log on as (local or remote) Administrator. Right-click on My Computer and
#   select Properties > Network Identification > Properties. Choose Workgroup,
#   enter the work group name (e.g. WORKGROUP) and follow the prompts.

# Printing setup
printing=LPRNG
printcap name = /etc/printcap
# Sometimes the WinPopup/Messenger fails, and this may interfere
# with printing. Maybe should put something like
# /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I &1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm %s
# NOTE(review): the line above looks damaged in this copy: text between a
# "<" and a ">" seems to be missing, and the trailing "/bin/rm %s" suggests
# a global "print command" was swallowed with it. It cannot be recovered
# from here; check against the live file.
# Queue requests are too numerous (Win2k may do it every minute):
# do not log, do not send message (need to 'tee' to client??)
#lpq command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpq -P%p for %u from %m (%M, %I)'; /usr/sms/bin/lpq -P%p 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I
lpq command = /usr/sms/bin/lpq -P%p
# NOTE(review): the author's note under [profile] says print commands are
# still fed to /bin/sh. %m (the NetBIOS name the client announces) and %M
# (reverse DNS, because hostname lookups = Yes) are client-influenced and are
# expanded before the shell runs. Safety then depends on Samba's own filtering
# of substituted values; confirm that for the running version, and quote the
# bare uses (-U %u -M %m) as well.
lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm -P%p %j for %u from %m (%M, %I)'; /usr/sms/bin/lprm -P%p %j 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I
printer admin = psz
printer name = %m
### BUG: load printers may miss some of the printers:
### shows aolw-1 but not aolw-2;
### shows c610-h-w but not c610-w.
### Is this because we have too many printers?
### And of course shows all q-names which we do not want.
### Need to use preload with hard-coded names.
load printers = No
# Most printers... so they all can be accessed.
# No -h-w or -w: probably not needed (Windows can set paper size).
# Explicit, space-separated list of printer shares to create.
preload = aolw aolw-1 aolw-x aolw-1-x aolw-s aolw-m r7lw r7lw-1 r7lw-x r7lw-1-x r7lw-s r7lw-m colw colw-2 colw-s colw-m djlw djlw-1 djlw-s djlw-m f5lw f5lw-1 f5lw-s f5lw-m r5lw r5lw-1 r5lw-x r5lw-1-x r5lw-s r5lw-m brlw brlw-1 brlw-s brlw-m fylw fylw-1 fylw-s fylw-m lklw lklw-1 lklw-x lklw-1-x lklw-s lklw-m gllw gllw-1 gllw-s gllw-m mslw mslw-1 mslw-s mslw-m njlw njlw-1 njlw-s njlw-m otlw otlw-1 otlw-s otlw-m p6lw p6lw-1 p6lw-s p6lw-m rdlw rdlw-2 rdlw-s rdlw-m solw solw-1 solw-s solw-m rzlw rzlw-1 rzlw-s rzlw-m stlw pglw pglw-1 pglw-s pglw-m
# Samba notices when a Win2k client (re)boots, can allow a long dead time
deadtime = 600
lock directory = /usr/sms.host/samba/n/locks/
# One log file per client host name (%M).
log file = /usr/sms.host/samba/n/logs/log.%M
max log size = 50
utmp = Yes
mangled names = No
# Would like case sensitive, but it confuses Win98
case sensitive = No
map archive = No
map hidden = No
map system = No
# Mails each incoming WinPopup message (body in file %s) to psz, then
# deletes the temporary file.
# NOTE(review): %f is the sender name carried in the message itself and ends
# up on a shell command line; presumably WinPopup senders are not
# authenticated, so this relies on Samba filtering the substituted value.
# Confirm for the running version and keep the single quotes.
message command = /usr/bin/mailx -s 'message from %f (%u) on %m (%M, %I)' psz < %s; /bin/rm %s
# Not used any more:
## root preexec: check who is allowed to connect as smbadmin. Seems that
## printers or printing are not protected by this, nor by "invalid users".
## Any "login preexec" would need a patch in samba.
#root preexec = /usr/sms/sbin/smbadmin-check '%S' '%m' '%M' '%u' '%U'
#root preexec close = Yes
# preexec and postexec commands are run as the user
# These two write one syslog line per share connect and disconnect.
# NOTE(review): %m and %M in the logged text are client-influenced; treat
# these log lines as untrusted text when parsing or alerting on them.
preexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for %u from %m (%M, %I)'
postexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Disconnect %S for %u from %m (%M, %I)'
debug pid = Yes
debug uid = Yes
# syslog only = No
level2 oplocks = Yes
## On 20Feb08 after etch upgrade and with 2.6.18 kernel, on rome
## we get "delayed write failed" and corrupt profiles on logout;
## things are fine with old 2.6.8 kernel; and they were fine
## on bianco that was upgraded much earlier, only on 3Apr08 Sonia
## complains about occasional problems.
#
## As per http://www.tek-tips.com/viewthread.cfm?qid=1011936&page=1
#socket options = SO_RCVBUF=8192 TCP_NODELAY
#write raw = no
## but does not help
#
## As per http://lists.samba.org/archive/samba/2005-May/105422.html
# NOTE(review): leave these two commented out. They did not help, and
# enabling them would turn SMB signing off.
#client signing = Disabled
#server signing = Disabled
## but does not help
#
## As per http://lists.samba.org/archive/samba/2007-June/133410.html
strict locking = no
## and this fixes things.
## I do not see what causes the actual underlying issue: if the file
## is not locked, why would GETLK return "read-locked by PID 0"
## (could be an NFS thing, but seems this occurs on bianco also).
## Needed both with and without PREEMPT kernel configs.

