summaryrefslogtreecommitdiff
path: root/docs/docbook/manpages/smb.conf.5.sgml
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2001-02-22 15:43:18 +0000
committerGerald Carter <jerry@samba.org>2001-02-22 15:43:18 +0000
commit7fa7be07a1ba236c839136fbfddc9d9faddf560d (patch)
tree8b248374682c3c21e563d9b0fdda4e21fe68c1e7 /docs/docbook/manpages/smb.conf.5.sgml
parentd091506f68aef214994d34bcc3d39a85f7e5e8b4 (diff)
downloadsamba-7fa7be07a1ba236c839136fbfddc9d9faddf560d.tar.gz
samba-7fa7be07a1ba236c839136fbfddc9d9faddf560d.tar.bz2
samba-7fa7be07a1ba236c839136fbfddc9d9faddf560d.zip
housekeeping and a new SGML source file (findsmb)
(This used to be commit d509bb881da1fdad108a843fa35e2ed7248617e9)
Diffstat (limited to 'docs/docbook/manpages/smb.conf.5.sgml')
-rw-r--r--docs/docbook/manpages/smb.conf.5.sgml7435
1 files changed, 7435 insertions, 0 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
new file mode 100644
index 0000000000..a00ca178db
--- /dev/null
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -0,0 +1,7435 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smb.conf">
+
+<refmeta>
+ <refentrytitle>smb.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smb.conf</refname>
+ <refpurpose>The configuration file for the Samba suite</refpurpose>
+</refnamediv>
+
+<refsect1>
+ <title>SYNOPSIS</title>
+
+ <para>The <filename>smb.conf</filename> file is a configuration
+ file for the Samba suite. <filename>smb.conf</filename> contains
+ runtime configuration information for the Samba programs. The
+ <filename>smb.conf</filename> file is designed to be configured and
+ administered by the <ulink url="swat.8.html"><command>swat(8)</command>
+ </ulink> program. The complete description of the file format and
+ possible parameters held within are here for reference purposes.</para>
+</refsect1>
+
+<refsect1>
+ <title id="FILEFORMATSECT">FILE FORMAT</title>
+
+ <para>The file consists of sections and parameters. A section
+ begins with the name of the section in square brackets and continues
+ until the next section begins. Sections contain parameters of the
+ form</para>
+
+ <para><replaceable>name</replaceable> = <replaceable>value
+ </replaceable></para>
+
+ <para>The file is line-based - that is, each newline-terminated
+ line represents either a comment, a section name or a parameter.</para>
+
+ <para>Section and parameter names are not case sensitive.</para>
+
+ <para>Only the first equals sign in a parameter is significant.
+ Whitespace before or after the first equals sign is discarded.
+ Leading, trailing and internal whitespace in section and parameter
+ names is irrelevant. Leading and trailing whitespace in a parameter
+ value is discarded. Internal whitespace within a parameter value
+ is retained verbatim.</para>
+
+ <para>Any line beginning with a semicolon (';') or a hash ('#')
+ character is ignored, as are lines containing only whitespace.</para>
+
+ <para>Any line ending in a '\' is continued
+ on the next line in the customary UNIX fashion.</para>
+
+ <para>The values following the equals sign in parameters are all
+ either a string (no quotes needed) or a boolean, which may be given
+ as yes/no, 0/1 or true/false. Case is not significant in boolean
+ values, but is preserved in string values. Some items such as
+ create modes are numeric.</para>
+</refsect1>
+
+<refsect1>
+ <title>SECTION DESCRIPTIONS</title>
+
+ <para>Each section in the configuration file (except for the
+ [global] section) describes a shared resource (known
+ as a "share"). The section name is the name of the
+ shared resource and the parameters within the section define
+ the shares attributes.</para>
+
+ <para>There are three special sections, [global],
+ [homes] and [printers], which are
+ described under <emphasis>special sections</emphasis>. The
+ following notes apply to ordinary section descriptions.</para>
+
+ <para>A share consists of a directory to which access is being
+ given plus a description of the access rights which are granted
+ to the user of the service. Some housekeeping options are
+ also specifiable.</para>
+
+ <para>Sections are either filespace services (used by the
+ client as an extension of their native file systems) or
+ printable services (used by the client to access print services
+ on the host running the server).</para>
+
+ <para>Sections may be designated <emphasis>guest</emphasis> services,
+ in which case no password is required to access them. A specified
+ UNIX <emphasis>guest account</emphasis> is used to define access
+ privileges in this case.</para>
+
+ <para>Sections other than guest services will require a password
+ to access them. The client provides the username. As older clients
+ only provide passwords and not usernames, you may specify a list
+ of usernames to check against the password using the "user="
+ option in the share definition. For modern clients such as
+ Windows 95/98/ME/NT/2000, this should not be necessary.</para>
+
+ <para>Note that the access rights granted by the server are
+ masked by the access rights granted to the specified or guest
+ UNIX user by the host system. The server does not grant more
+ access than the host system grants.</para>
+
+ <para>The following sample section defines a file space share.
+ The user has write access to the path <filename>/home/bar</filename>.
+ The share is accessed via the share name "foo":</para>
+
+ <screen>
+ <computeroutput>
+ [foo]
+ path = /home/bar
+ writeable = true
+ </computeroutput>
+ </screen>
+
+ <para>The following sample section defines a printable share.
+ The share is readonly, but printable. That is, the only write
+ access permitted is via calls to open, write to and close a
+ spool file. The <emphasis>guest ok</emphasis> parameter means
+ access will be permitted as the default guest user (specified
+ elsewhere):</para>
+
+ <screen>
+ <computeroutput>
+ [aprinter]
+ path = /usr/spool/public
+ writeable = false
+ printable = true
+ guest ok = true
+ </computeroutput>
+ </screen>
+</refsect1>
+
+<refsect1>
+ <title>SPECIAL SECTIONS</title>
+
+ <refsect2>
+ <title>The [global] section</title>
+
+ <para>parameters in this section apply to the server
+ as a whole, or are defaults for sections which do not
+ specifically define certain items. See the notes
+ under paraMETERS for more information.</para>
+ </refsect2>
+
+ <refsect2>
+ <title id="HOMESECT">The [homes] section</title>
+
+ <para>If a section called homes is included in the
+ configuration file, services connecting clients to their
+ home directories can be created on the fly by the server.</para>
+
+ <para>When the connection request is made, the existing
+ sections are scanned. If a match is found, it is used. If no
+ match is found, the requested section name is treated as a
+ user name and looked up in the local password file. If the
+ name exists and the correct password has been given, a share is
+ created by cloning the [homes] section.</para>
+
+ <para>Some modifications are then made to the newly
+ created share:</para>
+
+ <itemizedlist>
+ <listitem><para>The share name is changed from homes to
+ the located username.</para></listitem>
+
+ <listitem><para>If no path was given, the path is set to
+ the user's home directory.</para></listitem>
+ </itemizedlist>
+
+ <para>If you decide to use a <emphasis>path=</emphasis> line
+ in your [homes] section then you may find it useful
+ to use the %S macro. For example :</para>
+
+ <para><userinput>path=/data/pchome/%S</userinput></para>
+
+ <para>would be useful if you have different home directories
+ for your PCs than for UNIX access.</para>
+
+ <para>This is a fast and simple way to give a large number
+ of clients access to their home directories with a minimum
+ of fuss.</para>
+
+ <para>A similar process occurs if the requested section
+ name is "homes", except that the share name is not
+ changed to that of the requesting user. This method of using
+ the [homes] section works well if different users share
+ a client PC.</para>
+
+ <para>The [homes] section can specify all the parameters
+ a normal service section can specify, though some make more sense
+ than others. The following is a typical and suitable [homes]
+ section:</para>
+
+ <screen>
+ <computeroutput>
+ [homes]
+ writeable = yes
+ </computeroutput>
+ </screen>
+
+ <para>An important point is that if guest access is specified
+ in the [homes] section, all home directories will be
+ visible to all clients <emphasis>without a password</emphasis>.
+ In the very unlikely event that this is actually desirable, it
+ would be wise to also specify <emphasis>read only
+ access</emphasis>.</para>
+
+ <para>Note that the <emphasis>browseable</emphasis> flag for
+ auto home directories will be inherited from the global browseable
+ flag, not the [homes] browseable flag. This is useful as
+ it means setting browseable=no in the [homes] section
+ will hide the [homes] share but make any auto home
+ directories visible.</para>
+ </refsect2>
+
+ <refsect2>
+ <title id="PRINTERSSECT">The [printers] section</title>
+
+ <para>This section works like [homes],
+ but for printers.</para>
+
+ <para>If a [printers] section occurs in the
+ configuration file, users are able to connect to any printer
+ specified in the local host's printcap file.</para>
+
+ <para>When a connection request is made, the existing sections
+ are scanned. If a match is found, it is used. If no match is found,
+ but a [homes] section exists, it is used as described
+ above. Otherwise, the requested section name is treated as a
+ printer name and the appropriate printcap file is scanned to see
+ if the requested section name is a valid printer share name. If
+ a match is found, a new printer share is created by cloning
+ the [printers] section.</para>
+
+ <para>A few modifications are then made to the newly created
+ share:</para>
+
+ <itemizedlist>
+ <listitem><para>The share name is set to the located printer
+ name</para></listitem>
+
+ <listitem><para>If no printer name was given, the printer name
+ is set to the located printer name</para></listitem>
+
+ <listitem><para>If the share does not permit guest access and
+ no username was given, the username is set to the located
+ printer name.</para></listitem>
+ </itemizedlist>
+
+ <para>Note that the [printers] service MUST be
+ printable - if you specify otherwise, the server will refuse
+ to load the configuration file.</para>
+
+ <para>Typically the path specified would be that of a
+ world-writeable spool directory with the sticky bit set on
+ it. A typical [printers] entry would look like
+ this:</para>
+
+ <screen><computeroutput>
+ [printers]
+ path = /usr/spool/public
+ guest ok = yes
+ printable = yes
+ </computeroutput></screen>
+
+ <para>All aliases given for a printer in the printcap file
+ are legitimate printer names as far as the server is concerned.
