summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2001-02-22 13:03:24 +0000
committerGerald Carter <jerry@samba.org>2001-02-22 13:03:24 +0000
commit63c9afc82dca7c700c2f13feecc045679fe1b547 (patch)
tree21cb87df2024a75ae75b1094a09c4d798ec7fb46
parentb4096748dd5613f7c6f7d8c6d73c5ff0fba0c346 (diff)
downloadsamba-63c9afc82dca7c700c2f13feecc045679fe1b547.tar.gz
samba-63c9afc82dca7c700c2f13feecc045679fe1b547.tar.bz2
samba-63c9afc82dca7c700c2f13feecc045679fe1b547.zip
Whew! smb.conf.5.yo completely converted to DocBook (only after 2 & 1/2
days :) ). The man page generation is fine. Some anchor tags need to be tweaked to get the HTML generation correct. Also, I have done very little editing which means that we'll have to go through and verify acurracy of things like default values, etc... (This used to be commit 9fb11c5ec6d439544549060903ea0f275f5de9a9)
-rw-r--r--docs/docbook/smb.conf.5.sgml3077
1 files changed, 3057 insertions, 20 deletions
diff --git a/docs/docbook/smb.conf.5.sgml b/docs/docbook/smb.conf.5.sgml
index 16d72a01ce..6e44a7a59a 100644
--- a/docs/docbook/smb.conf.5.sgml
+++ b/docs/docbook/smb.conf.5.sgml
@@ -215,7 +215,7 @@
</refsect2>
<refsect2>
- <title id="printersect">The [printers] section</title>
+ <title id="printerssect">The [printers] section</title>
<para>This section works like [homes],
but for printers.</para>
@@ -529,7 +529,7 @@
</refsect1>
<refsect1>
- <title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
+ <title id="validationsect">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
<para>There are a number of ways in which a user can connect
to a service. The server follows the following steps in determining
@@ -670,7 +670,6 @@
<listitem><para><parameter>ole locking compatibility</parameter></para></listitem>
<listitem><para><parameter>oplock break wait time</parameter> </para></listitem>
<listitem><para><parameter>os level</parameter> </para></listitem>
- <listitem><para><parameter>packet size</parameter> </para></listitem>
<listitem><para><parameter>panic action</parameter> </para></listitem>
<listitem><para><parameter>passwd chat</parameter></para></listitem>
<listitem><para><parameter>passwd chat debug</parameter> </para></listitem>
@@ -1596,7 +1595,7 @@
<term id="defaultcase">default case (S)</term>
<listitem><para>See the section on <link linkend="namemanglingsect">
NAME MANGLING"</link>. Also note the <link linkend="shortpreservecase">
- <parameter>short preserve case"</parameter>></link> parameter.</para>
+ <parameter>short preserve case"</parameter></link> parameter.</para>
</listitem>
</varlistentry>
@@ -1688,7 +1687,7 @@
UNIX users are dynamically deleted to match existing Windows NT
accounts.</para>
- <para>See also <link linkend="securitydomain">security=domain</link>,
+ <para>See also <link linkend="securityequalsdomain">security=domain</link>,
<link linkend="passwordserver"><parameter>password server</parameter>
</link>, <link linkend="adduserscript"><parameter>add user script</parameter>
</link>.</para>
@@ -2300,7 +2299,7 @@
it to 0000.</para>
<para>See also the <link linkend="directorysecuritymask"><parameter>
- directory security mask</parameter></link>, <link linkend="secduritymask">
+ directory security mask</parameter></link>, <link linkend="securitymask">
<parameter>security mask</parameter></link>,
<link linkend="forcesecuritymode"><parameter>force security mode
</parameter></link> parameters.</para>
@@ -3001,7 +3000,7 @@
<term id="loadprinters">load printers (G)</term>
<listitem><para>A boolean variable that controls whether all
printers in the printcap will be loaded for browsing by default.
- See the <link linkend="printersect">printers</link> section for
+ See the <link linkend="printerssect">printers</link> section for
more details.</para>
<para>Default: <command>load printers = yes</command></para></listitem>
@@ -3440,7 +3439,7 @@
<varlistentry>
<term id="machinepasswordtimeout">machine password timeout (G)</term>
<listitem><para>If a Samba server is a member of an Windows
- NT Domain (see the <link linkend="securitydomain">security=domain</link>)
+ NT Domain (see the <link linkend="securityequalsdomain">security=domain</link>)
parameter) then periodically a running <ulink url="smbd.8.html">
smbd(8)</ulink> process will try and change the MACHINE ACCOUNT
PASSWORD stored in the TDB called <filename>private/secrets.tdb
@@ -3449,7 +3448,7 @@
seconds), the same as a Windows NT Domain member server.</para>
<para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8)
- </command></ulink>, and the <link linkend="securitydomain">
+ </command></ulink>, and the <link linkend="securityequalsdomain">
security=domain</link>) parameter.</para>
<para>Default: <command>machine password timeout = 604800</command></para>
@@ -3509,7 +3508,7 @@
<varlistentry>
<term id="manglecase">mangle case (S)</term>
- <listitem><para>See the section on <link linkend="manmaglingsect">
+ <listitem><para>See the section on <link linkend="namemanglingsect">
NAME MANGLING</link></para>
</listitem>
</varlistentry>
@@ -3841,15 +3840,6 @@
<varlistentry>
- <term id="maxpacket">max packet (G)</term>
- <listitem><para>Synonym for <link linkend="packetsize"><parameter>
- packet size</parameter></link>.</para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
<term id="maxttl">max ttl (G)</term>
<listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
what the default 'time to live' of NetBIOS names should be (in seconds)
@@ -3866,7 +3856,7 @@
<varlistentry>
<term id="maxwinsttl">max wins ttl (G)</term>
<listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)
- </ulink> when acting as a WINS server (<link linkend="winsupport">
+ </ulink> when acting as a WINS server (<link linkend="winssupport">
<parameter>wins support=yes</parameter></link>) what the maximum
'time to live' of NetBIOS names that <command>nmbd</command>
will grant will be (in seconds). You should never need to change this
@@ -4332,6 +4322,3053 @@
</varlistentry>
+ <varlistentry>
+ <term id="oslevel">os level (G)</term>
+ <listitem><para>This integer value controls what level Samba
+ advertises itself as for browse elections. The value of this
+ parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ has a chance of becoming a local master browser for the <parameter>
+ WORKGROUP</parameter> in the local broadcast area. The default is
+ zero, which means <command>nmbd</command> will lose elections to
+ Windows machines. See <filename>BROWSING.txt</filename> in the
+ Samba <filename>docs/</filename> directory for details.</para>
+
+ <para>Default: <command>os level = 20</command></para>
+ <para>Example: <command>os level = 65 </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="panicaction">panic action (G)</term>
+ <listitem><para>This is a Samba developer option that allows a
+ system command to be called when either <ulink url="smbd.8.html">
+ smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ crashes. This is usually used to draw attention to the fact that
+ a problem occurred.</para>
+
+ <para>Default: <command>panic action = &lt;empty string&gt;</command></para>
+ <para>Example: <command>panic action = "/bin/sleep 90000"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="passwdchat">passwd chat (G)</term>
+ <listitem><para>This string controls the <emphasis>"chat"</emphasis>
+ conversation that takes places between <ulink
+ url="smbd.8.html">smbd</ulink> and the local password changing
+ program to change the users password. The string describes a
+ sequence of response-receive pairs that <ulink url="smbd.8.html">
+ smbd(8)</ulink> uses to determine what to send to the
+ <link linkend="passwdprogram"><parameter>passwd program</parameter>
+ </link> and what to expect back. If the expected output is not
+ received then the password is not changed.</para>
+
+ <para>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</para>
+
+ <para>The string can contain the macros <parameter>%o</parameter>
+ and <parameter>%n</parameter> which are substituted for the old
+ and new passwords respectively. It can also contain the standard
+ macros <constant>\n</constant>, <constant>\r</constant>, <constant>
+ \t</constant> and <constant>%s</constant> to give line-feed,
+ carriage-return, tab and space.</para>
+
+ <para>The string can also contain a '*' which matches
+ any sequence of characters.</para>
+
+ <para>Double quotes can be used to collect strings with spaces
+ in them into a single string.</para>
+
+ <para>If the send string in any part of the chat sequence
+ is a fullstop ".", then no string is sent. Similarly,
+ is the expect string is a fullstop then no string is expected.</para>
+
+ <para>Note that if the <link linkend="unixpasswordsync"><parameter>unix
+ password sync</parameter></link> parameter is set to true, then this
+ sequence is called <emphasis>AS ROOT</emphasis> when the SMB password
+ in the smbpasswd file is being changed, without access to the old
+ password cleartext. In this case the old password cleartext is set
+ to "" (the empty string).</para>
+
+ <para>See also <link linkend="unixpasswordsync"><parameter>unix password
+ sync</parameter></link>, <link linkend="passwdprogram"><parameter>
+ passwd program</parameter></link> and <link linkend="passwdchatdebug">
+ <parameter>passwd chat debug</parameter></link>.</para>
+
+ <para>Default: <command>passwd chat = *old*password* %o\n *new*
+ password* %n\n *new*password* %n\n *changed*</command></para>
+ <para>Example: <command>passwd chat = "*Enter OLD password*" %o\n
+ "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password
+ changed*"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="passwdchatdebug">passwd chat debug (G)</term>
+ <listitem><para>This boolean specifies if the passwd chat script
+ parameter is run in <emphasis>debug</emphasis> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a
+ <link linkend="debuglevel"><parameter>debug level</parameter></link>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <command>smbd</command> log. It is available to help
+ Samba admins debug their <parameter>passwd chat</parameter> scripts
+ when calling the <parameter>passwd program</parameter> and should
+ be turned off after this has been done. This parameter is off by
+ default.</para>
+
+ <para>See also <<link linkend="passwdchat"><parameter>passwd chat</parameter>
+ </link>, <link linkend="passwdprogram"><parameter>passwd program</parameter>
+ </link>.</para>
+
+ <para>Default: <command>passwd chat debug = no</command></para>
+ <para>Example: <command>passwd chat debug = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="passwdprogram">passwd program (G)</term>
+ <listitem><para>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <parameter>%u</parameter>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</para>
+
+ <para>Also note that many passwd programs insist in <emphasis>reasonable
+ </emphasis> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</para>
+
+ <para><emphasis>Note</emphasis> that if the <parameter>unix
+ password sync</parameter> parameter is set to <constant>True
+ </constant> then this program is called <emphasis>AS ROOT</emphasis>
+ before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5)
+ </ulink> file is changed. If this UNIX password change fails, then
+ <command>smbd</command> will fail to change the SMB password also
+ (this is by design).</para>
+
+ <para>If the <parameter>unix password sync</parameter> parameter
+ is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
+ for <emphasis>ALL</emphasis> programs called, and must be examined
+ for security implications. Note that by default <parameter>unix
+ password sync</parameter> is set to <constant>False</constant>.</para>
+
+ <para>See also <link linkend="unixpasswordsync"><parameter>unix
+ password sync</parameter></link>.</para>
+
+ <para>Default: <command>passwd program = /bin/passwd</command></para>
+ <para>Example: <command>passwd program = /sbin/npasswd %u</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="passwordlevel">password level (G)</term>
+ <listitem><para>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS!</para>
+
+ <para>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</para>
+
+ <para>For example, say the password given was "FRED". If <parameter>
+ password level</parameter> is set to 1, the following combinations
+ would be tried if "FRED" failed:</para>
+
+ <para>"Fred", "fred", "fRed", "frEd","freD"</para>
+
+ <para>If <parameter>password level</parameter> was set to 2,
+ the following combinations would also be tried: </para>
+
+ <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
+
+ <para>And so on.</para>
+
+ <para>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</para>
+
+ <para>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</para>
+
