diff options
author | Gerald Carter <jerry@samba.org> | 2001-02-22 13:03:24 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-02-22 13:03:24 +0000 |
commit | 63c9afc82dca7c700c2f13feecc045679fe1b547 (patch) | |
tree | 21cb87df2024a75ae75b1094a09c4d798ec7fb46 | |
parent | b4096748dd5613f7c6f7d8c6d73c5ff0fba0c346 (diff) | |
download | samba-63c9afc82dca7c700c2f13feecc045679fe1b547.tar.gz samba-63c9afc82dca7c700c2f13feecc045679fe1b547.tar.bz2 samba-63c9afc82dca7c700c2f13feecc045679fe1b547.zip |
Whew! smb.conf.5.yo completely converted to DocBook (only after 2 & 1/2
days :) ). The man page generation is fine. Some anchor tags
need to be tweaked to get the HTML generation correct.
Also, I have done very little editing which means that we'll have to go
through and verify acurracy of things like default values, etc...
(This used to be commit 9fb11c5ec6d439544549060903ea0f275f5de9a9)
-rw-r--r-- | docs/docbook/smb.conf.5.sgml | 3077 |
1 files changed, 3057 insertions, 20 deletions
diff --git a/docs/docbook/smb.conf.5.sgml b/docs/docbook/smb.conf.5.sgml index 16d72a01ce..6e44a7a59a 100644 --- a/docs/docbook/smb.conf.5.sgml +++ b/docs/docbook/smb.conf.5.sgml @@ -215,7 +215,7 @@ </refsect2> <refsect2> - <title id="printersect">The [printers] section</title> + <title id="printerssect">The [printers] section</title> <para>This section works like [homes], but for printers.</para> @@ -529,7 +529,7 @@ </refsect1> <refsect1> - <title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title> + <title id="validationsect">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title> <para>There are a number of ways in which a user can connect to a service. The server follows the following steps in determining @@ -670,7 +670,6 @@ <listitem><para><parameter>ole locking compatibility</parameter></para></listitem> <listitem><para><parameter>oplock break wait time</parameter> </para></listitem> <listitem><para><parameter>os level</parameter> </para></listitem> - <listitem><para><parameter>packet size</parameter> </para></listitem> <listitem><para><parameter>panic action</parameter> </para></listitem> <listitem><para><parameter>passwd chat</parameter></para></listitem> <listitem><para><parameter>passwd chat debug</parameter> </para></listitem> @@ -1596,7 +1595,7 @@ <term id="defaultcase">default case (S)</term> <listitem><para>See the section on <link linkend="namemanglingsect"> NAME MANGLING"</link>. Also note the <link linkend="shortpreservecase"> - <parameter>short preserve case"</parameter>></link> parameter.</para> + <parameter>short preserve case"</parameter></link> parameter.</para> </listitem> </varlistentry> @@ -1688,7 +1687,7 @@ UNIX users are dynamically deleted to match existing Windows NT accounts.</para> - <para>See also <link linkend="securitydomain">security=domain</link>, + <para>See also <link linkend="securityequalsdomain">security=domain</link>, <link linkend="passwordserver"><parameter>password server</parameter> </link>, <link linkend="adduserscript"><parameter>add user script</parameter> </link>.</para> @@ -2300,7 +2299,7 @@ it to 0000.</para> <para>See also the <link linkend="directorysecuritymask"><parameter> - directory security mask</parameter></link>, <link linkend="secduritymask"> + directory security mask</parameter></link>, <link linkend="securitymask"> <parameter>security mask</parameter></link>, <link linkend="forcesecuritymode"><parameter>force security mode </parameter></link> parameters.</para> @@ -3001,7 +3000,7 @@ <term id="loadprinters">load printers (G)</term> <listitem><para>A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. - See the <link linkend="printersect">printers</link> section for + See the <link linkend="printerssect">printers</link> section for more details.</para> <para>Default: <command>load printers = yes</command></para></listitem> @@ -3440,7 +3439,7 @@ <varlistentry> <term id="machinepasswordtimeout">machine password timeout (G)</term> <listitem><para>If a Samba server is a member of an Windows - NT Domain (see the <link linkend="securitydomain">security=domain</link>) + NT Domain (see the <link linkend="securityequalsdomain">security=domain</link>) parameter) then periodically a running <ulink url="smbd.8.html"> smbd(8)</ulink> process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called <filename>private/secrets.tdb @@ -3449,7 +3448,7 @@ seconds), the same as a Windows NT Domain member server.</para> <para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8) - </command></ulink>, and the <link linkend="securitydomain"> + </command></ulink>, and the <link linkend="securityequalsdomain"> security=domain</link>) parameter.</para> <para>Default: <command>machine password timeout = 604800</command></para> @@ -3509,7 +3508,7 @@ <varlistentry> <term id="manglecase">mangle case (S)</term> - <listitem><para>See the section on <link linkend="manmaglingsect"> + <listitem><para>See the section on <link linkend="namemanglingsect"> NAME MANGLING</link></para> </listitem> </varlistentry> @@ -3841,15 +3840,6 @@ <varlistentry> - <term id="maxpacket">max packet (G)</term> - <listitem><para>Synonym for <link linkend="packetsize"><parameter> - packet size</parameter></link>.</para> - </listitem> - </varlistentry> - - - - <varlistentry> <term id="maxttl">max ttl (G)</term> <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink> what the default 'time to live' of NetBIOS names should be (in seconds) @@ -3866,7 +3856,7 @@ <varlistentry> <term id="maxwinsttl">max wins ttl (G)</term> <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8) - </ulink> when acting as a WINS server (<link linkend="winsupport"> + </ulink> when acting as a WINS server (<link linkend="winssupport"> <parameter>wins support=yes</parameter></link>) what the maximum 'time to live' of NetBIOS names that <command>nmbd</command> will grant will be (in seconds). You should never need to change this @@ -4332,6 +4322,3053 @@ </varlistentry> + <varlistentry> + <term id="oslevel">os level (G)</term> + <listitem><para>This integer value controls what level Samba + advertises itself as for browse elections. The value of this + parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink> + has a chance of becoming a local master browser for the <parameter> + WORKGROUP</parameter> in the local broadcast area. The default is + zero, which means <command>nmbd</command> will lose elections to + Windows machines. See <filename>BROWSING.txt</filename> in the + Samba <filename>docs/</filename> directory for details.</para> + + <para>Default: <command>os level = 20</command></para> + <para>Example: <command>os level = 65 </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="panicaction">panic action (G)</term> + <listitem><para>This is a Samba developer option that allows a + system command to be called when either <ulink url="smbd.8.html"> + smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink> + crashes. This is usually used to draw attention to the fact that + a problem occurred.</para> + + <para>Default: <command>panic action = <empty string></command></para> + <para>Example: <command>panic action = "/bin/sleep 90000"</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="passwdchat">passwd chat (G)</term> + <listitem><para>This string controls the <emphasis>"chat"</emphasis> + conversation that takes places between <ulink + url="smbd.8.html">smbd</ulink> and the local password changing + program to change the users password. The string describes a + sequence of response-receive pairs that <ulink url="smbd.8.html"> + smbd(8)</ulink> uses to determine what to send to the + <link linkend="passwdprogram"><parameter>passwd program</parameter> + </link> and what to expect back. If the expected output is not + received then the password is not changed.</para> + + <para>This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc).</para> + + <para>The string can contain the macros <parameter>%o</parameter> + and <parameter>%n</parameter> which are substituted for the old + and new passwords respectively. It can also contain the standard + macros <constant>\n</constant>, <constant>\r</constant>, <constant> + \t</constant> and <constant>%s</constant> to give line-feed, + carriage-return, tab and space.</para> + + <para>The string can also contain a '*' which matches + any sequence of characters.</para> + + <para>Double quotes can be used to collect strings with spaces + in them into a single string.</para> + + <para>If the send string in any part of the chat sequence + is a fullstop ".", then no string is sent. Similarly, + is the expect string is a fullstop then no string is expected.</para> + + <para>Note that if the <link linkend="unixpasswordsync"><parameter>unix + password sync</parameter></link> parameter is set to true, then this + sequence is called <emphasis>AS ROOT</emphasis> when the SMB password + in the smbpasswd file is being changed, without access to the old + password cleartext. In this case the old password cleartext is set + to "" (the empty string).</para> + + <para>See also <link linkend="unixpasswordsync"><parameter>unix password + sync</parameter></link>, <link linkend="passwdprogram"><parameter> + passwd program</parameter></link> and <link linkend="passwdchatdebug"> + <parameter>passwd chat debug</parameter></link>.</para> + + <para>Default: <command>passwd chat = *old*password* %o\n *new* + password* %n\n *new*password* %n\n *changed*</command></para> + <para>Example: <command>passwd chat = "*Enter OLD password*" %o\n + "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password + changed*"</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwdchatdebug">passwd chat debug (G)</term> + <listitem><para>This boolean specifies if the passwd chat script + parameter is run in <emphasis>debug</emphasis> mode. In this mode the + strings passed to and received from the passwd chat are printed + in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a + <link linkend="debuglevel"><parameter>debug level</parameter></link> + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the <command>smbd</command> log. It is available to help + Samba admins debug their <parameter>passwd chat</parameter> scripts + when calling the <parameter>passwd program</parameter> and should + be turned off after this has been done. This parameter is off by + default.</para> + + <para>See also <<link linkend="passwdchat"><parameter>passwd chat</parameter> + </link>, <link linkend="passwdprogram"><parameter>passwd program</parameter> + </link>.</para> + + <para>Default: <command>passwd chat debug = no</command></para> + <para>Example: <command>passwd chat debug = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwdprogram">passwd program (G)</term> + <listitem><para>The name of a program that can be used to set + UNIX user passwords. Any occurrences of <parameter>%u</parameter> + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.</para> + + <para>Also note that many passwd programs insist in <emphasis>reasonable + </emphasis> passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.</para> + + <para><emphasis>Note</emphasis> that if the <parameter>unix + password sync</parameter> parameter is set to <constant>True + </constant> then this program is called <emphasis>AS ROOT</emphasis> + before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5) + </ulink> file is changed. If this UNIX password change fails, then + <command>smbd</command> will fail to change the SMB password also + (this is by design).</para> + + <para>If the <parameter>unix password sync</parameter> parameter + is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> + for <emphasis>ALL</emphasis> programs called, and must be examined + for security implications. Note that by default <parameter>unix + password sync</parameter> is set to <constant>False</constant>.</para> + + <para>See also <link linkend="unixpasswordsync"><parameter>unix + password sync</parameter></link>.</para> + + <para>Default: <command>passwd program = /bin/passwd</command></para> + <para>Example: <command>passwd program = /sbin/npasswd %u</command> + </para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwordlevel">password level (G)</term> + <listitem><para>Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS!</para> + + <para>This parameter defines the maximum number of characters + that may be upper case in passwords.