Sample 3.6.x Configuration

Linux and BSD


I don’t know if this is the best configuration, but it’s what I’ve been using. It works with XP/2003/2008/7/etc. I’ve not been able to get Windows 8 working with Roaming Profiles yet. I’m guessing there is a compatibility issue with Samba.

I use this config with Samba 3.6.24 on FreeBSD 9.2 (not Linux). Many options I take advantage of are the defaults with Samba and so they are not placed in my configuration file (to try and keep it simple).

Samba on FreeBSD takes advantage of the almost-perfect Windows ACLs and permissions on ZFS. As far as I know, this config only works on something like BSD or Solaris, as Linux doesn’t have the support for NFSv4-style permissions and passthrough with Samba (make note of the “zfsacl” vfs module used below).

This configuration assumes a few things:
– Kerberos is functional.
– Winbind is functional.
– You’re using ZFS w/ NFSv4-style ACLs (FreeBSD or Solaris).

The configuration supports SMB2, snapshots (“Previous Versions”), and authentication through Active Directory.


#
# Samba 3.6.x config for BSD w/ ZFS (not Linux)
#
# /usr/local/etc/smb.conf
#
# NOTE: Samba 3.6.x no longer receives upstream fixes; review the
# parameters below against the release actually installed.
# Samba places every parameter that appears before the first [section]
# header in [global]; an explicit [global] header is not required.
# Comment style: full-line '#' comments only (no trailing comments on
# value lines, which Samba would treat as part of the value).
#

# modify log levels (1-10, 0 to disable)
# good levels are 2 (less details) or 4 (more details)
# higher levels will slow down Samba as it has to write a large amount of data
# for every file operation
log level = 2

# log file size in KB (25600 KB = 25 MB)
max log size = 25600

# server information, this is the domain/workgroup
workgroup = DOMAIN

# Kerberos / authentication information
realm = DOMAIN.LOCAL

# this is usually the local hostname
netbios name = Server

# this is cosmetic (for Explorer)
server string = "File Server"

# security used (Active Directory)
security = ads

# default, catch-all (3.6+ format)
# AD objects without a UID/GID will be mapped to these
# the '*' range and the DOMAIN range below must not overlap, otherwise
# the same UID/GID can be handed to two different SIDs
idmap config * : range = 50000-59999
idmap config * : backend = tdb

# domain-specific, get info from AD
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-19999

# don't try to self-promote to more than just a file server
local master = no
domain master = no

# display names without domain
winbind use default domain = yes

# disable printing and printing errors in logs
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# enable SMB2 (3.6+). some have seen this prevent Previous Versions from
# working, but i've seen it make Previous Versions work more reliably in win7/2008r2+
max protocol = SMB2

# when other users browse a share they have access to
# create file with parent folder's owner
# this *must* be set or ACL inheritance breaks if an admin user
# writes to a regular user's folder (verified)
inherit owner = yes

# store inherit & protected access control entries in xattr
# this may not be needed
# map acl inherit = yes

# if a file/folder is written that belongs to a host user (but unknown
# to the server), then auto-map the SID to the connected user.
# this may not be needed, but prevents problems if a local user attempts
# to copy files from a local system that belong to a non-domain user at the same
# time they try to preserve permissions/ACLs on the files/folders (xcopy /o).
# side effect: an unresolvable SID in an incoming ACL is replaced silently,
# so an idmap problem shows up as "wrong owner" rather than as an error.
force unknown acl user = yes

# these users get read/write to all folders without having any
# permission set! (this is a failsafe, only put a trusted admin here)
# Samba performs their file operations with root privileges on every
# share, bypassing the NFSv4 ACLs entirely; keep this list minimal and
# treat changes to it as a privileged change.
admin users = administrator@domain.local

# hide special OS files or anything unreadable by the client, such as
# "sockets, devices and fifo's in directory listings".
# this may not be needed
# note: this only filters directory listings; it is not an access control,
# the ACLs still decide what a client may open.
hide special files = yes
hide unreadable = yes

# extended attributes
# if enabled, rename/delete can break with streams_xattr also enabled
ea support = no

# using "streams_xattr" prevents XP from giving an error on Summary info
# but streams_xattr prevents rename/delete if "ea support" is enabled
# Solaris + ZFS ACL (NFSv4 ACL) needs aclinherit=passthrough
# the *order* of these are important! shadow_copy2 must be first!
vfs objects = shadow_copy2, zfsacl, streams_xattr

# NFSv4 options, per Sun/Oracle's recommendation
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special

# this must be set to No so that inheritance is correctly
# applied by ZFS, not Samba/Windows
inherit permissions = no

# pass permissions to children, probably not needed here, but
# may be functionally in effect due to other settings (ZFS).
#inherit acls = yes

# don't map "Full control" to rwx, this should be handled by ZFS.
acl map full control = no

# ZFS implements "write_acl" and "write_owner" permissions that
# are compatible with Windows (NT) ACLs better than "dos filemode = yes"
# this will allow anyone with write access the ability to modify permissions
dos filemode = no

# store DOS attributes like "hidden" in extended attributes
store dos attributes = yes

# attributes should be stored in xattr, not mapped to posix
map archive = no
map hidden = no
map system = no
map readonly = no

# allow the system to delete files marked as read-only
delete readonly = yes

# don't mangle names, don't use short names (ie, drop 8.3 support)
# this is a test, as some things may break with this.
# it prevents names like "MYTEXT~1.TXT" for "My Text File.txt"
mangled names = no

# set up shadow copies (zfSnap format)
# strftime-style pattern; the "%" here is not Samba variable substitution
shadow:format = %Y-%m-%d_%H.%M.%S--30d

# windows may list snapshots out of order
shadow:sort = desc

# where to look for snapshots
shadow:snapdir = .zfs/snapshot

# timestamps are local, not UTC. this was needed for xp/2003 clients.
shadow:localtime = yes

# snapshots use symlinks
# "wide links = yes" lets Samba follow a symlink that points outside the
# share path; with "unix extensions = no" clients cannot create symlinks
# over SMB, but any symlink placed inside a share path on the server
# (shell access, scripts) is followed for every client.  Consider setting
# these only in the shares that need them rather than globally.
follow symlinks = yes
wide links = yes
unix extensions = no

# changing SO_RCVBUF = receive went from 90MB/sec to 100MB/sec (+12%).
# changing SO_SNDBUF = no effect (stayed at 110MB/sec) +0%
# using IPTOS_LOWDELAY helped bump send to 113MB/sec (+3%).
# TCP_NODELAY is the default option
#socket options = TCP_NODELAY SO_RCVBUF=131072
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 SO_KEEPALIVE

# by default, every file system is read/write, with access controlled by
# file system permissions (NFSv4 ACLs on ZFS)
# this is global: every share below is writable unless it overrides it,
# so the NFSv4 ACLs are the only thing limiting writes.
read only = no

# ----- shares -----

[data]
comment = Data Share
path = /pool/data

# the trailing "$" only hides the share from browse lists; it is not an
# access control, the share is still reachable by name and is governed by
# the ACLs on /pool/home.
[home$]
comment = Home Share
path = /pool/home
# no client-side (offline files) caching of home data
csc policy = disable

# EoF