+ <para>Default: <command>password level = 0</command></para>
+ <para>Example: <command>password level = 4</command</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="passwordserver">password server (G)</term>
+ <listitem><para>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <command>security = domain
+ </command> or <command>security = server</command> you can get Samba
+ to do all its username/password validation via a remote server.</para>
+
+ <para>This options sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <filename>smb.conf</filename> file.</para>
+
+ <para>The name of the password server is looked up using the
+ parameter <link linkend="nameresolveorder"><parameter>name
+ resolve order</parameter></link> and so may resolved
+ by any method and order described in that parameter.</para>
+
+ <para>The password server much be a machine capable of using
+ the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in
+ user level security mode.</para>
+
+ <para><emphasis>NOTE:</emphasis> Using a password server
+ means your UNIX box (running Samba) is only as secure as your
+ password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
+ YOU DON'T COMPLETELY TRUST</emphasis>.</para>
+
+ <para>Never point a Samba server at itself for password
+ serving. This will cause a loop and could lock up your Samba
+ server!</para>
+
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter>%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the passwordserver. If you use this then you better
+ trust your clients, and you better restrict them with hosts allow!</para>
+
+ <para>If the <parameter>security</parameter> parameter is set to
+ <constant>domain</constant>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is cryptographicly
+ in that domain, and will use cryptographicly authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <command>
+ security = domain</command> is that if you list several hosts in the
+ <parameter>password server</parameter> option then <command>smbd
+ </command> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</para>
+
+ <para>If the <parameter>password server</parameter> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </para>
+
+ <para>If the <parameter>security</parameter> parameter is
+ set to <constant>server</constant>, then there are different
+ restrictions that <command>security = domain</command> doesn't
+ suffer from:</para>
+
+ <itemizedlist>
+ <listitem><para>You may list several password servers in
+ the <parameter>password server</parameter> parameter, however if an
+ <command>smbd</command> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <command>smbd</command>. This is a
+ restriction of the SMB/CIFS protocol when in <command>security=server
+ </command> mode and cannot be fixed in Samba.</para></listitem>
+
+ <listitem><para>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <command>
+ security=server</command> mode the network logon will appear to
+ come from there rather than from the users workstation.</para></listitem>
+ </itemizedlist>
+
+ <para>See also the <link linkend="security"><parameter>security
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command>password server = &lt;empty string&gt;</command>
+ </para>
+ <para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2
+ </command></para>
+ <para>Example: <command>password server = *</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="path">path (S)</term>
+ <listitem><para>This parameter specifies a directory to which
+ the user of the service is to be given access. In the case of
+ printable services, this is where print data will spool prior to
+ being submitted to the host for printing.</para>
+
+ <para>For a printable service offering guest access, the service
+ should be readonly and the path should be world-writeable and
+ have the sticky bit set. This is not mandatory of course, but
+ you probably won't get the results you expect if you do
+ otherwise.</para>
+
+ <para>Any occurrences of <parameter>%u</parameter> in the path
+ will be replaced with the UNIX username that the client is using
+ on this connection. Any occurrences of <parameter>%m</parameter>
+ will be replaced by the NetBIOS name of the machine they are
+ connecting from. These replacements are very useful for setting
+ up pseudo home directories for users.</para>
+
+ <para>Note that this path will be based on <link linkend="rootdir">
+ <parameter>root dir</parameter></link> if one was specified.</para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>path = /home/fred</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="postexec">postexec (S)</term>
+ <listitem><para>This option specifies a command to be run
+ whenever the service is disconnected. It takes the usual
+ substitutions. The command may be run as the root on some
+ systems.</para>
+
+ <para>An interesting example may be do unmount server
+ resources:</para>
+
+ <para><command>postexec = /etc/umount /cdrom</command></para>
+
+ <para>See also <link linkend="preexec"><parameter>preexec</parameter>
+ </link>.</para>
+
+ <para>Default: <emphasis>none (no command executed)</emphasis>
+ </para>
+
+ <para>Example: <command>postexec = echo \"%u disconnected from %S
+ from %m (%I)\" &gt;&gt; /tmp/log</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="postscript">postscript (S)</term>
+ <listitem><para>This parameter forces a printer to interpret
+ the print files as postscript. This is done by adding a <constant>%!
+ </constant> to the start of print output.</para>
+
+ <para>This is most useful when you have lots of PCs that persist
+ in putting a control-D at the start of print jobs, which then
+ confuses your printer.</para>
+
+ <para>Default: <command>postscript = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="preexec">preexec (S)</term>
+ <listitem><para>This option specifies a command to be run whenever
+ the service is connected to. It takes the usual substitutions.</para>
+
+ <para>An interesting example is to send the users a welcome
+ message every time they log in. Maybe a message of the day? Here
+ is an example:</para>
+
+ <para><command>preexec = csh -c 'echo \"Welcome to %S!\" |
+ /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para>
+
+ <para>Of course, this could get annoying after a while :-)</para>
+
+ <para>See also <link linkend="preexecclose"><parameter>preexec close
+ </parameter</link> and <link linkend="postexec"><parameter>postexec
+ </parameter></link>.</para>
+
+ <para>Default: <emphasis>none (no command executed)</emphasis></para>
+ <para>Example: <command>preexec = echo \"%u connected to %S from %m
+ (%I)\" &gt;&gt; /tmp/log</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="preexecclose">preexec close (S)</term>
+ <listitem><para>This boolean option controls whether a non-zero
+ return code from <link linkend="preexec"><parameter>preexec
+ </parameter></link> should close the service being connected to.</para>
+
+ <para>Default: <command>preexec close = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="preferredmaster">preferred master (G)</term>
+ <listitem><para>This boolean parameter controls if <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser
+ for its workgroup.</para>
+
+ <para>If this is set to true, on startup, <command>nmbd</command>
+ will force an election, and it will have a slight advantage in
+ winning the election. It is recommended that this parameter is
+ used in conjunction with <command><link linkend="domainmaster"><parameter>
+ domain master</parameter></link> = yes</command>, so that <command>
+ nmbd</command> can guarantee becoming a domain master.</para>
+
+ <para>Use this option with caution, because if there are several
+ hosts (whether Samba servers, Windows 95 or NT) that are preferred
+ master browsers on the same subnet, they will each periodically
+ and continuously attempt to become the local master browser.
+ This will result in unnecessary broadcast traffic and reduced browsing
+ capabilities.</para>
+
+ <para>See also <link linkend="oslevel"><parameter>os level</parameter>
+ </link>.</para>
+
+ <para>Default: <command>preferred master = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="preferedmaster">prefered master (G)</term>
+ <listitem><para>Synonym for <link linkend="preferredmaster"><parameter>
+ preferred master</parameter></link> for people who cannot spell :-).</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="preload">preload</term>
+ <listitem><para>Synonym for <link linkend="autoservices"><parameter>
+ auto services</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="preservecase">preserve case (S)</term>
+ <listitem><para> This controls if new filenames are created
+ with the case that the client passes, or if they are forced to
+ be the <link linkend="defaultcase"><parameter>derault case
+ </parameter></link>.</para>
+
+ <para>Default: <command>preserve case = yes</command></para>
+
+ <para>See the section on <link linkend="namemanglingsect">NAME
+ MANGLING"</link> for a fuller discussion.</para
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printcommand">print command (S)</term>
+ <listitem><para>After a print job has finished spooling to
+ a service, this command will be used via a <command>system()</command>
+ call to process the spool file. Typically the command specified will
+ submit the spool file to the host's printing subsystem, but there
+ is no requirement that this be the case. The server will not remove
+ the spool file, so whatever command you specify should remove the
+ spool file when it has been processed, otherwise you will need to
+ manually remove old spool files.</para>
+
+ <para>The print command is simply a text string. It will be used
+ verbatim, with two exceptions: All occurrences of <parameter>%s
+ </parameter> and <parameter>%f</parameter> will be replaced by the
+ appropriate spool file name, and all occurrences of <parameter>%p
+ </parameter> will be replaced by the appropriate printer name. The
+ spool file name is generated automatically by the server, the printer
+ name is discussed below.</para>
+
+ <para>The print command <emphasis>MUST</emphasis> contain at least
+ one occurrence of <parameter>%s</parameter> or <parameter>%f
+ </parameter> - the <parameter>%p</parameter> is optional. At the time
+ a job is submitted, if no printer name is supplied the <parameter>%p
+ </parameter> will be silently removed from the printer command.</para>
+
+ <para>If specified in the [global] section, the print command given
+ will be used for any printable service that does not have its own
+ print command specified.</para>
+
+ <para>If there is neither a specified print command for a
+ printable service nor a global print command, spool files will
+ be created but not processed and (most importantly) not removed.</para>
+
+ <para>Note that printing may fail on some UNIXs from the
+ <constant>nobody</constant> account. If this happens then create
+ an alternative guest account that can print and set the <link
+ linkend="guestaccount"><parameter>guest account</parameter></link>
+ in the [global] section.</para>
+
+ <para>You can form quite complex print commands by realizing
+ that they are just passed to a shell. For example the following
+ will log a print job, print the file, then remove it. Note that
+ ';' is the usual separator for command in shell scripts.</para>
+
+ <para><command>print command = echo Printing %s &gt;&gt;
+ /tmp/print.log; lpr -P %p %s; rm %s</command></para>
+
+ <para>You may have to vary this command considerably depending
+ on how you normally print files on your system. The default for
+ the parameter varies depending on the setting of the <link linkend="printing">
+ <parameter>printing</parameter></link> parameter.</para>
+
+ <para>Default: For <command>printing= BSD, AIX, QNX, LPRNG
+ or PLP :</command></para>
+ <para><command>print command = lpr -r -P%p %s</command></para>
+
+ <para>For <command>printing= SYS or HPUX :</command></para>
+ <para><command>print command = lp -c -d%p %s; rm %s</command></para>
+
+ <para>For <command>printing=SOFTQ :</command></para>
+ <para><command>print command = lp -d%p -s %s; rm %s</command></para>
+
+ <para>Example: <command>print command = /usr/local/samba/bin/myprintscript
+ %p %s</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printok">print ok (S)</term>
+ <listitem><para>Synonym for <link linkend="printable">
+ <parameter>printable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="printable">printable (S)</term>
+ <listitem><para>If this parameter is <constant>yes</constant>, then
+ clients may open, write to and submit spool files on the directory
+ specified for the service. </para>
+
+ <para>Note that a printable service will ALWAYS allow writing
+ to the service path (user privileges permitting) via the spooling
