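#
# Fiddle with this file, then do:
#
#   root #> smbcontrol all reload-config
#
# smb.conf only recognises comments on lines of their own (starting with
# '#' or ';'); text placed after a value becomes part of that value.
#
# Global parameters
[global]
workgroup = DOMAINSERVER
server string = Domain Server
netbios name = nb_DOMAINSERVER
netbios aliases = nb_DOMAINSERVER
username map = /etc/samba/smbusers

# used to have more than one interface, hence:
interfaces = eth0, lo
bind interfaces only = yes

#socket options = IPTOS_LOWDELAY TCP_NODELAY
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072

# Logging, what, how much, etc
log level = 1
syslog = 0
log file = /var/log/samba/samba.log
max log size = 10000000

# Auditing
# This is the default
# it can be overwritten for each of the shares below.
# you must specify the next one within the shares:
# full_audit:success = rename unlink rmdir mkdir write pwrite link
#
# A share that sets its own "vfs objects" replaces this list instead of
# extending it, so such a share must name full_audit again or its
# full_audit:* settings have no effect.
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:facility = LOCAL4
full_audit:priority = NOTICE
full_audit:success = none
full_audit:failure = none

# adding users
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

# passwd stuff
private dir = /var/lib/samba/private
passdb backend = smbpasswd:/var/lib/samba/private/smbpasswd
pam password change = Yes
passwd program = /usr/bin/passwd %u
unix password sync = yes
passwd chat = *password* %n\n *password* %n\n *successfully*
# passwd chat = *new*password* %n\n *new*password*(again) %n\n *password*changed
# passwd chat debug = Yes

# old
# idmap uid = 500-10000000
# idmap gid = 500-10000000
# new
idmap config *: backend = tdb
idmap config *: range = 1000000-1999999
idmap config DOMAINSERVER : default = Yes
# NOTE(review): the backend value below is empty; confirm which idmap
# backend is intended for this domain.
idmap config DOMAINSERVER : backend =
idmap config DOMAINSERVER : range = 500-999999
winbind use default domain = Yes
winbind nested groups = Yes
winbind normalize names = no

# domain stuff
logon script = user.cmd
logon path = \\DOMAINSERVER\profiles\%u
logon drive = Z:
logon home = \\DOMAINSERVER\%u\samba-homeshare
domain logons = Yes
os level = 200
domain master = Yes
preferred master = Yes
dns proxy = Yes
wins support = Yes
security = user
encrypt passwords = Yes
# Connections are accepted only from the local subnet and loopback.
hosts allow = 192.168.0., 127.
guest account = nobody
usershare allow guests = No
name resolve order = hosts wins bcast lmhosts

# printer setup
load printers = Yes
printing = cups
printcap name = cups
printcap = cups
printcap cache time = 750
cups options = raw

read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
dead time = 15
getwd cache = yes
# unix extensions = yes
unix extensions = no

# protocol versions
# Stop using SMB1, period.
# 'server min protocol' is the same as 'min protocol', hence
min protocol = SMB2

[printers]
comment = "All Printer Spool Area"
path = /var/spool/samba
valid users = @domainusers, @domainadministrators
create mask = 0600
printable = Yes
browseable = No
writelist = @domainadministrators
# NOTE(review): "guest ok = Yes" sits next to a "valid users" restriction;
# if guest printing is not intended, set it to No so the intent is explicit.
guest ok = Yes

[print$]
comment = "Printer Driver Download Area"
path = /samba/PrinterDriverShare
valid users = @domainusers, @domainadministrators
create mask = 0775
force create mode = 0775
directory mask = 0775
force directory mode = 06775
readonly = Yes
writelist = @domainadministrators
# NOTE(review): same guest ok / valid users mismatch as in [printers].
guest ok = Yes

#########################################################################
#
# Printers
#
#########################################################################

[Lexmark]
comment = "B&W, 40ppm, A4, Duplex Unit, 550 tray"
path = /var/spool/samba
browseable = yes
printable = yes
writable = no
guest ok = no
use client driver = No
valid users = @domainusers, @domainadministrators, @printops
admin users = @domainadministrators, @printops

#########################################################################
#
# SERVER SHARES
#
#########################################################################

[netlogon]
comment = Network Logon Service
path = /samba/NetLogon
browseable = Yes
guest ok = yes
admin users = root
full_audit:success = none
full_audit:failure = none
# this is required for log files to be written to
#
# NOTE(review): with "read only = No" the share is writable for every
# connecting user, guest sessions included, so the "write list" below adds
# nothing and only filesystem permissions protect the logon scripts that
# client machines run at logon. Consider "read only = Yes" together with
# the write list, "guest ok = no", and a separate share for the log files.
# Auditing is also switched off for this share.
read only = No
write list = @domainusers, @domainadministrators, clientadmin

[profiles]
comment = Roaming Profile Share
path = /samba/Profiles/
read only = No
create mask = 0600
directory mask = 0700
browseable = yes
# you MUST disable caching on shares that have roaming profiles stored
csc policy = disable
guest ok = no
valid users = @domainusers, @domainadministrators, score, scanuser, template, everybody
admin users = root
store dos attributes = yes
profile acls = yes
full_audit:success = none
full_audit:failure = none
# The next option is a workaround for windows7/10 with SSD
# Windows does not tend to ensure that all locks for the user profile (ntuser.dat and ntuser.ini) are broken on a fast shut down.
# Another method is to install a delay for the shutdown process of Windows by using a GPO Script.
oplocks = no

[homes]
comment = Home Directories
writable = yes
# NOTE(review): no "valid users" is active here, so access to another
# user's home share is limited only by filesystem permissions. The usual
# restriction is "valid users = %S" (%S is the share name, i.e. the owner);
# the commented-out %u below is the connecting user and restricts nothing.
#valid users = %u
browseable = yes
#read only = No
#admin users = @domainadministrators
#hide dot files = Yes
#follow symlinks = yes
#wide links = yes
#guest ok = no
hide files = /desktop.ini/RECYCLER/desktop/$RECYCLE.BIN/

#########################################################################
#
# USER SHARES
#
#########################################################################

[Docs]
comment = "Shared Directory for Documents"
path = /samba/Documents
valid users = @domainusers
admin users = root
read only = No
create mask = 0660
force create mode = 0770
directory mask = 0770
force directory mode = 06770
browseable = Yes
# NOTE(review): "wide links = yes" lets symlinks inside the share resolve to
# targets outside /samba/Documents (it takes effect because "unix extensions"
# is off globally). Set it to no unless out-of-tree links are required.
follow symlinks = yes
wide links = yes
guest ok = no
#full_audit:success = open close unlink mkdir write pwrite read pread link
full_audit:success = none
full_audit:failure = none
# full_audit is listed again because a share-level "vfs objects" replaces
# the global list; with recycle alone the full_audit:* lines above were inert.
vfs objects = full_audit recycle
recycle:repository = .recycle/%U/%S
recycle:keeptree = yes
recycle:versions = yes
recycle:touch_mtime = yes
recycle:maxsize = 104857600

[tmp]
comment = "tmp"
path = /tmp/
valid users = root
admin users = root
browseable = No
full_audit:success = none
full_audit:failure = none

############################################################################## FINI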