author | Gerald Carter <jerry@samba.org> | 2001-04-19 21:07:17 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-04-19 21:07:17 +0000 |
commit | 3cfd1cb50b3fd71b8b523b26a3378eea4eb10130 (patch) | |
tree | cd9fb4c464108809b3af0bdb1174fbd229eb5670 | |
parent | 344787a4b7cb915cc4c442a425eaeb3ed6eddaa6 (diff) | |
beginning of big merge of docs from 2.2
(This used to be commit 30e385a737e386015d4256f8b3e11b35a35b2268)
26 files changed, 0 insertions, 12079 deletions
diff --git a/docs/yodldocs/DOMAIN_MEMBER.yo b/docs/yodldocs/DOMAIN_MEMBER.yo deleted file mode 100644 index e13a2f2a58..0000000000 --- a/docs/yodldocs/DOMAIN_MEMBER.yo +++ /dev/null 
@@ -1,149 +0,0 @@ -mailto(samba@samba.org) - -article(Joining an NT Domain with Samba 2.0)(Jeremy Allison, Samba Team)(7th October 1999) - -center(Joining an NT Domain with Samba 2.0) -center(-----------------------------------) - -In order for a Samba-2 server to join an NT domain, you must first add -the NetBIOS name of the Samba server to the NT domain on the PDC using -Server Manager for Domains. This creates the machine account in the -domain (PDC) SAM. Note that you should add the Samba server as a "Windows -NT Workstation or Server", em(NOT) as a Primary or backup domain controller. - -Assume you have a Samba-2 server with a NetBIOS name of tt(SERV1) and are -joining an NT domain called tt(DOM), which has a PDC with a NetBIOS name -of tt(DOMPDC) and two backup domain controllers with NetBIOS names tt(DOMBDC1) -and tt(DOMBDC2). - -In order to join the domain, first stop all Samba daemons and run the -command - -tt(smbpasswd -j DOM -r DOMPDC) - -as we are joining the domain DOM and the PDC for that domain (the only -machine that has write access to the domain SAM database) is DOMPDC. If this is -successful you will see the message: - -tt(smbpasswd: Joined domain DOM.) - -in your terminal window. See the url(bf(smbpasswd))(smbpasswd.8.html) -man page for more details. - -This command goes through the machine account password change -protocol, then writes the new (random) machine account password for -this Samba server into a file in the same directory in which an -smbpasswd file would be stored - normally : - -tt(/usr/local/samba/private) - -The filename looks like this: - -tt(<NT DOMAIN NAME>.<Samba Server Name>.mac) - -The tt(.mac) suffix stands for machine account password file. So in -our example above, the file would be called: - -tt(DOM.SERV1.mac) - -This file is created and owned by root and is not readable by any -other user. It is the key to the domain-level security for your -system, and should be treated as carefully as a shadow password file. 
- -Now, before restarting the Samba daemons you must edit your -url(bf(smb.conf))(smb.conf.5.html) file to tell Samba it should now -use domain security. - -Change (or add) your - -url(bf("security ="))(smb.conf.5.html#security) - -line in the url(bf([global]))(smb.conf.5.html#global) section of your -url(bf(smb.conf))(smb.conf.5.html) to read: - -tt(security = domain) - -Next change the - -url(bf("workgroup ="))(smb.conf.5.html#workgroup) - -line in the url(bf([global]))(smb.conf.5.html#global) section to read: - -tt(workgroup = DOM) - -as this is the name of the domain we are joining. - -You must also have the parameter url(bf("encrypt passwords"))(smb.conf.5.html#encryptpasswords) -set to tt("yes") in order for your users to authenticate to the -NT PDC. - -Finally, add (or modify) a: - -url(bf("password server ="))(smb.conf.5.html#passwordserver) - -line in the url(bf([global]))(smb.conf.5.html#global) section to read: - -tt(password server = DOMPDC DOMBDC1 DOMBDC2) - -These are the primary and backup domain controllers Samba will attempt -to contact in order to authenticate users. Samba will try to contact -each of these servers in order, so you may want to rearrange this list -in order to spread out the authentication load among domain -controllers. - -Alternatively, if you want smbd to automatically determine the -list of Domain controllers to use for authentication, you may set this line to be : - -tt(password server = *) - -This method, which is new in Samba 2.0.6 and above, allows Samba -to use exactly the same mechanism that NT does. This method either broadcasts or -uses a WINS database in order to find domain controllers to -authenticate against. - -Finally, restart your Samba daemons and get ready for clients to begin -using domain security! - - -center(Why is this better than security = server?) 
-center(------------------------------------------) - -Currently, domain security in Samba doesn't free you from having to -create local Unix users to represent the users attaching to your -server. This means that if domain user tt(DOM\fred) attaches to your -domain security Samba server, there needs to be a local Unix user fred -to represent that user in the Unix filesystem. This is very similar to -the older Samba security mode url(bf("security=server"))(smb.conf.5.html#securityequalserver), where Samba would pass -through the authentication request to a Windows NT server in the same -way as a Windows 95 or Windows 98 server would. - -The advantage to domain-level security is that the authentication in -domain-level security is passed down the authenticated RPC channel in -exactly the same way that an NT server would do it. This means Samba -servers now participate in domain trust relationships in exactly the -same way NT servers do (i.e., you can add Samba servers into a -resource domain and have the authentication passed on from a resource -domain PDC to an account domain PDC. - -In addition, with url(bf("security=server"))(smb.conf.5.html#securityequalserver) every Samba daemon on a -server has to keep a connection open to the authenticating server for -as long as that daemon lasts. This can drain the connection resources -on a Microsoft NT server and cause it to run out of available -connections. With url(bf("security =domain"))(smb.conf.5.html#securityequaldomain), however, the Samba -daemons connect to the PDC/BDC only for as long as is necessary to -authenticate the user, and then drop the connection, thus conserving -PDC connection resources. - -And finally, acting in the same manner as an NT server authenticating -to a PDC means that as part of the authentication reply, the Samba -server gets the user identification information such as the user SID, -the list of NT groups the user belongs to, etc. 
All this information -will allow Samba to be extended in the future into a mode the -developers currently call appliance mode. In this mode, no local Unix -users will be necessary, and Samba will generate Unix uids and gids -from the information passed back from the PDC when a user is -authenticated, making a Samba server truly plug and play in an NT -domain environment. Watch for this code soon. - -em(NOTE:) Much of the text of this document was first published in the -Web magazine url(bf("LinuxWorld"))(http://www.linuxworld.com) as the article url(bf("Doing the NIS/NT Samba"))(http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html). diff --git a/docs/yodldocs/NT_Security.yo b/docs/yodldocs/NT_Security.yo deleted file mode 100644 index ab9f29f0dd..0000000000 --- a/docs/yodldocs/NT_Security.yo +++ /dev/null 
@@ -1,292 +0,0 @@ -mailto(samba@samba.org) - -article(Viewing and changing UNIX permissions using the NT security dialogs in Samba 2.0.4)(Jeremy Allison, Samba Team)(12th April 1999) - -center(bf(Viewing and changing UNIX permissions using the NT security dialogs))nl() -center(bf(-------------------------------------------------------------------)) - -New in the bf(Samba 2.0.4) release is the -ability for Windows NT clients to use their native security -settings dialog box to view and modify the underlying UNIX -permissions. - -Note that this ability is careful not to compromise the security -of the UNIX host Samba is running on, and still obeys all the -file permission rules that a Samba administrator can set. - -In Samba 2.0.4 and above the default value of the parameter -url(bf("nt acl support"))(smb.conf.5.html#ntaclsupport) has been -changed from "false" to "true", so manipulation of permissions is -turned on by default. - -bf(How to view file security on a Samba share)nl() -bf(------------------------------------------) - -From an NT 4.0 client, single-click with the right mouse button on -any file or directory in a Samba mounted drive letter or UNC path. -When the menu pops-up, click on the tt(Properties) entry at the -bottom of the menu. This brings up the normal file properties dialog -box, but with Samba 2.0.4 this will have a new tab along the top -marked tt(Security). Click on this tab and you will see three buttons, -em(Permissions), em(Auditing), and em(Ownership). The em(Auditing) -button will cause either an error message tt("A requested privilege is -not held by the client") to appear if the user is not the NT Administrator, -or a dialog which is intended to allow an Administrator to add -auditing requirements to a file if the user is logged on as the -NT Administrator. This dialog is non-functional with a Samba -share at this time, as the only useful button, the tt(Add) button -will not currently allow a list of users to be seen. 
- -bf(Viewing file ownership)nl() -bf(----------------------) - -Clicking on the tt("Ownership") button brings up a dialog box telling -you who owns the given file. The owner name will be of the form : - -tt("SERVER\user (Long name)") - -Where tt(SERVER) is the NetBIOS name of the Samba server, tt(user) -is the user name of the UNIX user who owns the file, and tt((Long name)) -is the discriptive string identifying the user (normally found in the -GECOS field of the UNIX password database). Click on the tt(Close) -button to remove this dialog. - -If the parameter url(bf("nt acl support"))(smb.conf.5.html#ntaclsupport) -is set to "false" then the file owner will be shown as the NT user -tt("Everyone"). - -The tt(Take Ownership) button will not allow you to change the -ownership of this file to yourself (clicking on it will display a -dialog box complaining that the user you are currently logged onto -the NT client cannot be found). The reason for this is that changing -the ownership of a file is a privilaged operation in UNIX, available -only to the em(root) user. As clicking on this button causes NT to -attempt to change the ownership of a file to the current user logged -into the NT client this will not work with Samba at this time. - -There is an NT chown command that will work with Samba and allow -a user with Administrator privillage connected to a Samba 2.0.4 -server as root to change the ownership of files on both a local NTFS -filesystem or remote mounted NTFS or Samba drive. This is available -as part of the bf(Seclib) NT security library written by Jeremy -Allison of the Samba Team, available from the main Samba ftp site. - -bf(Viewing file or directory permissions)nl() -bf(-------------------------------------) - -The third button is the tt("Permissions") button. Clicking on this -brings up a dialog box that shows both the permissions and the UNIX -owner of the file or directory. 
The owner is displayed in the form : - -tt("SERVER\user (Long name)") - -Where tt(SERVER) is the NetBIOS name of the Samba server, tt(user) -is the user name of the UNIX user who owns the file, and tt((Long name)) -is the discriptive string identifying the user (normally found in the -GECOS field of the UNIX password database). - -If the parameter url(bf("nt acl support"))(smb.conf.5.html#ntaclsupport) -is set to "false" then the file owner will be shown as the NT user -tt("Everyone") and the permissions will be shown as NT tt("Full Control"). - -The permissions field is displayed differently for files and directories, -so I'll describe the way file permissions are displayed first. - -bf(File Permissions)nl() -bf(----------------) - -The standard UNIX user/group/world triple and the correspinding -"read", "write", "execute" permissions triples are mapped by Samba -into a three element NT ACL with the 'r', 'w', and 'x' bits mapped -into the corresponding NT permissions. The UNIX world permissions are mapped -into the global NT group tt(Everyone), followed by the list of permissions -allowed for UNIX world. The UNIX owner and group permissions -are displayed as an NT tt(user) icon and an NT tt(local group) icon -respectively followed by the list of permissions allowed for the -UNIX user and group. - -As many UNIX permission sets don't map into common NT names such as -tt("read"), tt("change") or tt("full control") then usually the permissions -will be prefixed by the words tt("Special Access") in the NT display -list. - -But what happens if the file has no permissions allowed for a -particular UNIX user group or world component ? In order to -allow "no permissions" to be seen and modified then Samba overloads -the NT tt("Take Ownership") ACL attribute (which has no meaning in -UNIX) and reports a component with no permissions as having the NT -tt("O") bit set. This was chosen of course to make it look like a -zero, meaning zero permissions. 
More details on the decision behind -this will be given below. - -bf(Directory Permissions)nl() -bf(---------------------) - -Directories on an NT NTFS file system have two different sets of -permissions. The first set of permissions is the ACL set on the -directory itself, this is usually displayed in the first set of -parentheses in the normal tt("RW") NT style. This first set of -permissions is created by Samba in exactly the same way as normal -file permissions are, described above, and is displayed in the -same way. - -The second set of directory permissions has no real meaning in the -UNIX permissions world and represents the tt("inherited") permissions -that any file created within this directory would inherit. - -Samba synthesises these inherited permissions for NT by returning as -an NT ACL the UNIX permission mode that a new file created by Samba -on this share would receive. - -bf(Modifying file or directory permissions)nl() -bf(---------------------------------------) - -Modifying file and directory permissions is as simple as changing -the displayed permissions in the dialog box, and clicking the tt(OK) -button. However, there are limitations that a user needs to be aware -of, and also interactions with the standard Samba permission masks -and mapping of DOS attributes that need to also be taken into account. - -If the parameter url(bf("nt acl support"))(smb.conf.5.html#ntaclsupport) -is set to "false" then any attempt to set security permissions will -fail with an tt("Access Denied") message. - -The first thing to note is that the tt("Add") button will not return -a list of users in Samba 2.0.4 (it will give an error message of -tt("The remote proceedure call failed and did not execute")). This -means that you can only manipulate the current user/group/world -permissions listed in the dialog box. This actually works quite well -as these are the only permissions that UNIX actually has. 
- -If a permission triple (either user, group, or world) is removed from -the list of permissions in the NT dialog box, then when the tt("OK") -button is pressed it will be applied as "no permissions" on the UNIX -side. If you then view the permissions again the "no permissions" entry -will appear as the NT tt("O") flag, as described above. This allows you -to add permissions back to a file or directory once you have removed -them from a triple component. - -As UNIX supports only the "r", "w" and "x" bits of an NT ACL -then if other NT security attributes such as "Delete access" -are selected then they will be ignored when applied on the -Samba server. - -When setting permissions on a directory the second set of permissions -(in the second set of parentheses) is by default applied to all -files within that directory. If this is not what you want you -must uncheck the tt("Replace permissions on existing files") checkbox -in the NT dialog before clicking tt("OK"). - -If you wish to remove all permissions from a user/group/world -component then you may either highlight the component and click -the tt("Remove") button, or set the component to only have the special -tt("Take Ownership") permission (dsplayed as tt("O")) highlighted. - -bf(Interaction with the standard Samba create mask parameters)nl() -bf(----------------------------------------------------------) - -Note that with Samba 2.0.5 there are four new parameters to -control this interaction. - -These are : - -tt(security mask) -tt(force security mode) -tt(directory security mask) -tt(force directory security mode) - -Once a user clicks tt("OK") to apply the permissions Samba maps -the given permissions into a user/group/world r/w/x triple set, -and then will check the changed permissions for a file against -the bits set in the url(bf("security mask"))(smb.conf.5.html#securitymask) -parameter. Any bits that were changed that are not set to '1' -in this parameter are left alone in the file permissions. 
- -Essentially, zero bits in the url(bf("security mask"))(smb.conf.5.html#securitymask) -mask may be treated as a set of bits the user is em(not) allowed to change, -and one bits are those the user is allowed to change. - -If not set explicitly this parameter is set to the same value as the -url(bf("create mask"))(smb.conf.5.html#createmask) parameter to provide compatibility -with Samba 2.0.4 where this permission change facility was introduced. -To allow a user to modify all the user/group/world permissions on a file, -set this parameter to 0777. - -Next Samba checks the changed permissions for a file against the -bits set in the url(bf("force security mode"))(smb.conf.5.html#forcesecuritymode) -parameter. Any bits that were changed that correspond to bits set -to '1' in this parameter are forced to be set. - -Essentially, bits set in the url(bf("force security mode"))(smb.conf.5.html#forcesecuritymode) -parameter may be treated as a set of bits that, when modifying security on a file, the -user has always set to be 'on'. - -If not set explicitly this parameter is set to the same value as the -url(bf("force create mode"))(smb.conf.5.html#forcecreatemode) parameter to provide compatibility -with Samba 2.0.4 where the permission change facility was introduced. -To allow a user to modify all the user/group/world permissions on a file, -with no restrictions set this parameter to 000. - -The url(bf("security mask"))(smb.conf.5.html#securitymask) and -url(bf("force security mode"))(smb.conf.5.html#forcesecuritymode) parameters -are applied to the change request in that order. 
- -For a directory Samba will perform the same operations as described above -for a file except using the parameter url(bf("directory security mask"))(smb.conf.5.html#directorysecuritymask) -instead of url(bf("security mask"))(smb.conf.5.html#securitymask), and -url(bf("force directory security mode"))(smb.conf.5.html#forcedirectorysecuritymode) parameter instead -of url(bf("force security mode"))(smb.conf.5.html#forcesecuritymode). - -The url(bf("directory security mask"))(smb.conf.5.html#directorysecuritymask) -parameter by default is set to the same value as the url(bf("directory mask"))(smb.conf.5.html#directorymask) -parameter and the url(bf("force directory security mode"))(smb.conf.5.html#forcedirectorysecuritymode) -parameter by default is set to the same value as the -iurl(bf("force directory mode"))(smb.conf.5.html#forcedirectorymode) parameter -to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. - -In this way Samba enforces the permission restrictions that an administrator -can set on a Samba share, whilst still allowing users to modify the -permission bits within that restriction. - -If you want to set up a share that allows users full control -in modifying the permission bits on their files and directories and -doesn't force any particular bits to be set 'on', then set the following -parameters in the url(bf(smb.conf.5))(smb.conf.5.html) file in -that share specific section : - -tt(security mask = 0777) -tt(force security mode = 0) -tt(directory security mask = 0777) -tt(force directory security mode = 0) - -As described, in Samba 2.0.4 the parameters : - -tt(create mask) -tt(force create mode) -tt(directory mask) -tt(force directory mode) - -were used instead of the parameters discussed here. 
- -bf(Interaction with the standard Samba file attribute mapping)nl() -bf(----------------------------------------------------------) - -Samba maps some of the DOS attribute bits (such as "read only") -into the UNIX permissions of a file. This means there can be a -conflict between the permission bits set via the security dialog -and the permission bits set by the file attribute mapping. - -One way this can show up is if a file has no UNIX read access -for the owner it will show up as "read only" in the standard -file attributes tabbed dialog. Unfortunately this dialog is -the same one that contains the security info in another tab. - -What this can mean is that if the owner changes the permissions -to allow themselves read access using the security dialog, clicks -tt("OK") to get back to the standard attributes tab dialog, and -then clicks tt("OK") on that dialog, then NT will set the file -permissions back to read-only (as that is what the attributes -still say in the dialog). This means that after setting permissions -and clicking tt("OK") to get back to the attributes dialog you -should always hit tt("Cancel") rather than tt("OK") to ensure -that your changes are not overridden. diff --git a/docs/yodldocs/findsmb.1.yo b/docs/yodldocs/findsmb.1.yo deleted file mode 100644 index 2eed8fd26c..0000000000 --- a/docs/yodldocs/findsmb.1.yo +++ /dev/null 
@@ -1,100 +0,0 @@ -mailto(samba@samba.org) - -manpage(findsmb htmlcommand((1)))(1)(2 May 2000)(Samba)(SAMBA) - -label(NAME) -manpagename(findsmb)(list info about machines that respond to SMB name queries on a subnet) - -label(SYNOPSIS) -manpagesynopsis() - -bf(findsmb) [link(subnet broadcast address)(subnetbroadcastaddress)] - -label(DESCRIPTION) -manpagedescription() - -This perl script is part of the bf(Samba) suite. - -bf(findsmb) is a perl script that prints out several pieces -of information about machines on a subnet that respond to SMB -name query requests. -It uses url(bf(nmblookup))(nmblookup.1.html) and -url(bf(smbclient))(smbclient.1.html) to obtain this information. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(subnetbroadcastaddress) -dit(bf(subnet broadcast address)) Without this option, bf(findsmb) -will probe the subnet of the machine where bf(findsmb) is run. -This value is passed to bf(nmblookup) as part of the bf(-B) -option - -enddit() - -label(EXAMPLES) -manpagesection(EXAMPLES) - -The output of bf(findsmb) lists the following information for all -machines that respond to the initial bf(nmblookup) for any name: -IP address, NetBIOS name, Workgroup name, operating system, and -SMB server version. - -There will be a "+" in front of the workgroup name for machines that are -local master browsers for that workgroup. There will be an "*" in front -of the workgroup name for machines that are the domain master browser for -that workgroup. Machines that are running Windows, Windows 95 or Windows 98 -will not show any information about the operating system or server version. - -The command must be run on a system without -bf(nmbd) running. If bf(nmbd) is running on the system, you will only -get the IP address and the DNS name of the machine. To get proper responses -from Windows 95 and Windows 98 machines, the command must be run as root. 
- -For example running: - -tt(findsmb) - -on a machine without bf(nmbd) running would yield output similar -to the following - -verb( -IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION ---------------------------------------------------------------------- -192.168.35.10 MINESET-TEST1 [DMVENGR] -192.168.35.55 LINUXBOX *[MYGROUP] [Unix] [Samba 2.0.6] -192.168.35.56 HERBNT2 [HERB-NT] -192.168.35.63 GANDALF [MVENGR] [Unix] [Samba 2.0.5a for IRIX] -192.168.35.65 SAUNA [WORKGROUP] [Unix] [Samba 1.9.18p10] -192.168.35.71 FROGSTAR [ENGR] [Unix] [Samba 2.0.0 for IRIX] -192.168.35.78 HERBDHCP1 +[HERB] -192.168.35.88 SCNT2 +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0] -192.168.35.93 FROGSTAR-PC [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager] -192.168.35.97 HERBNT1 *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0] -) - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(nmblookup (1)))(nmblookup.1.html), url(bf(smbclient (1)))(smbclient.1.html) - -label(AUTHOR) -manpageauthor() - -This perl script was developed by Herb Lewis of SGI. - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/lmhosts.5.yo b/docs/yodldocs/lmhosts.5.yo deleted file mode 100644 index e78ce508b0..0000000000 --- a/docs/yodldocs/lmhosts.5.yo +++ /dev/null 
@@ -1,94 +0,0 @@ -mailto(samba@samba.org) - -manpage(lmhosts htmlcommand((5)))(5)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(lmhosts)(The Samba NetBIOS hosts file) - -label(SYNOPSIS) -manpagesynopsis() - -lmhosts is the bf(Samba) NetBIOS name to IP address mapping file. - -label(DESCRIPTION) -manpagedescription() - -This file is part of the bf(Samba) suite. - -bf(lmhosts) is the bf(Samba) NetBIOS name to IP address mapping file. It -is very similar to the bf(/etc/hosts) file format, except that the -hostname component must correspond to the NetBIOS naming format. - -label(FILEFORMAT) -manpagesection(FILE FORMAT) - -It is an ASCII file containing one line for NetBIOS name. The two -fields on each line are separated from each other by white space. Any -entry beginning with # is ignored. Each line in the lmhosts file -contains the following information : - -startit() - -it() bf(IP Address) - in dotted decimal format. - -it() bf(NetBIOS Name) - This name format is a maximum fifteen -character host name, with an optional trailing tt('#') character -followed by the NetBIOS name type as two hexadecimal digits. - -If the trailing tt('#') is omitted then the given IP address will be -returned for all names that match the given name, whatever the NetBIOS -name type in the lookup. - -endit() - -An example follows : - -# nl() -# Sample Samba lmhosts file. nl() -# nl() -192.9.200.1 TESTPC nl() -192.9.200.20 NTSERVER#20 nl() -192.9.200.21 SAMBASERVER nl() - -Contains three IP to NetBIOS name mappings. The first and third will -be returned for any queries for the names tt("TESTPC") and -tt("SAMBASERVER") respectively, whatever the type component of the -NetBIOS name requested. - -The second mapping will be returned only when the tt("0x20") name type -for a name tt("NTSERVER") is queried. Any other name type will not be -resolved. - -The default location of the bf(lmhosts) file is in the same directory -as the url(bf(smb.conf))(smb.conf.html) file. 
- -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smb.conf (5)))(smb.conf.5.html#nameresolveorder), -url(bf(smbclient (1)))(smbclient.1.html#minusR), -url(bf(smbpasswd (8)))(smbpasswd.8.html#minusR), url(bf(samba (7)))(samba.7.html). - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/make_smbcodepage.1.yo b/docs/yodldocs/make_smbcodepage.1.yo deleted file mode 100644 index 8919153020..0000000000 --- a/docs/yodldocs/make_smbcodepage.1.yo +++ /dev/null 
@@ -1,155 +0,0 @@ -mailto(samba@samba.org) - -manpage(make_smbcodepage htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(make_codepage)(Construct a codepage file for Samba) - -label(SYNOPSIS) -manpagesynopsis() - -bf(make_smbcodepage) [link(c|d)(cord)] link(codepage)(codepage) link(inputfile)(inputfile) link(outputfile)(outputfile) - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(make_smbcodepage) compiles or de-compiles codepage files for use -with the internationalization features of Samba 2.0 - -label(OPTIONS) -manpageoptions() - -startdit() - -label(cord) -dit(c|d) This tells bf(make_smbcodepage) if it is compiling (bf(c)) a text -format code page file to binary, or (bf(d)) de-compiling a binary codepage -file to text. - -label(codepage) -dit(codepage) This is the codepage we are processing (a number, e.g. 850). - -label(inputfile) -dit(inputfile) This is the input file to process. In the 'bf(c)' case this -will be a text codepage definition file such as the ones found in the -Samba em(source/codepages) directory. In the 'bf(d)' case this will be the -binary format codepage definition file normally found in the -em(lib/codepages) directory in the Samba install directory path. - -label(outputfile) -dit(outputfile) This is the output file to produce. - -endit() - -label(SambaCodepageFiles) -manpagesection(Samba Codepage Files) - -A text Samba codepage definition file is a description that tells -Samba how to map from upper to lower case for characters greater than -ascii 127 in the specified DOS code page. Note that for certain DOS -codepages (437 for example) mapping from lower to upper case may be -non-symmetrical. For example, in code page 437 lower case a acute maps to -a plain upper case A when going from lower to upper case, but -plain upper case A maps to plain lower case a when lower casing a -character. 
- -A binary Samba codepage definition file is a binary representation of -the same information, including a value that specifies what codepage -this file is describing. - -As Samba does not yet use UNICODE (current for Samba version 2.0) you -must specify the client code page that your DOS and Windows clients -are using if you wish to have case insensitivity done correctly for -your particular language. The default codepage Samba uses is 850 -(Western European). Text codepage definition sample files are -provided in the Samba distribution for codepages 437 (USA), 737 -(Greek), 850 (Western European) 852 (MS-DOS Latin 2), 861 (Icelandic), -866 (Cyrillic), 932 (Kanji SJIS), 936 (Simplified Chinese), 949 -(Hangul) and 950 (Traditional Chinese). Users are encouraged to write -text codepage definition files for their own code pages and donate -them to email(samba@samba.org). All codepage files in the -Samba em(source/codepages) directory are compiled and installed when a -em('make install') command is issued there. - -The client codepage used by the url(bf(smbd))(smbd.8.html) server is -configured using the url(bf(client code -page))(smb.conf.5.html#clientcodepage) parameter in the -url(bf(smb.conf))(smb.conf.5.html) file. - -label(FILES) -manpagefiles() - -bf(codepage_def.<codepage>) - -These are the input (text) codepage files provided in the Samba -em(source/codepages) directory. - -A text codepage definition file consists of multiple lines -containing four fields. These fields are : - -startit() - -it() bf(lower): which is the (hex) lower case character mapped on this -line. - -it() bf(upper): which is the (hex) upper case character that the lower -case character will map to. - -it() bf(map upper to lower) which is a boolean value (put either True -or False here) which tells Samba if it is to map the given upper case -character to the given lower case character when lower casing a -filename. 
- -it() bf(map lower to upper) which is a boolean value (put either True -or False here) which tells Samba if it is to map the given lower case -character to the given upper case character when upper casing a -filename. - -endit() - -bf(codepage.<codepage>) These are the output (binary) codepage files -produced and placed in the Samba destination em(lib/codepage) -directory. - -label(INSTALLATION) -manpagesection(INSTALLATION) - -The location of the server and its support files is a matter for -individual system administrators. The following are thus suggestions -only. - -It is recommended that the bf(make_smbcodepage) program be installed -under the em(/usr/local/samba) hierarchy, in a directory readable by -all, writeable only by root. The program itself should be executable -by all. The program should NOT be setuid or setgid! - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smb.conf(5)))(smb.conf.5.html), url(bf(smbd (8)))(smbd.8.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/nmbd.8.yo b/docs/yodldocs/nmbd.8.yo deleted file mode 100644 index c9031c0e6a..0000000000 --- a/docs/yodldocs/nmbd.8.yo +++ /dev/null 
@@ -1,232 +0,0 @@ -mailto(samba@samba.org) - -manpage(nmbd)(8)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(nmbd)(NetBIOS name server to provide NetBIOS over IP -naming services to clients) - -label(SYNOPSIS) -manpagesynopsis() - -bf(nmbd) [link(-D)(minusD)] [link(-a)(minusa)] [link(-o)(minuso)] [link(-h)(minush)] [link(-V)(minusV)] [link(-H lmhosts file)(minusH)] [link(-d debuglevel)(minusd)] [link(-l log file basename)(minusl)] [link(-n primary NetBIOS name)(minusn)] [link(-p port number)(minusp)] [link(-s configuration file)(minuss)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(nmbd) is a server that understands and can reply to NetBIOS over IP -name service requests, like those produced by SMBD/CIFS clients such -as Windows 95/98, Windows NT and LanManager clients. It also -participates in the browsing protocols which make up the Windows -"Network Neighborhood" view. - -SMB/CIFS clients, when they start up, may wish to locate an SMB/CIFS -server. That is, they wish to know what IP number a specified host is -using. - -Amongst other services, bf(nmbd) will listen for such requests, -and if its own NetBIOS name is specified it will respond with the IP -number of the host it is running on. Its "own NetBIOS name" is by -default the primary DNS name of the host it is running on, but this -can be overridden with the bf(-n) option (see link(OPTIONS)(OPTIONS) below). Thus -bf(nmbd) will reply to broadcast queries for its own name(s). Additional -names for bf(nmbd) to respond on can be set via parameters in the -url(bf(smb.conf(5)))(smb.conf.5.html) configuration file. - -bf(nmbd) can also be used as a WINS (Windows Internet Name Server) -server. What this basically means is that it will act as a WINS -database server, creating a database from name registration requests -that it receives and replying to queries from clients for these names. 
- -In addition, bf(nmbd) can act as a WINS proxy, relaying broadcast queries -from clients that do not understand how to talk the WINS protocol to a -WIN server. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minusD) -dit(bf(-D)) If specified, this parameter causes bf(nmbd) to operate -as a daemon. That is, it detaches itself and runs in the background, -fielding requests on the appropriate port. By default, bf(nmbd) will -NOT operate as a daemon. nmbd can also be operated from the inetd -meta-daemon, although this is not recommended. - -label(minusa) -dit(bf(-a)) If this parameter is specified, each new connection will -append log messages to the log file. This is the default. - -label(minuso) -dit(bf(-o)) If this parameter is specified, the log files will be -overwritten when opened. By default, the log files will be appended -to. - -label(minush) -dit(bf(-h)) Prints the help information (usage) for bf(nmbd). - -label(minusV) -dit(bf(-V)) Prints the version number for bf(nmbd). - -label(minusH) -dit(bf(-H filename)) NetBIOS lmhosts file. - -The lmhosts file is a list of NetBIOS names to IP addresses that is -loaded by the nmbd server and used via the name resolution mechanism -url(bf(name resolve order))(smb.conf.5.html#nameresolveorder) described in -url(bf(smb.conf (5)))(smb.conf.5.html) to resolve any -NetBIOS name queries needed by the server. Note that the contents of -this file are em(NOT) used by bf(nmbd) to answer any name queries. Adding -a line to this file affects name NetBIOS resolution from this host -em(ONLY). - -The default path to this file is compiled into Samba as part of the -build process. Common defaults are em(/usr/local/samba/lib/lmhosts), -em(/usr/samba/lib/lmhosts) or em(/etc/lmhosts). See the -url(bf(lmhosts (5)))(lmhosts.5.html) man page for details on the contents of this file. - -label(minusd) -dit(bf(-d debuglevel)) debuglevel is an integer from 0 to 10. - -The default value if this parameter is not specified is zero. 
- -The higher this value, the more detail will be logged to the log files -about the activities of the server. At level 0, only critical errors -and serious warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of information about -operations carried out. - -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. - -Note that specifying this parameter here will override the url(bf(log -level))(smb.conf.5.html#loglevel) parameter in the url(bf(smb.conf -(5)))(smb.conf.5.html) file. - -label(minusl) -dit(bf(-l logfile)) The bf(-l) parameter specifies a path and base -filename into which operational data from the running nmbd server will -be logged. The actual log file name is generated by appending the -extension ".nmb" to the specified base name. For example, if the name -specified was "log" then the file log.nmb would contain the debugging -data. - -The default log file path is compiled into Samba as part of the -build process. Common defaults are em(/usr/local/samba/var/log.nmb), -em(/usr/samba/var/log.nmb) or em(/var/log/log.nmb). - -label(minusn) -dit(bf(-n primary NetBIOS name)) This option allows you to override -the NetBIOS name that Samba uses for itself. This is identical to -setting the url(bf(NetBIOS name))(smb.conf.5.html#netbiosname) parameter -in the url(bf(smb.conf))(smb.conf.5.html) file -but will override the setting in the url(bf(smb.conf))(smb.conf.5.html) file. - -label(minusp) -dit(bf(-p UDP port number)) UDP port number is a positive integer value. - -This option changes the default UDP port number (normally 137) that -bf(nmbd) responds to name queries on. Don't use this option unless you are -an expert, in which case you won't need help! 
- -label(minuss) -dit(bf(-s configuration file)) The default configuration file name is -set at build time, typically as em(/usr/local/samba/lib/smb.conf), but -this may be changed when Samba is autoconfigured. - -The file specified contains the configuration details required by the -server. See url(bf(smb.conf (5)))(smb.conf.5.html) for more information. - -endit() - -label(FILES) -manpagefiles() - -bf(/etc/inetd.conf) - -If the server is to be run by the inetd meta-daemon, this file must -contain suitable startup information for the meta-daemon. - -bf(/etc/rc) - -(or whatever initialization script your system uses). - -If running the server as a daemon at startup, this file will need to -contain an appropriate startup sequence for the server. - -bf(/usr/local/samba/lib/smb.conf) - -This is the default location of the -url(bf(smb.conf))(smb.conf.5.html) server configuration -file. Other common places that systems install this file are -em(/usr/samba/lib/smb.conf) and em(/etc/smb.conf). - -When run as a bf(WINS) server (see the url(bf(wins support))(smb.conf.5.html#winssupport) -parameter in the url(bf(smb.conf (5)))(smb.conf.5.html) man page), bf(nmbd) will -store the WINS database in the file tt(wins.dat) in the tt(var/locks) directory -configured under wherever Samba was configured to install itself. - -If bf(nmbd) is acting as a bf(browse master) (see the url(bf(local master))(smb.conf.5.html#localmaster) -parameter in the url(bf(smb.conf (5)))(smb.conf.5.html) man page), bf(nmbd) will -store the browsing database in the file tt(browse.dat) in the tt(var/locks) directory -configured under wherever Samba was configured to install itself. - -label(SIGNALS) -manpagesection(SIGNALS) - -To shut down an bf(nmbd) process it is recommended that SIGKILL (-9) -em(NOT) be used, except as a last resort, as this may leave the name -database in an inconsistent state. 
The correct way to terminate -bf(nmbd) is to send it a SIGTERM (-15) signal and wait for it to die on -its own. - -bf(nmbd) will accept SIGHUP, which will cause it to dump out it's -namelists into the file tt(namelist.debug) in the -em(/usr/local/samba/var/locks) directory (or the em(var/locks) -directory configured under wherever Samba was configured to install -itself). This will also cause bf(nmbd) to dump out it's server database in -the log.nmb file. In addition, the debug log level of nmbd may be raised -by sending it a SIGUSR1 (tt(kill -USR1 <nmbd-pid>)) and lowered by sending it a -SIGUSR2 (tt(kill -USR2 <nmbd-pid>)). This is to allow transient -problems to be diagnosed, whilst still running at a normally low log -level. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -bf(inetd (8)), url(bf(smbd (8)))(smbd.8.html), url(bf(smb.conf -(5)))(smb.conf.5.html), url(bf(smbclient (1)))(smbclient.1.html), -url(bf(testparm (1)))(testparm.1.html), url(bf(testprns -(1)))(testprns.1.html), and the Internet RFC's bf(rfc1001.txt), -bf(rfc1002.txt). In addition the CIFS (formerly SMB) specification is -available as a link from the Web page : -url(http://samba.org/cifs/)(http://samba.org/cifs/). - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). 
- -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/nmblookup.1.yo b/docs/yodldocs/nmblookup.1.yo deleted file mode 100644 index f05cf3ea11..0000000000 --- a/docs/yodldocs/nmblookup.1.yo +++ /dev/null 
@@ -1,167 +0,0 @@ -mailto(samba@samba.org) - -manpage(nmblookup htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(nmblookup)(NetBIOS over TCP/IP client used to lookup NetBIOS names) - -label(SYNOPSIS) -manpagesynopsis() - -bf(nmblookup) [link(-M)(minusM)] [link(-R)(minusR)] [link(-S)(minusS)] [link(-r)(minusr)] [link(-A)(minusA)] [link(-h)(minush)] [link(-B broadcast address)(minusB)] [link(-U unicast address)(minusU)] [link(-d debuglevel)(minusd)] [link(-s smb config file)(minuss)] [link(-i NetBIOS scope)(minusi)] [link(-T)(minusT)] link(name)(name) - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(nmblookup) is used to query NetBIOS names and map them to IP -addresses in a network using NetBIOS over TCP/IP queries. The options -allow the name queries to be directed at a particular IP broadcast area -or to a particular machine. All queries are done over UDP. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minusM) -dit(bf(-M)) Searches for a master browser by looking up the -NetBIOS name link(bf(name))(name) with a type of 0x1d. If link(bf(name))(name) -is tt("-") then it does a lookup on the special name tt(__MSBROWSE__). - -label(minusR) -dit(bf(-R)) Set the recursion desired bit in the packet to do a -recursive lookup. This is used when sending a name query to a machine -running a WINS server and the user wishes to query the names in the -WINS server. If this bit is unset the normal (broadcast responding) -NetBIOS processing code on a machine is used instead. See rfc1001, -rfc1002 for details. - -label(minusS) -dit(bf(-S)) Once the name query has returned an IP address then do a -node status query as well. A node status query returns the NetBIOS names -registered by a host. - -label(minusr) -dit(bf(-r)) Try and bind to UDP port 137 to send and receive UDP -datagrams. 
The reason for this option is a bug in Windows 95 where it -ignores the source port of the requesting packet and only replies to -UDP port 137. Unfortunately, on most UNIX systems root privilage is -needed to bind to this port, and in addition, if the -url(bf(nmbd))(nmbd.8.html) daemon is running on this machine it also -binds to this port. - -label(minusA) -dit(bf(-A)) Interpret <name> as an IP Address and do a node status -query on this address. - -label(minush) -dit(bf(-h)) Print a help (usage) message. - -label(minusB) -dit(bf(-B broadcast address)) Send the query to the given broadcast -address. Without this option the default behavior of nmblookup is to -send the query to the broadcast address of the network -interfaces as either auto-detected or defined in the -url(bf(interfaces))(smb.conf.5.html#interfaces) parameter of the -url(bf(smb.conf (5)))(smb.conf.5.html) file. - -label(minusU) -dit(bf(-U unicast address)) Do a unicast query to the specified -address or host tt("unicast address"). This option (along with the -link(bf(-R))(minusR) option) is needed to query a WINS server. - -label(minusd) -dit(bf(-d debuglevel)) debuglevel is an integer from 0 to 10. - -The default value if this parameter is not specified is zero. - -The higher this value, the more detail will be logged about the -activities of bf(nmblookup). At level 0, only critical errors and -serious warnings will be logged. - -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of -data, most of which is extremely cryptic. - -Note that specifying this parameter here will override the url(bf(log -level))(smb.conf.5.html#loglevel) parameter in the url(bf(smb.conf -(5)))(smb.conf.5.html) file. - -label(minuss) -dit(bf(-s smb.conf)) This parameter specifies the pathname to the -Samba configuration file, url(bf(smb.conf))(smb.conf.5.html). 
-This file controls all aspects of -the Samba setup on the machine. - -label(minusi) -dit(bf(-i scope)) This specifies a NetBIOS scope that bf(nmblookup) will use -to communicate with when generating NetBIOS names. For details on the -use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes -are em(very) rarely used, only set this parameter if you are the -system administrator in charge of all the NetBIOS systems you -communicate with. - -label(minusT) -dit(bf(-T)) This causes any IP addresses found in the lookup to be -looked up via a reverse DNS lookup into a DNS name, and printed out -before each tt("IP address NetBIOS name") pair that is the normal -output. - -label(name) -dit(bf(name)) This is the NetBIOS name being queried. Depending upon -the previous options this may be a NetBIOS name or IP address. If a -NetBIOS name then the different name types may be specified by -appending tt(#<type>) to the name. This name may also be tt("*"), -which will return all registered names within a broadcast area. - -enddit() - -label(EXAMPLES) -manpagesection(EXAMPLES) - -bf(nmblookup) can be used to query a WINS server (in the same way -bf(nslookup) is used to query DNS servers). To query a WINS server, -bf(nmblookup) must be called like this: - -tt(nmblookup -U server -R 'name') - -For example, running : - -tt(nmblookup -U samba.org -R IRIX#1B') - -would query the WINS server samba.org for the domain master -browser (1B name type) for the IRIX workgroup. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(samba (7)))(samba.7.html), url(bf(nmbd (8)))(nmbd.8.html), -url(bf(smb.conf (5)))(smb.conf.5.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). 
Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. - diff --git a/docs/yodldocs/rpcclient.8.yo b/docs/yodldocs/rpcclient.8.yo deleted file mode 100644 index 52d29cc52f..0000000000 --- a/docs/yodldocs/rpcclient.8.yo +++ /dev/null 
@@ -1,263 +0,0 @@ -mailto(samba-bugs@samba.org) -manpage(RPCCLIENT)(8)(August 27, 2000)(Samba)(SAMBA) -label(NAME) -manpagename(rpcclient)(developer's tool to testing client side MS-RPC functions) -label(SYNOPSIS) -manpagesynopsis() -dit(bf(rpcclient)) [link(-d debuglevel)(minusd)] [link(-S server)(minusS)] [link(-l logbasename)(minusl)] [link(-n netbios name)(minusn)] [link(-N)(minusN)] -[link(-m maxprotocol)(minusl)] [link(-I destIP)(minusI)] [link(-E)(minusE)] [link(-U username)(minusU)] [link(-W workgroup)(minusW)] [link(-c `command string`)(minusc)] -[link(-t terminalcode)(minust)] [link(-i scope)(minusi)] [link(-O socket options)(minusO)] -[link(-s smb.conf)(minuss)] -label(DESCRIPTION) -manpagedescription() -dit(bf(rpcclient)) -is a utility for developers for executing various MS-RPC functions. It's -primary use is for testing Samba's own MS-RPC server implementation, however -many administrators have written scripts around it to manage Windows NT clients -from their UNIX workstation. -label(OPTIONS) -manpageoptions() - -startdit() - -label(minusd) -dit(bf(-d debuglevel)) -set the debuglevel. Debug level 0 is the lowest and 100 being the -highest. This should be set to 100 if you are planning on -submitting a bug report to the Samba team (see BUGS.txt). - -label(minusS) -dit(bf(-S server)) -NetBIOS name of Server to which you wish to connect. The server can be -any SMB/CIFS server. The name is resolved using either the "name resolve -order = " line or by using the bf(-R) option. - -label(minusl) -dit(bf(-l logbasename)) -File name for log/debug files. .client will be -appended. The log file is never removed by the client. - -label(minusn) -dit(bf(-n netbios name)) -NetBIOS name of the local machine. This option -is only needed if your Samba client cannot find -it automatically. Samba should use the uppercase of the machine's -hostname. - -label(minusN) -dit(bf(-N)) -tells rpcclient not to ask for a password. rpcclient will prompt -the user by default. 
- -label(minusI) -dit(bf(-I destIP)) -The IP address of the server specified with the bf(-S) -option. Only needed when the server's NetBIOS -name cannot be resolved using WINS or broadcast -and isn't found in the LMHOSTS file. - -label(minusE) -dit(bf(-E)) -causes regedit to write messages to stderr instead of stdout. - -label(minusU) -dit(bf(-U username[%pass])) -Sets the SMB username or username and password. If %pass is not -specified, The user will be prompted. The client will first check the USER -environment variable, then the LOGNAME variable and if either exist, the -string is uppercased. Anything in these variables following a % sign will be -treated as the password. If these environmental variables are not found, the -username GUEST is used. - -If the password is not included in these environment variables -(using the %pass syntax), rpcclient will look for a PASSWD environment -variable from which to read the password. - -A third option is to use a credentials file which contains -the plaintext of the username and password. This option is -mainly provided for scripts where the admin doesn't desire to -pass the credentials on the command line or via environment variables. -If this method is used, make certain that the permissions on the file -restrict access from unwanted users. See the bf(-A) for more details. - -Be cautious about including passwords in scripts or in the -tt(PASSWD) environment variable. Also, on many systems the command -line of a running process may be seen via the tt(ps) command to be -safe always allow smbclient to prompt for a password and type it in -directly. - -label(minusA) -dit(bf(-A <filename>)) This option allows you to specify a file from which -to read the username and password used in the connection. The format -of the file is - -tt(username = <value>) nl() -tt(password = <value>) nl() - -Make certain that the permissions on the file restrict access from -unwanted users. 
- -label(minusW) -dit(bf(-W domain)) -Set the SMB domain of the username. This overrides the default -domain which is the domain of the server specified with the -bt(-S) option. If the domain specified is the same as the server's -NetBIOS name, it causes the client to log on using the -server's local SAM (as opposed to the Domain SAM). - -label(minusP) -dit(bf(-P)) -operate in promptless mode. Without this mode (the default) -rpcclient displays a prompt of the form '[domain\username@host]$' - -label(minusc) -dit(bf(-c 'command string')) -execute semicolon separated commands (listed below)) - -label(minust) -dit(bf(-t terminalcode)) -This tells the Samba client how to interpret the incoming filenames, in regards -to character sets. The list here is not complete. For a complete list see your -local Samba source. Some valid options are sjis, euc, jis7, jis8, junet and hex. - -label(minusO) -dit(bf(-O socket options)) -These socket options are the same as in smb.conf (under the bt(socket options = ) -section). - -label(minuss) -dit(bf(-s smb.conf)) -Specifies the location of the all important smb.conf file. - -label(minusi) -dit(bf(-i scope)) -Defines the NetBIOS scope. For more information on NetBIOS scopes, see rfc1001 -and rfc1002. NetBIOS scopes are rarely used. - -enddit() - -label(COMMANDS) -manpagesection(COMMANDS) - -label(SPOOLSSCMD) -dit(bf(SPOOLSS Commands)) -dit(link(spoolenum)(SPOOLSSENUMPRINTERS)) -Execute an EnumPrinters call. This lists the various -installed and share printers. Refer to the MS Platform -SDK documentation for more details of the various -flags and calling options. - -dit(link(spoolenumports <level>)(SPOOLSSENUMPORTS)) -Executes an EnumPorts call using the specified info level. -Currently only info level 1 and 2 are supported. - -dit(link(spoolenumdata)(SPOOLSSENUMPRINTERDATA)) -Enumerate all printer setting data stored on the server. 
-On Windows NT clients, these values are stored -in the registry, while Samba servers store them in the printers -TDB. This command corresponds to the MS Platform SDK EnumPorts -function. - -dit(link(spooljobs <printer>)(SPOOLSSENUMJOBS)) -List the jobs and status of a given printer. This command -corresponds to the MS Platform SDK EnumJobs function. - -dit(link(spoolopen <printer>)(SPOOLSSOPENPRINTER)) -Execute an OpenPrinterEx() and ClosePrinter() -RPC against a given printer. - -dit(link(spoolgetdata)(SPOOLSSGETPRINTERDATA)) -Retrive the data for a given printer setting. See the -bf(spoolenumdata) command for more information. This command -corresponds to the GetPrinterData() MS Platform SDK function. - -dit(link(spoolgetprinter <printer>)(SPOOLSSGETPRINTER)) -Retrieve the current printer information. This command -sorresponds to the GetPrinter() MS Platform SDK function. - -dit(link(spoolgetprinterdriver <printer>)(SPOOLSGETPRINTERDRIVER)) -Retrive the printer driver information (such as driver file, -config file, dependent files, etc...) for the given printer. -This command corresponds to the GetPrinterDriver() MS Platform -SDK function. - -dit(link(spoolgetprinterdriverdir <arch>)(SPOOLSSGETPRINTERDRIVERDIR)) -Execute a GetPrinterDriverDirectory() RPC to retreive the -SMB share name and subdirectory for storing printer driver -files for a given architecture. Possible values for <arch> are -"Windows 4.0" (for Windows 95/98), "Windows NT x86", "Windows NT -PowerPC", "Windows Alpha_AXP", and "Windows NT R4000". - -dit(link(spooladdprinter <printername> <sharename> -<drivername> <port>)(SPOOLSSADDPRINTER)) -Add a printer on the remote server. This printer will be automatically -shared. Be aware that the printer driver must already be installed -on the server (see bf(addprinterdriver)) and the <port> must -be a valid port name. 
- -dit(link(spooladdprinterdriver <arch> <config>)(SPOOLSSADDPRINTERDRIVER)) -Execute an AddPrinterDriver() RPC to install the printer -driver information on the server. Note that the driver files -should already exist in the directort returned by -bf(spoolgetprinterdriverdir). Possible values for <arch> -are the same as those for the bf(spooolgetprintedriverdir) command. -The <config> parameter is defined as follows: - -dit()<Long Printer Name>:<Driver File Name>:<Data File Name>:\ - <Config File Name>:<Help File Name>:<Language Monitor Name>:\ - <Default Data Type>:<Comma Separated list of Files> - -dit()Any empty fields should be enter as the string "NULL". - -dit()Samba does not need to support the concept of Print Monitors -since these only apply to local printers whose driver can make use -of a bi-directional link for communication. This field should -be "NULL". On a remote NT print server, the Print Monitor for a driver -must already be installed prior to adding the driver or else the RPC -will fail. - -label(GENERALCMD) -dit(bf(General Commands)) -dit(link(set)(SET)) -Set miscellaneous rpcclient command line options during a running -session. - -dit(link(use)(USE)) -Connect to a rmeote SMB server. bf(rpcclient) has the ability -to maintain connections to multiple server simulaneously. - -dit(link(help)(HELP)) -Print a listing of all known commands or extended help -on a particular command. - -dit(link(quit)(QUIT)) -Exit rpcclient. - - -label(BUGS) -manpagesection(BUGS) -rpcclient is designed as a developer testing tool and may not be robust -in certain areas (such as command line parsing). It has been known to -generate a core dump upon failures when invalid parameters where -passed to the interpreter. - -From Luke Leighton's original rpcclient man page: -"WARNING! The MSRPC over SMB code has been developed from examining -Network traces. 
No documentation is available from the original creators -(Microsoft) on how MSRPC over SMB works, or how the individual MSRPC services -work. Microsoft's implementation of these services has been demonstrated -(and reported) to be... a bit flakey in places. - -The development of Samba's implementation is also a bit rough, and as more -of the services are understood, it can even result in versions of -bf(smbd(8)) and rpcclient that are incompatible for some commands or -services. Additionally, the developers are sending reports to Microsoft, -and problems found or reported to Microsoft are fixed in Service Packs, -which may result in incompatibilities." - -label(SEEALSO) -manpageseealso() -bf(samba (7)) -manpageauthor() -Samba is written by The Samba Team as Open Source. This man page was written -by Matthew Geddes, Luke Kenneth Casson, and Gerald Carter. diff --git a/docs/yodldocs/samba.7.yo b/docs/yodldocs/samba.7.yo deleted file mode 100644 index d50fa363d9..0000000000 --- a/docs/yodldocs/samba.7.yo +++ /dev/null 
@@ -1,145 +0,0 @@ -mailto(samba@samba.org) -manpage(Samba htmlcommand((7)))(7)(23 Oct 1998)(Samba)() - -label(NAME) -manpagename(Samba)(A Windows SMB/CIFS fileserver for UNIX) - -label(SYNOPSIS) -manpagesynopsis() -bf(Samba) - - -label(DESCRIPTION) -manpagedescription() - -The Samba software suite is a collection of programs that implements -the Server Message Block(commonly abbreviated as SMB) protocol for -UNIX systems. This protocol is sometimes also referred to as the -Common Internet File System (CIFS), LanManager or NetBIOS protocol. - -label(COMPONENTS) -manpagesection(COMPONENTS) - -The Samba suite is made up of several components. Each component is -described in a separate manual page. It is strongly recommended that -you read the documentation that comes with Samba and the manual pages -of those components that you use. If the manual pages aren't clear -enough then please send a patch or bug report -to email(samba@samba.org). - -startdit() - -dit(url(bf(smbd))(smbd.8.html)) nl() nl() The url(bf(smbd) -(8))(smbd.8.html) daemon provides the file and print services to SMB -clients, such as Windows 95/98, Windows NT, Windows for Workgroups or -LanManager. The configuration file for this daemon is described in -url(bf(smb.conf (5)))(smb.conf.5.html). - -dit(url(bf(nmbd))(nmbd.8.html)) nl() nl() The url(bf(nmbd) -(8))(nmbd.8.html) daemon provides NetBIOS nameserving and browsing -support. The configuration file for this daemon is described in -url(bf(smb.conf (5)))(smb.conf.5.html). - -dit(url(bf(smbclient))(smbclient.1.html)) nl() nl() The url(bf(smbclient) -(1))(smbclient.1.html) program implements a simple ftp-like -client. This is useful for accessing SMB shares on other compatible -servers (such as Windows NT), and can also be used to allow a UNIX box -to print to a printer attached to any SMB server (such as a PC running -Windows NT). 
- -dit(url(bf(testparm))(testparm.1.html)) nl() nl() The url(bf(testparm -(1)))(testparm.1.html) utility allows you to test your url(bf(smb.conf -(5)))(smb.conf.5.html) configuration file. - -dit(url(bf(testprns))(testprns.1.html)) nl() nl() the url(bf(testprns -(1)))(testprns.1.html) utility allows you to test the printers defined -in your printcap file. - -dit(url(bf(smbstatus))(smbstatus.1.html)) nl() nl() The url(bf(smbstatus) -(1))(smbstatus.1.html) utility allows you list current connections to the -url(bf(smbd (8)))(smbd.8.html) server. - -dit(url(bf(nmblookup))(nmblookup.1.html)) nl() nl() the -url(bf(nmblookup (1)))(nmblookup.1.html) utility allows NetBIOS name -queries to be made from the UNIX machine. - -dit(url(bf(make_smbcodepage))(make_smbcodepage.1.html)) nl() nl() The -url(bf(make_smbcodepage (1)))(make_smbcodepage.1.html) utility allows -you to create SMB code page definition files for your url(bf(smbd -(8)))(smbd.8.html) server. - -dit(url(bf(smbpasswd))(smbpasswd.8.html)) nl() nl() The url(bf(smbpasswd -(8)))(smbpasswd.8.html) utility allows you to change SMB encrypted -passwords on Samba and Windows NT(tm) servers. - -enddit() - -label(AVAILABILITY) -manpagesection(AVAILABILITY) - -The Samba software suite is licensed under the GNU Public License -(GPL). A copy of that license should have come with the package in the -file COPYING. You are encouraged to distribute copies of the Samba -suite, but please obey the terms of this license. - -The latest version of the Samba suite can be obtained via anonymous -ftp from samba.org in the directory pub/samba/. It is -also available on several mirror sites worldwide. - -You may also find useful information about Samba on the newsgroup -comp.protocols.smb and the Samba mailing list. Details on how to join -the mailing list are given in the README file that comes with Samba. 
- -If you have access to a WWW viewer (such as Netscape or Mosaic) then -you will also find lots of useful information, including back issues -of the Samba mailing list, at -url(http://samba.org/samba/)(http://samba.org/samba/). - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(CONTRIBUTIONS) -manpagesection(CONTRIBUTIONS) - -If you wish to contribute to the Samba project, then I suggest you -join the Samba mailing list at email(samba@samba.org). See the -Web page at url(http://lists.samba.org/)(http://lists.samba.org/) -for details on how to do this. - -If you have patches to submit or bugs to report then you may mail them -directly to email(samba@samba.org). Note, however, that due to -the enormous popularity of this package the Samba Team may take some -time to respond to mail. We prefer patches in em(diff -u) format. - -label(CREDITS) -manpagesection(CREDITS) - -Contributors to the project are now too numerous to mention here but -all deserve the thanks of all Samba users. To see a full list, look at -url(ftp://samba.org/pub/samba/alpha/change-log)(ftp://samba.org/pub/samba/alpha/change-log) -for the pre-CVS changes and at -url(ftp://samba.org/pub/samba/alpha/cvs.log)(ftp://samba.org/pub/samba/alpha/cvs.log) -for the contributors to Samba post-CVS. CVS is the Open Source source -code control system used by the Samba Team to develop Samba. The -project would have been unmanageable without it. - -In addition, several commercial organizations now help fund the Samba -Team with money and equipment. For details see the Samba Web pages at -url(http://samba.org/samba/samba-thanks.html)(http://samba.org/samba/samba-thanks.html). - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. 
- -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). diff --git a/docs/yodldocs/smb.conf.5.yo b/docs/yodldocs/smb.conf.5.yo deleted file mode 100644 index 70603d15ce..0000000000 --- a/docs/yodldocs/smb.conf.5.yo +++ /dev/null 
@@ -1,7029 +0,0 @@ -mailto(samba@samba.org) - -manpage(smb.conf htmlcommand((5)))(5)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smb.conf)(The configuration file for the Samba suite) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smb.conf) The bf(smb.conf) file is a configuration file for the -Samba suite. bf(smb.conf) contains runtime configuration information -for the Samba programs. The bf(smb.conf) file is designed to be -configured and administered by the url(bf(swat (8)))(swat.8.html) -program. The complete description of the file format and possible -parameters held within are here for reference purposes. - -label(FILEFORMAT) -manpagesection(FILE FORMAT) - -The file consists of sections and parameters. A section begins with -the name of the section in square brackets and continues until the -next section begins. Sections contain parameters of the form - -tt('name = value') - -The file is line-based - that is, each newline-terminated line -represents either a comment, a section name or a parameter. - -Section and parameter names are not case sensitive. - -Only the first equals sign in a parameter is significant. Whitespace -before or after the first equals sign is discarded. Leading, trailing -and internal whitespace in section and parameter names is -irrelevant. Leading and trailing whitespace in a parameter value is -discarded. Internal whitespace within a parameter value is retained -verbatim. - -Any line beginning with a semicolon (';') or a hash ('#') character is -ignored, as are lines containing only whitespace. - -Any line ending in a tt('\') is "continued" on the next line in the -customary UNIX fashion. - -The values following the equals sign in parameters are all either a -string (no quotes needed) or a boolean, which may be given as yes/no, -0/1 or true/false. Case is not significant in boolean values, but is -preserved in string values. Some items such as create modes are -numeric. 
- -label(SECTIONDESCRIPTIONS) -manpagesection(SECTION DESCRIPTIONS) - -Each section in the configuration file (except for the -link(bf([global]))(global) section) describes a shared resource (known -as a em("share")). The section name is the name of the shared resource -and the parameters within the section define the shares attributes. - -There are three special sections, link(bf([global]))(global), -link(bf([homes]))(homes) and link(bf([printers]))(printers), which are -described under link(bf('special sections'))(SPECIALSECTIONS). The -following notes apply to ordinary section descriptions. - -A share consists of a directory to which access is being given plus -a description of the access rights which are granted to the user of -the service. Some housekeeping options are also specifiable. - -Sections are either filespace services (used by the client as an -extension of their native file systems) or printable services (used by -the client to access print services on the host running the server). - -Sections may be designated link(bf(guest))(guestok) services, in which -case no password is required to access them. A specified UNIX -link(bf(guest account))(guestaccount) is used to define access -privileges in this case. - -Sections other than guest services will require a password to access -them. The client provides the username. As older clients only provide -passwords and not usernames, you may specify a list of usernames to -check against the password using the link(bf("user="))(user) option in -the share definition. For modern clients such as Windows 95/98 and -Windows NT, this should not be necessary. - -Note that the access rights granted by the server are masked by the -access rights granted to the specified or guest UNIX user by the host -system. The server does not grant more access than the host system -grants. - -The following sample section defines a file space share. The user has -write access to the path tt(/home/bar). 
The share is accessed via -the share name "foo": - -verb( - - [foo] - path = /home/bar - writeable = true - -) - -The following sample section defines a printable share. The share -is readonly, but printable. That is, the only write access permitted -is via calls to open, write to and close a spool file. The -link(bf('guest ok'))(guestok) parameter means access will be permitted -as the default guest user (specified elsewhere): - -verb( - [aprinter] - path = /usr/spool/public - writeable = false - printable = true - guest ok = true -) - -label(SPECIALSECTIONS) -manpagesection(SPECIAL SECTIONS) - -startdit() - -label(global) -dit(bf(The [global] section)) - -Parameters in this section apply to the server as a whole, or are -defaults for sections which do not specifically define certain -items. See the notes under link(bf('PARAMETERS'))(PARAMETERS) for more -information. - -label(homes) -dit(bf(The [homes] section)) - -If a section called tt('homes') is included in the configuration file, -services connecting clients to their home directories can be created -on the fly by the server. - -When the connection request is made, the existing sections are -scanned. If a match is found, it is used. If no match is found, the -requested section name is treated as a user name and looked up in the -local password file. If the name exists and the correct password has -been given, a share is created by cloning the [homes] section. - -Some modifications are then made to the newly created share: - -startit() - -it() The share name is changed from tt('homes') to the located -username - -it() If no path was given, the path is set to the user's home -directory. - -endit() - -If you decide to use a link(bf(path=))(path) line in your [homes] -section then you may find it useful to use the link(bf(%S))(percentS) -macro. For example : - -tt(path=/data/pchome/%S) - -would be useful if you have different home directories for your PCs -than for UNIX access. 
- -This is a fast and simple way to give a large number of clients access -to their home directories with a minimum of fuss. - -A similar process occurs if the requested section name is tt("homes"), -except that the share name is not changed to that of the requesting -user. This method of using the [homes] section works well if different -users share a client PC. - -The [homes] section can specify all the parameters a normal service -section can specify, though some make more sense than others. The -following is a typical and suitable [homes] section: - -verb( - [homes] - writeable = yes -) - -An important point is that if guest access is specified in the [homes] -section, all home directories will be visible to all clients -bf(without a password). In the very unlikely event that this is -actually desirable, it would be wise to also specify link(bf(read only -access))(readonly). - -Note that the link(bf(browseable))(browseable) flag for auto home -directories will be inherited from the global browseable flag, not the -[homes] browseable flag. This is useful as it means setting -browseable=no in the [homes] section will hide the [homes] share but -make any auto home directories visible. - -label(printers) -dit(bf(The [printers] section)) - -This section works like link(bf([homes]))(homes), but for printers. - -If a bf([printers]) section occurs in the configuration file, users are -able to connect to any printer specified in the local host's printcap -file. - -When a connection request is made, the existing sections are -scanned. If a match is found, it is used. If no match is found, but a -link(bf([homes]))(homes) section exists, it is used as described -above. Otherwise, the requested section name is treated as a printer -name and the appropriate printcap file is scanned to see if the -requested section name is a valid printer share name. If a match is -found, a new printer share is created by cloning the bf([printers]) -section. 
- -A few modifications are then made to the newly created share: - -startit() - -it() The share name is set to the located printer name - -it() If no printer name was given, the printer name is set to the -located printer name - -it() If the share does not permit guest access and no username was -given, the username is set to the located printer name. - -endit() - -Note that the bf([printers]) service MUST be printable - if you specify -otherwise, the server will refuse to load the configuration file. - -Typically the path specified would be that of a world-writeable spool -directory with the sticky bit set on it. A typical bf([printers]) entry -would look like this: - -verb( - [printers] - path = /usr/spool/public - guest ok = yes - printable = yes -) - -All aliases given for a printer in the printcap file are legitimate -printer names as far as the server is concerned. If your printing -subsystem doesn't work like that, you will have to set up a -pseudo-printcap. This is a file consisting of one or more lines like -this: - -verb( alias|alias|alias|alias... ) - -Each alias should be an acceptable printer name for your printing -subsystem. In the link(bf([global]))(global) section, specify the new -file as your printcap. The server will then only recognize names -found in your pseudo-printcap, which of course can contain whatever -aliases you like. The same technique could be used simply to limit -access to a subset of your local printers. - -An alias, by the way, is defined as any component of the first entry -of a printcap record. Records are separated by newlines, components -(if there are more than one) are separated by vertical bar symbols -("|"). - -NOTE: On SYSV systems which use lpstat to determine what printers are -defined on the system you may be able to use link(bf("printcap name = -lpstat"))(printcapname) to automatically obtain a list of -printers. See the link(bf("printcap name"))(printcapname) option for -more details. 
- -enddit() - -label(PARAMETERS) -manpagesection(PARAMETERS) - -Parameters define the specific attributes of sections. - -Some parameters are specific to the link(bf([global]))(global) section -(e.g., link(bf(security))(security)). Some parameters are usable in -all sections (e.g., link(bf(create mode))(createmode)). All others are -permissible only in normal sections. For the purposes of the following -descriptions the link(bf([homes]))(homes) and -link(bf([printers]))(printers) sections will be considered normal. -The letter tt('G') in parentheses indicates that a parameter is -specific to the link(bf([global]))(global) section. The letter tt('S') -indicates that a parameter can be specified in a service specific -section. Note that all tt('S') parameters can also be specified in the -link(bf([global]))(global) section - in which case they will define -the default behavior for all services. - -Parameters are arranged here in alphabetical order - this may not -create best bedfellows, but at least you can find them! Where there -are synonyms, the preferred synonym is described, others refer to the -preferred synonym. - -label(VARIABLESUBSTITUTIONS) -manpagesection(VARIABLE SUBSTITUTIONS) - -Many of the strings that are settable in the config file can take -substitutions. For example the option link(bf(tt("path = -/tmp/%u")))(path) would be interpreted as tt("path = /tmp/john") if -the user connected with the username john. - -These substitutions are mostly noted in the descriptions below, but -there are some general substitutions which apply whenever they might -be relevant. These are: - -startit() - -label(percentS) -it() bf(%S) = the name of the current service, if any. - -label(percentP) -it() bf(%P) = the root directory of the current service, if any. - -label(percentu) -it() bf(%u) = user name of the current service, if any. - -label(percentg) -it() bf(%g) = primary group name of link(bf(%u))(percentu). 
- -label(percentU) -it() bf(%U) = session user name (the user name that -the client wanted, not necessarily the same as the one they got). - -label(percentG) -it() bf(%G) = primary group name of link(bf(%U))(percentU). - -label(percentH) -it() bf(%H) = the home directory of the user given by link(bf(%u))(percentu). - -label(percentv) -it() bf(%v) = the Samba version. - -label(percenth) -it() bf(%h) = the internet hostname that Samba is running on. - -label(percentm) -it() bf(%m) = the NetBIOS name of the client machine (very useful). - -label(percentL) -it() bf(%L) = the NetBIOS name of the server. This allows you to change your -config based on what the client calls you. Your server can have a "dual -personality". - -label(percentM) -it() bf(%M) = the internet name of the client machine. - -label(percentN) -it() bf(%N) = the name of your NIS home directory server. This is -obtained from your NIS auto.map entry. If you have not compiled Samba -with the bf(--with-automount) option then this value will be the same -as link(bf(%L))(percentL). - -label(percentp) -it() bf(%p) = the path of the service's home directory, obtained from your NIS -auto.map entry. The NIS auto.map entry is split up as "%N:%p". - -label(percentR) -it() bf(%R) = the selected protocol level after protocol -negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. - -label(percentd) -it() bf(%d) = The process id of the current server process. - -label(percenta) -it() bf(%a) = the architecture of the remote -machine. Only some are recognized, and those may not be 100% -reliable. It currently recognizes Samba, WfWg, WinNT and -Win95. Anything else will be known as "UNKNOWN". If it gets it wrong -then sending a level 3 log to email(samba@samba.org) -should allow it to be fixed. - -label(percentI) -it() bf(%I) = The IP address of the client machine. - -label(percentT) -it() bf(%T) = the current date and time. 
- -label(percentDollar) -it() bf(%$(envvar)) = The value of the environment variable bf(envar). - -endit() - -There are some quite creative things that can be done with these -substitutions and other smb.conf options. - -label(NAMEMANGLING) -manpagesection(NAME MANGLING) - -Samba supports em("name mangling") so that DOS and Windows clients can -use files that don't conform to the 8.3 format. It can also be set to -adjust the case of 8.3 format filenames. - -There are several options that control the way mangling is performed, -and they are grouped here rather than listed separately. For the -defaults look at the output of the testparm program. - -All of these options can be set separately for each service (or -globally, of course). - -The options are: - -label(manglecaseoption) -bf("mangle case = yes/no") controls if names that have characters that -aren't of the "default" case are mangled. For example, if this is yes -then a name like tt("Mail") would be mangled. Default em(no). - -label(casesensitiveoption) -bf("case sensitive = yes/no") controls whether filenames are case -sensitive. If they aren't then Samba must do a filename search and -match on passed names. Default em(no). - -label(defaultcaseoption) -bf("default case = upper/lower") controls what the default case is for new -filenames. Default em(lower). - -label(preservecaseoption) -bf("preserve case = yes/no") controls if new files are created with the -case that the client passes, or if they are forced to be the tt("default") -case. Default em(Yes). - -label(shortpreservecaseoption) - -bf("short preserve case = yes/no") controls if new files which conform -to 8.3 syntax, that is all in upper case and of suitable length, are -created upper case, or if they are forced to be the tt("default") -case. This option can be use with link(bf("preserve case = -yes"))(preservecaseoption) to permit long filenames to retain their -case, while short names are lowered. Default em(Yes). 
- -By default, Samba 2.0 has the same semantics as a Windows NT -server, in that it is case insensitive but case preserving. - -label(NOTEABOUTUSERNAMEPASSWORDVALIDATION) -manpagesection(NOTE ABOUT USERNAME/PASSWORD VALIDATION) - -There are a number of ways in which a user can connect to a -service. The server follows the following steps in determining if it -will allow a connection to a specified service. If all the steps fail -then the connection request is rejected. If one of the steps pass then -the following steps are not checked. - -If the service is marked link(bf("guest only = yes"))(guestonly) then -steps 1 to 5 are skipped. - -starteit() - -eit() Step 1: If the client has passed a username/password pair and -that username/password pair is validated by the UNIX system's password -programs then the connection is made as that username. Note that this -includes the tt(\\server\service%username) method of passing a -username. - -eit() Step 2: If the client has previously registered a username with -the system and now supplies a correct password for that username then -the connection is allowed. - -eit() Step 3: The client's netbios name and any previously used user -names are checked against the supplied password, if they match then -the connection is allowed as the corresponding user. - -eit() Step 4: If the client has previously validated a -username/password pair with the server and the client has passed the -validation token then that username is used. - -eit() Step 5: If a link(bf("user = "))(user) field is given in the -smb.conf file for the service and the client has supplied a password, -and that password matches (according to the UNIX system's password -checking) with one of the usernames from the link(bf(user=))(user) -field then the connection is made as the username in the -link(bf("user="))(user) line. 
If one of the username in the -link(bf(user=))(user) list begins with a tt('@') then that name -expands to a list of names in the group of the same name. - -eit() Step 6: If the service is a guest service then a connection is -made as the username given in the link(bf("guest account -="))(guestaccount) for the service, irrespective of the supplied -password. - -endeit() - -label(COMPLETELISTOFGLOBALPARAMETERS) -manpagesection(COMPLETE LIST OF GLOBAL PARAMETERS) - -Here is a list of all global parameters. See the section of each -parameter for details. Note that some are synonyms. - -startit() - -it() link(bf(add user script))(adduserscript) - -it() link(bf(allow trusted domains))(allowtrusteddomains) - -it() link(bf(announce as))(announceas) - -it() link(bf(announce version))(announceversion) - -it() link(bf(auto services))(autoservices) - -it() link(bf(bind interfaces only))(bindinterfacesonly) - -it() link(bf(browse list))(browselist) - -it() link(bf(change notify timeout))(changenotifytimeout) - -it() link(bf(character set))(characterset) - -it() link(bf(client code page))(clientcodepage) - -it() link(bf(coding system))(codingsystem) - -it() link(bf(config file))(configfile) - -it() link(bf(deadtime))(deadtime) - -it() link(bf(debug hires timestamp))(debughirestimestamp) - -it() link(bf(debug pid))(debugpid) - -it() link(bf(debug timestamp))(debugtimestamp) - -it() link(bf(debug uid))(debuguid) - -it() link(bf(debug level))(debuglevel) - -it() link(bf(default))(default) - -it() link(bf(default service))(defaultservice) - -it() link(bf(delete user script))(deleteuserscript) - -it() link(bf(dfree command))(dfreecommand) - -it() link(bf(dns proxy))(dnsproxy) - -it() link(bf(domain admin group))(domainadmingroup) - -it() link(bf(domain admin users))(domainadminusers) - -it() link(bf(domain groups))(domaingroups) - -it() link(bf(domain guest group))(domainguestgroup) - -it() link(bf(domain guest users))(domainguestusers) - -it() link(bf(domain logons))(domainlogons) 
- -it() link(bf(domain master))(domainmaster) - -it() link(bf(encrypt passwords))(encryptpasswords) - -it() link(bf(enhanced browsing))(enhancedbrowsing) - -it() link(bf(getwd cache))(getwdcache) - -it() link(bf(hide local users))(hidelocalusers) - -it() link(bf(homedir map))(homedirmap) - -it() link(bf(hosts equiv))(hostsequiv) - -it() link(bf(interfaces))(interfaces) - -it() link(bf(keepalive))(keepalive) - -it() link(bf(kernel oplocks))(kerneloplocks) - -it() link(bf(ldap filter))(ldapfilter) - -it() link(bf(ldap port))(ldapport) - -it() link(bf(ldap root))(ldaproot) - -it() link(bf(ldap root passwd))(ldaprootpasswd) - -it() link(bf(ldap server))(ldapserver) - -it() link(bf(ldap suffix))(ldapsuffix) - -it() link(bf(lm announce))(lmannounce) - -it() link(bf(lm interval))(lminterval) - -it() link(bf(load printers))(loadprinters) - -it() link(bf(local master))(localmaster) - -it() link(bf(lock dir))(lockdir) - -it() link(bf(lock directory))(lockdirectory) - -it() link(bf(log file))(logfile) - -it() link(bf(log level))(loglevel) - -it() link(bf(logon drive))(logondrive) - -it() link(bf(logon home))(logonhome) - -it() link(bf(logon path))(logonpath) - -it() link(bf(logon script))(logonscript) - -it() link(bf(lpq cache time))(lpqcachetime) - -it() link(bf(machine password timeout))(machinepasswordtimeout) - -it() link(bf(mangled stack))(mangledstack) - -it() link(bf(map to guest))(maptoguest) - -it() link(bf(max disk size))(maxdisksize) - -it() link(bf(max log size))(maxlogsize) - -it() link(bf(max mux))(maxmux) - -it() link(bf(max open files))(maxopenfiles) - -it() link(bf(max packet))(maxpacket) - -it() link(bf(max ttl))(maxttl) - -it() link(bf(max wins ttl))(maxwinsttl) - -it() link(bf(max xmit))(maxxmit) - -it() link(bf(message command))(messagecommand) - -it() link(bf(min passwd length))(minpasswdlength) - -it() link(bf(min password length))(minpasswordlength) - -it() link(bf(min wins ttl))(minwinsttl) - -it() link(bf(name resolve order))(nameresolveorder) - 
-it() link(bf(netbios aliases))(netbiosaliases) - -it() link(bf(netbios name))(netbiosname) - -it() link(bf(netbios scope))(netbiosscope) - -it() link(bf(nis homedir))(nishomedir) - -it() link(bf(nt acl support))(ntaclsupport) - -it() link(bf(nt pipe support))(ntpipesupport) - -it() link(bf(nt smb support))(ntsmbsupport) - -it() link(bf(null passwords))(nullpasswords) - -it() link(bf(ole locking compatibility))(olelockingcompatibility) - -it() link(bf(oplock break wait time))(oplockbreakwaittime) - -it() link(bf(os level))(oslevel) - -it() link(bf(packet size))(packetsize) - -it() link(bf(panic action))(panicaction) - -it() link(bf(passwd chat))(passwdchat) - -it() link(bf(passwd chat debug))(passwdchatdebug) - -it() link(bf(passwd program))(passwdprogram) - -it() link(bf(password level))(passwordlevel) - -it() link(bf(password server))(passwordserver) - -it() link(bf(prefered master))(preferedmaster) - -it() link(bf(preferred master))(preferredmaster) - -it() link(bf(preload))(preload) - -it() link(bf(printcap))(printcap) - -it() link(bf(printcap name))(printcapname) - -it() link(bf(printer driver file))(printerdriverfile) - -it() link(bf(private dir))(privatedir) - -it() link(bf(protocol))(protocol) - -it() link(bf(read bmpx))(readbmpx) - -it() link(bf(read prediction))(readprediction) - -it() link(bf(read raw))(readraw) - -it() link(bf(read size))(readsize) - -it() link(bf(remote announce))(remoteannounce) - -it() link(bf(remote browse sync))(remotebrowsesync) - -it() link(bf(restrict anonymous))(restrictanonymous) - -it() link(bf(root))(root) - -it() link(bf(root dir))(rootdir) - -it() link(bf(root directory))(rootdirectory) - -it() link(bf(security))(security) - -it() link(bf(server string))(serverstring) - -it() link(bf(shared mem size))(sharedmemsize) - -it() link(bf(smb passwd file))(smbpasswdfile) - -it() link(bf(smbrun))(smbrun) - -it() link(bf(socket address))(socketaddress) - -it() link(bf(socket options))(socketoptions) - -it() link(bf(source 
environment))(sourceenvironment) - -it() link(bf(ssl))(ssl) - -it() link(bf(ssl CA certDir))(sslCAcertDir) - -it() link(bf(ssl CA certFile))(sslCAcertFile) - -it() link(bf(ssl ciphers))(sslciphers) - -it() link(bf(ssl client cert))(sslclientcert) - -it() link(bf(ssl client key))(sslclientkey) - -it() link(bf(ssl compatibility))(sslcompatibility) - -it() link(bf(ssl hosts))(sslhosts) - -it() link(bf(ssl hosts resign))(sslhostsresign) - -it() link(bf(ssl require clientcert))(sslrequireclientcert) - -it() link(bf(ssl require servercert))(sslrequireservercert) - -it() link(bf(ssl server cert))(sslservercert) - -it() link(bf(ssl server key))(sslserverkey) - -it() link(bf(ssl version))(sslversion) - -it() link(bf(stat cache))(statcache) - -it() link(bf(stat cache size))(statcachesize) - -it() link(bf(strip dot))(stripdot) - -it() link(bf(syslog))(syslog) - -it() link(bf(syslog only))(syslogonly) - -it() link(bf(template homedir))(templatehomedir) - -it() link(bf(template shell))(templateshell) - -it() link(bf(time offset))(timeoffset) - -it() link(bf(time server))(timeserver) - -it() link(bf(timestamp logs))(timestamplogs) - -it() link(bf(unix password sync))(unixpasswordsync) - -it() link(bf(unix realname))(unixrealname) - -it() link(bf(update encrypted))(updateencrypted) - -it() link(bf(use rhosts))(userhosts) - -it() link(bf(username level))(usernamelevel) - -it() link(bf(username map))(usernamemap) - -it() link(bf(utmp directory))(utmpdirectory) - -it() link(bf(valid chars))(validchars) - -it() link(bf(winbind cache time))(winbindcachetime) - -it() link(bf(winbind gid))(winbindgid) - -it() link(bf(winbind uid))(winbinduid) - -it() link(bf(wins hook))(winshook) - -it() link(bf(wins proxy))(winsproxy) - -it() link(bf(wins server))(winsserver) - -it() link(bf(wins support))(winssupport) - -it() link(bf(workgroup))(workgroup) - -it() link(bf(write raw))(writeraw) - -endit() - -label(COMPLETELISTOFSERVICEPARAMETERS) -manpagesection(COMPLETE LIST OF SERVICE PARAMETERS) - 
-Here is a list of all service parameters. See the section of each -parameter for details. Note that some are synonyms. - -startit() - -it() link(bf(admin users))(adminusers) - -it() link(bf(allow hosts))(allowhosts) - -it() link(bf(alternate permissions))(alternatepermissions) - -it() link(bf(available))(available) - -it() link(bf(blocking locks))(blockinglocks) - -it() link(bf(browsable))(browsable) - -it() link(bf(browseable))(browseable) - -it() link(bf(case sensitive))(casesensitive) - -it() link(bf(casesignames))(casesignames) - -it() link(bf(comment))(comment) - -it() link(bf(copy))(copy) - -it() link(bf(create mask))(createmask) - -it() link(bf(create mode))(createmode) - -it() link(bf(default case))(defaultcase) - -it() link(bf(delete readonly))(deletereadonly) - -it() link(bf(delete veto files))(deletevetofiles) - -it() link(bf(deny hosts))(denyhosts) - -it() link(bf(directory))(directory) - -it() link(bf(directory mask))(directorymask) - -it() link(bf(directory mode))(directorymode) - -it() link(bf(directory security mask))(directorysecuritymask) - -it() link(bf(dont descend))(dontdescend) - -it() link(bf(dos filetime resolution))(dosfiletimeresolution) - -it() link(bf(dos filetimes))(dosfiletimes) - -it() link(bf(exec))(exec) - -it() link(bf(fake directory create times))(fakedirectorycreatetimes) - -it() link(bf(fake oplocks))(fakeoplocks) - -it() link(bf(follow symlinks))(followsymlinks) - -it() link(bf(force create mode))(forcecreatemode) - -it() link(bf(force directory mode))(forcedirectorymode) - -it() link(bf(force directory security mode))(forcedirectorysecuritymode) - -it() link(bf(force group))(forcegroup) - -it() link(bf(force security mode))(forcesecuritymode) - -it() link(bf(force user))(forceuser) - -it() link(bf(fstype))(fstype) - -it() link(bf(group))(group) - -it() link(bf(guest account))(guestaccount) - -it() link(bf(guest ok))(guestok) - -it() link(bf(guest only))(guestonly) - -it() link(bf(hide dot files))(hidedotfiles) - -it() 
link(bf(hide files))(hidefiles) - -it() link(bf(hosts allow))(hostsallow) - -it() link(bf(hosts deny))(hostsdeny) - -it() link(bf(include))(include) - -it() link(bf(inherit permissions))(inheritpermissions) - -it() link(bf(invalid users))(invalidusers) - -it() link(bf(level2 oplocks))(level2oplocks) - -it() link(bf(locking))(locking) - -it() link(bf(lppause command))(lppausecommand) - -it() link(bf(lpq command))(lpqcommand) - -it() link(bf(lpresume command))(lpresumecommand) - -it() link(bf(lprm command))(lprmcommand) - -it() link(bf(magic output))(magicoutput) - -it() link(bf(magic script))(magicscript) - -it() link(bf(mangle case))(manglecase) - -it() link(bf(mangle locks))(manglelocks) - -it() link(bf(mangled map))(mangledmap) - -it() link(bf(mangled names))(manglednames) - -it() link(bf(mangling char))(manglingchar) - -it() link(bf(map archive))(maparchive) - -it() link(bf(map hidden))(maphidden) - -it() link(bf(map system))(mapsystem) - -it() link(bf(max connections))(maxconnections) - -it() link(bf(min print space))(minprintspace) - -it() link(bf(only guest))(onlyguest) - -it() link(bf(only user))(onlyuser) - -it() link(bf(oplock contention limit))(oplockcontentionlimit) - -it() link(bf(oplocks))(oplocks) - -it() link(bf(path))(path) - -it() link(bf(postexec))(postexec) - -it() link(bf(postscript))(postscript) - -it() link(bf(preexec))(preexec) - -it() link(bf(preexec close))(preexecclose) - -it() link(bf(preserve case))(preservecase) - -it() link(bf(print command))(printcommand) - -it() link(bf(print ok))(printok) - -it() link(bf(printable))(printable) - -it() link(bf(printer))(printer) - -it() link(bf(printer admin))(printer admin) - -it() link(bf(printer driver))(printerdriver) - -it() link(bf(printer driver location))(printerdriverlocation) - -it() link(bf(printer name))(printername) - -it() link(bf(printing))(printing) - -it() link(bf(public))(public) - -it() link(bf(queuepause command))(queuepausecommand) - -it() link(bf(queueresume 
command))(queueresumecommand) - -it() link(bf(read list))(readlist) - -it() link(bf(read only))(readonly) - -it() link(bf(root postexec))(rootpostexec) - -it() link(bf(root preexec))(rootpreexec) - -it() link(bf(root preexec close))(rootpreexecclose) - -it() link(bf(security mask))(securitymask) - -it() link(bf(set directory))(setdirectory) - -it() link(bf(share modes))(sharemodes) - -it() link(bf(short preserve case))(shortpreservecase) - -it() link(bf(status))(status) - -it() link(bf(strict locking))(strictlocking) - -it() link(bf(strict sync))(strictsync) - -it() link(bf(sync always))(syncalways) - -it() link(bf(user))(user) - -it() link(bf(username))(username) - -it() link(bf(users))(users) - -it() link(bf(utmp))(utmp) - -it() link(bf(valid users))(validusers) - -it() link(bf(veto files))(vetofiles) - -it() link(bf(veto oplock files))(vetooplockfiles) - -it() link(bf(volume))(volume) - -it() link(bf(wide links))(widelinks) - -it() link(bf(writable))(writable) - -it() link(bf(write cache size))(writecachesize) - -it() link(bf(write list))(writelist) - -it() link(bf(write ok))(writeok) - -it() link(bf(writeable))(writeable) - -endit() - -label(EXPLANATIONOFEACHPARAMETER) -manpagesection(EXPLANATION OF EACH PARAMETER) - -startdit() - -label(adduserscript) -dit(bf(add user script (G))) - -This is the full pathname to a script that will be run em(AS ROOT) by -url(bf(smbd (8)))(smbd.8.html) under special circumstances decribed -below. - -Normally, a Samba server requires that UNIX users are created for all -users accessing files on this server. For sites that use Windows NT -account databases as their primary user database creating these users -and keeping the user list in sync with the Windows NT PDC is an -onerous task. This option allows url(bf(smbd))(smbd.8.html) to create -the required UNIX users em(ON DEMAND) when a user accesses the Samba -server. 
- -In order to use this option, url(bf(smbd))(smbd.8.html) must be set to -link(bf(security=server))(securityequalserver) or -link(bf(security=domain))(securityequaldomain) and bf("add user script") -must be set to a full pathname for a script that will create a UNIX user -given one argument of bf(%u), which expands into the UNIX user name to -create. - -When the Windows user attempts to access the Samba server, at -em("login")(session setup in the SMB protocol) time, -url(bf(smbd))(smbd.8.html) contacts the link(bf(password -server))(passwordserver) and attempts to authenticate the given user -with the given password. If the authentication succeeds then -url(bf(smbd))(smbd.8.html) attempts to find a UNIX user in the UNIX -password database to map the Windows user into. If this lookup fails, -and bf("add user script") is set then url(bf(smbd))(smbd.8.html) will -call the specified script em(AS ROOT), expanding any bf(%u) argument -to be the user name to create. - -If this script successfully creates the user then -url(bf(smbd))(smbd.8.html) will continue on as though the UNIX user -already existed. In this way, UNIX users are dynamically created to -match existing Windows NT accounts. - -See also link(bf(security=server))(securityequalserver), -link(bf(security=domain))(securityequaldomain), link(bf(password -server))(passwordserver), link(bf(delete user -script))(deleteuserscript). - - bf(Default:) -tt( add user script = <empty string>) - - bf(Example:) -tt( add user script = /usr/local/samba/bin/add_user %u) - -label(adminusers) -dit(bf(admin users (S))) - -This is a list of users who will be granted administrative privileges -on the share. This means that they will do all file operations as the -super-user (root). - -You should use this option very carefully, as any user in this list -will be able to do anything they like on the share, irrespective of -file permissions. 
- - bf(Default:) nl() -tt( no admin users) - - bf(Example:) nl() -tt( admin users = jason) - -label(allow hosts) -dit(bf(allow hosts (S))) - -Synonym for link(bf(hosts allow))(hostsallow). - -label(allowtrusteddomains) -dit(bf(allow trusted domains (G))) - -This option only takes effect when the link(bf(security))(security) -option is set to bf(server) or bf(domain). If it is set to no, -then attempts to connect to a resource from a domain or workgroup other than -the one which smbd is running in will fail, even if that domain -is trusted by the remote server doing the authentication. - -This is useful if you only want your Samba server to serve resources -to users in the domain it is a member of. As an example, suppose that there are -two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains -the Samba server. Under normal circumstances, a user with an account -in DOMB can then access the resources of a UNIX account with the same -account name on the Samba server even if they do not have an account -in DOMA. This can make implementing a security boundary difficult. - - bf(Default:) -tt( allow trusted domains = Yes) - - bf(Example:) -tt( allow trusted domains = No) - -label(alternatepermissions) -dit(bf(alternate permissions (S))) - -This is a deprecated parameter. It no longer has any effect in Samba2.0. -In previous versions of Samba it affected the way the DOS "read only" -attribute was mapped for a file. In Samba2.0 a file is marked "read only" -if the UNIX file does not have the 'w' bit set for the owner of the file, -regardless if the owner of the file is the currently logged on user or not. - -label(announceas) -dit(bf(announce as (G))) - -This specifies what type of server url(bf(nmbd))(nmbd.8.html) will -announce itself as, to a network neighborhood browse list. By default -this is set to Windows NT. 
The valid options are : "NT", which is a -synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or -"WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 -and Windows for Workgroups respectively. Do not change this parameter -unless you have a specific need to stop Samba appearing as an NT server -as this may prevent Samba servers from participating as browser servers correctly. - - bf(Default:) -tt( announce as = NT Server) - - bf(Example) -tt( announce as = Win95) - -label(announceversion) -dit(bf(announce version (G))) - -This specifies the major and minor version numbers that nmbd will use -when announcing itself as a server. The default is 4.2. Do not change -this parameter unless you have a specific need to set a Samba server -to be a downlevel server. - - bf(Default:) -tt( announce version = 4.2) - - bf(Example:) -tt( announce version = 2.0) - - -label(autoservices) -dit(bf(auto services (G))) - -This is a list of services that you want to be automatically added to -the browse lists. This is most useful for homes and printers services -that would otherwise not be visible. - -Note that if you just want all printers in your printcap file loaded -then the link(bf("load printers"))(loadprinters) option is easier. - - bf(Default:) -tt( no auto services) - - bf(Example:) -tt( auto services = fred lp colorlp) - -label(available) -dit(bf(available (S))) - -This parameter lets you em('turn off') a service. If tt('available = no'), -then em(ALL) attempts to connect to the service will fail. Such failures -are logged. - - bf(Default:) -tt( available = yes) - - bf(Example:) -tt( available = no) - -label(bindinterfacesonly) -dit(bf(bind interfaces only (G))) - -This global parameter allows the Samba admin to limit what interfaces -on a machine will serve smb requests. If affects file service -url(bf(smbd))(smbd.8.html) and name service url(bf(nmbd))(nmbd.8.html) -in slightly different ways. 
- -For name service it causes url(bf(nmbd))(nmbd.8.html) to bind to ports -137 and 138 on the interfaces listed in the -link(bf('interfaces'))(interfaces) -parameter. url(bf(nmbd))(nmbd.8.html) also binds to the 'all -addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes -of reading broadcast messages. If this option is not set then -url(bf(nmbd))(nmbd.8.html) will service name requests on all of these -sockets. If bf("bind interfaces only") is set then -url(bf(nmbd))(nmbd.8.html) will check the source address of any -packets coming in on the broadcast sockets and discard any that don't -match the broadcast addresses of the interfaces in the -link(bf('interfaces'))(interfaces) parameter list. As unicast packets -are received on the other sockets it allows url(bf(nmbd))(nmbd.8.html) -to refuse to serve names to machines that send packets that arrive -through any interfaces not listed in the -link(bf("interfaces"))(interfaces) list. IP Source address spoofing -does defeat this simple check, however so it must not be used -seriously as a security feature for url(bf(nmbd))(nmbd.8.html). - -For file service it causes url(bf(smbd))(smbd.8.html) to bind only to -the interface list given in the link(bf('interfaces'))(interfaces) -parameter. This restricts the networks that url(bf(smbd))(smbd.8.html) -will serve to packets coming in those interfaces. Note that you -should not use this parameter for machines that are serving PPP or -other intermittent or non-broadcast network interfaces as it will not -cope with non-permanent interfaces. - -If bf("bind interfaces only") is set then unless the network address -em(127.0.0.1) is added to the link(bf('interfaces'))(interfaces) parameter -list url(bf(smbpasswd))(smbpasswd.8.html) and -url(bf(swat))(swat.8.html) may not work as expected due to the -reasons covered below. 
- -To change a users SMB password, the url(bf(smbpasswd))(smbpasswd.8.html) -by default connects to the em("localhost" - 127.0.0.1) address as an SMB -client to issue the password change request. If bf("bind interfaces only") -is set then unless the network address em(127.0.0.1) is added to the -link(bf('interfaces'))(interfaces) parameter list then -url(bf(smbpasswd))(smbpasswd.8.html) will fail to connect in it's -default mode. url(bf(smbpasswd))(smbpasswd.8.html) can be forced to -use the primary IP interface of the local host by using its -url(bf("-r remote machine"))(smbpasswd.8.html#minusr) parameter, with -bf("remote machine") set to the IP name of the primary interface -of the local host. - -The url(bf(swat))(swat.8.html) status page tries to connect with -url(bf(smbd))(smbd.8.html) and url(bf(nmbd))(nmbd.8.html) at the address -em(127.0.0.1) to determine if they are running. Not adding em(127.0.0.1) will cause -url(bf(smbd))(smbd.8.html) and url(bf(nmbd))(nmbd.8.html) to always show -"not running" even if they really are. This can prevent -url(bf(swat))(swat.8.html) from starting/stopping/restarting -url(bf(smbd))(smbd.8.html) and url(bf(nmbd))(nmbd.8.html). - - bf(Default:) -tt( bind interfaces only = False) - - bf(Example:) -tt( bind interfaces only = True) - -label(blockinglocks) -dit(bf(blocking locks (S))) - -This parameter controls the behavior of url(bf(smbd))(smbd.8.html) when -given a request by a client to obtain a byte range lock on a region -of an open file, and the request has a time limit associated with it. - -If this parameter is set and the lock range requested cannot be -immediately satisfied, Samba 2.0 will internally queue the lock -request, and periodically attempt to obtain the lock until the -timeout period expires. - -If this parameter is set to "False", then Samba 2.0 will behave -as previous versions of Samba would and will fail the lock -request immediately if the lock range cannot be obtained. 
- -This parameter can be set per share. - - bf(Default:) -tt( blocking locks = True) - - bf(Example:) -tt( blocking locks = False) - -label(browsable) -dit(bf(browsable (S))) - -Synonym for link(bf(browseable))(browseable). - -label(browselist) -dit(bf(browse list(G))) - -This controls whether url(bf(smbd))(smbd.8.html) will serve a browse -list to a client doing a NetServerEnum call. Normally set to true. You -should never need to change this. - - bf(Default:) -tt( browse list = Yes) - -label(browseable) -dit(bf(browseable)) - -This controls whether this share is seen in the list of available -shares in a net view and in the browse list. - - bf(Default:) -tt( browseable = Yes) - - bf(Example:) -tt( browseable = No) - -label(casesensitive) -dit(bf(case sensitive (S))) - -See the discussion in the section link(bf(NAME MANGLING))(NAMEMANGLING). - -label(casesignames) -dit(bf(casesignames (S))) - -Synonym for link(bf("case sensitive"))(casesensitive). - -label(changenotifytimeout) -dit(bf(change notify timeout (G))) - -One of the new NT SMB requests that Samba 2.0 supports is the -"ChangeNotify" requests. This SMB allows a client to tell a server to -em("watch") a particular directory for any changes and only reply to -the SMB request when a change has occurred. Such constant scanning of -a directory is expensive under UNIX, hence an -url(bf(smbd))(smbd.8.html) daemon only performs such a scan on each -requested directory once every bf(change notify timeout) seconds. - -bf(change notify timeout) is specified in units of seconds. - - bf(Default:) -tt( change notify timeout = 60) - - bf(Example:) -tt( change notify timeout = 300) - -Would change the scan time to every 5 minutes. - -label(characterset) -dit(bf(character set (G))) - -This allows a smbd to map incoming filenames from a DOS Code page (see -the link(bf(client code page))(clientcodepage) parameter) to several -built in UNIX character sets. 
The built in code page translations are: - -startit() - -it() bf(ISO8859-1) Western European UNIX character set. The parameter -link(bf(client code page))(clientcodepage) em(MUST) be set to code -page 850 if the bf(character set) parameter is set to iso8859-1 -in order for the conversion to the UNIX character set to be done -correctly. - -it() bf(ISO8859-2) Eastern European UNIX character set. The parameter -link(bf(client code page))(clientcodepage) em(MUST) be set to code -page 852 if the bf(character set) parameter is set to ISO8859-2 -in order for the conversion to the UNIX character set to be done -correctly. - -it() bf(ISO8859-5) Russian Cyrillic UNIX character set. The parameter -link(bf(client code page))(clientcodepage) em(MUST) be set to code -page 866 if the bf(character set) parameter is set to ISO8859-5 -in order for the conversion to the UNIX character set to be done -correctly. - -it() bf(ISO8859-7) Greek UNIX character set. The parameter -link(bf(client code page))(clientcodepage) em(MUST) be set to code -page 737 if the bf(character set) parameter is set to ISO8859-7 -in order for the conversion to the UNIX character set to be done -correctly. - -it() bf(KOI8-R) Alternate mapping for Russian Cyrillic UNIX -character set. The parameter link(bf(client code -page))(clientcodepage) em(MUST) be set to code page 866 if the -bf(character set) parameter is set to KOI8-R in order for the -conversion to the UNIX character set to be done correctly. - -endit() - -em(BUG). These MSDOS code page to UNIX character set mappings should -be dynamic, like the loading of MS DOS code pages, not static. - -See also link(bf(client code page))(clientcodepage). Normally this -parameter is not set, meaning no filename translation is done. 
- - bf(Default:) -tt( character set = <empty string>) - - bf(Example:) -tt( character set = ISO8859-1) - -label(clientcodepage) -dit(bf(client code page (G))) - -This parameter specifies the DOS code page that the clients accessing -Samba are using. To determine what code page a Windows or DOS client -is using, open a DOS command prompt and type the command "chcp". This -will output the code page. The default for USA MS-DOS, Windows 95, and -Windows NT releases is code page 437. The default for western european -releases of the above operating systems is code page 850. - -This parameter tells url(bf(smbd))(smbd.8.html) which of the -tt(codepage.XXX) files to dynamically load on startup. These files, -described more fully in the manual page url(bf(make_smbcodepage -(1)))(make_smbcodepage.1.html), tell url(bf(smbd))(smbd.8.html) how -to map lower to upper case characters to provide the case insensitivity -of filenames that Windows clients expect. - -Samba currently ships with the following code page files : - -startit() - -it() bf(Code Page 437 - MS-DOS Latin US) - -it() bf(Code Page 737 - Windows '95 Greek) - -it() bf(Code Page 850 - MS-DOS Latin 1) - -it() bf(Code Page 852 - MS-DOS Latin 2) - -it() bf(Code Page 861 - MS-DOS Icelandic) - -it() bf(Code Page 866 - MS-DOS Cyrillic) - -it() bf(Code Page 932 - MS-DOS Japanese SJIS) - -it() bf(Code Page 936 - MS-DOS Simplified Chinese) - -it() bf(Code Page 949 - MS-DOS Korean Hangul) - -it() bf(Code Page 950 - MS-DOS Traditional Chinese) - -endit() - -Thus this parameter may have any of the values 437, 737, 850, 852, -861, 932, 936, 949, or 950. If you don't find the codepage you need, -read the comments in one of the other codepage files and the -url(bf(make_smbcodepage (1)))(make_smbcodepage.1.html) man page and -write one. Please remember to donate it back to the Samba user -community. 
- -This parameter co-operates with the link(bf("valid -chars"))(validchars) parameter in determining what characters are -valid in filenames and how capitalization is done. If you set both -this parameter and the link(bf("valid chars"))(validchars) parameter -the bf("client code page") parameter em(MUST) be set before the -link(bf("valid chars"))(validchars) parameter in the bf(smb.conf) -file. The link(bf("valid chars"))(validchars) string will then augment -the character settings in the "client code page" parameter. - -If not set, bf("client code page") defaults to 850. - -See also : link(bf("valid chars"))(validchars) - - bf(Default:) -tt( client code page = 850) - - bf(Example:) -tt( client code page = 936) - -label(codingsystem) -dit(bf(codingsystem (G))) - -This parameter is used to determine how incoming Shift-JIS Japanese -characters are mapped from the incoming link(bf("client code -page"))(clientcodepage) used by the client, into file names in the -UNIX filesystem. Only useful if link(bf("client code -page"))(clientcodepage) is set to 932 (Japanese Shift-JIS). - -The options are : - -startit() - -it() bf(SJIS) Shift-JIS. Does no conversion of the incoming filename. - -it() bf(JIS8, J8BB, J8BH, J8@B, J8@J, J8@H ) Convert from incoming -Shift-JIS to eight bit JIS code with different shift-in, shift out -codes. - -it() bf(JIS7, J7BB, J7BH, J7@B, J7@J, J7@H ) Convert from incoming -Shift-JIS to seven bit JIS code with different shift-in, shift out -codes. - -it() bf(JUNET, JUBB, JUBH, JU@B, JU@J, JU@H ) Convert from incoming -Shift-JIS to JUNET code with different shift-in, shift out codes. - -it() bf(EUC) Convert an incoming Shift-JIS character to EUC code. - -it() bf(HEX) Convert an incoming Shift-JIS character to a 3 byte hex -representation, i.e. tt(:AB). - -it() bf(CAP) Convert an incoming Shift-JIS character to the 3 byte hex -representation used by the Columbia AppleTalk Program (CAP), -i.e. tt(:AB). 
This is used for compatibility between Samba and CAP. - -endit() - -label(comment) -dit(bf(comment (S))) - -This is a text field that is seen next to a share when a client does a -queries the server, either via the network neighborhood or via "net -view" to list what shares are available. - -If you want to set the string that is displayed next to the machine -name then see the server string command. - - bf(Default:) -tt( No comment string) - - bf(Example:) -tt( comment = Fred's Files) - -label(configfile) -dit(bf(config file (G))) - -This allows you to override the config file to use, instead of the -default (usually bf(smb.conf)). There is a chicken and egg problem -here as this option is set in the config file! - -For this reason, if the name of the config file has changed when the -parameters are loaded then it will reload them from the new config -file. - -This option takes the usual substitutions, which can be very useful. - -If the config file doesn't exist then it won't be loaded (allowing you -to special case the config files of just a few clients). - - bf(Example:) -tt( config file = /usr/local/samba/lib/smb.conf.%m) - -label(copy) -dit(bf(copy (S))) - -This parameter allows you to em('clone') service entries. The specified -service is simply duplicated under the current service's name. Any -parameters specified in the current section will override those in the -section being copied. - -This feature lets you set up a 'template' service and create similar -services easily. Note that the service being copied must occur earlier -in the configuration file than the service doing the copying. - - bf(Default:) -tt( none) - - bf(Example:) -tt( copy = otherservice) - -label(createmask) -dit(bf(create mask (S))) - -A synonym for this parameter is link(bf('create mode'))(createmode). 
- -When a file is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a file. Any bit em(*not*) set here will be removed from the modes set -on a file when it is created. - -The default value of this parameter removes the 'group' and 'other' -write and execute bits from the UNIX modes. - -Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force create mode" parameter -which is set to 000 by default. - -This parameter does not affect directory modes. See the parameter -link(bf('directory mode'))(directorymode) for details. - -See also the link(bf("force create mode"))(forcecreatemode) parameter -for forcing particular mode bits to be set on created files. See also -the link(bf("directory mode"))(directorymode) parameter for masking -mode bits on created directories. -See also the link(bf("inherit permissions"))(inheritpermissions) parameter. - - bf(Default:) -tt( create mask = 0744) - - bf(Example:) -tt( create mask = 0775) - -label(createmode) -dit(bf(create mode (S))) - -This is a synonym for link(bf(create mask))(createmask). - -label(deadtime) -dit(bf(deadtime (G))) - -The value of the parameter (a decimal integer) represents the number -of minutes of inactivity before a connection is considered dead, and -it is disconnected. The deadtime only takes effect if the number of -open files is zero. - -This is useful to stop a server's resources being exhausted by a large -number of inactive connections. - -Most clients have an auto-reconnect feature when a connection is -broken so in most cases this parameter should be transparent to users. - -Using this parameter with a timeout of a few minutes is recommended -for most systems. 
- -A deadtime of zero indicates that no auto-disconnection should be -performed. - - bf(Default:) -tt( deadtime = 0) - - bf(Example:) -tt( deadtime = 15) - -label(debughirestimestamp) -dit(bf(debug hires timestamp (G))) - -Sometimes the timestamps in the log messages are needed with a -resolution of higher that seconds, this boolean parameter adds -microsecond resolution to the timestamp message header when turned on. - -Note that the parameter link(bf(debug timestamp))(debugtimestamp) -must be on for this to have an effect. - - bf(Default:) -tt( debug hires timestamp = No) - - bf(Example:) -tt( debug hires timestamp = Yes) - -label(debugtimestamp) -dit(bf(debug timestamp (G))) - -Samba2.0 debug log messages are timestamped by default. If you are -running at a high link(bf("debug level"))(debuglevel) these timestamps -can be distracting. This boolean parameter allows timestamping to be turned -off. - - bf(Default:) -tt( debug timestamp = Yes) - - bf(Example:) -tt( debug timestamp = No) - -label(debugpid) -dit(bf(debug pid (G))) - -When using only one log file for more then one forked smbd-process -there may be hard to follow which process outputs which message. -This boolean parameter is adds the process-id to the timestamp message -headers in the logfile when turned on. - -Note that the parameter link(bf(debug timestamp))(debugtimestamp) -must be on for this to have an effect. - - bf(Default:) -tt( debug pid = No) - - bf(Example:) -tt( debug pid = Yes) - -label(debuguid) -dit(bf(debug uid (G))) - -Samba is sometimes run as root and sometime run as the connected -user, this boolean parameter inserts the current euid, egid, uid -and gid to the timestamp message headers in the log file if turned on. - -Note that the parameter link(bf(debug timestamp))(debugtimestamp) -must be on for this to have an effect. 
- - bf(Default:) -tt( debug uid = No) - - bf(Example:) -tt( debug uid = Yes) - -label(debuglevel) -dit(bf(debug level (G))) - -The value of the parameter (an integer) allows the debug level -(logging level) to be specified in the bf(smb.conf) file. This is to -give greater flexibility in the configuration of the system. - -The default will be the debug level specified on the command line -or level zero if none was specified. - - bf(Example:) -tt( debug level = 3) - -label(default) -dit(bf(default (G))) - -A synonym for link(bf(default service))(defaultservice). - -label(defaultcase) -dit(bf(default case (S))) - -See the section on link(bf("NAME MANGLING"))(NAMEMANGLING). Also note -the link(bf("short preserve case"))(shortpreservecase) parameter. - -label(defaultservice) -dit(bf(default service (G))) - -This parameter specifies the name of a service which will be connected -to if the service actually requested cannot be found. Note that the -square brackets are em(NOT) given in the parameter value (see example -below). - -There is no default value for this parameter. If this parameter is not -given, attempting to connect to a nonexistent service results in an -error. - -Typically the default service would be a link(bf(guest ok))(guestok), -link(bf(read-only))(readonly) service. - -Also note that the apparent service name will be changed to equal that -of the requested service, this is very useful as it allows you to use -macros like link(bf(%S))(percentS) to make a wildcard service. - -Note also that any tt('_') characters in the name of the service used -in the default service will get mapped to a tt('/'). This allows for -interesting things. - - - bf(Example:) -verb( - default service = pub - - [pub] - path = /%S -) - -label(deleteuserscript) -dit(bf(delete user script (G))) - -This is the full pathname to a script that will be run em(AS ROOT) by -url(bf(smbd (8)))(smbd.8.html) under special circumstances decribed -below. 
- -Normally, a Samba server requires that UNIX users are created for all -users accessing files on this server. For sites that use Windows NT -account databases as their primary user database creating these users -and keeping the user list in sync with the Windows NT PDC is an -onerous task. This option allows url(bf(smbd))(smbd.8.html) to delete -the required UNIX users em(ON DEMAND) when a user accesses the Samba -server and the Windows NT user no longer exists. - -In order to use this option, url(bf(smbd))(smbd.8.html) must be set to -link(bf(security=domain))(securityequaldomain) and bf("delete user -script") must be set to a full pathname for a script that will delete -a UNIX user given one argument of bf(%u), which expands into the UNIX -user name to delete. em(NOTE) that this is different to the -link(bf(add user script))(adduserscript) which will work with the -link(bf(security=server))(securityequalserver) option as well as -link(bf(security=domain))(securityequaldomain). The reason for this -is only when Samba is a domain member does it get the information -on an attempted user logon that a user no longer exists. In the -link(bf(security=server))(securityequalserver) mode a missing user -is treated the same as an invalid password logon attempt. Deleting -the user in this circumstance would not be a good idea. - -When the Windows user attempts to access the Samba server, at -em("login")(session setup in the SMB protocol) time, -url(bf(smbd))(smbd.8.html) contacts the link(bf(password -server))(passwordserver) and attempts to authenticate the given user -with the given password. If the authentication fails with the specific -Domain error code meaning that the user no longer exists then -url(bf(smbd))(smbd.8.html) attempts to find a UNIX user in the UNIX -password database that matches the Windows user account. 
If this lookup succeeds, -and bf("delete user script") is set then url(bf(smbd))(smbd.8.html) will -call the specified script em(AS ROOT), expanding any bf(%u) argument -to be the user name to delete. - -This script should delete the given UNIX username. In this way, UNIX -users are dynamically deleted to match existing Windows NT accounts. - -See also link(bf(security=domain))(securityequaldomain), -link(bf(password server))(passwordserver), link(bf(add user -script))(adduserscript). - - bf(Default:) -tt( delete user script = <empty string>) - - bf(Example:) -tt( delete user script = /usr/local/samba/bin/del_user %u) - -label(deletereadonly) -dit(bf(delete readonly (S))) - -This parameter allows readonly files to be deleted. This is not -normal DOS semantics, but is allowed by UNIX. - -This option may be useful for running applications such as rcs, where -UNIX file ownership prevents changing file permissions, and DOS -semantics prevent deletion of a read only file. - - bf(Default:) -tt( delete readonly = No) - - bf(Example:) -tt( delete readonly = Yes) - -label(deletevetofiles) -dit(bf(delete veto files (S))) - -This option is used when Samba is attempting to delete a directory -that contains one or more vetoed directories (see the link(bf('veto -files'))(vetofiles) option). If this option is set to False (the -default) then if a vetoed directory contains any non-vetoed files or -directories then the directory delete will fail. This is usually what -you want. - -If this option is set to True, then Samba will attempt to recursively -delete any files and directories within the vetoed directory. This can -be useful for integration with file serving systems such as bf(NetAtalk), -which create meta-files within directories you might normally veto -DOS/Windows users from seeing (e.g. 
tt(.AppleDouble)) - -Setting tt('delete veto files = True') allows these directories to be -transparently deleted when the parent directory is deleted (so long -as the user has permissions to do so). - -See also the link(bf(veto files))(vetofiles) parameter. - - bf(Default:) -tt( delete veto files = False) - - bf(Example:) -tt( delete veto files = True) - -label(denyhosts) -dit(bf(deny hosts (S))) - -Synonym for link(bf(hosts deny))(hostsdeny). - -label(dfreecommand) -dit(bf(dfree command (G))) - -The dfree command setting should only be used on systems where a -problem occurs with the internal disk space calculations. This has -been known to happen with Ultrix, but may occur with other operating -systems. The symptom that was seen was an error of "Abort Retry -Ignore" at the end of each directory listing. - -This setting allows the replacement of the internal routines to -calculate the total disk space and amount available with an external -routine. The example below gives a possible script that might fulfill -this function. - -The external program will be passed a single parameter indicating a -directory in the filesystem being queried. This will typically consist -of the string tt("./"). The script should return two integers in -ascii. The first should be the total disk space in blocks, and the -second should be the number of available blocks. An optional third -return value can give the block size in bytes. The default blocksize -is 1024 bytes. - -Note: Your script should em(NOT) be setuid or setgid and should be -owned by (and writeable only by) root! - - bf(Default:) -tt( By default internal routines for determining the disk capacity -and remaining space will be used.) 
- - bf(Example:) -tt( dfree command = /usr/local/samba/bin/dfree) - -Where the script dfree (which must be made executable) could be: - -verb( - #!/bin/sh - df $1 | tail -1 | awk '{print $2" "$4}' -) - -or perhaps (on Sys V based systems): - -verb( - #!/bin/sh - /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' -) - - Note that you may have to replace the command names with full -path names on some systems. - -label(directory) -dit(bf(directory (S))) - -Synonym for link(bf(path))(path). - -label(directorymask) -dit(bf(directory mask (S))) - -This parameter is the octal modes which are used when converting DOS -modes to UNIX modes when creating UNIX directories. - -When a directory is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a directory. Any bit em(*not*) set here will be removed from the -modes set on a directory when it is created. - -The default value of this parameter removes the 'group' and 'other' -write bits from the UNIX mode, allowing only the user who owns the -directory to modify it. - -Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force directory mode" -parameter. This parameter is set to 000 by default (i.e. no extra mode -bits are added). - -See the link(bf("force directory mode"))(forcedirectorymode) parameter -to cause particular mode bits to always be set on created directories. - -See also the link(bf("create mode"))(createmode) parameter for masking -mode bits on created files, and the link(bf("directory security mask"))(directorysecuritymask) -parameter. - -See also the link(bf("inherit permissions"))(inheritpermissions) parameter. 
- - bf(Default:) -tt( directory mask = 0755) - - bf(Example:) -tt( directory mask = 0775) - -label(directorymode) -dit(bf(directory mode (S))) - -Synonym for link(bf(directory mask))(directorymask). - -label(directorysecuritymask) -dit(bf(directory security mask (S))) - -This parameter controls what UNIX permission bits can be modified -when a Windows NT client is manipulating the UNIX permission on a -directory using the native NT security dialog box. - -This parameter is applied as a mask (AND'ed with) to the changed -permission bits, thus preventing any bits not in this mask from -being modified. Essentially, zero bits in this mask may be treated -as a set of bits the user is not allowed to change. - -If not set explicitly this parameter is set to the same value as the -link(bf(directory mask))(directorymask) parameter. To allow a user to -modify all the user/group/world permissions on a directory, set this -parameter to 0777. - -em(Note) that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0777. - -See also the link(bf(force directory security -mode))(forcedirectorysecuritymode), link(bf(security -mask))(securitymask), link(bf(force security mode))(forcesecuritymode) -parameters. - - bf(Default:) -tt( directory security mask = <same as directory mask>) - - bf(Example:) -tt( directory security mask = 0777) - -label(dnsproxy) -dit(bf(dns proxy (G))) - -Specifies that url(bf(nmbd))(nmbd.8.html) when acting as a WINS -server and finding that a NetBIOS name has not been registered, should -treat the NetBIOS name word-for-word as a DNS name and do a lookup -with the DNS server for that name on behalf of the name-querying -client. - -Note that the maximum length for a NetBIOS name is 15 characters, so -the DNS name (or DNS alias) can likewise only be 15 characters, -maximum. 
- -url(bf(nmbd))(nmbd.8.html) spawns a second copy of itself to do the -DNS name lookup requests, as doing a name lookup is a blocking action. - -See also the parameter link(bf(wins support))(winssupport). - - bf(Default:) -tt( dns proxy = yes) - -label(domainadmingroup) -bf(domain admin group (G)) - -This is an bf(EXPERIMENTAL) parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list bf(Samba-ntdom) available by visiting the web page at -url(http://lists.samba.org/)(http://lists.samba.org/) - -label(domainadminusers) -dit(bf(domain admin users (G))) - -This is an bf(EXPERIMENTAL) parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list bf(Samba-ntdom) available by visiting the web page at -url(http://lists.samba.org/)(http://lists.samba.org/) - -label(domaingroups) -dit(bf(domain groups (G))) - -This is an bf(EXPERIMENTAL) parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list bf(Samba-ntdom) available by visiting the web page at -url(http://lists.samba.org/)(http://lists.samba.org/) - -label(domainguestgroup) -dit(bf(domain guest group (G))) - -This is an bf(EXPERIMENTAL) parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. 
-To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list bf(Samba-ntdom) available by visiting the web page at -url(http://lists.samba.org/)(http://lists.samba.org/) - -label(domainguestusers) -dit(bf(domain guest users (G))) - -This is an bf(EXPERIMENTAL) parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list bf(Samba-ntdom) available by visiting the web page at -url(http://lists.samba.org/)(http://lists.samba.org/) - -label(domainlogons) -dit(bf(domain logons (G))) - -If set to true, the Samba server will serve Windows 95/98 Domain -logons for the link(bf(workgroup))(workgroup) it is in. For more -details on setting up this feature see the file DOMAINS.txt in the -Samba documentation directory tt(docs/) shipped with the source code. - -Note that Win95/98 Domain logons are em(NOT) the same as Windows -NT Domain logons. NT Domain logons require a Primary Domain Controller -(PDC) for the Domain. It is intended that in a future release Samba -will be able to provide this functionality for Windows NT clients -also. - - bf(Default:) -tt( domain logons = no) - -label(domainmaster) -dit(bf(domain master (G))) - -Tell url(bf(nmbd))(nmbd.8.html) to enable WAN-wide browse list -collation. Setting this option causes url(bf(nmbd))(nmbd.8.html) to -claim a special domain specific NetBIOS name that identifies it as a -domain master browser for its given -link(bf(workgroup))(workgroup). Local master browsers in the same -link(bf(workgroup))(workgroup) on broadcast-isolated subnets will give -this url(bf(nmbd))(nmbd.8.html) their local browse lists, and then -ask url(bf(smbd))(smbd.8.html) for a complete copy of the browse list -for the whole wide area network. 
Browser clients will then contact -their local master browser, and will receive the domain-wide browse -list, instead of just the list for their broadcast-isolated subnet. - -Note that Windows NT Primary Domain Controllers expect to be able to -claim this link(bf(workgroup))(workgroup) specific special NetBIOS -name that identifies them as domain master browsers for that -link(bf(workgroup))(workgroup) by default (i.e. there is no way to -prevent a Windows NT PDC from attempting to do this). This means that -if this parameter is set and url(bf(nmbd))(nmbd.8.html) claims the -special name for a link(bf(workgroup))(workgroup) before a Windows NT -PDC is able to do so then cross subnet browsing will behave strangely -and may fail. - - bf(Default:) -tt( domain master = no) - -label(dont descend) -dit(bf(dont descend (S))) - -There are certain directories on some systems (e.g., the tt(/proc) tree -under Linux) that are either not of interest to clients or are -infinitely deep (recursive). This parameter allows you to specify a -comma-delimited list of directories that the server should always show -as empty. - -Note that Samba can be very fussy about the exact format of the "dont -descend" entries. For example you may need tt("./proc") instead of -just tt("/proc"). Experimentation is the best policy :-) - - bf(Default:) -tt( none (i.e., all directories are OK to descend)) - - bf(Example:) -tt( dont descend = /proc,/dev) - -label(dosfiletimeresolution) -dit(bf(dos filetime resolution (S))) - -Under the DOS and Windows FAT filesystem, the finest granularity on -time resolution is two seconds. Setting this parameter for a share -causes Samba to round the reported time down to the nearest two second -boundary when a query call that requires one second resolution is made -to url(bf(smbd))(smbd.8.html). - -This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares. 
If oplocks are enabled on a share, -Visual C++ uses two different time reading calls to check if a file -has changed since it was last read. One of these calls uses a -one-second granularity, the other uses a two second granularity. As -the two second call rounds any odd second down, then if the file has a -timestamp of an odd number of seconds then the two timestamps will not -match and Visual C++ will keep reporting the file has changed. Setting -this option causes the two timestamps to match, and Visual C++ is -happy. - - bf(Default:) -tt( dos filetime resolution = False) - - bf(Example:) -tt( dos filetime resolution = True) - -label(dos filetimes) -dit(bf(dos filetimes (S))) - -Under DOS and Windows, if a user can write to a file they can change -the timestamp on it. Under POSIX semantics, only the owner of the file -or root may change the timestamp. By default, Samba runs with POSIX -semantics and refuses to change the timestamp on a file if the user -smbd is acting on behalf of is not the file owner. Setting this option -to True allows DOS semantics and smbd will change the file timestamp as -DOS requires. - - bf(Default:) -tt( dos filetimes = False) - - bf(Example:) -tt( dos filetimes = True) - -label(encryptpasswords) -dit(bf(encrypt passwords (G))) - -This boolean controls whether encrypted passwords will be negotiated -with the client. Note that Windows NT 4.0 SP3 and above and also -Windows 98 will by default expect encrypted passwords unless a -registry entry is changed. To use encrypted passwords in Samba see the -file ENCRYPTION.txt in the Samba documentation directory tt(docs/) -shipped with the source code. 
- -In order for encrypted passwords to work correctly -url(bf(smbd))(smbd.8.html) must either have access to a local -url(bf(smbpasswd (5)))(smbpasswd.5.html) file (see the -url(bf(smbpasswd (8)))(smbpasswd.8.html) program for information on -how to set up and maintain this file), or set the -link(bf(security=))(security) parameter to either -link(bf("server"))(securityequalserver) or -link(bf("domain"))(securityequaldomain) which causes -url(bf(smbd))(smbd.8.html) to authenticate against another server. - -label(enhancedbrowsing) -dit(bf(enhanced browsing (G))) - -This option enables a couple of enhancements to cross-subnet browse -propogation that have been added in Samba but which are not standard -in Microsoft implementations. Enhanced browsing is enabled by -default, and can be diabled using "enhanced browsing = No". - -The first enhancement to browse propogation consists of a regular -wildcard query to a Samba WINS server for all Domain Master Browsers, -followed by a browse synchronisation with each of the returned -DMBs. The second enhancement consists of a regular randomised browse -synchronisation with all currently known DMBs. - -You may wish to disable this option if you have a problem with empty -workgroups not disappearing from browse lists. Due to the restrictions -of the browse protocols these enhancements can cause a empty workgroup -to stay around forever which can be annoying. - -In general you should leave this option enabled as it makes -cross-subnet browse propogation much more reliable. - -label(exec) -dit(bf(exec (S))) - -This is a synonym for link(bf(preexec))(preexec). - -label(fake directory create times) -dit(bf(fake directory create times (S))) - -NTFS and Windows VFAT file systems keep a create time for all files -and directories. This is not the same as the ctime - status change -time - that Unix keeps, so Samba by default reports the earliest of -the various times Unix does keep. 
Setting this parameter for a share -causes Samba to always report midnight 1-1-1980 as the create time for -directories. - -This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares. Visual C++ generated makefiles have -the object directory as a dependency for each object file, and a make -rule to create the directory. Also, when NMAKE compares timestamps it -uses the creation time when examining a directory. Thus the object -directory will be created if it does not exist, but once it does exist -it will always have an earlier timestamp than the object files it -contains. - -However, Unix time semantics mean that the create time reported by -Samba will be updated whenever a file is created or deleted in the -directory. NMAKE therefore finds all object files in the object -directory bar the last one built are out of date compared to the -directory and rebuilds them. Enabling this option ensures directories -always predate their contents and an NMAKE build will proceed as -expected. - - bf(Default:) -tt( fake directory create times = False) - - bf(Example:) -tt( fake directory create times = True) - -label(fakeoplocks) -dit(bf(fake oplocks (S))) - -Oplocks are the way that SMB clients get permission from a server to -locally cache file operations. If a server grants an oplock -(opportunistic lock) then the client is free to assume that it is the -only one accessing the file and it will aggressively cache file -data. With some oplock types the client may even cache file open/close -operations. This can give enormous performance benefits. - -When you set tt("fake oplocks = yes") url(bf(smbd))(smbd.8.html) will -always grant oplock requests no matter how many clients are using the -file. - -It is generally much better to use the real link(bf(oplocks))(oplocks) -support rather than this parameter. 
- -If you enable this option on all read-only shares or shares that you -know will only be accessed from one client at a time such as -physically read-only media like CDROMs, you will see a big performance -improvement on many operations. If you enable this option on shares -where multiple clients may be accessing the files read-write at the -same time you can get data corruption. Use this option carefully! - -This option is disabled by default. - -label(followsymlinks) -dit(bf(follow symlinks (S))) - -This parameter allows the Samba administrator to stop -url(bf(smbd))(smbd.8.html) from following symbolic links in a -particular share. Setting this parameter to em("No") prevents any file -or directory that is a symbolic link from being followed (the user -will get an error). This option is very useful to stop users from -adding a symbolic link to tt(/etc/passwd) in their home directory for -instance. However it will slow filename lookups down slightly. - -This option is enabled (i.e. url(bf(smbd))(smbd.8.html) will follow -symbolic links) by default. - -label(forcecreatemode) -dit(bf(force create mode (S))) - -This parameter specifies a set of UNIX mode bit permissions that will -em(*always*) be set on a file by Samba. This is done by bitwise -'OR'ing these bits onto the mode bits of a file that is being created -or having its permissions changed. The default for this parameter is -(in octal) 000. The modes in this parameter are bitwise 'OR'ed onto -the file mode after the mask set in the link(bf("create -mask"))(createmask) parameter is applied. - -See also the parameter link(bf("create mask"))(createmask) for details -on masking mode bits on files. - -See also the link(bf("inherit permissions"))(inheritpermissions) parameter. 
- - bf(Default:) -tt( force create mode = 000) - - bf(Example:) -tt( force create mode = 0755) - -would force all created files to have read and execute permissions set -for 'group' and 'other' as well as the read/write/execute bits set for -the 'user'. - -label(forcedirectorymode) -dit(bf(force directory mode (S))) - -This parameter specifies a set of UNIX mode bit permissions that will -em(*always*) be set on a directory created by Samba. This is done by -bitwise 'OR'ing these bits onto the mode bits of a directory that is -being created. The default for this parameter is (in octal) 0000 which -will not add any extra permission bits to a created directory. This -operation is done after the mode mask in the parameter -link(bf("directory mask"))(directorymask) is applied. - -See also the parameter link(bf("directory mask"))(directorymask) for -details on masking mode bits on created directories. - -See also the link(bf("inherit permissions"))(inheritpermissions) parameter. - - bf(Default:) -tt( force directory mode = 000) - - bf(Example:) -tt( force directory mode = 0755) - -would force all created directories to have read and execute -permissions set for 'group' and 'other' as well as the -read/write/execute bits set for the 'user'. - -label(forcedirectorysecuritymode) -dit(bf(force directory security mode (S))) - -This parameter controls what UNIX permission bits can be modified when -a Windows NT client is manipulating the UNIX permission on a directory -using the native NT security dialog box. - -This parameter is applied as a mask (OR'ed with) to the changed -permission bits, thus forcing any bits in this mask that the user may -have modified to be on. Essentially, one bits in this mask may be -treated as a set of bits that, when modifying security on a directory, -the user has always set to be 'on'. - -If not set explicitly this parameter is set to the same value as the -link(bf(force directory mode))(forcedirectorymode) parameter. 
To allow -a user to modify all the user/group/world permissions on a directory, -with restrictions set this parameter to 000. - -em(Note) that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0000. - -See also the link(bf(directory security mask))(directorysecuritymask), -link(bf(security mask))(securitymask), link(bf(force security -mode))(forcesecuritymode) parameters. - - bf(Default:) -tt( force directory security mode = <same as force directory mode>) - - bf(Example:) -tt( force directory security mode = 0) - -label(forcegroup) -dit(bf(force group (S))) - -This specifies a UNIX group name that will be assigned as the default -primary group for all users connecting to this service. This is useful -for sharing files by ensuring that all access to files on service will -use the named group for their permissions checking. Thus, by assigning -permissions for this group to the files and directories within this -service the Samba administrator can restrict or allow sharing of these -files. - -In Samba 2.0.5 and above this parameter has extended functionality in the following -way. If the group name listed here has a '+' character prepended to it -then the current user accessing the share only has the primary group -default assigned to this group if they are already assigned as a member -of that group. This allows an administrator to decide that only users -who are already in a particular group will create files with group -ownership set to that group. This gives a finer granularity of ownership -assignment. For example, the setting tt(force group = +sys) means -that only users who are already in group sys will have their default -primary group assigned to sys when accessing this Samba share. All -other users will retain their ordinary primary group. 
- -If the link(bf("force user"))(forceuser) parameter is also set the -group specified in bf(force group) will override the primary group -set in link(bf("force user"))(forceuser). - -See also link(bf("force user"))(forceuser) - - bf(Default:) -tt( no forced group) - - bf(Example:) -tt( force group = agroup) - -label(forcesecuritymode) -dit(bf(force security mode (S))) - -This parameter controls what UNIX permission bits can be modified when -a Windows NT client is manipulating the UNIX permission on a file -using the native NT security dialog box. - -This parameter is applied as a mask (OR'ed with) to the changed -permission bits, thus forcing any bits in this mask that the user may -have modified to be on. Essentially, one bits in this mask may be -treated as a set of bits that, when modifying security on a file, the -user has always set to be 'on'. - -If not set explicitly this parameter is set to the same value as the -link(bf(force create mode))(forcecreatemode) parameter. To allow -a user to modify all the user/group/world permissions on a file, -with no restrictions set this parameter to 000. - -em(Note) that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0000. - -See also the link(bf(force directory security -mode))(forcedirectorysecuritymode), link(bf(directory security -mask))(directorysecuritymask), link(bf(security mask))(securitymask) -parameters. - - bf(Default:) -tt( force security mode = <same as force create mode>) - - bf(Example:) -tt( force security mode = 0) - -label(forceuser) -dit(bf(force user (S))) - -This specifies a UNIX user name that will be assigned as the default -user for all users connecting to this service. This is useful for -sharing files. You should also use it carefully as using it -incorrectly can cause security problems. 
- -This user name only gets used once a connection is established. Thus -clients still need to connect as a valid user and supply a valid -password. Once connected, all file operations will be performed as the -tt("forced user"), no matter what username the client connected as. - -This can be very useful. - -In Samba 2.0.5 and above this parameter also causes the primary -group of the forced user to be used as the primary group for all -file activity. Prior to 2.0.5 the primary group was left as the -primary group of the connecting user (this was a bug). - -See also link(bf("force group"))(forcegroup) - - bf(Default:) -tt( no forced user) - - bf(Example:) -tt( force user = auser) - -label(fstype) -dit(bf(fstype (S))) - -This parameter allows the administrator to configure the string that -specifies the type of filesystem a share is using that is reported by -url(bf(smbd))(smbd.8.html) when a client queries the filesystem type -for a share. The default type is bf("NTFS") for compatibility with -Windows NT but this can be changed to other strings such as "Samba" or -"FAT" if required. - - bf(Default:) -tt( fstype = NTFS) - - bf(Example:) -tt( fstype = Samba) - -label(getwdcache) -dit(bf(getwd cache (G))) - -This is a tuning option. When this is enabled a caching algorithm -will be used to reduce the time taken for getwd() calls. This can have -a significant impact on performance, especially when the -link(bf(widelinks))(widelinks) parameter is set to False. - - bf(Default:) -tt( getwd cache = No) - - bf(Example:) -tt( getwd cache = Yes) - -label(group) -dit(bf(group (S))) - -Synonym for link(bf("force group"))(forcegroup). - -label(guestaccount) -dit(bf(guest account (S))) - -This is a username which will be used for access to services which are -specified as link(bf('guest ok'))(guestok) (see below). Whatever -privileges this user has will be available to any client connecting to -the guest service. 
Typically this user will exist in the password -file, but will not have a valid login. The user account bf("ftp") is -often a good choice for this parameter. If a username is specified in -a given service, the specified username overrides this one. - -One some systems the default guest account "nobody" may not be able to -print. Use another account in this case. You should test this by -trying to log in as your guest user (perhaps by using the tt("su -") -command) and trying to print using the system print command such as -bf(lpr (1)) or bf(lp (1)). - - bf(Default:) -tt( specified at compile time, usually "nobody") - - bf(Example:) -tt( guest account = ftp) - -label(guestok) -dit(bf(guest ok (S))) - -If this parameter is em('yes') for a service, then no password is -required to connect to the service. Privileges will be those of the -link(bf(guest account))(guestaccount). - -See the section below on link(bf(security))(security) for more -information about this option. - - bf(Default:) -tt( guest ok = no) - - bf(Example:) -tt( guest ok = yes) - -label(guestonly) -dit(bf(guest only (S))) - -If this parameter is em('yes') for a service, then only guest -connections to the service are permitted. This parameter will have no -affect if link(bf("guest ok"))(guestok) or link(bf("public"))(public) -is not set for the service. - -See the section below on link(bf(security))(security) for more -information about this option. - - bf(Default:) -tt( guest only = no) - - bf(Example:) -tt( guest only = yes) - -label(hidedotfiles) -dit(bf(hide dot files (S))) - -This is a boolean parameter that controls whether files starting with -a dot appear as hidden files. - - bf(Default:) -tt( hide dot files = yes) - - bf(Example:) -tt( hide dot files = no) - - -label(hidefiles) -dit(bf(hide files(S))) - -This is a list of files or directories that are not visible but are -accessible. The DOS 'hidden' attribute is applied to any files or -directories that match. 
- -Each entry in the list must be separated by a tt('/'), which allows -spaces to be included in the entry. tt('*') and tt('?') can be used -to specify multiple files or directories as in DOS wildcards. - -Each entry must be a Unix path, not a DOS path and must not include the -Unix directory separator tt('/'). - -Note that the case sensitivity option is applicable in hiding files. - -Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned. - -See also link(bf("hide dot files"))(hidedotfiles), link(bf("veto -files"))(vetofiles) and link(bf("case sensitive"))(casesensitive). - - bf(Default) -verb( - No files or directories are hidden by this option (dot files are - hidden by default because of the "hide dot files" option). -) - - bf(Example) -tt( hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/) - -The above example is based on files that the Macintosh SMB client -(DAVE) available from url(bf(Thursby))(http://www.thursby.com) creates for -internal use, and also still hides all files beginning with a dot. - -label(hidelocalusers) -dit(bf(hide local users(G))) - -This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc) -from remote clients. - - bf(Default:) -tt( hide local users = No) - - bf(Example:) -tt( hide local users = Yes) - -label(homedirmap) -dit(bf(homedir map (G))) - -If link(bf("nis homedir"))(nishomedir) is true, and -url(bf(smbd))(smbd.8.html) is also acting as a Win95/98 link(bf(logon -server))(domainlogons) then this parameter specifies the NIS (or YP) -map from which the server for the user's home directory should be -extracted. At present, only the Sun auto.home map format is -understood. The form of the map is: - -tt(username server:/some/file/system) - -and the program will extract the servername from before the first -tt(':'). 
There should probably be a better parsing system that copes -with different map formats and also Amd (another automounter) maps. - -NB: A working NIS is required on the system for this option to work. - -See also link(bf("nis homedir"))(nishomedir), link(bf(domain -logons))(domainlogons). - - bf(Default:) -tt( homedir map = auto.home) - - bf(Example:) -tt( homedir map = amd.homedir) - -label(hostsallow) -dit(bf(hosts allow (S))) - -A synonym for this parameter is link(bf('allow hosts'))(allowhosts) - -This parameter is a comma, space, or tab delimited set of hosts which -are permitted to access a service. - -If specified in the link(bf([global]))(global) section then it will -apply to all services, regardless of whether the individual service -has a different setting. - -You can specify the hosts by name or IP number. For example, you could -restrict access to only the hosts on a Class C subnet with something -like tt("allow hosts = 150.203.5."). The full syntax of the list is -described in the man page bf(hosts_access (5)). Note that this man -page may not be present on your system, so a brief description will -be given here also. - -Note that the localhost address 127.0.0.1 will always be allowed -access unless specifically denied by a "hosts deny" option. - -You can also specify hosts by network/netmask pairs and by netgroup -names if your system supports netgroups. The em(EXCEPT) keyword can also -be used to limit a wildcard list. The following examples may provide -some help: - -bf(Example 1): allow all IPs in 150.203.*.* except one - -tt( hosts allow = 150.203. 
EXCEPT 150.203.6.66) - -bf(Example 2): allow hosts that match the given network/netmask - -tt( hosts allow = 150.203.15.0/255.255.255.0) - -bf(Example 3): allow a couple of hosts - -tt( hosts allow = lapland, arvidsjaur) - -bf(Example 4): allow only hosts in NIS netgroup "foonet", but -deny access from one particular host - -tt( hosts allow = @foonet) - -tt( hosts deny = pirate) - -Note that access still requires suitable user-level passwords. - -See url(bf(testparm (1)))(testparm.1.html) for a way of testing your -host access to see if it does what you expect. - - bf(Default:) -tt( none (i.e., all hosts permitted access)) - - bf(Example:) -tt( allow hosts = 150.203.5. myhost.mynet.edu.au) - - -label(hostsdeny) -dit(bf(hosts deny (S))) - -The opposite of link(bf('hosts allow'))(hostsallow) - hosts listed -here are em(NOT) permitted access to services unless the specific -services have their own lists to override this one. Where the lists -conflict, the link(bf('allow'))(hostsallow) list takes precedence. - - bf(Default:) -tt( none (i.e., no hosts specifically excluded)) - - bf(Example:) -tt( hosts deny = 150.203.4. badhost.mynet.edu.au) - -label(hostsequiv) -dit(bf(hosts equiv (G))) - -If this global parameter is a non-null string, it specifies the name -of a file to read for the names of hosts and users who will be allowed -access without specifying a password. - -This is not be confused with link(bf(hosts allow))(hostsallow) which -is about hosts access to services and is more useful for guest -services. bf(hosts equiv) may be useful for NT clients which will not -supply passwords to samba. - -NOTE: The use of bf(hosts equiv) can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -bf(hosts equiv) option be only used if you really know what you are -doing, or perhaps on a home network where you trust your spouse and -kids. 
And only if you em(really) trust them :-). - - bf(Default) -tt( No host equivalences) - - bf(Example) -tt( hosts equiv = /etc/hosts.equiv) - -label(include) -dit(bf(include (G))) - -This allows you to include one config file inside another. The file -is included literally, as though typed in place. - -It takes the standard substitutions, except link(bf(%u))(percentu), -link(bf(%P))(percentP) and link(bf(%S))(percentS). - -label(inheritpermissions) -dit(bf(inherit permissions (S))) - -The permissions on new files and directories are normally governed by -link(bf("create mask"))(createmask), -link(bf("directory mask"))(directorymask), -link(bf("force create mode"))(forcecreatemode) and -link(bf("force directory mode"))(forcedirectorymode) -but the boolean inherit permissions parameter overrides this. - -New directories inherit the mode of the parent directory, -including bits such as setgid. - -New files inherit their read/write bits from the parent directory. -Their execute bits continue to be determined by -link(bf("map archive"))(maparchive), -link(bf("map hidden"))(maphidden) and -link(bf("map system"))(mapsystem) as usual. - -Note that the setuid bit is *never* set via inheritance -(the code explicitly prohibits this). - -This can be particularly useful on large systems with many users, -perhaps several thousand, -to allow a single bf([homes]) share to be used flexibly by each user. - -See also link(bf("create mask"))(createmask), link(bf("directory mask"))(directorymask), -link(bf("force create mode"))(forcecreatemode) and -link(bf("force directory mode"))(forcedirectorymode). - - bf(Default) -tt( inherit permissions = no) - - bf(Example) -tt( inherit permissions = yes) - -label(interfaces) -dit(bf(interfaces (G))) - -This option allows you to override the default network interfaces list -that Samba will use for browsing, name registration and other NBT -traffic. 
By default Samba will query the kernel for the list of all -active interfaces and use any interfaces except 127.0.0.1 that are -broadcast capable. - -The option takes a list of interface strings. Each string can be in -any of the following forms: - -startit() -it() a network interface name (such as eth0). This may include - shell-like wildcards so eth* will match any interface starting - with the substring "eth" -it() an IP address. In this case the netmask is determined - from the list of interfaces obtained from the kernel -it() an IP/mask pair. -it() a broadcast/mask pair. -endit() - -The "mask" parameters can either be a bit length (such as 24 for a C -class network) or a full netmask in dotted decmal form. - -The "IP" parameters above can either be a full dotted decimal IP -address or a hostname which will be looked up via the OSes normal -hostname resolution mechanisms. - -For example, the following line: - -tt(interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0) - -would configure three network interfaces corresponding to the eth0 -device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of -the latter two interfaces would be set to 255.255.255.0. - -See also link(bf("bind interfaces only"))(bindinterfacesonly). - -label(invalidusers) -dit(bf(invalid users (S))) - -This is a list of users that should not be allowed to login to this -service. This is really a em("paranoid") check to absolutely ensure an -improper setting does not breach your security. - -A name starting with a tt('@') is interpreted as an NIS netgroup first -(if your system supports NIS), and then as a UNIX group if the name -was not found in the NIS netgroup database. - -A name starting with tt('+') is interpreted only by looking in the -UNIX group database. A name starting with tt('&') is interpreted only -by looking in the NIS netgroup database (this requires NIS to be -working on your system). 
The characters tt('+') and tt('&') may be -used at the start of the name in either order so the value -tt("+&group") means check the UNIX group database, followed by the NIS -netgroup database, and the value tt("&+group") means check the NIS -netgroup database, followed by the UNIX group database (the same as -the tt('@') prefix). - -The current servicename is substituted for -link(bf(%S))(percentS). This is useful in the link(bf([homes]))(homes) -section. - -See also link(bf("valid users"))(validusers). - - bf(Default:) -tt( No invalid users) - - bf(Example:) -tt( invalid users = root fred admin @wheel) - -label(keepalive) -dit(bf(keepalive (G))) - -The value of the parameter (an integer) represents the number of -seconds between bf('keepalive') packets. If this parameter is zero, no -keepalive packets will be sent. Keepalive packets, if sent, allow the -server to tell whether a client is still present and responding. - -Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see link(bf("socket -options"))(socketoptions)). Basically you should only use this option -if you strike difficulties. - - bf(Default:) -tt( keepalive = 0) - - bf(Example:) -tt( keepalive = 60) - -label(kerneloplocks) -dit(bf(kernel oplocks (G))) - -For UNIXs that support kernel based link(bf(oplocks))(oplocks) -(currently only IRIX but hopefully also Linux and FreeBSD soon) this -parameter allows the use of them to be turned on or off. - -Kernel oplocks support allows Samba link(bf(oplocks))(oplocks) to be -broken whenever a local UNIX process or NFS operation accesses a file -that url(bf(smbd))(smbd.8.html) has oplocked. This allows complete -data consistency between SMB/CIFS, NFS and local file access (and is a -em(very) cool feature :-). - -This parameter defaults to em("On") on systems that have the support, -and em("off") on systems that don't. You should never need to touch -this parameter. 
- -See also the link(bf("oplocks"))(oplocks) and link(bf("level2 oplocks"))(level2oplocks) -parameters. - -label(ldapfilter) -dit(bf(ldap filter (G))) - -This parameter is part of the em(EXPERIMENTAL) Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the bf(--with-ldap) option. - -This parameter specifies an LDAP search filter used to search for a -user name in the LDAP database. It must contain the string -link(bf(%u))(percentU) which will be replaced with the user being -searched for. - - bf(Default:) -tt( empty string.) - -label(ldapport) -dit(bf(ldap port (G))) - -This parameter is part of the em(EXPERIMENTAL) Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the bf(--with-ldap) option. - -This parameter specifies the TCP port number to use to contact -the LDAP server on. - - bf(Default:) -tt( ldap port = 389.) - -label(ldaproot) -dit(bf(ldap root (G))) - -This parameter is part of the em(EXPERIMENTAL) Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the bf(--with-ldap) option. - -This parameter specifies the entity to bind to the LDAP server -as (essentially the LDAP username) in order to be able to perform -queries and modifications on the LDAP database. - -See also link(bf(ldap root passwd))(ldaprootpasswd). - - bf(Default:) -tt( empty string (no user defined)) - -label(ldaprootpasswd) -dit(bf(ldap root passwd (G))) - -This parameter is part of the em(EXPERIMENTAL) Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the bf(--with-ldap) option. 
- -This parameter specifies the password for the entity to bind to the -LDAP server as (the password for this LDAP username) in order to be -able to perform queries and modifications on the LDAP database. - -em(BUGS:) This parameter should em(NOT) be a readable parameter -in the bf(smb.conf) file and will be removed once a correct -storage place is found. - -See also link(bf(ldap root))(ldaproot). - - bf(Default:) -tt( empty string.) - -label(ldapserver) -dit(bf(ldap server (G))) - -This parameter is part of the em(EXPERIMENTAL) Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the bf(--with-ldap) option. - -This parameter specifies the DNS name of the LDAP server to use -for SMB/CIFS authentication purposes. - - bf(Default:) -tt( ldap server = localhost) - -label(ldapsuffix) -dit(bf(ldap suffix (G))) - -This parameter is part of the em(EXPERIMENTAL) Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the bf(--with-ldap) option. - -This parameter specifies the tt("dn") or LDAP em("distinguished name") -that tells url(bf(smbd))(smbd.8.html) to start from when searching -for an entry in the LDAP password database. - - bf(Default:) -tt( empty string.) - -label(level2oplocks) -dit(bf(level2 oplocks (S))) - -This parameter (new in Samba 2.0.5) controls whether Samba supports -level2 (read-only) oplocks on a share. In Samba 2.0.5 this parameter -defaults to "False" as the code is new, but will default to "True" -in a later release. - -Level2, or read-only oplocks allow Windows NT clients that have an -oplock on a file to downgrade from a read-write oplock to a read-only -oplock once a second client opens the file (instead of releasing all -oplocks on a second open, as in traditional, exclusive oplocks). 
This -allows all openers of the file that support level2 oplocks to cache -the file for read-ahead only (ie. they may not cache writes or lock -requests) and increases performance for many acesses of files that -are not commonly written (such as application .EXE files). - -Once one of the clients which have a read-only oplock writes to -the file all clients are notified (no reply is needed or waited -for) and told to break their oplocks to "none" and delete any -read-ahead caches. - -It is recommended that this parameter be turned on to speed access -to shared executables (and also to test the code :-). - -For more discussions on level2 oplocks see the CIFS spec. - -Currently, if link(bf("kernel oplocks"))(kerneloplocks) are supported -then level2 oplocks are not granted (even if this parameter is set -to tt("true")). Note also, the link(bf("oplocks"))(oplocks) parameter must -be set to "true" on this share in order for this parameter to have any -effect. - -See also the link(bf("oplocks"))(oplocks) and link(bf("kernel oplocks"))(kerneloplocks) parameters. - - bf(Default:) -tt( level2 oplocks = False) - - bf(Example:) -tt( level2 oplocks = True) - -label(lmannounce) -dit(bf(lm announce (G))) - -This parameter determines if url(bf(nmbd))(nmbd.8.html) will produce -Lanman announce broadcasts that are needed by bf(OS/2) clients in order -for them to see the Samba server in their browse list. This parameter -can have three values, tt("true"), tt("false"), or tt("auto"). The -default is tt("auto"). If set to tt("false") Samba will never produce -these broadcasts. If set to tt("true") Samba will produce Lanman -announce broadcasts at a frequency set by the parameter link(bf("lm -interval"))(lminterval). If set to tt("auto") Samba will not send Lanman -announce broadcasts by default but will listen for them. If it hears -such a broadcast on the wire it will then start sending them at a -frequency set by the parameter link(bf("lm interval"))(lminterval). 
- -See also link(bf("lm interval"))(lminterval). - - bf(Default:) -tt( lm announce = auto) - - bf(Example:) -tt( lm announce = true) - -label(lminterval) -dit(bf(lm interval (G))) - -If Samba is set to produce Lanman announce broadcasts needed by -bf(OS/2) clients (see the link(bf("lm announce"))(lmannounce) -parameter) then this parameter defines the frequency in seconds with -which they will be made. If this is set to zero then no Lanman -announcements will be made despite the setting of the link(bf("lm -announce"))(lmannounce) parameter. - -See also link(bf("lm announce"))(lmannounce). - - bf(Default:) -tt( lm interval = 60) - - bf(Example:) -tt( lm interval = 120) - -label(loadprinters) -dit(bf(load printers (G))) - -A boolean variable that controls whether all printers in the printcap -will be loaded for browsing by default. See the -link(bf("printers"))(printers) section for more details. - - bf(Default:) -tt( load printers = yes) - - bf(Example:) -tt( load printers = no) - -label(localmaster) -dit(bf(local master (G))) - -This option allows url(bf(nmbd))(nmbd.8.html) to try and become a -local master browser on a subnet. If set to False then -url(bf(nmbd))(nmbd.8.html) will not attempt to become a local master -browser on a subnet and will also lose in all browsing elections. By -default this value is set to true. Setting this value to true doesn't -mean that Samba will em(become) the local master browser on a subnet, -just that url(bf(nmbd))(nmbd.8.html) will em(participate) in -elections for local master browser. - -Setting this value to False will cause url(bf(nmbd))(nmbd.8.html) -em(never) to become a local master browser. - - bf(Default:) -tt( local master = yes) - -label(lock dir) -dit(bf(lock dir (G))) - -Synonym for link(bf("lock directory"))(lockdirectory). - -label(lockdirectory) -dit(bf(lock directory (G))) - -This option specifies the directory where lock files will be placed. 
-The lock files are used to implement the link(bf("max -connections"))(maxconnections) option. - - bf(Default:) -tt( lock directory = /tmp/samba) - - bf(Example:) -tt( lock directory = /usr/local/samba/var/locks) - -label(locking) -dit(bf(locking (S))) - -This controls whether or not locking will be performed by the server -in response to lock requests from the client. - -If tt("locking = no"), all lock and unlock requests will appear to -succeed and all lock queries will indicate that the queried lock is -clear. - -If tt("locking = yes"), real locking will be performed by the server. - -This option em(may) be useful for read-only filesystems which em(may) -not need locking (such as cdrom drives), although setting this -parameter of tt("no") is not really recommended even in this case. - -Be careful about disabling locking either globally or in a specific -service, as lack of locking may result in data corruption. You should -never need to set this parameter. - - bf(Default:) -tt( locking = yes) - - bf(Example:) -tt( locking = no) - -label(logfile) -dit(bf(log file (G))) - -This options allows you to override the name of the Samba log file -(also known as the debug file). - -This option takes the standard substitutions, allowing you to have -separate log files for each user or machine. - - bf(Example:) -tt( log file = /usr/local/samba/var/log.%m) - -label(loglevel) -dit(bf(log level (G))) - -Synonym for link(bf("debug level"))(debuglevel). - -label(logondrive) -dit(bf(logon drive (G))) - -This parameter specifies the local path to which the home directory -will be connected (see link(bf("logon home"))(logonhome)) and is only -used by NT Workstations. - -Note that this option is only useful if Samba is set up as a -link(bf(logon server))(domainlogons). - - bf(Example:) -tt( logon drive = h:) - -label(logonhome) -dit(bf(logon home (G))) - -This parameter specifies the home directory location when a Win95/98 or -NT Workstation logs into a Samba PDC. 
It allows you to do - -tt("NET USE H: /HOME") - -from a command prompt, for example. - -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. - -This parameter can be used with Win9X workstations to ensure that -roaming profiles are stored in a subdirectory of the user's home -directory. This is done in the following way: - -tt(" logon home = \\%L\%U\profile") - -This tells Samba to return the above string, with substitutions made -when a client requests the info, generally in a NetUserGetInfo request. -Win9X clients truncate the info to \\server\share when a user does tt("net use /home"), -but use the whole string when dealing with profiles. - -Note that in prior versions of Samba, the tt("logon path") was returned rather than -tt("logon home"). This broke tt("net use /home") but allowed profiles outside the -home directory. The current implementation is correct, and can be used for profiles -if you use the above trick. - -Note that this option is only useful if Samba is set up as a -link(bf(logon server))(domainlogons). - - bf(Example:) -tt( logon home = "\\remote_smb_server\%U") - - bf(Default:) -tt( logon home = "\\%N\%U") - -label(logonpath) -dit(bf(logon path (G))) - -This parameter specifies the home directory where roaming profiles -(NTuser.dat etc files for Windows NT) are stored. Contrary to previous -versions of these manual pages, it has nothing to do with Win 9X roaming -profiles. To find out how to handle roaming profiles for Win 9X system, see -the tt("logon home") parameter. - -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. It also specifies -the directory from which the tt("application data"), (tt("desktop"), tt("start menu"), -tt("network neighborhood"), tt("programs") and other folders, and their -contents, are loaded and displayed on your Windows NT client. 
- -The share and the path must be readable by the user for the -preferences and directories to be loaded onto the Windows NT -client. The share must be writeable when the logs in for the first -time, in order that the Windows NT client can create the NTuser.dat -and other directories. - -Thereafter, the directories and any of the contents can, if required, be -made read-only. It is not advisable that the NTuser.dat file be made -read-only - rename it to NTuser.man to achieve the desired effect (a -em(MAN)datory profile). - -Windows clients can sometimes maintain a connection to the [homes] -share, even though there is no user logged in. Therefore, it is vital -that the logon path does not include a reference to the homes share -(i.e. setting this parameter to tt(\\%N\HOMES\profile_path) will cause -problems). - -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. - -Note that this option is only useful if Samba is set up as a -link(bf(logon server))(domainlogons). - - bf(Default:) -tt( logon path = \\%N\%U\profile) - - bf(Example:) -tt( logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE) - -label(logonscript) -dit(bf(logon script (G))) - -This parameter specifies the batch file (.bat) or NT command file -(.cmd) to be downloaded and run on a machine when a user successfully -logs in. The file must contain the DOS style cr/lf line endings. -Using a DOS-style editor to create the file is recommended. - -The script must be a relative path to the tt([netlogon]) service. If -the tt([netlogon]) service specifies a link(bf(path))(path) of -/usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the -file that will be downloaded is: - -tt(/usr/local/samba/netlogon/STARTUP.BAT) - -The contents of the batch file is entirely your choice. A suggested -command would be to add tt(NET TIME \\SERVER /SET /YES), to force every -machine to synchronize clocks with the same time server. 
Another use -would be to add tt(NET USE U: \\SERVER\UTILS) for commonly used -utilities, or tt(NET USE Q: \\SERVER\ISO9001_QA) for example. - -Note that it is particularly important not to allow write access to -the tt([netlogon]) share, or to grant users write permission on the -batch files in a secure environment, as this would allow the batch -files to be arbitrarily modified and security to be breached. - -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. - -Note that this option is only useful if Samba is set up as a -link(bf(logon server))(domainlogons). - - bf(Example:) -tt( logon script = scripts\%U.bat) - -label(lppausecommand) -dit(bf(lppause command (S))) - -This parameter specifies the command to be executed on the server host -in order to stop printing or spooling a specific print job. - -This command should be a program or script which takes a printer name -and job number to pause the print job. One way of implementing this is -by using job priorities, where jobs having a too low priority won't be -sent to the printer. - -If a tt("%p") is given then the printername is put in its place. A -tt("%j") is replaced with the job number (an integer). On HPUX (see -link(bf(printing=hpux))(printing)), if the tt("-p%p") option is added -to the lpq command, the job will show up with the correct status, -i.e. if the job priority is lower than the set fence priority it will -have the PAUSED status, whereas if the priority is equal or higher it -will have the SPOOLED or PRINTING status. - -Note that it is good practice to include the absolute path in the -lppause command as the PATH may not be available to the server. - -See also the link(bf("printing"))(printing) parameter. 
- - bf(Default:) - Currently no default value is given to this string, unless the -value of the link(bf("printing"))(printing) parameter is tt(SYSV), in -which case the default is : - -tt( lp -i %p-%j -H hold) - -or if the value of the link(bf("printing"))(printing) parameter is tt(softq), -then the default is: - -tt( qstat -s -j%j -h) - - bf(Example for HPUX:) - lppause command = /usr/bin/lpalt %p-%j -p0 - -label(lpqcachetime) -dit(bf(lpq cache time (G))) - -This controls how long lpq info will be cached for to prevent the -bf(lpq) command being called too often. A separate cache is kept for -each variation of the bf(lpq) command used by the system, so if you -use different bf(lpq) commands for different users then they won't -share cache information. - -The cache files are stored in tt(/tmp/lpq.xxxx) where xxxx is a hash of -the bf(lpq) command in use. - -The default is 10 seconds, meaning that the cached results of a -previous identical bf(lpq) command will be used if the cached data is -less than 10 seconds old. A large value may be advisable if your -bf(lpq) command is very slow. - -A value of 0 will disable caching completely. - -See also the link(bf("printing"))(printing) parameter. - - bf(Default:) -tt( lpq cache time = 10) - - bf(Example:) -tt( lpq cache time = 30) - -label(lpqcommand) -dit(bf(lpq command (S))) - -This parameter specifies the command to be executed on the server host -in order to obtain tt("lpq")-style printer status information. - -This command should be a program or script which takes a printer name -as its only parameter and outputs printer status information. - -Currently eight styles of printer status information are supported; -BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX -systems. You control which type is expected using the -link(bf("printing ="))(printing) option. 
- -Some clients (notably Windows for Workgroups) may not correctly send -the connection number for the printer they are requesting status -information about. To get around this, the server reports on the first -printer service connected to by the client. This only happens if the -connection number sent is invalid. - -If a tt(%p) is given then the printername is put in its place. Otherwise -it is placed at the end of the command. - -Note that it is good practice to include the absolute path in the bf(lpq -command) as the PATH may not be available to the server. - -See also the link(bf("printing"))(printing) parameter. - - bf(Default:) -tt( depends on the setting of printing =) - - bf(Example:) -tt( lpq command = /usr/bin/lpq %p) - -label(lpresumecommand) -dit(bf(lpresume command (S))) - -This parameter specifies the command to be executed on the server host -in order to restart or continue printing or spooling a specific print -job. - -This command should be a program or script which takes a printer name -and job number to resume the print job. See also the link(bf("lppause -command"))(lppausecommand) parameter. - -If a tt(%p) is given then the printername is put in its place. A -tt(%j) is replaced with the job number (an integer). - -Note that it is good practice to include the absolute path in the bf(lpresume -command) as the PATH may not be available to the server. - -See also the link(bf("printing"))(printing) parameter. 
- - bf(Default:) - - Currently no default value is given to this string, unless the -value of the link(bf("printing"))(printing) parameter is tt(SYSV), in -which case the default is : - -tt( lp -i %p-%j -H resume) - -or if the value of the link(bf("printing"))(printing) parameter is tt(softq), -then the default is: - -tt( qstat -s -j%j -r) - - bf(Example for HPUX:) -tt( lpresume command = /usr/bin/lpalt %p-%j -p2) - -label(lprmcommand) -dit(bf(lprm command (S))) - -This parameter specifies the command to be executed on the server host -in order to delete a print job. - -This command should be a program or script which takes a printer name -and job number, and deletes the print job. - -If a tt(%p) is given then the printername is put in its place. A -tt(%j) is replaced with the job number (an integer). - -Note that it is good practice to include the absolute path in the -bf(lprm command) as the PATH may not be available to the server. - -See also the link(bf("printing"))(printing) parameter. - - bf(Default:) -tt( depends on the setting of "printing =") - - bf(Example 1:) -tt( lprm command = /usr/bin/lprm -P%p %j) - - bf(Example 2:) -tt( lprm command = /usr/bin/cancel %p-%j) - -label(machinepasswordtimeout) -dit(bf(machine password timeout (G))) - -If a Samba server is a member of an Windows NT Domain (see the -link(bf("security=domain"))(securityequaldomain)) parameter) then -periodically a running url(bf(smbd))(smbd.8.html) process will try and -change the bf(MACHINE ACCOUNT PASWORD) stored in the file called -tt(<Domain>.<Machine>.mac) where tt(<Domain>) is the name of the -Domain we are a member of and tt(<Machine>) is the primary -link(bf("NetBIOS name"))(netbiosname) of the machine -url(bf(smbd))(smbd.8.html) is running on. This parameter specifies how -often this password will be changed, in seconds. The default is one -week (expressed in seconds), the same as a Windows NT Domain member -server. 
- -See also url(bf(smbpasswd (8)))(smbpasswd.8.html), and the -link(bf("security=domain"))(securityequaldomain)) parameter. - - bf(Default:) -tt( machine password timeout = 604800) - -label(magicoutput) -dit(bf(magic output (S))) - -This parameter specifies the name of a file which will contain output -created by a magic script (see the link(bf("magic -script"))(magicscript) parameter below). - -Warning: If two clients use the same link(bf("magic -script"))(magicscript) in the same directory the output file content -is undefined. - - bf(Default:) -tt( magic output = <magic script name>.out) - - bf(Example:) -tt( magic output = myfile.txt) - -label(magicscript) -dit(bf(magic script (S))) - -This parameter specifies the name of a file which, if opened, will be -executed by the server when the file is closed. This allows a UNIX -script to be sent to the Samba host and executed on behalf of the -connected user. - -Scripts executed in this way will be deleted upon completion, -permissions permitting. - -If the script generates output, output will be sent to the file -specified by the link(bf("magic output"))(magicoutput) parameter (see -above). - -Note that some shells are unable to interpret scripts containing -carriage-return-linefeed instead of linefeed as the end-of-line -marker. Magic scripts must be executable em("as is") on the host, -which for some hosts and some shells will require filtering at the DOS -end. - -Magic scripts are em(EXPERIMENTAL) and should em(NOT) be relied upon. - - bf(Default:) -tt( None. Magic scripts disabled.) - - bf(Example:) -tt( magic script = user.csh) - -label(manglecase) -dit(bf(mangle case (S))) - -See the section on link(bf("NAME MANGLING"))(NAMEMANGLING). - -label(manglelocks) -dit(bf(mangle locks (S))) - -This option is was introduced with Samba 2.0.4 and above and has been -removed in Samba 2.0.6 as Samba now dynamically configures such things -on 32 bit systems. 
- -label(mangledmap) -dit(bf(mangled map (S))) - -This is for those who want to directly map UNIX file names which can -not be represented on Windows/DOS. The mangling of names is not always -what is needed. In particular you may have documents with file -extensions that differ between DOS and UNIX. For example, under UNIX -it is common to use tt(".html") for HTML files, whereas under -Windows/DOS tt(".htm") is more commonly used. - -So to map tt("html") to tt("htm") you would use: - -tt( mangled map = (*.html *.htm)) - -One very useful case is to remove the annoying tt(";1") off the ends -of filenames on some CDROMS (only visible under some UNIXs). To do -this use a map of (*;1 *). - - bf(default:) -tt( no mangled map) - - bf(Example:) -tt( mangled map = (*;1 *)) - -label(manglednames) -dit(bf(mangled names (S))) - -This controls whether non-DOS names under UNIX should be mapped to -DOS-compatible names ("mangled") and made visible, or whether non-DOS -names should simply be ignored. - -See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for details -on how to control the mangling process. - -If mangling is used then the mangling algorithm is as follows: - -startit() - -it() The first (up to) five alphanumeric characters before the -rightmost dot of the filename are preserved, forced to upper case, and -appear as the first (up to) five characters of the mangled name. - -it() A tilde tt("~") is appended to the first part of the mangled -name, followed by a two-character unique sequence, based on the -original root name (i.e., the original filename minus its final -extension). The final extension is included in the hash calculation -only if it contains any upper case characters or is longer than three -characters. - -Note that the character to use may be specified using the -link(bf("mangling char"))(manglingchar) option, if you don't like -tt('~'). 
- -it() The first three alphanumeric characters of the final extension -are preserved, forced to upper case and appear as the extension of the -mangled name. The final extension is defined as that part of the -original filename after the rightmost dot. If there are no dots in the -filename, the mangled name will have no extension (except in the case -of link(bf("hidden files"))(hidefiles) - see below). - -it() Files whose UNIX name begins with a dot will be presented as DOS -hidden files. The mangled name will be created as for other filenames, -but with the leading dot removed and tt("___") as its extension regardless -of actual original extension (that's three underscores). - -endit() - -The two-digit hash value consists of upper case alphanumeric -characters. - -This algorithm can cause name collisions only if files in a directory -share the same first five alphanumeric characters. The probability of -such a clash is 1/1300. - -The name mangling (if enabled) allows a file to be copied between UNIX -directories from Windows/DOS while retaining the long UNIX -filename. UNIX files can be renamed to a new extension from -Windows/DOS and will retain the same basename. Mangled names do not -change between sessions. - - bf(Default:) -tt( mangled names = yes) - - bf(Example:) -tt( mangled names = no) - -label(manglingchar) -dit(bf(mangling char (S))) - -This controls what character is used as the em("magic") character in -link(bf(name mangling))(manglednames). The default is a tt('~') but -this may interfere with some software. Use this option to set it to -whatever you prefer. - - bf(Default:) -tt( mangling char = ~) - - bf(Example:) -tt( mangling char = ^) - -label(mangledstack) -dit(bf(mangled stack (G))) - -This parameter controls the number of mangled names that should be -cached in the Samba server url(bf(smbd))(smbd.8.html). 
- -This stack is a list of recently mangled base names (extensions are -only maintained if they are longer than 3 characters or contains upper -case characters). - -The larger this value, the more likely it is that mangled names can be -successfully converted to correct long UNIX names. However, large -stack sizes will slow most directory access. Smaller stacks save -memory in the server (each stack element costs 256 bytes). - -It is not possible to absolutely guarantee correct long file names, so -be prepared for some surprises! - - bf(Default:) -tt( mangled stack = 50) - - bf(Example:) -tt( mangled stack = 100) - -label(maparchive) -dit(bf(map archive (S))) - -This controls whether the DOS archive attribute should be mapped to -the UNIX owner execute bit. The DOS archive bit is set when a file -has been modified since its last backup. One motivation for this -option it to keep Samba/your PC from making any file it touches from -becoming executable under UNIX. This can be quite annoying for shared -source code, documents, etc... - -Note that this requires the link(bf("create mask"))(createmask) -parameter to be set such that owner execute bit is not masked out -(i.e. it must include 100). See the parameter link(bf("create -mask"))(createmask) for details. - - bf(Default:) -tt( map archive = yes) - - bf(Example:) -tt( map archive = no) - -label(maphidden) -dit(bf(map hidden (S))) - -This controls whether DOS style hidden files should be mapped to the -UNIX world execute bit. - -Note that this requires the link(bf("create mask"))(createmask) to be -set such that the world execute bit is not masked out (i.e. it must -include 001). See the parameter link(bf("create mask"))(createmask) -for details. - - bf(Default:) -tt( map hidden = no) - - bf(Example:) -tt( map hidden = yes) - -label(mapsystem) -dit(bf(map system (S))) - -This controls whether DOS style system files should be mapped to the -UNIX group execute bit. 
- -Note that this requires the link(bf("create mask"))(createmask) to be -set such that the group execute bit is not masked out (i.e. it must -include 010). See the parameter link(bf("create mask"))(createmask) -for details. - - bf(Default:) -tt( map system = no) - - bf(Example:) -tt( map system = yes) - -label(maptoguest) -dit(bf(map to guest (G))) - -This parameter is only useful in link(bf(security))(security) modes -other than link(bf("security=share"))(securityequalshare) - i.e. user, -server, and domain. - -This parameter can take three different values, which tell -url(bf(smbd))(smbd.8.html) what to do with user login requests that -don't match a valid UNIX user in some way. - -The three settings are : - -startit() - -it() bf("Never") - Means user login requests with an invalid password -are rejected. This is the default. - -it() bf("Bad User") - Means user logins with an invalid password are -rejected, unless the username does not exist, in which case it is -treated as a guest login and mapped into the link(bf("guest -account"))(guestaccount). - -it() bf("Bad Password") - Means user logins with an invalid -password are treated as a guest login and mapped into the -link(bf("guest account"))(guestaccount). Note that this can -cause problems as it means that any user incorrectly typing their -password will be silently logged on a bf("guest") - and -will not know the reason they cannot access files they think -they should - there will have been no message given to them -that they got their password wrong. Helpdesk services will -em(*hate*) you if you set the bf("map to guest") parameter -this way :-). - -endit() - -Note that this parameter is needed to set up bf("Guest") share -services when using link(bf(security))(security) modes other than -share. 
This is because in these modes the name of the resource being -requested is em(*not*) sent to the server until after the server has -successfully authenticated the client so the server cannot make -authentication decisions at the correct time (connection to the -share) for bf("Guest") shares. - -For people familiar with the older Samba releases, this parameter -maps to the old compile-time setting of the GUEST_SESSSETUP value -in local.h. - - bf(Default:) -tt( map to guest = Never) - bf(Example): -tt( map to guest = Bad User) - -label(maxconnections) -dit(bf(max connections (S))) - -This option allows the number of simultaneous connections to a service -to be limited. If bf("max connections") is greater than 0 then -connections will be refused if this number of connections to the -service are already open. A value of zero mean an unlimited number of -connections may be made. - -Record lock files are used to implement this feature. The lock files -will be stored in the directory specified by the link(bf("lock -directory"))(lockdirectory) option. - - bf(Default:) -tt( max connections = 0) - - bf(Example:) -tt( max connections = 10) - -label(maxdisksize) -dit(bf(max disk size (G))) - -This option allows you to put an upper limit on the apparent size of -disks. If you set this option to 100 then all shares will appear to be -not larger than 100 MB in size. - -Note that this option does not limit the amount of data you can put on -the disk. In the above case you could still store much more than 100 -MB on the disk, but if a client ever asks for the amount of free disk -space or the total disk size then the result will be bounded by the -amount specified in bf("max disk size"). - -This option is primarily useful to work around bugs in some pieces of -software that can't handle very large disks, particularly disks over -1GB in size. - -A bf("max disk size") of 0 means no limit. 
- - bf(Default:) -tt( max disk size = 0) - - bf(Example:) -tt( max disk size = 1000) - -label(maxlogsize) -dit(bf(max log size (G))) - -This option (an integer in kilobytes) specifies the max size the log -file should grow to. Samba periodically checks the size and if it is -exceeded it will rename the file, adding a tt(".old") extension. - -A size of 0 means no limit. - - bf(Default:) -tt( max log size = 5000) - - bf(Example:) -tt( max log size = 1000) - -label(maxmux) -dit(bf(max mux (G))) - -This option controls the maximum number of outstanding simultaneous -SMB operations that samba tells the client it will allow. You should -never need to set this parameter. - - bf(Default:) -tt( max mux = 50) - -label(maxopenfiles) -dit(bf(max open files (G))) - -This parameter limits the maximum number of open files that one -url(bf(smbd))(smbd.8.html) file serving process may have open for -a client at any one time. The default for this parameter is set -very high (10,000) as Samba uses only one bit per unopened file. - -The limit of the number of open files is usually set by the -UNIX per-process file descriptor limit rather than this parameter -so you should never need to touch this parameter. - - bf(Default:) -tt( max open files = 10000) - -label(maxpacket) -dit(bf(max packet (G))) - -Synonym for link(bf("packet size"))(packetsize). - -label(maxttl) -dit(bf(max ttl (G))) - -This option tells url(bf(nmbd))(nmbd.8.html) what the default 'time -to live' of NetBIOS names should be (in seconds) when -url(bf(nmbd))(nmbd.8.html) is requesting a name using either a -broadcast packet or from a WINS server. You should never need to -change this parameter. The default is 3 days. 
- - bf(Default:) -tt( max ttl = 259200) - -label(maxwinsttl) -dit(bf(max wins ttl (G))) - -This option tells url(bf(nmbd))(nmbd.8.html) when acting as a WINS -server link(bf((wins support =true)))(winssupport) what the maximum -'time to live' of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will -grant will be (in seconds). You should never need to change this -parameter. The default is 6 days (518400 seconds). - -See also the link(bf("min wins ttl"))(minwinsttl) parameter. - - bf(Default:) -tt( max wins ttl = 518400) - -label(maxxmit) -dit(bf(max xmit (G))) - -This option controls the maximum packet size that will be negotiated -by Samba. The default is 65535, which is the maximum. In some cases -you may find you get better performance with a smaller value. A value -below 2048 is likely to cause problems. - - bf(Default:) -tt( max xmit = 65535) - - bf(Example:) -tt( max xmit = 8192) - -label(messagecommand) -dit(bf(message command (G))) - -This specifies what command to run when the server receives a WinPopup -style message. - -This would normally be a command that would deliver the message -somehow. How this is to be done is up to your imagination. - -An example is: - -tt( message command = csh -c 'xedit %s;rm %s' &) - -This delivers the message using bf(xedit), then removes it -afterwards. em(NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN -IMMEDIATELY). That's why I have the tt('&') on the end. If it doesn't -return immediately then your PCs may freeze when sending messages -(they should recover after 30secs, hopefully). - -All messages are delivered as the global guest user. The command takes -the standard substitutions, although link(bf(%u))(percentu) won't work -(link(bf(%U))(percentU) may be better in this case). - -Apart from the standard substitutions, some additional ones apply. In -particular: - -startit() - -it() tt("%s") = the filename containing the message. 
- -it() tt("%t") = the destination that the message was sent to (probably the server -name). - -it() tt("%f") = who the message is from. - -endit() - -You could make this command send mail, or whatever else takes your -fancy. Please let us know of any really interesting ideas you have. - -Here's a way of sending the messages as mail to root: - -tt(message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s) - -If you don't have a message command then the message won't be -delivered and Samba will tell the sender there was an -error. Unfortunately WfWg totally ignores the error code and carries -on regardless, saying that the message was delivered. - -If you want to silently delete it then try: - -tt("message command = rm %s"). - - bf(Default:) -tt( no message command) - - bf(Example:) -tt( message command = csh -c 'xedit %s;rm %s' &) - -label(minprintspace) -dit(bf(min print space (S))) - -This sets the minimum amount of free disk space that must be available -before a user will be able to spool a print job. It is specified in -kilobytes. The default is 0, which means a user can always spool a print -job. - -See also the link(bf(printing))(printing) parameter. - - bf(Default:) -tt( min print space = 0) - - bf(Example:) -tt( min print space = 2000) - -label(minpasswdlength) -dit(bf(min passwd length (G))) - -Synonym for link(bf("min password length"))(minpasswordlength). - -label(minpasswordlength) -dit(bf(min password length (G))) - -This option sets the minimum length in characters of a plaintext password -than smbd will accept when performing UNIX password changing. - -See also link(bf("unix password sync"))(unixpasswordsync), -link(bf("passwd program"))(passwdprogram) and link(bf("passwd chat -debug"))(passwdchatdebug). 
- - bf(Default:) -tt( min password length = 5) - - -label(minwinsttl) -dit(bf(min wins ttl (G))) - -This option tells url(bf(nmbd))(nmbd.8.html) when acting as a WINS -server link(bf((wins support = true)))(winssupport) what the minimum -'time to live' of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will -grant will be (in seconds). You should never need to change this -parameter. The default is 6 hours (21600 seconds). - - bf(Default:) -tt( min wins ttl = 21600) - - -label(nameresolveorder) -dit(bf(name resolve order (G))) - -This option is used by the programs in the Samba suite to determine -what naming services and in what order to resolve host names to IP -addresses. The option takes a space separated string of different name -resolution options. - -The options are :"lmhosts", "host", "wins" and "bcast". They cause -names to be resolved as follows : - -startit() - -it() bf(lmhosts) : Lookup an IP address in the Samba lmhosts file. -If the line in lmhosts has no name type attached to the NetBIOS -name (see the url(bf(lmhosts (5)))(lmhosts.5.html) for details) then -any name type matches for lookup. - -it() bf(host) : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system depended for instance on IRIX or -Solaris this may be controlled by the em(/etc/nsswitch.conf) file). -Note that this method is only used if the NetBIOS name type being -queried is the 0x20 (server) name type, otherwise it is ignored. - -it() bf(wins) : Query a name with the IP address listed in the -link(bf(wins server))(winsserver) parameter. If no WINS server has -been specified this method will be ignored. - -it() bf(bcast) : Do a broadcast on each of the known local interfaces -listed in the link(bf(interfaces))(interfaces) parameter. This is the -least reliable of the name resolution methods as it depends on the -target host being on a locally connected subnet. 
- -endit() - - bf(Default:) -tt( name resolve order = lmhosts host wins bcast) - - bf(Example:) -tt( name resolve order = lmhosts bcast host) - -This will cause the local lmhosts file to be examined first, followed -by a broadcast attempt, followed by a normal system hostname lookup. - -label(netbiosaliases) -dit(bf(netbios aliases (G))) - -This is a list of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will -advertise as additional names by which the Samba server is known. This -allows one machine to appear in browse lists under multiple names. If -a machine is acting as a link(bf(browse server))(localmaster) or -link(bf(logon server))(domainlogons) none of these names will be -advertised as either browse server or logon servers, only the primary -name of the machine will be advertised with these capabilities. - -See also link(bf("netbios name"))(netbiosname). - - bf(Default:) -tt( empty string (no additional names)) - - bf(Example:) -tt( netbios aliases = TEST TEST1 TEST2) - -label(netbiosname) -dit(bf(netbios name (G))) - -This sets the NetBIOS name by which a Samba server is known. By -default it is the same as the first component of the host's DNS name. -If a machine is a link(bf(browse server))(localmaster) or -link(bf(logon server))(domainlogons) this name (or the first component -of the hosts DNS name) will be the name that these services are -advertised under. - -See also link(bf("netbios aliases"))(netbiosaliases). - - bf(Default:) -tt( Machine DNS name.) - - bf(Example:) -tt( netbios name = MYNAME) - -label(netbiosscope) -dit(bf(netbios scope (G))) - -This sets the NetBIOS scope that Samba will operate under. This should -not be set unless every machine on your LAN also sets this value. - -label(nishomedir) -dit(bf(nis homedir (G))) - -Get the home share server from a NIS map. For UNIX systems that use an -automounter, the user's home directory will often be mounted on a -workstation on demand from a remote server. 
- -When the Samba logon server is not the actual home directory server, -but is mounting the home directories via NFS then two network hops -would be required to access the users home directory if the logon -server told the client to use itself as the SMB server for home -directories (one over SMB and one over NFS). This can be very -slow. - -This option allows Samba to return the home share as being on a -different server to the logon server and as long as a Samba daemon is -running on the home directory server, it will be mounted on the Samba -client directly from the directory server. When Samba is returning the -home share to the client, it will consult the NIS map specified in -link(bf("homedir map"))(homedirmap) and return the server listed -there. - -Note that for this option to work there must be a working NIS -system and the Samba server with this option must also be a -link(bf(logon server))(domainlogons). - - bf(Default:) -tt( nis homedir = false) - - bf(Example:) -tt( nis homedir = true) - -label(ntaclsupport) -dit(bf(nt acl support (G))) - -This boolean parameter controls whether url(bf(smbd))(smbd.8.html) -will attempt to map UNIX permissions into Windows NT access control lists. - - bf(Default:) -tt( nt acl support = yes) - - bf(Example:) -tt( nt acl support = no) - -label(ntpipesupport) -dit(bf(nt pipe support (G))) - -This boolean parameter controls whether url(bf(smbd))(smbd.8.html) -will allow Windows NT clients to connect to the NT SMB specific -tt(IPC$) pipes. This is a developer debugging option and can be left -alone. - - bf(Default:) -tt( nt pipe support = yes) - -label(ntsmbsupport) -dit(bf(nt smb support (G))) - -This boolean parameter controls whether url(bf(smbd))(smbd.8.html) -will negotiate NT specific SMB support with Windows NT -clients. Although this is a developer debugging option and should be -left alone, benchmarking has discovered that Windows NT clients give -faster performance with this option set to tt("no"). 
This is still -being investigated. If this option is set to tt("no") then Samba -offers exactly the same SMB calls that versions prior to Samba2.0 -offered. This information may be of use if any users are having -problems with NT SMB support. - - bf(Default:) -tt( nt support = yes) - -label(nullpasswords) -dit(bf(null passwords (G))) - -Allow or disallow client access to accounts that have null passwords. - -See also url(bf(smbpasswd (5)))(smbpasswd.5.html). - - bf(Default:) -tt( null passwords = no) - - bf(Example:) -tt( null passwords = yes) - -label(olelockingcompatibility) -dit(bf(ole locking compatibility (G))) - -This parameter allows an administrator to turn off the byte range lock -manipulation that is done within Samba to give compatibility for OLE -applications. Windows OLE applications use byte range locking as a -form of inter-process communication, by locking ranges of bytes around -the 2^32 region of a file range. This can cause certain UNIX lock -managers to crash or otherwise cause problems. Setting this parameter -to tt("no") means you trust your UNIX lock manager to handle such cases -correctly. - - bf(Default:) -tt( ole locking compatibility = yes) - - bf(Example:) -tt( ole locking compatibility = no) - -label(onlyguest) -dit(bf(only guest (S))) - -A synonym for link(bf("guest only"))(guestonly). - -label(onlyuser) -dit(bf(only user (S))) - -This is a boolean option that controls whether connections with -usernames not in the link(bf(user=))(user) list will be allowed. By -default this option is disabled so a client can supply a username to -be used by the server. - -Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the link(bf([homes]))(homes) -section. To get around this you could use "link(bf(user))(user) = -link(bf(%S))(percentS)" which means your link(bf("user"))(user) list -will be just the service name, which for home directories is the name -of the user. 
- -See also the link(bf(user))(user) parameter. - - bf(Default:) -tt( only user = False) - - bf(Example:) -tt( only user = True) - -label(oplocks) -dit(bf(oplocks (S))) - -This boolean option tells smbd whether to issue oplocks (opportunistic -locks) to file open requests on this share. The oplock code can -dramatically (approx. 30% or more) improve the speed of access to files -on Samba servers. It allows the clients to aggressively cache files -locally and you may want to disable this option for unreliable network -environments (it is turned on by default in Windows NT Servers). For -more information see the file Speed.txt in the Samba docs/ directory. - -Oplocks may be selectively turned off on certain files on a per share basis. -See the 'veto oplock files' parameter. On some systems oplocks are recognized -by the underlying operating system. This allows data synchronization between -all access to oplocked files, whether it be via Samba or NFS or a local -UNIX process. See the link(bf(kernel oplocks))(kerneloplocks) parameter -for details. - -See also the link(bf("kernel oplocks"))(kerneloplocks) and -link(bf("level2 oplocks"))(level2oplocks) parameters. - - bf(Default:) -tt( oplocks = True) - - bf(Example:) -tt( oplocks = False) - -label(oplockbreakwaittime) -dit(bf(oplock break wait time (G))) - -This is a tuning parameter added due to bugs in both Windows 9x and WinNT. -If Samba responds to a client too quickly when that client issues an SMB that -can cause an oplock break request, then the client redirector can fail and -not respond to the break request. This tuning parameter (which is set in -milliseconds) is the amount of time Samba will wait before sending an -oplock break request to such (broken) clients. - -em(DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA -OPLOCK CODE). 
- - bf(Default:) -tt( oplock break wait time = 10) - -label(oplockcontentionlimit) -dit(bf(oplock contention limit (S))) - -This is a em(very) advanced url(bf(smbd))(smbd.8.html) tuning option to improve -the efficiency of the granting of oplocks under multiple client contention for the same file. - -In brief it specifies a number, which causes smbd not to grant an oplock even -when requested if the approximate number of clients contending for an oplock on -the same file goes over this limit. This causes url(bf(smbd))(smbd.8.html) to -behave in a similar way to Windows NT. - -em(DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA -OPLOCK CODE). - - bf(Default:) -tt( oplock contention limit = 2) - -label(oslevel) -dit(bf(os level (G))) - -This integer value controls what level Samba advertises itself as for -browse elections. The value of this parameter determines whether -url(bf(nmbd))(nmbd.8.html) has a chance of becoming a local master -browser for the link(bf(WORKGROUP))(workgroup) in the local broadcast -area. The default is zero, which means url(bf(nmbd))(nmbd.8.html) will -lose elections to Windows machines. See BROWSING.txt in the Samba -docs/ directory for details. - - bf(Default:) -tt( os level = 20) - - bf(Example:) -tt( os level = 65 ; This will win against any NT Server) - -label(packetsize) -dit(bf(packet size (G))) - -This is a deprecated parameter that has no effect on the current -Samba code. It is left in the parameter list to prevent breaking -old bf(smb.conf) files. - -label(panicaction) -dit(bf(panic action (G))) - -This is a Samba developer option that allows a system command to be -called when either url(bf(smbd))(smbd.8.html) or -url(bf(nmbd))(nmbd.8.html) crashes. This is usually used to draw -attention to the fact that a problem occurred. 
- - bf(Default:) -tt( panic action = <empty string>) - -label(passwdchat) -dit(bf(passwd chat (G))) - -This string controls the em("chat") conversation that takes places -between url(bf(smbd))(smbd.8.html) and the local password changing -program to change the users password. The string describes a sequence -of response-receive pairs that url(bf(smbd))(smbd.8.html) uses to -determine what to send to the link(bf(passwd))(passwdprogram) program -and what to expect back. If the expected output is not received then -the password is not changed. - -This chat sequence is often quite site specific, depending on what -local methods are used for password control (such as NIS etc). - -The string can contain the macros tt("%o") and tt("%n") which are -substituted for the old and new passwords respectively. It can also -contain the standard macros tt("\n"), tt("\r"), tt("\t") and tt("\s") -to give line-feed, carriage-return, tab and space. - -The string can also contain a tt('*') which matches any sequence of -characters. - -Double quotes can be used to collect strings with spaces in them into -a single string. - -If the send string in any part of the chat sequence is a fullstop -tt(".") then no string is sent. Similarly, is the expect string is a -fullstop then no string is expected. - -Note that if the link(bf("unix password sync"))(unixpasswordsync) -parameter is set to true, then this sequence is called em(*AS ROOT*) -when the SMB password in the smbpasswd file is being changed, without -access to the old password cleartext. In this case the old password -cleartext is set to tt("") (the empty string). - -See also link(bf("unix password sync"))(unixpasswordsync), -link(bf("passwd program"))(passwdprogram) and link(bf("passwd chat -debug"))(passwdchatdebug). 
- - bf(Example:) -verb( passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \ - "*Reenter NEW password*" %n\n "*Password changed*" -) - - bf(Default:) -verb( passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*) - -label(passwdchatdebug) -dit(bf(passwd chat debug (G))) - -This boolean specifies if the passwd chat script parameter is run in -tt("debug") mode. In this mode the strings passed to and received from -the passwd chat are printed in the url(bf(smbd))(smbd.8.html) log with -a link(bf("debug level"))(debuglevel) of 100. This is a dangerous -option as it will allow plaintext passwords to be seen in the -url(bf(smbd))(smbd.8.html) log. It is available to help Samba admins -debug their link(bf("passwd chat"))(passwdchat) scripts when calling -the link(bf("passwd program"))(passwdprogram) and should be turned off -after this has been done. This parameter is off by default. - -See also link(bf("passwd chat"))(passwdchat), link(bf("passwd -program"))(passwdprogram). - - bf(Example:) -tt( passwd chat debug = True) - - bf(Default:) -tt( passwd chat debug = False) - -label(passwdprogram) -dit(bf(passwd program (G))) - -The name of a program that can be used to set UNIX user passwords. -Any occurrences of link(bf(%u))(percentu) will be replaced with the -user name. The user name is checked for existence before calling the -password changing program. - -Also note that many passwd programs insist in em("reasonable") -passwords, such as a minimum length, or the inclusion of mixed case -chars and digits. This can pose a problem as some clients (such as -Windows for Workgroups) uppercase the password before sending it. - -em(Note) that if the link(bf("unix password sync"))(unixpasswordsync) -parameter is set to tt("True") then this program is called em(*AS -ROOT*) before the SMB password in the -url(bf(smbpasswd))(smbpasswd.5.html) file is changed. 
If this UNIX -password change fails, then url(bf(smbd))(smbd.8.html) will fail to -change the SMB password also (this is by design). - -If the link(bf("unix password sync"))(unixpasswordsync) parameter is -set this parameter em(MUST USE ABSOLUTE PATHS) for em(ALL) programs -called, and must be examined for security implications. Note that by -default link(bf("unix password sync"))(unixpasswordsync) is set to -tt("False"). - -See also link(bf("unix password sync"))(unixpasswordsync). - - bf(Default:) -tt( passwd program = /bin/passwd) - - bf(Example:) -tt( passwd program = /sbin/passwd %u) - -label(passwordlevel) -dit(bf(password level (G))) - -Some client/server combinations have difficulty with mixed-case -passwords. One offending client is Windows for Workgroups, which for -some reason forces passwords to upper case when using the LANMAN1 -protocol, but leaves them alone when using COREPLUS! - -This parameter defines the maximum number of characters that may be -upper case in passwords. - -For example, say the password given was tt("FRED"). If bf(password -level) is set to 1, the following combinations would be tried if -tt("FRED") failed: - -tt("Fred"), tt("fred"), tt("fRed"), tt("frEd"), tt("freD") - -If bf(password level) was set to 2, the following combinations would -also be tried: - -tt("FRed"), tt("FrEd"), tt("FreD"), tt("fREd"), tt("fReD"), -tt("frED"), tt(..) - -And so on. - -The higher value this parameter is set to the more likely it is that a -mixed case password will be matched against a single case -password. However, you should be aware that use of this parameter -reduces security and increases the time taken to process a new -connection. - -A value of zero will cause only two attempts to be made - the password -as is and the password in all-lower case. 
- - bf(Default:) -tt( password level = 0) - - bf(Example:) -tt( password level = 4) - -label(passwordserver) -dit(bf(password server (G))) - -By specifying the name of another SMB server (such as a WinNT box) -with this option, and using link(bf("security = domain"))(security) or -link(bf("security = server"))(security) you can get Samba to do all -its username/password validation via a remote server. - -This options sets the name of the password server to use. It must be a -NetBIOS name, so if the machine's NetBIOS name is different from its -internet name then you may have to add its NetBIOS name to the lmhosts -file which is stored in the same directory as the bf(smb.conf) file. - -The name of the password server is looked up using the parameter -link(bf("name resolve order="))(nameresolveorder) and so may resolved -by any method and order described in that parameter. - -The password server much be a machine capable of using the "LM1.2X002" -or the "LM NT 0.12" protocol, and it must be in user level security -mode. - -NOTE: Using a password server means your UNIX box (running Samba) is -only as secure as your password server. em(DO NOT CHOOSE A PASSWORD -SERVER THAT YOU DON'T COMPLETELY TRUST). - -Never point a Samba server at itself for password serving. This will -cause a loop and could lock up your Samba server! - -The name of the password server takes the standard substitutions, but -probably the only useful one is link(bf(%m))(percentm), which means -the Samba server will use the incoming client as the password -server. If you use this then you better trust your clients, and you -better restrict them with hosts allow! 
- -If the link(bf("security"))(security) parameter is set to -bf("domain"), then the list of machines in this option must be a list -of Primary or Backup Domain controllers for the -link(bf(Domain))(workgroup) or the character tt(*), as the Samba server is cryptographicly -in that domain, and will use cryptographicly authenticated RPC calls -to authenticate the user logging on. The advantage of using -link(bf("security=domain"))(securityequaldomain) is that if you list -several hosts in the bf("password server") option then -url(bf(smbd))(smbd.8.html) will try each in turn till it finds one -that responds. This is useful in case your primary server goes down. - -If the bf("password server") option is set to the character tt(*), -then Samba will attempt to auto-locate the Primary or Backup Domain controllers -to authenticate against by doing a query for the name tt(WORKGROUP<1C>) -and then contacting each server returned in the list of IP addresses -from the link(bf(name resolution))(nameresolveorder) source. - -If the link(bf("security"))(security) parameter is set to -link(bf("server"))(securityequalserver), then there are different -restrictions that link(bf("security=domain"))(securityequaldomain) -doesn't suffer from: - -startit() - -it() You may list several password servers in the bf("password server") -parameter, however if an url(bf(smbd))(smbd.8.html) makes a connection -to a password server, and then the password server fails, no more -users will be able to be authenticated from this -url(bf(smbd))(smbd.8.html). This is a restriction of the SMB/CIFS -protocol when in link(bf("security=server"))(securityequalserver) mode -and cannot be fixed in Samba. 
- -it() If you are using a Windows NT server as your password server then -you will have to ensure that your users are able to login from the -Samba server, as when in -link(bf("security=server"))(securityequalserver) mode the network -logon will appear to come from there rather than from the users -workstation. - -endit() - -See also the link(bf("security"))(security) parameter. - - bf(Default:) -tt( password server = <empty string>) - - bf(Example:) -tt( password server = NT-PDC, NT-BDC1, NT-BDC2) - - bf(Example:) -tt( password server = *) - -label(path) -dit(bf(path (S))) - -This parameter specifies a directory to which the user of the service -is to be given access. In the case of printable services, this is -where print data will spool prior to being submitted to the host for -printing. - -For a printable service offering guest access, the service should be -readonly and the path should be world-writeable and have the sticky bit -set. This is not mandatory of course, but you probably won't get the -results you expect if you do otherwise. - -Any occurrences of link(bf(%u))(percentu) in the path will be replaced -with the UNIX username that the client is using on this -connection. Any occurrences of link(bf(%m))(percentm) will be replaced -by the NetBIOS name of the machine they are connecting from. These -replacements are very useful for setting up pseudo home directories -for users. - -Note that this path will be based on link(bf("root dir"))(rootdir) if -one was specified. - - bf(Default:) -tt( none) - - bf(Example:) -tt( path = /home/fred) - -label(postexec) -dit(bf(postexec (S))) - -This option specifies a command to be run whenever the service is -disconnected. It takes the usual substitutions. The command may be run -as the root on some systems. - -An interesting example may be do unmount server resources: - -tt(postexec = /etc/umount /cdrom) - -See also link(bf(preexec))(preexec). 
- - bf(Default:) -tt( none (no command executed)) - - bf(Example:) -tt( postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log) - -label(postscript) -dit(bf(postscript (S))) - -This parameter forces a printer to interpret the print files as -postscript. This is done by adding a tt(%!) to the start of print output. - -This is most useful when you have lots of PCs that persist in putting -a control-D at the start of print jobs, which then confuses your -printer. - - bf(Default:) -tt( postscript = False) - - bf(Example:) -tt( postscript = True) - -label(preexec) -dit(bf(preexec (S))) - -This option specifies a command to be run whenever the service is -connected to. It takes the usual substitutions. - -An interesting example is to send the users a welcome message every -time they log in. Maybe a message of the day? Here is an example: - -verb( - preexec = csh -c 'echo \"Welcome to %S!\" | \ - /usr/local/samba/bin/smbclient -M %m -I %I' & -) - -Of course, this could get annoying after a while :-) - -See also link(bf(preexec close))(preexecclose) and link(bf(postexec))(postexec). - - bf(Default:) -tt( none (no command executed)) - - bf(Example:) -tt( preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log) - -label(preexecclose) -dit(bf(preexec close (S))) - -This boolean option controls whether a non-zero return code from -link(bf("preexec"))(preexec) should close the service being connected to. - - bf(Default:) -tt( preexec close = no) - - bf(Example:) -tt( preexec close = yes) - -label(preferredmaster) -dit(bf(preferred master (G))) - -This boolean parameter controls if url(bf(nmbd))(nmbd.8.html) is a -preferred master browser for its workgroup. - -If this is set to true, on startup, url(bf(nmbd))(nmbd.8.html) will -force an election, and it will have a slight advantage in winning the -election. 
It is recommended that this parameter is used in -conjunction with link(bf("domain master = yes"))(domainmaster), so -that url(bf(nmbd))(nmbd.8.html) can guarantee becoming a domain -master. - -Use this option with caution, because if there are several hosts -(whether Samba servers, Windows 95 or NT) that are preferred master -browsers on the same subnet, they will each periodically and -continuously attempt to become the local master browser. This will -result in unnecessary broadcast traffic and reduced browsing -capabilities. - -See also link(bf(os level))(oslevel). - - bf(Default:) -tt( preferred master = no) - - bf(Example:) -tt( preferred master = yes) - -label(preferedmaster) -dit(bf(prefered master (G))) - -Synonym for link(bf("preferred master"))(preferredmaster) for people -who cannot spell :-). - -label(preload) -dit(bf(preload)) -Synonym for link(bf("auto services"))(autoservices). - -label(preservecase) -dit(bf(preserve case (S))) - -This controls if new filenames are created with the case that the -client passes, or if they are forced to be the tt("default") case. - - bf(Default:) -tt( preserve case = yes) - -See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for a -fuller discussion. - -label(printcommand) -dit(bf(print command (S))) - -After a print job has finished spooling to a service, this command -will be used via a tt(system()) call to process the spool -file. Typically the command specified will submit the spool file to -the host's printing subsystem, but there is no requirement that this -be the case. The server will not remove the spool file, so whatever -command you specify should remove the spool file when it has been -processed, otherwise you will need to manually remove old spool files. - -The print command is simply a text string. 
It will be used verbatim, -with two exceptions: All occurrences of tt("%s") and tt("%f") will be -replaced by the appropriate spool file name, and all occurrences of -tt("%p") will be replaced by the appropriate printer name. The spool -file name is generated automatically by the server, the printer name -is discussed below. - -The print command em(MUST) contain at least one occurrence of tt("%s") -or tt("%f") - the tt("%p") is optional. At the time a job is -submitted, if no printer name is supplied the tt("%p") will be -silently removed from the printer command. - -If specified in the link(bf("[global]"))(global) section, the print -command given will be used for any printable service that does not -have its own print command specified. - -If there is neither a specified print command for a printable service -nor a global print command, spool files will be created but not -processed and (most importantly) not removed. - -Note that printing may fail on some UNIXs from the tt("nobody") -account. If this happens then create an alternative guest account that -can print and set the link(bf("guest account"))(guestaccount) in the -link(bf("[global]"))(global) section. - -You can form quite complex print commands by realizing that they are -just passed to a shell. For example the following will log a print -job, print the file, then remove it. Note that tt(';') is the usual -separator for command in shell scripts. - -tt(print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s) - -You may have to vary this command considerably depending on how you -normally print files on your system. The default for the parameter -varies depending on the setting of the link(bf("printing="))(printing) -parameter. 
- - bf(Default:) - For link(bf("printing="))(printing) BSD, AIX, QNX, LPRNG or PLP : -tt( print command = lpr -r -P%p %s) - - For link(bf("printing="))(printing) SYS or HPUX : -tt( print command = lp -c -d%p %s; rm %s) - - For link(bf("printing="))(printing) SOFTQ : -tt( print command = lp -d%p -s %s; rm %s) - - bf(Example:) -tt( print command = /usr/local/samba/bin/myprintscript %p %s) - -label(printok) -dit(bf(print ok (S))) - -Synonym for link(bf(printable))(printable). - -label(printable) -dit(bf(printable (S))) - -If this parameter is tt("yes"), then clients may open, write to and -submit spool files on the directory specified for the service. - -Note that a printable service will ALWAYS allow writing to the service -path (user privileges permitting) via the spooling of print data. The -link(bf("writeable"))(writeable) parameter controls only non-printing -access to the resource. - - bf(Default:) -tt( printable = no) - - bf(Example:) -tt( printable = yes) - -label(printcap) -dit(bf(printcap (G))) - -Synonym for link(bf(printcapname))(printcapname). - -label(printer admin) -dit(bf(printer admin (S))) - -This is a list of users that can do anything to printers via the -remote administration interfaces offered by MSRPC (usually using a NT -workstation). Note that the root user always has admin rights. - - bf(Default:) -tt( printer admin = <empty string>) - - bf(Example:) -tt( printer admin = admin, @staff) - -label(printcapname) -dit(bf(printcap name (G))) - -This parameter may be used to override the compiled-in default -printcap name used by the server (usually /etc/printcap). See the -discussion of the link(bf([printers]))(printers) section above for -reasons why you might want to do this. - -On System V systems that use bf(lpstat) to list available printers you -can use tt("printcap name = lpstat") to automatically obtain lists of -available printers. 
This is the default for systems that define SYSV -at configure time in Samba (this includes most System V based -systems). If bf("printcap name") is set to bf(lpstat) on these systems -then Samba will launch tt("lpstat -v") and attempt to parse the output -to obtain a printer list. - -A minimal printcap file would look something like this: - -verb( - print1|My Printer 1 - print2|My Printer 2 - print3|My Printer 3 - print4|My Printer 4 - print5|My Printer 5 -) - -where the tt('|') separates aliases of a printer. The fact that the -second alias has a space in it gives a hint to Samba that it's a -comment. - -em(NOTE): Under AIX the default printcap name is -tt("/etc/qconfig"). Samba will assume the file is in AIX tt("qconfig") -format if the string tt("/qconfig") appears in the printcap filename. - - bf(Default:) -tt( printcap name = /etc/printcap) - - bf(Example:) -tt( printcap name = /etc/myprintcap) - -label(printer) -dit(bf(printer (S))) - -This parameter specifies the name of the printer to which print jobs -spooled through a printable service will be sent. - -If specified in the link(bf([global]))(global) section, the printer -name given will be used for any printable service that does not have -its own printer name specified. - - bf(Default:) - none (but may be tt("lp") on many systems) - - bf(Example:) - printer name = laserwriter - -label(printerdriver) -dit(bf(printer driver (S))) - -This option allows you to control the string that clients receive when -they ask the server for the printer driver associated with a -printer. If you are using Windows95 or WindowsNT then you can use this -to automate the setup of printers on your system. - -You need to set this parameter to the exact string (case sensitive) -that describes the appropriate printer driver for your system. If you -don't know the exact string to use then you should first try with no -bf("printer driver") option set and the client will give you a list of -printer drivers. 
The appropriate strings are shown in a scrollbox -after you have chosen the printer manufacturer. - -See also link(bf("printer driver file"))(printerdriverfile). - - bf(Example:) - printer driver = HP LaserJet 4L - -label(printerdriverfile) -dit(bf(printer driver file (G))) - -This parameter tells Samba where the printer driver definition file, -used when serving drivers to Windows 95 clients, is to be found. If -this is not set, the default is : - -tt(SAMBA_INSTALL_DIRECTORY/lib/printers.def) - -This file is created from Windows 95 tt("msprint.inf") files found on -the Windows 95 client system. For more details on setting up serving -of printer drivers to Windows 95 clients, see the documentation file -in the docs/ directory, PRINTER_DRIVER.txt. - - bf(Default:) -tt( None (set in compile).) - - bf(Example:) -tt( printer driver file = /usr/local/samba/printers/drivers.def) - -See also link(bf("printer driver location"))(printerdriverlocation). - -label(printerdriverlocation) -dit(bf(printer driver location (S))) - -This parameter tells clients of a particular printer share where to -find the printer driver files for the automatic installation of -drivers for Windows 95 machines. If Samba is set up to serve printer -drivers to Windows 95 machines, this should be set to - -tt(\\MACHINE\PRINTER$) - -Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ -is a share you set up for serving printer driver files. For more -details on setting this up see the documentation file in the docs/ -directory, PRINTER_DRIVER.txt. - - bf(Default:) -tt( None) - - bf(Example:) -tt( printer driver location = \\MACHINE\PRINTER$) - -See also link(bf("printer driver file"))(printerdriverfile). - -label(printername) -dit(bf(printer name (S))) - -Synonym for link(bf(printer))(printer). - -label(printing) -dit(bf(printing (S))) - -This parameters controls how printer status information is interpreted -on your system. 
It also affects the default values for the -link(bf("print command"))(printcommand), link(bf("lpq -command"))(lpqcommand) link(bf("lppause command"))(lppausecommand), -link(bf("lpresume command"))(lpresumecommand), and link(bf("lprm -command"))(lprmcommand) if specified in the link(bf([global]))(global) -section. - -Currently eight printing styles are supported. They are -bf("printing=BSD"), bf("printing=AIX"), -bf("printing=LPRNG"), bf("printing=PLP"), bf("printing=SYSV"), -bf("printing="HPUX"), bf("printing=QNX"), bf("printing=SOFTQ"), -and bf("printing=CUPS"). - -To see what the defaults are for the other print commands when using -the various options use the url(bf("testparm"))(testparm.1.html) program. - -This option can be set on a per printer basis - -See also the discussion in the link(bf([printers]))(printers) section. - -label(privatedir) -dit(bf(private dir(G))) - -The bf(private dir) parameter allows an administator to define a -directory path used to hold the various databases Samba will use -to store things like a the machine trust account information -when acting as a domain member (i.e. where the secrets.tdb file will -be located), where the passdb.tbd file will stored in the case -of using the experiemental tdbsam support, etc... - - bf(Default:) -tt( private dir = <compile time location of smbpasswd>) - - bf(Example:) -tt( private dir = /etc/smbprivate) - -label(protocol) -dit(bf(protocol (G))) - -The value of the parameter (a string) is the highest protocol level -that will be supported by the server. - -Possible values are : - -startit() - -it() CORE: Earliest version. No concept of user names. - -it() COREPLUS: Slight improvements on CORE for efficiency. - -it() LANMAN1: First em("modern") version of the protocol. Long -filename support. - -it() LANMAN2: Updates to Lanman1 protocol. - -it() NT1: Current up to date version of the protocol. Used by Windows -NT. Known as CIFS. 
- -endit() - -Normally this option should not be set as the automatic negotiation -phase in the SMB protocol takes care of choosing the appropriate -protocol. - - bf(Default:) -tt( protocol = NT1) - - bf(Example:) -tt( protocol = LANMAN1) - -label(public) -dit(bf(public (S))) - -Synonym for link(bf("guest ok"))(guestok). - -label(queuepausecommand) -dit(bf(queuepause command (S))) - -This parameter specifies the command to be executed on the server host -in order to pause the printerqueue. - -This command should be a program or script which takes a printer name -as its only parameter and stops the printerqueue, such that no longer -jobs are submitted to the printer. - -This command is not supported by Windows for Workgroups, but can be -issued from the Printer's window under Windows 95 & NT. - -If a tt("%p") is given then the printername is put in its -place. Otherwise it is placed at the end of the command. - -Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server. - - bf(Default:) -tt( depends on the setting of "printing =") - - bf(Example:) -tt( queuepause command = disable %p) - -label(queueresumecommand) -dit(bf(queueresume command (S))) - -This parameter specifies the command to be executed on the server host -in order to resume the printerqueue. It is the command to undo the -behavior that is caused by the previous parameter -(link(bf("queuepause command))(queuepausecommand)). - -This command should be a program or script which takes a printer name -as its only parameter and resumes the printerqueue, such that queued -jobs are resubmitted to the printer. - -This command is not supported by Windows for Workgroups, but can be -issued from the Printer's window under Windows 95 & NT. - -If a tt("%p") is given then the printername is put in its -place. Otherwise it is placed at the end of the command. 
- -Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server. - - bf(Default:) -tt( depends on the setting of "printing =") - - bf(Example:) -tt( queuepause command = enable %p) - -label(read bmpx) -dit(bf(read bmpx (G))) - -This boolean parameter controls whether url(bf(smbd))(smbd.8.html) -will support the "Read Block Multiplex" SMB. This is now rarely used -and defaults to off. You should never need to set this parameter. - - bf(Default:) - read bmpx = No - -label(readlist) -dit(bf(read list (S))) - -This is a list of users that are given read-only access to a -service. If the connecting user is in this list then they will not be -given write access, no matter what the link(bf("writeable"))(writeable) -option is set to. The list can include group names using the syntax -described in the link(bf("invalid users"))(invalidusers) parameter. - -See also the link(bf("write list"))(writelist) parameter and -the link(bf("invalid users"))(invalidusers) parameter. - - bf(Default:) -tt( read list = <empty string>) - - bf(Example:) -tt( read list = mary, @students) - -label(readonly) -dit(bf(read only (S))) - -Note that this is an inverted synonym for -link(bf("writeable"))(writeable). - -label(readprediction) -dit(bf(read prediction (G))) - -em(NOTE): This code is currently disabled in Samba2.0 and -may be removed at a later date. Hence this parameter has -no effect. - -This options enables or disables the read prediction code used to -speed up reads from the server. When enabled the server will try to -pre-read data from the last accessed file that was opened read-only -while waiting for packets. - - bf(Default:) -tt( read prediction = False) - -label(readraw) -dit(bf(read raw (G))) - -This parameter controls whether or not the server will support the raw -read SMB requests when transferring data to clients. - -If enabled, raw reads allow reads of 65535 bytes in one packet. 
This -typically provides a major performance benefit. - -However, some clients either negotiate the allowable block size -incorrectly or are incapable of supporting larger block sizes, and for -these clients you may need to disable raw reads. - -In general this parameter should be viewed as a system tuning tool and left -severely alone. See also link(bf("write raw"))(writeraw). - - bf(Default:) -tt( read raw = yes) - -label(readsize) -dit(bf(read size (G))) - -The option bf("read size") affects the overlap of disk reads/writes -with network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk. - -This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other. - -The default value is 16384, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the -best value will vary greatly between systems anyway. A value over -65536 is pointless and will cause you to allocate memory -unnecessarily. - - bf(Default:) -tt( read size = 16384) - - bf(Example:) -tt( read size = 8192) - -label(remoteannounce) -dit(bf(remote announce (G))) - -This option allows you to setup url(bf(nmbd))(nmbd.8.html) to -periodically announce itself to arbitrary IP addresses with an -arbitrary workgroup name. - -This is useful if you want your Samba server to appear in a remote -workgroup for which the normal browse propagation rules don't -work. The remote workgroup can be anywhere that you can send IP -packets to. 
- -For example: - -tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF) - -the above line would cause nmbd to announce itself to the two given IP -addresses using the given workgroup names. If you leave out the -workgroup name then the one given in the -link(bf("workgroup"))(workgroup) parameter is used instead. - -The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable. - -See the documentation file BROWSING.txt in the docs/ directory. - - bf(Default:) -tt( remote announce = <empty string>) - - bf(Example:) -tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF) - -label(remotebrowsesync) -dit(bf(remote browse sync (G))) - -This option allows you to setup url(bf(nmbd))(nmbd.8.html) to -periodically request synchronization of browse lists with the master -browser of a samba server that is on a remote segment. This option -will allow you to gain browse lists for multiple workgroups across -routed networks. This is done in a manner that does not work with any -non-samba servers. - -This is useful if you want your Samba server and all local clients to -appear in a remote workgroup for which the normal browse propagation -rules don't work. The remote workgroup can be anywhere that you can -send IP packets to. - -For example: - -tt( remote browse sync = 192.168.2.255 192.168.4.255) - -the above line would cause url(bf(nmbd))(nmbd.8.html) to request the -master browser on the specified subnets or addresses to synchronize -their browse lists with the local server. - -The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable. 
If a machine IP -address is given Samba makes NO attempt to validate that the remote -machine is available, is listening, nor that it is in fact the browse -master on it's segment. - - bf(Default:) -tt( remote browse sync = <empty string>) - - bf(Example:) -tt( remote browse sync = 192.168.2.255 192.168.4.255) - - -label(restrict anonymous) -dit(bf(restrict anonymous (G))) - -This is a boolean parameter. If it is true, then anonymous access -to the server will be restricted, namely in the case where the server -is expecting the client to send a username, but it doesn't. Setting -it to true will force these anonymous connections to be denied, and -the client will be required to always supply a username and password -when connecting. Use of this parameter is only recommened for homogenous -NT client environments. - -This parameter makes the use of macro expansions that rely -on the username (%U, %G, etc) consistant. NT 4.0 likes to use -anonymous connections when refreshing the share list, and this -is a way to work around that. - -When restrict anonymous is true, all anonymous connections are denied -no matter what they are for. This can effect the ability of a machine -to access the samba Primary Domain Controller to revalidate it's machine -account after someone else has logged on the client interactively. The -NT client will display a message saying that the machine's account in -the domain doesn't exist or the password is bad. The best way to deal -with this is to reboot NT client machines between interactive logons, -using "Shutdown and Restart", rather than "Close all programs and logon -as a different user". - - bf(Default:) -tt( restrict anonymous = false) - - bf(Example:) -tt( restrict anonymous = true) - -label(root) -dit(bf(root (G))) - -Synonym for link(bf("root directory"))(rootdirectory). - -label(rootdir) -dit(bf(root dir (G))) - -Synonym for link(bf("root directory"))(rootdirectory). 
- -label(rootdirectory) -dit(bf(root directory (G))) - -The server will tt("chroot()") (i.e. Change it's root directory) to -this directory on startup. This is not strictly necessary for secure -operation. Even without it the server will deny access to files not in -one of the service entries. It may also check for, and deny access to, -soft links to other parts of the filesystem, or attempts to use -tt("..") in file names to access other directories (depending on the -setting of the link(bf("wide links"))(widelinks) parameter). - -Adding a bf("root directory") entry other than tt("/") adds an extra -level of security, but at a price. It absolutely ensures that no -access is given to files not in the sub-tree specified in the bf("root -directory") option, em(*including*) some files needed for complete -operation of the server. To maintain full operability of the server -you will need to mirror some system files into the bf("root -directory") tree. In particular you will need to mirror /etc/passwd -(or a subset of it), and any binaries or configuration files needed -for printing (if required). The set of files that must be mirrored is -operating system dependent. - - bf(Default:) -tt( root directory = /) - -bf(Example:) -tt( root directory = /homes/smb) - -label(rootpostexec) -dit(bf(root postexec (S))) - -This is the same as the link(bf("postexec"))(postexec) parameter -except that the command is run as root. This is useful for unmounting -filesystems (such as cdroms) after a connection is closed. - -See also link(bf("postexec"))(postexec). - -label(rootpreexec) -dit(bf(root preexec (S))) - -This is the same as the link(bf("preexec"))(preexec) parameter except -that the command is run as root. This is useful for mounting -filesystems (such as cdroms) before a connection is finalized. - -See also link(bf("preexec"))(preexec) -and link(bf("root preexec close"))(rootpreexecclose). 
- -label(rootpreexecclose) -dit(bf(root preexec close (S))) - -This is the same as the link(bf("preexec close"))(preexecclose) parameter -except that the command is run as root. - -See also link(bf("preexec"))(preexec), link(bf("preexec close"))(preexecclose). - -label(security) -dit(bf(security (G))) - -This option affects how clients respond to Samba and is one of the most -important settings in the bf(smb.conf) file. - -The option sets the tt("security mode bit") in replies to protocol -negotiations with url(bf(smbd))(smbd.8.html) to turn share level -security on or off. Clients decide based on this bit whether (and how) -to transfer user and password information to the server. - -The default is link("security=user")(securityequaluser), as this is -the most common setting needed when talking to Windows 98 and Windows -NT. - -The alternatives are link(bf("security = share"))(securityequalshare), -link(bf("security = server"))(securityequalserver) or -link(bf("security=domain"))(securityequaldomain). - -em(*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR -PREVIOUS VERSIONS OF SAMBA *******). - -In previous versions of Samba the default was -link(bf("security=share"))(securityequalshare) mainly because that was -the only option at one stage. - -There is a bug in WfWg that has relevance to this setting. When in -user or server level security a WfWg client will totally ignore the -password you type in the "connect drive" dialog box. This makes it -very difficult (if not impossible) to connect to a Samba service as -anyone except the user that you are logged into WfWg as. - -If your PCs use usernames that are the same as their usernames on the -UNIX machine then you will want to use bf("security = user"). If you -mostly use usernames that don't exist on the UNIX box then use -bf("security = share"). - -You should also use link(bf(security=share))(securityequalshare) if -you want to mainly setup shares without a password (guest -shares). 
This is commonly used for a shared printer server. It is more -difficult to setup guest shares with -link(bf(security=user))(securityequaluser), see the link(bf("map to -guest"))(maptoguest)parameter for details. - -It is possible to use url(bf(smbd))(smbd.8.html) in a em("hybrid -mode") where it is offers both user and share level security under -different link(bf(NetBIOS aliases))(netbiosaliases). See the -link(bf(NetBIOS aliases))(netbiosaliases) and the -link(bf(include))(include) parameters for more information. - -The different settings will now be explained. - -startdit() - -label(securityequalshare) -dit(bf("security=share")) When clients connect to a share level -security server then need not log onto the server with a valid -username and password before attempting to connect to a shared -resource (although modern clients such as Windows 95/98 and Windows NT -will send a logon request with a username but no password when talking -to a bf(security=share) server). Instead, the clients send -authentication information (passwords) on a per-share basis, at the -time they attempt to connect to that share. - -Note that url(bf(smbd))(smbd.8.html) em(*ALWAYS*) uses a valid UNIX -user to act on behalf of the client, even in bf("security=share") -level security. - -As clients are not required to send a username to the server -in share level security, url(bf(smbd))(smbd.8.html) uses several -techniques to determine the correct UNIX user to use on behalf -of the client. - -A list of possible UNIX usernames to match with the given -client password is constructed using the following methods : - -startit() - -it() If the link(bf("guest only"))(guestonly) parameter is set, then -all the other stages are missed and only the link(bf("guest -account"))(guestaccount) username is checked. - -it() Is a username is sent with the share connection request, then -this username (after mapping - see link(bf("username -map"))(usernamemap)), is added as a potential username. 
- -it() If the client did a previous em("logon") request (the -SessionSetup SMB call) then the username sent in this SMB -will be added as a potential username. - -it() The name of the service the client requested is added -as a potential username. - -it() The NetBIOS name of the client is added to the list as a -potential username. - -it() Any users on the link(bf("user"))(user) list are added -as potential usernames. - -endit() - -If the link(bf("guest only"))(guestonly) parameter is not set, then -this list is then tried with the supplied password. The first user for -whom the password matches will be used as the UNIX user. - -If the link(bf("guest only"))(guestonly) parameter is set, or no -username can be determined then if the share is marked as available to -the link(bf("guest account"))(guestaccount), then this guest user will -be used, otherwise access is denied. - -Note that it can be em(*very*) confusing in share-level security as to -which UNIX username will eventually be used in granting access. - -See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD -VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION). - -label(securityequaluser) -dit(bf("security=user")) - -This is the default security setting in Samba2.0. With user-level -security a client must first tt("log-on") with a valid username and -password (which can be mapped using the link(bf("username -map"))(usernamemap) parameter). Encrypted passwords (see the -link(bf("encrypted passwords"))(encryptpasswords) parameter) can also -be used in this security mode. Parameters such as -link(bf("user"))(user) and link(bf("guest only"))(guestonly), if set -are then applied and may change the UNIX user to use on this -connection, but only after the user has been successfully -authenticated. - -em(Note) that the name of the resource being requested is -em(*not*) sent to the server until after the server has successfully -authenticated the client. 
This is why guest shares don't work in user -level security without allowing the server to automatically map unknown -users into the link(bf("guest account"))(guestaccount). See the -link(bf("map to guest"))(maptoguest) parameter for details on -doing this. - -See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD -VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION). - -label(securityequalserver) -dit(bf("security=server")) - -In this mode Samba will try to validate the username/password by -passing it to another SMB server, such as an NT box. If this fails it -will revert to bf("security = user"), but note that if encrypted -passwords have been negotiated then Samba cannot revert back to -checking the UNIX password file, it must have a valid smbpasswd file -to check users against. See the documentation file in the docs/ -directory ENCRYPTION.txt for details on how to set this up. - -em(Note) that from the clients point of view bf("security=server") is -the same as link(bf("security=user"))(securityequaluser). It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees. - -em(Note) that the name of the resource being requested is -em(*not*) sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in server -level security without allowing the server to automatically map unknown -users into the link(bf("guest account"))(guestaccount). See the -link(bf("map to guest"))(maptoguest) parameter for details on -doing this. - -See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD -VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION). - -See also the link(bf("password server"))(passwordserver) parameter. -and the link(bf("encrypted passwords"))(encryptpasswords) parameter. 
- -label(securityequaldomain) -dit(bf("security=domain")) - -This mode will only work correctly if -url(bf(smbpasswd))(smbpasswd.8.html) has been used to add this machine -into a Windows NT Domain. It expects the link(bf("encrypted -passwords"))(encryptpasswords) parameter to be set to tt("true"). In -this mode Samba will try to validate the username/password by passing -it to a Windows NT Primary or Backup Domain Controller, in exactly the -same way that a Windows NT Server would do. - -em(Note) that a valid UNIX user must still exist as well as the -account on the Domain Controller to allow Samba to have a valid -UNIX account to map file access to. - -em(Note) that from the clients point of view bf("security=domain") is -the same as link(bf("security=user"))(securityequaluser). It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees. - -em(Note) that the name of the resource being requested is -em(*not*) sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in domain -level security without allowing the server to automatically map unknown -users into the link(bf("guest account"))(guestaccount). See the -link(bf("map to guest"))(maptoguest) parameter for details on -doing this. - -em(BUG:) There is currently a bug in the implementation of -bf("security=domain) with respect to multi-byte character -set usernames. The communication with a Domain Controller -must be done in UNICODE and Samba currently does not widen -multi-byte user names to UNICODE correctly, thus a multi-byte -username will not be recognized correctly at the Domain Controller. -This issue will be addressed in a future release. - -See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD -VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION). - -See also the link(bf("password server"))(passwordserver) parameter. 
-and the link(bf("encrypted passwords"))(encryptpasswords) parameter. - -enddit() - - bf(Default:) -tt( security = USER) - - bf(Example:) -tt( security = DOMAIN) - -label(securitymask) -dit(bf(security mask (S))) - -This parameter controls what UNIX permission bits can be modified -when a Windows NT client is manipulating the UNIX permission on a -file using the native NT security dialog box. - -This parameter is applied as a mask (AND'ed with) to the changed -permission bits, thus preventing any bits not in this mask from -being modified. Essentially, zero bits in this mask may be treated -as a set of bits the user is not allowed to change. - -If not set explicitly this parameter is set to the same value as the -link(bf(create mask))(createmask) parameter. To allow a user to -modify all the user/group/world permissions on a file, set this -parameter to 0777. - -em(Note) that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0777. - -See also the link(bf(force directory security -mode))(forcedirectorysecuritymode), link(bf(directory security -mask))(directorysecuritymask), link(bf(force security -mode))(forcesecuritymode) parameters. - - bf(Default:) -tt( security mask = <same as create mask>) - - bf(Example:) -tt( security mask = 0777) - - -label(serverstring) -dit(bf(server string (G))) - -This controls what string will show up in the printer comment box in -print manager and next to the IPC connection in tt("net view"). It can be -any string that you wish to show to your users. - -It also sets what will appear in browse lists next to the machine -name. - -A tt("%v") will be replaced with the Samba version number. - -A tt("%h") will be replaced with the hostname. 
- - bf(Default:) -tt( server string = Samba %v) - - bf(Example:) -tt( server string = University of GNUs Samba Server) - -label(setdirectory) -dit(bf(set directory (S))) - -If tt("set directory = no"), then users of the service may not use the -setdir command to change directory. - -The setdir command is only implemented in the Digital Pathworks -client. See the Pathworks documentation for details. - - bf(Default:) -tt( set directory = no) - - bf(Example:) -tt( set directory = yes) - -label(sharemodes) -dit(bf(share modes (S))) - -This enables or disables the honoring of the tt("share modes") during a -file open. These modes are used by clients to gain exclusive read or -write access to a file. - -These open modes are not directly supported by UNIX, so they are -simulated using shared memory, or lock files if your UNIX doesn't -support shared memory (almost all do). - -The share modes that are enabled by this option are DENY_DOS, -DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. - -This option gives full share compatibility and enabled by default. - -You should em(*NEVER*) turn this parameter off as many Windows -applications will break if you do so. - - bf(Default:) -tt( share modes = yes) - -label(sharedmemsize) -dit(bf(shared mem size (G))) - -It specifies the size of the shared memory (in bytes) to use between -url(bf(smbd))(smbd.8.html) processes. This parameter defaults to one -megabyte of shared memory. It is possible that if you have a large -server with many files open simultaneously that you may need to -increase this parameter. Signs that this parameter is set too low are -users reporting strange problems trying to save files (locking errors) -and error messages in the smbd log looking like tt("ERROR -smb_shm_alloc : alloc of XX bytes failed"). - -If your OS refuses the size that Samba asks for then Samba will try a -smaller size, reducing by a factor of 0.8 until the OS accepts it. 
- - bf(Default:) -tt( shared mem size = 1048576) - - bf(Example:) -tt( shared mem size = 5242880 ; Set to 5mb for a large number of files.) - -label(shortpreservecase) -dit(bf(short preserve case (S))) - -This boolean parameter controls if new files which conform to 8.3 -syntax, that is all in upper case and of suitable length, are created -upper case, or if they are forced to be the tt("default") case. This -option can be use with link(bf("preserve case -=yes"))(preservecaseoption) to permit long filenames to retain their -case, while short names are lowered. Default em(Yes). - -See the section on link(bf(NAME MANGLING))(NAMEMANGLING). - - bf(Default:) -tt( short preserve case = yes) - -label(smbpasswdfile) -dit(bf(smb passwd file (G))) - -This option sets the path to the encrypted smbpasswd file. By default -the path to the smbpasswd file is compiled into Samba. - - bf(Default:) -tt( smb passwd file= <compiled default>) - - bf(Example:) -tt( smb passwd file = /usr/samba/private/smbpasswd) - -label(smbrun) -dit(bf(smbrun (G))) - -This sets the full path to the bf(smbrun) binary. This defaults to the -value in the Makefile. - -You must get this path right for many services to work correctly. - -You should not need to change this parameter so long as Samba -is installed correctly. - - bf(Default:) -tt( smbrun=<compiled default>) - - bf(Example:) -tt( smbrun = /usr/local/samba/bin/smbrun) - -label(socketaddress) -dit(bf(socket address (G))) - -This option allows you to control what address Samba will listen for -connections on. This is used to support multiple virtual interfaces on -the one server, each with a different configuration. - -By default samba will accept connections on any address. - - bf(Example:) -tt( socket address = 192.168.2.20) - -label(socketoptions) -dit(bf(socket options (G))) - -This option allows you to set socket options to be used when talking -with the client. 
- -Socket options are controls on the networking layer of the operating -systems which allow the connection to be tuned. - -This option will typically be used to tune your Samba server for -optimal performance for your local network. There is no way that Samba -can know what the optimal parameters are for your net, so you must -experiment and choose them yourself. We strongly suggest you read the -appropriate documentation for your operating system first (perhaps -bf("man setsockopt") will help). - -You may find that on some systems Samba will say "Unknown socket -option" when you supply an option. This means you either incorrectly -typed it or you need to add an include file to includes.h for your OS. -If the latter is the case please send the patch to -email(samba@samba.org). - -Any of the supported socket options may be combined in any way you -like, as long as your OS allows it. - -This is the list of socket options currently settable using this -option: - -startit() - -it() SO_KEEPALIVE - -it() SO_REUSEADDR - -it() SO_BROADCAST - -it() TCP_NODELAY - -it() IPTOS_LOWDELAY - -it() IPTOS_THROUGHPUT - -it() SO_SNDBUF * - -it() SO_RCVBUF * - -it() SO_SNDLOWAT * - -it() SO_RCVLOWAT * - -endit() - -Those marked with a tt(*) take an integer argument. The others can -optionally take a 1 or 0 argument to enable or disable the option, by -default they will be enabled if you don't specify 1 or 0. - -To specify an argument use the syntax SOME_OPTION=VALUE for example -tt(SO_SNDBUF=8192). Note that you must not have any spaces before or after -the = sign. - -If you are on a local network then a sensible option might be - -tt(socket options = IPTOS_LOWDELAY) - -If you have a local network then you could try: - -tt(socket options = IPTOS_LOWDELAY TCP_NODELAY) - -If you are on a wide area network then perhaps try setting -IPTOS_THROUGHPUT. - -Note that several of the options may cause your Samba server to fail -completely. Use these options with caution! 
- - bf(Default:) -tt( socket options = TCP_NODELAY) - - bf(Example:) -tt( socket options = IPTOS_LOWDELAY) - -label(sourceenvironment) -dit(bf(source environment (G))) - -This parameter causes Samba to set environment variables as per the -content of the file named. - -If the value of this parameter starts with a "|" character then Samba will -treat that value as a pipe command to open and will set the environment -variables from the output of the pipe. - -The contents of the file or the output of the pipe should be formatted -as the output of the standard Unix env(1) command. This is of the form : - -Example environment entry: -tt( SAMBA_NETBIOS_NAME=myhostname ) - - bf(Default:) -tt(No default value) - - bf(Examples:) - -tt( source environment = |/etc/smb.conf.sh) - -tt( source environment = /usr/local/smb_env_vars) - -label(ssl) -dit(bf(ssl (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This variable enables or disables the entire SSL mode. If it is set to -"no", the SSL enabled samba behaves exactly like the non-SSL samba. If -set to "yes", it depends on the variables link(bf("ssl -hosts"))(sslhosts) and link(bf("ssl hosts resign"))(sslhostsresign) -whether an SSL connection will be required. - - bf(Default:) -tt( ssl=no) - bf(Example:) -tt( ssl=yes) - -label(sslCAcertDir) -dit(bf(ssl CA certDir (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. 
- -This variable defines where to look up the Certification -Authorities. The given directory should contain one file for each CA -that samba will trust. The file name must be the hash value over the -"Distinguished Name" of the CA. How this directory is set up is -explained later in this document. All files within the directory that -don't fit into this naming scheme are ignored. You don't need this -variable if you don't verify client certificates. - - bf(Default:) -tt( ssl CA certDir = /usr/local/ssl/certs) - -label(sslCAcertFile) -dit(bf(ssl CA certFile (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This variable is a second way to define the trusted CAs. The -certificates of the trusted CAs are collected in one big file and this -variable points to the file. You will probably only use one of the two -ways to define your CAs. The first choice is preferable if you have -many CAs or want to be flexible, the second is preferable if you only -have one CA and want to keep things simple (you won't need to create -the hashed file names). You don't need this variable if you don't -verify client certificates. - - bf(Default:) -tt( ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem) - -label(sslciphers) -dit(bf(ssl ciphers (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This variable defines the ciphers that should be offered during SSL -negotiation. 
You should not set this variable unless you know what you -are doing. - -label(sslclientcert) -dit(bf(ssl client cert (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -The certificate in this file is used by -url(bf(smbclient))(smbclient.1.html) if it exists. It's needed if the -server requires a client certificate. - - bf(Default:) -tt( ssl client cert = /usr/local/ssl/certs/smbclient.pem) - -label(sslclientkey) -dit(bf(ssl client key (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This is the private key for url(bf(smbclient))(smbclient.1.html). It's -only needed if the client should have a certificate. - - bf(Default:) -tt( ssl client key = /usr/local/ssl/private/smbclient.pem) - -label(sslcompatibility) -dit(bf(ssl compatibility (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This variable defines whether SSLeay should be configured for bug -compatibility with other SSL implementations. This is probably not -desirable because currently no clients with SSL implementations other -than SSLeay exist. 
- - bf(Default:) -tt( ssl compatibility = no) - -label(sslhosts) -dit(bf(ssl hosts (G))) - -See link(bf("ssl hosts resign"))(sslhostsresign). - -label(sslhostsresign) -dit(bf(ssl hosts resign (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -These two variables define whether samba will go into SSL mode or -not. If none of them is defined, samba will allow only SSL -connections. If the link(bf("ssl hosts"))(sslhosts) variable lists -hosts (by IP-address, IP-address range, net group or name), only these -hosts will be forced into SSL mode. If the bf("ssl hosts resign") -variable lists hosts, only these hosts will NOT be forced into SSL -mode. The syntax for these two variables is the same as for the -link(bf("hosts allow"))(hostsallow) and link(bf("hosts -deny"))(hostsdeny) pair of variables, only that the subject of the -decision is different: It's not the access right but whether SSL is -used or not. See the link(bf("allow hosts"))(allowhosts) parameter for -details. The example below requires SSL connections from all hosts -outside the local net (which is 192.168.*.*). - - bf(Default:) -tt( ssl hosts = <empty string>) -tt( ssl hosts resign = <empty string>) - - bf(Example:) -tt( ssl hosts resign = 192.168.) - -label(sslrequireclientcert) -dit(bf(ssl require clientcert (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. 
- -If this variable is set to tt("yes"), the server will not tolerate -connections from clients that don't have a valid certificate. The -directory/file given in link(bf("ssl CA certDir"))(sslCAcertDir) and -link(bf("ssl CA certFile"))(sslCAcertFile) will be used to look up the -CAs that issued the client's certificate. If the certificate can't be -verified positively, the connection will be terminated. If this -variable is set to tt("no"), clients don't need certificates. Contrary -to web applications you really em(*should*) require client -certificates. In the web environment the client's data is sensitive -(credit card numbers) and the server must prove to be trustworthy. In -a file server environment the server's data will be sensitive and the -clients must prove to be trustworthy. - - bf(Default:) -tt( ssl require clientcert = no) - -label(sslrequireservercert) -dit(bf(ssl require servercert (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -If this variable is set to tt("yes"), the -url(bf(smbclient))(smbclient.1.html) will request a certificate from -the server. Same as link(bf("ssl require -clientcert"))(sslrequireclientcert) for the server. - - bf(Default:) -tt( ssl require servercert = no) - -label(sslservercert) -dit(bf(ssl server cert (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This is the file containing the server's certificate. The server _must_ -have a certificate. 
The file may also contain the server's private key. -See later for how certificates and private keys are created. - - bf(Default:) -tt( ssl server cert = <empty string>) - -label(sslserverkey) -dit(bf(ssl server key (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This file contains the private key of the server. If this variable is -not defined, the key is looked up in the certificate file (it may be -appended to the certificate). The server em(*must*) have a private key -and the certificate em(*must*) match this private key. - - bf(Default:) -tt( ssl server key = <empty string>) - -label(sslversion) -dit(bf(ssl version (G))) - -This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option tt("--with-ssl") was given at configure time. - -em(Note) that for export control reasons this code is em(**NOT**) -enabled by default in any current binary version of Samba. - -This enumeration variable defines the versions of the SSL protocol -that will be used. tt("ssl2or3") allows dynamic negotiation of SSL v2 -or v3, tt("ssl2") results in SSL v2, tt("ssl3") results in SSL v3 and -"tls1" results in TLS v1. TLS (Transport Layer Security) is the -(proposed?) new standard for SSL. - - bf(Default:) -tt( ssl version = "ssl2or3") - -label(statcache) -dit(bf(stat cache (G))) - -This parameter determines if url(bf(smbd))(smbd.8.html) will use a -cache in order to speed up case insensitive name mappings. You should -never need to change this parameter. 
- - bf(Default:) -tt( stat cache = yes) - -label(statcachesize) -dit(bf(stat cache size (G))) - -This parameter determines the number of entries in the link(bf(stat -cache))(statcache). You should never need to change this parameter. - - bf(Default:) -tt( stat cache size = 50) - -label(status) -dit(bf(status (G))) - -This enables or disables logging of connections to a status file that -url(bf(smbstatus))(smbstatus.1.html) can read. - -With this disabled url(bf(smbstatus))(smbstatus.1.html) won't be able -to tell you what connections are active. You should never need to -change this parameter. - - bf(Default:) - status = yes - -label(strictlocking) -dit(bf(strict locking (S))) - -This is a boolean that controls the handling of file locking in the -server. When this is set to tt("yes") the server will check every read and -write access for file locks, and deny access if locks exist. This can -be slow on some systems. - -When strict locking is tt("no") the server does file lock checks only -when the client explicitly asks for them. - -Well behaved clients always ask for lock checks when it is important, -so in the vast majority of cases bf("strict locking = no") is -preferable. - - bf(Default:) -tt( strict locking = no) - - bf(Example:) -tt( strict locking = yes) - -label(strictsync) -dit(bf(strict sync (S))) - -Many Windows applications (including the Windows 98 explorer shell) -seem to confuse flushing buffer contents to disk with doing a sync to -disk. Under UNIX, a sync call forces the process to be suspended until -the kernel has ensured that all outstanding data in kernel disk -buffers has been safely stored onto stable storage. This is very slow -and should only be done rarely. Setting this parameter to "no" (the -default) means that smbd ignores the Windows applications requests for -a sync call. There is only a possibility of losing data if the -operating system itself that Samba is running on crashes, so there is -little danger in this default setting. 
In addition, this fixes many -performance problems that people have reported with the new Windows98 -explorer shell file copies. - -See also the link(bf("sync always"))(syncalways) parameter. - - bf(Default:) -tt( strict sync = no) - - bf(Example:) -tt( strict sync = yes) - -label(stripdot) -dit(bf(strip dot (G))) - -This is a boolean that controls whether to strip trailing dots off -UNIX filenames. This helps with some CDROMs that have filenames ending -in a single dot. - - bf(Default:) -tt( strip dot = no) - - bf(Example:) -tt( strip dot = yes) - -label(syncalways) -dit(bf(sync always (S))) - -This is a boolean parameter that controls whether writes will always -be written to stable storage before the write call returns. If this is -false then the server will be guided by the client's request in each -write call (clients can set a bit indicating that a particular write -should be synchronous). If this is true then every write will be -followed by a fsync() call to ensure the data is written to disk. -Note that the link(bf("strict sync"))(strictsync) parameter must be -set to tt("yes") in order for this parameter to have any affect. - -See also the link(bf("strict sync"))(strictsync) parameter. - - bf(Default:) -tt( sync always = no) - - bf(Example:) -tt( sync always = yes) - -label(syslog) -dit(bf(syslog (G))) - -This parameter maps how Samba debug messages are logged onto the -system syslog logging levels. Samba debug level zero maps onto syslog -LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps -onto LOG_NOTICE, debug level three maps onto LOG_INFO. All higher -levels are mapped to LOG_DEBUG. - -This paramter sets the threshold for sending messages to syslog. -Only messages with debug level less than this value will be sent -to syslog. - - bf(Default:) -tt( syslog = 1) - -label(syslogonly) -dit(bf(syslog only (G))) - -If this parameter is set then Samba debug messages are logged into the -system syslog only, and not to the debug log files. 
- - bf(Default:) -tt( syslog only = no) - -label(templatehomedir) -dit(bf(template homedir (G))) - -NOTE: this parameter is only available in Samba 3.0. - -When filling out the user information for a Windows NT user, the -url(bf(winbindd))(winbindd.8.html) daemon uses this parameter to fill in -the home directory for that user. If the string tt(%D) is present it is -substituted with the user's Windows NT domain name. If the string tt(%U) -is present it is substituted with the user's Windows NT user name. - - bf(Default:) -tt( template homedir = /home/%D/%U) - -label(templateshell) -dit(bf(template shell (G))) - -NOTE: this parameter is only available in Samba 3.0. - -When filling out the user information for a Windows NT user, the -url(bf(winbindd))(winbindd.8.html) daemon uses this parameter to fill in -the login shell for that user. - - bf(Default:) -tt( template shell = /bin/false) - -label(timeoffset) -dit(bf(time offset (G))) - -This parameter is a setting in minutes to add to the normal GMT to -local time conversion. This is useful if you are serving a lot of PCs -that have incorrect daylight saving time handling. - - bf(Default:) -tt( time offset = 0) - - bf(Example:) -tt( time offset = 60) - -label(timeserver) - -dit(bf(time server (G))) - -This parameter determines if url(bf(nmbd))(nmbd.8.html) advertises -itself as a time server to Windows clients. The default is False. - - bf(Default:) -tt( time server = False) - - bf(Example:) -tt( time server = True) - -label(timestamplogs) -dit(bf(timestamp logs (G))) - -Synonym for url(bf("debug timestamp"))(debugtimestamp). - -label(unixpasswordsync) -dit(bf(unix password sync (G))) - -This boolean parameter controls whether Samba attempts to synchronize -the UNIX password with the SMB password when the encrypted SMB -password in the smbpasswd file is changed. 
If this is set to true the -program specified in the link(bf("passwd program"))(passwdprogram) -parameter is called em(*AS ROOT*) - to allow the new UNIX password to be -set without access to the old UNIX password (as the SMB password has -change code has no access to the old password cleartext, only the -new). By default this is set to tt("false"). - -See also link(bf("passwd program"))(passwdprogram), link(bf("passwd -chat"))(passwdchat). - - bf(Default:) -tt( unix password sync = False) - - bf(Example:) -tt( unix password sync = True) - -label(unixrealname) -dit(bf(unix realname (G))) - -This boolean parameter when set causes samba to supply the real name -field from the unix password file to the client. This is useful for -setting up mail clients and WWW browsers on systems used by more than -one person. - - bf(Default:) -tt( unix realname = no) - - bf(Example:) -tt( unix realname = yes) - -label(updateencrypted) -dit(bf(update encrypted (G))) - -This boolean parameter allows a user logging on with a plaintext -password to have their encrypted (hashed) password in the smbpasswd -file to be updated automatically as they log on. This option allows a -site to migrate from plaintext password authentication (users -authenticate with plaintext password over the wire, and are checked -against a UNIX account database) to encrypted password authentication -(the SMB challenge/response authentication mechanism) without forcing -all users to re-enter their passwords via smbpasswd at the time the -change is made. This is a convenience option to allow the change over -to encrypted passwords to be made over a longer period. Once all users -have encrypted representations of their passwords in the smbpasswd -file this parameter should be set to tt("off"). - -In order for this parameter to work correctly the link(bf("encrypt -passwords"))(encryptpasswords) parameter must be set to tt("no") when -this parameter is set to tt("yes"). 
- -Note that even when this parameter is set a user authenticating to -smbd must still enter a valid password in order to connect correctly, -and to update their hashed (smbpasswd) passwords. - - bf(Default:) -tt( update encrypted = no) - - bf(Example:) -tt( update encrypted = yes) - -label(userhosts) -dit(bf(use rhosts (G))) - -If this global parameter is a true, it specifies that the UNIX users -tt(".rhosts") file in their home directory will be read to find the -names of hosts and users who will be allowed access without specifying -a password. - -NOTE: The use of bf(use rhosts) can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -bf(use rhosts) option be only used if you really know what you are -doing. - - bf(Default:) -tt( use rhosts = no) - - bf(Example:) -tt( use rhosts = yes) - -label(user) -dit(bf(user (S))) - -Synonym for link(bf("username"))(username). - -label(users) -dit(bf(users (S))) - -Synonym for link(bf("username"))(username). - -label(username) -dit(bf(username (S))) - -Multiple users may be specified in a comma-delimited list, in which -case the supplied password will be tested against each username in -turn (left to right). - -The bf(username=) line is needed only when the PC is unable to supply -its own username. This is the case for the COREPLUS protocol or where -your users have different WfWg usernames to UNIX usernames. In both -these cases you may also be better using the tt(\\server\share%user) -syntax instead. - -The bf(username=) line is not a great solution in many cases as it -means Samba will try to validate the supplied password against each of -the usernames in the username= line in turn. This is slow and a bad -idea for lots of users in case of duplicate passwords. You may get -timeouts or security breaches using this parameter unwisely. - -Samba relies on the underlying UNIX security. 
This parameter does not -restrict who can login, it just offers hints to the Samba server as to -what usernames might correspond to the supplied password. Users can -login as whoever they please and they will be able to do no more -damage than if they started a telnet session. The daemon runs as the -user that they log in as, so they cannot do anything that user cannot -do. - -To restrict a service to a particular set of users you can use the -link(bf("valid users="))(validusers) parameter. - -If any of the usernames begin with a tt('@') then the name will be -looked up first in the yp netgroups list (if Samba is compiled with -netgroup support), followed by a lookup in the UNIX groups database -and will expand to a list of all users in the group of that name. - -If any of the usernames begin with a tt('+') then the name will be -looked up only in the UNIX groups database and will expand to a list -of all users in the group of that name. - -If any of the usernames begin with a tt('&') then the name will be -looked up only in the yp netgroups database (if Samba is compiled with -netgroup support) and will expand to a list of all users in the -netgroup group of that name. - -Note that searching though a groups database can take quite some time, -and some clients may time out during the search. - -See the section link(bf("NOTE ABOUT USERNAME/PASSWORD -VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION) for more -information on how this parameter determines access to the services. - - bf(Default:) -tt( The guest account if a guest service, else the name of the service.) - - bf(Examples:) -verb( - username = fred - username = fred, mary, jack, jane, @users, @pcgroup -) - -label(usernamelevel) -dit(bf(username level (G))) - -This option helps Samba to try and 'guess' at the real UNIX username, -as many DOS clients send an all-uppercase username. 
By default Samba -tries all lowercase, followed by the username with the first letter -capitalized, and fails if the username is not found on the UNIX -machine. - -If this parameter is set to non-zero the behavior changes. This -parameter is a number that specifies the number of uppercase -combinations to try whilst trying to determine the UNIX user name. The -higher the number the more combinations will be tried, but the slower -the discovery of usernames will be. Use this parameter when you have -strange usernames on your UNIX machine, such as tt("AstrangeUser"). - - bf(Default:) -tt( username level = 0) - - bf(Example:) -tt( username level = 5) - -label(usernamemap) -dit(bf(username map (G))) - -This option allows you to specify a file containing a mapping of -usernames from the clients to the server. This can be used for several -purposes. The most common is to map usernames that users use on DOS or -Windows machines to those that the UNIX box uses. The other is to map -multiple users to a single username so that they can more easily share -files. - -The map file is parsed line by line. Each line should contain a single -UNIX username on the left then a tt('=') followed by a list of -usernames on the right. The list of usernames on the right may contain -names of the form @group in which case they will match any UNIX -username in that group. The special client name tt('*') is a wildcard -and matches any name. Each line of the map file may be up to 1023 -characters long. - -The file is processed on each line by taking the supplied username and -comparing it with each username on the right hand side of the tt('=') -signs. If the supplied name matches any of the names on the right hand -side then it is replaced with the name on the left. Processing then -continues with the next line. 
- -If any line begins with a tt('#') or a tt(';') then it is ignored - -If any line begins with an tt('!') then the processing will stop after -that line if a mapping was done by the line. Otherwise mapping -continues with every line being processed. Using tt('!') is most -useful when you have a wildcard mapping line later in the file. - -For example to map from the name tt("admin") or tt("administrator") to -the UNIX name tt("root") you would use: - - -tt( root = admin administrator) - -Or to map anyone in the UNIX group tt("system") to the UNIX name -tt("sys") you would use: - -tt( sys = @system) - -You can have as many mappings as you like in a username map file. - -If your system supports the NIS NETGROUP option then the netgroup -database is checked before the tt(/etc/group) database for matching -groups. - -You can map Windows usernames that have spaces in them by using double -quotes around the name. For example: - -tt( tridge = "Andrew Tridgell") - -would map the windows username tt("Andrew Tridgell") to the unix -username tridge. - -The following example would map mary and fred to the unix user sys, -and map the rest to guest. Note the use of the tt('!') to tell Samba -to stop processing if it gets a match on that line. - -verb( - !sys = mary fred - guest = * -) - -Note that the remapping is applied to all occurrences of -usernames. Thus if you connect to tt("\\server\fred") and tt("fred") -is remapped to tt("mary") then you will actually be connecting to -tt("\\server\mary") and will need to supply a password suitable for -tt("mary") not tt("fred"). The only exception to this is the username -passed to the link(bf("password server"))(passwordserver) (if you have -one). The password server will receive whatever username the client -supplies without modification. - -Also note that no reverse mapping is done. The main effect this has is -with printing. 
Users who have been mapped may have trouble deleting -print jobs as PrintManager under WfWg will think they don't own the -print job. - - bf(Default:) -tt( no username map) - - bf(Example:) -tt( username map = /usr/local/samba/lib/users.map) - -label(utmp) -dit(bf(utmp (S))) - -This boolean parameter is only available if Samba has been configured and compiled -with the option tt(--with-utmp). If set to True then Samba will attempt -to add utmp or utmpx records (depending on the UNIX system) whenever a -connection is made to a Samba server. Sites may use this to record the -user connecting to a Samba share. - -See also the link(bf("utmp directory"))(utmpdirectory) parameter. - - bf(Default:) -tt(utmp = False) - - bf(Example:) -tt(utmp = True) - -label(utmpdirectory) -dit(bf(utmp directory(G))) - -This parameter is only available if Samba has been configured and compiled -with the option tt(--with-utmp). It specifies a directory pathname that is -used to store the utmp or utmpx files (depending on the UNIX system) that -record user connections to a Samba server. See also the link(bf("utmp"))(utmp) -parameter. By default this is not set, meaning the system will use whatever -utmp file the native system is set to use (usually /var/run/utmp on Linux). - - bf(Default:) -tt(no utmp directory) - - bf(Example:) -tt(utmp directory = /var/adm/) - -label(winbindcachetime) -dit(winbind cache time) - -NOTE: this parameter is only available in Samba 3.0. - -This parameter specifies the number of seconds the -url(bf(winbindd))(winbindd.8.html) daemon will cache user and group -information before querying a Windows NT server again. - - bf(Default:) -tt( winbind cache type = 15) - -label(winbindgid) -dit(winbind gid) - -NOTE: this parameter is only available in Samba 3.0. - -The winbind gid parameter specifies the range of group ids that are -allocated by the url(bf(winbindd))(winbindd.8.html) daemon. 
This range of -group ids should have no existing local or nis groups within it as strange -conflicts can occur otherwise. - - bf(Default:) -tt( winbind gid = <empty string>) - - bf(Example:) -tt( winbind gid = 10000-20000) - -label(winbinduid) -dit(winbind uid) - -NOTE: this parameter is only available in Samba 3.0. - -The winbind uid parameter specifies the range of user ids that are -allocated by the url(bf(winbindd))(winbindd.8.html) daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. - - bf(Default:) -tt( winbind uid = <empty string>) - - bf(Example:) -tt( winbind uid = 10000-20000) - -label(validchars) -dit(bf(valid chars (G))) - -The option allows you to specify additional characters that should be -considered valid by the server in filenames. This is particularly -useful for national character sets, such as adding u-umlaut or a-ring. - -The option takes a list of characters in either integer or character -form with spaces between them. If you give two characters with a colon -between them then it will be taken as an lowercase:uppercase pair. - -If you have an editor capable of entering the characters into the -config file then it is probably easiest to use this method. Otherwise -you can specify the characters in octal, decimal or hexadecimal form -using the usual C notation. - -For example to add the single character tt('Z') to the charset (which -is a pointless thing to do as it's already there) you could do one of -the following - -verb( - valid chars = Z - valid chars = z:Z - valid chars = 0132:0172 -) - -The last two examples above actually add two characters, and alter the -uppercase and lowercase mappings appropriately. - -Note that you MUST specify this parameter after the link(bf("client -code page"))(clientcodepage) parameter if you have both set. 
If -link(bf("client code page"))(clientcodepage) is set after the -bf("valid chars") parameter the bf("valid chars") settings will be -overwritten. - -See also the link(bf("client code page"))(clientcodepage) parameter. - - bf(Default:) -verb( - Samba defaults to using a reasonable set of valid characters - for English systems -) - - bf(Example) -tt( valid chars = 0345:0305 0366:0326 0344:0304) - -The above example allows filenames to have the Swedish characters in -them. - -NOTE: It is actually quite difficult to correctly produce a bf("valid -chars") line for a particular system. To automate the process -email(tino@augsburg.net) has written a package called bf("validchars") -which will automatically produce a complete bf("valid chars") line for -a given client system. Look in the examples/validchars/ subdirectory -of your Samba source code distribution for this package. - -label(validusers) -dit(bf(valid users (S))) - -This is a list of users that should be allowed to login to this -service. Names starting with tt('@'), tt('+') and tt('&') are -interpreted using the same rules as described in the link(bf("invalid -users"))(invalidusers) parameter. - -If this is empty (the default) then any user can login. If a username -is in both this list and the link(bf("invalid users"))(invalidusers) -list then access is denied for that user. - -The current servicename is substituted for -link(bf("%S"))(percentS). This is useful in the -link(bf([homes]))(homes) section. - -See also link(bf("invalid users"))(invalidusers). - - bf(Default:) -tt( No valid users list. (anyone can login)) - - bf(Example:) -tt( valid users = greg, @pcusers) - -label(vetofiles) -dit(bf(veto files(S))) - -This is a list of files and directories that are neither visible nor -accessible. Each entry in the list must be separated by a tt('/'), -which allows spaces to be included in the entry. tt('*') and tt('?') -can be used to specify multiple files or directories as in DOS -wildcards. 
- -Each entry must be a unix path, not a DOS path and must em(*not*) include the -unix directory separator tt('/'). - -Note that the link(bf("case sensitive"))(casesensitive) option is -applicable in vetoing files. - -One feature of the veto files parameter that it is important to be -aware of, is that if a directory contains nothing but files that match -the veto files parameter (which means that Windows/DOS clients cannot -ever see them) is deleted, the veto files within that directory *are -automatically deleted* along with it, if the user has UNIX permissions -to do so. - -Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned. - -See also link(bf("hide files"))(hidefiles) and link(bf("case -sensitive"))(casesensitive). - - bf(Default:) -tt( No files or directories are vetoed.) - - bf(Examples:) - - Example 1. - -verb( - - Veto any files containing the word Security, - any ending in .tmp, and any directory containing the - word root. - - veto files = /*Security*/*.tmp/*root*/ -) - - Example 2. - -verb( - Veto the Apple specific files that a NetAtalk server - creates. - - veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ -) - -label(vetooplockfiles) -dit(bf(veto oplock files (S))) - -This parameter is only valid when the link(bf("oplocks"))(oplocks) -parameter is turned on for a share. It allows the Samba administrator -to selectively turn off the granting of oplocks on selected files that -match a wildcarded list, similar to the wildcarded list used in the -link(bf("veto files"))(vetofiles) parameter. - - bf(Default:) -tt( No files are vetoed for oplock grants.) - - bf(Examples:) - -You might want to do this on files that you know will be heavily -contended for by clients. A good example of this is in the NetBench -SMB benchmark program, which causes heavy client contention for files -ending in tt(".SEM"). 
To cause Samba not to grant oplocks on these -files you would use the line (either in the link(bf([global]))(global) -section or in the section for the particular NetBench share : - -tt( veto oplock files = /*.SEM/) - -label(volume) -dit(bf(volume (S))) - -This allows you to override the volume label returned for a -share. Useful for CDROMs with installation programs that insist on a -particular volume label. - -The default is the name of the share. - -label(widelinks) -dit(bf(wide links (S))) - -This parameter controls whether or not links in the UNIX file system -may be followed by the server. Links that point to areas within the -directory tree exported by the server are always allowed; this -parameter controls access only to areas that are outside the directory -tree being exported. - -Note that setting this parameter can have a negative effect on your -server performance due to the extra system calls that Samba has to -do in order to perform the link checks. - - bf(Default:) -tt( wide links = yes) - - bf(Example:) -tt( wide links = no) - -label(winsproxy) -dit(bf(wins proxy (G))) - -This is a boolean that controls if url(bf(nmbd))(nmbd.8.html) will -respond to broadcast name queries on behalf of other hosts. You may -need to set this to tt("yes") for some older clients. - - bf(Default:) -tt( wins proxy = no) - -label(winsserver) -dit(bf(wins server (G))) - -This specifies the IP address (or DNS name: IP address for preference) -of the WINS server that url(bf(nmbd))(nmbd.8.html) should register with. -If you have a WINS server on your network then you should set this to -the WINS server's IP. - -You should point this at your WINS server if you have a -multi-subnetted network. - -em(NOTE). You need to set up Samba to point to a WINS server if you -have multiple subnets and wish cross-subnet browsing to work correctly. - -See the documentation file BROWSING.txt in the docs/ directory of your -Samba source distribution. 
- - bf(Default:) -tt( wins server = ) - - bf(Example:) -tt( wins server = 192.9.200.1) - -label(winshook) -dit(bf(wins hook (G))) - -When Samba is running as a WINS server this allows you to call an -external program for all changes to the WINS database. The primary use -for this option is to allow the dynamic update of external name -resolution databases such as dynamic DNS. - -The wins hook parameter specifies the name of a script or executable -that will be called as follows: - - wins_hook operation name nametype ttl IP_list - -The first argument is the operation and is one of "add", "delete", -or "refresh". In most cases the operation can be ignored as the rest -of the parameters provide sufficient information. Note that "refresh" -may sometimes be called when the name has not previously been added, -in that case it should be treated as an add. - -The second argument is the netbios name. If the name is not a legal -name then the wins hook is not called. Legal names contain only -letters, digits, hyphens, underscores and periods. - -The third argument is the netbios name type as a 2 digit hexadecimal -number. - -The fourth argument is the TTL (time to live) for the name in seconds. - -The fifth and subsequent arguments are the IP addresses currently -registered for that name. If this list is empty then the name should -be deleted. - -An example script that calls the BIND dynamic DNS update program -"nsupdate" is provided in the examples directory of the Samba source -code. - -label(winssupport) -dit(bf(wins support (G))) - -This boolean controls if the url(bf(nmbd))(nmbd.8.html) process in -Samba will act as a WINS server. You should not set this to true -unless you have a multi-subnetted network and you wish a particular -url(bf(nmbd))(nmbd.8.html) to be your WINS server. Note that you -should em(*NEVER*) set this to true on more than one machine in your -network. 
- - bf(Default:) -tt( wins support = no) - -label(workgroup) -dit(bf(workgroup (G))) - -This controls what workgroup your server will appear to be in when -queried by clients. Note that this parameter also controls the Domain -name used with the link(bf("security=domain"))(securityequaldomain) -setting. - - bf(Default:) -tt( set at compile time to WORKGROUP) - - bf(Example:) - workgroup = MYGROUP - -label(writable) -dit(bf(writable (S))) - -Synonym for link(bf("writeable"))(writeable) for people who can't spell :-). - -label(writelist) -dit(bf(write list (S))) - -This is a list of users that are given read-write access to a -service. If the connecting user is in this list then they will be -given write access, no matter what the link(bf("writeable"))(writeable) -option is set to. The list can include group names using the @group -syntax. - -Note that if a user is in both the read list and the write list then -they will be given write access. - -See also the link(bf("read list"))(readlist) option. - - bf(Default:) -tt( write list = <empty string>) - - bf(Example:) -tt( write list = admin, root, @staff) - -label(writecachesize) -dit(bf(write cache size (S))) - -This integer parameter (new with Samba 2.0.7) if set to non-zero causes Samba to create an in-memory -cache for each oplocked file (it does bf(not) do this for non-oplocked files). All -writes that the client does not request to be flushed directly to disk will be -stored in this cache if possible. The cache is flushed onto disk when a write -comes in whose offset would not fit into the cache or when the file is closed -by the client. Reads for the file are also served from this cache if the data -is stored within it. - -This cache allows Samba to batch client writes into a more efficient write -size for RAID disks (ie. writes may be tuned to be the RAID stripe size) and -can improve performance on systems where the disk subsystem is a bottleneck -but there is free memory for userspace programs. 
- -The integer parameter specifies the size of this cache (per oplocked file) -in bytes. - - bf(Default:) -tt( write cache size = 0) - - bf(Example:) -tt( write cache size = 262144) -for a 256k cache size per file. - -label(writeok) -dit(bf(write ok (S))) - -Synonym for link(bf(writeable))(writeable). - -label(writeraw) -dit(bf(write raw (G))) - -This parameter controls whether or not the server will support raw -writes SMB's when transferring data from clients. You should never -need to change this parameter. - - bf(Default:) -tt( write raw = yes) - -label(writeable) -dit(bf(writeable)) - -An inverted synonym is link(bf("read only"))(readonly). - -If this parameter is tt("no"), then users of a service may not create -or modify files in the service's directory. - -Note that a printable service link(bf(("printable = yes")))(printable) -will em(*ALWAYS*) allow writing to the directory (user privileges -permitting), but only via spooling operations. - - bf(Default:) -tt( writeable = no) - - bf(Examples:) -verb( - read only = no - writeable = yes - write ok = yes -) - -endit() - -label(WARNINGS) -manpagesection(WARNINGS) - -Although the configuration file permits service names to contain -spaces, your client software may not. Spaces will be ignored in -comparisons anyway, so it shouldn't be a problem - but be aware of the -possibility. - -On a similar note, many clients - especially DOS clients - limit -service names to eight characters. url(bf(Smbd))(smbd.8.html) has no -such limitation, but attempts to connect from such clients will fail -if they truncate the service names. For this reason you should -probably keep your service names down to eight characters in length. - -Use of the link(bf([homes]))(homes) and link(bf([printers]))(printers) -special sections make life for an administrator easy, but the various -combinations of default attributes can be tricky. Take extreme care -when designing these sections. 
In particular, ensure that the -permissions on spool directories are correct. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpagesection(SEE ALSO) - -url(bf(smbd (8)))(smbd.8.html), url(bf(smbclient (1)))(smbclient.1.html), -url(bf(nmbd (8)))(nmbd.8.html), url(bf(testparm (1)))(testparm.1.html), -url(bf(testprns (1)))(testprns.1.html), url(bf(Samba))(samba.7.html), -url(bf(nmblookup (1)))(nmblookup.1.html), url(bf(smbpasswd (5)))(smbpasswd.5.html), -url(bf(smbpasswd (8)))(smbpasswd.8.html). - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbcacls.1.yo b/docs/yodldocs/smbcacls.1.yo deleted file mode 100644 index e8be5a4d28..0000000000 --- a/docs/yodldocs/smbcacls.1.yo +++ /dev/null 
@@ -1,208 +0,0 @@ -manpage(smbcacls htmlcommand((1)))(1)(22 Dec 2000)(Samba)(SAMBA) - -label(NAME) -manpagename(smbcacls)(Set or get ACLs on an NT file or directory ) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbcacls) //server/share filename [link(-U username)(minusU)] -[link(-A acls)(minusA)] [link(-M acls)(minusM)] -[link(-D acls)(minusD)] [link(-S acls)(minusS)] -[link(-C name)(minusC)] [link(-G name)(minusG)] -[link(-n)(minusn)] [link(-h)(minush)] - -label(DESCRIPTION) -manpagedescription() - -The bf(smbcacls) program manipulates NT Access Control Lists (ACLs) on -SMB file shares. - -label(OPTIONS) -manpageoptions() - -The following options are available to the bf(smbcacls) program. The -format of ACLs is described in the section link(ACL FORMAT)(ACLFORMAT) - -startdit() - -label(minusA) -dit(bf(-A acls)) - -Add the ACLs specified to the ACL list. Existing access control entries -are unchanged. - -label(minusM) -dit(bf(-M acls)) - -Modify the mask value (permissions) for the ACLs specified on the command -line. An error will be printed for each ACL specified that was not already -present in the ACL list. - -label(minusD) -dit(bf(-D acls)) - -Delete any ACLs specfied on the command line. An error will be printed for -each ACL specified that was not already present in the ACL list. - -label(minusS) -dit(bf(-S acls)) - -This command sets the ACLs on the file with only the ones specified on the -command line. All other ACLs are erased. Note that the ACL specified must -contain at least a revision, type, owner and group for the call to succeed. - -label(minusC) -dit(bf(-C username)) - -This command sets the owner of the file to the given username. Note that -the user you connect to the server as must have the permissions to modify -the ownership of a file. Unlike the NT take ownership dialog box this command -can modify the owner of a file to any arbitrary user. 
- -label(minusG) -dit(bf(-G username)) - -This command sets the primary group owner of the file to the given username. Note that -the user you connect to the server as must have the permissions to modify -the group ownership of a file. As this attribute is only used in the NT POSIX -subsystem there is no equivalent NT dialog box. - -label(minusU) -dit(bf(-U username)) - -Specifies a username used to connect to the specified service. The -username may be of the form tt(username) in which case the user is -prompted to enter in a password and the workgroup specified in the -url(bf(smb.conf))(smb.conf.5.html) file is used, or tt(username%password) -or tt(DOMAIN\username%password) and the password and workgroup names are -used as provided. - -label(minusC) -dit(bf(-C name)) - -The owner of a file or directory can be changed to the name given -using the -C option. The name can be a sid in the form tt(S-1-x-y-z) or a -name resolved against the server specified in the first argument. - -This command is a shortcut for tt(-M OWNER:name). - -label(minusG) -dit(bf(-G name)) - -The group owner of a file or directory can be changed to the name given -using the -G option. The name can be a sid in the form tt(S-1-x-y-z) or a -name resolved against the server specified in the first argument. - -This command is a shortcut for tt(-M GROUP:name). - -label(minusn) -dit(bf(-n)) - -This option displays all ACL information in numeric format. The default is -to convert SIDs to names and ACE types and masks to a readable string -format. - -label(minush) -dit(bf(-h)) - -Print usage information on the bf(smbcacls) program - -enddit() - -label(ACLFORMAT) -manpagesection(ACL FORMAT) - -The format of an ACL is one or more ACL entries separated by either -commas or newlines. 
An ACL entry is one of the following: - -verb(REVISION:<revision number> -OWNER:<sid or name> -GROUP:<sid or name> -ACL:<sid or name>:<type>/<flags>/<mask>) - -The revision of the ACL specifies the internal Windows NT ACL revision for -the security descriptor. If not specified it defaults to 1. Using values -other than 1 may cause strange behaviour. - -The owner and group specify the owner and group sids for the object. If a -SID in the format tt(S-1-x-y-z) is specified this is used, otherwise -the name specified is resolved using the server on which the file or -directory resides. - -ACLs specify permissions granted to the SID. This SID again can be -specified in tt(S-1-x-y-z) format or as a name in which case it is resolved -against the server on which the file or directory resides. The type, flags -and mask values determine the type of access granted to the SID. - -The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to -the SID. The flags values are generally zero for file ACLs and either 9 or -2 for directory ACLs. Some common flags are: - -verb(#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8) - -At present flags can only be specified as decimal or hexadecimal values. - -The mask is a value which expresses the access right granted to the SID. -It can be given as a decimal or hexadecimal value, or by using one of the -following text strings which map to the NT file permissions of the same -name. 
- -startdit() - -dit() tt(R) Allow read access - -dit() tt(W) Allow write access - -dit() tt(X) Execute permission on the object - -dit() tt(D) Delete the object - -dit() tt(P) Change permissions - -dit() tt(O) Take ownership - -enddit() - -The following combined permissions can be specified: - -startdit() - -dit() tt(READ) - -Equivalent to tt(RX) permissions - -dit() tt(CHANGE) - -Equivalent to tt(RXWD) permissions - -dit() tt(FULL) - -Equivalent to tt(RWXDPO) permissions - -enddit() - -label(EXITSTATUS) -manpagesection(EXIT STATUS) - -The bf(smbcacls) program sets the exit status depending on the success or -otherwise of the operations performed. The exit status may be one of the -following values. - -If the operation succeded, bf(smbcacls) returns and exit status of 0. If -bf(smbcacls) couldn't connect to the specified server, or there was an -error getting or setting the ACLs, an exit status of 1 is returned. If -there was an error parsing any command line arguments, an exit status of 2 -is returned. - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. - -bf(smbcacls) was written by Andrew Tridgell and Tim Potter. diff --git a/docs/yodldocs/smbclient.1.yo b/docs/yodldocs/smbclient.1.yo deleted file mode 100644 index 8b42f281ff..0000000000 --- a/docs/yodldocs/smbclient.1.yo +++ /dev/null 
@@ -1,767 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbclient htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbclient)(ftp-like client to access SMB/CIFS resources on servers) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbclient) link(servicename)(servicename) [link(-s smb.conf)(minuss)] [link(-O socket options)(minusO)][link(-R name resolve order)(minusR)] [link(-M NetBIOS name)(minusM)] [link(-i scope)(minusi)] [link(-N)(minusN)] [link(-n NetBIOS name)(minusn)] [link(-d debuglevel)(minusd)] [link(-P)(minusP)] [link(-p port)(minusp)] [link(-l log basename)(minusl)] [link(-h)(minush)] [link(-I dest IP)(minusI)] [link(-E)(minusE)] [link(-U username)(minusU)] [link(-L NetBIOS name)(minusL)] [link(-t terminal code)(minust)] [link(-m max protocol)(minusm)] [link(-b buffersize)(minusb)] [link(-W workgroup)(minusW)] [link(-T<c|x>IXFqgbNan)(minusT)] [link(-D directory)(minusD)] [link(-c command string)(minusc)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(smbclient) is a client that can 'talk' to an SMB/CIFS server. It -offers an interface similar to that of the ftp program (see bf(ftp -(1))). Operations include things like getting files from the server -to the local machine, putting files from the local machine to the -server, retrieving directory information from the server and so on. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(servicename) -dit(bf(servicename)) servicename is the name of the service you want -to use on the server. A service name takes the form -tt(//server/service) where em(server) is the NetBIOS name of the SMB/CIFS -server offering the desired service and em(service) is the name -of the service offered. Thus to connect to the service em(printer) on -the SMB/CIFS server em(smbserver), you would use the servicename - -tt(//smbserver/printer) - -Note that the server name required is NOT necessarily the IP (DNS) -host name of the server ! 
The name required is a NetBIOS server name, -which may or may not be the same as the IP hostname of the machine -running the server. - -The server name is looked up according to either the -link(bf(-R))(minusR) parameter to bf(smbclient) or using the -url(bf(name resolve order))(smb.conf.5.html#nameresolveorder) -parameter in the smb.conf file, allowing an administrator to change -the order and methods by which server names are looked up. - -label(password) -dit(bf(password)) password is the password required to access the -specified service on the specified server. If this parameter is -supplied, the link(bf(-N))(minusN) option (suppress password prompt) is assumed. - -There is no default password. If no password is supplied on the -command line (either by using this parameter or adding a password to -the link(bf(-U))(minusU) option (see below)) and the link(bf(-N))(minusN) option is not specified, -the client will prompt for a password, even if the desired service -does not require one. (If no password is required, simply press ENTER -to provide a null password.) - -Note: Some servers (including OS/2 and Windows for Workgroups) insist -on an uppercase password. Lowercase or mixed case passwords may be -rejected by these servers. - -Be cautious about including passwords in scripts. - -label(minuss) -dit(bf(-s smb.conf)) This parameter specifies the pathname to the -Samba configuration file, smb.conf. This file controls all aspects of -the Samba setup on the machine and smbclient also needs to read this -file. - -label(minusO) -dit(bf(-O socket options)) TCP socket options to set on the client -socket. See the url(socket options)(smb.conf.5.html#socketoptions) -parameter in the url(bf(smb.conf (5)))(smb.conf.5.html) manpage for -the list of valid options. - -label(minusR) -dit(bf(-R name resolve order)) This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to. 
- -The options are :"lmhosts", "host", "wins" and "bcast". They cause -names to be resolved as follows : - -startit() - -it() bf(lmhosts) : Lookup an IP address in the Samba lmhosts file. -The lmhosts file is stored in the same directory as the -url(bf(smb.conf))(smb.conf.5.html) file. - -it() bf(host) : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system depended for instance on IRIX or -Solaris this may be controlled by the em(/etc/nsswitch.conf) file). - -it() bf(wins) : Query a name with the IP address listed in the url(bf(wins -server))(smb.conf.5.html#winsserver) parameter in the smb.conf file. If -no WINS server has been specified this method will be ignored. - -it() bf(bcast) : Do a broadcast on each of the known local interfaces -listed in the url(bf(interfaces))(smb.conf.5.html#interfaces) parameter -in the smb.conf file. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet. - -endit() - -If this parameter is not set then the name resolve order defined -in the url(bf(smb.conf))(smb.conf.5.html) file parameter -url((bf(name resolve order)))(smb.conf.5.html#nameresolveorder) -will be used. - -The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the url(bf("name resolve -order"))(smb.conf.5.html#nameresolveorder) parameter of the -url(bf(smb.conf))(smb.conf.5.html) file the name resolution methods -will be attempted in this order. - -label(minusM) -dit(bf(-M NetBIOS name)) This options allows you to send messages, -using the "WinPopup" protocol, to another computer. Once a connection -is established you then type your message, pressing ^D (control-D) to -end. - -If the receiving computer is running WinPopup the user will receive -the message and probably a beep. 
If they are not running WinPopup the -message will be lost, and no error message will occur. - -The message is also automatically truncated if the message is over -1600 bytes, as this is the limit of the protocol. - -One useful trick is to cat the message through bf(smbclient). -For example: - -tt(cat mymessage.txt | smbclient -M FRED) - -will send the message in the file em(mymessage.txt) to the machine FRED. - -You may also find the link(bf(-U))(minusU) and link(bf(-I))(minusI) options useful, as they allow -you to control the FROM and TO parts of the message. - -See the url(bf(message command))(smb.conf.5.html#messagecommand) -parameter in the bf(smb.conf (5)) for a description of how to handle -incoming WinPopup messages in Samba. - -Note: Copy WinPopup into the startup group on your WfWg PCs if you -want them to always be able to receive messages. - -label(minusi) -dit(bf(-i scope)) This specifies a NetBIOS scope that smbclient will use -to communicate with when generating NetBIOS names. For details on the -use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes -are em(very) rarely used, only set this parameter if you are the -system administrator in charge of all the NetBIOS systems you -communicate with. - -label(minusN) -dit(bf(-N)) If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password. - -Unless a password is specified on the command line or this parameter -is specified, the client will request a password. - -label(minusn) -dit(bf(-n NetBIOS name)) By default, the client will use the local -machine's hostname (in uppercase) as its NetBIOS name. This parameter -allows you to override the host name and use whatever NetBIOS name you -wish. - -label(minusd) -dit(bf(-d debuglevel)) debuglevel is an integer from 0 to 10, or the -letter 'A'. - -The default value if this parameter is not specified is zero. 
- -The higher this value, the more detail will be logged to the log files -about the activities of the client. At level 0, only critical errors -and serious warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of information about -operations carried out. - -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. If debuglevel is set to the -letter 'A', then em(all) debug messages will be printed. This setting -is for developers only (and people who em(really) want to know how the -code works internally). - -Note that specifying this parameter here will override the url(bf(log -level))(smb.conf.5.html#loglevel) parameter in the url(bf(smb.conf -(5)))(smb.conf.5.html) file. - -label(minusP) -dit(bf(-P)) This option is no longer used. The code in Samba2.0 -now lets the server decide the device type, so no printer specific -flag is needed. - -label(minusp) -dit(bf(-p port)) This number is the TCP port number that will be used -when making connections to the server. The standard (well-known) TCP -port number for an SMB/CIFS server is 139, which is the default. - -label(minusl) -dit(bf(-l logfilename)) If specified, logfilename specifies a base -filename into which operational data from the running client will be -logged. - -The default base name is specified at compile time. - -The base name is used to generate actual log file names. For example, -if the name specified was "log", the debug file would be -tt(log.client). - -The log file generated is never removed by the client. - -label(minush) -dit(bf(-h)) Print the usage message for the client. - -label(minusI) -dit(bf(-I IP address)) IP address is the address of the server to -connect to. It should be specified in standard "a.b.c.d" notation. 
- -Normally the client would attempt to locate a named SMB/CIFS server by -looking it up via the NetBIOS name resolution mechanism described -above in the link(bf(name resolve order))(minusR) parameter -above. Using this parameter will force the client to assume that the -server is on the machine with the specified IP address and the NetBIOS -name component of the resource being connected to will be ignored. - -There is no default for this parameter. If not supplied, it will be -determined automatically by the client as described above. - -label(minusE) -dit(bf(-E)) This parameter causes the client to write messages to the -standard error stream (stderr) rather than to the standard output -stream. - -By default, the client writes messages to standard output - typically -the user's tty. - -label(minusU) -dit(bf(-U username)) This specifies the user name that will be used by -the client to make a connection, assuming your server is not a downlevel -server that is running a protocol level that uses passwords on shares, -not on usernames. - -Some servers are fussy about the case of this name, and some insist -that it must be a valid NetBIOS name. - -If no username is supplied, it will default to an uppercase version of -the environment variable tt(USER) or tt(LOGNAME) in that order. If no -username is supplied and neither environment variable exists the -username "GUEST" will be used. - -If the tt(USER) environment variable contains a '%' character, -everything after that will be treated as a password. This allows you -to set the environment variable to be tt(USER=username%password) so -that a password is not passed on the command line (where it may be -seen by the ps command). - -You can specify a domain name as part of the username by using a -username of the form "DOMAIN/user" or "DOMAIN\user". 
- -If the service you are connecting to requires a password, it can be -supplied using the link(bf(-U))(minusU) option, by appending a percent symbol ("%") -then the password to username. For example, to attach to a service as -user tt("fred") with password tt("secret"), you would specify. nl() - -tt(-U fred%secret) nl() - -on the command line. Note that there are no spaces around the percent -symbol. - -If you specify the password as part of username then the link(bf(-N))(minusN) option -(suppress password prompt) is assumed. - -If you specify the password as a parameter em(AND) as part of username -then the password as part of username will take precedence. Putting -nothing before or nothing after the percent symbol will cause an empty -username or an empty password to be used, respectively. - -The password may also be specified by setting up an environment -variable called tt(PASSWD) that contains the users password. Note -that this may be very insecure on some systems but on others allows -users to script smbclient commands without having a password appear in -the command line of a process listing. - -A third option is to use a credentials file which contains -the plaintext of the username and password. This option is -mainly provided for scripts where the admin doesn't desire to -pass the credentials on the command line or via environment variables. -If this method is used, make certain that the permissions on the file -restrict access from unwanted users. See the bf(-A) for more details. - -Note: Some servers (including OS/2 and Windows for Workgroups) insist -on an uppercase password. Lowercase or mixed case passwords may be -rejected by these servers. - -Be cautious about including passwords in scripts or in the -tt(PASSWD) environment variable. Also, on many systems the command -line of a running process may be seen via the tt(ps) command to be -safe always allow smbclient to prompt for a password and type it in -directly. 
- -label(minusA) -dit(bf(-A <filename>)) This option allows you to specify a file from which -to read the username and password used in the connection. The format -of the file is - -tt(username = <value>) nl() -tt(password = <value>) nl() - -Make certain that the permissions on the file restrict access from -unwanted users. - -label(minusL) -dit(bf(-L)) This option allows you to look at what services are -available on a server. You use it as tt("smbclient -L host") and a -list should appear. The link(bf(-I))(minusI) option may be useful if your NetBIOS -names don't match your tcp/ip dns host names or if you are trying to -reach a host on another network. - -label(minust) -dit(bf(-t terminal code)) This option tells smbclient how to interpret -filenames coming from the remote server. Usually Asian language -multibyte UNIX implementations use different character sets than -SMB/CIFS servers (em(EUC) instead of em(SJIS) for example). Setting -this parameter will let smbclient convert between the UNIX filenames -and the SMB filenames correctly. This option has not been seriously -tested and may have some problems. - -The terminal codes include tt(sjis), tt(euc), tt(jis7), tt(jis8), -tt(junet), tt(hex), tt(cap). This is not a complete list, check the -Samba source code for the complete list. - -label(minusm) -dit(bf(-m max protocol level)) With the new code in Samba2.0, -bf(smbclient) always attempts to connect at the maximum -protocols level the server supports. This parameter is -preserved for backwards compatibility, but any string -following the bf(-m) will be ignored. - -label(minusb) -dit(bf(-b buffersize)) This option changes the transmit/send buffer -size when getting or putting a file from/to the server. The default -is 65520 bytes. Setting this value smaller (to 1200 bytes) has been -observed to speed up file transfers to and from a Win9x server. 
- -label(minusW) -dit(bf(-W WORKGROUP)) Override the default workgroup specified in the -url(bf(workgroup))(smb.conf.5.html#workgroup) parameter of the -url(bf(smb.conf))(smb.conf.5.html) file for this connection. This may -be needed to connect to some servers. - -label(minusT) dit(bf(-T tar options)) smbclient may be used to create -bf(tar (1)) compatible backups of all the files on an SMB/CIFS -share. The secondary tar flags that can be given to this option are : - - startdit() - - dit(bf(c)) Create a tar file on UNIX. Must be followed by the - name of a tar file, tape device or tt("-") for standard output. If - using standard output you must turn the log level to its lowest value - tt(-d0) to avoid corrupting your tar file. This flag is - mutually exclusive with the bf(x) flag. - - dit(bf(x)) Extract (restore) a local tar file back to a - share. Unless the link(bf(-D))(minusD) option is given, the tar files will be - restored from the top level of the share. Must be followed by the name - of the tar file, device or tt("-") for standard input. Mutually exclusive - with the bf(c) flag. Restored files have their creation times (mtime) - set to the date saved in the tar file. Directories currently do not - get their creation dates restored properly. - - dit(bf(I)) Include files and directories. Is the default - behavior when filenames are specified above. Causes tar files to - be included in an extract or create (and therefore everything else to - be excluded). See example below. Filename globbing works - in one of two ways. See bf(r) below. - - dit(bf(X)) Exclude files and directories. Causes tar files to - be excluded from an extract or create. See example below. Filename - globbing works in one of two ways now. See bf(r) below. - - dit(bf(b)) Blocksize. Must be followed by a valid (greater than - zero) blocksize. Causes tar file to be written out in - blocksize*TBLOCK (usually 512 byte) blocks. - - dit(bf(g)) Incremental. 
Only back up files that have the - archive bit set. Useful only with the bf(c) flag. - - dit(bf(q)) Quiet. Keeps tar from printing diagnostics as it - works. This is the same as tarmode quiet. - - dit(bf(r)) Regular expression include or exclude. Uses regular - regular expression matching for excluding or excluding files if - compiled with HAVE_REGEX_H. However this mode can be very slow. If - not compiled with HAVE_REGEX_H, does a limited wildcard match on * and - ?. - - dit(bf(N)) Newer than. Must be followed by the name of a file - whose date is compared against files found on the share during a - create. Only files newer than the file specified are backed up to the - tar file. Useful only with the bf(c) flag. - - dit(bf(a)) Set archive bit. Causes the archive bit to be reset - when a file is backed up. Useful with the bf(g) and bf(c) flags. - - enddit() - -em(Tar Long File Names) - -smbclient's tar option now supports long file names both on backup and -restore. However, the full path name of the file must be less than -1024 bytes. Also, when a tar archive is created, smbclient's tar -option places all files in the archive with relative names, not -absolute names. - -em(Tar Filenames) - -All file names can be given as DOS path names (with tt(\) as the -component separator) or as UNIX path names (with tt(/) as the -component separator). - -em(Examples) - -startit() - -it() Restore from tar file backup.tar into myshare on mypc (no password on share). - - tt(smbclient //mypc/myshare "" -N -Tx backup.tar) - -it() Restore everything except users/docs - - tt(smbclient //mypc/myshare "" -N -TXx backup.tar users/docs) - -it() Create a tar file of the files beneath users/docs. - - tt(smbclient //mypc/myshare "" -N -Tc backup.tar users/docs) - -it() Create the same tar file as above, but now use a DOS path name. - - tt(smbclient //mypc/myshare "" -N -tc backup.tar users\edocs) - -it() Create a tar file of all the files and directories in the share. 
- - tt(smbclient //mypc/myshare "" -N -Tc backup.tar *) - -endit() - -label(minusD) -dit(bf(-D initial directory)) Change to initial directory before -starting. Probably only of any use with the tar link(bf(-T))(minusT) option. - -label(minusc) -dit(bf(-c command string)) command string is a semicolon separated -list of commands to be executed instead of prompting from stdin. -link(bf(-N))(minusN) is implied by bf(-c). - -This is particularly useful in scripts and for printing stdin to the -server, e.g. tt(-c 'print -'). - -enddit() - -label(OPERATIONS) -manpagesection(OPERATIONS) - -Once the client is running, the user is presented with a prompt : - -tt(smb:\>) - -The backslash ("\") indicates the current working directory on the -server, and will change if the current working directory is changed. - -The prompt indicates that the client is ready and waiting to carry out -a user command. Each command is a single word, optionally followed by -parameters specific to that command. Command and parameters are -space-delimited unless these notes specifically state otherwise. All -commands are case-insensitive. Parameters to commands may or may not -be case sensitive, depending on the command. - -You can specify file names which have spaces in them by quoting the -name with double quotes, for example "a long file name". - -Parameters shown in square brackets (e.g., "[parameter]") are -optional. If not given, the command will use suitable -defaults. Parameters shown in angle brackets (e.g., "<parameter>") are -required. - -Note that all commands operating on the server are actually performed -by issuing a request to the server. Thus the behavior may vary from -server to server, depending on how the server was implemented. - -The commands available are given here in alphabetical order. - -startdit() - -label(questionmark) dit(bf(? [command])) If "command" is specified, -the bf(?) command will display a brief informative message about the -specified command. 
If no command is specified, a list of available -commands will be displayed. - -label(exclaimationmark) dit(bf(! [shell command])) If "shell command" -is specified, the bf(!) command will execute a shell locally and run -the specified shell command. If no command is specified, a local shell -will be run. - -label(cd) dit(bf(cd [directory name])) If "directory name" is -specified, the current working directory on the server will be changed -to the directory specified. This operation will fail if for any reason -the specified directory is inaccessible. - -If no directory name is specified, the current working directory on -the server will be reported. - -label(del) dit(bf(del <mask>)) The client will request that the server -attempt to delete all files matching "mask" from the current working -directory on the server. - -label(dir) dit(bf(dir <mask>)) A list of the files matching "mask" in -the current working directory on the server will be retrieved from the -server and displayed. - -label(exit) dit(bf(exit)) Terminate the connection with the server and -exit from the program. - -label(get) dit(bf(get <remote file name> [local file name])) Copy the -file called "remote file name" from the server to the machine running -the client. If specified, name the local copy "local file name". Note -that all transfers in smbclient are binary. See also the -link(bf(lowercase))(lowercase) command. - -label(help) dit(bf(help [command])) See the link(bf(?))(questionmark) -command above. - -label(lcd) dit(bf(lcd [directory name])) If "directory name" is -specified, the current working directory on the local machine will -be changed to the directory specified. This operation will fail if for -any reason the specified directory is inaccessible. - -If no directory name is specified, the name of the current working -directory on the local machine will be reported. 
- -label(lowercase) dit(bf(lowercase)) Toggle lowercasing of filenames -for the link(bf(get))(get) and link(bf(mget))(mget) commands. - -When lowercasing is toggled ON, local filenames are converted to -lowercase when using the link(bf(get))(get) and link(bf(mget))(mget) -commands. This is often useful when copying (say) MSDOS files from a -server, because lowercase filenames are the norm on UNIX systems. - -label(ls) dit(bf(ls <mask>)) See the link(bf(dir))(dir) command above. - -label(mask) dit(bf(mask <mask>)) This command allows the user to set -up a mask which will be used during recursive operation of the -link(bf(mget))(mget) and link(bf(mput))(mput) commands. - -The masks specified to the link(bf(mget))(mget) and -link(bf(mput))(mput) commands act as filters for directories rather -than files when recursion is toggled ON. - -The mask specified with the .B mask command is necessary to filter -files within those directories. For example, if the mask specified in -an link(bf(mget))(mget) command is "source*" and the mask specified -with the mask command is "*.c" and recursion is toggled ON, the -link(bf(mget))(mget) command will retrieve all files matching "*.c" in -all directories below and including all directories matching "source*" -in the current working directory. - -Note that the value for mask defaults to blank (equivalent to "*") and -remains so until the mask command is used to change it. It retains the -most recently specified value indefinitely. To avoid unexpected -results it would be wise to change the value of .I mask back to "*" -after using the link(bf(mget))(mget) or link(bf(mput))(mput) commands. - -label(md) dit(bf(md <directory name>)) See the link(bf(mkdir))(mkdir) -command. - -label(mget) dit(bf(mget <mask>)) Copy all files matching mask from the -server to the machine running the client. 
- -Note that mask is interpreted differently during recursive operation -and non-recursive operation - refer to the link(bf(recurse))(recurse) -and link(bf(mask))(mask) commands for more information. Note that all -transfers in .B smbclient are binary. See also the -link(bf(lowercase))(lowercase) command. - -label(mkdir) dit(bf(mkdir <directory name>)) Create a new directory on -the server (user access privileges permitting) with the specified -name. - -label(mput) dit(bf(mput <mask>)) Copy all files matching mask in -the current working directory on the local machine to the current -working directory on the server. - -Note that mask is interpreted differently during recursive operation -and non-recursive operation - refer to the link(bf(recurse))(recurse) -and link(bf(mask))(mask) commands for more information. Note that all -transfers in .B smbclient are binary. - -label(print) dit(bf(print <file name>)) Print the specified file -from the local machine through a printable service on the server. - -See also the link(bf(printmode))(printmode) command. - -label(printmode) dit(bf(printmode <graphics or text>)) Set the print -mode to suit either binary data (such as graphical information) or -text. Subsequent print commands will use the currently set print -mode. - -label(prompt) dit(bf(prompt)) Toggle prompting for filenames during -operation of the link(bf(mget))(mget) and link(bf(mput))(mput) -commands. - -When toggled ON, the user will be prompted to confirm the transfer of -each file during these commands. When toggled OFF, all specified files -will be transferred without prompting. - -label(put) dit(bf(put <local file name> [remote file name])) Copy the -file called "local file name" from the machine running the client to -the server. If specified, name the remote copy "remote file name". -Note that all transfers in smbclient are binary. See also the -link(bf(lowercase))(lowercase) command. 
- -label(queue) dit(bf(queue)) Displays the print queue, showing the job -id, name, size and current status. - -label(quit) dit(bf(quit)) See the link(bf(exit))(exit) command. - -label(rd) dit(bf(rd <directory name>)) See the link(bf(rmdir))(rmdir) -command. - -label(recurse) dit(bf(recurse)) Toggle directory recursion for the -commands link(bf(mget))(mget) and link(bf(mput))(mput). - -When toggled ON, these commands will process all directories in the -source directory (i.e., the directory they are copying .IR from ) and -will recurse into any that match the mask specified to the -command. Only files that match the mask specified using the -link(bf(mask))(mask) command will be retrieved. See also the -link(bf(mask))(mask) command. - -When recursion is toggled OFF, only files from the current working -directory on the source machine that match the mask specified to the -link(bf(mget))(mget) or link(bf(mput))(mput) commands will be copied, -and any mask specified using the link(bf(mask))(mask) command will be -ignored. - -label(rm) dit(bf(rm <mask>)) Remove all files matching mask from -the current working directory on the server. - -label(rmdir) dit(bf(rmdir <directory name>)) Remove the specified -directory (user access privileges permitting) from the server. - -label(tar) dit(bf(tar <c|x>[IXbgNa])) Performs a tar operation - see -the link(bf(-T))(minusT) command line option above. Behavior may be -affected by the link(bf(tarmode))(tarmode) command (see below). Using -g (incremental) and N (newer) will affect tarmode settings. Note that -using the "-" option with tar x may not work - use the command line -option instead. - -label(blocksize) dit(bf(blocksize <blocksize>)) Blocksize. Must be -followed by a valid (greater than zero) blocksize. Causes tar file to -be written out in blocksize*TBLOCK (usually 512 byte) blocks. - -label(tarmode) dit(bf(tarmode <full|inc|reset|noreset>)) Changes tar's -behavior with regard to archive bits. 
In full mode, tar will back up -everything regardless of the archive bit setting (this is the default -mode). In incremental mode, tar will only back up files with the -archive bit set. In reset mode, tar will reset the archive bit on all -files it backs up (implies read/write share). - -label(setmode) dit(bf(setmode <filename> <perm=[+|\-]rsha>)) A version -of the DOS attrib command to set file permissions. For example: - -tt(setmode myfile +r) - -would make myfile read only. - -enddit() - -label(NOTES) -manpagesection(NOTES) - -Some servers are fussy about the case of supplied usernames, -passwords, share names (AKA service names) and machine names. If you -fail to connect try giving all parameters in uppercase. - -It is often necessary to use the link(bf(-n))(minusn) option when connecting to some -types of servers. For example OS/2 LanManager insists on a valid -NetBIOS name being used, so you need to supply a valid name that would -be known to the server. - -smbclient supports long file names where the server supports the -LANMAN2 protocol or above. - -label(ENVIRONMENTVARIABLES) -manpagesection(ENVIRONMENT VARIABLES) - -The variable bf(USER) may contain the username of the person using the -client. This information is used only if the protocol level is high -enough to support session-level passwords. - -The variable bf(PASSWD) may contain the password of the person using -the client. This information is used only if the protocol level is -high enough to support session-level passwords. - -label(INSTALLATION) -manpagesection(INSTALLATION) - -The location of the client program is a matter for individual system -administrators. The following are thus suggestions only. - -It is recommended that the smbclient software be installed in the -/usr/local/samba/bin or /usr/samba/bin directory, this directory -readable by all, writeable only by root. The client program itself -should be executable by all. The client should em(NOT) be setuid or -setgid! 
- -The client log files should be put in a directory readable and -writeable only by the user. - -To test the client, you will need to know the name of a running -SMB/CIFS server. It is possible to run url(bf(smbd (8)))(smbd.8.html) -an ordinary user - running that server as a daemon on a -user-accessible port (typically any port number over 1024) would -provide a suitable test server. - -label(DIAGNOSTICS) -manpagesection(DIAGNOSTICS) - -Most diagnostics issued by the client are logged in a specified log -file. The log file name is specified at compile time, but may be -overridden on the command line. - -The number and nature of diagnostics available depends on the debug -level used by the client. If you have problems, set the debug level to -3 and peruse the log files. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbcontrol.1.yo b/docs/yodldocs/smbcontrol.1.yo deleted file mode 100644 index 9edfc97570..0000000000 --- a/docs/yodldocs/smbcontrol.1.yo +++ /dev/null 
@@ -1,112 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbcontrol htmlcommand((1)))(1)(29 Sep 2000)(Samba)(SAMBA) - -label(NAME) -manpagename(smbcontrol)(send messages to smbd or nmbd processes) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbcontrol) link(-i)(minusi) - -bf(smbcontrol) link(destination)(destination) link(message-type)(messagetype) link(parameters)(parameters) - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(smbcontrol) is a very small program, which sends messages to an -url(bf(smbd))(smbd.8.html) or an url(bf(nmbd))(nmbd.8.html) daemon -running on the system. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minusi) -dit(bf(-i)) Run interactively. Individual commands of the form -link(destination)(destination) link(message-type)(messagetype) link(parameters)(parameters) -can be entered on STDIN. An empty command line or a "q" will quit the program. - -label(destination) -dit(bf(destination)) is one of "nmbd", "smbd" or a process ID. - -The bf(smbd) destination causes the message to be "broadcast" to all -smbd daemons. - -The bf(nmbd) destination causes the message to be sent to the nmbd -daemon specified in the bf(nmbd.pid) file. - -If a single process ID is given, the message is sent to only that -process. - -label(messagetype) -dit(bf(message-type)) is one of: debug, force-election, ping, profile, -debuglevel, profilelevel, or printer-notify. - -The bf(debug) message-type allows the debug level to be set to the value -specified by the parameter. This can be sent to any of the destinations. - -The bf(force-election) message-type can only be sent to the bf(nmbd) -destination. This message causes the bf(nmbd) daemon to force a -new browse master election. - -The bf(ping) message-type sends the number of "ping" messages specified -by the parameter and waits for the same number of -reply "pong" messages. This can be sent to any of the destinations. 
- -The bf(profile) message-type sends a message to an smbd to change the profile -settings based on the parameter. The parameter can be "on" to turn on -profile stats collection, "off" to turn off profile stats collection, "count" -to enable only collection of count stats (time stats are disabled), and -"flush" to zero the current profile stats. -This can be sent to any of the destinations. - -The bf(debuglevel) message-type sends a "request debug level" message. -The current debug level setting is returned by a -"debuglevel" message. This can be sent to any of the destinations. - -The bf(profilelevel) message-type sends a "request profile level" message. -The current profile level setting is returned by a -"profilelevel" message. This can be sent to any of the destinations. - -The bf(printer-notify) message-type sends a message to smbd which in turn -sends a printer notify message to any Windows NT clients connected to -a printer. This message-type takes an argument of the printer name to -send notify messages to. This message can only be sent to smbd. - -label(parameters) -dit(bf(parameters)) is any parameters required for the message-type - -enddit() - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smbd (8)))(smbd.8.html), url(bf(nmbd (8)))(nmbd.8.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -This man page source was written in YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -for the Samba 2.2.0 release by Herb Lewis. -email(samba@samba.org). 
- -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbd.8.yo b/docs/yodldocs/smbd.8.yo deleted file mode 100644 index 2a8cbfbefa..0000000000 --- a/docs/yodldocs/smbd.8.yo +++ /dev/null 
@@ -1,443 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbd htmlcommand((8)))(8)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbd)(server to provide SMB/CIFS services to clients) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbd) [link(-D)(minusD)] [link(-a)(minusa)] [link(-o)(minuso)] [link(-P)(minusP)] [link(-h)(minush)] [link(-V)(minusV)] [link(-d debuglevel)(minusd)] [link(-l log file)(minusl)] [link(-p port number)(minusp)] [link(-O socket options)(minusO)] [link(-s configuration file)(minuss)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(smbd) is the server daemon that provides filesharing and printing -services to -Windows clients. The server provides filespace and printer services to -clients using the SMB (or CIFS) protocol. This is compatible with the -LanManager protocol, and can service LanManager clients. These -include MSCLIENT 3.0 for DOS, Windows for Workgroups, Windows 95, -Windows NT, OS/2, DAVE for Macintosh, and smbfs for Linux. - -An extensive description of the services that the server can provide -is given in the man page for the configuration file controlling the -attributes of those services (see -url(bf(smb.conf (5)))(smb.conf.5.html). This man page -will not describe the services, but will concentrate on the -administrative aspects of running the server. - -Please note that there are significant security implications to -running this server, and the -url(bf(smb.conf (5)))(smb.conf.5.html) manpage should be -regarded as mandatory reading before proceeding with installation. - -A session is created whenever a client requests one. Each client gets -a copy of the server for each session. This copy then services all -connections made by the client during that session. When all -connections from its client are closed, the copy of the server for -that client terminates. - -The configuration file, and any files that it includes, are -automatically reloaded every minute, if they change. 
You can force a -reload by sending a SIGHUP to the server. Reloading the configuration -file will not affect connections to any service that is already -established. Either the user will have to disconnect from the -service, or smbd killed and restarted. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minusD) -dit(bf(-D)) If specified, this parameter causes the server to operate as a -daemon. That is, it detaches itself and runs in the background, -fielding requests on the appropriate port. Operating the server as a -daemon is the recommended way of running smbd for servers that provide -more than casual use file and print services. - -By default, the server will NOT operate as a daemon. - -label(minusa) -dit(bf(-a)) If this parameter is specified, each new connection will -append log messages to the log file. This is the default. - -label(minuso) -dit(bf(-o)) If this parameter is specified, the log files will be -overwritten when opened. By default, the log files will be appended -to. - -label(minusP) -dit(bf(-P)) Passive option. Causes smbd not to send any network traffic -out. Used for debugging by the developers only. - -label(minush) -dit(bf(-h)) Prints the help information (usage) for bf(smbd). - -label(minusV) -dit(bf(-V)) Prints the version number for bf(smbd). - -label(minusd) -dit(bf(-d debuglevel)) debuglevel is an integer from 0 to 10. - -The default value if this parameter is not specified is zero. - -The higher this value, the more detail will be logged to the log files -about the activities of the server. At level 0, only critical errors -and serious warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of information about -operations carried out. - -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. 
Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. - -Note that specifying this parameter here will override the url(bf(log -level))(smb.conf.5.html#loglevel) parameter in the url(bf(smb.conf -(5)))(smb.conf.5.html) file. - -label(minusl) -dit(bf(-l log file)) If specified, em(log file) specifies -a log filename into which informational and debug messages from the -running server will be logged. The log file generated is never removed -by the server although its size may be controlled by the url(bf(max -log size))(smb.conf.5.html#maxlogsize) option in the url(bf(smb.conf -(5)))(smb.conf.5.html) file. The default log file name is specified -at compile time. - -label(minusO) -dit(bf(-O socket options)) See the url(bf(socket -options))(smb.conf.5.html#socketoptions) parameter in the -url(bf(smb.conf (5)))(smb.conf.5.html) file for details. - -label(minusp) -dit(bf(-p port number)) port number is a positive integer value. The -default value if this parameter is not specified is 139. - -This number is the port number that will be used when making -connections to the server from client software. The standard -(well-known) port number for the SMB over TCP is 139, hence the -default. If you wish to run the server as an ordinary user rather than -as root, most systems will require you to use a port number greater -than 1024 - ask your system administrator for help if you are in this -situation. - -In order for the server to be useful by most clients, should you -configure it on a port other than 139, you will require port -redirection services on port 139, details of which are outlined in -rfc1002.txt section 4.3.5. - -This parameter is not normally specified except in the above -situation. - -label(minuss) -dit(bf(-s configuration file)) -The file specified contains the configuration details required by the -server. 
The information in this file includes server-specific -information such as what printcap file to use, as well as descriptions -of all the services that the server is to provide. See bf(smb.conf -(5)) for more information. -The default configuration file name is determined at compile time. - -endit() - -label(FILES) -manpagefiles() - -bf(/etc/inetd.conf) - -If the server is to be run by the inetd meta-daemon, this file must -contain suitable startup information for the meta-daemon. See the -section link(INSTALLATION)(INSTALLATION) below. - -bf(/etc/rc) - -(or whatever initialization script your system uses). - -If running the server as a daemon at startup, this file will need to -contain an appropriate startup sequence for the server. See the -section link(INSTALLATION)(INSTALLATION) below. - -bf(/etc/services) - -If running the server via the meta-daemon inetd, this file must -contain a mapping of service name (e.g., netbios-ssn) to service port -(e.g., 139) and protocol type (e.g., tcp). See the section -link(INSTALLATION)(INSTALLATION) below. - -bf(/usr/local/samba/lib/smb.conf) - -This is the default location of the em(smb.conf) server configuration -file. Other common places that systems install this file are -em(/usr/samba/lib/smb.conf) and em(/etc/smb.conf). - -This file describes all the services the server is to make available -to clients. See url(bf(smb.conf (5)))(smb.conf.5.html) for more information. - -label(LIMITATIONS) -manpagesection(LIMITATIONS) - -On some systems bf(smbd) cannot change uid back to root after a -setuid() call. Such systems are called "trapdoor" uid systems. If you -have such a system, you will be unable to connect from a client (such -as a PC) as two different users at once. Attempts to connect the -second user will result in "access denied" or similar. 
- -label(ENVIRONMENTVARIABLES) -manpagesection(ENVIRONMENT VARIABLES) - -bf(PRINTER) - -If no printer name is specified to printable services, most systems -will use the value of this variable (or "lp" if this variable is not -defined) as the name of the printer to use. This is not specific to -the server, however. - -label(INSTALLATION) -manpagesection(INSTALLATION) - - The location of the server and its support files is a matter for -individual system administrators. The following are thus suggestions -only. - -It is recommended that the server software be installed under the -/usr/local/samba hierarchy, in a directory readable by all, writeable -only by root. The server program itself should be executable by all, -as users may wish to run the server themselves (in which case it will -of course run with their privileges). The server should NOT be -setuid. On some systems it may be worthwhile to make smbd setgid to an -empty group. This is because some systems may have a security hole -where daemon processes that become a user can be attached to with a -debugger. Making the smbd file setgid to an empty group may prevent -this hole from being exploited. This security hole and the suggested -fix has only been confirmed on old versions (pre-kernel 2.0) of Linux -at the time this was written. It is possible that this hole only -exists in Linux, as testing on other systems has thus far shown them -to be immune. - -The server log files should be put in a directory readable and -writeable only by root, as the log files may contain sensitive -information. - -The configuration file should be placed in a directory readable and -writeable only by root, as the configuration file controls security for -the services offered by the server. The configuration file can be made -readable by all if desired, but this is not necessary for correct -operation of the server and is not recommended. 
A sample configuration -file "smb.conf.sample" is supplied with the source to the server - -this may be renamed to "smb.conf" and modified to suit your needs. - -The remaining notes will assume the following: - -startit() - -it() bf(smbd) (the server program) installed in /usr/local/samba/bin - -it() bf(smb.conf) (the configuration file) installed in /usr/local/samba/lib - -it() log files stored in /var/adm/smblogs - -endit() - -The server may be run either as a daemon by users or at startup, or it -may be run from a meta-daemon such as inetd upon request. If run as a -daemon, the server will always be ready, so starting sessions will be -faster. If run from a meta-daemon some memory will be saved and -utilities such as the tcpd TCP-wrapper may be used for extra security. -For serious use as file server it is recommended that bf(smbd) be run -as a daemon. - -When you've decided, continue with either -link(RUNNING THE SERVER AS A DAEMON)(RUNNINGTHESERVERASADAEMON) or -link(RUNNING THE SERVER ON REQUEST)(RUNNINGTHESERVERONREQUEST). - -label(RUNNINGTHESERVERASADAEMON) -manpagesection(RUNNING THE SERVER AS A DAEMON) - -To run the server as a daemon from the command line, simply put the -link(bf(-D))(minusD) option on the command line. There is no need to place an -ampersand at the end of the command line - the link(bf(-D))(minusD) option causes -the server to detach itself from the tty anyway. - -Any user can run the server as a daemon (execute permissions -permitting, of course). This is useful for testing purposes, and may -even be useful as a temporary substitute for something like ftp. When -run this way, however, the server will only have the privileges of the -user who ran it. - -To ensure that the server is run as a daemon whenever the machine is -started, and to ensure that it runs as root so that it can serve -multiple clients, you will need to modify the system startup -files. 
Wherever appropriate (for example, in /etc/rc), insert the -following line, substituting port number, log file location, -configuration file location and debug level as desired: - -tt(/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log -s /usr/local/samba/lib/smb.conf) - -(The above should appear in your initialization script as a single line. -Depending on your terminal characteristics, it may not appear that way in -this man page. If the above appears as more than one line, please treat any -newlines or indentation as a single space or TAB character.) - -If the options used at compile time are appropriate for your system, -all parameters except link(bf(-D))(minusD) may be -omitted. See the section link(OPTIONS)(OPTIONS) above. - -label(RUNNINGTHESERVERONREQUEST) -manpagesection(RUNNING THE SERVER ON REQUEST) - - If your system uses a meta-daemon such as bf(inetd), you can arrange to -have the smbd server started whenever a process attempts to connect to -it. This requires several changes to the startup files on the host -machine. If you are experimenting as an ordinary user rather than as -root, you will need the assistance of your system administrator to -modify the system files. - -You will probably want to set up the NetBIOS name server url(bf(nmbd))(nmbd.8.html) at -the same time as bf(smbd). To do this refer to the man page for -url(bf(nmbd (8)))(nmbd.8.html). - -First, ensure that a port is configured in the file tt(/etc/services). The -well-known port 139 should be used if possible, though any port may be -used. - -Ensure that a line similar to the following is in tt(/etc/services): - -tt(netbios-ssn 139/tcp) - -Note for NIS/YP users - you may need to rebuild the NIS service maps -rather than alter your local tt(/etc/services file). - -Next, put a suitable line in the file tt(/etc/inetd.conf) (in the unlikely -event that you are using a meta-daemon other than inetd, you are on -your own). 
Note that the first item in this line matches the service -name in tt(/etc/services). Substitute appropriate values for your system -in this line (see bf(inetd (8))): - -tt(netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf) - -(The above should appear in tt(/etc/inetd.conf) as a single -line. Depending on your terminal characteristics, it may not appear -that way in this man page. If the above appears as more than one -line, please treat any newlines or indentation as a single space or -TAB character.) - -Note that there is no need to specify a port number here, even if you -are using a non-standard port number. - -Lastly, edit the configuration file to provide suitable services. To -start with, the following two services should be all you need: - -verb( - -[homes] - writeable = yes - -[printers] - writeable = no - printable = yes - path = /tmp - public = yes - -) - -This will allow you to connect to your home directory and print to any -printer supported by the host (user privileges permitting). - -label(TESTINGTHEINSTALLATION) -manpagesection(TESTING THE INSTALLATION) - -If running the server as a daemon, execute it before proceeding. If -using a meta-daemon, either restart the system or kill and restart the -meta-daemon. Some versions of inetd will reread their configuration -tables if they receive a HUP signal. - -If your machine's name is "fred" and your name is "mary", you should -now be able to connect to the service tt(\\fred\mary). - -To properly test and experiment with the server, we recommend using -the smbclient program (see -url(bf(smbclient (1)))(smbclient.1.html)) and also going through -the steps outlined in the file em(DIAGNOSIS.txt) in the em(docs/) -directory of your Samba installation. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. 
- -label(DIAGNOSTICS) -manpagesection(DIAGNOSTICS) - -Most diagnostics issued by the server are logged in a specified log -file. The log file name is specified at compile time, but may be -overridden on the command line. - -The number and nature of diagnostics available depends on the debug -level used by the server. If you have problems, set the debug level to -3 and peruse the log files. - -Most messages are reasonably self-explanatory. Unfortunately, at the time -this man page was created, there are too many diagnostics available -in the source code to warrant describing each and every diagnostic. At -this stage your best bet is still to grep the source code and inspect -the conditions that gave rise to the diagnostics you are seeing. - -label(SIGNALS) -manpagesection(SIGNALS) - -Sending the smbd a SIGHUP will cause it to re-load its smb.conf -configuration file within a short period of time. - -To shut down a users smbd process it is recommended that SIGKILL (-9) -em(NOT) be used, except as a last resort, as this may leave the shared -memory area in an inconsistent state. The safe way to terminate an -smbd is to send it a SIGTERM (-15) signal and wait for it to die on -its own. - -The debug log level of smbd may be raised -by sending it a SIGUSR1 tt((kill -USR1 <smbd-pid>)) and lowered by -sending it a SIGUSR2 tt((kill -USR2 <smbd-pid>)). This is to allow -transient problems to be diagnosed, whilst still running at a normally -low log level. - -Note that as the signal handlers send a debug write, they are not -re-entrant in smbd. This you should wait until smbd is in a state of -waiting for an incoming smb before issuing them. It is possible to -make the signal handlers safe by un-blocking the signals before the -select call and re-blocking them after, however this would affect -performance. 
- -label(SEEALSO) -manpageseealso() - -bf(hosts_access (5)), bf(inetd (8)), url(bf(nmbd (8)))(nmbd.8.html), -url(bf(smb.conf (5)))(smb.conf.5.html), url(bf(smbclient -(1)))(smbclient.1.html), url(bf(testparm (1)))(testparm.1.html), -url(bf(testprns (1)))(testprns.1.html), and the Internet RFC's -bf(rfc1001.txt), bf(rfc1002.txt). In addition the CIFS (formerly SMB) -specification is available as a link from the Web page : -url(http://samba.org/cifs/)(http://samba.org/cifs/). - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full list of contributors -and details on how to submit bug reports, comments etc. diff --git a/docs/yodldocs/smbpasswd.5.yo b/docs/yodldocs/smbpasswd.5.yo deleted file mode 100644 index 53350645c9..0000000000 --- a/docs/yodldocs/smbpasswd.5.yo +++ /dev/null 
@@ -1,213 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbpasswd htmlcommand((5)))(5)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbpasswd)(The Samba encrypted password file) - -label(SYNOPSIS) -manpagesynopsis() - -smbpasswd is the bf(Samba) encrypted password file. - -label(DESCRIPTION) -manpagedescription() - -This file is part of the bf(Samba) suite. - -smbpasswd is the bf(Samba) encrypted password file. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed. This file format has been evolving with Samba -and has had several different formats in the past. - -label(FILEFORMAT) -manpagesection(FILE FORMAT) - -The format of the smbpasswd file used by Samba 2.0 is very similar to -the familiar Unix bf(passwd (5)) file. It is an ASCII file containing -one line for each user. Each field within each line is separated from -the next by a colon. Any entry beginning with # is ignored. The -smbpasswd file contains the following information for each user: - -startit() - -label(name) -dit(bf(name)) nl() nl() - - This is the user name. It must be a name that already exists - in the standard UNIX passwd file. - -label(uid) -dit(bf(uid)) nl() nl() - - This is the UNIX uid. It must match the uid field for the same - user entry in the standard UNIX passwd file. If this does not - match then Samba will refuse to recognize this bf(smbpasswd) file entry - as being valid for a user. - -label(LanmanPasswordHash) -dit(bf(Lanman Password Hash)) nl() nl() - - This is the em(LANMAN) hash of the users password, encoded as 32 hex - digits. The em(LANMAN) hash is created by DES encrypting a well known - string with the users password as the DES key. This is the same - password used by Windows 95/98 machines. 
Note that this password hash - is regarded as weak as it is vulnerable to dictionary attacks and if - two users choose the same password this entry will be identical (i.e. - the password is not em("salted") as the UNIX password is). If the - user has a null password this field will contain the characters - tt("NO PASSWORD") as the start of the hex string. If the hex string - is equal to 32 tt('X') characters then the users account is marked as - em(disabled) and the user will not be able to log onto the Samba - server. - - em(WARNING !!). Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as em("plain text equivalent") - and must em(NOT) be made available to anyone but the root user. To - protect these passwords the bf(smbpasswd) file is placed in a - directory with read and traverse access only to the root user and the - bf(smbpasswd) file itself must be set to be read/write only by root, - with no other access. - -label(NTPasswordHash) -dit(bf(NT Password Hash)) nl() nl() - - This is the em(Windows NT) hash of the users password, encoded as 32 - hex digits. The em(Windows NT) hash is created by taking the users - password as represented in 16-bit, little-endian UNICODE and then - applying the em(MD4) (internet rfc1321) hashing algorithm to it. - - This password hash is considered more secure than the link(bf(Lanman - Password Hash))(LanmanPasswordHash) as it preserves the case of the - password and uses a much higher quality hashing algorithm. However, it - is still the case that if two users choose the same password this - entry will be identical (i.e. the password is not em("salted") as the - UNIX password is). - - em(WARNING !!). 
Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as em("plain text equivalent") - and must em(NOT) be made available to anyone but the root user. To - protect these passwords the bf(smbpasswd) file is placed in a - directory with read and traverse access only to the root user and the - bf(smbpasswd) file itself must be set to be read/write only by root, - with no other access. - -label(AccountFlags) -dit(bf(Account Flags)) nl() nl() - - This section contains flags that describe the attributes of the users - account. In the bf(Samba2.0) release this field is bracketed by tt('[') - and tt(']') characters and is always 13 characters in length (including - the tt('[') and tt(']') characters). The contents of this field may be - any of the characters. - - startit() - - label(capU) - it() bf('U') This means this is a em("User") account, i.e. an ordinary - user. Only bf(User) and link(bf(Workstation Trust))(capW) accounts are - currently supported in the bf(smbpasswd) file. - - label(capN) - it() bf('N') This means the account has em(no) password (the passwords - in the fields link(bf(Lanman Password Hash))(LanmanPasswordHash) and - link(bf(NT Password Hash))(NTPasswordHash) are ignored). Note that this - will only allow users to log on with no password if the - url(bf(null passwords))(smb.conf.5.html#nullpasswords) parameter is set - in the url(bf(smb.conf (5)))(smb.conf.5.html) config file. - - label(capD) - it() bf('D') This means the account is disabled and no SMB/CIFS logins - will be allowed for this user. - - label(capW) - it() bf('W') This means this account is a em("Workstation Trust") account. - This kind of account is used in the Samba PDC code stream to allow Windows - NT Workstations and Servers to join a Domain hosted by a Samba PDC. 
- - endit() - - Other flags may be added as the code is extended in future. The rest of - this field space is filled in with spaces. - -label(LastChangeTime) -dit(bf(Last Change Time)) nl() nl() - - This field consists of the time the account was last modified. It consists of - the characters tt(LCT-) (standing for em("Last Change Time")) followed by a numeric - encoding of the UNIX time in seconds since the epoch (1970) that the last change - was made. - -dit(bf(Following fields)) nl() nl() - - All other colon separated fields are ignored at this time. - -enddit() - -label(NOTES) -manpagesection(NOTES) - -In previous versions of Samba (notably the 1.9.18 series) this file -did not contain the link(bf(Account Flags))(AccountFlags) or -link(bf(Last Change Time))(LastChangeTime) fields. The Samba 2.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields. New entries added with -url(bf(smbpasswd (8)))(smbpasswd.8.html) will contain the new fields -in the added accounts however. Thus an older bf(smbpasswd) file used -with Samba 2.0 may end up with some accounts containing the new fields -and some not. - -In order to convert from an old-style bf(smbpasswd) file to a new -style, run the script bf(convert_smbpasswd), installed in the -Samba tt(bin/) directory (the same place that the url(bf(smbd))(smbd.8.html) -and url(bf(nmbd))(nmbd.8.html) binaries are installed) as follows: - -verb( - - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - -) - -The bf(convert_smbpasswd) script reads from stdin and writes to stdout -so as not to overwrite any files by accident. - -Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses bf(awk)), and then replace the tt(<old smbpasswd file>) -with the tt(<new smbpasswd file>). 
- -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smbpasswd (8)))(smbpasswd.8.html), url(bf(samba -(7)))(samba.7.html), and the Internet RFC1321 for details on the MD4 -algorithm. - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy -Allison, email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbpasswd.8.yo b/docs/yodldocs/smbpasswd.8.yo deleted file mode 100644 index 3d418e4953..0000000000 --- a/docs/yodldocs/smbpasswd.8.yo +++ /dev/null 
@@ -1,319 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbpasswd htmlcommand((8)))(8)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbpasswd)(change a users SMB password) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbpasswd) [link(-a)(minusa)] [link(-x)(minusx)] [link(-d)(minusd)] [link(-e)(minuse)] [link(-D debug level)(minusD)] [link(-n)(minusn)] [link(-r remote_machine)(minusr)] [link(-R name resolve order)(minusR)] [link(-m)(minusm)] [link(-j DOMAIN)(minusj)] [link(-U username)(minusU)] [link(-h)(minush)] [link(-s)(minuss)] link(username)(username) - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -The bf(smbpasswd) program has several different functions, depending -on whether it is run by the em(root) user or not. When run as a normal -user it allows the user to change the password used for their SMB -sessions on any machines that store SMB passwords. - -By default (when run with no arguments) it will attempt to change the -current users SMB password on the local machine. This is similar to -the way the bf(passwd (1)) program works. bf(smbpasswd) differs from how -the bf(passwd) program works however in that it is not em(setuid root) -but works in a client-server mode and communicates with a locally -running url(bf(smbd))(smbd.8.html). As a consequence in order for this -to succeed the url(bf(smbd))(smbd.8.html) daemon must be running on -the local machine. On a UNIX machine the encrypted SMB passwords are -usually stored in the url(bf(smbpasswd (5)))(smbpasswd.5.html) file. - -When run by an ordinary user with no options. bf(smbpasswd) will -prompt them for their old smb password and then ask them for their new -password twice, to ensure that the new password was typed -correctly. No passwords will be echoed on the screen whilst being -typed. 
If you have a blank smb password (specified by the string "NO -PASSWORD" in the url(bf(smbpasswd))(smbpasswd.5.html) file) then just -press the <Enter> key when asked for your old password. - -bf(smbpasswd) can also be used by a normal user to change their SMB -password on remote machines, such as Windows NT Primary Domain -Controllers. See the link((bf(-r)))(minusr) and -link(bf(-U))(minusU) options below. - -When run by root, bf(smbpasswd) allows new users to be added and -deleted in the url(bf(smbpasswd))(smbpasswd.5.html) file, as well as -allows changes to the attributes of the user in this file to be made. When -run by root, bf(smbpasswd) accesses the local -url(bf(smbpasswd))(smbpasswd.5.html) file directly, thus enabling -changes to be made even if url(bf(smbd))(smbd.8.html) is not running. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minusa) -dit(bf(-a)) This option specifies that the username following should -be added to the local url(bf(smbpasswd))(smbpasswd.5.html) file, with -the new password typed (type <Enter> for the old password). This -option is ignored if the username following already exists in the -url(bf(smbpasswd))(smbpasswd.5.html) file and it is treated like a -regular change password command. Note that the user to be added -bf(must) already exist in the system password file (usually /etc/passwd) -else the request to add the user will fail. - -This option is only available when running bf(smbpasswd) as -root. - -label(minusx) -dit(bf(-x)) This option specifies that the username following should -be deleted from the local url(bf(smbpasswd))(smbpasswd.5.html) file. - -This option is only available when running bf(smbpasswd) as -root. - -label(minusd) -dit(bf(-d)) This option specifies that the username following should be -em(disabled) in the local url(bf(smbpasswd))(smbpasswd.5.html) file. -This is done by writing a em('D') flag into the account control space -in the url(bf(smbpasswd))(smbpasswd.5.html) file. 
Once this is done -all attempts to authenticate via SMB using this username will fail. - -If the url(bf(smbpasswd))(smbpasswd.5.html) file is in the 'old' -format (pre-Samba 2.0 format) there is no space in the users password -entry to write this information and so the user is disabled by writing -'X' characters into the password space in the -url(bf(smbpasswd))(smbpasswd.5.html) file. See url(bf(smbpasswd -(5)))(smbpasswd.5.html) for details on the 'old' and new password file -formats. - -This option is only available when running bf(smbpasswd) as root. - -label(minuse) -dit(bf(-e)) This option specifies that the username following should be -em(enabled) in the local url(bf(smbpasswd))(smbpasswd.5.html) file, -if the account was previously disabled. If the account was not -disabled this option has no effect. Once the account is enabled -then the user will be able to authenticate via SMB once again. - -If the smbpasswd file is in the 'old' format then bf(smbpasswd) will -prompt for a new password for this user, otherwise the account will be -enabled by removing the em('D') flag from account control space in the -url(bf(smbpasswd))(smbpasswd.5.html) file. See url(bf(smbpasswd -(5)))(smbpasswd.5.html) for details on the 'old' and new password file -formats. - -This option is only available when running bf(smbpasswd) as root. - -label(minusD) -dit(bf(-D debuglevel)) debuglevel is an integer from 0 -to 10. The default value if this parameter is not specified is zero. - -The higher this value, the more detail will be logged to the log files -about the activities of smbpasswd. At level 0, only critical errors -and serious warnings will be logged. - -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. 
- -label(minusn) -dit(bf(-n)) This option specifies that the username following should -have their password set to null (i.e. a blank password) in the local -url(bf(smbpasswd))(smbpasswd.5.html) file. This is done by writing the -string "NO PASSWORD" as the first part of the first password stored in -the url(bf(smbpasswd))(smbpasswd.5.html) file. - -Note that to allow users to logon to a Samba server once the password -has been set to "NO PASSWORD" in the -url(bf(smbpasswd))(smbpasswd.5.html) file the administrator must set -the following parameter in the [global] section of the -url(bf(smb.conf))(smb.conf.5.html) file : - -url(null passwords = true)(smb.conf.5.html#nullpasswords) - -This option is only available when running bf(smbpasswd) as root. - -label(minusr) -dit(bf(-r remote machine name)) This option allows a -user to specify what machine they wish to change their password -on. Without this parameter bf(smbpasswd) defaults to the local -host. The em("remote machine name") is the NetBIOS name of the -SMB/CIFS server to contact to attempt the password change. This name -is resolved into an IP address using the standard name resolution -mechanism in all programs of the url(bf(Samba))(samba.7.html) -suite. See the link(bf(-R name resolve order))(minusR) parameter for details on changing this resolving -mechanism. - -The username whose password is changed is that of the current UNIX -logged on user. See the link(bf(-U username))(minusU) -parameter for details on changing the password for a different -username. - -Note that if changing a Windows NT Domain password the remote machine -specified must be the Primary Domain Controller for the domain (Backup -Domain Controllers only have a read-only copy of the user account -database and will not allow the password change). - -em(Note) that Windows 95/98 do not have a real password database -so it is not possible to change passwords specifying a Win95/98 -machine as remote machine target. 
- -label(minusR) -dit(bf(-R name resolve order)) This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to. - -The options are :link("lmhosts")(lmhosts), link("host")(host), -link("wins")(wins) and link("bcast")(bcast). They cause names to be -resolved as follows : - -startit() - -label(lmhosts) -it() bf(lmhosts) : Lookup an IP address in the Samba lmhosts file. - -label(host) -it() bf(host) : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system dependent. For instance on IRIX or -Solaris, this may be controlled by the em(/etc/nsswitch.conf) file). - -label(wins) -it() bf(wins) : Query a name with the IP address listed in the -url(bf(wins server))(smb.conf.5.html#winsserver) parameter in the -url(bf(smb.conf file))(smb.conf.5.html). If -no WINS server has been specified this method will be ignored. - -label(bcast) -it() bf(bcast) : Do a broadcast on each of the known local interfaces -listed in the url(bf(interfaces))(smb.conf.5.html#interfaces) parameter -in the smb.conf file. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet. - -endit() - -If this parameter is not set then the name resolve order defined -in the url(bf(smb.conf))(smb.conf.5.html) file parameter -url(bf(name resolve order))(smb.conf.5.html#nameresolveorder) -will be used. - -The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the url(bf(smb.conf))(smb.conf.5.html) -file the name resolution methods will be attempted in this order. - -label(minusm) -dit(bf(-m)) This option tells bf(smbpasswd) that the account being -changed is a em(MACHINE) account. Currently this is used when Samba is -being used as an NT Primary Domain Controller. 
PDC support is not a -supported feature in Samba2.0 but will become supported in a later -release. If you wish to know more about using Samba as an NT PDC then -please subscribe to the mailing list -email(samba-ntdom@samba.org). - -This option is only available when running bf(smbpasswd) as root. - -label(minusj) -dit(bf(-j DOMAIN)) This option is used to add a Samba server into a -Windows NT Domain, as a Domain member capable of authenticating user -accounts to any Domain Controller in the same way as a Windows NT -Server. See the url(bf(security=domain))(smb.conf.5.html#security) -option in the url(bf(smb.conf (5)))(smb.conf.5.html) man page. - -In order to be used in this way, the Administrator for the Windows -NT Domain must have used the program em("Server Manager for Domains") -to add the url(primary NetBIOS name)(smb.conf.5.html#netbiosname) of -the Samba server as a member of the Domain. - -After this has been done, to join the Domain invoke bf(smbpasswd) with -this parameter. bf(smbpasswd) will then look up the Primary Domain -Controller for the Domain (found in the -url(bf(smb.conf))(smb.conf.5.html) file in the parameter -url(bf(password server))(smb.conf.5.html#passwordserver) and change -the machine account password used to create the secure Domain -communication. This password is then stored by bf(smbpasswd) in a -file, read only by root, called tt(<Domain>.<Machine>.mac) where -tt(<Domain>) is the name of the Domain we are joining and tt(<Machine>) -is the primary NetBIOS name of the machine we are running on. - -Once this operation has been performed the -url(bf(smb.conf))(smb.conf.5.html) file may be updated to set the -url(bf(security=domain))(smb.conf.5.html#security) option and all -future logins to the Samba server will be authenticated to the Windows -NT PDC. - -Note that even though the authentication is being done to the PDC all -users accessing the Samba server must still have a valid UNIX account -on that machine. 
- -This option is only available when running bf(smbpasswd) as root. - -label(minusU) -dit(bf(-U username)) This option may only be used in -conjunction with the link(bf(-r))(minusr) -option. When changing a password on a remote machine it allows the -user to specify the user name on that machine whose password will be -changed. It is present to allow users who have different user names on -different systems to change these passwords. - -label(minush) -dit(bf(-h)) This option prints the help string for bf(smbpasswd), -selecting the correct one for running as root or as an ordinary user. - -label(minuss) -dit(bf(-s)) This option causes bf(smbpasswd) to be silent (i.e. not -issue prompts) and to read it's old and new passwords from standard -input, rather than from tt(/dev/tty) (like the bf(passwd (1)) program -does). This option is to aid people writing scripts to drive bf(smbpasswd) - -label(username) -dit(bf(username)) This specifies the username for all of the em(root -only) options to operate on. Only root can specify this parameter as -only root has the permission needed to modify attributes directly -in the local url(bf(smbpasswd))(smbpasswd.5.html) file. - -label(NOTES) -manpagesection(NOTES) - -Since bf(smbpasswd) works in client-server mode communicating with a -local url(bf(smbd))(smbd.8.html) for a non-root user then the bf(smbd) -daemon must be running for this to work. A common problem is to add a -restriction to the hosts that may access the bf(smbd) running on the -local machine by specifying a url(bf("allow -hosts"))(smb.conf.5.html#allowhosts) or url(bf("deny -hosts"))(smb.conf.5.html#denyhosts) entry in the -url(bf(smb.conf))(smb.conf.5.html) file and neglecting to allow -em("localhost") access to the bf(smbd). - -In addition, the bf(smbpasswd) command is only useful if bf(Samba) has -been set up to use encrypted passwords. See the file bf(ENCRYPTION.txt) -in the docs directory for details on how to do this. 
- -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbrun.1.yo b/docs/yodldocs/smbrun.1.yo deleted file mode 100644 index d9fff9b7a1..0000000000 --- a/docs/yodldocs/smbrun.1.yo +++ /dev/null 
@@ -1,81 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbrun htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbrun)(interface program between smbd and external programs) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbrun) link(shell-command)(shellcommand) - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(smbrun) is a very small 'glue' program, which runs shell commands -for the url(bf(smbd))(smbd.8.html) daemon url(bf(smbd -(8)))(smbd.8.html). - -It first changes to the highest effective user and group ID that it -can, then runs the command line provided using the system() call. This -program is necessary to allow some operating systems to run external -programs as non-root. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(shellcommand) -dit(bf(shell-command)) The shell command to execute. The command -should have a fully-qualified path. - -enddit() - -label(ENVIRONMENTVARIABLES) -manpagesection(ENVIRONMENT VARIABLES) - -The em(PATH) variable set for the environment in which bf(smbrun) is -executed will affect what executables are located and executed if a -fully-qualified path is not given in the command. - -label(DIAGNOSTICS) -manpagesection(DIAGNOSTICS) - -If bf(smbrun) cannot be located or cannot be executed by -url(bf(smbd))(smbd.8.html) then appropriate messages will be found in -the url(bf(smbd))(smbd.8.html) logs. Other diagnostics are dependent -on the shell-command being run. It is advisable for your shell -commands to issue suitable diagnostics to aid trouble-shooting. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smb.conf (5)))(smb.conf.5.html), url(bf(smbd (8)))(smbd.8.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). 
Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbsh.1.yo b/docs/yodldocs/smbsh.1.yo deleted file mode 100644 index acf3392939..0000000000 --- a/docs/yodldocs/smbsh.1.yo +++ /dev/null 
@@ -1,87 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbsh htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbsh)(Allows access to Windows NT filesystem using UNIX commands) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbsh) - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(smbsh) allows you to access an NT filesystem using UNIX commands -such as bf(ls), bf(egrep), and bf(rcp). You must use a shell that -is dynmanically linked in order for bf(smbsh) to work correctly. - -To use the bf(smbsh) command, execute bf(smbsh) from the prompt and -enter the username and password that authenticate you to the -machine running the Windows NT operating system. - -verb( -system% smbsh -Username: user -Password: -) - -Any dynamically linked command you execute from this shell will -access the bf(/smb) directory using the smb protocol. -For example, the command - -tt(ls /smb) - -will show all the machines in your workgroup. -The command - -tt(ls /smb/<machine-name>) - -will show the share names for that machine. You could then, for example, use the -bf(cd) command to change directories, bf(vi) to edit files, and bf(rcp) - to copy files. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for the 2.0.3 of the Samba suite. - -label(BUGS) -manpagebugs() - -bf(smbsh) works by intercepting the standard libc calls with the dynamically loaded -versions in bf(smbwrapper.o). Not all calls have been "wrapped" so some programs -may not function correctly under bf(smbsh). - -Programs which are not dynamically linked cannot make use of bf(smbsh)'s -functionality. Most versions of UNIX have a bf(file) command that will describe how -a program was linked. - -label(SEEALSO) -manpageseealso() - -url(bf(smb.conf (5)))(smb.conf.5.html), -url(bf(smbd (8)))(smbd.8.html). - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell (samba@samba.org). 
Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. - diff --git a/docs/yodldocs/smbspool.8.yo b/docs/yodldocs/smbspool.8.yo deleted file mode 100644 index 53388601a5..0000000000 --- a/docs/yodldocs/smbspool.8.yo +++ /dev/null 
@@ -1,89 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbspool htmlcommand((1)))(1)(11 October 1999)(Samba)(SAMBA) - -label(NAME) -manpagename(smbspool)(send print file to an SMB printer) - -label(SYNOPSIS) -manpagesynopsis() -bf(smbspool) job user title copies options [filename] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the Samba suite. - -smbspool is a very small print spooling program that sends a print -file to an SMB printer. The command-line arguments are position-dependent for -compatibility with the Common UNIX Printing System, but you can use -smbspool with any printing system or from a program or script. - -manpagesection(DEVICE URI) - -smbspool specifies the destination using a Uniform Resource Identifier -("URI") with a method of "smb". This string can take a number of -forms: - -startit() -it() smb://server/printer - -it() smb://workgroup/server/printer - -it() smb://username:password@server/printer - -it() smb://username:password@workgroup/server/printer - -endit() - -smbspool tries to get the URI from argv[0]. If argv[0] contains the -name of the program then it looks in the DEVICE_URI environment variable. - -Programs using the exec(2) functions can pass the URI in argv[0], -while shell scripts must set the DEVICE_URI environment variable prior to -running smbspool. - -manpagesection(OPTIONS) - -The job argument (argv[1]) contains the job ID number and is presently -not used by smbspool. - -The user argument (argv[2]) contains the print user's name and is -presently not used by smbspool. - -The title argument (argv[3]) contains the job title string and is -passed as the remote file name when sending the print job. - -The copies argument (argv[4]) contains the number of copies to be -printed of the named file. If no filename is provided than this argument is -not used by smbspool. - -The options argument (argv[5]) contains the print options in a single -string and is presently not used by smbspool. 
- -The filename argument (argv[6]) contains the name of the file to print. -If this argument is not specified then the print file is read from the -standard input. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpagesection(SEE ALSO) -url(bf(smbd (8)))(smbd.8.html) - -label(AUTHOR) -manpageauthor() - -smbspool was written by Michael Sweet at Easy Software Products. - -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba.org. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbstatus.1.yo b/docs/yodldocs/smbstatus.1.yo deleted file mode 100644 index 8e571d0714..0000000000 --- a/docs/yodldocs/smbstatus.1.yo +++ /dev/null 
@@ -1,85 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbstatus htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbstatus)(report on current Samba connections) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbstatus) [link(-P)(minusP)] [link(-b)(minusb)] [link(-d)(minusd)] [link(-L)(minusL)] [link(-p)(minusp)] [link(-S)(minusS)] [link(-s configuration file)(minuss)] [link(-u username)(minusu)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(smbstatus) is a very simple program to list the current Samba -connections. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minusP) -dit(bf(-P)) If samba has been compiled with the profiling option, -print only the contents of the profiling shared memory area. - -label(minusb) -dit(bf(-b)) gives brief output. - -label(minusd) -dit(bf(-d)) gives verbose output. - -label(minusL) -dit(bf(-L)) causes smbstatus to only list locks. - -label(minusp) -dit(bf(-p)) print a list of url(bf(smbd))(smbd.8.html) -processes and exit. Useful for scripting. - -label(minusS) -dit(bf(-S)) causes smbstatus to only list shares. - -label(minuss) -dit(bf(-s configuration file)) The default configuration file name is -determined at compile time. The file specified contains the -configuration details required by the server. See url(bf(smb.conf -(5)))(smb.conf.5.html) for more information. - -label(minusu) -dit(bf(-u username)) selects information relevant to em(username) -only. - -enddit() - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smb.conf (5)))(smb.conf.5.html), url(bf(smbd (8)))(smbd.8.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. 
- -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/smbtar.1.yo b/docs/yodldocs/smbtar.1.yo deleted file mode 100644 index 9c321d3853..0000000000 --- a/docs/yodldocs/smbtar.1.yo +++ /dev/null 
@@ -1,140 +0,0 @@ -mailto(samba@samba.org) - -manpage(smbtar htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(smbtar)(shell script for backing up SMB/CIFS shares directly to UNIX tape drives) - -label(SYNOPSIS) -manpagesynopsis() - -bf(smbtar) link(-s server)(minuss) [link(-p password)(minusp)] [link(-x service)(minusx)] [link(-X)(minusX)] [link(-d directory)(minusd)] [link(-u user)(minusu)] [link(-t tape)(minust)] [link(-b blocksize)(minusb)] [link(-N filename)(minusN)] [link(-i)(minusi)] [link(-r)(minusr)] [link(-l log level)(minusl)] [link(-v)(minusv)] filenames - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(smbtar) is a very small shell script on top of -url(bf(smbclient))(smbclient.1.html) which dumps SMB shares directly -to tape. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minuss) -dit(bf(-s server)) The SMB/CIFS server that the share resides upon. - -label(minusx) -dit(bf(-x service)) The share name on the server to connect -to. The default is tt(backup). - -label(minusX) -dit(bf(-X)) Exclude mode. Exclude filenames... from tar create or -restore. - -label(minusd) -dit(bf(-d directory)) Change to initial em(directory) before restoring -/ backing up files. - -label(minusv) -dit(bf(-v)) Verbose mode. - -label(minusp) -dit(bf(-p password)) The password to use to access a share. Default: -none - -label(minusu) -dit(bf(-u user)) The user id to connect as. Default: UNIX login name. - -label(minust) -dit(bf(-t tape)) Tape device. May be regular file or tape -device. Default: em(TAPE) environmental variable; if not set, a file -called tt(tar.out). - -label(minusb) -dit(bf(-b blocksize)) Blocking factor. Defaults to 20. See bf(tar (1)) -for a fuller explanation. - -label(minusN) -dit(bf(-N filename)) Backup only files newer than filename. Could be -used (for example) on a log file to implement incremental backups. 
- -label(minusi) -dit(bf(-i)) Incremental mode; tar files are only backed up if they -have the archive bit set. The archive bit is reset after each file is -read. - -label(minusr) -dit(bf(-r)) Restore. Files are restored to the share from the tar -file. - -label(minusl) -dit(bf(-l log level)) Log (debug) level. Corresponds to the -url(bf(-d))(smbclient.1.html#minusd) flag of url(bf(smbclient -(1)))(smbclient.1.html). - -enddit() - -label(ENVIRONMENTVARIABLES) -manpagesection(ENVIRONMENT VARIABLES) - -The TAPE variable specifies the default tape device to write to. May -be overridden with the link(bf(-t))(minust) option. - -label(BUGS) -manpagesection(BUGS) - -The bf(smbtar) script has different options from ordinary tar and tar -called from url(bf(smbclient))(smbclient.1.html). - -label(CAVEATS) -manpagesection(CAVEATS) - -Sites that are more careful about security may not like the way the -script handles PC passwords. Backup and restore work on entire shares, -should work on file lists. bf(smbtar) works best with GNU tar and may -not work well with other versions. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smbclient (1)))(smbclient.1.html), url(bf(smb.conf -(5)))(smb.conf.5.html) - -label(DIAGNOSTICS) -manpagesection(DIAGNOSTICS) - -See the url(bf(DIAGNOSTICS))(smbclient.1.html#DIAGNOSTICS) section for -the url(bf(smbclient))(smbclient.1.html) command. - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -Ricky Poulten email(poultenr@logica.co.uk) wrote the tar extension and -this man page. The bf(smbtar) script was heavily rewritten and -improved by Martin Kraemer email(Martin.Kraemer@mch.sni.de). 
Many -thanks to everyone who suggested extensions, improvements, bug fixes, -etc. The man page sources were converted to YODL format (another -excellent piece of Open Source software available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison, -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. - - diff --git a/docs/yodldocs/swat.8.yo b/docs/yodldocs/swat.8.yo deleted file mode 100644 index d320a090d2..0000000000 --- a/docs/yodldocs/swat.8.yo +++ /dev/null 
@@ -1,162 +0,0 @@ -mailto(samba@samba.org) - -manpage(swat htmlcommand((8)))(8)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(swat)(Samba Web Administration Tool) - -label(SYNOPSIS) -manpagesynopsis() - -bf(swat) [link(-s smb config file)(minuss)] [link(-a)(minusa)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(swat) allows a Samba administrator to configure the complex -url(bf(smb.conf))(smb.conf.5.html) file via a Web browser. In -addition, a swat configuration page has help links to all the -configurable options in the url(bf(smb.conf))(smb.conf.5.html) file -allowing an administrator to easily look up the effects of any change. - -bf(swat) is run from bf(inetd) - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minuss) -dit(bf(-s smb configuration file)) The default configuration file path is -determined at compile time. - -The file specified contains the configuration details required by the -url(bf(smbd))(smbd.8.html) server. This is the file that bf(swat) will -modify. The information in this file includes server-specific -information such as what printcap file to use, as well as descriptions -of all the services that the server is to provide. See url(smb.conf -(5))(smb.conf.5.html) for more information. - -label(minusa) -dit(bf(-a)) - -This option disables authentication and puts bf(swat) in demo mode. In -that mode anyone will be able to modify the -url(bf(smb.conf))(smb.conf.5.html) file. - -Do NOT enable this option on a production server. - -endit() - -label(INSTALLATION) -manpagesection(INSTALLATION) - -After you compile SWAT you need to run tt("make install") to install the -swat binary and the various help files and images. 
A default install -would put these in: - -verb( -/usr/local/samba/bin/swat -/usr/local/samba/swat/images/* -/usr/local/samba/swat/help/* -) - -label(INETD) -manpagesection(INETD INSTALLATION) - -You need to edit your tt(/etc/inetd.conf) and tt(/etc/services) to -enable bf(SWAT) to be launched via inetd. - -In tt(/etc/services) you need to add a line like this: - -tt(swat 901/tcp) - -Note for NIS/YP users - you may need to rebuild the NIS service maps -rather than alter your local tt(/etc/services) file. - -the choice of port number isn't really important except that it should -be less than 1024 and not currently used (using a number above 1024 -presents an obscure security hole depending on the implementation -details of your bf(inetd) daemon). - -In tt(/etc/inetd.conf) you should add a line like this: - -tt(swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat) - -One you have edited tt(/etc/services) and tt(/etc/inetd.conf) you need -to send a HUP signal to inetd. To do this use tt("kill -1 PID") where -PID is the process ID of the inetd daemon. - -label(LAUNCHING) -manpagesection(LAUNCHING) - -To launch bf(swat) just run your favorite web browser and point it at -tt(http://localhost:901/). - -bf(Note that you can attach to bf(swat) from any IP connected machine but -connecting from a remote machine leaves your connection open to -password sniffing as passwords will be sent in the clear over the -wire.) - -manpagefiles() - -bf(/etc/inetd.conf) - -This file must contain suitable startup information for the -meta-daemon. - -bf(/etc/services) - -This file must contain a mapping of service name (e.g., swat) to -service port (e.g., 901) and protocol type (e.g., tcp). - -bf(/usr/local/samba/lib/smb.conf) - -This is the default location of the em(smb.conf) server configuration -file that bf(swat) edits. Other common places that systems install -this file are em(/usr/samba/lib/smb.conf) and em(/etc/smb.conf). 
- -This file describes all the services the server is to make available -to clients. See bf(smb.conf (5)) for more information. - -label(WARNINGS) -manpagesection(WARNINGS) - -bf(swat) will rewrite your url(bf(smb.conf))(smb.conf.5.html) file. It -will rearrange the entries and delete all comments, -url(bf("include="))(smb.conf.5.html#include) and -url(bf("copy="))(smb.conf.5.html#copy) options. If you have a -carefully crafted url(bf(smb.conf))(smb.conf.5.html) then back it up -or don't use bf(swat)! - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -bf(inetd (8)), url(bf(nmbd (8)))(nmbd.8.html), -url(bf(smb.conf (5)))(smb.conf.5.html). - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell (samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/testparm.1.yo b/docs/yodldocs/testparm.1.yo deleted file mode 100644 index 573f855c3e..0000000000 --- a/docs/yodldocs/testparm.1.yo +++ /dev/null 
@@ -1,116 +0,0 @@ -mailto(samba@samba.org) - -manpage(testparm htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(testparm)(check an smb.conf configuration file for internal correctness) - -label(SYNOPSIS) -manpagesynopsis() - -bf(testparm) [link(-s)(minuss)] [link(-h)(minush)] [link(-L servername)(minusL)] [link(configfilename)(configfilename)] [link(hostname)(hostname) link(hostIP)(hostIP)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(testparm) is a very simple test program to check an -url(bf(smbd))(smbd.8.html) configuration file for internal -correctness. If this program reports no problems, you can use the -configuration file with confidence that url(bf(smbd))(smbd.8.html) -will successfully load the configuration file. - -Note that this is em(NOT) a guarantee that the services specified in the -configuration file will be available or will operate as expected. - -If the optional host name and host IP address are specified on the -command line, this test program will run through the service entries -reporting whether the specified host has access to each service. - -If bf(testparm) finds an error in the url(bf(smb.conf))(smb.conf.5.html) -file it returns an exit code of 1 to the calling program, else it returns -an exit code of 0. This allows shell scripts to test the output from -bf(testparm). - -label(OPTIONS) -manpageoptions() - -startdit() - -label(minuss) -dit(bf(-s)) Without this option, bf(testparm) will prompt for a -carriage return after printing the service names and before dumping -the service definitions. - -label(minush) -dit(bf(-h)) Print usage message - -label(minusL) -dit(bf(-L servername)) Sets the value of the %L macro to servername. This -is useful for testing include files specified with the %L macro. - -label(configfilename) -dit(bf(configfilename)) This is the name of the configuration file to -check. 
If this parameter is not present then the default -url(bf(smb.conf))(smb.conf.5.html) file will be checked. - -label(hostname) -dit(bf(hostname)) If this parameter and the following are specified, -then testparm will examine the url(bf("hosts -allow"))(smb.conf.5.html#hostsallow) and url(bf("hosts -deny"))(smb.conf.5.html#hostsdeny) parameters in the -url(bf(smb.conf))(smb.conf.5.html) file to determine if the hostname -with this IP address would be allowed access to the -url(bf(smbd))(smbd.8.html) server. If this parameter is supplied, the -link(hostIP)(hostIP) parameter must also be supplied. - -label(hostIP) -dit(bf(hostIP)) This is the IP address of the host specified in the -previous parameter. This address must be supplied if the hostname -parameter is supplied. - -enddit() - -label(FILES) -manpagesection(FILES) - -url(bf(smb.conf))(smb.conf.5.html). This is usually the name of the -configuration file used by url(bf(smbd))(smbd.8.html). - -label(DIAGNOSTICS) -manpagesection(DIAGNOSTICS) - -The program will issue a message saying whether the configuration file -loaded OK or not. This message may be preceded by errors and warnings -if the file did not load. If the file was loaded OK, the program then -dumps all known service details to stdout. - -label(VERSION) -manpagesection(VERSION) - -This man page is correct for version 2.0 of the Samba suite. - -label(SEEALSO) -manpageseealso() - -url(bf(smb.conf (5)))(smb.conf.5.html), url(bf(smbd (8)))(smbd.8.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. 
The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/testprns.1.yo b/docs/yodldocs/testprns.1.yo deleted file mode 100644 index d9311ffd82..0000000000 --- a/docs/yodldocs/testprns.1.yo +++ /dev/null 
@@ -1,98 +0,0 @@ -mailto(samba@samba.org) - -manpage(testprns htmlcommand((1)))(1)(23 Oct 1998)(Samba)(SAMBA) - -label(NAME) -manpagename(testprns)(check printer name for validity with smbd ) - -label(SYNOPSIS) -manpagesynopsis() - -bf(testprns) link(printername)(printername) [link(printcapname)(printcapname)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite. - -bf(testprns) is a very simple test program to determine whether a -given printer name is valid for use in a service to be provided by -url(bf(smbd))(smbd.8.html). - -"Valid" in this context means "can be found in the printcap -specified". This program is very stupid - so stupid in fact that it -would be wisest to always specify the printcap file to use. - -label(OPTIONS) -manpageoptions() - -startdit() - -label(printername) -dit(bf(printername)) The printer name to validate. - -Printer names are taken from the first field in each record in the -printcap file, single printer names and sets of aliases separated by -vertical bars ("|") are recognized. Note that no validation or -checking of the printcap syntax is done beyond that required to -extract the printer name. It may be that the print spooling system is -more forgiving or less forgiving than bf(testprns). However, if -bf(testprns) finds the printer then url(bf(smbd))(smbd.8.html) should -do so as well. - -label(printcapname) -dit(bf(printcapname)) This is the name of the printcap file within -which to search for the given printer name. - -If no printcap name is specified bf(testprns) will attempt to scan the -printcap file name specified at compile time. - -enddit() - -label(FILES) -manpagesection(FILES) - -bf(/etc/printcap) This is usually the default printcap file to -scan. See bf(printcap (5)). - -label(DIAGNOSTICS) -manpagesection(DIAGNOSTICS) - -If a printer is found to be valid, the message "Printer name -<printername> is valid" will be displayed. 
- -If a printer is found to be invalid, the message "Printer name -<printername> is not valid" will be displayed. - -All messages that would normally be logged during operation of the -url(bf(Samba))(samba.7.html) daemons are logged by this program to the -file tt(test.log) in the current directory. The program runs at -debuglevel 3, so quite extensive logging information is written. The -log should be checked carefully for errors and warnings. - -Other messages are self-explanatory. - -label(SEEALSO) -manpageseealso() - -bf(printcap (5)), url(bf(smbd (8)))(smbd.8.html), url(bf(smbclient -(1)))(smbclient.1.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell email(samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. - -The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/)) -and updated for the Samba2.0 release by Jeremy Allison. -email(samba@samba.org). - -See url(bf(samba (7)))(samba.7.html) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. diff --git a/docs/yodldocs/wbinfo.1.yo b/docs/yodldocs/wbinfo.1.yo deleted file mode 100644 index 159d2e8c7b..0000000000 --- a/docs/yodldocs/wbinfo.1.yo +++ /dev/null 
@@ -1,133 +0,0 @@ -mailto(samba-bugs@samba.org) -manpage(wbinfo htmlcommand((1)))(1)(13 Jun 2000)(Samba)(SAMBA) - -label(NAME) -manpagename(wbinfo)(Query information from winbind daemon) - -label(SYNOPSIS) -manpagesynopsis() - -bf(wbinfo) link(-u)(minusu) [link(-g)(minusg)] [link(-n name)(minusn)] -[link(-s sid)(minuss)] [link(-U uid)(minusU)] [link(-G gid)(minusG)] -[link(-S sid)(minusS)] [link(-Y sid)(minusY)] [link(-t)(minust)] -[link(-m)(minusm)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. - -The bf(wbinfo) program queries and returns information created and used by -the url(bf(winbindd(8)))(winbindd.8.html) daemon. - -The url(bf(winbindd(8)))(winbindd.8.html) daemon must be configured and -running for the bf(wbinfo) program to be able to return information. - -label(OPTIONS) -manpageoptions() - -The following options are available to the bf(wbinfo) program: - -startdit() - -label(minusu) -dit(bf(-u)) - -This option will list all users available in the Windows NT domain for -which the url(bf(winbindd(8)))(winbindd.8.html) daemon is operating in. -Users in all trusted domains will also be listed. Note that this operation -does not assign user ids to any users that have not already been seen by -url(bf(winbindd(8)))(winbindd.8.html). - -label(minusg) -dit(bf(-g)) - -This option will list all groups available in the Windows NT domain for -which the url(bf(winbindd(8)))(winbindd.8.html) daemon is operating in. -Groups in all trusted domains will also be listed. Note that this -operation does not assign group ids to any groups that have not already -been seen by url(bf(winbindd(8)))(winbindd.8.html). - -label(minusn) -dit(bf(-n name)) - -The bf(-n) option queries url(bf(winbindd(8)))(winbindd.8.html) for the SID -associated with the name specified. 
Domain names can be specified before -the user name by using the winbind separator character. For example -tt(DOM1/Administrator) refers to the tt(Administrator) user in the domain -tt(DOM1). If no domain is specified then the domain used is the one -specified in the bf(smb.conf) bf(workgroup) parameter. - -label(minuss) -dit(bf(-s sid)) - -Use bf(-s) to resolve a SID to a name. This is the inverse of the bf(-n) -option above. SIDs must be specified as ASCII strings in the traditional -Microsoft format. For example -tt(S-1-5-21-1455342024-3071081365-2475485837-500). - -label(minusU) -dit(bf(-U uid)) - -Try to convert a UNIX user id to a Windows NT SID. If the uid specified -does not refer to one within the bf(winbind uid range) then the operation -will fail. - -label(minusG) -dit(bf(-G gid)) - -Try to convert a UNIX group id to a Windows NT SID. If the gid specified -does not refer to one within the bf(winbind gid range) then the operation -will fail. - -label(minusS) -dit(bf(-S sid)) - -Convert a SID to a UNIX user id. If the SID does not correspond to a UNIX -user mapped by url(bf(winbindd(8)))(winbindd.8.html) then the operation -will fail. - -label(minusY) -dit(bf(-Y sid)) - -Convert a SID to a UNIX group id. If the SID does not correspond to a UNIX -group mapped by url(bf(winbindd(8)))(winbindd.8.html) then the operation -will fail. - -label(minust) -dit(bf(-t)) - -Verify that the workstation trust account created when the Samba server is -added to the Windows NT domain is working. - -label(minusm) -dit(bf(-m)) - -Produce a list of domains trusted by the Windows NT server -url(bf(winbindd(8)))(winbindd.8.html) contacts when resolving names. This -list does not include the Windows NT domain the server is a Primary Domain -Controller for. - -enddit() - -label(EXIT STATUS) -manpagesection(EXIT STATUS) - -The bf(wbinfo) program returns 0 if the operation succeeded, or 1 if -the operation failed. 
If the url(bf(winbindd(8)))(winbindd.8.html) daemon -is not working bf(wbinfo) will always return failure. - -label(SEEALSO) -manpageseealso() - -url(bf(winbindd(8)))(winbindd.8.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. - -bf(wbinfo) was written by Tim Potter. diff --git a/docs/yodldocs/winbindd.8.yo b/docs/yodldocs/winbindd.8.yo deleted file mode 100644 index 59547d76d3..0000000000 --- a/docs/yodldocs/winbindd.8.yo +++ /dev/null 
@@ -1,400 +0,0 @@ -mailto(samba-bugs@samba.org) -manpage(winbindd htmlcommand((8)))(8)(13 Jun 2000)(Samba)(SAMBA) - -label(NAME) -manpagename(winbindd)(Name Service Switch daemon for resolving names from NT servers) - -label(SYNOPSIS) -manpagesynopsis() - -bf(winbindd) [link(-d debuglevel)(minusd)] [link(-i)(minusi)] - -label(DESCRIPTION) -manpagedescription() - -This program is part of the bf(Samba) suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. - -bf(winbindd) is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS. The exact behaviour can -be configured throught the tt(/etc/nsswitch.conf) file. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system. - -The service provided by bf(winbindd) is called `winbind' and can be -used to resolve user and group information from a Windows NT server. -The service can also provide authentication services via an associated -PAM module. - -The following nsswitch databases are implemented by the bf(winbindd) -service: - -startdit() - -dit(passwd) - -User information traditionally stored in the bf(passwd(5)) file and used by -bf(getpwent(3)) functions. - -dit(group) - -Group information traditionally stored in the bf(group(5)) file and used by -bf(getgrent(3)) functions. - -enddit() - -For example, the following simple configuration in the -tt(/etc/nsswitch.conf) file can be used to initially resolve user and group -information from tt(/etc/passwd) and tt(/etc/group) and then from the -Windows NT server. 
- -verb( - passwd: files winbind - group: files winbind -) - -label(OPTIONS) -manpageoptions() - -The following options are available to the bf(winbindd) daemon: - -startdit() - -label(minusd) -dit(bf(-d debuglevel)) -Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging -and 100 is for reams and reams. To submit a bug report to the Samba Team, -use debug level 100 (see bf(BUGS.txt)). - -label(minusi) -dit(bf(-i)) -Tells bf(winbindd) to not become a daemon and detach from the current terminal. -This option is used by developers when interactive debugging of bf(winbindd) is -required. - -enddit() - -label(NAMEANDIDRESOLUTION) -manpagesection(NAME AND ID RESOLUTION) - -Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required. This is one of the -jobs that bf(winbindd) performs. - -As bf(winbindd) users and groups are resolved from a server, user and group -ids are allocated from a specified range. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered. - -WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by bf(winbindd). If this file is deleted or -corrupted, there is no way for bf(winbindd) to determine which user and -group ids correspond to Windows NT user and group rids. - -label(CONFIGURATION) -manpagesection(CONFIGURATION) - -Configuration of the bf(winbindd) daemon is done through configuration -parameters in the url(bf(smb.conf))(smb.conf.5.html) file. All parameters -should be specified in the [global] section of -url(bf(smb.conf))(smb.conf.5.html). 
- -startdit() - -dit(winbind separator) - -The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users. By default winbind will use the traditional \ separator so -that the unix user names look like DOMAIN\username. In some cases -this separator character may cause problems as the \ character has -special meaning in unix shells. In that case you can use the winbind -separator option to specify an alternative sepataror character. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste. - - bf(Default:) -tt( winbind separator = \) - - bf(Example:) -tt( winbind separator = +) - -dit(winbind uid) - -The winbind uid parameter specifies the range of user ids that are -allocated by the bf(winbindd) daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. - - bf(Default:) -tt( winbind uid = <empty string>) - - bf(Example:) -tt( winbind uid = 10000-20000) - -dit(winbind gid) - -The winbind gid parameter specifies the range of group ids that are -allocated by the bf(winbindd) daemon. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise. - - bf(Default:) -tt( winbind gid = <empty string>) - - bf(Example:) -tt( winbind gid = 10000-20000) - -dit(winbind cache time) - -This parameter specifies the number of seconds the bf(winbindd) daemon will -cache user and group information before querying a Windows NT server -again. When a item in the cache is older than this time bf(winbindd) will ask -the domain controller for the sequence number of the servers account -database. 
If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds. Otherwise the -item is fetched from the server. This means that as long as the account -database is not actively changing bf(winbindd) will only have to send one -sequence number query packet every "winbind cache time" seconds. - - bf(Default:) -tt( winbind cache time = 15) - -dit(winbind enum users) - -On large installations it may be necessary to suppress the enumeration of -users through the tt(setpwent), tt(getpwent) and tt(endpwent) group of -system calls. If the tt(winbind enum users) parameter is false, calls to -the tt(getpwent) system call will not return any data. - -Warning: Turning off user enumeration may cause some programs to behave -oddly. For example, the finger program relies on having access to the full -user list when searching for matching usernames. - - bf(Default:) -tt( winbind enum users = true) - -dit(winbind enum groups) - -On large installations it may be necessary to suppress the enumeration of -groups through the tt(setgrent), tt(getgrent) and tt(endgrent) group of -system calls. If the tt(winbind enum groups) parameter is false, calls to -the tt(getgrent) system call will not return any data. - -Warning: Turning off group enumeration may cause some programs to behave -oddly. - - bf(Default:) -tt( winbind enum groups = true) - -dit(template homedir) - -When filling out the user information for a Windows NT user, the -bf(winbindd) daemon uses this parameter to fill in the home directory for -that user. If the string tt(%D) is present it is substituted with the -user's Windows NT domain name. If the string tt(%U) is present it is -substituted with the user's Windows NT user name. - - bf(Default:) -tt( template homedir = /home/%D/%U) - -dit(template shell) - -When filling out the user information for a Windows NT user, the -bf(winbindd) daemon uses this parameter to fill in the shell for that user. 
- - bf(Default:) -tt( template shell = /bin/false) - -enddit() - - -label(EXAMPLESETUP) -manpagesection(EXAMPLE SETUP) - -To setup bf(winbindd) for user and group lookups plus authentication from -a domain controller use something like the following setup. This was -tested on a RedHat 6.2 Linux box. - -In tt(/etc/nsswitch.conf) put the following: -verb( - passwd: files winbind - group: files winbind -) - -In tt(/etc/pam.d/*) replace the tt(auth) lines with something like this: -verb( - auth required /lib/security/pam_securetty.so - auth required /lib/security/pam_nologin.so - auth sufficient /lib/security/pam_winbind.so - auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok -) - -Note in particular the use of the tt(sufficient) keyword and the -tt(use_first_pass) keyword. - -Now replace the account lines with this: -verb( - account required /lib/security/pam_winbind.so -) - -The next step is to join the domain. To do that use the samedit -program like this: -verb( - samedit -S '*' -W DOMAIN -UAdministrator -) - -The username after the -U can be any Domain user that has administrator -priviliges on the machine. Next from within samedit, run the command: -verb( - createuser MACHINE$ -j DOMAIN -L -) - -This assumes your domain is called tt(DOMAIN) and your Samba workstation -is called tt(MACHINE). - -Next copy tt(libnss_winbind.so.2) to tt(/lib) and tt(pam_winbind.so) to -tt(/lib/security). - -Finally, setup a smb.conf containing directives like the following: -verb( - [global] - winbind separator = + - winbind cache time = 10 - template shell = /bin/bash - template homedir = /home/%D/%U - winbind uid = 10000-20000 - winbind gid = 10000-20000 - workgroup = DOMAIN - security = domain - password server = * -) - -Now start bf(winbindd) and you should find that your user and group -database is expanded to include your NT users and groups, and that you -can login to your unix box as a domain user, using the tt(DOMAIN+user) -syntax for the username. 
You may wish to use the commands "getent -passwd" and "getent group" to confirm the correct operation of -bf(winbindd). - -label(NOTES) -manpagesection(NOTES) - -The following notes are useful when configuring and running bf(winbindd): - -startdit() - -dit() -url(bf(nmbd))(nmbd.8.html) must be running on the local machine for -bf(winbindd) to work. - -dit() -bf(winbindd) queries the list of trusted domains for the Windows NT server -on startup and when a SIGHUP is received. Thus, for a running bf(winbindd) -to become aware of new trust relationships between servers, it must be sent -a SIGHUP signal. - -dit() -Client processes resolving names through the bf(winbindd) nsswitch module -read an environment variable named tt(WINBINDD_DOMAIN). If this variable -contains a comma separated list of Windows NT domain names, then bf(winbindd) -will only resolve users and groups within those Windows NT domains. - -dit() -PAM is really easy to misconfigure. Make sure you know what you are doing -when modifying PAM configuration files. It is possible to set up PAM -such that you can no longer log into your system. - -dit() -If more than one UNIX machine is running bf(winbindd), then in general the -user and groups ids allocated by bf(winbindd) will not be the same. The -user and group ids will only be valid for the local machine. - -dit() -If the the Windows NT RID to UNIX user and group id mapping file -is damaged or destroyed then the mappings will be lost. - -enddit() - -label(SIGNALS) -manpagesection(SIGNALS) - -The following signals can be used to manipulate the bf(winbindd) daemon. - -startdit() - -dit(tt(SIGHUP)) - -Reload the tt(smb.conf) file and apply any parameter changes to the running -version of bf(winbindd). This signal also clears any cached user and group -information. The list of other domains trusted by bf(winbindd) is also -reloaded. 
- -dit(tt(SIGUSR1)) - -The tt(SIGUSR1) signal will cause bf(winbindd) to write status information -to the winbind log file including information about the number of user and -group ids allocated by bf(winbindd). - -Log files are stored in the filename specified by the bf(log file) parameter. - -enddit() - -label(FILES) -manpagefiles() - -The following files are relevant to the operation of the bf(winbindd) -daemon. - -startdit() - -dit(/etc/nsswitch.conf(5)) - -Name service switch configuration file. - -dit(/tmp/.winbindd/pipe) - -The UNIX pipe over which clients communicate with the bf(winbindd) program. -For security reasons, the winbind client will only attempt to connect to the -bf(winbindd) daemon if both the tt(/tmp/.winbindd) directory and -tt(/tmp/.winbindd/pipe) file are owned by root. - -dit(/lib/libnss_winbind.so.X) - -Implementation of name service switch library. - -dit($LOCKDIR/winbindd_idmap.tdb) - -Storage for the Windows NT rid to UNIX user/group id mapping. The lock -directory is specified when Samba is initially compiled using the -tt(--with-lockdir) option. This directory is by default -tt(/usr/local/samba/var/locks). - -dit($LOCKDIR/winbindd_cache.tdb) - -Storage for cached user and group information. - -enddit() - -label(SEEALSO) -manpageseealso() - -url(bf(samba(7)))(samba.7.html), url(bf(smb.conf(5)))(smb.conf.5.html), -bf(nsswitch.conf(5)), url(bf(wbinfo(1)))(wbinfo.1.html) - -label(AUTHOR) -manpageauthor() - -The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. - -bf(winbindd) was written by Tim Potter. |
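Review bot: the deletion of docs/yodldocs/wbinfo.1.yo has no replacement in this commit (0 insertions), and the page's own DESCRIPTION says it covers Samba 3.0 functionality not yet implemented in the main version, so a merge of docs from 2.2 may not bring a wbinfo page with it. Please state in the commit message where the new page lands, or hold this deletion until it does. The EXIT STATUS section (0 on success, 1 on failure, always failure when winbindd is not working) and the -t trust account check should survive the move, since those are what a script verifying a domain join would rely on.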
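Review bot: deleting docs/yodldocs/winbindd.8.yo removes security-relevant statements that need to be carried into whatever replaces it, and the commit message does not say where that is. The ones to check for are the FILES entry saying the winbind client only connects when both /tmp/.winbindd and /tmp/.winbindd/pipe are owned by root, the WARNING that the rid to unix id database is the only location where the mappings are stored, and the NOTES item that ids allocated by winbindd on different UNIX machines will in general not match. While porting, fix the typos in the old text ("throught", "sepataror", "priviliges", "the the") rather than copying them, and consider having EXAMPLE SETUP name the specific services whose auth lines are replaced instead of /etc/pam.d/*, given the page's own note that PAM is easy to misconfigure.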