</para> + + <para>For example, say the password given was "FRED". If <parameter> + password level</parameter> is set to 1, the following combinations + would be tried if "FRED" failed:</para> + + <para>"Fred", "fred", "fRed", "frEd","freD"</para> + + <para>If <parameter>password level</parameter> was set to 2, + the following combinations would also be tried: </para> + + <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para> + + <para>And so on.</para> + + <para>The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection.</para> + + <para>A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case.</para> + + <para>Default: <command>password level = 0</command></para> + <para>Example: <command>password level = 4</command</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwordserver">password server (G)</term> + <listitem><para>By specifying the name of another SMB server (such + as a WinNT box) with this option, and using <command>security = domain + </command> or <command>security = server</command> you can get Samba + to do all its username/password validation via a remote server.</para> + + <para>This options sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the <filename>smb.conf</filename> file.</para> + + <para>The name of the password server is looked up using the + parameter <link linkend="nameresolveorder"><parameter>name + resolve order</parameter></link> and so may resolved + by any method and order described in that parameter.</para> + + <para>The password server much be a machine capable of using + the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in + user level security mode.</para> + + <para><emphasis>NOTE:</emphasis> Using a password server + means your UNIX box (running Samba) is only as secure as your + password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT + YOU DON'T COMPLETELY TRUST</emphasis>.</para> + + <para>Never point a Samba server at itself for password + serving. This will cause a loop and could lock up your Samba + server!</para> + + <para>The name of the password server takes the standard + substitutions, but probably the only useful one is <parameter>%m + </parameter>, which means the Samba server will use the incoming + client as the passwordserver. If you use this then you better + trust your clients, and you better restrict them with hosts allow!</para> + + <para>If the <parameter>security</parameter> parameter is set to + <constant>domain</constant>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is cryptographicly + in that domain, and will use cryptographicly authenticated RPC calls + to authenticate the user logging on. The advantage of using <command> + security = domain</command> is that if you list several hosts in the + <parameter>password server</parameter> option then <command>smbd + </command> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</para> + + <para>If the <parameter>password server</parameter> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <constant>WORKGROUP<1C></constant> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </para> + + <para>If the <parameter>security</parameter> parameter is + set to <constant>server</constant>, then there are different + restrictions that <command>security = domain</command> doesn't + suffer from:</para> + + <itemizedlist> + <listitem><para>You may list several password servers in + the <parameter>password server</parameter> parameter, however if an + <command>smbd</command> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <command>smbd</command>. This is a + restriction of the SMB/CIFS protocol when in <command>security=server + </command> mode and cannot be fixed in Samba.</para></listitem> + + <listitem><para>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <command> + security=server</command> mode the network logon will appear to + come from there rather than from the users workstation.</para></listitem> + </itemizedlist> + + <para>See also the <link linkend="security"><parameter>security + </parameter></link> parameter.</para> + + <para>Default: <command>password server = <empty string></command> + </para> + <para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2 + </command></para> + <para>Example: <command>password server = *</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="path">path (S)</term> + <listitem><para>This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing.</para> + + <para>For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise.</para> + + <para>Any occurrences of <parameter>%u</parameter> in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of <parameter>%m</parameter> + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users.</para> + + <para>Note that this path will be based on <link linkend="rootdir"> + <parameter>root dir</parameter></link> if one was specified.</para> + + <para>Default: <emphasis>none</emphasis></para> + <para>Example: <command>path = /home/fred</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="postexec">postexec (S)</term> + <listitem><para>This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems.</para> + + <para>An interesting example may be do unmount server + resources:</para> + + <para><command>postexec = /etc/umount /cdrom</command></para> + + <para>See also <link linkend="preexec"><parameter>preexec</parameter> + </link>.</para> + + <para>Default: <emphasis>none (no command executed)</emphasis> + </para> + + <para>Example: <command>postexec = echo \"%u disconnected from %S + from %m (%I)\" >> /tmp/log</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="postscript">postscript (S)</term> + <listitem><para>This parameter forces a printer to interpret + the print files as postscript. This is done by adding a <constant>%! + </constant> to the start of print output.</para> + + <para>This is most useful when you have lots of PCs that persist + in putting a control-D at the start of print jobs, which then + confuses your printer.</para> + + <para>Default: <command>postscript = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preexec">preexec (S)</term> + <listitem><para>This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions.</para> + + <para>An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example:</para> + + <para><command>preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para> + + <para>Of course, this could get annoying after a while :-)</para> + + <para>See also <link linkend="preexecclose"><parameter>preexec close + </parameter</link> and <link linkend="postexec"><parameter>postexec + </parameter></link>.</para> + + <para>Default: <emphasis>none (no command executed)</emphasis></para> + <para>Example: <command>preexec = echo \"%u connected to %S from %m + (%I)\" >> /tmp/log</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preexecclose">preexec close (S)</term> + <listitem><para>This boolean option controls whether a non-zero + return code from <link linkend="preexec"><parameter>preexec + </parameter></link> should close the service being connected to.</para> + + <para>Default: <command>preexec close = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="preferredmaster">preferred master (G)</term> + <listitem><para>This boolean parameter controls if <ulink + url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser + for its workgroup.</para> + + <para>If this is set to true, on startup, <command>nmbd</command> + will force an election, and it will have a slight advantage in + winning the election. It is recommended that this parameter is + used in conjunction with <command><link linkend="domainmaster"><parameter> + domain master</parameter></link> = yes</command>, so that <command> + nmbd</command> can guarantee becoming a domain master.</para> + + <para>Use this option with caution, because if there are several + hosts (whether Samba servers, Windows 95 or NT) that are preferred + master browsers on the same subnet, they will each periodically + and continuously attempt to become the local master browser. + This will result in unnecessary broadcast traffic and reduced browsing + capabilities.</para> + + <para>See also <link linkend="oslevel"><parameter>os level</parameter> + </link>.</para> + + <para>Default: <command>preferred master = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preferedmaster">prefered master (G)</term> + <listitem><para>Synonym for <link linkend="preferredmaster"><parameter> + preferred master</parameter></link> for people who cannot spell :-).</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preload">preload</term> + <listitem><para>Synonym for <link linkend="autoservices"><parameter> + auto services</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="preservecase">preserve case (S)</term> + <listitem><para> This controls if new filenames are created + with the case that the client passes, or if they are forced to + be the <link linkend="defaultcase"><parameter>derault case + </parameter></link>.</para> + + <para>Default: <command>preserve case = yes</command></para> + + <para>See the section on <link linkend="namemanglingsect">NAME + MANGLING"</link> for a fuller discussion.</para + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printcommand">print command (S)</term> + <listitem><para>After a print job has finished spooling to + a service, this command will be used via a <command>system()</command> + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files.</para> + + <para>The print command is simply a text string. It will be used + verbatim, with two exceptions: All occurrences of <parameter>%s + </parameter> and <parameter>%f</parameter> will be replaced by the + appropriate spool file name, and all occurrences of <parameter>%p + </parameter> will be replaced by the appropriate printer name. The + spool file name is generated automatically by the server, the printer + name is discussed below.</para> + + <para>The print command <emphasis>MUST</emphasis> contain at least + one occurrence of <parameter>%s</parameter> or <parameter>%f + </parameter> - the <parameter>%p</parameter> is optional. At the time + a job is submitted, if no printer name is supplied the <parameter>%p + </parameter> will be silently removed from the printer command.</para> + + <para>If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified.</para> + + <para>If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed.</para> + + <para>Note that printing may fail on some UNIXs from the + <constant>nobody</constant> account. If this happens then create + an alternative guest account that can print and set the <link + linkend="guestaccount"><parameter>guest account</parameter></link> + in the [global] section.</para> + + <para>You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts.</para> + + <para><command>print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s</command></para> + + <para>You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the <link linkend="printing"> + <parameter>printing</parameter></link> parameter.</para> + + <para>Default: For <command>printing= BSD, AIX, QNX, LPRNG + or PLP :</command></para> + <para><command>print command = lpr -r -P%p %s</command></para> + + <para>For <command>printing= SYS or HPUX :</command></para> + <para><command>print command = lp -c -d%p %s; rm %s</command></para> + + <para>For <command>printing=SOFTQ :</command></para> + <para><command>print command = lp -d%p -s %s; rm %s</command></para> + + <para>Example: <command>print command = /usr/local/samba/bin/myprintscript + %p %s</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printok">print ok (S)</term> + <listitem><para>Synonym for <link linkend="printable"> + <parameter>printable</parameter></link>.</para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="printable">printable (S)</term> + <listitem><para>If this parameter is <constant>yes</constant>, then + clients may open, write to and submit spool files on the directory + specified for the service. </para> + + <para>Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The <link linkend="writeable"><parameter>writeable + </parameter></link> parameter controls only non-printing access to + the resource.</para> + + <para>Default: <command>printable = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printcap">printcap (G)</term> + <listitem><para>Synonym for <link linkend="printcapname"><parameter> + printcap name</parameter></link>.</para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="printeradmin">printer admin (S)</term> + <listitem><para>This is a list of users that can do anything to + printers via the remote administration interfaces offered by MSRPC + (usually using a NT workstation). Note that the root user always + has admin rights.