+ of print data. The <link linkend="writeable"><parameter>writeable
+ </parameter></link> parameter controls only non-printing access to
+ the resource.</para>
+
+ <para>Default: <command>printable = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printcap">printcap (G)</term>
+ <listitem><para>Synonym for <link linkend="printcapname"><parameter>
+ printcap name</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="printeradmin">printer admin (S)</term>
+ <listitem><para>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MSRPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</para>
+
+ <para>Default: <command>printer admin = &lt;empty string&gt;</command>
+ </para>
+ <para>Example: <command>printer admin = admin, @staff</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+
+ <varlistentry>
+ <term id="printcapname">printcap name (G)</term>
+ <listitem><para>This parameter may be used to override the
+ compiled-in default printcap name used by the server (usually <filename>
+ /etc/printcap</filename>). See the discussion of the <link
+ linkend="printerssect">[printers]</link> section above for reasons
+ why you might want to do this.</para>
+
+ <para>On System V systems that use <command>lpstat</command> to
+ list available printers you can use <command>printcap name = lpstat
+ </command> to automatically obtain lists of available printers. This
+ is the default for systems that define SYSV at configure time in
+ Samba (this includes most System V based systems). If <parameter>
+ printcap name</parameter> is set to <command>lpstat</command> on
+ these systems then Samba will launch <command>lpstat -v</command> and
+ attempt to parse the output to obtain a printer list.</para>
+
+ <para>A minimal printcap file would look something like this:</para>
+
+ <para><programlisting>
+ print1|My Printer 1
+ print2|My Printer 2
+ print3|My Printer 3
+ print4|My Printer 4
+ print5|My Printer 5
+ </programlisting></para>
+
+ <para>where the '|' separates aliases of a printer. The fact
+ that the second alias has a space in it gives a hint to Samba
+ that it's a comment.</para>
+
+ <para><emphasis>NOTE</emphasis>: Under AIX the default printcap
+ name is <filename>/etc/qconfig</filename>. Samba will assume the
+ file is in AIX <filename>qconfig</filename> format if the string
+ <filename>qconfig</filename> appears in the printcap filename.</para>
+
+ <para>Default: <command>printcap name = /etc/printcap</command></para>
+ <para>Example: <command>printcap name = /etc/myprintcap</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printer">printer (S)</term>
+ <listitem><para>This parameter specifies the name of the printer
+ to which print jobs spooled through a printable service will be sent.</para>
+
+ <para>If specified in the [global] section, the printer
+ name given will be used for any printable service that does
+ not have its own printer name specified.</para>
+
+ <para>Default: <emphasis>none (but may be <constant>lp</constant>
+ on many systems)</emphasis></para>
+
+ <para>Example: <command>printer name = laserwriter</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printerdriver">printer driver (S)</term>
+ <listitem><para>This option allows you to control the string
+ that clients receive when they ask the server for the printer driver
+ associated with a printer. If you are using Windows95 or WindowsNT
+ then you can use this to automate the setup of printers on your
+ system.</para>
+
+ <para>You need to set this parameter to the exact string (case
+ sensitive) that describes the appropriate printer driver for your
+ system. If you don't know the exact string to use then you should
+ first try with no <link linkend="printerdriver"><parameter>
+ printer driver</parameter></link> option set and the client will
+ give you a list of printer drivers. The appropriate strings are
+ shown in a scrollbox after you have chosen the printer manufacturer.</para>
+
+ <para>See also <link linkend="printerdriverfile"><parameter>printer
+ driver file</parameter></link>.</para>
+
+ <para>Example: <command>printer driver = HP LaserJet 4L</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printerdriverfile">printer driver file (G)</term>
+ <listitem><para>This parameter tells Samba where the printer driver
+ definition file, used when serving drivers to Windows 95 clients, is
+ to be found. If this is not set, the default is :</para>
+
+ <para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable>
+ /lib/printers.def</filename></para>
+
+ <para>This file is created from Windows 95 <filename>msprint.inf
+ </filename> files found on the Windows 95 client system. For more
+ details on setting up serving of printer drivers to Windows 95
+ clients, see the documentation file in the <filename>docs/</filename>
+ directory, <filename>PRINTER_DRIVER.txt</filename>.</para>
+
+ <para>See also <link linkend="printerdriverlocation"><parameter>
+ printer driver location</parameter></link>.</para>
+
+ <para>Default: <emphasis>None (set in compile).</emphasis></para>
+
+ <para>Example: <command>printer driver file =
+ /usr/local/samba/printers/drivers.def</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="printerdriverlocation">printer driver location (S)</term>
+ <listitem><para>This parameter tells clients of a particular printer
+ share where to find the printer driver files for the automatic
+ installation of drivers for Windows 95 machines. If Samba is set up
+ to serve printer drivers to Windows 95 machines, this should be set to</para>
+
+ <para><command>\\MACHINE\PRINTER$</command></para>
+
+ <para>Where MACHINE is the NetBIOS name of your Samba server,
+ and PRINTER$ is a share you set up for serving printer driver
+ files. For more details on setting this up see the documentation
+ file in the <filename>docs/</filename> directory, <filename>
+ PRINTER_DRIVER.txt</filename>.</para>
+
+ <para>See also <link linkend="printerdriverfile"><parameter>
+ printer driver file</parameter></link>.</para>
+
+ <para>Default: <command>none</command></para>
+ <para>Example: <command>printer driver location = \\MACHINE\PRINTER$
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printername">printer name (S)</term>
+ <listitem><para>Synonym for <link linkend="printer"><parameter>
+ printer</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="printing">printing (S)</term>
+ <listitem><para>This parameters controls how printer status
+ information is interpreted on your system. It also affects the
+ default values for the <parameter>print command</parameter>,
+ <parameter>lpq command</parameter>, <parameter>lppause command
+ </parameter>, <parameter>lpresume command</parameter>, and
+ <parameter>lprm command</parameter> if specified in the
+ [global]f> section.</para>
+
+ <para>Currently eight printing styles are supported. They are
+ <constant>BSD</constant>, <constant>AIX</constant>,
+ <constant>LPRNG</constant>, <constant>PLP</constant>,
+ <constant>SYSV</constant>, <constant>HPUX</constant>,
+ <constant>QNX</constant>, <constant>SOFTQ</constant>,
+ and <constant>CUPS</constant>.</para>
+
+ <para>To see what the defaults are for the other print
+ commands when using the various options use the <ulink
+ url="testparm.1.html">testparm(1)</ulink> program.</para>
+
+ <para>This option can be set on a per printer basis</para>
+
+ <para>See also the discussion in the <link linkend="printerssect">
+ [printers]</link> section.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="privatedir">private dir(G)</term>
+ <listitem><para>The <parameter>private dir</parameter> parameter
+ allows an administator to define a directory path used to hold the
+ various databases Samba will use to store things like a the machine
+ trust account information when acting as a domain member (i.e. where
+ the secrets.tdb file will be located), where the passdb.tbd file
+ will stored in the case of using the experiemental tdbsam support,
+ etc...</para>
+
+ <para>Default: <command>private dir = &lt;compile time location
+ of smbpasswd&gt;</command></para>
+ <para>Example: <command>private dir = /etc/smbprivate</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="protocol">protocol (G)</term>
+ <listitem><para>The value of the parameter (a string) is the highest
+ protocol level that will be supported by the server.</para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem><para><constant>CORE</constant>: Earliest version. No
+ concept of user names.</para></listitem>
+
+ <listitem><para><constant>COREPLUS</constant>: Slight improvements on
+ CORE for efficiency.</para></listitem>
+
+ <listitem><para><constant>LANMAN1</constant>: First <emphasis>
+ modern</emphasis> version of the protocol. Long filename
+ support.</para></listitem>
+
+ <listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.
+ </para></listitem>
+
+ <listitem><para><constant>NT1</constant>: Current up to date version of
+ the protocol. Used by Windows NT. Known as CIFS.</para></listitem>
+ </itemizedlist>
+
+ <para>Normally this option should not be set as the automatic
+ negotiation phase in the SMB protocol takes care of choosing
+ the appropriate protocol.</para>
+
+ <para>Default: <command>protocol = NT1</command></para>
+ <para>Example: <command>protocol = LANMAN1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="public">public (S)</term>
+ <listitem><para>Synonym for <link linkend="guestok"><parameter>guest
+ ok</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="queuepausecommand">queuepause command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to pause the printerqueue.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name as its only parameter and stops the printerqueue,
+ such that no longer jobs are submitted to the printer.</para>
+
+ <para>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printer's window under Windows 95
+ and NT.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the command.
+ </para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter>printing
+ </parameter></emphasis></para>
+ <para>Example: <command>queuepause command = disable %p</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="queueresumecommand">queueresume command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to resume the printerqueue. It
+ is the command to undo the behavior that is caused by the
+ previous parameter (<link linkend="queuepausecommand"><parameter>
+ queuepause command</parameter></link>).</para>
+
+ <para>This command should be a program or script which takes
+ a printer name as its only parameter and resumes the printerqueue,
+ such that queued jobs are resubmitted to the printer.</para>
+
+ <para>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printer's window under Windows 95
+ and NT.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the
+ command.</para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</para>
+
+ <para>Default: <emphasis>depends on the setting of <link
+ linkend="printing"><parameter>printing</parameter></link></emphasis>
+ </para>
+
+ <para>Example: <command>queuepause command = enable %p
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="readbmpx">read bmpx (G)</term>
+ <listitem><para>This boolean parameter controls whether <ulink
+ url="smbd.8.html">smbd(8)</ulink> will support the "Read
+ Block Multiplex" SMB. This is now rarely used and defaults to
+ <constant>no</constant>. You should never need to set this
+ parameter.</para>
+
+ <para>Default: <command>read bmpx = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="readlist">read list (S)</term>
+ <listitem><para>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <link
+ linkend="writeable"><parameter>writeable</parameter></link>
+ option is set to. The list can include group names using the
+ syntax described in the <link linkend="invalidusers"><parameter>
+ invalid users</parameter></link> parameter.</para>
+
+ <para>See also the <link linkend="writelist"><parameter>
+ write list</parameter></link> parameter and the <link
+ linkend="invalidusers"><parameter>invalid users</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>read list = &lt;empty string&gt;</command></para>
+ <para>Example: <command>read list = mary, @students</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="readonly">read only (S)</term>
+ <listitem><para>Note that this is an inverted synonym for <link
+ linkend="writeable"><parameter>writeable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="readraw">read raw (G)</term>
+ <listitem><para>This parameter controls whether or not the server
+ will support the raw read SMB requests when transferring data
+ to clients.</para>
+
+ <para>If enabled, raw reads allow reads of 65535 bytes in
+ one packet. This typically provides a major performance benefit.
