@BertMueller18
Forked from cathode/smb4.conf
Created September 18, 2018 13:01
Samba 4.1 configuration
# /usr/local/etc/smb4.conf
# Samba 4.1 Configuration file
[global]
# Server-wide settings for a Samba 4.1 file server configured as a member
# server of the IMPERIALMFG domain. Lines marked NOTE(review) flag settings
# that should be confirmed against the site's security requirements.
# Basic settings
workgroup = IMPERIALMFG
realm = IMPERIALMFG.LOCAL
server string = Network Storage Server
server role = member server
# NOTE(review): "security = domain" selects NT4-style domain membership, while
# the realm, the dedicated keytab and the idmap "ad" backend further down are
# Active Directory features. "security = ads" is the mode normally paired with
# them - confirm which one is intended.
security = domain
netbios name = ZFS0
hostname lookups = yes
# NOTE(review): with "hosts allow" commented out, this file sets no host-based
# restriction - confirm that a firewall limits which clients can reach the
# server.
#hosts allow = 192.168.10.0/255.255.255.0
# NOTE(review): broadcast (bcast) is tried before DNS (hosts) here; broadcast
# name answers are unauthenticated - confirm this order is intended.
name resolve order = bcast lmhosts hosts wins
#wins server = 192.168.10.6
# NOTE(review): no "bind interfaces only = yes" is set, so this line alone does
# not stop smbd from accepting connections on other interfaces.
interfaces = lagg0 192.168.10.12/24
# NOTE(review): caps negotiation at SMB 2.0.2, so SMB3 features such as
# transport encryption are never offered. No "server min protocol" is set, so
# the Samba default applies - verify that SMB1 is not still accepted.
server max protocol = SMB2_02
# Enable logging of connections
# (max log size is in kilobytes; log level 3 is fairly verbose)
max log size = 8192
log file = /var/log/samba4/samba4.log
log level = 3
nmbd:log level = 1
# Add VFS modules (ordering is somewhat important)
vfs objects = shadow_copy2, zfsacl, acl_xattr, crossrename, aio_pthread
# Disable printer loading (prevents log spam)
load printers = no
printcap name = /dev/null
disable spoolss = yes
# Prevent the samba server from attempting to become the master browser
local master = no
domain master = no
# Integration with Active Directory
#winbind separator =
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
# NOTE(review): offline logon makes winbind keep cached credentials on this
# host so users can log on when no domain controller is reachable - confirm
# that is wanted on a file server.
winbind offline logon = Yes
winbind use default domain = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
# Mapping local UNIX users to AD users.
# The default domain (*) gets IDs 70000-79999 from the local tdb backend;
# IMPERIALMFG IDs are read from AD (rfc2307 attributes) within 500-60000.
# NOTE(review): the IMPERIALMFG range starts at 500. If local UNIX accounts
# also use IDs inside 500-60000, a domain ID could collide with a local
# account - confirm the ranges do not overlap on this host.
idmap config *:range = 70000-79999
idmap config *:backend = tdb
idmap config IMPERIALMFG:range = 500-60000
idmap config IMPERIALMFG:backend = ad
idmap config IMPERIALMFG:schema_mode = rfc2307
# Script to automatically create local accounts to map to AD Machine Trust Accounts
# NOTE(review): the trailing "| echo" makes the pipeline's exit status that of
# echo, so a failed "pw user add" is not reported as a failure - presumably
# deliberate; confirm.
add machine script = /usr/sbin/pw user add "%u" -w no -d /nonexistent -s /sbin/nologin -c "Domain Computer" | echo
# Security options
# Both options below are set to "no", i.e. the hiding they provide is OFF.
# (access based share enum = yes would hide shares from users who don't have
# access; with "no", every browsable share name is listed to every user)
access based share enum = no
# (hide unreadable = yes would hide files that the user doesn't have Read
# access to; with "no", such file names stay visible in directory listings)
hide unreadable = no
# Kerberos authentication setup
# NOTE(review): the keytab holds this machine's Kerberos keys - it should be
# readable by root only.
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# Allow samba to properly store NTFS-style ACLs
map archive = no
map readonly = no
map hidden = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = yes
dos filemode = Yes
ea support = yes
store dos attributes = yes
# workaround
#acl:search = no
# Disable unix extensions because there are no unix clients
# connecting to this samba server.
unix extensions = no
# Configure shares for snapshot support
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
#shadow:snapdirseverywhere = yes
#shadow:localtime = yes
#shadow:fixinodes = yes
shadow:format = GMT-%Y.%m.%d-%H.%M.%S
# NOTE(review): "wide links = yes" lets the server follow symlinks whose
# target lies outside the share's path; it is effective here because unix
# extensions are disabled above. A symlink placed inside a writable share can
# then resolve to files outside it. Set to "no" unless snapshot access
# genuinely needs it.
wide links = yes
follow symlinks = yes
# Performance enhancements
#use sendfile = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
aio read size = 16384
aio write size = 16384
[logs]
# Read-only share exposing the host's /var/log directory, hidden from share
# listings.
# NOTE(review): "browsable = no" only hides the share name; it does not
# restrict access. No "valid users" or "hosts allow" is set, so access depends
# solely on the filesystem permissions under /var/log (which also holds the
# level-3 Samba log configured in [global]). Consider limiting the share to an
# administrators group.
path = /var/log
writable = no
browsable = no
#[profiles]
# path = /tank/shares/profiles/%USERNAME%
# writable = yes
# browsable = no
# #root preexec =
[hyperv]
# Writable, browsable share at /tank/hyperv.
# NOTE(review): no "valid users" is set; who may read or write here is decided
# only by the filesystem ACLs on the path - confirm they are restrictive.
path = /tank/hyperv
writable = yes
browsable = yes
[setup]
# Writable, browsable share at /tank/shares/setup.
# NOTE(review): no "valid users" is set. If this share holds installers that
# other machines run, write access should be limited to administrators via the
# filesystem ACLs or a "write list" - confirm.
path = /tank/shares/setup
writable = yes
browsable = yes
[database]
# Writable share at /tank/shares/database with byte-range locking enabled.
# NOTE(review): no "valid users" is set; access is governed only by the
# filesystem ACLs on the path.
path = /tank/shares/database
writable = yes
locking = yes
# Disable oplocks only on Access backend files.
# (the value is a "/"-separated list of filename patterns)
veto oplock files = /*.mdb/*.MDB/*.accdb/*.ACCDB/
[backups]
# Writable, browsable share at /tank/shares/backups.
# NOTE(review): no "valid users" or "write list" is set, so any user the
# filesystem ACLs allow can modify or delete stored backups. Consider
# restricting write access to the account that produces the backups.
path = /tank/shares/backups
writable = yes
browsable = yes
# fin.