</para> + + <para>Default: <command>printer admin = <empty string></command> + </para> + <para>Example: <command>printer admin = admin, @staff</command></para> + </listitem> + </varlistentry> + + + + + + + <varlistentry> + <term id="printcapname">printcap name (G)</term> + <listitem><para>This parameter may be used to override the + compiled-in default printcap name used by the server (usually <filename> + /etc/printcap</filename>). See the discussion of the <link + linkend="printerssect">[printers]</link> section above for reasons + why you might want to do this.</para> + + <para>On System V systems that use <command>lpstat</command> to + list available printers you can use <command>printcap name = lpstat + </command> to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If <parameter> + printcap name</parameter> is set to <command>lpstat</command> on + these systems then Samba will launch <command>lpstat -v</command> and + attempt to parse the output to obtain a printer list.</para> + + <para>A minimal printcap file would look something like this:</para> + + <para><programlisting> + print1|My Printer 1 + print2|My Printer 2 + print3|My Printer 3 + print4|My Printer 4 + print5|My Printer 5 + </programlisting></para> + + <para>where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment.</para> + + <para><emphasis>NOTE</emphasis>: Under AIX the default printcap + name is <filename>/etc/qconfig</filename>. Samba will assume the + file is in AIX <filename>qconfig</filename> format if the string + <filename>qconfig</filename> appears in the printcap filename.</para> + + <para>Default: <command>printcap name = /etc/printcap</command></para> + <para>Example: <command>printcap name = /etc/myprintcap</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printer">printer (S)</term> + <listitem><para>This parameter specifies the name of the printer + to which print jobs spooled through a printable service will be sent.</para> + + <para>If specified in the [global] section, the printer + name given will be used for any printable service that does + not have its own printer name specified.</para> + + <para>Default: <emphasis>none (but may be <constant>lp</constant> + on many systems)</emphasis></para> + + <para>Example: <command>printer name = laserwriter</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printerdriver">printer driver (S)</term> + <listitem><para>This option allows you to control the string + that clients receive when they ask the server for the printer driver + associated with a printer. If you are using Windows95 or WindowsNT + then you can use this to automate the setup of printers on your + system.</para> + + <para>You need to set this parameter to the exact string (case + sensitive) that describes the appropriate printer driver for your + system. If you don't know the exact string to use then you should + first try with no <link linkend="printerdriver"><parameter> + printer driver</parameter></link> option set and the client will + give you a list of printer drivers. The appropriate strings are + shown in a scrollbox after you have chosen the printer manufacturer.</para> + + <para>See also <link linkend="printerdriverfile"><parameter>printer + driver file</parameter></link>.</para> + + <para>Example: <command>printer driver = HP LaserJet 4L</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printerdriverfile">printer driver file (G)</term> + <listitem><para>This parameter tells Samba where the printer driver + definition file, used when serving drivers to Windows 95 clients, is + to be found. If this is not set, the default is :</para> + + <para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable> + /lib/printers.def</filename></para> + + <para>This file is created from Windows 95 <filename>msprint.inf + </filename> files found on the Windows 95 client system. For more + details on setting up serving of printer drivers to Windows 95 + clients, see the documentation file in the <filename>docs/</filename> + directory, <filename>PRINTER_DRIVER.txt</filename>.</para> + + <para>See also <link linkend="printerdriverlocation"><parameter> + printer driver location</parameter></link>.</para> + + <para>Default: <emphasis>None (set in compile).</emphasis></para> + + <para>Example: <command>printer driver file = + /usr/local/samba/printers/drivers.def</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="printerdriverlocation">printer driver location (S)</term> + <listitem><para>This parameter tells clients of a particular printer + share where to find the printer driver files for the automatic + installation of drivers for Windows 95 machines. If Samba is set up + to serve printer drivers to Windows 95 machines, this should be set to</para> + + <para><command>\\MACHINE\PRINTER$</command></para> + + <para>Where MACHINE is the NetBIOS name of your Samba server, + and PRINTER$ is a share you set up for serving printer driver + files. For more details on setting this up see the documentation + file in the <filename>docs/</filename> directory, <filename> + PRINTER_DRIVER.txt</filename>.</para> + + <para>See also <link linkend="printerdriverfile"><parameter> + printer driver file</parameter></link>.</para> + + <para>Default: <command>none</command></para> + <para>Example: <command>printer driver location = \\MACHINE\PRINTER$ + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printername">printer name (S)</term> + <listitem><para>Synonym for <link linkend="printer"><parameter> + printer</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printing">printing (S)</term> + <listitem><para>This parameters controls how printer status + information is interpreted on your system. It also affects the + default values for the <parameter>print command</parameter>, + <parameter>lpq command</parameter>, <parameter>lppause command + </parameter>, <parameter>lpresume command</parameter>, and + <parameter>lprm command</parameter> if specified in the + [global]f> section.</para> + + <para>Currently eight printing styles are supported. They are + <constant>BSD</constant>, <constant>AIX</constant>, + <constant>LPRNG</constant>, <constant>PLP</constant>, + <constant>SYSV</constant>, <constant>HPUX</constant>, + <constant>QNX</constant>, <constant>SOFTQ</constant>, + and <constant>CUPS</constant>.</para> + + <para>To see what the defaults are for the other print + commands when using the various options use the <ulink + url="testparm.1.html">testparm(1)</ulink> program.</para> + + <para>This option can be set on a per printer basis</para> + + <para>See also the discussion in the <link linkend="printerssect"> + [printers]</link> section.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="privatedir">private dir(G)</term> + <listitem><para>The <parameter>private dir</parameter> parameter + allows an administator to define a directory path used to hold the + various databases Samba will use to store things like a the machine + trust account information when acting as a domain member (i.e. where + the secrets.tdb file will be located), where the passdb.tbd file + will stored in the case of using the experiemental tdbsam support, + etc...</para> + + <para>Default: <command>private dir = <compile time location + of smbpasswd></command></para> + <para>Example: <command>private dir = /etc/smbprivate</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="protocol">protocol (G)</term> + <listitem><para>The value of the parameter (a string) is the highest + protocol level that will be supported by the server.</para> + + <para>Possible values are :</para> + <itemizedlist> + <listitem><para><constant>CORE</constant>: Earliest version. No + concept of user names.</para></listitem> + + <listitem><para><constant>COREPLUS</constant>: Slight improvements on + CORE for efficiency.</para></listitem> + + <listitem><para><constant>LANMAN1</constant>: First <emphasis> + modern</emphasis> version of the protocol. Long filename + support.</para></listitem> + + <listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol. + </para></listitem> + + <listitem><para><constant>NT1</constant>: Current up to date version of + the protocol. Used by Windows NT. Known as CIFS.</para></listitem> + </itemizedlist> + + <para>Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol.</para> + + <para>Default: <command>protocol = NT1</command></para> + <para>Example: <command>protocol = LANMAN1</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="public">public (S)</term> + <listitem><para>Synonym for <link linkend="guestok"><parameter>guest + ok</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="queuepausecommand">queuepause command (S)</term> + <listitem><para>This parameter specifies the command to be + executed on the server host in order to pause the printerqueue.</para> + + <para>This command should be a program or script which takes + a printer name as its only parameter and stops the printerqueue, + such that no longer jobs are submitted to the printer.</para> + + <para>This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT.</para> + + <para>If a <parameter>%p</parameter> is given then the printername + is put in its place. Otherwise it is placed at the end of the command. + </para> + + <para>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</para> + + <para>Default: <emphasis>depends on the setting of <parameter>printing + </parameter></emphasis></para> + <para>Example: <command>queuepause command = disable %p</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="queueresumecommand">queueresume command (S)</term> + <listitem><para>This parameter specifies the command to be + executed on the server host in order to resume the printerqueue. It + is the command to undo the behavior that is caused by the + previous parameter (<link linkend="queuepausecommand"><parameter> + queuepause command</parameter></link>).</para> + + <para>This command should be a program or script which takes + a printer name as its only parameter and resumes the printerqueue, + such that queued jobs are resubmitted to the printer.</para> + + <para>This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT.</para> + + <para>If a <parameter>%p</parameter> is given then the printername + is put in its place. Otherwise it is placed at the end of the + command.</para> + + <para>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</para> + + <para>Default: <emphasis>depends on the setting of <link + linkend="printing"><parameter>printing</parameter></link></emphasis> + </para> + + <para>Example: <command>queuepause command = enable %p + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="readbmpx">read bmpx (G)</term> + <listitem><para>This boolean parameter controls whether <ulink + url="smbd.8.html">smbd(8)</ulink> will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + <constant>no</constant>. You should never need to set this + parameter.</para> + + <para>Default: <command>read bmpx = no</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="readlist">read list (S)</term> + <listitem><para>This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the <link + linkend="writeable"><parameter>writeable</parameter></link> + option is set to. The list can include group names using the + syntax described in the <link linkend="invalidusers"><parameter> + invalid users</parameter></link> parameter.</para> + + <para>See also the <link linkend="writelist"><parameter> + write list</parameter></link> parameter and the <link + linkend="invalidusers"><parameter>invalid users</parameter> + </link> parameter.</para> + + <para>Default: <command>read list = <empty string></command></para> + <para>Example: <command>read list = mary, @students</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="readonly">read only (S)</term> + <listitem><para>Note that this is an inverted synonym for <link + linkend="writeable"><parameter>writeable</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="readraw">read raw (G)</term> + <listitem><para>This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients.</para> + + <para>If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + </para> + + <para>However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads.</para> + + <para>In general this parameter should be viewed as a system tuning + tool and left severely alone. See also <link linkend="writeraw"> + <parameter>write raw</parameter></link>.