Package: samba-common
Severity: wishlist

Okay, the default smb.conf is getting quite dated. Here's the pile of stuff I always have to change which would make sense as defaults:

-   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
+   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:\spassword\supdated\ssuccessfully*

Not sure when this changed, but the old one doesn't work any more for me.

+   add machine script = /usr/sbin/adduser --disabled-password --force-badname --no-create-home --ingroup machines --gecos Machine --home /home/samba/machines --shell /bin/false %u
+   add user to group script = /usr/sbin/adduser %u %g
+   delete user from group script = /usr/sbin/deluser %u %g

Those should be included, commented out. It would also be possible to provide samba add/delete user/group scripts, but I don't use them for anything. "add machine script" is the really important one here, that's necessary to get domain joins working.

+   hide special files = yes

This makes life a little less confusing for windows lusers, and it doesn't bother smart windows lusers because they've already configured windows to show hidden files.

+   map acl inherit = yes
+   store dos attributes = yes

These two require the filesystem to be mounted with the user_xattr option, but simply do nothing if it isn't set, so I can't see a good reason not to turn them on by default. They cause samba to (at last!) store the dos attributes correctly. This is necessary for storing winxp profiles on the samba server, as otherwise the 'hidden' and 'system' bits go astray and desktop.ini files stop working, which screws up the start menu. (There's an old hack for mapping them to the unix execute bits, but that just sucks; this is much better).

+   enable privileges = yes

This one is seriously useful. It does nothing directly, but it allows the use of the 'net rpc rights' command. Let's assume that you've already used 'net groupmap' to associate a unix group to the domain admins group. Now we can properly empower that group as follows:

    net -U root rpc rights grant 'Domain Admins' SeMachineAccountPrivilege

With this plus the 'add machine script' line above, any user who is a member of the domain admins group can get NT boxes to join the domain, instead of having to use the 'root' account. There's other useful rights; see chapter 14 of the howto collection. But that's the really important one for me.

However, in a situation where you're a domain client and not a domain controller, you probably don't want this, as it grants all that stuff to the *real* domain admins. So it should be included, commented out.

+   time server = yes

Always handy to sync windows clients; their NTP implementation is utter crap.

+   winbind nested groups = yes

These are useful, and I can't think of a reason not to turn them on.

+   domain logons = yes
+   logon path = \\%N\%U\.profile
+   logon drive = Z:
+   logon script = logon.bat

These are only for a PDC, but I always have to look them up. They should be included, commented out, next to 'domain master'.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
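
Review bot: the new 'passwd chat' line ends by expecting the exact string *passwd:\spassword\supdated\ssuccessfully*, so the shipped default depends on one particular wording of the passwd success message, and the report itself says the previous pattern stopped matching. If this becomes the default, put a comment above it in smb.conf saying that the expect strings have to track what the local passwd program prints, so an admin whose password changes stop syncing knows where to look.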
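
Review bot: in the 'add machine script' line, --ingroup machines and --home /home/samba/machines name a group and a directory that none of the proposed lines create, and adduser will refuse --ingroup for a group that does not exist. Since the line is meant to ship commented out, add a short comment next to it stating that the machines group must be created before it is enabled, and that enabling it together with 'enable privileges = yes' and the SeMachineAccountPrivilege grant lets every member of the mapped Domain Admins group trigger account creation on the server.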