@BertMueller18
Forked from cathode/smb4.conf
Created September 18, 2018 13:04
# /usr/local/etc/smb4.conf
# Samba 4.1 Configuration file
[global]
# Global defaults for a Samba Active Directory member server (security = ads).
# Values set here apply to every share section below unless a share overrides
# them.
# SPECIFIC SETTINGS FOR THIS MACHINE
netbios name = ZNAS1
# Basic settings
workgroup = MYDOMAIN
realm = MYDOMAIN.local
server string = Network Storage Server
server role = member server
security = ads
hostname lookups = no
#name resolve order = bcast lmhosts hosts wins
# Unix account used for guest sessions. No share in this file enables
# "guest ok" (the only occurrence, in [scans], is commented out).
guest account = nobody
# Fix / workaround for *potential* ZFS deadlock issues
kernel change notify = no
# Only bind samba to LAN interface, leave SAN interfaces alone.
# Both lines are needed: "interfaces" alone does not stop smbd from listening
# on the other interfaces.
interfaces = lagg0
bind interfaces only = yes
# Enable logging of connections
# %m expands to the client machine name, so each client gets its own log file.
# NOTE(review): log level 1 records little detail; a per-file audit trail would
# need a dedicated module such as vfs full_audit, which is not loaded here.
max log size = 8192
log file = /var/log/samba4/samba4.%m.log
log level = 1
# Add VFS modules (ordering is somewhat important)
vfs objects = shadow_copy2, zfsacl, streams_xattr
#vfs objects = shadow_copy2, zfsacl, streams_xattr, acl_xattr
# Configure shares for snapshot support
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: localtime = yes
shadow: format = auto-%Y.%m.%d-%H.%M
# NOTE(security): "wide links = yes" lets smbd follow symlinks that point
# outside a share's path, so a symlink on the underlying filesystem can expose
# files that were never meant to be shared. Only filesystem permissions limit
# this, and "admin users" below bypasses those. "allow insecure wide links"
# removes the interlock that would switch wide links off when unix extensions
# are enabled; unix extensions are set to "no" further down, so the override
# looks unnecessary here. Prefer "no" for both unless a share really depends on
# symlinks that leave its tree.
allow insecure wide links = yes
wide links = yes
follow symlinks = yes
# Disable printer loading (prevents log spam)
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Prevent the samba server from attempting to become the master browser
local master = no
domain master = no
preferred master = no
os level = 0
# Integration with Active Directory
#winbind separator = +
winbind cache time = 300
winbind enum users = Yes
winbind enum groups = Yes
winbind refresh tickets = Yes
# NOTE(review): offline logon makes winbind keep cached credentials on this
# host so logons still work when no domain controller is reachable; confirm
# that is wanted on a file server.
winbind offline logon = Yes
winbind nested groups = yes
winbind expand groups = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
# Mapping local UNIX users to AD users.
idmap config *:backend = autorid
idmap config *:range = 1000000-1999999
#idmap config *:backend = rid
#idmap config *:range = 1500-40000
# NOTE(review): per the smb.conf documentation, a logon that names an unknown
# domain is mapped to the primary domain instead of the local SAM when this is
# "yes" - confirm this is intended.
map untrusted to domain = yes
# Security options
# NOTE: both options below are set to "no", so the hiding described in the
# parenthesised comments is NOT in effect: every share marked browsable is
# listed to every user, and files a user cannot read are still shown.
#(Hide shares from users who don't have access)
access based share enum = no
#(Hide files that the user doesn't have Read access to)