# Help Mac clients (Holger Dullin):
# http://www.rc.au.net/blog/2007/11/19/fixing-the-smb-symlink-problem-with-mac-os-x-105-leopard/
# http://ubuntuforums.org/archive/index.php/t-207278.html
# http://discussions.apple.com/thread.jspa?threadID=1202427
# NOTE(review): besides the Mac fix, turning the UNIX extensions off also
# stops clients from creating symlinks over SMB; keep it off unless a client
# really needs them.
unix extensions = no
## Help software (photoshop?) that does not understand large disks...
## http://marc.info/?l=samba&m=109781830607071&w=2
#max disk size = 200000
## Problem with Word2003 for Neville starting Dec2008 (why then?
## what changed?), but does not help.
socket options = TCP_NODELAY
wins support = Yes
name resolve order = wins lmhosts bcast host
time server = Yes
dont descend = /proc,/dev
# Useful (needed for [profile]?) for WinXP (only??!!)
csc policy = disable

# Needed for a domain controller
# NOTE(review): "logon script = %G.bat" is served from this path and run by
# domain clients at logon. The share is read-only over SMB, so make sure the
# directory is equally tight on the UNIX side (writable by admins only).
[netlogon]
comment = Network Logon Service
path = /usr/sms.host/samba/n/netlogon
writable = No

# This is essentially copy of [home]: needed because stupid Win2k gets
# permissions hopelessly wrong. Neither "create mask" and similar, nor setacl,
# settings seem to put it right. Some Samba documentation hints at
#   restrict acl with mask = Yes
# Maybe at 2.2.1a we could use
#   security mask = 0000
#   directory security mask = 0000
#   force security mode = 0600
#   force directory security mode = 0700
# Until then we pre-create some of the tree with sensible permissions. See
# http://lists.samba.org/pipermail/samba-ntdom/2001-May/033247.html for details.
# At 2.2.2 see docs/README.Win2kSP2 for details including "nt acl support".
# Do not use "path = /users/%g/%u/.profiles" until that directory exists...
# We even set up a default Netscape prefs.js file...
#
# At 2.2.1a, on occasions Jim found that there has been a pause during "Loading
# your personal settings" with messages similar to (with Gray or Color.ico):
# 09:05:11 smbd[384739]: [] smbd/oplock.c:(797)
# 09:05:11 smbd[384739]: oplock_break: no break received from client within 30 seconds.
# 09:05:11 smbd[384739]: oplock_break failed for file .profiles/Application Data/Adobe/Acrobat/Whapi/SearchPDFWinGray.ico (dev = 8100002, inode = 41982).
# 09:05:11 smbd[384739]: [] smbd/oplock.c:(843)
# 09:05:11 smbd[384739]: oplock_break: client failure in oplock break in file .profiles/Application Data/Adobe/Acrobat/Whapi/SearchPDFWinGray.ico
# 09:05:11 smbd[384739]: [] smbd/reply.c:(4450)
# 09:05:11 smbd[384739]: reply_lockingX: Error : oplock break from client for fnum = 7946 and no oplock granted on this file (.profiles/Application Data/Adobe/Acrobat/Whapi/SearchPDFWinGray.ico).
# Try to avoid this: do not oplock .ico files??
# Later he found similar problems with
#   .profiles/Application Data/Adobe/Acrobat/Whapi/WHAppList.xml
# so now we have no oplocks at all. I wonder if this is fixed in 2.2.2?
[profile]
# On bianco this says "(copy of home directory)" and
# has "path = /users/%g/%u"
comment = Above your .profiles (either home or template directory)
path = /usr/sms/win/profile/%g/%u
writeable = Yes
# Files and directories created through this share are private to the owner.
create mask = 0600
directory mask = 0700
force create mode = 0600
force directory mode = 0700
# restrict acl with mask = Yes
nt acl support = No
# Seems that from 3.0.25b (but not yet in 3.0.12),
# preexec commands are NOT fed to /bin/sh
# (while print commands and the like still are).
# Each hook logs the (dis)connect to syslog and then runs the profile
# setup or teardown helper on /users/%g/%u/.profiles.
# NOTE(review): %g and %u are expanded unquoted inside the sh -c string for
# the helper argument; presumably safe because both come from the UNIX
# account database, but quoting the path would remove the assumption.
preexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for %u from %m (%M, %I)'; /usr/sms/sbin/setup-profile /users/%g/%u/.profiles"
postexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Disconnect %S for %u from %m (%M, %I)'; /usr/sms/sbin/unset-profile /users/%g/%u/.profiles"
level2 oplocks = No
oplocks = No
; veto oplock files = /*.ico/