+ </para>
+
+ <para>However, some clients either negotiate the allowable
+ block size incorrectly or are incapable of supporting larger block
+ sizes, and for these clients you may need to disable raw reads.</para>
+
+ <para>In general this parameter should be viewed as a system tuning
+ tool and left severely alone. See also <link linkend="writeraw">
+ <parameter>write raw</parameter></link>.</para>
+
+ <para>Default: <command>read raw = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="readsize">read size (G)</term>
+ <listitem><para>The option <parameter>read size</parameter>
+ affects the overlap of disk reads/writes with network reads/writes.
+ If the amount of data being transferred in several of the SMB
+ commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+ than this value then the server begins writing the data before it
+ has received the whole packet from the network, or in the case of
+ SMBreadbraw, it begins writing to the network before all the data
+ has been read from disk.</para>
+
+ <para>This overlapping works best when the speeds of disk and
+ network access are similar, having very little effect when the
+ speed of one is much greater than the other.</para>
+
+ <para>The default value is 16384, but very little experimentation
+ has been done yet to determine the optimal value, and it is likely
+ that the best value will vary greatly between systems anyway.
+ A value over 65536 is pointless and will cause you to allocate
+ memory unnecessarily.</para>
+
+ <para>Default: <command>read size = 16384</command></para>
+ <para>Example: <command>read size = 8192</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="remoteannounce">remote announce (G)</term>
+ <listitem><para>This option allows you to setup <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself
+ to arbitrary IP addresses with an arbitrary workgroup name.</para>
+
+ <para>This is useful if you want your Samba server to appear
+ in a remote workgroup for which the normal browse propagation
+ rules don't work. The remote workgroup can be anywhere that you
+ can send IP packets to.</para>
+
+ <para>For example:</para>
+
+ <para><command>remote announce = 192.168.2.255/SERVERS
+ 192.168.4.255/STAFF</command></para>
+
+ <para>the above line would cause nmbd to announce itself
+ to the two given IP addresses using the given workgroup names.
+ If you leave out the workgroup name then the one given in
+ the <link linkend="workgroup"><parameter>workgroup</parameter></link>
+ parameter is used instead.</para>
+
+ <para>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable.</para>
+
+ <para>See the documentation file <filename>BROWSING.txt</filename>
+ in the <filename>docs/</filename> directory.</para>
+
+ <para>Default: <command>remote announce = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="remotebrowsesync">remote browse sync (G)</term>
+ <listitem><para>This option allows you to setup <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> to periodically request
+ synchronization of browse lists with the master browser of a samba
+ server that is on a remote segment. This option will allow you to
+ gain browse lists for multiple workgroups across routed networks. This
+ is done in a manner that does not work with any non-samba servers.</para>
+
+ <para>This is useful if you want your Samba server and all local
+ clients to appear in a remote workgroup for which the normal browse
+ propagation rules don't work. The remote workgroup can be anywhere
+ that you can send IP packets to.</para>
+
+ <para>For example:</para>
+
+ <para><command>remote browse sync = 192.168.2.255 192.168.4.255
+ </command></para>
+
+ <para>the above line would cause <command>nmbd</command> to request
+ the master browser on the specified subnets or addresses to
+ synchronize their browse lists with the local server.</para>
+
+ <para>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable. If
+ a machine IP address is given Samba makes NO attempt to validate
+ that the remote machine is available, is listening, nor that it
+ is in fact the browse master on it's segment.</para>
+
+ <para>Default: <command>remote browse sync = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="restrictanonymous">restrict anonymous (G)</term>
+ <listitem><para>This is a boolean parameter. If it is true, then
+ anonymous access to the server will be restricted, namely in the
+ case where the server is expecting the client to send a username,
+ but it doesn't. Setting it to true will force these anonymous
+ connections to be denied, and the client will be required to always
+ supply a username and password when connecting. Use of this parameter
+ is only recommened for homogenous NT client environments.</para>
+
+ <para>This parameter makes the use of macro expansions that rely
+ on the username (%U, %G, etc) consistant. NT 4.0
+ likes to use anonymous connections when refreshing the share list,
+ and this is a way to work around that.</para>
+
+ <para>When restrict anonymous is true, all anonymous connections
+ are denied no matter what they are for. This can effect the ability
+ of a machine to access the samba Primary Domain Controller to revalidate
+ it's machine account after someone else has logged on the client
+ interactively. The NT client will display a message saying that
+ the machine's account in the domain doesn't exist or the password is
+ bad. The best way to deal with this is to reboot NT client machines
+ between interactive logons, using "Shutdown and Restart", rather
+ than "Close all programs and logon as a different user".</para>
+
+ <para>Default: <command>restrict anonymous = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="root">root (G)</term>
+ <listitem><para>Synonym for <link linkend="rootdirectory">
+ <parameter>root directory"</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="rootdir">root dir (G)</term>
+ <listitem><para>Synonym for <link linkend="rootdirectory">
+ <parameter>root directory"</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="rootdirectory">root directory (G)</term>
+ <listitem><para>The server will <command>chroot()</command> (i.e.
+ Change it's root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use ".." in file names
+ to access other directories (depending on the setting of the <link
+ linkend="widelinks"><parameter>wide links</parameter></link>
+ parameter).</para>
+
+ <para>Adding a <parameter>root directory</parameter> entry other
+ than "/" adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <parameter>root directory</parameter>
+ option, <emphasis>including</emphasis> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <parameter>root directory</parameter> tree. In particular
+ you will need to mirror <filename>/etc/passwd</filename> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</para>
+
+ <para>Default: <command>root directory = /</command></para>
+ <para>Example: <command>root directory = /homes/smb</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="rootpostexec">root postexec (S)</term>
+ <listitem><para>This is the same as the <parameter>postexec</parameter>
+ parameter except that the command is run as root. This
+ is useful for unmounting filesystems
+ (such as cdroms) after a connection is closed.</para>
+
+ <para>See also <link linkend="postexec"><parameter>
+ postexec</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term id="rootpreexec">root preexec (S)</term>
+ <listitem><para>This is the same as the <parameter>preexec</parameter>
+ parameter except that the command is run as root. This
+ is useful for mounting filesystems
+ (such as cdroms) after a connection is closed.</para>
+
+ <para>See also <link linkend="preexec"><parameter>
+ preexec</parameter></link> and <link linkend="preexecclose">
+ <parameter>preexec close</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="rootpreexecclose">root preexec close (S)</term>
+ <listitem><para>This is the same as the <parameter>preexec close
+ </parameter> parameter except that the command is run as root.</para>
+
+ <para>See also <link linkend="preexec"><parameter>
+ preexec</parameter></link> and <link linkend="preexecclose">
+ <parameter>preexec close</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="security">security (G)</term>
+ <listitem><para>This option affects how clients respond to
+ Samba and is one of the most important settings in the <filename>
+ smb.conf</filename> file.</para>
+
+ <para>The option sets the "security mode bit" in replies to
+ protocol negotiations with <ulink url="smbd.8.html">smbd(8)
+ </ulink> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</para>
+
+
+ <para>The default is <command>security = user</command>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</para>
+
+ <para>The alternatives are <command>security = share</command>,
+ <command>security = server</command> or <command>security=domain
+ </command>.</para>
+
+ <para>In versions of Samba prior to 2..0, the default was
+ <command>security = share</command> mainly because that was
+ the only option at one stage.</para>
+
+ <para>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the "connect
+ drive" dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</para>
+
+ <para>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <command>security = user</command>. If you mostly use usernames
+ that don't exist on the UNIX box then use <command>security =
+ share</command>.</para>
+
+ <para>You should also use <command>security = share</command> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <command>security = user</command>, see
+ the <link linkend="maptoguest"><parameter>map to guest</parameter>
+ </link>parameter for details.</para>
+
+ <para>It is possible to use <command>smbd</command> in a <emphasis>
+ hybrid mode</emphasis> where it is offers both user and share
+ level security under different <link linkend="netbiosaliases">
+ <parameter>NetBIOS aliases</parameter></link>. </para>
+
+ <para>The different settings will now be explained.</para>
+
+
+ <para><anchor id="securityequalshare"><emphasis>SECURITY = SHARE
+ </emphasis></para>
+
+ <para>When clients connect to a share level security server then
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <command>security = share
+ </command> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</para>
+
+ <para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <command>security = share</command> level security.</para>
+
+ <para>As clients are not required to send a username to the server
+ in share level security, <command>smbd</command> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</para>
+
+ <para>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</para>
+
+ <itemizedlist>
+ <listitem><para>If the <link linkend="guestonly"><parameter>guest
+ only</parameter></link> parameter is set, then all the other
+ stages are missed and only the <link linkend="guestaccount">
+ <parameter>guest account</parameter></link> username is checked.
+ </para></listitem>
+
+ <listitem><para>Is a username is sent with the share connection
+ request, then this username (after mapping - see <link
+ linkend="usernamemap"><parameter>username map</parameter></link>),
+ is added as a potential username.</para></listitem>
+
+ <listitem><para>If the client did a previous <emphasis>logon
+ </emphasis> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </para></listitem>
+
+ <listitem><para>The name of the service the client requested is
+ added as a potential username.</para></listitem>
+
+ <listitem><para>The NetBIOS name of the client is added to
+ the list as a potential username.</para></listitem>
+
+ <listitem><para>Any users on the <link linkend="user"><parameter>
+ user</parameter></link> list are added as potential usernames.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>If the <parameter>guest only</parameter> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</para>
+
+ <para>If the <parameter>guest only</parameter> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <parameter>guest account</parameter>, then this
+ guest user will be used, otherwise access is denied.</para>
+
+ <para>Note that it can be <emphasis>very</emphasis> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</para>
+
+ <para>See also the section <link linkend="validationsect">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="securityequaluser"><emphasis>SECURIYT = USER
+ </emphasis></para>
+
+ <para>This is the default security setting in Samba 2.2.
