Samba 4.17.12-Debian 配置文件说明中英双语版

Debian GNU/Linux 的 Samba 套件的示例配置文件。

Sample configuration file for the Samba suite for Debian GNU/Linux.

这是主要的 Samba 配置文件。您应该阅读smb.conf (5) 手册页以了解此处列出的选项。 Samba 有大量可配置选项,其中大部分未在本示例中显示

This is the main Samba configuration file. You should read the smb.conf(5) manual page in order to understand the options listed here. Samba has a huge number of configurable options most of which are not shown in this example

一些通常值得调整的选项已作为注释掉的示例包含在该文件中。

Some options that are often worth tuning have been included as commented-out examples in this file.

- 当这些选项用";"注释时,建议的设置与默认的 Samba行为不同

- When such options are commented with ";", the proposed setting differs from the default Samba behaviour

- 当用"#"注释时,建议的设置是 Samba 的默认行为,但该选项被认为很重要,需要在此处提及

- When commented with "#", the proposed setting is the default behaviour of Samba, but the option is considered important to be mentioned here

注意:每当您修改此文件时,您都应该运行命令" testparm "来检查您是否没有犯任何基本的语法错误。

NOTE: Whenever you modify this file you should run the command "testparm" to check that you have not made any basic syntactic errors.

# 全局设置

#======================= Global Settings =======================

[global]

浏览/识别###

Browsing/Identification

将其更改为您的 Samba 服务器所属的工作组/NT 域名

Change this to the workgroup/NT-domain name your Samba server will part of

workgroup = WORKGROUP

联网####

Networking

绑定到此的特定接口/网络集可以是接口名称或 IP 地址/网络掩码;接口名称通常是首选

The specific set of interfaces / networks to bind to this can be either the interface name or an IP address/netmask; interface names are normally preferred

; interfaces = 127.0.0.0/8 eth0

仅绑定到指定的接口和/或网络;您必须使用上面的"接口"选项才能使用它。

Only bind to the named interfaces and/or networks; you must use the 'interfaces' option above to use this.

如果您的 Samba 机器受防火墙保护或者本身就是防火墙,建议您启用此功能。但是,此选项无法正确处理动态或非广播接口。

It is recommended that you enable this feature if your Samba machine is protected by a firewall or is a firewall itself. However, this option cannot handle dynamic or non-broadcast interfaces correctly.

; bind interfaces only = yes

调试/统计

Debugging/Accounting

这告诉 Samba 对每台连接的机器使用单独的日志文件

This tells Samba to use a separate log file for each machine connects

log file = /var/log/samba/log.%m

限制单个日志文件的大小(以 KiB 为单位)。

Cap the size of the individual log files (in KiB).

max log size = 1000

我们希望 Samba 仅记录到 /var/log/samba/log.{ smbd,nmbd }。

We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.

如果您希望将重要消息也发送到 syslog,请附加 syslog@1。

Append syslog@1 if you want important messages to be sent to syslog too.

logging = file

当 Samba 崩溃时做一些明智的事情:给管理员发送回溯邮件

Do something sensible when Samba crashes: mail the admin a backtrace

panic action = /usr/share/samba/panic-action %d

#验证

####### Authentication #######

服务器角色。定义 Samba 将在哪种模式下运行。可能的值为"独立服务器"、"成员服务器"、"经典主域控制器"、"经典备份域控制器"、"活动目录域控制器"。

Server role. Defines in which mode Samba will operate. Possible values are "standalone server", "member server", "classic primary domain controller", "classic backup domain controller", "active directory domain controller".

大多数人会想要"独立服务器"或"会员服务器"。

Most people will want "standalone server" or "member server".

作为"活动目录域控制器"运行将需要首先运行"samba-tool 域配置"来擦除数据库并创建新域。

Running as "active directory domain controller" will require first running "samba-tool domain provision" to wipe databases and create a new domain.

server role = standalone server

obey pam restrictions = yes

该布尔参数控制当passdb中的加密 SMB 密码更改时,Samba 是否尝试将 Unix 密码与 SMB 密码同步。

This boolean parameter controls whether Samba attempts to sync the Unix password with the SMB password when the encrypted SMB password in the passdb is changed.

