infra/roles/samba/templates/smb.conf.j2

# distributed from ansible
#
{% if inventory_hostname in wg_clients %}
{# wireguard_cidr #}
{# this should probably just be either the ip withuot the cidr block, or the ip with the cidr block, both only one of either, and one in each cidr block if used #}
{% set wg_interfaces = [wg_clients[inventory_hostname].ip + "/" + wireguard_cidr.split("/")[1]] %}
{% else %}
{% set wg_interfaces = [] %}
{% endif %}

{# set wg_interfaces = [wg_clients[inventory_hostname].ip] | default([]) #}
{% set interfaces = [samba_interfaces, wg_interfaces, ansible_default_ipv4.address] | flatten | unique | ansible.utils.ipaddr('private') %}

#======================= Global Settings =======================

[global]

   {% set hostname = inventory_hostname.split(".")[0] -%}
   {% set hostname_parts = hostname.split("-") -%}
   {% if hostname_parts|length == 3 and hostname_parts[0]|length == 3 -%}
   {% if samba_netbios_name|default(false) -%}
   netbios name = {{ hostname_parts[1] }}
   {% endif -%}
   #netbios name = {{ hostname_parts[1] }}
   {% else -%}
   netbios name = {{ hostname | replace("-", "") }}
   {% endif -%}

   # interfaces
   interfaces = 127.0.0.0/8 {{ interfaces| join(" ")}}

   #hosts allow = 192.168.21. 10.102.47.
   server string = {{ inventory_hostname.split('.')[0] }}
   unix charset = UTF-8
   workgroup = WORKGROUP

   bind interfaces only = yes

   {% if samba_allow_ntlmv1|default(false) -%}
   server min protocol = NT1
   ntlm auth = ntlmv1-permitted
   {% endif %}

   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file

   streams_xattr:store_stream_type = yes
   streams_xattr:prefix = user.DosStream.

   ## time for inactive connections to-be closed in minutes
   ## 2880 mins = 2 days
   deadtime = 2880

   ## disable core dumps
   enable core files = no

   # possible values: auto, user, domain, ads
   security = user
   invalid users = root
   map to guest = Bad User
   null passwords = no
   passdb backend = smbpasswd
   unix password sync = no
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   # This boolean controls whether PAM will be used for password changes
   # when requested by an SMB client instead of the program listed in
   # 'passwd program'. The default is 'no'.
   # pam password change = yes

   socket options = IPTOS_LOWDELAY TCP_NODELAY

   load printers = yes
   printcap name = /dev/usb/lp0
   disable spoolss = yes
   # printing = cups
   {% if samba_cups %}
   printing = CUPS
   {% endif %}
   # printcap name = sambacap
   # printcap = cups

   ## Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name.
   ## This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals.
   ## (netbios, mdns)
   # mdns name = mdns

   ## Clients that only support netbios won't be able to see your samba server when netbios support is disabled.
   disable netbios = No

   #domain master = yes
   ## Setting this value to no will cause nmbd never to become a local master browser.
   local master = yes

   ## (auto, yes) If this is set to yes, on startup, nmbd will force
   ## an election, and it will have a slight advantage in winning the
   ## election. It is recommended that this parameter is used in
   ## conjunction with domain master = yes, so that nmbd can guarantee
   ## becoming a domain master.
   preferred master = no

   ## This is a list of files and directories that are neither visible nor accessible.
   ## Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.
   veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
   ## If a directory that is to be deleted contains nothing but veto files this deletion will fail unless you also set the delete veto files parameter to yes.
   delete veto files = yes

   # Possible values are "standalone server", "member server",
   # "classic primary domain controller", "classic backup domain
   # controller", "active directory domain controller".
   server role = standalone server

   obey pam restrictions = yes

   # here



   # Samba attempts to sync the Unix password with the SMB password when the
   # sets unix pass to smb pass

   panic action = /usr/share/samba/panic-action %d



########## Domains ###########

#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap config * :              backend = tdb
;   idmap config * :              range   = 3000-7999
;   idmap config YOURDOMAINHERE : backend = tdb
;   idmap config YOURDOMAINHERE : range   = 100000-999999
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = no

#======================= Share Definitions =======================

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700
{% if samba_cups %}

[drivers]
    comment = printer files
    path = /srv/samba/drivers
    guest ok = yes
    browsable = yes
    read only = yes
    writable = no

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    # to allow user 'guest account' to print.
    guest ok = yes
    writable = no
    printable = yes
    create mode = 0700

# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
   write list = root, @lpadmin


# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   guest ok = yes
   browseable = yes
   read only = no
   writable = yes
{% endif %}

# Enables the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
    valid users = %S
    comment = Home Directories
    browseable = no
    create mask = 0660
    directory mask = 0770
    read only = no
    guest ok = no
    inherit owner = yes
{% for item in samba_shares %}

[{{ item.name }}]
{% set guest_ok = "yes" if item.guest_ok|default(false) else "no" %}
{% set read_only = "yes" if item.read_only|default(false) else "no" %}
{% set browseable = "yes" if item.browseable|default(false) else "no" %}
    path = {{ item.path }}
    {% if 'valid_users' in item -%}
    valid users = {{ item.valid_users }}
    {% endif -%}
    {% if 'comment' in item -%}
    comment = {{ item.comment }}
    {% endif -%}
    browseable = {{ browseable }}
    create mask = 0660
    {% if item.guest_ok|default(false) == true -%}
    directory mask = 0775
    {% else -%}
    directory mask = 0770
    {% endif -%}
    read only = {{ read_only }}
    guest ok = {{ guest_ok }}
    inherit owner = yes

{% endfor %}