+ With user-level security a client must first "log=on" with a
+ valid username and password (which can be mapped using the <link
+ linkend="usernamemap"><parameter>username map</parameter></link>
+ parameter). Encrypted passwords (see the <link linkend="encryptpasswords">
+ <parameter>encrypted passwords</parameter></link> parameter) can also
+ be used in this security mode. Parameters such as <link linkend="user">
+ <parameter>user</parameter></link> and <link linkend="guestonly">
+ <parameter>guest only</parameter></link> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="guestaccount"><parameter>guest account</parameter></link>.
+ See the <link linkend="maptoguest"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="validationsect">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="securityequalserver"><emphasis>SECURITY = SERVER
+ </emphasis></para>
+
+ <para>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <command>security = user</command>, but note
+ that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid
+ <filename>smbpasswd</filename> file to check users against. See the
+ documentation file in the <filename>docs/</filename> directory
+ <filename>ENCRYPTION.txt</filename> for details on how to set this
+ up.</para>
+
+ <para><emphasis>Note</emphasis> that from the clients point of
+ view <command>security = server</command> is the same as <command>
+ security = user</command>. It only affects how the server deals
+ with the authentication, it does not in any way affect what the
+ client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="guestaccount"><parameter>guest account</parameter></link>.
+ See the <link linkend="maptoguest"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="validationsect">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="passwordserver"><parameter>password
+ server</parameter></link> parameter and the <link
+ linkend="encryptpasswords"><parameter>encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para><anchor id="securityequalsdomain"><emphasis>SECURITY = DOMAIN
+ </emphasis></para>
+
+ <para>This mode will only work correctly if <ulink
+ url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this
+ machine into a Windows NT Domain. It expects the <link
+ linkend="encryptpasswords"><parameter>encrypted passwords</parameter>
+ </link> parameter to be set to <constant>true</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</para>
+
+ <para><emphasis>Note</emphasis> that from the clients point
+ of view <command>security = domain</command> is the same as <command>security = user
+ </command>. It only affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="guestaccount"><parameter>guest account</parameter></link>.
+ See the <link linkend="maptoguest"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para><emphasis>BUG:</emphasis> There is currently a bug in the
+ implementation of <command>security = domain</command> with respect
+ to multi-byte character set usernames. The communication with a
+ Domain Controller must be done in UNICODE and Samba currently
+ does not widen multi-byte user names to UNICODE correctly, thus
+ a multi-byte username will not be recognized correctly at the
+ Domain Controller. This issue will be addressed in a future release.</para>
+
+ <para>See also the section <link linkend="validationsect">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="passwordserver"><parameter>password
+ server</parameter></link> parameter and the <link
+ linkend="encryptpasswords"><parameter>encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>security = USER</command></para>
+ <para>Example: <command>security = DOMAIN</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="securitymask">security mask (S)</term>
+ <listitem><para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</para>
+
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
+
+ <para>If not set explicitly this parameter is set to the same
+ value as the <link linkend="createmask"><parameter>create mask
+ </parameter></link> parameter. To allow a user to modify all the
+ user/group/world permissions on a file, set this parameter to
+ 0777.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ "appliance" systems. Administrators of most normal systems will
+ probably want to set it to 0777.</para>
+
+ <para>See also the <link linkend="forcedirectorysecuritymode">
+ <parameter>force directory security mode</parameter></link>,
+ <link linkend="directorysecuritymask"><parameter>directory
+ security mask</parameter></link>, <link linkend="forcesecuritymode">
+ <parameter>force security mode</parameter></link> parameters.</para>
+
+ <para>Default: <command>security mask = &lt;same as create mask&gt;
+ </command></para>
+ <para>Example: <command>security mask = 0777</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="serverstring">server string (G)</term>
+ <listitem><para>This controls what string will show up in the
+ printer comment box in print manager and next to the IPC connection
+ in <command>net view"</command>. It can be any string that you wish
+ to show to your users.</para>
+
+ <para>It also sets what will appear in browse lists next
+ to the machine name.</para>
+
+ <para>A <parameter>%v</parameter> will be replaced with the Samba
+ version number.</para>
+
+ <para>A <parameter>%h</parameter> will be replaced with the
+ hostname.</para>
+
+ <para>Default: <command>server string = Samba %v</command></para>
+
+ <para>Example: <command>server string = University of GNUs Samba
+ Server</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="setdirectory">set directory (S)</term>
+ <listitem><para>If <command>set directory = no</command>, then
+ users of the service may not use the setdir command to change
+ directory.</para>
+
+ <para>The <command>setdir</command> command is only implemented
+ in the Digital Pathworks client. See the Pathworks documentation
+ for details.</para>
+
+ <para>Default: <command>set directory = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="sharemodes">share modes (S)</term>
+ <listitem><para>This enables or disables the honoring of
+ the <parameter>share modes</parameter> during a file open. These
+ modes are used by clients to gain exclusive read or write access
+ to a file.</para>
+
+ <para>These open modes are not directly supported by UNIX, so
+ they are simulated using shared memory, or lock files if your
+ UNIX doesn't support shared memory (almost all do).</para>
+
+ <para>The share modes that are enabled by this option are
+ <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>,
+ <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>,
+ <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>.
+ </para>
+
+ <para>This option gives full share compatibility and enabled
+ by default.</para>
+
+ <para>You should <emphasis>NEVER</emphasis> turn this parameter
+ off as many Windows applications will break if you do so.</para>
+
+ <para>Default: <command>share modes = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="sharedmemsize">shared mem size (G)</term>
+ <listitem><para>It specifies the size of the shared memory (in
+ bytes) to use between <ulink url="smbd.8.html">smbd(8)</ulink>
+ processes. This parameter defaults to one megabyte of shared
+ memory. It is possible that if you have a large erver with many
+ files open simultaneously that you may need to increase this
+ parameter. Signs that this parameter is set too low are users
+ reporting strange problems trying to save files (locking errors)
+ and error messages in the smbd log looking like <emphasis>ERROR
+ smb_shm_alloc : alloc of XX bytes failed</emphasis>.</para>
+
+ <para>If your OS refuses the size that Samba asks for then
+ Samba will try a smaller size, reducing by a factor of 0.8 until
+ the OS accepts it.</para>
+
+ <para>Default: <command>shared mem size = 1048576</command></para>
+ <para>Example: <command>shared mem size = 5242880 ; Set to 5mb for a
+ large number of files.</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="shortpreservecase">short preserve case (S)</term>
+ <listitem><para>This boolean parameter controls if new files
+ which conform to 8.3 syntax, that is all in upper case and of
+ suitable length, are created upper case, or if they are forced
+ to be the <link linkend="defaultcase"><parameter>default case
+ </parameter></link>. This option can be use with <link
+ linkend="preservecase"><command>preserve case = yes</command>
+ </link> to permit long filenames to retain their case, while short
+ names are lowered. </para>
+
+ <para>See the section on <link linkend="namemanglingsect">
+ NAME MANGLING</link>.</para>
+
+ <para>Default: <command>short preserve case = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="smbpasswdfile">smb passwd file (G)</term>
+ <listitem><para>This option sets the path to the encrypted
+ smbpasswd file. By default the path to the smbpasswd file
+ is compiled into Samba.</para>
+
+ <para>Default: <command>smb passwd file= &lt;compiled
+ default&gt;</command></para>
+
+ <para>Example: <command>smb passwd file = /usr/samba/private/smbpasswd
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="smbrun">smbrun (G)</term>
+ <listitem><para>This sets the full path to the <command>smbrun
+ </command> binary. This defaults to the value in the <filename>
+ Makefile</filename>.</para>
+
+ <para>You must get this path right for many services
+ to work correctly.</para>
+
+ <para>You should not need to change this parameter so
+ long as Samba is installed correctly.</para>
+
+ <para>Default: <command>smbrun=&lt;compiled default&gt;
+ </command></para>
+
+ <para>Example: <command>smbrun = /usr/local/samba/bin/smbrun
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="socketaddress">socket address (G)</term>
+ <listitem><para>This option allows you to control what
+ address Samba will listen for connections on. This is used to
+ support multiple virtual interfaces on the one server, each
+ with a different configuration.</para>
+
+ <para>By default samba will accept connections on any
+ address.</para>
+
+ <para>Example: <command>socket address = 192.168.2.20</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="socketoptions">socket options (G)</term>
+ <listitem><para>This option allows you to set socket options
+ to be used when talking with the client.</para>
+
+ <para>Socket options are controls on the networking layer
+ of the operating systems which allow the connection to be
+ tuned.</para>
+
+ <para>This option will typically be used to tune your Samba
+ server for optimal performance for your local network. There is
+ no way that Samba can know what the optimal parameters are for
+ your net, so you must experiment and choose them yourself. We
+ strongly suggest you read the appropriate documentation for your
+ operating system first (perhaps <command>man setsockopt</command>
+ will help).</para>
+
+ <para>You may find that on some systems Samba will say
+ "Unknown socket option" when you supply an option. This means you
+ either incorrectly typed it or you need to add an include file
+ to includes.h for your OS. If the latter is the case please
+ send the patch to <ulink url="mailto:samba@samba.org">
+ samba@samba.org</ulink>.</para>
+
+ <para>Any of the supported socket options may be combined
+ in any way you like, as long as your OS allows it.</para>
+
+ <para>This is the list of socket options currently settable
+ using this option:</para>
+
+ <itemizedlist>
+ <listitem><para>SO_KEEPALIVE</para></listitem>
+ <listitem><para>SO_REUSEADDR</para></listitem>
+ <listitem><para>SO_BROADCAST</para></listitem>
+ <listitem><para>TCP_NODELAY</para></listitem>
+ <listitem><para>IPTOS_LOWDELAY</para></listitem>
+ <listitem><para>IPTOS_THROUGHPUT</para></listitem>
+ <listitem><para>SO_SNDBUF *</para></listitem>
+ <listitem><para>SO_RCVBUF *</para></listitem>
+ <listitem><para>SO_SNDLOWAT *</para></listitem>
+ <listitem><para>SO_RCVLOWAT *</para></listitem>
+ </itemizedlist>
+
+ <para>Those marked with a <emphasis>'*'</emphasis> take an integer
+ argument. The others can optionally take a 1 or 0 argument to enable
+ or disable the option, by default they will be enabled if you
+ don't specify 1 or 0.</para>
+
+ <para>To specify an argument use the syntax SOME_OPTION=VALUE
+ for example <command>SO_SNDBUF=8192</command>. Note that you must
+ not have any spaces before or after the = sign.</para>
+
+ <para>If you are on a local network then a sensible option
+ might be</para>
+ <para><command>socket options = IPTOS_LOWDELAY</command></para>
+
+ <para>If you have a local network then you could try:</para>
+ <para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
+
+ <para>If you are on a wide area network then perhaps try
+ setting IPTOS_THROUGHPUT. </para>
+
+ <para>Note that several of the options may cause your Samba
+ server to fail completely. Use these options with caution!</para>
+
+ <para>Default: <command>socket options = TCP_NODELAY</command></para>
+ <para>Example: <command>socket options = IPTOS_LOWDELAY</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="sourceenvironment">source environment (G)</term>
+ <listitem><para>This parameter causes Samba to set environment
+ variables as per the content of the file named.</para>
+
+ <para>If the value of this parameter starts with a "|" character
+ then Samba will treat that value as a pipe command to open and
+ will set the environment variables from the output of the pipe.</para>
+
+ <para>The contents of the file or the output of the pipe should
+ be formatted as the output of the standard Unix <command>env(1)
+ </command> command. This is of the form :</para>
+ <para>Example environment entry:</para>
+ <para><command>SAMBA_NETBIOS_NAME=myhostname</command></para>
+
+ <para>Default: <emphasis>No default value</emphasis></para>
+ <para>Examples: <command>source environment = |/etc/smb.conf.sh
+ </command></para>
+
+ <para>Example: <command>source environment =
+ /usr/local/smb_env_vars</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="ssl">ssl (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable enables or disables the entire SSL mode. If
+ it is set to <constant>no</constant>, the SSL enabled samba behaves
+ exactly like the non-SSL samba. If set to <constant>yes</constant>,
+ it depends on the variables <link linkend="sslhosts"><parameter>
+ ssl hosts</parameter></link> and <link linkend="sslhostsresign">
+ <parameter>ssl hosts resign</parameter></link> whether an SSL
+ connection will be required.</para>
+
+ <para>Default: <command>ssl=no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="sslCAcertDir">ssl CA certDir (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable defines where to look up the Certification
+ Authorities. The given directory should contain one file for
+ each CA that samba will trust. The file name must be the hash
+ value over the "Distinguished Name" of the CA. How this directory
+ is set up is explained later in this document. All files within the
+ directory that don't fit into this naming scheme are ignored. You
+ don't need this variable if you don't verify client certificates.</para>
+
+ <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="sslCAcertFile">ssl CA certFile (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable is a second way to define the trusted CAs.