[home]
comment = Your (rome/pisa) home directory
path = /users/%g/%u
writeable = Yes

[nobackup]
comment = Your (rome/pisa) nobackup directory
path = /nb/%u
writeable = Yes

[wwwfd]
comment = Your web front directory (personal web pages)
path = /users/misc/httpd/htdocs/u/%u
writeable = Yes

## Samba does not like the permissions on mail...
#[mail]
# comment = Mail spool directory (select your own file)
# path = /var/mail
# writeable = Yes

# NOTE(review): guest ok = Yes opens all of /usr/sms to sessions that have
# not authenticated (read-only, assuming the [global] "writeable = No"
# default applies). That tree contains the [profile] path
# /usr/sms/win/profile/%g/%u and, per the note below, symlinks leading
# outside it, so the only barrier is UNIX file permissions as seen by the
# guest account. Confirm that nothing under /usr/sms is world-readable that
# should not be.
[sms]
comment = UNIX /usr/sms
path = /usr/sms
# Some of Mike's login scripts run before the user is logged on
guest ok = Yes
### writable on bianco only (and is that still needed on 14 Feb 05?)
## For example, /usr/sms/win/db/data -> /users/misc/admin/db/data is meant to be writable...
#writable = Yes

### For backwards compatibility, keep the [local] name also...
# NOTE(review): same path and guest exposure as [sms]; review the two together.
[local]
comment = UNIX /usr/sms (please use sms)
path = /usr/sms
# Some of Mike's login scripts run before the user is logged on
guest ok = Yes

## Not used(?), commented out 14 Feb 05. Un-commented 29 May 06 for jeany.
# Handin works, but is ugly. Force failure to ensure we get first connection.
# Clients to use /usr/sms/win/bin/handin.bat .
# The preexec logs the connect, runs handin-samba in the user's home
# directory, sends its output to the client with smbclient -M, and then
# always exits 1. With "preexec close = Yes" the connection is therefore
# always refused; the share exists only to trigger the handin run.
[handin]
comment = Use L:\win\bin\handin.bat to access
path = /users/%g/%u
preexec = sh -c "/usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for %u from %m (%M, %I)'; ( cd /users/%g/%u; /usr/sms/sbin/handin-samba; ) 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; exit 1"
preexec close = Yes

## No [shared] on rome
#[shared]
# comment = Shared (admin writable) files
# path = /users/misc/shared
# writeable = Yes
# create mask = 0660
# directory mask = 0770
# force create mode = 0660
# force directory mode = 0770
# # This is protected (both from Windows and UNIX users) with
# # group admin access. For Windows, we could allow world access
# # and protect with 'valid users'; but it may not then be possible
# # to protect from UNIX users.
# # Users need to beware of lack of file locking: two people editing
# # simultaneously can easily lose one edit or totally corrupt the file.

[printers]
comment = UNIX printers
# Path must be world-writable. Do not create another one...
# NOTE(review): spooling into the shared /tmp mixes print jobs with every
# local user's temporary files. A dedicated spool directory (world-writable
# with the sticky bit) is the usual arrangement; the same applies to [lab]
# and [nearest].
path = /tmp
printable = Yes
### BUG: setting browseable here is no use... even testparm shows it being off
# browseable = Yes

# Default (nearest) printers
# NOTE(review): in [lab] and [nearest] the print/lpq/lprm lines are shell
# command lines built from %u, %m, %M, %I, %s and %j. %m and %M are
# client-influenced (%M via reverse DNS, given hostname lookups = Yes), and
# DISPLAY is set from %M, so the lpr wrappers presumably talk to an X display
# on the client. Confirm that Samba filters these values on the running
# version, and quote the bare uses (-U %u -M %m).
[lab]
comment = Default (nearest) lab printer
path = /tmp
printable = Yes
print command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpr -lab %s for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpr -lab %s 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm %s
lpq command = DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpq -lab
lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm -lab %j for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lprm -lab %j 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I