hide unreadable = no
# The keytab holds this machine account's Kerberos keys; keep it owned by root
# and unreadable to every other user.
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
# Kerberos ticket timeouts
# NOTE(review): kdc:* are parametric options for Samba's own KDC (AD DC role);
# with "server role = member server" they presumably have no effect - confirm
# or remove.
kdc:service ticket lifetime = 24
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120
# Allow samba to properly store NTFS-style ACLs
# The "map ..." options are off so DOS attributes are not encoded in the Unix
# mode bits; "store dos attributes" below keeps them instead.
map archive = no
map readonly = no
map hidden = no
map system = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
zfsacl:acesort = dontcare
nt acl support = yes
map acl inherit = yes
inherit permissions = yes
inherit acls = yes
inherit owner = yes
store dos attributes = yes
dos filemode = no
ea support = yes
case sensitive = no
csc policy = disable
# Add microsecond resolution to file timestamp
debug hires timestamp = yes
# Disable unix extensions because there are no unix clients
# connecting to this samba server.
unix extensions = no
# Performance enhancements
min receivefile size = 16384
use sendfile = no
socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072 SO_KEEPALIVE
aio read size = 1
aio write size = 1
#block size = 4096
# Send a keepalive packet every 15 seconds
#keepalive = 15
# Value (in minutes) after which a connection with 0 open files is considered dead.
#deadtime = 600
# Per-client samba configuration. This include is ACTIVE as written; comment
# the line out to disable it.
# (the %m gets replaced by the hostname of the client)
# NOTE(security): %m is a name supplied by the client, and it selects which
# file is merged into this configuration. Keep /usr/local/etc and every
# smb4.*.conf file writable by root only.
# NOTE(review): the smb.conf documentation says %m is only available for
# NetBIOS sessions (port 139), not for connections on port 445 - verify that
# the per-client files are actually picked up.
include = /usr/local/etc/smb4.%m.conf
# ------------------
# Share options applied globally
# ------------------
# NOTE(security): set in [global], this is the default for every share. Members
# of the group perform all file operations as root, regardless of file
# permissions or ACLs. Consider scoping it to the shares that need it, or
# granting access through ACLs instead.
admin users = @"MYDOMAIN\domain admins"
# ========================
# == Share Definitions ==
# ========================
[logs]
# Share the system logs with administrators
# NOTE(security): nothing in this section restricts the share to
# administrators. There is no "valid users" line, so any authenticated user who
# knows the share name can connect and read whatever the permissions under
# /var/log allow. "browsable = no" only hides the share from listings. Adding
# e.g. valid users = @"MYDOMAIN\domain admins" would enforce the stated intent.
# Members of the global "admin users" group read everything here as root.
path = /var/log
writable = no
browsable = no
[setup]
# Writable, browsable share at /bulk/shares/setup.
# NOTE(review): "acl allow execute always" lets clients run files from the share
# even without execute permission on them. Combined with "writable = yes",
# whoever can write here decides what other users may run - presumably this
# holds installers, so consider limiting write access (e.g. "write list") to
# the people who maintain it.
path = /bulk/shares/setup
writable = yes
browsable = yes
acl allow execute always = yes
[backups]
# Writable, browsable share at /bulk/shares/backups.
# NOTE(review): no "valid users" / "write list" is set, so access is decided
# only by the ACLs on the path (and bypassed by the global "admin users").
# Backup data usually warrants an explicit share-level restriction - confirm.
path = /bulk/shares/backups
writable = yes
browsable = yes
[scans]
# Writable, browsable share at /bulk/shares/scans.
# Guest access is left disabled (line below is commented out). If it is ever
# enabled, guests act as the "nobody" account set in [global] and the share is
# writable, so pair it with tight filesystem permissions.
path = /bulk/shares/scans
writable = yes
browsable = yes
#guest ok = yes
[users]
# Share that user folders (Documents, Favorites, etc.) are redirected to.
path = /bulk/shares/users
# NOTE(security): this script runs as root on every connection to the share,
# and it lives inside the share's own writable path. Make sure the script and
# the share's top-level directory cannot be modified, replaced or renamed by
# share users (root-owned, no write/delete rights for anyone else), or move
# the script outside the share. %U is the user name of the session and is
# passed as an argument; the script should quote and validate it.
# "root preexec close" is not set, so a failing script does not refuse the
# connection.
root preexec = /bulk/shares/users/preexec.sh %U
shadow: snapdirseverywhere = yes
shadow: snapdir = .zfs/snapshot
writable = yes
browsable = yes
# NOTE(review): [global] sets "inherit permissions = yes", which per the
# smb.conf documentation overrides create mask / directory mask - these two
# lines may have no effect; confirm.
create mask = 2770
directory mask = 2770
# workaround because the lack of +x on a file will prevent things from running off the share.
# NOTE(review): this also means any file a user stores here can be executed
# from the share by a client, with no execute permission needed.
acl allow execute always = true
# Allows writes to be batched to fit ZFS recordsize
write cache size = 131072
# Prevent computer accounts from accidentally creating "profiles"
# NOTE(review): the quoting differs from the "admin users" line in [global]
# (@ inside vs. outside the quotes); check with testparm and a test logon that
# this group is actually resolved and denied.
invalid users = "@MYDOMAIN\domain computers"
[corp]
# Writable, browsable share at /bulk/shares/corp. No share-level access list
# is set; access is decided by the ACLs on the path.
path = /bulk/shares/corp
browsable = yes
writable = yes
#dos filemode = yes
#create mask = 2770
#directory mask = 2770
# Lets clients run files from the share even without execute permission on
# them, so anything written here is runnable by other users of the share.
acl allow execute always = true
[temp]
# Writable, browsable scratch share at /bulk/shares/temp. No share-level
# access list is set; access is decided by the ACLs on the path.
path = /bulk/shares/temp
browsable = yes
writable = yes
[kbase]
# Writable, browsable share at /bulk/shares/kbase. No share-level access list
# is set; access is decided by the ACLs on the path.
path = /bulk/shares/kbase
browsable = yes
writable = yes
[kbase-dev]
# Writable, browsable share at /bulk/shares/kbase-dev. No share-level access
# list is set; access is decided by the ACLs on the path.
path = /bulk/shares/kbase-dev
browsable = yes
writable = yes
# fin.