+ If your printing subsystem doesn't work like that, you will have
+ to set up a pseudo-printcap. This is a file consisting of one or
+ more lines like this:</para>
+
+ <screen>
+ <computeroutput>
+ alias|alias|alias|alias...
+ </computeroutput>
+ </screen>
+
+ <para>Each alias should be an acceptable printer name for
+ your printing subsystem. In the [global] section, specify
+ the new file as your printcap. The server will then only recognize
+ names found in your pseudo-printcap, which of course can contain
+ whatever aliases you like. The same technique could be used
+ simply to limit access to a subset of your local printers.</para>
+
+ <para>An alias, by the way, is defined as any component of the
+ first entry of a printcap record. Records are separated by newlines,
+ components (if there are more than one) are separated by vertical
+ bar symbols ('|').</para>
+
+ <para>NOTE: On SYSV systems which use lpstat to determine what
+ printers are defined on the system you may be able to use
+ "printcap name = lpstat" to automatically obtain a list
+ of printers. See the "printcap name" option
+ for more details.</para>
+ </refsect2>
+</refsect1>
+
+<refsect1>
+ <title>paraMETRS</title>
+
+ <para>parameters define the specific attributes of sections.</para>
+
+ <para>Some parameters are specific to the [global] section
+ (e.g., <emphasis>security</emphasis>). Some parameters are usable
+ in all sections (e.g., <emphasis>create mode</emphasis>). All others
+ are permissible only in normal sections. For the purposes of the
+ following descriptions the [homes] and [printers]
+ sections will be considered normal. The letter <emphasis>G</emphasis>
+ in parentheses indicates that a parameter is specific to the
+ [global] section. The letter <emphasis>S</emphasis>
+ indicates that a parameter can be specified in a service specific
+ section. Note that all <emphasis>S</emphasis> parameters can also be specified in
+ the [global] section - in which case they will define
+ the default behavior for all services.</para>
+
+ <para>parameters are arranged here in alphabetical order - this may
+ not create best bedfellows, but at least you can find them! Where
+ there are synonyms, the preferred synonym is described, others refer
+ to the preferred synonym.</para>
+</refsect1>
+
+<refsect1>
+ <title>VARIABLE SUBSTITUTIONS</title>
+
+ <para>Many of the strings that are settable in the config file
+ can take substitutions. For example the option "path =
+ /tmp/%u" would be interpreted as "path =
+ /tmp/john" if the user connected with the username john.</para>
+
+ <para>These substitutions are mostly noted in the descriptions below,
+ but there are some general substitutions which apply whenever they
+ might be relevant. These are:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>%S</term>
+ <listitem><para>the name of the current service, if any.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%P</term>
+ <listitem><para>the root directory of the current service,
+ if any.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%u</term>
+ <listitem><para>user name of the current service, if any.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%g</term>
+ <listitem><para>primary group name of %u.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%U</term>
+ <listitem><para>session user name (the user name that the client
+ wanted, not necessarily the same as the one they got).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%G</term>
+ <listitem><para>primary group name of %U.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%H</term>
+ <listitem><para>the home directory of the user given
+ by %u.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%v</term>
+ <listitem><para>the Samba version.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%h</term>
+ <listitem><para>the internet hostname that Samba is running
+ on.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%m</term>
+ <listitem><para>the NetBIOS name of the client machine
+ (very useful).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%L</term>
+ <listitem><para>the NetBIOS name of the server. This allows you
+ to change your config based on what the client calls you. Your
+ server can have a "dual personality".</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%M</term>
+ <listitem><para>the internet name of the client machine.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%N</term>
+ <listitem><para>the name of your NIS home directory server.
+ This is obtained from your NIS auto.map entry. If you have
+ not compiled Samba with the <emphasis>--with-automount</emphasis>
+ option then this value will be the same as %.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%p</term>
+ <listitem><para>the path of the service's home directory,
+ obtained from your NIS auto.map entry. The NIS auto.map entry
+ is split up as "%N:%p".</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%R</term>
+ <listitem><para>the selected protocol level after
+ protocol negotiation. It can be one of CORE, COREPLUS,
+ LANMAN1, LANMAN2 or NT1.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%d</term>
+ <listitem><para>The process id of the current server
+ process.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%a</term>
+ <listitem><para>the architecture of the remote
+ machine. Only some are recognized, and those may not be
+ 100% reliable. It currently recognizes Samba, WfWg,
+ WinNT and Win95. Anything else will be known as
+ "UNKNOWN". If it gets it wrong then sending a level
+ 3 log to <ulink url="mailto:samba@samba.org">samba@samba.org
+ </ulink> should allow it to be fixed.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%I</term>
+ <listitem><para>The IP address of the client machine.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%T</term>
+ <listitem><para>the current date and time.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%$(<replaceable>envvar</replaceable>)</term>
+ <listitem><para>The value of the environment variable
+ <replaceable>envar</replaceable>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>There are some quite creative things that can be done
+ with these substitutions and other smb.conf options.</para
+</refsect1>
+
+<refsect1>
+ <title id="NAMEMANGLINGSECT">NAME MANGLING</title>
+
+ <para>Samba supports "name mangling" so that DOS and
+ Windows clients can use files that don't conform to the 8.3 format.
+ It can also be set to adjust the case of 8.3 format filenames.</para>
+
+ <para>There are several options that control the way mangling is
+ performed, and they are grouped here rather than listed separately.
+ For the defaults look at the output of the testparm program. </para>
+
+ <para>All of these options can be set separately for each service
+ (or globally, of course). </para>
+
+ <para>The options are: </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>mangle case= yes/no</term>
+ <listitem><para> controls if names that have characters that
+ aren't of the "default" case are mangled. For example,
+ if this is yes then a name like "Mail" would be mangled.
+ Default <emphasis>no</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>case sensitive = yes/no</term>
+ <listitem><para>controls whether filenames are case sensitive. If
+ they aren't then Samba must do a filename search and match on passed
+ names. Default <emphasis>no</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>default case = upper/lower</term>
+ <listitem><para>controls what the default case is for new
+ filenames. Default <emphasis>lower</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>preserve case = yes/no</term>
+ <listitem><para>controls if new files are created with the
+ case that the client passes, or if they are forced to be the
+ "default" case. Default <emphasis>yes</emphasis>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>short preserve case = yes/no</term>
+ <listitem><para>controls if new files which conform to 8.3 syntax,
+ that is all in upper case and of suitable length, are created
+ upper case, or if they are forced to be the "default"
+ case. This option can be use with "preserve case = yes"
+ to permit long filenames to retain their case, while short names
+ are lowered. Default <emphasis>yes</emphasis>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>By default, Samba 2.2 has the same semantics as a Windows
+ NT server, in that it is case insensitive but case preserving.</para>
+
+</refsect1>
+
+<refsect1>
+ <title id="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
+
+ <para>There are a number of ways in which a user can connect
+ to a service. The server follows the following steps in determining
+ if it will allow a connection to a specified service. If all the
+ steps fail then the connection request is rejected. If one of the
+ steps pass then the following steps are not checked.</para>
+
+ <para>If the service is marked "guest only = yes" then
+ steps 1 to 5 are skipped.</para>
+
+ <orderedlist numeration="Arabic">
+ <listitem><para>If the client has passed a username/password
+ pair and that username/password pair is validated by the UNIX
+ system's password programs then the connection is made as that
+ username. Note that this includes the
+ \\server\service%<replaceable>username</replaceable> method of passing
+ a username.</para></listitem>
+
+ <listitem><para>If the client has previously registered a username
+ with the system and now supplies a correct password for that
+ username then the connection is allowed.</para></listitem>
+
+ <listitem><para>The client's netbios name and any previously
+ used user names are checked against the supplied password, if
+ they match then the connection is allowed as the corresponding
+ user.</para></listitem>
+
+ <listitem><para>If the client has previously validated a
+ username/password pair with the server and the client has passed
+ the validation token then that username is used. </para></listitem>
