linux:samba:setting

差分

このページの2つのバージョン間の差分を表示します。

この比較画面へのリンク

両方とも前のリビジョン 前のリビジョン
次のリビジョン		 前のリビジョン
linux:samba:setting [2021/12/10 06:23] ともやんlinux:samba:setting [2025/10/12 17:00] (現在) – [トラブルシューティング] ともやん
行 5: 行 5:
 <WRAP prewrap 100% mincode_long> <WRAP prewrap 100% mincode_long>
 <code autoconf /etc/samba/smb.conf> <code autoconf /etc/samba/smb.conf>
-# See smb.conf.example for a more detailed config file or 
-# read the smb.conf manpage. 
-# Run 'testparm' to verify the config is correct after 
-# you modified it. 
 # #
-Note: +Sample configuration file for the Samba suite for Debian GNU/Linux. 
-SMB1 is disabled by defaultThis means clients without support for SMB2 or +# 
-SMB3 are no longer able to connect to smbd (by default).+
 +# This is the main Samba configuration fileYou should read the 
 +# smb.conf(5) manual page in order to understand the options listed 
 +# here. Samba has a huge number of configurable options most of which 
 +# are not shown in this example 
 +
 +# Some options that are often worth tuning have been included as 
 +# commented-out examples in this file. 
 +#  - When such options are commented with ";", the proposed setting 
 +#    differs from the default Samba behaviour 
 +#  - When commented with "#", the proposed setting is the default 
 +#    behaviour of Samba but the option is considered important 
 +#    enough to be mentioned here 
 +
 +# NOTE: Whenever you modify this file you should run the command 
 +# "testparm" to check that you have not made any basic syntactic 
 +# errors. 
 + 
 +#======================= Global Settings =======================
  
 [global] [global]
- workgroup SAMBA +unix extensions no
- security = user+
  
- passdb backend tdbsam+# UIDとGIDについてUNIX属性の値が反映されるようにする 
 +#idmap_ldb:use rfc2307 yes
  