</para> + + <para>Default: <command>read raw = yes</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="readsize">read size (G)</term> + <listitem><para>The option <parameter>read size</parameter> + affects the overlap of disk reads/writes with network reads/writes. + If the amount of data being transferred in several of the SMB + commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger + than this value then the server begins writing the data before it + has received the whole packet from the network, or in the case of + SMBreadbraw, it begins writing to the network before all the data + has been read from disk.</para> + + <para>This overlapping works best when the speeds of disk and + network access are similar, having very little effect when the + speed of one is much greater than the other.</para> + + <para>The default value is 16384, but very little experimentation + has been done yet to determine the optimal value, and it is likely + that the best value will vary greatly between systems anyway. + A value over 65536 is pointless and will cause you to allocate + memory unnecessarily.</para> + + <para>Default: <command>read size = 16384</command></para> + <para>Example: <command>read size = 8192</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="remoteannounce">remote announce (G)</term> + <listitem><para>This option allows you to setup <ulink + url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name.</para> + + <para>This is useful if you want your Samba server to appear + in a remote workgroup for which the normal browse propagation + rules don't work. The remote workgroup can be anywhere that you + can send IP packets to.</para> + + <para>For example:</para> + + <para><command>remote announce = 192.168.2.255/SERVERS + 192.168.4.255/STAFF</command></para> + + <para>the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. + If you leave out the workgroup name then the one given in + the <link linkend="workgroup"><parameter>workgroup</parameter></link> + parameter is used instead.</para> + + <para>The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable.</para> + + <para>See the documentation file <filename>BROWSING.txt</filename> + in the <filename>docs/</filename> directory.</para> + + <para>Default: <command>remote announce = <empty string> + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="remotebrowsesync">remote browse sync (G)</term> + <listitem><para>This option allows you to setup <ulink + url="nmbd.8.html">nmbd(8)</ulink> to periodically request + synchronization of browse lists with the master browser of a samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-samba servers.</para> + + <para>This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to.</para> + + <para>For example:</para> + + <para><command>remote browse sync = 192.168.2.255 192.168.4.255 + </command></para> + + <para>the above line would cause <command>nmbd</command> to request + the master browser on the specified subnets or addresses to + synchronize their browse lists with the local server.</para> + + <para>The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on it's segment.</para> + + <para>Default: <command>remote browse sync = <empty string> + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="restrictanonymous">restrict anonymous (G)</term> + <listitem><para>This is a boolean parameter. If it is true, then + anonymous access to the server will be restricted, namely in the + case where the server is expecting the client to send a username, + but it doesn't. Setting it to true will force these anonymous + connections to be denied, and the client will be required to always + supply a username and password when connecting. Use of this parameter + is only recommened for homogenous NT client environments.</para> + + <para>This parameter makes the use of macro expansions that rely + on the username (%U, %G, etc) consistant. NT 4.0 + likes to use anonymous connections when refreshing the share list, + and this is a way to work around that.</para> + + <para>When restrict anonymous is true, all anonymous connections + are denied no matter what they are for. This can effect the ability + of a machine to access the samba Primary Domain Controller to revalidate + it's machine account after someone else has logged on the client + interactively. The NT client will display a message saying that + the machine's account in the domain doesn't exist or the password is + bad. The best way to deal with this is to reboot NT client machines + between interactive logons, using "Shutdown and Restart", rather + than "Close all programs and logon as a different user".</para> + + <para>Default: <command>restrict anonymous = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="root">root (G)</term> + <listitem><para>Synonym for <link linkend="rootdirectory"> + <parameter>root directory"</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="rootdir">root dir (G)</term> + <listitem><para>Synonym for <link linkend="rootdirectory"> + <parameter>root directory"</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="rootdirectory">root directory (G)</term> + <listitem><para>The server will <command>chroot()</command> (i.e. + Change it's root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the <link + linkend="widelinks"><parameter>wide links</parameter></link> + parameter).</para> + + <para>Adding a <parameter>root directory</parameter> entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the <parameter>root directory</parameter> + option, <emphasis>including</emphasis> some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the <parameter>root directory</parameter> tree. In particular + you will need to mirror <filename>/etc/passwd</filename> (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.</para> + + <para>Default: <command>root directory = /</command></para> + <para>Example: <command>root directory = /homes/smb</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="rootpostexec">root postexec (S)</term> + <listitem><para>This is the same as the <parameter>postexec</parameter> + parameter except that the command is run as root. This + is useful for unmounting filesystems + (such as cdroms) after a connection is closed.</para> + + <para>See also <link linkend="postexec"><parameter> + postexec</parameter></link>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term id="rootpreexec">root preexec (S)</term> + <listitem><para>This is the same as the <parameter>preexec</parameter> + parameter except that the command is run as root. This + is useful for mounting filesystems + (such as cdroms) after a connection is closed.</para> + + <para>See also <link linkend="preexec"><parameter> + preexec</parameter></link> and <link linkend="preexecclose"> + <parameter>preexec close</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="rootpreexecclose">root preexec close (S)</term> + <listitem><para>This is the same as the <parameter>preexec close + </parameter> parameter except that the command is run as root.</para> + + <para>See also <link linkend="preexec"><parameter> + preexec</parameter></link> and <link linkend="preexecclose"> + <parameter>preexec close</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="security">security (G)</term> + <listitem><para>This option affects how clients respond to + Samba and is one of the most important settings in the <filename> + smb.conf</filename> file.</para> + + <para>The option sets the "security mode bit" in replies to + protocol negotiations with <ulink url="smbd.8.html">smbd(8) + </ulink> to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server.</para> + + + <para>The default is <command>security = user</command>, as this is + the most common setting needed when talking to Windows 98 and + Windows NT.</para> + + <para>The alternatives are <command>security = share</command>, + <command>security = server</command> or <command>security=domain + </command>.</para> + + <para>In versions of Samba prior to 2..0, the default was + <command>security = share</command> mainly because that was + the only option at one stage.</para> + + <para>There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as.</para> + + <para>If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + <command>security = user</command>. If you mostly use usernames + that don't exist on the UNIX box then use <command>security = + share</command>.</para> + + <para>You should also use <command>security = share</command> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with <command>security = user</command>, see + the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link>parameter for details.</para> + + <para>It is possible to use <command>smbd</command> in a <emphasis> + hybrid mode</emphasis> where it is offers both user and share + level security under different <link linkend="netbiosaliases"> + <parameter>NetBIOS aliases</parameter></link>. </para> + + <para>The different settings will now be explained.</para> + + + <para><anchor id="securityequalshare"><emphasis>SECURITY = SHARE + </emphasis></para> + + <para>When clients connect to a share level security server then + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a <command>security = share + </command> server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share.</para> + + <para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis> + uses a valid UNIX user to act on behalf of the client, even in + <command>security = share</command> level security.</para> + + <para>As clients are not required to send a username to the server + in share level security, <command>smbd</command> uses several + techniques to determine the correct UNIX user to use on behalf + of the client.</para> + + <para>A list of possible UNIX usernames to match with the given + client password is constructed using the following methods :</para> + + <itemizedlist> + <listitem><para>If the <link linkend="guestonly"><parameter>guest + only</parameter></link> parameter is set, then all the other + stages are missed and only the <link linkend="guestaccount"> + <parameter>guest account</parameter></link> username is checked. + </para></listitem> + + <listitem><para>Is a username is sent with the share connection + request, then this username (after mapping - see <link + linkend="usernamemap"><parameter>username map</parameter></link>), + is added as a potential username.</para></listitem> + + <listitem><para>If the client did a previous <emphasis>logon + </emphasis> request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + </para></listitem> + + <listitem><para>The name of the service the client requested is + added as a potential username.</para></listitem> + + <listitem><para>The NetBIOS name of the client is added to + the list as a potential username.</para></listitem> + + <listitem><para>Any users on the <link linkend="user"><parameter> + user</parameter></link> list are added as potential usernames. + </para></listitem> + </itemizedlist> + + <para>If the <parameter>guest only</parameter> parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user.</para> + + <para>If the <parameter>guest only</parameter> parameter is + set, or no username can be determined then if the share is marked + as available to the <parameter>guest account</parameter>, then this + guest user will be used, otherwise access is denied.</para> + + <para>Note that it can be <emphasis>very</emphasis> confusing + in share-level security as to which UNIX username will eventually + be used in granting access.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para><anchor id="securityequaluser"><emphasis>SECURIYT = USER + </emphasis></para> + + <para>This is the default security setting in Samba 2.2. + With user-level security a client must first "log=on" with a + valid username and password (which can be mapped using the <link + linkend="usernamemap"><parameter>username map</parameter></link> + parameter). Encrypted passwords (see the <link linkend="encryptpasswords"> + <parameter>encrypted passwords</parameter></link> parameter) can also + be used in this security mode. Parameters such as <link linkend="user"> + <parameter>user</parameter></link> and <link linkend="guestonly"> + <parameter>guest only</parameter></link> if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link + linkend="guestaccount"><parameter>guest account</parameter></link>. + See the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para><anchor id="securityequalserver"><emphasis>SECURITY = SERVER + </emphasis></para> + + <para>In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to <command>security = user</command>, but note + that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid + <filename>smbpasswd</filename> file to check users against. See the + documentation file in the <filename>docs/</filename> directory + <filename>ENCRYPTION.txt</filename> for details on how to set this + up.