+
+ <listitem><para>If a "user = " field is given in the
+ <filename>smb.conf</filename> file for the service and the client
+ has supplied a password, and that password matches (according to
+ the UNIX system's password checking) with one of the usernames
+ from the "user=" field then the connection is made as
+ the username in the "user=" line. If one
+ of the username in the "user=" list begins with a
+ '@' then that name expands to a list of names in
+ the group of the same name.</para></listitem>
+
+ <listitem><para>If the service is a guest service then a
+ connection is made as the username given in the "guest
+ account =" for the service, irrespective of the
+ supplied password.</para></listitem>
+ </orderedlist>
+
+</refsect1>
+
+<refsect1>
+ <title>COMPLETE LIST OF GLOBAL PARAMETERS</title>
+
+ <para>Here is a list of all global parameters. See the section of
+ each parameter for details. Note that some are synonyms.</para>
+
+ <itemizedlist>
+ <listitem><para><parameter>add user script</parameter> </para></listitem>
+ <listitem><para><parameter>allow trusted domains</parameter> </para></listitem>
+ <listitem><para><parameter>announce as</parameter> </para></listitem>
+ <listitem><para><parameter>announce version</parameter> </para></listitem>
+ <listitem><para><parameter>auto services</parameter> </para></listitem>
+ <listitem><para><parameter>bind interfaces only</parameter> </para></listitem>
+ <listitem><para><parameter>browse list</parameter></para></listitem>
+ <listitem><para><parameter>change notify timeout</parameter> </para></listitem>
+ <listitem><para><parameter>character set</parameter> </para></listitem>
+ <listitem><para><parameter>client code page</parameter> </para></listitem>
+ <listitem><para><parameter>coding system</parameter></para></listitem>
+ <listitem><para><parameter>config file</parameter> </para></listitem>
+ <listitem><para><parameter>deadtime</parameter> </para></listitem>
+ <listitem><para><parameter>debug hires timestamp</parameter> </para></listitem>
+ <listitem><para><parameter>debug pid</parameter> </para></listitem>
+ <listitem><para><parameter>debug timestamp</parameter></para></listitem>
+ <listitem><para><parameter>debug uid</parameter> </para></listitem>
+ <listitem><para><parameter>debug level</parameter> </para></listitem>
+ <listitem><para><parameter>default</parameter> </para></listitem>
+ <listitem><para><parameter>default service</parameter> </para></listitem>
+ <listitem><para><parameter>delete user script</parameter> </para></listitem>
+ <listitem><para><parameter>dfree command</parameter> </para></listitem>
+ <listitem><para><parameter>dns proxy</parameter> </para></listitem>
+ <listitem><para><parameter>domain admin group</parameter> </para></listitem>
+ <listitem><para><parameter>domain admin users</parameter> </para></listitem>
+ <listitem><para><parameter>domain groups</parameter></para></listitem>
+ <listitem><para><parameter>domain guest group</parameter> </para></listitem>
+ <listitem><para><parameter>domain guest users</parameter> </para></listitem>
+ <listitem><para><parameter>domain logons</parameter> </para></listitem>
+ <listitem><para><parameter>domain master</parameter> </para></listitem>
+ <listitem><para><parameter>encrypt passwords</parameter> </para></listitem>
+ <listitem><para><parameter>getwd cache</parameter> </para></listitem>
+ <listitem><para><parameter>hide local users</parameter> </para></listitem>
+ <listitem><para><parameter>homedir map</parameter> </para></listitem>
+ <listitem><para><parameter>hosts equiv</parameter> </para></listitem>
+ <listitem><para><parameter>interfaces</parameter></para></listitem>
+ <listitem><para><parameter>keepalive</parameter> </para></listitem>
+ <listitem><para><parameter>kernel oplocks</parameter> </para></listitem>
+ <listitem><para><parameter>lm announce</parameter> </para></listitem>
+ <listitem><para><parameter>lm interval</parameter> </para></listitem>
+ <listitem><para><parameter>load printers</parameter></para></listitem>
+ <listitem><para><parameter>local master</parameter> </para></listitem>
+ <listitem><para><parameter>lock dir</parameter> </para></listitem>
+ <listitem><para><parameter>lock directory</parameter> </para></listitem>
+ <listitem><para><parameter>log file</parameter> </para></listitem>
+ <listitem><para><parameter>log level</parameter> </para></listitem>
+ <listitem><para><parameter>logon drive</parameter></para></listitem>
+ <listitem><para><parameter>logon home</parameter> </para></listitem>
+ <listitem><para><parameter>logon path</parameter> </para></listitem>
+ <listitem><para><parameter>logon script</parameter> </para></listitem>
+ <listitem><para><parameter>lpq cache time</parameter> </para></listitem>
+ <listitem><para><parameter>machine password timeout</parameter> </para></listitem>
+ <listitem><para><parameter>mangled stack</parameter> </para></listitem>
+ <listitem><para><parameter>map to guest</parameter> </para></listitem>
+ <listitem><para><parameter>max disk size</parameter> </para></listitem>
+ <listitem><para><parameter>max log size</parameter> </para></listitem>
+ <listitem><para><parameter>max mux</parameter> </para></listitem>
+ <listitem><para><parameter>max open files</parameter> </para></listitem>
+ <listitem><para><parameter>max packet</parameter> </para></listitem>
+ <listitem><para><parameter>max ttl</parameter> </para></listitem>
+ <listitem><para><parameter>max wins ttl</parameter> </para></listitem>
+ <listitem><para><parameter>max xmit</parameter> </para></listitem>
+ <listitem><para><parameter>message command</parameter> </para></listitem>
+ <listitem><para><parameter>min passwd length</parameter> </para></listitem>
+ <listitem><para><parameter>min password length</parameter> </para></listitem>
+ <listitem><para><parameter>min wins ttl</parameter> </para></listitem>
+ <listitem><para><parameter>name resolve order</parameter> </para></listitem>
+ <listitem><para><parameter>netbios aliases</parameter> </para></listitem>
+ <listitem><para><parameter>netbios name</parameter> </para></listitem>
+ <listitem><para><parameter>netbios scope</parameter> </para></listitem>
+ <listitem><para><parameter>nis homedir</parameter> </para></listitem>
+ <listitem><para><parameter>nt acl support</parameter> </para></listitem>
+ <listitem><para><parameter>nt pipe support</parameter> </para></listitem>
+ <listitem><para><parameter>nt smb support</parameter> </para></listitem>
+ <listitem><para><parameter>null passwords</parameter> </para></listitem>
+ <listitem><para><parameter>ole locking compatibility</parameter></para></listitem>
+ <listitem><para><parameter>oplock break wait time</parameter> </para></listitem>
+ <listitem><para><parameter>os level</parameter> </para></listitem>
+ <listitem><para><parameter>panic action</parameter> </para></listitem>
+ <listitem><para><parameter>passwd chat</parameter></para></listitem>
+ <listitem><para><parameter>passwd chat debug</parameter> </para></listitem>
+ <listitem><para><parameter>passwd program</parameter> </para></listitem>
+ <listitem><para><parameter>password level</parameter> </para></listitem>
+ <listitem><para><parameter>password server</parameter> </para></listitem>
+ <listitem><para><parameter>prefered master</parameter> </para></listitem>
+ <listitem><para><parameter>preferred master</parameter> </para></listitem>
+ <listitem><para><parameter>preload</parameter> </para></listitem>
+ <listitem><para><parameter>printcap</parameter> </para></listitem>
+ <listitem><para><parameter>printcap name</parameter> </para></listitem>
+ <listitem><para><parameter>printer driver file</parameter> </para></listitem>
+ <listitem><para><parameter>private dir</parameter> </para></listitem>
+ <listitem><para><parameter>protocol</parameter> </para></listitem>
+ <listitem><para><parameter>read bmpx</parameter> </para></listitem>
+ <listitem><para><parameter>read prediction</parameter> </para></listitem>
+ <listitem><para><parameter>read raw</parameter> </para></listitem>
+ <listitem><para><parameter>read size</parameter> </para></listitem>
+ <listitem><para><parameter>remote announce</parameter> </para></listitem>
+ <listitem><para><parameter>remote browse sync</parameter> </para></listitem>
+ <listitem><para><parameter>restrict anonymous</parameter> </para></listitem>
+ <listitem><para><parameter>root</parameter> </para></listitem>
+ <listitem><para><parameter>root dir</parameter> </para></listitem>
+ <listitem><para><parameter>root directory</parameter> </para></listitem>
+ <listitem><para><parameter>security</parameter> </para></listitem>
+ <listitem><para><parameter>server string</parameter> </para></listitem>
+ <listitem><para><parameter>shared mem size</parameter> </para></listitem>
+ <listitem><para><parameter>smb passwd file</parameter> </para></listitem>
+ <listitem><para><parameter>smbrun</parameter> </para></listitem>
+ <listitem><para><parameter>socket address</parameter> </para></listitem>
+ <listitem><para><parameter>socket options</parameter> </para></listitem>
+ <listitem><para><parameter>source environment</parameter> </para></listitem>
+ <listitem><para><parameter>ssl</parameter> </para></listitem>
+ <listitem><para><parameter>ssl CA certDir</parameter> </para></listitem>
+ <listitem><para><parameter>ssl CA certFile</parameter> </para></listitem>
+ <listitem><para><parameter>ssl ciphers</parameter> </para></listitem>
+ <listitem><para><parameter>ssl client cert</parameter> </para></listitem>
+ <listitem><para><parameter>ssl client key</parameter></para></listitem>
+ <listitem><para><parameter>ssl compatibility</parameter> </para></listitem>
+ <listitem><para><parameter>ssl hosts</parameter> </para></listitem>
+ <listitem><para><parameter>ssl hosts resign</parameter> </para></listitem>
+ <listitem><para><parameter>ssl require clientcert</parameter></para></listitem>
+ <listitem><para><parameter>ssl require servercert</parameter> </para></listitem>