- printing cups +# Samba 高速化 
- printcap name = cups +#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE 
- load printers = yes +socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5 
- cups options = raw+#max protocol = SMB2 
 + 
 +## Browsing/Identification ### 
 + 
 +# Change this to the workgroup/NT-domain name your Samba server will part of 
 +#   workgroup WORKGROUP 
 +workgroup = MONSTERS-G 
 + 
 +#### Networking #### 
 + 
 +# The specific set of interfaces / networks to bind to 
 +# This can be either the interface name or an IP address/netmask; 
 +# interface names are normally preferred 
 +;   interfaces = 127.0.0.0/8 eth0 
 + 
 +# Only bind to the named interfaces and/or networks; you must use the 
 +# 'interfaces' option above to use this. 
 +# It is recommended that you enable this feature if your Samba machine is 
 +# not protected by a firewall or is a firewall itself.  However, this 
 +# option cannot handle dynamic or non-broadcast interfaces correctly. 
 +;   bind interfaces only = yes 
 + 
 + 
 + 
 +#### Debugging/Accounting #### 
 + 
 +# This tells Samba to use a separate log file for each machine 
 +# that connects 
 +   log file = /var/log/samba/log.%m 
 + 
 +# Cap the size of the individual log files (in KiB). 
 +   max log size = 1000 
 + 
 +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. 
 +# Append syslog@1 if you want important messages to be sent to syslog too. 
 +   logging = file 
 + 
 +# Do something sensible when Samba crashes: mail the admin a backtrace 
 +   panic action = /usr/share/samba/panic-action %d 
 + 
 + 
 +####### Authentication ####### 
 + 
 +# Server role. Defines in which mode Samba will operate. Possible 
 +# values are "standalone server", "member server", "classic primary 
 +# domain controller", "classic backup domain controller", "active 
 +# directory domain controller"
 +
 +# Most people will want "standalone server" or "member server"
 +# Running as "active directory domain controller" will require first 
 +# running "samba-tool domain provision" to wipe databases and create a 
 +# new domain. 
 +   server role = standalone server 
 + 
 +   obey pam restrictions = yes 
 + 
 +# This boolean parameter controls whether Samba attempts to sync the Unix 
 +# password with the SMB password when the encrypted SMB password in the 
 +# passdb is changed. 
 +   unix password sync = yes 
 + 
 +# For Unix password sync to work on a Debian GNU/Linux system, the following 
 +# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for 
 +# sending the correct chat script for the passwd program in Debian Sarge). 
 +   passwd program = /usr/bin/passwd %u 
 +   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . 
 + 
 +# This boolean controls whether PAM will be used for password changes 
 +# when requested by an SMB client instead of the program listed in 
 +# 'passwd program'. The default is 'no'
 +   pam password change = yes 
 + 
 +# This option controls how unsuccessful authentication attempts are mapped 
 +# to anonymous connections 
 +   map to guest = bad user 
 + 
 +########## Domains ########### 
 + 
 +
 +# The following settings only takes effect if 'server role = primary 
 +# classic domain controller', 'server role = backup domain controller' 
 +# or 'domain logons' is set 
 +
 + 
 +# It specifies the location of the user'
 +# profile directory from the client point of view) The following 
 +# required a [profiles] share to be setup on the samba server (see 
 +# below) 
 +;   logon path = \\%N\profiles\%U 
 +# Another common choice is storing the profile in the user's home directory 
 +# (this is Samba's default) 
 +#   logon path = \\%N\%U\profile 
 + 
 +# The following setting only takes effect if 'domain logons' is set 
 +# It specifies the location of a user's home directory (from the client 
 +# point of view) 
 +;   logon drive = H: 
 +#   logon home = \\%N\%U 
 + 
 +# The following setting only takes effect if 'domain logons' is set 
 +# It specifies the script to run during logon. The script must be stored 
 +# in the [netlogon] share 
 +# NOTE: Must be store in 'DOS' file format convention 
 +;   logon script = logon.cmd 
 + 
 +# This allows Unix users to be created on the domain controller via the SAMR 
 +# RPC pipe.  The example command creates a user account with a disabled Unix 
 +# password; please adapt to your needs 
 +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u 
 + 
 +# This allows machine accounts to be created on the domain controller via the 
 +# SAMR RPC pipe. 
 +# The following assumes a "machines" group exists on the system 
 +; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u 
 + 
 +# This allows Unix groups to be created on the domain controller via the SAMR 
 +# RPC pipe. 
 +; add group script = /usr/sbin/addgroup --force-badname %g 
 + 
 +############ Misc ############ 
 + 
 +# Using the following line enables you to customise your configuration 
 +# on a per machine basis. The %m gets replaced with the netbios name 
 +# of the machine that is connecting 
 +;   include = /home/samba/etc/smb.conf.%m 
 + 
 +# Some defaults for winbind (make sure you're not using the ranges 
 +# for something else.) 
 +;   idmap config * :              backend = tdb 
 +;   idmap config * :              range   = 3000-7999 
 +;   idmap config YOURDOMAINHERE : backend = tdb 
 +;   idmap config YOURDOMAINHERE : range   = 100000-999999 
 +;   template shell = /bin/bash 
 + 
 +# Setup usershare options to enable non-root users to share folders 
 +# with the net usershare command. 
 + 
 +# Maximum number of usershare. 0 means that usershare is disabled. 
 +#   usershare max shares = 100 
 + 
 +# Allow users who've been granted usershare privileges to create 
 +# public shares, not just authenticated ones 
 +   usershare allow guests = yes 
 + 
 +#======================= Share Definitions =======================
  
 [homes] [homes]
- comment = Home Directories +   comment = Home Directories 
- valid users = %S, %D%w%S +#   browseable = no 
- browseable No +   browseable = yes 
- read only = No + 
- inherit acls Yes+# By default, the home directories are exported read-only. Change the 
 +# next parameter to 'no' if you want to be able to write to them. 
 +#   read only = yes 
 +   read only = no 
 + 
 +# File creation mask is set to 0700 for security reasons. If you want to 
 +# create files with group=rw permissions, set next parameter to 0775. 
 +   create mask = 0700 
 + 
 +# Directory creation mask is set to 0700 for security reasons. If you want to 
 +# create dirs. with group=rw permissions, set next parameter to 0775. 
 +   directory mask = 0700 
 + 
 +# By default, \\server\username shares can be connected to by anyone 
 +# with access to the samba server. 
 +# The following parameter makes sure that only "username" can connect 
 +# to \\server\username 
 +# This might need tweaking when using external authentication schemes 
 +   valid users = %S 
 + 
 +# Un-comment the following and create the netlogon directory for Domain Logons 
 +# (you need to configure Samba to act as a domain controller too.) 
 +;[netlogon] 
 +;   comment Network Logon Service 
 +;   path = /home/samba/netlogon 
 +;   guest ok = yes 
 +;   read only = yes 
 + 
 +# Un-comment the following and create the profiles directory to store 
 +# users profiles (see the "logon path" option above) 
 +# (you need to configure Samba to act as a domain controller too.) 
 +# The path below should be writable by all users so that their 
 +# profile directory may be created the first time they log on 
 +;[profiles] 
 +;   comment = Users profiles 
 +;   path = /home/samba/profiles 
 +;   guest ok = no 
 +;   browseable = no 
 +;   create mask = 0600 
 +;   directory mask 0700
  
