.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Final configuration of the smb.conf
  :keywords: smb.conf, RedHat10, Samba-AD

.. _samba_smb_conf:

###################################
Final configuration of the smb.conf
###################################

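The final :file:`/etc/samba/smb.conf` should look like the example below.
``MYDOMAIN``, ``MYDOMAIN.LAN``, ``SRVADS`` and the file names under
:file:`/etc/samba/tls/` are example values to replace with your own.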

.. note::

  This configuration is valid for Samba-AD version |version|.

.. code-block:: ini

  [global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LAN
    netbios name = SRVADS
    server role = active directory domain controller

    # raise the AD DC functional level to 2016
    ad dc functional level = 2016    

    # forward DNS queries that Samba does not answer itself to the local named
    # service listening on 127.0.0.1:5353
    dns forwarder = 127.0.0.1:5353 

    # disable null session
    restrict anonymous = 2

    # disable NetBIOS and serve SMB on TCP port 445 only
    disable netbios = yes
    smb ports = 445

    # disable printing services
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd

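    # store additional CryptSHA256 and CryptSHA512 password hashes for each
    # account (generated when a password is set or changed); these are extra
    # secrets in the directory database, so keep this only if another system
    # needs them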
    password hash userPassword schemes = CryptSHA256 CryptSHA512

    # TLS: use a certificate issued by a CA that the clients trust, and keep
    # the private key file readable by root only
    tls enabled = yes
    tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
    tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
    tls cafile = /etc/samba/tls/mondomaine_CA.crt
    tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
    tls crlfile = /etc/samba/tls/mydomain_authentication.crl
    tls dhparams file = /etc/samba/tls/srvads.mydomain.lan.dhparams

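    # enable JSON audit logs (authentication, directory changes, password and
    # group changes) and Kerberos logging, each in its own file; these logs
    # hold account names and client addresses, so restrict access to
    # /var/log/samba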
    log level = 1 \
            auth_json_audit:3@/var/log/samba/auth_json_audit.log \
            dsdb_json_audit:5@/var/log/samba/dsdb_json_audit.log \
            dsdb_password_json_audit:9@/var/log/samba/dsdb_password_json_audit.log \
            dsdb_group_json_audit:9@/var/log/samba/dsdb_group_json_audit.log \
            kerberos:3@/var/log/samba/kerberos.log \
            dns:0

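    # audit successful writes and renames on the shares that load the
    # full_audit VFS module (netlogon and sysvol below), sent to syslog
    # facility local7; failed operations and operations outside this list
    # (deletions included) are not logged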
    full_audit:failure = none
    full_audit:success = pwrite write renameat
    full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
    full_audit:facility = local7
    full_audit:priority = NOTICE

  [netlogon]
    path = /var/lib/samba/sysvol/mydomain.lan/scripts
    read only = No
    vfs objects = dfs_samba4, acl_xattr, full_audit

  [sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    vfs objects = dfs_samba4, acl_xattr, full_audit