+ <listitem><para><parameter>ssl server cert</parameter> </para></listitem>
+ <listitem><para><parameter>ssl server key</parameter> </para></listitem>
+ <listitem><para><parameter>ssl version</parameter> </para></listitem>
+ <listitem><para><parameter>stat cache</parameter> </para></listitem>
+ <listitem><para><parameter>stat cache size</parameter> </para></listitem>
+ <listitem><para><parameter>strip dot</parameter> </para></listitem>
+ <listitem><para><parameter>syslog</parameter> </para></listitem>
+ <listitem><para><parameter>syslog only</parameter> </para></listitem>
+ <listitem><para><parameter>template homedir</parameter></para></listitem>
+ <listitem><para><parameter>template shell</parameter> </para></listitem>
+ <listitem><para><parameter>time offset</parameter> </para></listitem>
+ <listitem><para><parameter>time server</parameter> </para></listitem>
+ <listitem><para><parameter>timestamp logs</parameter> </para></listitem>
+ <listitem><para><parameter>unix password sync</parameter> </para></listitem>
+ <listitem><para><parameter>unix realname</parameter> </para></listitem>
+ <listitem><para><parameter>update encrypted</parameter> </para></listitem>
+ <listitem><para><parameter>use rhosts</parameter> </para></listitem>
+ <listitem><para><parameter>username level</parameter> </para></listitem>
+ <listitem><para><parameter>username map</parameter> </para></listitem>
+ <listitem><para><parameter>utmp directory</parameter> </para></listitem>
+ <listitem><para><parameter>valid chars</parameter> </para></listitem>
+ <listitem><para><parameter>winbind cache time</parameter> </para></listitem>
+ <listitem><para><parameter>winbind gid</parameter> </para></listitem>
+ <listitem><para><parameter>winbind uid</parameter> </para></listitem>
+ <listitem><para><parameter>wins hook</parameter> </para></listitem>
+ <listitem><para><parameter>wins proxy</parameter> </para></listitem>
+ <listitem><para><parameter>wins server</parameter> </para></listitem>
+ <listitem><para><parameter>wins support</parameter> </para></listitem>
+ <listitem><para><parameter>workgroup</parameter> </para></listitem>
+ <listitem><para><parameter>write raw</parameter> </para></listitem>
+ </itemizedlist>
+
+</refsect1>
+
+<refsect1>
+ <title>COMPLETE LIST OF SERVICE PARAMETERS</title>
+
+ <para>Here is a list of all service parameters. See the section of
+ each parameter for details. Note that some are synonyms.</para>
+
+ <itemizedlist>
+ <listitem><para><parameter>admin users</parameter> </para></listitem>
+ <listitem><para><parameter>allow hosts</parameter> </para></listitem>
+ <listitem><para><parameter>alternate permissions</parameter> </para></listitem>
+ <listitem><para><parameter>available</parameter> </para></listitem>
+ <listitem><para><parameter>blocking locks</parameter></para></listitem>
+ <listitem><para><parameter>browsable</parameter> </para></listitem>
+ <listitem><para><parameter>browseable</parameter> </para></listitem>
+ <listitem><para><parameter>case sensitive</parameter> </para></listitem>
+ <listitem><para><parameter>casesignames</parameter> </para></listitem>
+ <listitem><para><parameter>comment</parameter> </para></listitem>
+ <listitem><para><parameter>copy</parameter> </para></listitem>
+ <listitem><para><parameter>create mask</parameter> </para></listitem>
+ <listitem><para><parameter>create mode</parameter> </para></listitem>
+ <listitem><para><parameter>default case</parameter> </para></listitem>
+ <listitem><para><parameter>delete readonly</parameter> </para></listitem>
+ <listitem><para><parameter>delete veto files</parameter> </para></listitem>
+ <listitem><para><parameter>deny hosts</parameter> </para></listitem>
+ <listitem><para><parameter>directory</parameter> </para></listitem>
+ <listitem><para><parameter>directory mask</parameter> </para></listitem>
+ <listitem><para><parameter>directory mode</parameter> </para></listitem>
+ <listitem><para><parameter>directory security mask</parameter></para></listitem>
+ <listitem><para><parameter>dont descend</parameter> </para></listitem>
+ <listitem><para><parameter>dos filetime resolution</parameter> </para></listitem>
+ <listitem><para><parameter>dos filetimes</parameter> </para></listitem>
+ <listitem><para><parameter>exec</parameter> </para></listitem>
+ <listitem><para><parameter>fake directory create times</parameter> </para></listitem>
+ <listitem><para><parameter>fake oplocks</parameter> </para></listitem>
+ <listitem><para><parameter>follow symlinks</parameter> </para></listitem>
+ <listitem><para><parameter>force create mode</parameter> </para></listitem>
+ <listitem><para><parameter>force directory mode</parameter> </para></listitem>
+ <listitem><para><parameter>force directory security mode</parameter> </para></listitem>
+ <listitem><para><parameter>force group</parameter> </para></listitem>
+ <listitem><para><parameter>force security mode</parameter> </para></listitem>
+ <listitem><para><parameter>force user</parameter> </para></listitem>
+ <listitem><para><parameter>fstype</parameter> </para></listitem>
+ <listitem><para><parameter>group</parameter> </para></listitem>
+ <listitem><para><parameter>guest account</parameter> </para></listitem>
+ <listitem><para><parameter>guest ok</parameter> </para></listitem>
+ <listitem><para><parameter>guest only</parameter> </para></listitem>
+ <listitem><para><parameter>hide dot files</parameter></para></listitem>
+ <listitem><para><parameter>hide files</parameter> </para></listitem>
+ <listitem><para><parameter>hosts allow</parameter> </para></listitem>
+ <listitem><para><parameter>hosts deny</parameter> </para></listitem>
+ <listitem><para><parameter>include</parameter> </para></listitem>
+ <listitem><para><parameter>inherit permissions</parameter> </para></listitem>
+ <listitem><para><parameter>invalid users</parameter> </para></listitem>
+ <listitem><para><parameter>level2 oplocks</parameter> </para></listitem>
+ <listitem><para><parameter>locking</parameter> </para></listitem>
+ <listitem><para><parameter>lppause command</parameter> </para></listitem>
+ <listitem><para><parameter>lpq command</parameter> </para></listitem>
+ <listitem><para><parameter>lpresume command</parameter> </para></listitem>
+ <listitem><para><parameter>lprm command</parameter> </para></listitem>
+ <listitem><para><parameter>magic output</parameter> </para></listitem>
+ <listitem><para><parameter>magic script</parameter> </para></listitem>
+ <listitem><para><parameter>mangle case</parameter> </para></listitem>
+ <listitem><para><parameter>mangle locks</parameter> </para></listitem>
+ <listitem><para><parameter>mangled map</parameter> </para></listitem>
+ <listitem><para><parameter>mangled names</parameter> </para></listitem>
+ <listitem><para><parameter>mangling char</parameter> </para></listitem>
+ <listitem><para><parameter>map archive</parameter> </para></listitem>
+ <listitem><para><parameter>map hidden</parameter></para></listitem>
+ <listitem><para><parameter>map system</parameter> </para></listitem>
+ <listitem><para><parameter>max connections</parameter> </para></listitem>
+ <listitem><para><parameter>min print space</parameter> </para></listitem>
+ <listitem><para><parameter>only guest</parameter> </para></listitem>
+ <listitem><para><parameter>only user</parameter> </para></listitem>
+ <listitem><para><parameter>oplock contention limit</parameter> </para></listitem>
+ <listitem><para><parameter>oplocks</parameter> </para></listitem>
+ <listitem><para><parameter>path</parameter> </para></listitem>
+ <listitem><para><parameter>postexec</parameter> </para></listitem>
+ <listitem><para><parameter>postscript</parameter> </para></listitem>
+ <listitem><para><parameter>preexec</parameter> </para></listitem>
+ <listitem><para><parameter>preexec close</parameter> </para></listitem>
+ <listitem><para><parameter>preserve case</parameter> </para></listitem>
+ <listitem><para><parameter>print command</parameter> </para></listitem>
+ <listitem><para><parameter>print ok</parameter> </para></listitem>
+ <listitem><para><parameter>printable</parameter> </para></listitem>
+ <listitem><para><parameter>printer</parameter> </para></listitem>
+ <listitem><para><parameter>printer admin</parameter> </para></listitem>
+ <listitem><para><parameter>printer driver</parameter> </para></listitem>
+ <listitem><para><parameter>printer driver location</parameter> </para></listitem>
+ <listitem><para><parameter>printer name</parameter> </para></listitem>
+ <listitem><para><parameter>printing</parameter></para></listitem>
+ <listitem><para><parameter>public</parameter> </para></listitem>
+ <listitem><para><parameter>queuepause command</parameter> </para></listitem>
+ <listitem><para><parameter>queueresume command</parameter> </para></listitem>
+ <listitem><para><parameter>read list</parameter> </para></listitem>
+ <listitem><para><parameter>read only</parameter></para></listitem>
+ <listitem><para><parameter>root postexec</parameter> </para></listitem>
+ <listitem><para><parameter>root preexec</parameter> </para></listitem>
+ <listitem><para><parameter>root preexec close</parameter> </para></listitem>
+ <listitem><para><parameter>security mask</parameter> </para></listitem>
+ <listitem><para><parameter>set directory</parameter></para></listitem>
+ <listitem><para><parameter>share modes</parameter> </para></listitem>
+ <listitem><para><parameter>short preserve case</parameter> </para></listitem>
+ <listitem><para><parameter>status</parameter> </para></listitem>
+ <listitem><para><parameter>strict locking</parameter> </para></listitem>
+ <listitem><para><parameter>strict sync</parameter></para></listitem>
+ <listitem><para><parameter>sync always</parameter> </para></listitem>
+ <listitem><para><parameter>user</parameter> </para></listitem>
+ <listitem><para><parameter>username</parameter> </para></listitem>
+ <listitem><para><parameter>users</parameter> </para></listitem>
+ <listitem><para><parameter>utmp</parameter> </para></listitem>