+ The certificates of the trusted CAs are collected in one big
+ file and this variable points to the file. You will probably
+ only use one of the two ways to define your CAs. The first choice is
+ preferable if you have many CAs or want to be flexible, the second
+ is preferable if you only have one CA and want to keep things
+ simple (you won't need to create the hashed file names). You
+ don't need this variable if you don't verify client certificates.</para>
+
+ <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry><term id="sslciphers">ssl ciphers (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable defines the ciphers that should be offered
+ during SSL negotiation. You should not set this variable unless
+ you know what you are doing.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="sslclientcert">ssl client cert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>The certificate in this file is used by <ulink url="smbclient.1.html">
+ <command>smbclient(1)</command></ulink> if it exists. It's needed
+ if the server requires a client certificate.</para>
+
+ <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="sslclientkey">ssl client key (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This is the private key for <ulink url="smbclient.1.html">
+ <command>smbclient(1)</command></ulink>. It's only needed if the
+ client should have a certificate. </para>
+
+ <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="sslcompatibility">ssl compatibility (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable defines whether SSLeay should be configured
+ for bug compatibility with other SSL implementations. This is
+ probably not desirable because currently no clients with SSL
+ implementations other than SSLeay exist.</para>
+
+ <para>Default: <command>ssl compatibility = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry><term id="sslhosts">ssl hosts (G)</term>
+ <listitem><para>See <link linkend="sslhostsresign"><parameter>
+ ssl hosts resign</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="sslhostsresign">ssl hosts resign (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>These two variables define whether samba will go
+ into SSL mode or not. If none of them is defined, samba will
+ allow only SSL connections. If the <link linkend="sslhosts">
+ <parameter>ssl hosts</parameter></link> variable lists
+ hosts (by IP-address, IP-address range, net group or name),
+ only these hosts will be forced into SSL mode. If the <parameter>
+ ssl hosts resign</parameter> variable lists hosts, only these
+ hosts will NOT be forced into SSL mode. The syntax for these two
+ variables is the same as for the <link linkend="hostsallow"><parameter>
+ hosts allow</parameter></link> and <link linkend="hostsdeny">
+ <parameter>hosts deny</parameter></link> pair of variables, only
+ that the subject of the decision is different: It's not the access
+ right but whether SSL is used or not. </para>
+
+ <para>The example below requires SSL connections from all hosts
+ outside the local net (which is 192.168.*.*).</para>
+
+ <para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
+ <para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command>ssl hosts resign = 192.168.</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="sslrequireclientcert">ssl require clientcert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>If this variable is set to <constant>yes</constant>, the
+ server will not tolerate connections from clients that don't
+ have a valid certificate. The directory/file given in <link
+ linkend="sslcacertdir"><parameter>ssl CA certDir</parameter>
+ </link> and <link linkend="sslcacertfile"><parameter>ssl CA certFile
+ </parameter></link> will be used to look up the CAs that issued
+ the client's certificate. If the certificate can't be verified
+ positively, the connection will be terminated. If this variable
+ is set to <constant>no</constant>, clients don't need certificates.
+ Contrary to web applications you really <emphasis>should</emphasis>
+ require client certificates. In the web environment the client's
+ data is sensitive (credit card numbers) and the server must prove
+ to be trustworthy. In a file server environment the server's data
+ will be sensitive and the clients must prove to be trustworthy.</para>
+
+ <para>Default: <command>ssl require clientcert = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="sslrequireservercert">ssl require servercert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>If this variable is set to <constant>yes</constant>, the
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command>
+ </ulink> will request a certificate from the server. Same as
+ <link linkend="sslrequireclientcert"><parameter>ssl require
+ clientcert</parameter></link> for the server.</para>
+
+ <para>Default: <command>ssl require servercert = no</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term id="sslservercert">ssl server cert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This is the file containing the server's certificate.
+ The server <emphasis>must</emphasis> have a certificate. The
+ file may also contain the server's private key. See later for
+ how certificates and private keys are created.</para>
+
+ <para>Default: <command>ssl server cert = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="sslserverkey">ssl server key (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This file contains the private key of the server. If
+ this variable is not defined, the key is looked up in the
+ certificate file (it may be appended to the certificate).
+ The server <emphasis>must</emphasis> have a private key
+ and the certificate <emphasis>must</emphasis>
+ match this private key.</para>
+
+ <para>Default: <command>ssl server key = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="sslversion">ssl version (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This enumeration variable defines the versions of the
+ SSL protocol that will be used. <constant>ssl2or3</constant> allows
+ dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
+ in SSL v2, <constant>ssl3</constant> results in SSL v3 and
+ <constant>tls1</constant> results in TLS v1. TLS (Transport Layer
+ Security) is the new standard for SSL.</para>
+
+ <para>Default: <command>ssl version = "ssl2or3"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="statcache">stat cache (G)</term>
+ <listitem><para>This parameter determines if <ulink
+ url="smbd.8.html">smbd(8)</ulink> will use a cache in order to
+ speed up case insensitive name mappings. You should never need
+ to change this parameter.</para>
+
+ <para>Default: <command>stat cache = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term id="statcachesize">stat cache size (G)</term>
+ <listitem><para>This parameter determines the number of
+ entries in the <parameter>stat cache</parameter>. You should
+ never need to change this parameter.</para>
+
+ <para>Default: <command>stat cache size = 50</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="status">status (G)</term>
+ <listitem><para>This enables or disables logging of connections
+ to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink>
+ can read.</para>
+
+ <para>With this disabled <command>smbstatus</command> won't be able
+ to tell you what connections are active. You should never need to
+ change this parameter.</para>
+
+ <para>Default: <command>status = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="strictlocking">strict locking (S)</term>
+ <listitem><para>This is a boolean that controls the handling of
+ file locking in the server. When this is set to <constant>yes</constant>
+ the server will check every read and write access for file locks, and
+ deny access if locks exist. This can be slow on some systems.</para>
+
+ <para>When strict locking is <constant>no</constant> the server does file
+ lock checks only when the client explicitly asks for them.</para>
+
+ <para>Well behaved clients always ask for lock checks when it
+ is important, so in the vast majority of cases <command>strict
+ locking = no</command> is preferable.</para>
+
+ <para>Default: <command>strict locking = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="strictsync">strict sync (S)</term>
+ <listitem><para>Many Windows applications (including the Windows
+ 98 explorer shell) seem to confuse flushing buffer contents to
+ disk with doing a sync to disk. Under UNIX, a sync call forces
+ the process to be suspended until the kernel has ensured that
+ all outstanding data in kernel disk buffers has been safely stored
+ onto stable storage. This is very slow and should only be done
+ rarely. Setting this parameter to <constant>no</constant> (the
+ default) means that smbd ignores the Windows applications requests for
+ a sync call. There is only a possibility of losing data if the
+ operating system itself that Samba is running on crashes, so there is
+ little danger in this default setting. In addition, this fixes many
+ performance problems that people have reported with the new Windows98
+ explorer shell file copies.</para>
+
+ <para>See also the <link linkend="syncalways"><parameter>sync
+ always></parameter></link> parameter.</para>
+
+ <para>Default: <command>strict sync = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="stripdot">strip dot (G)</term>
+ <listitem><para>This is a boolean that controls whether to
+ strip trailing dots off UNIX filenames. This helps with some
+ CDROMs that have filenames ending in a single dot.</para>
+
+ <para>Default: <command>strip dot = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="syncalways">sync always (S)</term>
+ <listitem><para>This is a boolean parameter that controls
+ whether writes will always be written to stable storage before
+ the write call returns. If this is false then the server will be
+ guided by the client's request in each write call (clients can
+ set a bit indicating that a particular write should be synchronous).