</para> + + <para><emphasis>Note</emphasis> that from the clients point of + view <command>security = server</command> is the same as <command> + security = user</command>. It only affects how the server deals + with the authentication, it does not in any way affect what the + client sees.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link + linkend="guestaccount"><parameter>guest account</parameter></link>. + See the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para>See also the <link linkend="passwordserver"><parameter>password + server</parameter></link> parameter and the <link + linkend="encryptpasswords"><parameter>encrypted passwords</parameter> + </link> parameter.</para> + + <para><anchor id="securityequalsdomain"><emphasis>SECURITY = DOMAIN + </emphasis></para> + + <para>This mode will only work correctly if <ulink + url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this + machine into a Windows NT Domain. It expects the <link + linkend="encryptpasswords"><parameter>encrypted passwords</parameter> + </link> parameter to be set to <constant>true</constant>. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.</para> + + <para><emphasis>Note</emphasis> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.</para> + + <para><emphasis>Note</emphasis> that from the clients point + of view <command>security = domain</command> is the same as <command>security = user + </command>. It only affects how the server deals with the authentication, + it does not in any way affect what the client sees.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link + linkend="guestaccount"><parameter>guest account</parameter></link>. + See the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para><emphasis>BUG:</emphasis> There is currently a bug in the + implementation of <command>security = domain</command> with respect + to multi-byte character set usernames. The communication with a + Domain Controller must be done in UNICODE and Samba currently + does not widen multi-byte user names to UNICODE correctly, thus + a multi-byte username will not be recognized correctly at the + Domain Controller. This issue will be addressed in a future release.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para>See also the <link linkend="passwordserver"><parameter>password + server</parameter></link> parameter and the <link + linkend="encryptpasswords"><parameter>encrypted passwords</parameter> + </link> parameter.</para> + + <para>Default: <command>security = USER</command></para> + <para>Example: <command>security = DOMAIN</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="securitymask">security mask (S)</term> + <listitem><para>This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box.</para> + + <para>This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.</para> + + <para>If not set explicitly this parameter is set to the same + value as the <link linkend="createmask"><parameter>create mask + </parameter></link> parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter to + 0777.</para> + + <para><emphasis>Note</emphasis> that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to set it to 0777.</para> + + <para>See also the <link linkend="forcedirectorysecuritymode"> + <parameter>force directory security mode</parameter></link>, + <link linkend="directorysecuritymask"><parameter>directory + security mask</parameter></link>, <link linkend="forcesecuritymode"> + <parameter>force security mode</parameter></link> parameters.</para> + + <para>Default: <command>security mask = <same as create mask> + </command></para> + <para>Example: <command>security mask = 0777</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="serverstring">server string (G)</term> + <listitem><para>This controls what string will show up in the + printer comment box in print manager and next to the IPC connection + in <command>net view"</command>. It can be any string that you wish + to show to your users.</para> + + <para>It also sets what will appear in browse lists next + to the machine name.</para> + + <para>A <parameter>%v</parameter> will be replaced with the Samba + version number.</para> + + <para>A <parameter>%h</parameter> will be replaced with the + hostname.</para> + + <para>Default: <command>server string = Samba %v</command></para> + + <para>Example: <command>server string = University of GNUs Samba + Server</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="setdirectory">set directory (S)</term> + <listitem><para>If <command>set directory = no</command>, then + users of the service may not use the setdir command to change + directory.</para> + + <para>The <command>setdir</command> command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details.</para> + + <para>Default: <command>set directory = no</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="sharemodes">share modes (S)</term> + <listitem><para>This enables or disables the honoring of + the <parameter>share modes</parameter> during a file open. These + modes are used by clients to gain exclusive read or write access + to a file.</para> + + <para>These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do).</para> + + <para>The share modes that are enabled by this option are + <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>, + <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>, + <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>. + </para> + + <para>This option gives full share compatibility and enabled + by default.</para> + + <para>You should <emphasis>NEVER</emphasis> turn this parameter + off as many Windows applications will break if you do so.</para> + + <para>Default: <command>share modes = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sharedmemsize">shared mem size (G)</term> + <listitem><para>It specifies the size of the shared memory (in + bytes) to use between <ulink url="smbd.8.html">smbd(8)</ulink> + processes. This parameter defaults to one megabyte of shared + memory. It is possible that if you have a large erver with many + files open simultaneously that you may need to increase this + parameter. Signs that this parameter is set too low are users + reporting strange problems trying to save files (locking errors) + and error messages in the smbd log looking like <emphasis>ERROR + smb_shm_alloc : alloc of XX bytes failed</emphasis>.</para> + + <para>If your OS refuses the size that Samba asks for then + Samba will try a smaller size, reducing by a factor of 0.8 until + the OS accepts it.</para> + + <para>Default: <command>shared mem size = 1048576</command></para> + <para>Example: <command>shared mem size = 5242880 ; Set to 5mb for a + large number of files.</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="shortpreservecase">short preserve case (S)</term> + <listitem><para>This boolean parameter controls if new files + which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced + to be the <link linkend="defaultcase"><parameter>default case + </parameter></link>. This option can be use with <link + linkend="preservecase"><command>preserve case = yes</command> + </link> to permit long filenames to retain their case, while short + names are lowered. </para> + + <para>See the section on <link linkend="namemanglingsect"> + NAME MANGLING</link>.</para> + + <para>Default: <command>short preserve case = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="smbpasswdfile">smb passwd file (G)</term> + <listitem><para>This option sets the path to the encrypted + smbpasswd file. By default the path to the smbpasswd file + is compiled into Samba.</para> + + <para>Default: <command>smb passwd file= <compiled + default></command></para> + + <para>Example: <command>smb passwd file = /usr/samba/private/smbpasswd + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="smbrun">smbrun (G)</term> + <listitem><para>This sets the full path to the <command>smbrun + </command> binary. This defaults to the value in the <filename> + Makefile</filename>.</para> + + <para>You must get this path right for many services + to work correctly.</para> + + <para>You should not need to change this parameter so + long as Samba is installed correctly.</para> + + <para>Default: <command>smbrun=<compiled default> + </command></para> + + <para>Example: <command>smbrun = /usr/local/samba/bin/smbrun + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="socketaddress">socket address (G)</term> + <listitem><para>This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration.</para> + + <para>By default samba will accept connections on any + address.</para> + + <para>Example: <command>socket address = 192.168.2.20</command> + </para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="socketoptions">socket options (G)</term> + <listitem><para>This option allows you to set socket options + to be used when talking with the client.</para> + + <para>Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned.</para> + + <para>This option will typically be used to tune your Samba + server for optimal performance for your local network. There is + no way that Samba can know what the optimal parameters are for + your net, so you must experiment and choose them yourself. We + strongly suggest you read the appropriate documentation for your + operating system first (perhaps <command>man setsockopt</command> + will help).</para> + + <para>You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to <ulink url="mailto:samba@samba.org"> + samba@samba.org</ulink>.</para> + + <para>Any of the supported socket options may be combined + in any way you like, as long as your OS allows it.</para> + + <para>This is the list of socket options currently settable + using this option:</para> + + <itemizedlist> + <listitem><para>SO_KEEPALIVE</para></listitem> + <listitem><para>SO_REUSEADDR</para></listitem> + <listitem><para>SO_BROADCAST</para></listitem> + <listitem><para>TCP_NODELAY</para></listitem> + <listitem><para>IPTOS_LOWDELAY</para></listitem> + <listitem><para>IPTOS_THROUGHPUT</para></listitem> + <listitem><para>SO_SNDBUF *</para></listitem> + <listitem><para>SO_RCVBUF *</para></listitem> + <listitem><para>SO_SNDLOWAT *</para></listitem> + <listitem><para>SO_RCVLOWAT *</para></listitem> + </itemizedlist> + + <para>Those marked with a <emphasis>'*'</emphasis> take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0.</para> + + <para>To specify an argument use the syntax SOME_OPTION=VALUE + for example <command>SO_SNDBUF=8192</command>. Note that you must + not have any spaces before or after the = sign.</para> + + <para>If you are on a local network then a sensible option + might be</para> + <para><command>socket options = IPTOS_LOWDELAY</command></para> + + <para>If you have a local network then you could try:</para> + <para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para> + + <para>If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. </para> + + <para>Note that several of the options may cause your Samba + server to fail completely. Use these options with caution!</para> + + <para>Default: <command>socket options = TCP_NODELAY</command></para> + <para>Example: <command>socket options = IPTOS_LOWDELAY</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="sourceenvironment">source environment (G)</term> + <listitem><para>This parameter causes Samba to set environment + variables as per the content of the file named.</para> + + <para>If the value of this parameter starts with a "|" character + then Samba will treat that value as a pipe command to open and + will set the environment variables from the output of the pipe.</para> + + <para>The contents of the file or the output of the pipe should + be formatted as the output of the standard Unix <command>env(1) + </command> command. This is of the form :</para> + <para>Example environment entry:</para> + <para><command>SAMBA_NETBIOS_NAME=myhostname</command></para> + + <para>Default: <emphasis>No default value</emphasis></para> + <para>Examples: <command>source environment = |/etc/smb.conf.sh + </command></para> + + <para>Example: <command>source environment = + /usr/local/smb_env_vars</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="ssl">ssl (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable enables or disables the entire SSL mode. If + it is set to <constant>no</constant>, the SSL enabled samba behaves + exactly like the non-SSL samba. If set to <constant>yes</constant>, + it depends on the variables <link linkend="sslhosts"><parameter> + ssl hosts</parameter></link> and <link linkend="sslhostsresign"> + <parameter>ssl hosts resign</parameter></link> whether an SSL + connection will be required.