+ <listitem><para><parameter>valid users</parameter> </para></listitem>
+ <listitem><para><parameter>veto files</parameter> </para></listitem>
+ <listitem><para><parameter>veto oplock files</parameter> </para></listitem>
+ <listitem><para><parameter>volume</parameter> </para></listitem>
+ <listitem><para><parameter>wide links</parameter> </para></listitem>
+ <listitem><para><parameter>writable</parameter> </para></listitem>
+ <listitem><para><parameter>write cache size</parameter> </para></listitem>
+ <listitem><para><parameter>write list</parameter></para></listitem>
+ <listitem><para><parameter>write ok</parameter> </para></listitem>
+ <listitem><para><parameter>writeable</parameter> </para></listitem>
+ </itemizedlist>
+
+</refsect1>
+
+<refsect1>
+ <title>EXPLANATION OF EACH PARAMETER</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><anchor id="ADDUSERSCRIPT">add user script (G)</term>
+ <listitem><para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">smbd(8)
+ </ulink> under special circumstances decribed below.</para>
+
+ <para>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <ulink
+ url="smbd.8.html">smbd</ulink> to create the required UNIX users
+ <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para>
+
+ <para>In order to use this option, <ulink url="smbd.8.html">smbd</ulink>
+ must be set to <parameter>security=server</parameter> or <parameter>
+ security=domain</parameter> and <parameter>add user script</parameter>
+ must be set to a full pathname for a script that will create a UNIX
+ user given one argument of <parameter>%u</parameter>, which expands into
+ the UNIX user name to create.</para>
+
+ <para>When the Windows user attempts to access the Samba server,
+ at login (session setup in the SMB protocol) time, <ulink url="smbd.8.html">
+ smbd</ulink> contacts the <parameter>password server</parameter> and
+ attempts to authenticate the given user with the given password. If the
+ authentication succeeds then <ulink url="smbd.8.html">smbd</ulink>
+ attempts to find a UNIX user in the UNIX password database to map the
+ Windows user into. If this lookup fails, and <parameter>add user script
+ </parameter> is set then <ulink url="smbd.8.html">smbd</ulink> will
+ call the specified script <emphasis>AS ROOT</emphasis>, expanding
+ any <parameter>%u</parameter> argument to be the user name to create.</para>
+
+ <para>If this script successfully creates the user then <ulink
+ url="smbd.8.html">smbd</ulink> will continue on as though the UNIX user
+ already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.</para>
+
+ <para>See also <ulink url="smb.conf.5.html#security"><parameter>
+ security</parameter></ulink>, <ulink url="smb.conf.5.html#passwordserver">
+ <parameter>password server</parameter></ulink>, <ulink
+ url="smb.conf.5.html#deleteuserscript"><parameter>delete user
+ script</parameter></ulink>.</para>
+
+ <para>Default: <command>add user script = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>add user script = /usr/local/samba/bin/add_user
+ %u</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ADMINUSERS">admin users (S)</term>
+ <listitem><para>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</para>
+
+ <para>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</para>
+
+ <para>Default: <emphasis>no admin users</emphasis></para>
+
+ <para>Example: <command>admin users = jason</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ALLOWHOSTS">allow hosts (S)</term>
+ <listitem><para>Synonym for <ulink url="smb.conf.5.html#hostsallow">
+ <parameter>hosts allow</parameter></ulink>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ALLOWTRUSTEDDOMAINS">allow trusted domains (G)</term>
+ <listitem><para>This option only takes effect when the <ulink
+ url="smb.conf.5.html">security</ulink> option is set to
+ <parameter>server</parameter> or <parameter>domain</parameter>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which smbd is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</para>
+
+ <para>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</para>
+
+ <para>Default: <command>allow trusted domains = yes</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ANNOUNCEAS">announce as (G)</term>
+ <listitem><para>This specifies what type of server
+ <ulink url="nmbd.8.html"><command>nmbd</command></ulink>
+ will announce itself as, to a network neighborhood browse
+ list. By default this is set to Windows NT. The valid options
+ are : "NT" (which is a synonym for "NT Server"), "NT Server",
+ "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
+ Windows NT Workstation, Windows 95 and Windows for Workgroups
+ respectively. Do not change this parameter unless you have a
+ specific need to stop Samba appearing as an NT server as this
+ may prevent Samba servers from participating as browser servers
+ correctly.</para>
+
+ <para>Default: <command>announce as = NT Server</command></para>
+
+ <para>Example: <command>announce as = Win95</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ANNOUCEVERSION">annouce version (G)</term>
+ <listitem><para>This specifies the major and minor version numbers
+ that nmbd will use when announcing itself as a server. The default
+ is 4.2. Do not change this parameter unless you have a specific
+ need to set a Samba server to be a downlevel server.</para>
+
+ <para>Default: <command>announce version = 4.2</command></para>
+
+ <para>Example: <command>announce version = 2.0</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="AUTOSERVICES">auto services (G)</term>
+ <listitem><para>This is a list of services that you want to be
+ automatically added to the browse lists. This is most useful
+ for homes and printers services that would otherwise not be
+ visible.</para>
+
+ <para>Note that if you just want all printers in your
+ printcap file loaded then the <ulink url="smb.conf.5.html#loadprinters">
+ <parameter>load printers</parameter></ulink> option is easier.</para>
+
+ <para>Default: <emphasis>no auto services</emphasis></para>
+
+ <para>Example: <command>auto services = fred lp colorlp</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="AVAILABLE">available (S)</term>
+ <listitem><para>This parameter lets you "turn off" a service. If
+ <parameter>available = no</parameter>, then <emphasis>ALL</emphasis>
+ attempts to connect to the service will fail. Such failures are
+ logged.</para>
+
+ <para>Default: <command>available = yes</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BINDINTERFACESONLY">bind interfaces only (G)</term>
+ <listitem><para>This global parameter allows the Samba admin
+ to limit what interfaces on a machine will serve smb requests. If
+ affects file service <ulink url="smbd.8.html">smbd(8)</ulink> and
+ name service <ulink url="nmbd.8.html">nmbd(8)</ulink> in slightly
+ different ways.</para>
+
+ <para>For name service it causes <command>nmbd</command> to bind
+ to ports 137 and 138 on the interfaces listed in the <link
+ linkend="INTERFACES">interfaces</link> parameter. <command>nmbd
+ </command> also binds to the "all addresses" interface (0.0.0.0)
+ on ports 137 and 138 for the purposes of reading broadcast messages.
+ If this option is not set then <command>nmbd</command> will service
+ name requests on all of these sockets. If <parameter>bind interfaces
+ only</parameter> is set then <command>nmbd</command> will check the
+ source address of any packets coming in on the broadcast sockets
+ and discard any that don't match the broadcast addresses of the
+ interfaces in the <parameter>interfaces</parameter> parameter list.
+ As unicast packets are received on the other sockets it allows
+ <command>nmbd</command> to refuse to serve names to machines that
+ send packets that arrive through any interfaces not listed in the
+ <parameter>interfaces</parameter> list. IP Source address spoofing
+ does defeat this simple check, however so it must not be used
+ seriously as a security feature for <command>nmbd</command>.</para>
+
+ <para>For file service it causes <ulink url="smbd.8.html">smbd(8)</ulink>
+ to bind only to the interface list given in the <link linkend="INTERFACES">
+ interfaces</link> parameter. This restricts the networks that
+ <command>smbd</command> will serve to packets coming in those
+ interfaces. Note that you should not use this parameter for machines
+ that are serving PPP or other intermittent or non-broadcast network
+ interfaces as it will not cope with non-permanent interfaces.</para>
+
+ <para>If <parameter>bind interfaces only</parameter> is set then
+ unless the network address <emphasis>127.0.0.1</emphasis> is added
+ to the <parameter>interfaces</parameter> parameter list <ulink
+ url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>
+ and <ulink url="swat.8.html"><command>swat(8)</command></ulink> may
+ not work as expected due to the reasons covered below.</para>
+
+ <para>To change a users SMB password, the <command>smbpasswd</command>
+ by default connects to the <emphasis>localhost - 127.0.0.1</emphasis>
+ address as an SMB client to issue the password change request. If
+ <parameter>bind interfaces only</parameter> is set then unless the
+ network address <emphasis>127.0.0.1</emphasis> is added to the
+ <parameter>interfaces</parameter> parameter list then <command>
+ smbpasswd</command> will fail to connect in it's default mode.
+ <command>smbpasswd</command> can be forced to use the primary IP interface
+ of the local host by using its <ulink url="smbpasswd.8.html#minusr">
+ <parameter>-r <replaceable>remote machine</replaceable></parameter>
+ </ulink> parameter, with <replaceable>remote machine</replaceable> set
+ to the IP name of the primary interface of the local host.</para>
+
+ <para>The <command>swat</command> status page tries to connect with
+ <command>smbd</command> and <command>nmbd</command> at the address
+ <emphasis>127.0.0.1</emphasis> to determine if they are running.
