Force User and Group

Given a development share to which several users add files, it is often desirable that the files end up on the server owned by a single user and group regardless of who created them. This can be configured per share with the following two options:

[devel]
    ...
    force user = development
    force group = development
    ...

Note that this is stronger than setting the setgid bit on the parent directory (which only makes new files inherit the group), because Samba also forces the user ownership: every file created in the devel share, regardless of who created it, is owned by user development and group development. The connecting user still has to authenticate as themselves; force user only changes the UNIX identity used for file operations once the connection is established. Two consequences follow: per-user attribution is lost at the filesystem level (use the %U variable in the log file name or full audit logging if it is needed), and the development account should be a locked, shell-less service account, since it effectively owns everything on the share.

Setting Permissions on Files and Directories

Samba's own documentation explains that create mask removes bits and force create mode adds bits, but it lacks an example of the most common case: setting simple, fixed permissions for both files and directories created under a share.

This can be accomplished per share with the following (excessive) options 1):

[devel]
    ...
    ; newly created files will have 0660 (rw-rw----)
    create mask = 0660
    force create mode = 0660
    security mask = 0660
    force security mode = 0660
    ; newly created directories will have 0770 (rwxrwx---)
    directory mask = 0770
    force directory mode = 0770
    directory security mask = 0770
    force directory security mode = 0770
    ...

The values are octal. The mask is ANDed with the mode the client asked for (bits not in the mask are stripped) and the force mode is then ORed in (bits in it are always set), which is why using the same value for both pins every new file to exactly 0660 and every new directory to exactly 0770. The four security mask / force security mode parameters only governed what a client could change afterwards through the Windows security tab and were removed in Samba 4.3; on a current server testparm reports them as unknown parameters and they have no effect, so only create mask, force create mode, directory mask and force directory mode matter there. Run testparm -s after editing to see which lines the installed version actually accepts.

which would be suitable in combination with the previous fuss - for example:

[devel]
    ; all files and directories created in the share
    ; will be owned by the development user and the
    ; development group from passwd / group
    force user = development
    force group = development
    ; newly created files will have 0660 (rw-rw----)
    create mask = 0660
    force create mode = 0660
    security mask = 0660
    force security mode = 0660
    ; newly created directories will have 0770 (rwxrwx---)
    directory mask = 0770
    force directory mode = 0770
    directory security mask = 0770
    force directory security mode = 0770
    ...

The point of doing this is that directories and files created on the server through Samba are then accessible only to the development user and the development group, while the share itself can be opened up to a range of accounts with valid users (and, if wanted, write list). Since every file is owned by the single development account, anyone who can become that user or is a member of that group on the server has full access to all of them: keep the account locked (no password, shell /usr/sbin/nologin) and keep the group membership deliberate.
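As an added example, not from the original page and not Samba's own code, the following bash script reproduces smbd's mask-then-force computation for a share stanza, so the effect of a given smb.conf can be checked before restarting smbd. The two share stanzas it parses are constructed samples written to a temporary file, and its parser only handles plain key = value lines inside [share] blocks (no include or copy directives); the defaults it falls back to are the smb.conf defaults.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page or of Samba itself: compute
# the UNIX mode smbd will give a newly created file or directory under a
# share from the share's mask/force parameters. smbd first ANDs the mode the
# client asked for with "create mask" (or "directory mask"), then ORs in
# "force create mode" (or "force directory mode"). Defaults are smb.conf's.
set -u

# effective_mode <requested> <mask> <force>  (octal in, 4-digit octal out)
effective_mode() {
    local requested=$((8#$1)) mask=$((8#$2)) force=$((8#$3))
    printf '%04o\n' $(( (requested & mask) | force ))
}

# share_param <smb.conf> <share> <parameter> <default>
# Prints the parameter's value from the named [share] stanza, ignoring
# comment lines (; or #); falls back to <default> when it is not set.
share_param() {
    local value
    value=$(awk -v share="$2" -v param="$3" '
        /^[[:space:]]*\[/ {
            in_share = ($0 ~ ("^[[:space:]]*\\[" share "\\][[:space:]]*$"))
            next
        }
        in_share && $0 !~ /^[[:space:]]*[;#]/ && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == param) { print val; exit }
        }' "$1")
    printf '%s\n' "${value:-$4}"
}

# effective_file_mode <smb.conf> <share> <requested>
effective_file_mode() {
    effective_mode "$3" \
        "$(share_param "$1" "$2" 'create mask' 0744)" \
        "$(share_param "$1" "$2" 'force create mode' 0000)"
}

# effective_dir_mode <smb.conf> <share> <requested>
effective_dir_mode() {
    effective_mode "$3" \
        "$(share_param "$1" "$2" 'directory mask' 0755)" \
        "$(share_param "$1" "$2" 'force directory mode' 0000)"
}

# Constructed sample configuration (hypothetical shares, written to a temp file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[devel]
    ; locked down: everything ends up 0660 / 0770
    create mask = 0660
    force create mode = 0660
    directory mask = 0770
    force directory mode = 0770
[public]
    # only the mask is set: bits can be stripped off but none forced on
    create mask = 0644
EOF

for share in devel public; do
    for req in 0777 0644 0600; do
        printf '%-8s requested %s -> file %s  dir %s\n' "[$share]" "$req" \
            "$(effective_file_mode "$SAMPLE_CONF" "$share" "$req")" \
            "$(effective_dir_mode "$SAMPLE_CONF" "$share" "$req")"
    done
done
```

Running it against the real /etc/samba/smb.conf (replace SAMPLE_CONF with that path and the share name with yours) shows, for the [devel] stanza above, that any requested mode collapses to 0660 for files and 0770 for directories, while [public] only strips bits: a 0600 request stays 0600 there, which is the behaviour the mask-only setup silently permits.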

 Oh no, not this shit again! Seriously though, I recommend the following options to be added to samba:

    set file permissions = ...
    set directory permissions = ...

that would summarise 8 lines of configuration to just 2 lines!

Increase Compatibility with OSX

Disabling UNIX extensions (POSIX ACLs and the like), disabling oplocks on the affected shares, and pinning the protocol to NT1 allows for better compatibility with old OS X clients:

[global]
    # Better compatibility with OSX
    unix extensions = no
    max protocol = NT1
    min protocol = NT1

Be aware that NT1 is SMB1: it offers no transport encryption, and it is no longer spoken by current macOS or Windows clients nor by Samba's own defaults (server min protocol has been SMB2_02 since Samba 4.11), so these two lines pin the whole server to the legacy protocol for every client. Use them only while genuinely old OS X clients have to be served, preferably on an isolated network, and remove them afterwards. max protocol and min protocol are the older names of server max protocol and server min protocol.

Mounting Shares from Linux

The Linux CIFS client (mount.cifs from cifs-utils, used here to mount Samba 4.x shares) supports several authentication mechanisms, selected with the sec= mount option (descriptions from the mount.cifs manual page):

sec=        Description
none        attempt to connect as a null user (no name)
krb5        use Kerberos version 5 authentication
krb5i       use Kerberos authentication and forcibly enable packet signing
ntlm        use NTLM password hashing
ntlmi       use NTLM password hashing and force packet signing
ntlmv2      use NTLMv2 password hashing
ntlmv2i     use NTLMv2 password hashing and force packet signing
ntlmssp     use NTLMv2 password hashing encapsulated in raw NTLMSSP messages
ntlmsspi    use NTLMv2 password hashing encapsulated in raw NTLMSSP messages, and force packet signing

If the mount fails and dmesg shows errors such as:

[196525.842930] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[196525.842942] CIFS VFS: Send error in SessSetup = -13
[196525.843076] CIFS VFS: cifs_mount failed w/return code = -13

for example when trying to mount an Apple Time Capsule share, then the server rejected the session setup (NT_STATUS_LOGON_FAILURE, surfacing as EACCES, -13): either the credentials are wrong or the server does not accept the authentication mechanism the client negotiated by default.

For an Apple Time Capsule, choosing ntlm as the authentication mechanism seems to work:

mount -t cifs //capsule.dg/Sites /mnt/sites/ -o sec=ntlm

Note that sec=ntlm is NTLMv1, which is cryptographically weak and should only be used for such legacy appliances on a trusted network; prefer ntlmssp, ntlmv2 or krb5 wherever the server supports them. SMB1-only devices additionally need vers=1.0 on kernels from 4.13 onward, whose default is to negotiate SMB2 or SMB3.

Enable Synchronization between Shadow and Samba Passwords

The Samba PAM password-sync module (pam_smbpass, Debian package libpam-smbpass) has been deprecated and was removed from Samba in the 4.4 series, so it is not available on current distributions. The supported alternative is a common authentication backend, such as LDAP, for both the UNIX and the Samba accounts.

On systems that still ship it, enable the synchronisation between shadow and Samba passwords by installing the libpam-smbpass module:

aptitude install libpam-smbpass

and copying /usr/share/doc/libpam-smbpass/examples/password-sync from the libpam-smbpass package to /etc/pam.d/.

In /etc/samba/smb.conf make sure that the following settings are made:

obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

Enable Volume Shadow Copies with ZFS

If the underlying filesystem supports snapshots, Samba can expose them to Windows clients as Volume Shadow Copies (the "Previous Versions" tab) through the shadow_copy2 VFS module. On Debian with ZFS, first install zfs-auto-snapshot so that snapshots are taken on a schedule:

aptitude install zfs-auto-snapshot

and then enable the shadow_copy2 VFS object (the parameter is vfs objects; placed in [global] it applies to every share, otherwise put it in the share stanza):

[global]
...
    vfs objects = shadow_copy2
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
    shadow:localtime = no

shadow:format is a strptime pattern and must match the snapshot directory names as they appear under .zfs/snapshot of the share's dataset (check with ls on that directory or with zfs list -t snapshot); snapshots whose names do not match are simply not shown. zfs-auto-snapshot embeds a label such as hourly or daily in the name, which is not a time field (the %S above matches a two-digit seconds value), so adapt the pattern to the names actually present, or on recent Samba use shadow:snapprefix together with shadow:delimiter to match several labels. shadow:localtime = no means the timestamps in the names are interpreted as UTC; set it to match how the snapshots were named.

Performance with ZFS

At the time of writing, ZFS on Linux did not support sendfile(2) well, so disable it in Samba for a performance boost, and particularly if timeouts are observed:

use sendfile = no

Enable Web Service Discovery (WSDD) Instead of NetBIOS

Web Service Discovery (WSD) is the successor to NetBIOS-based host discovery, which Windows deprecated starting with Windows 10 version 1511. Samba does not implement it, so a separate daemon has to run alongside smbd; projects such as the wsdd Python script can be downloaded and run in the background to make the server show up in Windows network browsing. WSD uses multicast UDP port 3702 for discovery and the daemon answers over TCP port 5357, so both must be allowed through the host firewall from the local segment; as with NetBIOS, bind the daemon to the LAN interface only, since it announces the host to anything that can reach it by multicast.

Samba Variables not Working

  • %M, the client's DNS host name, only expands when the global option hostname lookups = yes is set; otherwise Samba does not resolve the client address.
  • %m, the client's NetBIOS name, is only sent on NetBIOS session (port 139) connections; clients that connect directly over port 445 do not provide one, so it will not work unless smb ports = 139 is set so that clients have to use port 139.

Enable Filesystem Cache

The Linux CIFS client (cifs.ko, not Samba itself) can cache file data locally through FS-Cache when a share is mounted with the fsc option. This requires the cachefilesd daemon to be installed and running. Install it:

aptitude install cachefilesd

and then enable the daemon by editing /etc/default/cachefilesd to set:

RUN=yes

Finally, when mounting the Samba share from the client, pass the fsc option along with the other mount options. For instance, from /etc/fstab:

//share.lan/share  /mnt/share     cifs    vers=3.1.1,fsc,username=...,password=...   0  0

Putting password= into /etc/fstab leaves the password world-readable, since fstab is; prefer credentials=/path/to/file, a root-owned, mode 0600 file with username=, password= and optionally domain= lines, over inline credentials. The cached data lives under /var/cache/fscache (the directory configured in /etc/cachefilesd.conf) and can be inspected there; when FS-Cache statistics are compiled into the kernel they are available in /proc/fs/fscache/stats.
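As an added example, not from the original page, the bash script below creates a mount.cifs credentials file with owner-only permissions, refuses a credentials file that other users could read, and emits the matching fstab line with credentials= in place of username=/password=. The share path, mount point, account name and password it uses are constructed placeholders; the permission check relies on GNU stat (Linux).

```bash
#!/usr/bin/env bash
# Added example, not from the original page: keep the CIFS password out of
# /etc/fstab (which is world-readable) by storing it in a mount.cifs
# credentials file referenced with the credentials= mount option, and refuse
# to use a credentials file that other users can read. Share, mount point and
# account values below are constructed placeholders.
set -u

# write_cifs_credentials <file> <username> <password> [domain]
# Writes the key=value format read by mount.cifs; the file is created 0600
# via umask so the secret is never world-readable, not even briefly.
write_cifs_credentials() {
    local file=$1 user=$2 pass=$3 domain=${4:-} old_umask
    old_umask=$(umask)
    umask 077
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$domain" ]; then
            printf 'domain=%s\n' "$domain"
        fi
    } > "$file"
    umask "$old_umask"
}

# check_cifs_credentials <file>
# Returns 0 when the file is owner-only and has a password line, 1 otherwise.
check_cifs_credentials() {
    local file=$1 mode
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")       # GNU stat (Linux)
    case "$mode" in
        600|400) ;;
        *)
            echo "$file: mode $mode is readable by group or others" >&2
            return 1
            ;;
    esac
    if ! grep -q '^password=' "$file"; then
        echo "$file: no password= line" >&2
        return 1
    fi
    return 0
}

# fstab_entry <unc-path> <mount-point> <credentials-file>
# Emits the /etc/fstab line; _netdev defers the mount until networking is up.
fstab_entry() {
    printf '%s  %s  cifs  vers=3.1.1,fsc,credentials=%s,_netdev  0  0\n' "$1" "$2" "$3"
}

# Demonstration on a temporary file; a real deployment would write e.g.
# /root/.smbcredentials as root and never pass the password on a command line.
CRED_FILE=$(mktemp)
trap 'rm -f "$CRED_FILE"' EXIT
write_cifs_credentials "$CRED_FILE" 'shareuser' 'correct horse battery staple' 'WORKGROUP'
check_cifs_credentials "$CRED_FILE" && fstab_entry '//share.lan/share' '/mnt/share' "$CRED_FILE"
```

The check is worth running from the same cron or boot script that performs the mount: a credentials file that was later chmod'ed to 644 is as bad as a password in fstab, and failing loudly there beats discovering it in an audit.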

Periodically Cleaning up the Recycle Bin

Enabling the recycle VFS object makes Samba keep deleted files instead of unlinking them: whatever is deleted on the share, whether from a Windows or a Linux client, is first moved into a .recycle subfolder at the top level of the share (the default of recycle:repository).

The recycle VFS object has no option to expire old entries, so the .recycle subfolder grows until the disk fills up (recycle:maxsize only keeps oversized files out of the bin, it does not bound the bin). One solution is a cron script that periodically deletes files and directories older than a given number of days.

For example, the following script:

#!/usr/bin/env bash
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2024 - License: MIT            ##
###########################################################################
 
###########################################################################
##                            CONFIGURATION                              ##
###########################################################################
 
# Number of days that files are kept in the recycle bin. A file whose inode
# change time (updated when Samba moves it into .recycle) is older than this
# many days is deleted.
DELETE_OLDER_THAN_DAYS=5
 
# Paths, on the server, of the shares that have "vfs_recycle" enabled; each
# is expected to contain a .recycle directory.
MOUNT_PATHS=( /mnt/archie /mnt/docker )
 
###########################################################################
##                              INTERNALS                                ##
###########################################################################
 
# Acquire a lock (mkdir is atomic) so overlapping runs do not collide.
# KILL cannot be trapped, so it is not listed; EXIT covers normal completion.
LOCK_FILE='/var/lock/cleanup-samba-trash'
if mkdir "$LOCK_FILE" >/dev/null 2>&1; then
    trap 'rm -rf "$LOCK_FILE"' QUIT TERM EXIT INT HUP
else
    exit 0
fi
 
for MOUNT_PATH in "${MOUNT_PATHS[@]}"; do
    if [ ! -d "${MOUNT_PATH}/.recycle" ]; then
        echo "Share path \"${MOUNT_PATH}\" has no recycle bin."
        continue
    fi
 
    # Delete files older than the retention period first ...
    find "${MOUNT_PATH}/.recycle/" \
        -type f \
        -ctime +"${DELETE_OLDER_THAN_DAYS}" \
        -delete 2>/dev/null
    # ... then prune the directories left empty, never .recycle itself.
    find "${MOUNT_PATH}/.recycle/" \
        -mindepth 1 -depth \
        -type d -empty \
        -delete 2>/dev/null
done

can be dropped into /etc/cron.daily (made executable and named without a file extension, since run-parts skips names containing a dot) to keep only the last 5 days of deleted files in each .recycle folder. The configuration section sets the share paths to be cleaned and the number of days after which files are deleted. ctime rather than mtime is used on purpose: the rename into .recycle updates the inode change time, so it measures the time since deletion rather than the age of the file's contents.

1)
Kudos to sbleono for ("after years") making it excessive and working and thus enlightening everybody.

fuss/samba.txt · Last modified: 2024/02/22 05:35 by office