</para> + + <para>Default: <command>ssl=no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslCAcertDir">ssl CA certDir (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable defines where to look up the Certification + Authorities. The given directory should contain one file for + each CA that samba will trust. The file name must be the hash + value over the "Distinguished Name" of the CA. How this directory + is set up is explained later in this document. All files within the + directory that don't fit into this naming scheme are ignored. You + don't need this variable if you don't verify client certificates.</para> + + <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslCAcertFile">ssl CA certFile (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable is a second way to define the trusted CAs. + The certificates of the trusted CAs are collected in one big + file and this variable points to the file. You will probably + only use one of the two ways to define your CAs. The first choice is + preferable if you have many CAs or want to be flexible, the second + is preferable if you only have one CA and want to keep things + simple (you won't need to create the hashed file names). You + don't need this variable if you don't verify client certificates.</para> + + <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry><term id="sslciphers">ssl ciphers (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable defines the ciphers that should be offered + during SSL negotiation. You should not set this variable unless + you know what you are doing.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslclientcert">ssl client cert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>The certificate in this file is used by <ulink url="smbclient.1.html"> + <command>smbclient(1)</command></ulink> if it exists. It's needed + if the server requires a client certificate.</para> + + <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslclientkey">ssl client key (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This is the private key for <ulink url="smbclient.1.html"> + <command>smbclient(1)</command></ulink>. It's only needed if the + client should have a certificate. </para> + + <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslcompatibility">ssl compatibility (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable defines whether SSLeay should be configured + for bug compatibility with other SSL implementations. This is + probably not desirable because currently no clients with SSL + implementations other than SSLeay exist.</para> + + <para>Default: <command>ssl compatibility = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry><term id="sslhosts">ssl hosts (G)</term> + <listitem><para>See <link linkend="sslhostsresign"><parameter> + ssl hosts resign</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslhostsresign">ssl hosts resign (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>These two variables define whether samba will go + into SSL mode or not. If none of them is defined, samba will + allow only SSL connections. If the <link linkend="sslhosts"> + <parameter>ssl hosts</parameter></link> variable lists + hosts (by IP-address, IP-address range, net group or name), + only these hosts will be forced into SSL mode. If the <parameter> + ssl hosts resign</parameter> variable lists hosts, only these + hosts will NOT be forced into SSL mode. The syntax for these two + variables is the same as for the <link linkend="hostsallow"><parameter> + hosts allow</parameter></link> and <link linkend="hostsdeny"> + <parameter>hosts deny</parameter></link> pair of variables, only + that the subject of the decision is different: It's not the access + right but whether SSL is used or not. </para> + + <para>The example below requires SSL connections from all hosts + outside the local net (which is 192.168.*.*).</para> + + <para>Default: <command>ssl hosts = <empty string></command></para> + <para><command>ssl hosts resign = <empty string></command></para> + + <para>Example: <command>ssl hosts resign = 192.168.</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslrequireclientcert">ssl require clientcert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>If this variable is set to <constant>yes</constant>, the + server will not tolerate connections from clients that don't + have a valid certificate. The directory/file given in <link + linkend="sslcacertdir"><parameter>ssl CA certDir</parameter> + </link> and <link linkend="sslcacertfile"><parameter>ssl CA certFile + </parameter></link> will be used to look up the CAs that issued + the client's certificate. If the certificate can't be verified + positively, the connection will be terminated. If this variable + is set to <constant>no</constant>, clients don't need certificates. + Contrary to web applications you really <emphasis>should</emphasis> + require client certificates. In the web environment the client's + data is sensitive (credit card numbers) and the server must prove + to be trustworthy. In a file server environment the server's data + will be sensitive and the clients must prove to be trustworthy.</para> + + <para>Default: <command>ssl require clientcert = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslrequireservercert">ssl require servercert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>If this variable is set to <constant>yes</constant>, the + <ulink url="smbclient.1.html"><command>smbclient(1)</command> + </ulink> will request a certificate from the server. Same as + <link linkend="sslrequireclientcert"><parameter>ssl require + clientcert</parameter></link> for the server.</para> + + <para>Default: <command>ssl require servercert = no</command> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term id="sslservercert">ssl server cert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This is the file containing the server's certificate. + The server <emphasis>must</emphasis> have a certificate. The + file may also contain the server's private key. See later for + how certificates and private keys are created.</para> + + <para>Default: <command>ssl server cert = <empty string> + </command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslserverkey">ssl server key (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This file contains the private key of the server. If + this variable is not defined, the key is looked up in the + certificate file (it may be appended to the certificate). + The server <emphasis>must</emphasis> have a private key + and the certificate <emphasis>must</emphasis> + match this private key.</para> + + <para>Default: <command>ssl server key = <empty string> + </command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslversion">ssl version (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This enumeration variable defines the versions of the + SSL protocol that will be used. <constant>ssl2or3</constant> allows + dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results + in SSL v2, <constant>ssl3</constant> results in SSL v3 and + <constant>tls1</constant> results in TLS v1. TLS (Transport Layer + Security) is the new standard for SSL.</para> + + <para>Default: <command>ssl version = "ssl2or3"</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="statcache">stat cache (G)</term> + <listitem><para>This parameter determines if <ulink + url="smbd.8.html">smbd(8)</ulink> will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter.</para> + + <para>Default: <command>stat cache = yes</command></para> + </listitem> + </varlistentry> + + <varlistentry> + <term id="statcachesize">stat cache size (G)</term> + <listitem><para>This parameter determines the number of + entries in the <parameter>stat cache</parameter>. You should + never need to change this parameter.</para> + + <para>Default: <command>stat cache size = 50</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="status">status (G)</term> + <listitem><para>This enables or disables logging of connections + to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink> + can read.</para> + + <para>With this disabled <command>smbstatus</command> won't be able + to tell you what connections are active. You should never need to + change this parameter.</para> + + <para>Default: <command>status = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="strictlocking">strict locking (S)</term> + <listitem><para>This is a boolean that controls the handling of + file locking in the server. When this is set to <constant>yes</constant> + the server will check every read and write access for file locks, and + deny access if locks exist. This can be slow on some systems.</para> + + <para>When strict locking is <constant>no</constant> the server does file + lock checks only when the client explicitly asks for them.</para> + + <para>Well behaved clients always ask for lock checks when it + is important, so in the vast majority of cases <command>strict + locking = no</command> is preferable.</para> + + <para>Default: <command>strict locking = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="strictsync">strict sync (S)</term> + <listitem><para>Many Windows applications (including the Windows + 98 explorer shell) seem to confuse flushing buffer contents to + disk with doing a sync to disk. Under UNIX, a sync call forces + the process to be suspended until the kernel has ensured that + all outstanding data in kernel disk buffers has been safely stored + onto stable storage. This is very slow and should only be done + rarely. Setting this parameter to <constant>no</constant> (the + default) means that smbd ignores the Windows applications requests for + a sync call. There is only a possibility of losing data if the + operating system itself that Samba is running on crashes, so there is + little danger in this default setting. In addition, this fixes many + performance problems that people have reported with the new Windows98 + explorer shell file copies.</para> + + <para>See also the <link linkend="syncalways"><parameter>sync + always></parameter></link> parameter.</para> + + <para>Default: <command>strict sync = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="stripdot">strip dot (G)</term> + <listitem><para>This is a boolean that controls whether to + strip trailing dots off UNIX filenames. This helps with some + CDROMs that have filenames ending in a single dot.</para> + + <para>Default: <command>strip dot = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="syncalways">sync always (S)</term> + <listitem><para>This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is false then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is true then every write will be followed by a <command>fsync() + </command> call to ensure the data is written to disk. Note that + the <parameter>strict sync</parameter> parameter must be set to + <constant>yes</constant> in order for this parameter to have + any affect.</para> + + <para>See also the <link linkend="strictsync"><parameter>strict + sync</parameter></link> parameter.</para> + + <para>Default: <command>sync always = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="syslog">syslog (G)</term> + <listitem><para>This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog <constant>LOG_ERR</constant>, debug + level one maps onto <constant>LOG_WARNING</constant>, debug level + two maps onto <constant>LOG_NOTICE</constant>, debug level three + maps onto LOG_INFO. All higher levels are mapped to <constant> + LOG_DEBUG</constant>.</para> + + <para>This paramter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog.</para> + + <para>Default: <command>syslog = 1</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="syslogonly">syslog only (G)</term> + <listitem><para>If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files.</para> + + <para>Default: <command>syslog only = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="templatehomedir">template homedir (G)</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is + only available in Samba 3.0.