+ Not adding <emphasis>127.0.0.1</emphasis> will cause <command>
+ smbd</command> and <command>nmbd</command> to always show
+ "not running" even if they really are. This can prevent <command>
+ swat</command> from starting/stopping/restarting <command>smbd</command>
+ and <command>nmbd</command>.</para>
+
+ <para>Default: <command>bind interfaces only = no</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BLOCKINGLOCKS">blocking locks (S)</term>
+ <listitem><para>This parameter controls the behavior of <ulink
+ url="smbd.8.html">smbd(8)</ulink> when given a request by a client
+ to obtain a byte range lock on a region of an open file, and the
+ request has a time limit associated with it.</para>
+
+ <para>If this parameter is set and the lock range requested
+ cannot be immediately satisfied, Samba 2.2 will internally
+ queue the lock request, and periodically attempt to obtain
+ the lock until the timeout period expires.</para>
+
+ <para>If this parameter is set to <constant>False</constant>, then
+ Samba 2.2 will behave as previous versions of Samba would and
+ will fail the lock request immediately if the lock range
+ cannot be obtained.</para>
+
+ <para>Default: <command>blocking locks = yes</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BROWSABLE">browsable (S)</term>
+ <listitem><para>See the <link linkend="BROWSEABLE"><parameter>
+ browseable</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BROWSELIST">browse list (G)</term>
+ <listitem><para>This controls whether <ulink url="smbd.8.html">
+ <command>smbd(8)</command></ulink> will serve a browse list to
+ a client doing a <command>NetServerEnum</command> call. Normally
+ set to <constant>true</constant>. You should never need to change
+ this.</para>
+
+ <para>Default: <command>browse list = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BROWSEABLE">browseable (S)</term>
+ <listitem><para>This controls whether this share is seen in
+ the list of available shares in a net view and in the browse list.</para>
+
+ <para>Default: <command>browseable = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CASESENSITIVE">case sensitive (S)</term>
+ <listitem><para>See the discussion in the section <link
+ linkend="NAMEMANGLINGSECT">NAME MANGLING</link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CASESIGNAMES">casesignames (S)</term>
+ <listitem><para>Synonym for <link linkend="CASESENSITIVE">case
+ sensitive</link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CHANGENOTIFYTIMEOUT">change notify timeout (G)</term>
+ <listitem><para>This SMB allows a client to tell a server to
+ "watch" a particular directory for any changes and only reply to
+ the SMB request when a change has occurred. Such constant scanning of
+ a directory is expensive under UNIX, hence an <ulink url="smbd.8.html">
+ <command>smbd(8)</command></ulink> daemon only performs such a scan
+ on each requested directory once every <parameter>change notify
+ timeout</parameter> seconds.</para>
+
+ <para>Default: <command>change notify timeout = 60</command></para>
+ <para>Example: <command>change notify timeout = 300</command></para>
+
+ <para>Would change the scan time to every 5 minutes.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CHARACTERSET">character set (G)</term>
+ <listitem><para>This allows a smbd to map incoming filenames
+ from a DOS Code page (see the <link linkend="CLIENTCODEPAGE">client
+ code page</link> parameter) to several built in UNIX character sets.
+ The built in code page translations are:</para>
+
+ <itemizedlist>
+ <listitem><para><constant>ISO8859-1</constant> : Western European
+ UNIX character set. The parameter <parameter>client code page</parameter>
+ <emphasis>MUST</emphasis> be set to code page 850 if the
+ <parameter>character set</parameter> parameter is set to
+ <constant>ISO8859-1</constant> in order for the conversion to the
+ UNIX character set to be done correctly.</para></listitem>
+
+ <listitem><para><constant>ISO8859-2</constant> : Eastern European
+ UNIX character set. The parameter <parameter>client code page
+ </parameter> <emphasis>MUST</emphasis> be set to code page 852 if
+ the <parameter> character set</parameter> parameter is set
+ to <constant>ISO8859-2</constant> in order for the conversion
+ to the UNIX character set to be done correctly. </para></listitem>
+
+ <listitem><para><constant>ISO8859-5</constant> : Russian Cyrillic
+ UNIX character set. The parameter <parameter>client code page
+ </parameter> <emphasis>MUST</emphasis> be set to code page
+ 866 if the <parameter>character set </parameter> parameter is
+ set to <constant>ISO8859-5</constant> in order for the conversion
+ to the UNIX character set to be done correctly. </para></listitem>
+
+ <listitem><para><constant>ISO8859-7</constant> : Greek UNIX
+ character set. The parameter <parameter>client code page
+ </parameter> <emphasis>MUST</emphasis> be set to code page
+ 737 if the <parameter>character set</parameter> parameter is
+ set to <constant>ISO8859-7</constant> in order for the conversion
+ to the UNIX character set to be done correctly.</para></listitem>
+
+ <listitem><para><constant>KOI8-R</constant> : Alternate mapping
+ for Russian Cyrillic UNIX character set. The parameter
+ <parameter>client code page</parameter> <emphasis>MUST</emphasis>
+ be set to code page 866 if the <parameter>character set</parameter>
+ parameter is set to <constant>KOI8-R</constant> in order for the
+ conversion to the UNIX character set to be done correctly.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para><emphasis>BUG</emphasis>. These MSDOS code page to UNIX character
+ set mappings should be dynamic, like the loading of MS DOS code pages,
+ not static.</para>
+
+ <para>Normally this parameter is not set, meaning no filename
+ translation is done.</para>
+
+ <para>Default: <command>character set = &lt;empty string&gt;</command></para>
+ <para>Example: <command>character set = ISO8859-1</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CLIENTCODEPAGE">client code page (G)</term>
+ <listitem><para>This parameter specifies the DOS code page
+ that the clients accessing Samba are using. To determine what code
+ page a Windows or DOS client is using, open a DOS command prompt
+ and type the command <command>chcp</command>. This will output
+ the code page. The default for USA MS-DOS, Windows 95, and
+ Windows NT releases is code page 437. The default for western
+ european releases of the above operating systems is code page 850.</para>
+
+ <para>This parameter tells <ulink url="smbd.8.html">smbd(8)</ulink>
+ which of the <filename>codepage.<replaceable>XXX</replaceable>
+ </filename> files to dynamically load on startup. These files,
+ described more fully in the manual page <ulink url="make_smbcodepage.1.html">
+ <command>make_smbcodepage(1)</command></ulink>, tell <command>
+ smbd</command> how to map lower to upper case characters to provide
+ the case insensitivity of filenames that Windows clients expect.</para>
+
+ <para>Samba currently ships with the following code page files :</para>
+
+ <itemizedlist>
+ <listitem><para>Code Page 437 - MS-DOS Latin US</para></listitem>
+ <listitem><para>Code Page 737 - Windows '95 Greek</para></listitem>
+ <listitem><para>Code Page 850 - MS-DOS Latin 1</para></listitem>
+ <listitem><para>Code Page 852 - MS-DOS Latin 2</para></listitem>
+ <listitem><para>Code Page 861 - MS-DOS Icelandic</para></listitem>
+ <listitem><para>Code Page 866 - MS-DOS Cyrillic</para></listitem>
+ <listitem><para>Code Page 932 - MS-DOS Japanese SJIS</para></listitem>
+ <listitem><para>Code Page 936 - MS-DOS Simplified Chinese</para></listitem>
+ <listitem><para>Code Page 949 - MS-DOS Korean Hangul</para></listitem>
+ <listitem><para>Code Page 950 - MS-DOS Traditional Chinese</para></listitem>
+ </itemizedlist>
+
+ <para>Thus this parameter may have any of the values 437, 737, 850, 852,
+ 861, 932, 936, 949, or 950. If you don't find the codepage you need,
+ read the comments in one of the other codepage files and the
+ <command>make_smbcodepage(1)</command> man page and write one. Please
+ remember to donate it back to the Samba user community.</para>
+
+ <para>This parameter co-operates with the <parameter>valid
+ chars</parameter> parameter in determining what characters are
+ valid in filenames and how capitalization is done. If you set both
+ this parameter and the <parameter>valid chars</parameter> parameter
+ the <parameter>client code page</parameter> parameter
+ <emphasis>MUST</emphasis> be set before the <parameter>valid
+ chars</parameter> parameter in the <filename>smb.conf</filename>
+ file. The <parameter>valid chars</parameter> string will then
+ augment the character settings in the <parameter>client code page</parameter>
+ parameter.</para>
+
+ <para>If not set, <parameter>client code page</parameter> defaults
+ to 850.</para>
+
+ <para>See also : <link linkend="VALIDCHARS"><parameter>valid
+ chars</parameter></link></para>
+
+ <para>Default: <command>client code page = 850</command></para>
+ <para>Example: <command>client code page = 936</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="CODINGSYSTEM">codingsystem (G)</term>
+ <listitem><para>This parameter is used to determine how incoming
+ Shift-JIS Japanese characters are mapped from the incoming <link
+ linkend="CLIENTCODEPAGE"><parameter>client code page</parameter>
+ </link> used by the client, into file names in the UNIX filesystem.