+ If this is true then every write will be followed by a <command>fsync()
+ </command> call to ensure the data is written to disk. Note that
+ the <parameter>strict sync</parameter> parameter must be set to
+ <constant>yes</constant> in order for this parameter to have
+ any affect.</para>
+
+ <para>See also the <link linkend="strictsync"><parameter>strict
+ sync</parameter></link> parameter.</para>
+
+ <para>Default: <command>sync always = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="syslog">syslog (G)</term>
+ <listitem><para>This parameter maps how Samba debug messages
+ are logged onto the system syslog logging levels. Samba debug
+ level zero maps onto syslog <constant>LOG_ERR</constant>, debug
+ level one maps onto <constant>LOG_WARNING</constant>, debug level
+ two maps onto <constant>LOG_NOTICE</constant>, debug level three
+ maps onto LOG_INFO. All higher levels are mapped to <constant>
+ LOG_DEBUG</constant>.</para>
+
+ <para>This paramter sets the threshold for sending messages
+ to syslog. Only messages with debug level less than this value
+ will be sent to syslog.</para>
+
+ <para>Default: <command>syslog = 1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="syslogonly">syslog only (G)</term>
+ <listitem><para>If this parameter is set then Samba debug
+ messages are logged into the system syslog only, and not to
+ the debug log files.</para>
+
+ <para>Default: <command>syslog only = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="templatehomedir">template homedir (G)</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is
+ only available in Samba 3.0.</para>
+
+ <para>When filling out the user information for a Windows NT
+ user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <parameter>%D</parameter> is present it is substituted
+ with the user's Windows NT domain name. If the string <parameter>%U
+ </parameter> is present it is substituted with the user's Windows
+ NT user name.</para>
+
+ <para>Default: <command>template homedir = /home/%D/%U</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="templateshell">template shell (G)</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is
+ only available in Samba 3.0.</para>
+
+ <para>When filling out the user information for a Windows NT
+ user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
+ uses this parameter to fill in the login shell for that user.</para>
+
+ <para>Default: <command>template shell = /bin/false</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="timeoffset">time offset (G)</term>
+ <listitem><para>This parameter is a setting in minutes to add
+ to the normal GMT to local time conversion. This is useful if
+ you are serving a lot of PCs that have incorrect daylight
+ saving time handling.</para>
+
+ <para>Default: <command>time offset = 0</command></para>
+ <para>Example: <command>time offset = 60</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="timeserver">time server (G)</term>
+ <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> advertises itself as a time server to Windows
+ clients.</para>
+
+ <para>Default: <command>time server = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="timestamplogs">timestamp logs (G)</term>
+ <listitem><para>Synonym for <link linkend="debugtimestamp"><parameter>
+ debug timestamp</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="unixpasswordsync">unix password sync (G)</term>
+ <listitem><para>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to true the program specified in the <parameter>passwd
+ program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password has change code has no
+ access to the old password cleartext, only the new).</para>
+
+ <para>See also <link linkend="passwdprogram"><parameter>passwd
+ program</parameter></link>, <link linkend="passwdchat"><parameter>
+ passwd chat</parameter></link>.</para>
+
+ <para>Default: <command>unix password sync = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="unixrealname">unix realname (G)</term>
+ <listitem><para>This boolean parameter when set causes samba
+ to supply the real name field from the unix password file to
+ the client. This isuseful for setting up mail clients and WWW
+ browsers on systems used by more than one person.</para>
+
+ <para>Default: <command>unix realname = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="updateencrypted">update encrypted (G)</term>
+ <listitem><para>This boolean parameter allows a user logging
+ on with a plaintext password to have their encrypted (hashed)
+ password in the smbpasswd file to be updated automatically as
+ they log on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing
+ all users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change over
+ to encrypted passwords to be made over a longer period. Once all users
+ have encrypted representations of their passwords in the smbpasswd
+ file this parameter should be set to <constant>no</constant>.</para>
+
+ <para>In order for this parameter to work correctly the <link
+ linkend="encryptpasswords"><parameter>encrypt passwords</parameter>
+ </link> parameter must be set to <constant>no</constant> when
+ this parameter is set to <constant>yes</constant>.</para>
+
+ <para>Note that even when this parameter is set a user
+ authenticating to <command>smbd</command> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</para>
+
+ <para>Default: <command>update encrypted = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="userhosts">use rhosts (G)</term>
+ <listitem><para>If this global parameter is a true, it specifies
+ that the UNIX users <filename>.rhosts</filename> file in their home directory
+ will be read to find the names of hosts and users who will be allowed
+ access without specifying a password.</para>
+
+ <para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts
+ </parameter> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the <parameter>
+ use rhosts</parameter> option be only used if you really know what
+ you are doing.</para>
+
+ <para>Default: <command>use rhosts = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="user">user (S)</term>
+ <listitem><para>Synonym for <link linkend="username"><parameter>
+ username</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="users">users (S)</term>
+ <listitem><para>Synonym for <link linkend="username"><parameter>
+ username</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="username">username (S)</term>
+ <listitem><para>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</para>
+
+ <para>The <parameter>username</parameter> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</para>
+
+ <para>The <parameter>username</parameter> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <parameter>username</parameter> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</para>
+
+ <para>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</para>
+
+ <para>To restrict a service to a particular set of users you
+ can use the <link linkend="validusers"><parameter>valid users
+ </parameter></link> parameter.</para>
+
+ <para>If any of the usernames begin with a '@' then the name
+ will be looked up first in the yp netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '&'then the name
+ will be looked up only in the yp netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</para>
+
+ <para>Note that searching though a groups database can take
+ quite some time, snd some clients may time out during the
+ search.</para>
+
+ <para>See the section <link linkend="validationsect">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</link> for more information on how
+ this parameter determines access to the services.</para>
+
+ <para>Default: <command>The guest account if a guest service,
+ else the name of the service.</command></para>
+
+ <para>Examples:<command>username = fred, mary, jack, jane,
+ @users, @pcgroup</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="usernamelevel">username level (G)</term>
+ <listitem><para>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</para>
+
+ <para>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try whilst trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <constant>AstrangeUser
+ </constant>.</para>
+
+ <para>Default: <command>username level = 0</command></para>
+ <para>Example: <command>username level = 5</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="usernamemap">username map (G)</term>
+ <listitem><para>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</para>
+
+ <para>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</para>
+
+ <para>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</para>
+
+ <para>If any line begins with a '#' or a ';' then it is
+ ignored</para>
+
+ <para>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</para>
+
+ <para>For example to map from the name <constant>admin</constant>
+ or <constant>administrator</constant> to the UNIX name <constant>
+ root</constant> you would use:</para>
+
+ <para><command>root = admin administrator</command></para>
+
+ <para>Or to map anyone in the UNIX group <constant>system</constant>
+ to the UNIX name <constant>sys</constant> you would use:</para>
+
+ <para><command>sys = @system</command></para>
+
+ <para>You can have as many mappings as you like in a username
+ map file.</para>
+
+
+ <para>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <filename>/etc/group
+ </filename> database for matching groups.</para>
+
+ <para>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</para>
+
+ <para><command>tridge = "Andrew Tridgell"</command></para>
+
+ <para>would map the windows username "Andrew Tridgell" to the
+ unix username "tridge".</para>
+
+ <para>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</para>
+
+ <para><programlisting>
+ !sys = mary fred
+ guest = *
+ </programlisting></para>
+
+ <para>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <constant>
+ fred</constant> is remapped to <constant>mary</constant> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <constant>mary</constant> not
+ <constant>fred</constant>. The only exception to this is the
+ username passed to the <link linkend="passwordserver"><parameter>
+ password server</parameter></link> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</para>
+
+ <para>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</para>
+
+ <para>Default: <emphasis>no username map</emphasis></para>
+ <para>Example: <command>username map = /usr/local/samba/lib/users.map
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="utmp">utmp (S)</term>
+ <listitem><para>This boolean parameter is only available if
+ Samba has been configured and compiled with the option <command>
+ --with-utmp</command>. If set to True then Samba will attempt
+ to add utmp or utmpx records (depending on the UNIX system) whenever a
+ connection is made to a Samba server. Sites may use this to record the
+ user connecting to a Samba share.</para>
+
+ <para>See also the <link linkend="utmpdirectory"><parameter>
+ utmp directory</parameter></link> parameter.</para>
+
+ <para>Default: <command>utmp = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="utmpdirectory">utmp directory(G)</term>
+ <listitem><para>This parameter is only available if Samba has
+ been configured and compiled with the option <command>
+ --with-utmp</command>. It specifies a directory pathname that is
+ used to store the utmp or utmpx files (depending on the UNIX system) that
+ record user connections to a Samba server. See also the <link linkend="utmp">
+ <parameter>utmp</parameter></link> parameter. By default this is
+ not set, meaning the system will use whatever utmp file the
+ native system is set to use (usually
+ <filename>/var/run/utmp</filename> on Linux).</para>
+
+ <para>Default: <emphasis>no utmp directory</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry><term id="winbindcachetime">winbind cache time</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
+ available in Samba 3.0.</para>
+
+ <para>This parameter specifies the number of seconds the
+ <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</para>
+
+ <para>Default: <command>winbind cache type = 15</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry><term id="winbindgid">winbind gid</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
+ available in Samba 3.0.</para>
+
+ <para>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <ulink url="winbindd.8.html">
+ winbindd(8)</ulink> daemon. This range of group ids should have no
+ existing local or nis groups within it as strange conflicts can
+ occur otherwise.</para>
+
+ <para>Default: <command>winbind gid = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>winbind gid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="winbinduid">winbind uid</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
+ available in Samba 3.0.</para>
+
+ <para>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <ulink url="winbindd.8.html">
+ winbindd(8)</ulink> daemon. This range of ids should have no
+ existing local or nis users within it as strange conflicts can
+ occur otherwise.</para>
+
+ <para>Default: <command>winbind uid = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>winbind uid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="validchars">valid chars (G)</term>
+ <listitem><para>The option allows you to specify additional
+ characters that should be considered valid by the server in
+ filenames. This is particularly useful for national character
+ sets, such as adding u-umlaut or a-ring.</para>
+
+ <para>The option takes a list of characters in either integer
+ or character form with spaces between them. If you give two
+ characters with a colon between them then it will be taken as
+ an lowercase:uppercase pair.</para>
+
+ <para>If you have an editor capable of entering the characters
+ into the config file then it is probably easiest to use this
+ method. Otherwise you can specify the characters in octal,
+ decimal or hexadecimal form using the usual C notation.</para>
+
+ <para>For example to add the single character 'Z' to the charset
+ (which is a pointless thing to do as it's already there) you could
+ do one of the following</para>
+
+ <para><programlisting>
+ valid chars = Z
+ valid chars = z:Z
+ valid chars = 0132:0172
+ </programlisting></para>
+
+ <para>The last two examples above actually add two characters,
+ and alter the uppercase and lowercase mappings appropriately.</para>
+
+ <para>Note that you <emphasis>MUST</emphasis> specify this parameter
+ after the <parameter>client code page</parameter> parameter if you
+ have both set. If <parameter>client code page</parameter> is set after
+ the <parameter>valid chars</parameter> parameter the <parameter>valid
+ chars</parameter> settings will be overwritten.</para>
+
+ <para>See also the <link linkend="clientcodepage"><parameter>client
+ code page</parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>Samba defaults to using a reasonable set
+ of valid characters for English systems</emphasis></para>
+
+ <para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304
+ </command></para>
+
+ <para>The above example allows filenames to have the Swedish
+ characters in them.</para>
+
+ <para><emphasis>NOTE:</emphasis> It is actually quite difficult to
+ correctly produce a <parameter>valid chars</parameter> line for
+ a particular system. To automate the process <ulink
+ url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written
+ a package called <command>validchars</command> which will automatically
+ produce a complete <parameter>valid chars</parameter> line for
+ a given client system. Look in the <filename>examples/validchars/
+ </filename> subdirectory of your Samba source code distribution
+ for this package.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="validusers">valid users (S)</term>
+ <listitem><para>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&'
+ are interpreted using the same rules as described in the
+ <parameter>invalid users</parameter> parameter.</para>
+
+ <para>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <parameter>invalid
+ users</parameter> list then access is denied for that user.</para>
+
+ <para>The current servicename is substituted for <parameter>%S
+ </parameter>. This is useful in the [homes] section.</para>
+
+ <para>See also <link linkend="invalidusers"><parameter>invalid users
+ </parameter></link></para>
+
+ <para>Default: <emphasis>No valid users list (anyone can login)
+ </emphasis></para>
+
+ <para>Example: <command>valid users = greg, @pcusers</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="vetofiles">veto files(S)</term>
+ <listitem><para>This is a list of files and directories that
+ are neither visible nor accessible. Each entry in the list must
+ be separated by a '/', which allows spaces to be included
+ in the entry. '*' and '?' can be used to specify multiple files
+ or directories as in DOS wildcards.</para>
+
+ <para>Each entry must be a unix path, not a DOS path and
+ must <emphasis>not</emphasis> include the unix directory
+ separator '/'.</para>
+
+ <para>Note that the <parameter>case sensitive</parameter> option
+ is applicable in vetoing files.</para>
+
+ <para>One feature of the veto files parameter that it is important
+ to be aware of, is that if a directory contains nothing but files
+ that match the veto files parameter (which means that Windows/DOS
+ clients cannot ever see them) is deleted, the veto files within
+ that directory <emphasis>are automatically deleted</emphasis> along
+ with it, if the user has UNIX permissions to do so.</para>
+
+ <para>Setting this parameter will affect the performance
+ of Samba, as it will be forced to check all files and directories
+ for a match as they are scanned.</para>
+
+ <para>See also <link linkend="hidefiles"><parameter>hide files
+ </parameter></link> and <link linkend="casesensitive"><parameter>
+ case sensitive</parameter></link>.</para>
+
+ <para>Default: <emphasis>No files or directories are vetoed.
