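# smb.conf for a Samba Active Directory domain controller (realm EXAMPLE.TLD).
# Hardening choices are explained inline; NOTE(review) marks points to confirm.
[global]
netbios name = DC
realm = EXAMPLE.TLD
server role = active directory domain controller
# The built-in DNS service is switched off; dynamic DNS updates go through the
# nsupdate command set below (presumably against an external BIND - confirm).
server services = -dns
# %v expands to the Samba version, so the server comment advertises it.
server string = Samba4 %v AD DC
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
# Keep the Samba default. `no` would accept simple binds (password sent in
# clear) and unprotected SASL binds over plain ldap://. TLS is configured
# below, so simple binds remain available over StartTLS/ldaps; LDAP clients
# that still bind without TLS must be migrated before this is deployed.
ldap server require strong auth = yes
nsupdate command = /usr/bin/nsupdate -g
# NOTE(review): `interfaces` on its own does not limit the addresses Samba
# listens on; that needs `bind interfaces only = yes`. Confirm whether
# restricting listeners was intended.
interfaces = lo eth0
# NOTE(review): WINS is a NetBIOS name service, yet `disable netbios = yes` is
# set further down - confirm this setting is still needed.
wins support = yes
# Require SMB signing in both directions and refuse dialects older than SMB3.
server signing = mandatory
server min protocol = SMB3
client signing = mandatory
# disable printing services
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
# Store additional crypt(3)-style SHA-256/SHA-512 hashes of each password.
# They are only generated when a password is next set, and they are further
# credential material to protect in the directory database and its backups.
password hash userPassword schemes = CryptSHA256 CryptSHA512
# disable null session
restrict anonymous = 2
# disable netbios: only direct-hosted SMB on TCP 445 is served
disable netbios = yes
smb ports = 445
# NTLMv1 is refused unless the client vouches for MSCHAPv2 (typically RADIUS
# through ntlm_auth). If nothing relies on MSCHAPv2, the default value
# `ntlmv2-only` is stricter.
ntlm auth = mschapv2-and-ntlmv2-only
# Pin dynamic RPC endpoints to a fixed range so a firewall rule can match it.
rpc server dynamic port range = 50000-55000
# TLS for the LDAP server (StartTLS and ldaps). The private key should be
# owned by root with mode 0600; Samba is expected to reject a key file with
# looser permissions - verify on the deployed version.
tls enabled = yes
tls keyfile = /etc/samba/tls/dc.example.tld.key
tls certfile = /etc/samba/tls/dc.example.tld.crt
tls cafile = /etc/samba/tls/example_CA.crt
# Authentication audit: general logging stays at level 1, while the
# auth_json_audit debug class is written at level 3 as JSON to its own file.
# The file contains account names and client addresses, so restrict read
# access to it, rotate it, and forward it to central log collection.
log level = 1 auth_json_audit:3@/var/log/samba/samba_audit.log
# Write audit for sysvol: these full_audit options apply to every share that
# lists full_audit in `vfs objects` ([netlogon] and [sysvol] in this file).
# Only successful pwrite/write/rename calls are logged; with failure = none,
# denied or failed write attempts leave no record here.
# NOTE(review): valid operation names change between Samba releases - check
# this list against vfs_full_audit(8) for the installed version.
full_audit:failure = none
full_audit:success = pwrite write rename
# Each record is prefixed with client IP, user, client machine name and share.
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
# Records go to syslog facility local7 at priority NOTICE; the syslog daemon
# must route that facility somewhere it is retained.
full_audit:facility = local7
full_audit:priority = NOTICE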
# Logon-script share; its path lies inside the sysvol tree.
# Domain members run what is stored here, so write access should be limited
# to administrators through the NT ACLs and watched through the audit log.
[netlogon]
path = /var/lib/samba/sysvol/example.tld/scripts
# Writable at share level; effective access then depends on the ACLs on disk.
read only = No
# NOTE(review): these two masks look swapped. 0644 on directories clears the
# search (x) bit and 0700 on files is the usual directory pattern. How far
# the masks apply with acl_xattr loaded is not visible here - confirm.
create mask = 0700
directory mask = 0644
# dfs_samba4 and acl_xattr are the modules an AD DC share normally loads;
# full_audit adds the write logging configured by full_audit:* in [global].
vfs objects = dfs_samba4, acl_xattr, full_audit
# SYSVOL share. Its content is consumed by domain members (presumably group
# policy and scripts), so an unauthorised write here reaches every client;
# keep the ACLs tight and review the write audit records.
[sysvol]
path = /var/lib/samba/sysvol
# Writable at share level; effective access then depends on the ACLs on disk.
read only = No
# NOTE(review): these two masks look swapped. 0644 on directories clears the
# search (x) bit and 0700 on files is the usual directory pattern. How far
# the masks apply with acl_xattr loaded is not visible here - confirm.
create mask = 0700
directory mask = 0644
# dfs_samba4 and acl_xattr are the modules an AD DC share normally loads;
# full_audit adds the write logging configured by full_audit:* in [global].
vfs objects = dfs_samba4, acl_xattr, full_audit