+ Only useful if <parameter>client code page</parameter> is set to
+ 932 (Japanese Shift-JIS). The options are :</para>
+
+ <itemizedlist>
+ <listitem><para><constant>SJIS</constant> - Shift-JIS. Does no
+ conversion of the incoming filename.</para></listitem>
+
+ <listitem><para><constant>JIS8, J8BB, J8BH, J8@B,
+ J8@J, J8@H </constant> - Convert from incoming Shift-JIS to eight
+ bit JIS code with different shift-in, shift out codes.</para></listitem>
+
+ <listitem><para><constant>JIS7, J7BB, J7BH, J7@B, J7@J,
+ J7@H </constant> - Convert from incoming Shift-JIS to seven bit
+ JIS code with different shift-in, shift out codes.</para></listitem>
+
+ <listitem><para><constant>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </constant>
+ - Convert from incoming Shift-JIS to JUNET code with different shift-in,
+ shift out codes.</para></listitem>
+
+
+ <listitem><para><constant>EUC</constant> - Convert an incoming
+ Shift-JIS character to EUC code.</para></listitem>
+
+ <listitem><para><constant>HEX</constant> - Convert an incoming
+ Shift-JIS character to a 3 byte hex representation, i.e.
+ <constant>:AB</constant>.</para></listitem>
+
+ <listitem><para><constant>CAP</constant> - Convert an incoming
+ Shift-JIS character to the 3 byte hex representation used by
+ the Columbia AppleTalk Program (CAP), i.e. <constant>:AB</constant>.
+ This is used for compatibility between Samba and CAP.</para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="COMMENT">comment (S)</term>
+ <listitem><para>This is a text field that is seen next to a share
+ when a client does a queries the server, either via the network
+ neighborhood or via <command>net view</command> to list what shares
+ are available.</para>
+
+ <para>If you want to set the string that is displayed next to the
+ machine name then see the <link linkend="SERVERSTRING"><parameter>
+ server string</parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>No comment string</emphasis></para>
+ <para>Example: <command>comment = Fred's Files</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CONFIGFILE">config file (G)</term>
+ <listitem><para>This allows you to override the config file
+ to use, instead of the default (usually <filename>smb.conf</filename>).
+ There is a chicken and egg problem here as this option is set
+ in the config file!</para>
+
+ <para>For this reason, if the name of the config file has changed
+ when the parameters are loaded then it will reload them from
+ the new config file.</para>
+
+ <para>This option takes the usual substitutions, which can
+ be very useful.</para>
+
+ <para>If the config file doesn't exist then it won't be loaded
+ (allowing you to special case the config files of just a few
+ clients).</para>
+
+ <para>Example: <command>config file = /usr/local/samba/lib/smb.conf.%m
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="COPY">copy (S)</term>
+ <listitem><para>This parameter allows you to "clone" service
+ entries. The specified service is simply duplicated under the
+ current service's name. Any parameters specified in the current
+ section will override those in the section being copied.</para>
+
+ <para>This feature lets you set up a 'template' service and
+ create similar services easily. Note that the service being
+ copied must occur earlier in the configuration file than the
+ service doing the copying.</para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>copy = otherservice</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CREATEMASK">create mask (S)</term>
+ <listitem><para>A synonym for this parameter is
+ <link linkend="CREATEMODE"><parameter>create mode</parameter>
+ </link>.</para>
+
+ <para>When a file is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX
+ permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
+ with this parameter. This parameter may be thought of as a bit-wise
+ MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
+ set here will be removed from the modes set on a file when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the
+ 'group' and 'other' write and execute bits from the UNIX modes.</para>
+
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode created
+ from this parameter with the value of the <link
+ linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link>
+ parameter which is set to 000 by default.</para>
+
+ <para>This parameter does not affect directory modes. See the
+ parameter <link linkend="DIRECTORYMODE"><parameter>directory mode
+ </parameter></link> for details.</para>
+
+ <para>See also the <link linkend="FORCECREATEMODE"><parameter>force
+ create mode</parameter></link> parameter for forcing particular mode
+ bits to be set on created files. See also the <link linkend="DIRECTORYMODE">
+ <parameter>directory mode"</parameter></link> parameter for masking
+ mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS">
+ <parameter>inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command>create mask = 0744</command></para>
+ <para>Example: <command>create mask = 0775</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CREATEMODE">create mode (S)</term>
+ <listitem><para>This is a synonym for <link linkend="CREATEMASK"><parameter>
+ create mask</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEADTIME">deadtime (G)</term>
+ <listitem><para>The value of the parameter (a decimal integer)
+ represents the number of minutes of inactivity before a connection
+ is considered dead, and it is disconnected. The deadtime only takes
+ effect if the number of open files is zero.</para>
+
+ <para>This is useful to stop a server's resources being
+ exhausted by a large number of inactive connections.</para>
+
+ <para>Most clients have an auto-reconnect feature when a
+ connection is broken so in most cases this parameter should be
+ transparent to users.</para>
+
+ <para>Using this parameter with a timeout of a few minutes
+ is recommended for most systems.</para>
+
+ <para>A deadtime of zero indicates that no auto-disconnection
+ should be performed.</para>
+
+ <para>Default: <command>deadtime = 0</command></para>
+ <para>Example: <command>deadtime = 15</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGHIRESTIMESTAMP">debug hires timestamp (G)</term>
+ <listitem><para>Sometimes the timestamps in the log messages
+ are needed with a resolution of higher that seconds, this
+ boolean parameter adds microsecond resolution to the timestamp
+ message header when turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command>debug hires timestamp = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGTIMESTAMP">debug timestamp (G)</term>
+ <listitem><para>Samba 2.2 debug log messages are timestamped
+ by default. If you are running at a high <link linkend="DEBUGLEVEL">
+ <parameter>debug level</parameter></link> these timestamps
+ can be distracting. This boolean parameter allows timestamping
+ to be turned off.</para>
+
+ <para>Default: <command>debug timestamp = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGPID">debug pid (G)</term>
+ <listitem><para>When using only one log file for more then one
+ forked smbd-process there may be hard to follow which process
+ outputs which message. This boolean parameter is adds the process-id
+ to the timestamp message headers in the logfile when turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command>debug pid = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGUID">debug uid (G)</term>
+ <listitem><para>Samba is sometimes run as root and sometime
+ run as the connected user, this boolean parameter inserts the
+ current euid, egid, uid and gid to the timestamp message headers
+ in the log file if turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command>debug uid = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGLEVEL">debug level (G)</term>
+ <listitem><para>The value of the parameter (an integer) allows
+ the debug level (logging level) to be specified in the
+ <filename>smb.conf</filename> file. This is to give greater
+ flexibility in the configuration of the system.</para>
+
+ <para>The default will be the debug level specified on
+ the command line or level zero if none was specified.</para>
+
+ <para>Example: <command>debug level = 3</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEFAULT">default (G)</term>
+ <listitem><para>A synonym for <link linkend="DEFAULTSERVICE"><parameter>
+ default service</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEFAULTCASE">default case (S)</term>
+ <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING"</link>. Also note the <link linkend="SHORTPRESERVECASE">
+ <parameter>short preserve case"</parameter></link> parameter.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEFAULTSERVICE">default service (G)</term>
+ <listitem><para>This parameter specifies the name of a service
+ which will be connected to if the service actually requested cannot
+ be found. Note that the square brackets are <emphasis>NOT</emphasis>
+ given in the parameter value (see example below).</para>
+
+ <para>There is no default value for this parameter. If this
+ parameter is not given, attempting to connect to a nonexistent
+ service results in an error.</para>
+
+ <para>Typically the default service would be a <link linkend="GUESTOK">
+ <parameter>guest ok</parameter></link>, <link linkend="READONLY">
+ <parameter>read-only</parameter></link> service.</para>
+
+ <para>Also note that the apparent service name will be changed
+ to equal that of the requested service, this is very useful as it
+ allows you to use macros like <parameter>%S</parameter> to make
+ a wildcard service.</para>
+
+ <para>Note also that any "_" characters in the name of the service
+ used in the default service will get mapped to a "/". This allows for
+ interesting things.</para>
+
+
+ <para>Example:</para>
+
+ <screen><computeroutput>
+ default service = pub
+
+ [pub]
+ path = /%S
+ </computeroutput></screen>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETEUSERSCRIPT">delete user script (G)</term>
+ <listitem><para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">
+ <command>smbd(8)</command></ulink> under special circumstances
+ decribed below.</para>
+
+ <para>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <command>
+ smbd</command> to delete the required UNIX users <emphasis>ON
+ DEMAND</emphasis> when a user accesses the Samba server and the
+ Windows NT user no longer exists.</para>
+
+ <para>In order to use this option, <command>smbd</command> must be
+ set to <parameter>security=domain</parameter> and <parameter>delete
+ user script</parameter> must be set to a full pathname for a script
+ that will delete a UNIX user given one argument of <parameter>%u
+ </parameter>, which expands into the UNIX user name to delete.