+ </emphasis></para>
+
+ <para>Examples:<programlisting>
+ ; Veto any files containing the word Security,
+ ; any ending in .tmp, and any directory containing the
+ ; word root.
+ veto files = /*Security*/*.tmp/*root*/
+
+ ; Veto the Apple specific files that a NetAtalk server
+ ; creates.
+ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+ </programlisting></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term id="vetooplockfiles">veto oplock files (S)</term>
+ <listitem><para>This parameter is only valid when the <link
+ linkend="oplocks"><parameter>oplocks</parameter></link>
+ parameter is turned on for a share. It allows the Samba administrator
+ to selectively turn off the granting of oplocks on selected files that
+ match a wildcarded list, similar to the wildcarded list used in the
+ <link linkend="vetofiles"><parameter>veto files</parameter></link>
+ parameter.</para>
+
+ <para>Default: <emphasis>No files are vetoed for oplock
+ grants</emphasis></para>
+
+ <para>You might want to do this on files that you know will
+ be heavily contended for by clients. A good example of this
+ is in the NetBench SMB benchmark program, which causes heavy
+ client contention for files ending in <filename>.SEM</filename>.
+ To cause Samba not to grant oplocks on these files you would use
+ the line (either in the [global] section or in the section for
+ the particular NetBench share :</para>
+
+ <para>Example: <command>veto oplock files = /*;.SEM/
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="volume">volume (S)</term>
+ <listitem><para> This allows you to override the volume label
+ returned for a share. Useful for CDROMs with installation programs
+ that insist on a particular volume label.</para>
+
+ <para>Default: <emphasis>the name of the share</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="widelinks">wide links (S)</term>
+ <listitem><para>This parameter controls whether or not links
+ in the UNIX file system may be followed by the server. Links
+ that point to areas within the directory tree exported by the
+ server are always allowed; this parameter controls access only
+ to areas that are outside the directory tree being exported.</para>
+
+ <para>Note that setting this parameter can have a negative
+ effect on your server performance due to the extra system calls
+ that Samba has to do in order to perform the link checks.</para>
+
+ <para>Default: <command>wide links = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="winsproxy">wins proxy (G)</term>
+ <listitem><para>This is a boolean that controls if <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name
+ queries on behalf of other hosts. You may need to set this
+ to <constant>yes</constant> for some older clients.</para>
+
+ <para>Default: <command>wins proxy = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="winsserver">wins server (G)</term>
+ <listitem><para>This specifies the IP address (or DNS name: IP
+ address for preference) of the WINS server that <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> should register with. If you have a WINS server on
+ your network then you should set this to the WINS server's IP.</para>
+
+ <para>You should point this at your WINS server if you have a
+ multi-subnetted network.</para>
+
+ <para><emphasis>NOTE</emphasis>. You need to set up Samba to point
+ to a WINS server if you have multiple subnets and wish cross-subnet
+ browsing to work correctly.</para>
+
+ <para>See the documentation file <filename>BROWSING.txt</filename>
+ in the docs/ directory of your Samba source distribution.</para>
+
+ <para>Default: <emphasis>not enabled</emphasis></para>
+ <para>Example: <command>wins server = 192.9.200.1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="winshook">wins hook (G)</term>
+ <listitem><para>When Samba is running as a WINS server this
+ allows you to call an external program for all changes to the
+ WINS database. The primary use for this option is to allow the
+ dynamic update of external name resolution databases such as
+ dynamic DNS.</para>
+
+ <para>The wins hook parameter specifies the name of a script
+ or executable that will be called as follows:</para>
+
+ <para><command>wins_hook operation name nametype ttl IP_list
+ </command></para>
+
+ <itemizedlist>
+ <listitem><para>The first argument is the operation and is one
+ of "add", "delete", or "refresh". In most cases the operation can
+ be ignored as the rest of the parameters provide sufficient
+ information. Note that "refresh" may sometimes be called when the
+ name has not previously been added, in that case it should be treated
+ as an add.</para></listitem>
+
+ <listitem><para>The second argument is the netbios name. If the
+ name is not a legal name then the wins hook is not called.
+ Legal names contain only letters, digits, hyphens, underscores
+ and periods.</para></listitem>
+
+ <listitem><para>The third argument is the netbios name
+ type as a 2 digit hexadecimal number. </para></listitem>
+
+ <listitem><para>The fourth argument is the TTL (time to live)
+ for the name in seconds.</para></listitem>
+
+ <listitem><para>The fifth and subsequent arguments are the IP
+ addresses currently registered for that name. If this list is
+ empty then the name should be deleted.</para></listitem>
+ </itemizedlist>
+
+ <para>An example script that calls the BIND dynamic DNS update
+ program <command>nsupdate</command> is provided in the examples
+ directory of the Samba source code. </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="winssupport">wins support (G)</term>
+ <listitem><para>This boolean controls if the <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> process in Samba will act as a WINS server. You should
+ not set this to true unless you have a multi-subnetted network and
+ you wish a particular <command>nmbd</command> to be your WINS server.
+ Note that you should <emphasis>NEVER</emphasis> set this to true
+ on more than one machine in your network.</para>
+
+ <para>Default: <command>wins support = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry><term id="workgroup">workgroup (G)</term>
+ <listitem><para>This controls what workgroup your server will
+ appear to be in when queried by clients. Note that this parameter
+ also controls the Domain name used with the <link
+ linkend="workgroup"><command>security=domain</command></link>
+ setting.</para>
+
+ <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para>
+ <para>Example: <command>workgroup = MYGROUP</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term id="writable">writable (S)</term>
+ <listitem><para>Synonym for <link linkend="writeable"><parameter>
+ writeable</parameter></link> for people who can't spell :-).</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="writelist">write list (S)</term>
+ <listitem><para>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <link
+ linkend="writeable"><parameter>writeable</parameter></link>
+ option is set to. The list can include group names using the
+ @group syntax.</para>
+
+ <para>Note that if a user is in both the read list and the
+ write list then they will be given write access.</para>
+
+ <para>See also the <link linkend="readlist"><parameter>read list
+ </parameter></link> option.</para>
+
+ <para>Default: <command>write list = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>write list = admin, root, @staff
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="writecachesize">write cache size (S)</term>
+ <listitem><para>This integer parameter (new with Samba 2.0.7)
+ if set to non-zero causes Samba to create an in-memory cache for
+ each oplocked file (it does <emphasis>not</emphasis> do this for
+ non-oplocked files). All writes that the client does not request
+ to be flushed directly to disk will be stored in this cache if possible.
+ The cache is flushed onto disk when a write comes in whose offset
+ would not fit into the cache or when the file is closed by the client.
+ Reads for the file are also served from this cache if the data is stored
+ within it.</para>
+
+ <para>This cache allows Samba to batch client writes into a more
+ efficient write size for RAID disks (ie. writes may be tuned to
+ be the RAID stripe size) and can improve performance on systems
+ where the disk subsystem is a bottleneck but there is free
+ memory for userspace programs.</para>
+
+ <para>The integer parameter specifies the size of this cache
+ (per oplocked file) in bytes.</para>
+
+ <para>Default: <command>write cache size = 0</command></para>
+ <para>Example: <command>write cache size = 262144</command></para>
+
+ <para>for a 256k cache size per file.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+
+ <varlistentry>
+ <term id="writeok">write ok (S)</term>
+ <listitem><para>Synonym for <link linkend="writeable"><parameter>
+ writeable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="writeraw">write raw (G)</term>
+ <listitem><para>This parameter controls whether or not the server
+ will support raw writes SMB's when transferring data from clients.
+ You should never need to change this parameter.</para>
+
+ <para>Default: <command>write raw = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term id="writeable">writeable (S)</term>
+ <listitem><para>An inverted synonym is <link linkend="readonly">
+ <parameter>read only</parameter></link>.</para>
+
+ <para>If this parameter is <constant>no</constant>, then users
+ of a service may not create or modify files in the service's
+ directory.</para>
+
+ <para>Note that a printable service (<command>printable = yes</command>)
+ will <emphasis>ALWAYS</emphasis> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</para>
+
+ <para>Default: <command>writeable = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
</variablelist>
</refsect1>