</para> + + <para>When filling out the user information for a Windows NT + user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon + uses this parameter to fill in the home directory for that user. + If the string <parameter>%D</parameter> is present it is substituted + with the user's Windows NT domain name. If the string <parameter>%U + </parameter> is present it is substituted with the user's Windows + NT user name.</para> + + <para>Default: <command>template homedir = /home/%D/%U</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="templateshell">template shell (G)</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is + only available in Samba 3.0.</para> + + <para>When filling out the user information for a Windows NT + user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon + uses this parameter to fill in the login shell for that user.</para> + + <para>Default: <command>template shell = /bin/false</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="timeoffset">time offset (G)</term> + <listitem><para>This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling.</para> + + <para>Default: <command>time offset = 0</command></para> + <para>Example: <command>time offset = 60</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="timeserver">time server (G)</term> + <listitem><para>This parameter determines if <ulink url="nmbd.8.html"> + nmbd(8)</ulink> advertises itself as a time server to Windows + clients.</para> + + <para>Default: <command>time server = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="timestamplogs">timestamp logs (G)</term> + <listitem><para>Synonym for <link linkend="debugtimestamp"><parameter> + debug timestamp</parameter></link>.</para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="unixpasswordsync">unix password sync (G)</term> + <listitem><para>This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to true the program specified in the <parameter>passwd + program</parameter>parameter is called <emphasis>AS ROOT</emphasis> - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password has change code has no + access to the old password cleartext, only the new).</para> + + <para>See also <link linkend="passwdprogram"><parameter>passwd + program</parameter></link>, <link linkend="passwdchat"><parameter> + passwd chat</parameter></link>.</para> + + <para>Default: <command>unix password sync = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="unixrealname">unix realname (G)</term> + <listitem><para>This boolean parameter when set causes samba + to supply the real name field from the unix password file to + the client. This isuseful for setting up mail clients and WWW + browsers on systems used by more than one person.</para> + + <para>Default: <command>unix realname = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="updateencrypted">update encrypted (G)</term> + <listitem><para>This boolean parameter allows a user logging + on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as + they log on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing + all users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change over + to encrypted passwords to be made over a longer period. Once all users + have encrypted representations of their passwords in the smbpasswd + file this parameter should be set to <constant>no</constant>.</para> + + <para>In order for this parameter to work correctly the <link + linkend="encryptpasswords"><parameter>encrypt passwords</parameter> + </link> parameter must be set to <constant>no</constant> when + this parameter is set to <constant>yes</constant>.</para> + + <para>Note that even when this parameter is set a user + authenticating to <command>smbd</command> must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords.</para> + + <para>Default: <command>update encrypted = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="userhosts">use rhosts (G)</term> + <listitem><para>If this global parameter is a true, it specifies + that the UNIX users <filename>.rhosts</filename> file in their home directory + will be read to find the names of hosts and users who will be allowed + access without specifying a password.</para> + + <para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts + </parameter> can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the <parameter> + use rhosts</parameter> option be only used if you really know what + you are doing.</para> + + <para>Default: <command>use rhosts = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="user">user (S)</term> + <listitem><para>Synonym for <link linkend="username"><parameter> + username</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="users">users (S)</term> + <listitem><para>Synonym for <link linkend="username"><parameter> + username</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="username">username (S)</term> + <listitem><para>Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).</para> + + <para>The <parameter>username</parameter> line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.</para> + + <para>The <parameter>username</parameter> line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + <parameter>username</parameter> line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.</para> + + <para>Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.</para> + + <para>To restrict a service to a particular set of users you + can use the <link linkend="validusers"><parameter>valid users + </parameter></link> parameter.</para> + + <para>If any of the usernames begin with a '@' then the name + will be looked up first in the yp netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.</para> + + <para>If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.</para> + + <para>If any of the usernames begin with a '&'then the name + will be looked up only in the yp netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.</para> + + <para>Note that searching though a groups database can take + quite some time, snd some clients may time out during the + search.</para> + + <para>See the section <link linkend="validationsect">NOTE ABOUT + USERNAME/PASSWORD VALIDATION</link> for more information on how + this parameter determines access to the services.</para> + + <para>Default: <command>The guest account if a guest service, + else the name of the service.</command></para> + + <para>Examples:<command>username = fred, mary, jack, jane, + @users, @pcgroup</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="usernamelevel">username level (G)</term> + <listitem><para>This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.</para> + + <para>If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try whilst trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as <constant>AstrangeUser + </constant>.</para> + + <para>Default: <command>username level = 0</command></para> + <para>Example: <command>username level = 5</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="usernamemap">username map (G)</term> + <listitem><para>This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files.</para> + + <para>The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long.</para> + + <para>The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line.</para> + + <para>If any line begins with a '#' or a ';' then it is + ignored</para> + + <para>If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file.</para> + + <para>For example to map from the name <constant>admin</constant> + or <constant>administrator</constant> to the UNIX name <constant> + root</constant> you would use:</para> + + <para><command>root = admin administrator</command></para> + + <para>Or to map anyone in the UNIX group <constant>system</constant> + to the UNIX name <constant>sys</constant> you would use:</para> + + <para><command>sys = @system</command></para> + + <para>You can have as many mappings as you like in a username + map file.</para> + + + <para>If your system supports the NIS NETGROUP option then + the netgroup database is checked before the <filename>/etc/group + </filename> database for matching groups.</para> + + <para>You can map Windows usernames that have spaces in them + by using double quotes around the name. For example:</para> + + <para><command>tridge = "Andrew Tridgell"</command></para> + + <para>would map the windows username "Andrew Tridgell" to the + unix username "tridge".</para> + + <para>The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line.</para> + + <para><programlisting> + !sys = mary fred + guest = * + </programlisting></para> + + <para>Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and <constant> + fred</constant> is remapped to <constant>mary</constant> then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for <constant>mary</constant> not + <constant>fred</constant>. The only exception to this is the + username passed to the <link linkend="passwordserver"><parameter> + password server</parameter></link> (if you have one). The password + server will receive whatever username the client supplies without + modification.</para> + + <para>Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job.</para> + + <para>Default: <emphasis>no username map</emphasis></para> + <para>Example: <command>username map = /usr/local/samba/lib/users.map + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="utmp">utmp (S)</term> + <listitem><para>This boolean parameter is only available if + Samba has been configured and compiled with the option <command> + --with-utmp</command>. If set to True then Samba will attempt + to add utmp or utmpx records (depending on the UNIX system) whenever a + connection is made to a Samba server. Sites may use this to record the + user connecting to a Samba share.</para> + + <para>See also the <link linkend="utmpdirectory"><parameter> + utmp directory</parameter></link> parameter.</para> + + <para>Default: <command>utmp = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="utmpdirectory">utmp directory(G)</term> + <listitem><para>This parameter is only available if Samba has + been configured and compiled with the option <command> + --with-utmp</command>. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. See also the <link linkend="utmp"> + <parameter>utmp</parameter></link> parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + <filename>/var/run/utmp</filename> on Linux).</para> + + <para>Default: <emphasis>no utmp directory</emphasis></para> + </listitem> + </varlistentry> + + + + <varlistentry><term id="winbindcachetime">winbind cache time</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is only + available in Samba 3.0.</para> + + <para>This parameter specifies the number of seconds the + <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache + user and group information before querying a Windows NT server + again.</para> + + <para>Default: <command>winbind cache type = 15</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry><term id="winbindgid">winbind gid</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is only + available in Samba 3.0.</para> + + <para>The winbind gid parameter specifies the range of group + ids that are allocated by the <ulink url="winbindd.8.html"> + winbindd(8)</ulink> daemon. This range of group ids should have no + existing local or nis groups within it as strange conflicts can + occur otherwise.</para> + + <para>Default: <command>winbind gid = <empty string> + </command></para> + + <para>Example: <command>winbind gid = 10000-20000</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winbinduid">winbind uid</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is only + available in Samba 3.0.</para> + + <para>The winbind gid parameter specifies the range of group + ids that are allocated by the <ulink url="winbindd.8.html"> + winbindd(8)</ulink> daemon. This range of ids should have no + existing local or nis users within it as strange conflicts can + occur otherwise.</para> + + <para>Default: <command>winbind uid = <empty string> + </command></para> + + <para>Example: <command>winbind uid = 10000-20000</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="validchars">valid chars (G)</term> + <listitem><para>The option allows you to specify additional + characters that should be considered valid by the server in + filenames. This is particularly useful for national character + sets, such as adding u-umlaut or a-ring.