samba:smb.conf

# Global parameters
[global]
security = ADS
workgroup = MAD
realm = MAD.CAPONATO.ES
server role = member server
log file = /var/log/samba/%m.log
bind interfaces only = yes
# Please substitute your own physical eth adapter here:
interfaces = lo ens3

# winbind config:
winbind use default domain = yes

# The following options are only useful for testing. Comment out in production.    
# winbind enum users = yes  
# winbind enum groups = yes

# Kerberos
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# Configure share's security (Windows ACLs) using extended attributes (XATTR)
# Needed for Linux, as it does not support NFS4 ACLs
vfs objects = acl_xattr 
map acl inherit = yes

# When you have configured the share's security (Windows ACLs) with XATTRs 
# from a Windows computer you can safely uncomment the following. Not before 
acl_xattr:ignore system acls = yes

# Veto Files (do not allow these files in the server)
veto files = /Thumbs.db/.DS_Store/._.DS_Store/.com.apple*/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/$/._
delete veto files = yes

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# If you want to use ad idmap backend, change the following lines accordingly. See "idmap-backends" entry
# idmap config for the MAD domain using the rid backend
idmap config MAD : backend = rid
idmap config MAD : range = 10000-999999

Global Parameters

security = ADS: This sets the security mode to Active Directory Security (ADS). It means that Samba is configured to join an Active Directory domain as a domain member. This allows the Samba server to use AD for authentication and integrate with Windows systems more seamlessly.
workgroup = MAD: Specifies the name of the workgroup or domain that the Samba server is part of. In an Active Directory environment, this should match the AD domain name. In this case, it is set to MAD.
realm = MAD.CAPONATO.ES: The Kerberos realm used for authentication. This should match the domain name of the Active Directory, in uppercase. This parameter allows Samba to communicate with the AD server using Kerberos for authentication.
server role = member server: This sets the role of the Samba server. As a member server, it means that the server is part of an AD domain but is not a domain controller. It relies on the domain controller for authentication and other services.
log file = /var/log/samba/%m.log: Specifies the location and naming convention for Samba’s log files. The %m is a variable that gets replaced with the client’s machine name, so each client that connects can have a separate log file. This helps in debugging and monitoring.
bind interfaces only = yes: Tells Samba to listen for connections only on the specified network interfaces. This is a security measure to prevent Samba from accepting connections on unintended interfaces.
interfaces = lo ens3: Lists the network interfaces that Samba will bind to. Here, lo represents the loopback interface (localhost), and ens3 is the name of a physical network interface on the server. You would replace ens3 with the actual name of your network interface. This parameter works with bind interfaces only to restrict the network interfaces that Samba will use.

Winbind Configuration

winbind use default domain = yes: This parameter simplifies the user and group name resolution when using Winbind, a component of Samba that allows for domain accounts and groups to be recognized on a Unix/Linux system. Behavior: When set to yes, Winbind will remove the domain prefix from user and group names. For example, instead of having to use MAD\username, you can simply use username.
winbind enum users = yes & winbind enum groups = yes: This parameter allows Winbind to enumerate all users (groups) from the domain. When set to yes, the getent passwd command will list all domain users as if they were local users on the Linux system. This enumeration makes it possible to view all domain users in local user management tools. Enabling enumeration can result in significant performance issues, and can be commented out in production.

Kerberos configuration:

winbind refresh tickets = Yes: This parameter instructs Winbind to automatically renew Kerberos tickets before they expire. When set to yes, Winbind will attempt to renew Kerberos tickets periodically to ensure that service tickets remain valid and that the system can continue to authenticate users without interruption.
dedicated keytab file = /etc/krb5.keytab: Specifies the location of the Kerberos keytab file, which contains the keys used by the server to authenticate to the Kerberos realm. The keytab file at the specified location (/etc/krb5.keytab) is used by Samba to authenticate to the Kerberos realm as needed. This file should be secure and only readable by the appropriate system processes.
kerberos method = secrets and keytab: Defines how Samba should obtain Kerberos credentials for authentication. This setting allows Samba to use both a keytab file and an internal secrets database for Kerberos authentication. This provides flexibility in how Kerberos credentials are managed.

Extended Attributes configuration

vfs objects = acl_xattr : The `vfs objects = acl_xattr` parameter enables the use of the `acl_xattr` virtual file system (VFS) module in Samba. This module allows Samba to store Windows ACLs in extended file attributes on the file system.

map acl inherit = yes: The `map acl inherit = yes` parameter controls whether ACL inheritance from parent directories is mapped onto child objects within Samba. This parameter is important for environments where it is necessary to replicate Windows-style ACL inheritance.

acl_xattr:ignore system acls = yes: Instructs Samba to ignore the underlying POSIX ACLs and use only the ACLs stored in extended attributes, ensuring that Windows-style permissions are consistently applied without interference from the native file system's ACLs.

See this article for more info.

Housekeeping settings

veto files = […]: The `veto files` parameter in Samba specifies patterns of files to hide from clients, preventing them from being displayed or accessed over the network.
delete veto files = yes: Setting `delete veto files = yes` allows Samba to delete files that match the `veto files` patterns, even though they are hidden from clients.

ID Mapping

idmap config * : backend = tdb : specifies that Samba uses the TDB (Trivial Database) backend for mapping UNIX IDs to Windows security identifiers (SIDs) for local BUILTIN accounts.
idmap config * : range = 3000-7999: defines the numerical range of UNIX IDs that Samba allocates for mapping local BUILTIN accounts.
idmap config MAD : backend = rid: specifies that Samba uses the RID backend for mapping Windows SIDs to UNIX IDs for the MAD domain.
idmap config MAD : range = 10000-999999 defines the range of UNIX IDs that Samba allocates for mapping accounts in the MAD domain.

See this article for more info.

Caponato's Samba notebook. Start here or else Main menu