[nearest]
comment = Default (nearest) printer
path = /tmp
printable = Yes
print command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lpr %s for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpr %s 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I; /bin/rm %s
lpq command = DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lpq
lprm command = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'lprm %j for %u from %m (%M, %I)'; DISPLAY='%M'; export DISPLAY; /usr/sms/bin/lprm %j 2>&1 | /usr/sms/share/samba/n/bin/smbclient -U %u -M %m -I %I

# See htmldocs/howto/printing.html
#
# To install drivers, psz needs (write) access to this whole tree, but
# not to files (ntdrivers.tdb or printing.tdb?) in the locks directory
# (taken care of by the "printer admin" setting?).
# From a Win98 machine: seems cannot be done. Will need to install each
# driver manually, locally.
# From a Win2k machine: browse to \\rome, then Printers, right-click
# on a printer and choose Properties; say NO to installing driver now;
# select Advanced, select NewDriver, choose driver, get INF files from
# \win2k\inf, APPLY, OK.
#
# Once a driver is installed, you can set it for other printers with
#   rpcclient rome -U psz%pwd -c 'setdriver c705 "Epson LQ-2500"'
# NOTE(review): giving the password as -U user%password leaves it in shell
# history and possibly in the process list; let rpcclient prompt for it, or
# use an authentication file (-A), instead.
# You need to preload all printers to set drivers for them...
#
# Do not use "HP LaserJet 4050 Series PS" driver for the HP printers, use
# "Apple LaserWriter Select 360" instead: it would confuse Win98 machines.
# They use the same PSCRIPT driver anyway.
# For Win2k you could "install" the duplex unit, but cannot make that the
# default ("printing preferences" seem local to the machine). We could get
# prf to ignore the PS command to set single-sided (but do not yet).
#
# Need the "HP Color LaserJet 4550 PS" driver for the colour printer
# (otherwise it prints in B/W only). Used the drivers from the HP4550 CD;
# the Win98 drivers are copied to L:\win\sfwinst\drivers\HP4550\Win9x .
#
# After installing printers, set "device options": A4 paper, duplex etc
# (ControlPanel > Printers > right-click on printer > Properties;
# recorded in the tdb files).
# Beware of registry settings (that may get corrupted)
# (use 41 00 34 00 00 00 00 00 in regedit):
#   REGEDIT4
#   ; Set printers to have only A4 paper available (and ready).
#   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\LanMan Print Services\Servers\ROME\Printers\fylw\DsDriver]
#   "printMediaSupported"=hex(7):41,34,00,00
#   "printMediaReady"=hex(7):41,34,00,00
#

# Driver download share: only psz may write to it.
# NOTE(review): Windows clients install and run the drivers they fetch from
# here, so write access to this tree amounts to code execution on every
# client that uses these printers. Keep "write list" to the one admin account
# and keep the UNIX permissions on the path equally tight.
[print$]
comment = Printer drivers
path = /usr/sms.host/samba/n/print
browseable = Yes
write list = psz

[IPC$]
# I do not think we use a path, but Samba likes to have one...
path = /tmp
# Guest access is needed so our workgroup, and us within, are visible
# NOTE(review): together with "restrict anonymous = 0" in [global], this is
# what lets unauthenticated clients browse the server; the author accepted
# that for workgroup visibility.
guest ok = Yes
invalid users = root

#VARIABLE SUBSTITUTIONS
#
# o %S = the name of the current service, if any.
# o %P = the root directory of the current service, if any.
# o %u = user name of the current service, if any.
# o %g = primary group name of %u.
# o %U = session user name (the user name that the client wanted, not
#   necessarily the same as the one they got).
# o %G = primary group name of %U.
# o %H = the home directory of the user given by %u.
# o %v = the Samba version.
# o %h = the internet hostname that Samba is running on.
# o %m = the NetBIOS name of the client machine (very useful).
# o %L = the NetBIOS name of the server. This allows you to change your
#   config based on what the client calls you. Your server can have a
#   "dual personality".
# o %M = the internet name of the client machine.
# o %N = the name of your NIS home directory server. This is obtained
#   from your NIS auto.map entry. If you have not compiled Samba with the
#   --with-automount option then this value will be the same as %L.
# o %p = the path of the service's home directory, obtained from your NIS
#   auto.map entry. The NIS auto.map entry is split up as "%N:%p".
# o %R = the selected protocol level after protocol negotiation. It can be
#   one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
# o %d = The process id of the current server process.
# o %a = the architecture of the remote machine. Only some are recognized,
#   and those may not be 100% reliable. It currently recognizes Samba,
#   WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If it
#   gets it wrong then sending a level 3 log to samba@samba.org should
#   allow it to be fixed.
# o %I = The IP address of the client machine.
# o %T = the current date and time.