unix password sync = yes

要使 Unix 密码同步在 Debian GNU/Linux 系统上工作,必须设置以下参数(感谢 Ian Kahan <<kahan@informatik.tu-muenchen.de> 为 Debian 中的 passwd 程序发送正确的聊天脚本中士)。

For Unix password sync to work on a Debian GNU/Linux system, the following parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for sending the correct chat script for the passwd program in Debian Sarge).

passwd program = /usr/bin/passwd %u

passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

当 SMB 客户端请求时,此布尔值控制是否使用 PAM 来更改密码,而不是使用"passwd 程序"中列出的程序。默认为"否"。

This boolean controls whether PAM will be used for password changes when requested by an SMB client instead of the program listed in 'passwd program'. The default is 'no'.

pam password change = yes

此选项控制如何将不成功的身份验证尝试映射到匿名连接

This option controls how unsuccessful authentication attempts are mapped to anonymous connections

map to guest = bad user

#域

########## Domains ###########

以下设置仅在设置了"服务器角色=经典主域控制器"、"服务器角色=经典备份域控制器"或"域登录"时才生效

The following settings only takes effect if 'server role = classic primary domain controller', 'server role = classic backup domain controller' or 'domain logons' is set

从客户端角度指定用户配置文件目录的位置)以下要求在 samba 服务器上设置 [profiles] 共享(见下文)

It specifies the location of the user's profile directory from the client point of view) The following required a [profiles] share to be setup on the samba server (see below)

; logon path = \\%N\profiles\%U

另一个常见的选择是将配置文件存储在用户的主目录中(这是 Samba 的默认目录)

Another common choice is storing the profile in the user's home directory (this is Samba's default)

logon path = \\%N\%U\profile

以下设置仅在设置了 'domain logons' 时才生效 它指定用户主目录的位置(从客户端角度来看)

The following setting only takes effect if 'domain logons' is set It specifies the location of a user's home directory (from the client point of view)

; logon drive = H:

logon home = \\%N\%U

以下设置仅在设置"domain logons"时才生效 它指定登录期间运行的脚本。该脚本必须存储在 [ netlogon ] 共享

The following setting only takes effect if 'domain logons' is set It specifies the script to run during logon. The script must be stored in the [netlogon] share

注意:必须以"DOS"文件格式约定存储

NOTE: Must be store in 'DOS' file format convention

; logon script = logon.cmd

这允许通过 SAMR RPC 管道在域控制器上创建 Unix 用户。按照您的需求,该示例命令创建一个具有禁用 Unix 密码的用户帐户

This allows Unix users to be created on the domain controller via the SAMR RPC pipe. The example command creates a user account with a disabled Unix password; please adapt to your needs

; add user script = /usr/sbin/useradd --create-home %u

这允许通过 SAMR RPC 管道在域控制器上创建计算机帐户。

This allows machine accounts to be created on the domain controller via the SAMR RPC pipe.

以下假设系统上存在"machines"组

The following assumes a "machines" group exists on the system

; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

这允许通过 SAMR RPC 管道在域控制器上创建 Unix 组。

This allows Unix groups to be created on the domain controller via the SAMR RPC pipe.

; add group script = /usr/sbin/addgroup --force-badname %g

#其他

############ Misc ############

使用以下行可以让您在每台机器的基础上自定义配置。 %m 被替换为正在连接的机器的netbios名称

Using the following line enables you to customise your configuration on a per machine basis. The %m gets replaced with the netbios name of the machine that is connecting

; include = /home/samba/etc/smb.conf.%m

winbind的一些默认值(确保您没有将这些范围用于其他用途。)

Some defaults for winbind (make sure you're not using the ranges for something else.)

; idmap config * : backend = tdb

; idmap config * : range = 3000-7999

; idmap config YOURDOMAINHERE : backend = tdb

; idmap config YOURDOMAINHERE : range = 100000-999999

; template shell = /bin/bash

设置usershare选项,使非 root 用户能够使用 net usershare命令共享文件夹。

Setup usershare options to enable non-root users to share folders with the net usershare command.