 [printers] [printers]
- comment = All Printers +   comment = All Printers 
- path = /var/tmp +   browseable = no 
- printable = Yes +   path = /var/spool/samba 
- create mask 0600 +   printable = yes 
- browseable No+   guest ok no 
 +   read only = yes 
 +   create mask 0700
  
 +# Windows clients look for this share name as a source of downloadable
 +# printer drivers
 [print$] [print$]
- comment = Printer Drivers +   comment = Printer Drivers 
- path = /var/lib/samba/drivers +   path = /var/lib/samba/printers 
- write list = @printadmin root +   browseable = yes 
- force group @printadmin +   read only = yes 
- create mask 0664 +   guest ok = no 
- directory mask 0775+# Uncomment to allow remote administration of Windows print drivers. 
 +# You may need to replace 'lpadmin' with the name of the group your 
 +# admin users are members of. 
 +# Please note that you also need to set appropriate Unix permissions 
 +# to the drivers directory for these users to have write rights in it 
 +;   write list = root, @lpadmin 
 +[root$] 
 +    comment System Root 
 +    path / 
 +#    browseable = yes 
 +    read only = no 
 +[DataShare] 
 +    comment = Data Share 
 +    path = /var/samba/DataShare 
 +    browseable = yes 
 +    read only = no 
 + 
 +    wide links yes
 </code> </code>
 +</WRAP>
 +
 +DietPi の設定例\\
 +<WRAP prewrap 100% mincode_long>
 +<code autoconf /etc/samba/smb.conf>
 +[global]
 +    unix extensions = no
 +
 +    # UIDとGIDについてUNIX属性の値が反映されるようにする
 +    #idmap_ldb:use rfc2307 = yes
 +
 +    # Samba 高速化
 +    #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
 +    socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
 +    #max protocol = SMB2
 +#    workgroup = WORKGROUP
 +    workgroup = MONSTERS-G
 +    server string = %h server
 +    dns proxy = no
 +    log file = /var/log/samba/log.%m
 +    max log size = 1000
 +    syslog only = no
 +    syslog = 0
 +
 +    panic action = /usr/share/samba/panic-action %d
 +
 +    security = user
 +    encrypt passwords = true
 +    passdb backend = tdbsam
 +    obey pam restrictions = yes
 +    unix password sync = yes
 +
 +    passwd program = /usr/bin/passwd %u
 +    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 +    pam password change = yes
 +    map to guest = bad user
 +
 +    load printers = no
 +    printcap name = /dev/null
 +    disable spoolss = yes
 +
 +[homes]
 +   comment = Home Directories
 +#   browseable = no
 +   browseable = yes
 +#   read only = yes
 +   read only = no
 +
 +[DataShare]
 +    comment = Data Share
 +    path = /var/samba/DataShare
 +    browseable = yes
 +    read only = no
 +    wide links = yes
 +
 +[dietpi]
 +    comment = DietPi Share
 +    path = /mnt/dietpi_userdata
 +    browseable = yes
 +    create mask = 0664
 +    directory mask = 0775
 +    valid users = dietpi
 +    writeable = yes
 +    max connections = 2
 +</code>
 +</WRAP>
 +
 +===== シンボルリンクを辿る設定 =====
 +^  設定項目  ^  意味  ^
 +| ''follow symlinks''  | シンボリックリンクをフォロー(追跡)するかを制御。''yes'' でリンクをたどる。デフォルトは ''yes''。  |
 +| ''wide links''  | 共有ディレクトリ外へのシンボリックリンクを許可。''yes'' で外部リンクをたどる。デフォルトは ''no''。  |
 +| ''unix extensions''  | Unix特有の機能(シンボリックリンク、権限、UID/GID)を有効化。''yes'' で有効。デフォルトは ''yes''。  |
 +| ''allow insecure wide links''  | Samba 4.13以降で追加。''wide links = yes'' を強制的に有効化するが、セキュリティリスクが高い。デフォルトは ''no''。  |
 +
 +===== トラブルシューティング =====
 +
 +==== smb.conf に wide links = yes を設定するとファイル共有にアクセスできない😥 ====
 +<WRAP mincode>
 +<code autoconf /etc/samba/smb.conf>
 +
 +#### Debugging/Accounting ####
