I don't know if this is the best configuration, but it is what I have been using. It works with XP/2003/2008/7/etc. I have not yet been able to get Windows 8 working with Roaming Profiles; I'm guessing there is a compatibility issue with Samba.
I use this config with Samba 3.6.24 on FreeBSD 9.2 (not Linux). Many options I take advantage of are the defaults with Samba and so they are not placed in my configuration file (to try and keep it simple).
Samba on FreeBSD takes advantage of the almost-perfect Windows ACLs and permissions on ZFS. As far as I know, this config only works on something like BSD or Solaris, as Linux doesn't have the support for NFSv4-style permissions and passthrough with Samba (make note of the "zfsacl" vfs module used below).
This configuration assumes a few things:
- Kerberos is functional.
- Winbind is functional.
- You're using ZFS w/ NFSv4-style ACLs (FreeBSD or Solaris).
The configuration supports SMB2, snapshots ("Previous Versions"), and authentication through Active Directory.
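#
# Samba 3.6.x config for BSD w/ ZFS (not Linux)
#
# /usr/local/etc/smb.conf
#
# NOTE(review): the Samba 3.6 series no longer receives upstream security
# fixes. Treat this file as a reference for the ZFS/NFSv4-ACL settings and
# re-check every parameter against the man page of the release you deploy.

# Everything up to the first share definition is a server-wide setting.
# The section header makes that explicit instead of relying on the parser
# treating parameters that precede any section as global.
[global]

# modify log levels (1-10, 0 to disable)
# good levels are 2 (less details) or 4 (more details)
# higher levels will slow down Samba as it has to write a large amount of data
# for every file operation
log level = 2

# log file size in KB (25600 KB = 25 MB)
max log size = 25600

# server information, this is the domain/workgroup
workgroup = DOMAIN

# Kerberos / authentication information
realm = DOMAIN.LOCAL

# this is usually the local hostname
netbios name = Server

# this is cosmetic (for Explorer)
server string = "File Server"

# security used (Active Directory)
security = ads

# default, catch-all (3.6+ format)
# AD objects without a UID/GID will be mapped to these
idmap config * : range = 50000-59999
idmap config * : backend = tdb

# domain-specific, get info from AD
# the two ranges must not overlap, otherwise two different SIDs can end up
# with the same UID/GID and therefore the same file access
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-19999

# don't try to self-promote to more than just a file server
local master = no
domain master = no

# display names without domain
winbind use default domain = yes

# disable printing and printing errors in logs
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# enable SMB2 (3.6+). some have seen this prevent Previous Versions from
# working, but i've seen it make Previous Versions work more reliably in win7/2008r2+
# NOTE(review): this only raises the highest dialect offered. SMB1 is still
# negotiated by older clients (XP/2003). Once those are retired, also raise
# "min protocol" and review "server signing" on a supported Samba release.
max protocol = SMB2

# when other users browse a share they have access to
# create file with parent folder's owner
# this *must* be set or ACL inheritance breaks if an admin user
# writes to a regular user's folder (verified)
inherit owner = yes

# store inherit & protected access control entries in xattr
# this may not be needed
# map acl inherit = yes

# if a file/folder is written that belongs to a host user (but unknown
# to the server), then auto-map the SID to the connected user.
# this may not be needed, but prevents problems if a local user attempts
# to copy files from a local system that belong to a non-domain user at the same
# time they try to preserve permissions/ACLs on the files/folders (xcopy /o).
force unknown acl user = yes

# these users get read/write to all folders without having any
# permission set! (this is a failsafe, only put a trusted admin here)
# Samba performs every file operation for these accounts as root, so the ZFS
# ACLs are bypassed entirely for them, on every share, because this is set
# globally. Keep the list as short as possible, prefer a dedicated admin
# account over a day-to-day login, and consider setting it per share instead.
# NOTE(review): the value below looks like a redacted placeholder; replace it
# with the real account or @group name before use.
admin users = email@example.com

# hide special OS files or anything unreadable by the client, such as
# "sockets, devices and fifo's in directory listings".
# this may not be needed
hide special files = yes
hide unreadable = yes

# extended attributes
# if enabled, rename/delete can break with streams_xattr also enabled
ea support = no

# using "streams_xattr" prevents XP from giving an error on Summary info
# but streams_xattr prevents rename/delete if "ea support" is enabled
# Solaris + ZFS ACL (NFSv4 ACL) needs aclinherit=passthrough
# the *order* of these are important! shadow_copy2 must be first!
vfs objects = shadow_copy2, zfsacl, streams_xattr

# NFSv4 options, per Sun/Oracle's recommendation
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special

# this must be set to No so that inheritance is correctly
# applied by ZFS, not Samba/Windows
inherit permissions = no

# pass permissions to children, probably not needed here, but
# may be functionally in effect due to other settings (ZFS).
#inherit acls = yes

# don't map "Full control" to rwx, this should be handled by ZFS.
acl map full control = no

# ZFS implements "write_acl" and "write_owner" permissions that
# are compatible with Windows (NT) ACLs better than "dos filemode = yes"
# setting this to yes would allow anyone with write access to modify
# permissions, so it stays off and the ZFS ACL decides who may change ACLs
dos filemode = no

# store DOS attributes like "hidden" in extended attributes
store dos attributes = yes

# attributes should be stored in xattr, not mapped to posix
map archive = no
map hidden = no
map system = no
map readonly = no

# allow the system to delete files marked as read-only
delete readonly = yes

# don't mangle names, don't use short names (ie, drop 8.3 support)
# this is a test, as some things may break with this.
# it prevents names like "MYTEXT~1.TXT" for "My Text File.txt"
mangled names = no

# set up shadow copies (zfSnap format)
shadow:format = %Y-%m-%d_%H.%M.%S--30d

# windows may list snapshots out of order
shadow:sort = desc

# where to look for snapshots
shadow:snapdir = .zfs/snapshot

# timestamps are local, not UTC. this was needed for xp/2003 clients.
shadow:localtime = yes

# snapshots use symlinks
# "wide links = yes" lets the server follow symlinks that point outside the
# exported path, and "unix extensions = no" is what allows it to take effect.
# Any account that can create a symlink inside a share by another route
# (shell, NFS, sftp on the server) can then expose files outside the share
# to SMB clients.
# NOTE(review): .zfs/snapshot sits inside the share path, so wide links are
# presumably not required for Previous Versions - test with
# "wide links = no" and keep it off if snapshots still work.
follow symlinks = yes
wide links = yes
unix extensions = no

# changing SO_RCVBUF = receive went from 90MB/sec to 100MB/sec (+12%).
# changing SO_SNDBUF = no effect (stayed at 110MB/sec) +0%
# using IPTOS_LOWDELAY helped bump send to 113MB/sec (+3%).
# TCP_NODELAY is the default option
#socket options = TCP_NODELAY SO_RCVBUF=131072
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 SO_KEEPALIVE

# by default, every file system is read/write, with access controlled by
# file system permissions (NFSv4 ACLs on ZFS)
# no share below restricts who may connect, so the ACLs on /pool/data and
# /pool/home are the only access control; audit them accordingly
read only = no

# ----- shares -----

[data]
comment = Data Share
path = /pool/data

# the trailing $ hides the share from browse lists; it is not access control
[home$]
comment = Home Share
path = /pool/home
# do not let clients cache this share for offline use
csc policy = disable

# EoF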