I've backed up my old config, pulled a fresh default copy, carried over some of my earlier work, and referenced this guide.
My new smb.conf looks something like this:
Code:
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = DUMBVANILLAWORKGROUP
# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
# wins support = no
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.0.200
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
netbios name = DELL_FSERVER
netbios aliases = fileserver
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# interfaces = eth0 eth1 br0 lo
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch12_:_Samba_Security_and_Troubleshooting
hosts deny = ALL
hosts allow = 192.168.0.0/24 172.16.0.0/16 127.
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 10240
# syslog only = no
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
server role = standalone server
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
; encrypt passwords = true
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
########## Domains ###########
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
;# - later...
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 (default) means that usershare is disabled.
; usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
### OTHER COMMON SETTINGS FOR ALL SHARES & CUSTOMIZATION HACKS ###
#https://wiki.samba.org/index.php/Public_Samba_Server
#kill all printing
load printers = no
printing = bsd
printcap name = /dev/null
printcap cache time = 0
disable spoolss = yes
#Asynchronous IO tweak
aio read size = 1
aio write size = 1
# true can cause corruption
aio write behind = false
#https://wiki.amahi.org/index.php/Make_Samba_Go_Faster - optionally
# socket options=SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
# min receivefile size = 16384
# use sendfile = true
# aio read size = 16384
# aio write size = 16384
#kill stale/interrupted connections
reset on zero vc = yes
#http://oreilly.com/catalog/samba/chapter/book/appb_02.html
read raw = yes
write raw = yes
force user = nobody
force group = nogroup
#/me don't like this rather lax posture - risk is being mitigated elsewhere
directory mask = 0775
create mask = 0775
force directory mode = 0775
force create mode = 0775
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
guest ok = yes
read only = no
; guest account = nobody
#======================= Share Definitions =======================
#http://oreilly.com/openbook/samba/book/ch05_05.html
#http://oreilly.com/openbook/samba/book/appc_01.html
[documents]
comment = all documents
path = /fileserver/docs
[CAD]
comment = CAD files
path = /fileserver/CAD
#deal with concurrent connections oplock issues
level2 oplocks = No
oplocks = False
veto oplock files = /*.dw*/
[Temp]
comment = Temporary Files
path = /fileserver/temp
[Scans]
comment = Scanned documents & drawings
path = /fileserver/docs/SCANS
I'll be keeping an eye on it, waiting for things to settle down, but early indications are, via `tail -n5 /var/log/samba/log.*`, that the problem still persists, despite effectively omitting the security portions.
I've kept as close to the original config & I've cautiously applied info from the wiki, but I think I'm missing something crucial.
Mind taking a look & informing me where I went wrong, please?
(As I may have mentioned before), Samba is not something I mess around with regularly - it's typically something that I simply set&forget & don't touch once it's working, which this box has been doing remarkably well for a very long time - far longer than I would've liked to have kept it in use.
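Added example, not part of the original post or of Samba itself: share-level parameters placed in [global] become the default for every share, so the posted `guest ok = yes` and `read only = no` apply to each share that does not override them. The Python sketch below resolves those effective values and lists the shares that end up guest-writable; the function names `load`, `effective` and `audit` are hypothetical, and the sample is a reduced copy of the posted file.

```python
import configparser

# Constructed sample: a reduced copy of the smb.conf posted above (same values).
SAMPLE = """
[global]
hosts deny = ALL
hosts allow = 192.168.0.0/24 172.16.0.0/16 127.
map to guest = bad user
guest ok = yes
read only = no
force user = nobody
create mask = 0775
[documents]
path = /fileserver/docs
[CAD]
path = /fileserver/CAD
"""

TRUTHY = {"yes", "true", "on", "1"}  # spellings Samba accepts for a true boolean

def load(text):
    # Raw parser: '%h'/'%m' stay literal, and '#' or ';' only start a comment
    # at the beginning of a line, as in smb.conf.
    cp = configparser.RawConfigParser(strict=False)
    # Samba ignores case and spaces in parameter names ("guest ok" == "GuestOK").
    cp.optionxform = lambda key: key.replace(" ", "").lower()
    cp.read_string(text)
    return cp

def effective(cp, share, key, builtin):
    """Value set in the share, else the [global] default, else Samba's built-in."""
    glob = next((s for s in cp.sections() if s.lower() == "global"), None)
    for section in (share, glob):
        if section is not None and cp.has_option(section, key):
            return cp.get(section, key).strip()
    return builtin

def audit(text):
    """Return {share: context} for shares that end up guest-accessible and writable."""
    cp, findings = load(text), {}
    for share in cp.sections():
        if share.lower() == "global":
            continue
        guest = effective(cp, share, "guest ok", "no").lower() in TRUTHY
        writable = effective(cp, share, "read only", "yes").lower() not in TRUTHY
        if guest and writable:
            findings[share] = {k: effective(cp, share, k, "(unset)")
                               for k in ("hosts allow", "force user", "create mask")}
    return findings
```

On a live server, `testparm -s` prints the configuration as Samba itself parses it, which is the authoritative view to compare against.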