 +
 +# This tells Samba to use a separate log file for each machine
 +# that connects
 +   log file = /var/log/samba/log.%m
 +
 +[DataShare]
 +    comment = Data Share
 +    path = /var/samba/DataShare
 +    browseable = yes
 +    read only = no
 +    wide links = yes
 +</code>
 +</WRAP>
 +
 +samba のログを確認する🤔\\
 +<WRAP color_term>
 +<WRAP color_command><code>
 +$ sudo tail -f /var/log/samba/log.risky
 +</code></WRAP>
 +<WRAP color_result><html><pre>
 +<b class=RED>[2022/05/29 03:22:00.685617,  0] ../../source3/smbd/service.c:636(make_connection_snum)
 +  make_connection_snum: vfs_init failed for service DataShare
 +[2022/05/29 03:22:00.689388,  0] ../../lib/util/modules.c:49(load_module)
 +  Error loading module '/usr/lib/arm-linux-gnueabihf/samba/vfs/widelinks.so': /usr/lib/arm-linux-gnueabihf/samba/vfs/widelinks.so: cannot open shared object file: No such file or directory
 +[2022/05/29 03:22:00.689613,  0] ../../source3/smbd/vfs.c:185(vfs_init_custom)
 +  error probing vfs module 'widelinks': NT_STATUS_UNSUCCESSFUL
 +[2022/05/29 03:22:00.689764,  0] ../../source3/smbd/vfs.c:379(smbd_vfs_init)
 +  smbd_vfs_init: widelinks enabled and vfs_init_custom failed for vfs_widelinks module
 +[2022/05/29 03:22:00.689898,  0] ../../source3/smbd/service.c:636(make_connection_snum)
 +  make_connection_snum: vfs_init failed for service DataShare</b>
 +</pre></html></WRAP>
 +</WRAP>
 +**widelinks.so** が見つからないのでモジュールがロード出来ていない😱\\
 +
 +**widelinks.so** は **samba-vfs-modules** パッケージに含まれる。\\
 +<WRAP color_term>
 +<WRAP color_command><code>
 +$ apt-file search widelinks.so
 +</code></WRAP>
 +<WRAP color_result><code>
 +samba-vfs-modules: /usr/lib/arm-linux-gnueabihf/samba/vfs/widelinks.so
 +</code></WRAP>
 +</WRAP>
 +
 +**samba-vfs-modules** パッケージをインストールするとファイル共有にアクセス可能になる🥰\\
 +<WRAP color_term>
 +<WRAP color_command><code>
 +$ sudo apt install samba-vfs-modules
 +</code></WRAP>
 +<WRAP color_result><code>
 +Reading package lists... Done
 +Building dependency tree... Done
 +Reading state information... Done
 +The following additional packages will be installed:
 +  liburing1
 +Recommended packages:
 +  libcephfs2 libgfapi0
 +The following NEW packages will be installed:
 +  liburing1 samba-vfs-modules
 +0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
 +Need to get 466 kB of archives.
 +After this operation, 1,549 kB of additional disk space will be used.
 +Do you want to continue? [Y/n] y
 +Get:1 http://ftp.tsukuba.wide.ad.jp/Linux/raspbian/raspbian bullseye/main armhf liburing1 armhf 0.7-3 [7,708 B]
 +Get:2 http://raspbian.raspberrypi.org/raspbian bullseye/main armhf samba-vfs-modules armhf 2:4.13.13+dfsg-1~deb11u3 [458 kB]
 +Fetched 466 kB in 3s (166 kB/s)
 +debconf: delaying package configuration, since apt-utils is not installed
 +Selecting previously unselected package liburing1:armhf.
 +(Reading database ... 70828 files and directories currently installed.)
 +Preparing to unpack .../liburing1_0.7-3_armhf.deb ...
 +Unpacking liburing1:armhf (0.7-3) ...
 +Selecting previously unselected package samba-vfs-modules:armhf.
 +Preparing to unpack .../samba-vfs-modules_2%3a4.13.13+dfsg-1~deb11u3_armhf.deb ...
 +Unpacking samba-vfs-modules:armhf (2:4.13.13+dfsg-1~deb11u3) ...
 +Setting up liburing1:armhf (0.7-3) ...
 +Setting up samba-vfs-modules:armhf (2:4.13.13+dfsg-1~deb11u3) ...
 +Processing triggers for libc-bin (2.31-13+rpt2+rpi1+deb11u2) ...
 +</code></WRAP>
 </WRAP> </WRAP>
  
  • linux/samba/setting.1639084998.txt.gz
  • 最終更新: 2021/12/10 06:23
  • by ともやん