用户共享的最大数量。 0 表示禁用用户共享。

Maximum number of usershare. 0 means that usershare is disabled.

usershare max shares = 100

允许被授予usershare权限的用户创建公共共享,而不仅仅是经过身份验证的共享

Allow users who've been granted usershare privileges to create public shares, not just authenticated ones

usershare allow guests = yes

#共享定义

#======================= Share Definitions =======================

[homes]

comment = Home Directories

browseable = no

默认情况下,主目录导出为只读。如果您希望能够写入它们,请将下一个参数更改为"no"。

By default, the home directories are exported read-only. Change the next parameter to 'no' if you want to be able to write to them.

read only = yes

出于安全原因,文件创建掩码设置为 0700。如果要创建具有 group= rw权限的文件,请将下一个参数设置为 0775。

File creation mask is set to 0700 for security reasons. If you want to create files with group=rw permissions, set next parameter to 0775.

create mask = 0700

出于安全原因,目录创建掩码设置为 0700。如果你想创建目录。使用 group= rw权限,将下一个参数设置为 0775。

Directory creation mask is set to 0700 for security reasons. If you want to create dirs. with group=rw permissions, set next parameter to 0775.

directory mask = 0700

默认情况下,任何有权访问 samba 服务器的人都可以连接到 \\server\username 共享。

By default, \\server\username shares can be connected to by anyone with access to the samba server.

以下参数确保只有"username"可以连接到\\server\username

The following parameter makes sure that only "username" can connect to \\server\username

使用外部身份验证方案时可能需要调整

This might need tweaking when using external authentication schemes

valid users = %S

取消注释以下内容并为域登录创建netlogon目录(您还需要将 Samba 配置为充当域控制器。)

Un-comment the following and create the netlogon directory for Domain Logons (you need to configure Samba to act as a domain controller too.)

;[netlogon]

; comment = Network Logon Service

; path = /home/samba/netlogon

; guest ok = yes

; read only = yes

取消注释以下内容并创建配置文件目录来存储用户配置文件(请参阅上面的"登录路径"选项)(您还需要将 Samba 配置为充当域控制器。)

Un-comment the following and create the profiles directory to store users profiles (see the "logon path" option above) (you need to configure Samba to act as a domain controller too.)

下面的路径应该对所有用户都是可写的,以便他们的配置文件目录可以在他们第一次登录时创建

The path below should be writable by all users so that their profile directory may be created the first time they log on

;[profiles]

; comment = Users profiles

; path = /home/samba/profiles

; guest ok = no

; browseable = no

; create mask = 0600

; directory mask = 0700

[printers]

comment = All Printers

browseable = no

path = /var/tmp

printable = yes

guest ok = no

read only = yes

create mask = 0700

Windows 客户端查找此共享名作为可下载打印机驱动程序的来源

Windows clients look for this share name as a source of downloadable printer drivers

[print$]

comment = Printer Drivers

path = /var/lib/samba/printers

browseable = yes

read only = yes

guest ok = no

取消注释以允许远程管理 Windows 打印驱动程序。

Uncomment to allow remote administration of Windows print drivers.

您可能需要将" lpadmin "替换为您的管理员用户所属组的名称。

You may need to replace 'lpadmin' with the name of the group your admin users are members of.

请注意,您还需要为 drivers 目录设置适当的 Unix 权限,以便这些用户具有写入权限

Please note that you also need to set appropriate Unix permissions to the drivers directory for these users to have write rights in it

; write list = root, @lpadmin

相关推荐
小安运维日记8 分钟前
CKA认证 | Day3 K8s管理应用生命周期(上)
运维·云原生·容器·kubernetes·云计算·k8s
小han的日常35 分钟前
接口自动化环境搭建
运维·自动化
小扳37 分钟前
Docker 篇-Docker 详细安装、了解和使用 Docker 核心功能(数据卷、自定义镜像 Dockerfile、网络)
运维·spring boot·后端·mysql·spring cloud·docker·容器
运维小文41 分钟前
服务器硬件介绍
运维·服务器·计算机网络·缓存·硬件架构
小周不摆烂1 小时前
丹摩征文活动 | 丹摩智算平台:服务器虚拟化的璀璨明珠与实战秘籍
大数据·服务器
中云DDoS CC防护蔡蔡1 小时前
为什么海外服务器IP会被封
服务器·经验分享
是安迪吖1 小时前
nfs服务器
运维·服务器
鱼骨不是鱼翅1 小时前
模拟回显服务器
运维·服务器
运维佬1 小时前
CentOS 9 配置网卡
linux·centos
轩轩曲觞阁1 小时前
Linux网络——网络初识
linux·网络