Standalone file server
System configuration
Install the Samba server for Windows Backup and Time Machine:
sudo apt install samba
Lock down the configuration in /etc/samba/smb.conf a little bit:
- Synchronise user passwords set with smbpasswd with the corresponding system user accounts.
- Disable guest access.
- Disable user home directory access.
- Disable printer access as far as possible.
- Disable browsing the printer driver share.
- Obey PAM account and session management configuration.
- Disable access to home shares.
This configuration also provides enhanced support for macOS clients.
[global]
workgroup = EMERALD
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no
min protocol = SMB3
vfs objects = acl_xattr catia fruit streams_xattr
fruit:aapl = yes
fruit:metadata = stream
fruit:model = Windows
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
[homes]
comment = User Homes
browseable = no
writable = no
create mask = 0000
directory mask = 0000
invalid users = %S
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = no
read only = yes
guest ok = no
Per-share
Finally, add per-user/device shares, substituting the account and device names for the $user and $machine placeholders:
[$user-$machine]
path = /backups/$user/$machine
browseable = yes
read only = no
force create mode = 0640
force directory mode = 0750
valid users = $user
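To check a finished smb.conf against the lock-down points above, the following added example (not part of the original page or of Samba) parses the file and reports deviations. The function name `audit` and the shares `alice-laptop` and `bob-desktop` are hypothetical, and the sample input is constructed with two deliberate mistakes: two settings fused onto one line, and a backup share that allows guests and has no `valid users`.

```python
import configparser

# Constructed sample, not the page's full file: a fused line in [global]
# and one backup share that allows guests and lacks "valid users".
SAMPLE = """\
[global]
map to guest = bad user
usershare allow guests = no min protocol = SMB3
[homes]
browseable = no
invalid users = %S
[alice-laptop]
path = /backups/alice/laptop
valid users = alice
[bob-desktop]
path = /backups/bob/desktop
guest ok = yes
"""

SPECIAL = {"global", "homes", "printers", "print$"}
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def audit(text):
    """Return findings for the lock-down points listed on this page."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # Samba parameter names ignore case and extra whitespace.
    cp.optionxform = lambda k: " ".join(k.lower().split())
    # Strip indentation so configparser does not see continuation lines.
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    out = []
    g = cp["global"] if cp.has_section("global") else {}
    uag = g.get("usershare allow guests", "").lower()
    if uag not in FALSE:  # a fused line is not a valid boolean
        out.append(f"global: usershare allow guests is {uag!r}, expected no")
    # "min protocol" is a synonym of "server min protocol".
    proto = g.get("server min protocol", g.get("min protocol", "")).upper()
    if not proto.startswith("SMB3"):
        out.append(f"global: min protocol is {proto!r}, expected SMB3")
    for sec in cp.sections():
        s, name = cp[sec], sec.lower()
        # "public" is a synonym of "guest ok".
        if s.get("guest ok", s.get("public", "no")).lower() in TRUE:
            out.append(f"{sec}: guest access enabled")
        if name == "homes" and "%s" not in s.get("invalid users", "").lower():
            out.append("homes: invalid users does not contain %S")
        if name not in SPECIAL and not s.get("valid users", "").strip():
            out.append(f"{sec}: no valid users restriction")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means the file matches the settings shown on this page; it does not replace running `testparm` for syntax validation.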