</para> + + <para>The option takes a list of characters in either integer + or character form with spaces between them. If you give two + characters with a colon between them then it will be taken as + an lowercase:uppercase pair.</para> + + <para>If you have an editor capable of entering the characters + into the config file then it is probably easiest to use this + method. Otherwise you can specify the characters in octal, + decimal or hexadecimal form using the usual C notation.</para> + + <para>For example to add the single character 'Z' to the charset + (which is a pointless thing to do as it's already there) you could + do one of the following</para> + + <para><programlisting> + valid chars = Z + valid chars = z:Z + valid chars = 0132:0172 + </programlisting></para> + + <para>The last two examples above actually add two characters, + and alter the uppercase and lowercase mappings appropriately.</para> + + <para>Note that you <emphasis>MUST</emphasis> specify this parameter + after the <parameter>client code page</parameter> parameter if you + have both set. If <parameter>client code page</parameter> is set after + the <parameter>valid chars</parameter> parameter the <parameter>valid + chars</parameter> settings will be overwritten.</para> + + <para>See also the <link linkend="clientcodepage"><parameter>client + code page</parameter></link> parameter.</para> + + <para>Default: <emphasis>Samba defaults to using a reasonable set + of valid characters for English systems</emphasis></para> + + <para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304 + </command></para> + + <para>The above example allows filenames to have the Swedish + characters in them.</para> + + <para><emphasis>NOTE:</emphasis> It is actually quite difficult to + correctly produce a <parameter>valid chars</parameter> line for + a particular system. To automate the process <ulink + url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written + a package called <command>validchars</command> which will automatically + produce a complete <parameter>valid chars</parameter> line for + a given client system. Look in the <filename>examples/validchars/ + </filename> subdirectory of your Samba source code distribution + for this package.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="validusers">valid users (S)</term> + <listitem><para>This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + <parameter>invalid users</parameter> parameter.</para> + + <para>If this is empty (the default) then any user can login. + If a username is in both this list and the <parameter>invalid + users</parameter> list then access is denied for that user.</para> + + <para>The current servicename is substituted for <parameter>%S + </parameter>. This is useful in the [homes] section.</para> + + <para>See also <link linkend="invalidusers"><parameter>invalid users + </parameter></link></para> + + <para>Default: <emphasis>No valid users list (anyone can login) + </emphasis></para> + + <para>Example: <command>valid users = greg, @pcusers</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="vetofiles">veto files(S)</term> + <listitem><para>This is a list of files and directories that + are neither visible nor accessible. Each entry in the list must + be separated by a '/', which allows spaces to be included + in the entry. '*' and '?' can be used to specify multiple files + or directories as in DOS wildcards.</para> + + <para>Each entry must be a unix path, not a DOS path and + must <emphasis>not</emphasis> include the unix directory + separator '/'.</para> + + <para>Note that the <parameter>case sensitive</parameter> option + is applicable in vetoing files.</para> + + <para>One feature of the veto files parameter that it is important + to be aware of, is that if a directory contains nothing but files + that match the veto files parameter (which means that Windows/DOS + clients cannot ever see them) is deleted, the veto files within + that directory <emphasis>are automatically deleted</emphasis> along + with it, if the user has UNIX permissions to do so.</para> + + <para>Setting this parameter will affect the performance + of Samba, as it will be forced to check all files and directories + for a match as they are scanned.</para> + + <para>See also <link linkend="hidefiles"><parameter>hide files + </parameter></link> and <link linkend="casesensitive"><parameter> + case sensitive</parameter></link>.</para> + + <para>Default: <emphasis>No files or directories are vetoed. + </emphasis></para> + + <para>Examples:<programlisting> + ; Veto any files containing the word Security, + ; any ending in .tmp, and any directory containing the + ; word root. + veto files = /*Security*/*.tmp/*root*/ + + ; Veto the Apple specific files that a NetAtalk server + ; creates. + veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + </programlisting></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="vetooplockfiles">veto oplock files (S)</term> + <listitem><para>This parameter is only valid when the <link + linkend="oplocks"><parameter>oplocks</parameter></link> + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + <link linkend="vetofiles"><parameter>veto files</parameter></link> + parameter.</para> + + <para>Default: <emphasis>No files are vetoed for oplock + grants</emphasis></para> + + <para>You might want to do this on files that you know will + be heavily contended for by clients. A good example of this + is in the NetBench SMB benchmark program, which causes heavy + client contention for files ending in <filename>.SEM</filename>. + To cause Samba not to grant oplocks on these files you would use + the line (either in the [global] section or in the section for + the particular NetBench share :</para> + + <para>Example: <command>veto oplock files = /*;.SEM/ + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="volume">volume (S)</term> + <listitem><para> This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label.</para> + + <para>Default: <emphasis>the name of the share</emphasis></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="widelinks">wide links (S)</term> + <listitem><para>This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported.</para> + + <para>Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks.</para> + + <para>Default: <command>wide links = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winsproxy">wins proxy (G)</term> + <listitem><para>This is a boolean that controls if <ulink + url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to <constant>yes</constant> for some older clients.</para> + + <para>Default: <command>wins proxy = no</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="winsserver">wins server (G)</term> + <listitem><para>This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that <ulink url="nmbd.8.html"> + nmbd(8)</ulink> should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP.</para> + + <para>You should point this at your WINS server if you have a + multi-subnetted network.</para> + + <para><emphasis>NOTE</emphasis>. You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly.</para> + + <para>See the documentation file <filename>BROWSING.txt</filename> + in the docs/ directory of your Samba source distribution.</para> + + <para>Default: <emphasis>not enabled</emphasis></para> + <para>Example: <command>wins server = 192.9.200.1</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winshook">wins hook (G)</term> + <listitem><para>When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS.</para> + + <para>The wins hook parameter specifies the name of a script + or executable that will be called as follows:</para> + + <para><command>wins_hook operation name nametype ttl IP_list + </command></para> + + <itemizedlist> + <listitem><para>The first argument is the operation and is one + of "add", "delete", or "refresh". In most cases the operation can + be ignored as the rest of the parameters provide sufficient + information. Note that "refresh" may sometimes be called when the + name has not previously been added, in that case it should be treated + as an add.</para></listitem> + + <listitem><para>The second argument is the netbios name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods.</para></listitem> + + <listitem><para>The third argument is the netbios name + type as a 2 digit hexadecimal number. </para></listitem> + + <listitem><para>The fourth argument is the TTL (time to live) + for the name in seconds.</para></listitem> + + <listitem><para>The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted.</para></listitem> + </itemizedlist> + + <para>An example script that calls the BIND dynamic DNS update + program <command>nsupdate</command> is provided in the examples + directory of the Samba source code. </para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winssupport">wins support (G)</term> + <listitem><para>This boolean controls if the <ulink url="nmbd.8.html"> + nmbd(8)</ulink> process in Samba will act as a WINS server. You should + not set this to true unless you have a multi-subnetted network and + you wish a particular <command>nmbd</command> to be your WINS server. + Note that you should <emphasis>NEVER</emphasis> set this to true + on more than one machine in your network.</para> + + <para>Default: <command>wins support = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry><term id="workgroup">workgroup (G)</term> + <listitem><para>This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with the <link + linkend="workgroup"><command>security=domain</command></link> + setting.</para> + + <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para> + <para>Example: <command>workgroup = MYGROUP</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="writable">writable (S)</term> + <listitem><para>Synonym for <link linkend="writeable"><parameter> + writeable</parameter></link> for people who can't spell :-).</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writelist">write list (S)</term> + <listitem><para>This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the <link + linkend="writeable"><parameter>writeable</parameter></link> + option is set to. The list can include group names using the + @group syntax.</para> + + <para>Note that if a user is in both the read list and the + write list then they will be given write access.</para> + + <para>See also the <link linkend="readlist"><parameter>read list + </parameter></link> option.</para> + + <para>Default: <command>write list = <empty string> + </command></para> + + <para>Example: <command>write list = admin, root, @staff + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writecachesize">write cache size (S)</term> + <listitem><para>This integer parameter (new with Samba 2.0.7) + if set to non-zero causes Samba to create an in-memory cache for + each oplocked file (it does <emphasis>not</emphasis> do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it.</para> + + <para>This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (ie. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs.</para> + + <para>The integer parameter specifies the size of this cache + (per oplocked file) in bytes.</para> + + <para>Default: <command>write cache size = 0</command></para> + <para>Example: <command>write cache size = 262144</command></para> + + <para>for a 256k cache size per file.</para> + </listitem> + </varlistentry> + + + + + + + <varlistentry> + <term id="writeok">write ok (S)</term> + <listitem><para>Synonym for <link linkend="writeable"><parameter> + writeable</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writeraw">write raw (G)</term> + <listitem><para>This parameter controls whether or not the server + will support raw writes SMB's when transferring data from clients. + You should never need to change this parameter.</para> + + <para>Default: <command>write raw = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writeable">writeable (S)</term> + <listitem><para>An inverted synonym is <link linkend="readonly"> + <parameter>read only</parameter></link>.</para> + + <para>If this parameter is <constant>no</constant>, then users + of a service may not create or modify files in the service's + directory.</para> + + <para>Note that a printable service (<command>printable = yes</command>) + will <emphasis>ALWAYS</emphasis> allow writing to the directory + (user privileges permitting), but only via spooling operations.</para> + + <para>Default: <command>writeable = no</command></para> + </listitem> + </varlistentry> + + </variablelist> </refsect1> |