samba - Apr 2019 - The wisdom - or otherwise - of replacing outright rather than merely appending to the example smb.conf file shipped with SAMBA during new server commissioning?

I have a general question regarding smb.conf and I was hoping that some 
of the rather more knowledgeable and experienced people here could 
please comment please?

I am currently setting my various SAMBA systems up via some 
shell-scripts. Within these scripts, I remove the stock smb.conf shipped 
with Samba and replace this with an empty smb.conf file to which I add 
my own configuration options afterwards. Obviously I COULD instead 
simply append my changes to the existing file. However currently i just 
remove the existing smb.conf and start again with a blank file because 
the alternative seemed like more hassle!

Am I potentially risking the security of my systems by replacing the 
stock smb.conf shipped with Samba in this way? Obviously doing what I 
have just described will erase all the default configuration settings 
shipped in the installation.
Are any of the shipped default configuration parameters essential to 
have from a security perspective? Am I doing something stupid here?

Thanks
Stephen Ellwood

Hai, 

There is nothing wrong with replacing the smb.conf files. 
So do you thing, just try to filter out the server type and its specific
settings

For example, a AD-domain member smb.conf is NOT AD-DC compliant! 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stephen via samba
> Verzonden: dinsdag 16 april 2019 12:40
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] The wisdom - or otherwise - of replacing 
> outright rather than merely appending to the example smb.conf 
> file shipped with SAMBA during new server commissioning?
> 
> I have a general question regarding smb.conf and I was hoping 
> that some 
> of the rather more knowledgeable and experienced people here could 
> please comment please?
> 
> I am currently setting my various SAMBA systems up via some 
> shell-scripts. Within these scripts, I remove the stock 
> smb.conf shipped 
> with Samba and replace this with an empty smb.conf file to 
> which I add 
> my own configuration options afterwards. Obviously I COULD instead 
> simply append my changes to the existing file. However 
> currently i just 
> remove the existing smb.conf and start again with a blank 
> file because 
> the alternative seemed like more hassle!
> 
> Am I potentially risking the security of my systems by replacing the 
> stock smb.conf shipped with Samba in this way? Obviously doing what I 
> have just described will erase all the default configuration settings 
> shipped in the installation.
> Are any of the shipped default configuration parameters essential to 
> have from a security perspective? Am I doing something stupid here?
> 
> Thanks
> Stephen Ellwood
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Tue, 16 Apr 2019 11:40:10 +0100
Stephen via samba <samba at lists.samba.org> wrote:
> I have a general question regarding smb.conf and I was hoping that
> some of the rather more knowledgeable and experienced people here
> could please comment please?
> 
> I am currently setting my various SAMBA systems up via some 
> shell-scripts. Within these scripts, I remove the stock smb.conf
> shipped with Samba and replace this with an empty smb.conf file to
> which I add my own configuration options afterwards. Obviously I
> COULD instead simply append my changes to the existing file. However
> currently i just remove the existing smb.conf and start again with a
> blank file because the alternative seemed like more hassle!
I take it you mean you are doing something like this:

rm -f /etc/samba/smb.conf

cat > /etc/samba/smb.conf <<EOF
[global]
    whatever lines you want
    ............
    ...........
    ........

[ashare]
    ...........
    .......
    ....
EOF

There is no problem with doing this, unless you are doing this on a DC,
in which case I would use 'sed' to add lines into the existing smb.conf
> 
> Am I potentially risking the security of my systems by replacing the 
> stock smb.conf shipped with Samba in this way? Obviously doing what I 
> have just described will erase all the default configuration settings 
> shipped in the installation.
It wont actually, if a line isn't there, then a default setting may be
used and it might not be what you want.
 
> Are any of the shipped default configuration parameters essential to 
> have from a security perspective? Am I doing something stupid here?
Provided the required lines are in smb.conf before you start Samba,
you will not have a problem, but if a line is missing, then the
default setting will be used. For instance, if you do not enter a line
that begins 'workgroup =', then the default workgroup name
'WORKGROUP'
will be used.

Rowland

Thanks very  much for your advice Rowland and Louis. Much appreciated.

Stephen

On 16/04/2019 11:40, Stephen via samba wrote:
> I have a general question regarding smb.conf and I was hoping that 
> some of the rather more knowledgeable and experienced people here 
> could please comment please?
>
> I am currently setting my various SAMBA systems up via some 
> shell-scripts. Within these scripts, I remove the stock smb.conf 
> shipped with Samba and replace this with an empty smb.conf file to 
> which I add my own configuration options afterwards. Obviously I COULD 
> instead simply append my changes to the existing file. However 
> currently i just remove the existing smb.conf and start again with a 
> blank file because the alternative seemed like more hassle!
>
> Am I potentially risking the security of my systems by replacing the 
> stock smb.conf shipped with Samba in this way? Obviously doing what I 
> have just described will erase all the default configuration settings 
> shipped in the installation.
> Are any of the shipped default configuration parameters essential to 
> have from a security perspective? Am I doing something stupid here?
>
> Thanks
> Stephen Ellwood
>
>