+ <emphasis>NOTE</emphasis> that this is different to the <link
+ linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link>
+ which will work with the <parameter>security=server</parameter> option
+ as well as <parameter>security=domain</parameter>. The reason for this
+ is only when Samba is a domain member does it get the information
+ on an attempted user logon that a user no longer exists. In the
+ <parameter>security=server</parameter> mode a missing user
+ is treated the same as an invalid password logon attempt. Deleting
+ the user in this circumstance would not be a good idea.</para>
+
+ <para>When the Windows user attempts to access the Samba server,
+ at <emphasis>login</emphasis> (session setup in the SMB protocol)
+ time, <command>smbd</command> contacts the <link linkend="PASSWORDSERVER">
+ <parameter>password server</parameter></link> and attempts to authenticate
+ the given user with the given password. If the authentication fails
+ with the specific Domain error code meaning that the user no longer
+ exists then <command>smbd</command> attempts to find a UNIX user in
+ the UNIX password database that matches the Windows user account. If
+ this lookup succeeds, and <parameter>delete user script</parameter> is
+ set then <command>smbd</command> will all the specified script
+ <emphasis>AS ROOT</emphasis>, expanding any <parameter>%u</parameter>
+ argument to be the user name to delete.</para>
+
+ <para>This script should delete the given UNIX username. In this way,
+ UNIX users are dynamically deleted to match existing Windows NT
+ accounts.</para>
+
+ <para>See also <link linkend="SECURITYEQUALSDOMAIN">security=domain</link>,
+ <link linkend="PASSWORDSERVER"><parameter>password server</parameter>
+ </link>, <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter>
+ </link>.</para>
+
+ <para>Default: <command>delete user script = &lt;empty string&gt;
+ </command></para>
+ <para>Example: <command>delete user script = /usr/local/samba/bin/del_user
+ %u</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETEREADONLY">delete readonly (S)</term>
+ <listitem><para>This parameter allows readonly files to be deleted.
+ This is not normal DOS semantics, but is allowed by UNIX.</para>
+
+ <para>This option may be useful for running applications such
+ as rcs, where UNIX file ownership prevents changing file
+ permissions, and DOS semantics prevent deletion of a read only file.</para>
+
+ <para>Default: <command>delete readonly = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETEVETOFILES">delete veto files (S)</term>
+ <listitem><para>This option is used when Samba is attempting to
+ delete a directory that contains one or more vetoed directories
+ (see the <link linkend="VETOFILES"><parameter>veto files</parameter></link>
+ option). If this option is set to False (the default) then if a vetoed
+ directory contains any non-vetoed files or directories then the
+ directory delete will fail. This is usually what you want.</para>
+
+ <para>If this option is set to <constant>True</constant>, then Samba
+ will attempt to recursively delete any files and directories within
+ the vetoed directory. This can be useful for integration with file
+ serving systems such as NetAtalk which create meta-files within
+ directories you might normally veto DOS/Windows users from seeing
+ (e.g. <filename>.AppleDouble</filename>)</para>
+
+ <para>Setting <command>delete veto files = yes</command> allows these
+ directories to be transparently deleted when the parent directory
+ is deleted (so long as the user has permissions to do so).</para>
+
+ <para>See also the <link linkend="VETOFILES"><parameter>veto
+ files</parameter></link> parameter.</para>
+
+ <para>Default: <command>delete veto files = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DENYHOSTS">deny hosts (S)</term>
+ <listitem><para>Synonym for <link linkend="HOSTSDENY"><parameter>hosts
+ deny</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DFREECOMMAND">dfree command (G)</term>
+ <listitem><para>The <parameter>dfree command</parameter> setting should
+ only be used on systems where a problem occurs with the internal
+ disk space calculations. This has been known to happen with Ultrix,
+ but may occur with other operating systems. The symptom that was
+ seen was an error of "Abort Retry Ignore" at the end of each
+ directory listing.</para>
+
+ <para>This setting allows the replacement of the internal routines to
+ calculate the total disk space and amount available with an external
+ routine. The example below gives a possible script that might fulfill
+ this function.</para>
+
+ <para>The external program will be passed a single parameter indicating
+ a directory in the filesystem being queried. This will typically consist
+ of the string <filename>./</filename>. The script should return two
+ integers in ascii. The first should be the total disk space in blocks,
+ and the second should be the number of available blocks. An optional
+ third return value can give the block size in bytes. The default
+ blocksize is 1024 bytes.</para>
+
+ <para>Note: Your script should <emphasis>NOT</emphasis> be setuid or
+ setgid and should be owned by (and writeable only by) root!</para>
+
+ <para>Default: <emphasis>By default internal routines for
+ determining the disk capacity and remaining space will be used.
+ </emphasis></para>
+
+ <para>Example: <command>dfree command = /usr/local/samba/bin/dfree
+ </command></para>
+
+ <para>Where the script dfree (which must be made executable) could be:</para>
+
+ <para><programlisting>
+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+ </programlisting></para>
+
+ <para>or perhaps (on Sys V based systems):</para>
+
+ <para><programlisting>
+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+ </programlisting></para>
+
+ <para>Note that you may have to replace the command names
+ with full path names on some systems.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORY">directory (S)</term>
+ <listitem><para>Synonym for <link linkend="PATH"><parameter>path
+ </parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORYMASK">directory mask (S)</term>
+ <listitem><para>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</para>
+
+ <para>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
+ here will be removed from the modes set on a directory when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</para>
+
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <link
+ linkend="FORCEDIRECTORYMODE"><parameter>force directory mode
+ </parameter></link> parameter. This parameter is set to 000 by
+ default (i.e. no extra mode bits are added).</para>
+
+ <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter>force
+ directory mode</parameter></link> parameter to cause particular mode
+ bits to always be set on created directories.</para>
+
+ <para>See also the <link linkend="CREATEMODE"><parameter>create mode
+ </parameter></link> parameter for masking mode bits on created files,
+ and the <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
+ security mask</parameter></link> parameter.</para>
+
+ <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter>
+ inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command>directory mask = 0755</command></para>
+ <para>Example: <command>directory mask = 0775</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORYMODE">directory mode (S)</term>
+ <listitem><para>Synonym for <link linkend="DIRECTORYMASK"><parameter>
+ directory mask</parameter></link></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORYSECURITYMASK">directory security mask (S)</term>
+ <listitem><para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog
+ box.</para>
+
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
+
+ <para>If not set explicitly this parameter is set to the same
+ value as the <link linkend="DIRECTORYMASK"><parameter>directory
+ mask</parameter></link> parameter. To allow a user to
+ modify all the user/group/world permissions on a directory, set
+ this parameter to 0777.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to set
+ it to 0777.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
+ force directory security mode</parameter></link>, <link
+ linkend="SECURITYMASK"><parameter>security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter>force security mode
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command>directory security mask = &lt;same as
+ directory mask&gt;</command></para>
+ <para>Example: <command>directory security mask = 0777</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DNSPROXY">dns proxy (G)</term>
+ <listitem><para>Specifies that <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ when acting as a WINS server and finding that a NetBIOS name has not
+ been registered, should treat the NetBIOS name word-for-word as a DNS
+ name and do a lookup with the DNS server for that name on behalf of
+ the name-querying client.</para>
+
+ <para>Note that the maximum length for a NetBIOS name is 15
+ characters, so the DNS name (or DNS alias) can likewise only be
+ 15 characters, maximum.</para>
+
+ <para><command>nmbd</command> spawns a second copy of itself to do the
+ DNS name lookup requests, as doing a name lookup is a blocking
+ action.</para>
+
+ <para>See also the parameter <link linkend="WINSSUPPORT"><parameter>
+ wins support</parameter></link>.</para>
+
+ <para>Default: <command>dns proxy = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINADMINGROUP">domain admin group (G)</term>
+ <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <ulink
+ url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
+ visiting the web page at <ulink url="http://lists.samba.org/">
+ http://lists.samba.org/</ulink>.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINADMINUSERS">domain admin users (G)</term>
+ <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <ulink
+ url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
+ visiting the web page at <ulink url="http://lists.samba.org/">
+ http://lists.samba.org/</ulink>.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINGROUPS">domain groups (G)</term>
+ <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <ulink
+ url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
+ visiting the web page at <ulink url="http://lists.samba.org/">
+ http://lists.samba.org/</ulink>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINGUESTGROUP">domain guest group (G)</term>
+ <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <ulink
+ url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
+ visiting the web page at <ulink url="http://lists.samba.org/">
+ http://lists.samba.org/</ulink>.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINGUESTUSERS">domain guest users (G)</term>
+ <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <ulink
+ url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
+ visiting the web page at <ulink url="http://lists.samba.org/">
+ http://lists.samba.org/</ulink>.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINLOGONS">domain logons (G)</term>
+ <listitem><para>If set to true, the Samba server will serve
+ Windows 95/98 Domain logons for the <link linkend="WORKGROUP">
+ <parameter>workgroup</parameter></link> it is in. Samba 2.2 also
+ has limited capability to act as a domain controller for Windows
+ NT 4 Domains. For more details on setting up this feature see
+ the file DOMAINS.txt in the Samba documentation directory <filename>docs/
+ </filename> shipped with the source code.</para>
+
+ <para>Default: <command>domain logons = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINMASTER">domain master (G)</term>
+ <listitem><para>Tell <ulink url="nmbd.8.html"><command>
+ nmbd(8)</command></ulink> to enable WAN-wide browse list
+ collation. Setting this option causes <command>nmbd</command> to
+ claim a special domain specific NetBIOS name that identifies
+ it as a domain master browser for its given <link linkend="WORKGROUP">
+ <parameter>workgroup</parameter></link>. Local master browsers
+ in the same <parameter>workgroup</parameter> on broadcast-isolated
+ subnets will give this <command>nmbd</command> their local browse lists,
+ and then ask <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ for a complete copy of the browse list for the whole wide area
+ network. Browser clients will then contact their local master browser,
+ and will receive the domain-wide browse list, instead of just the list
+ for their broadcast-isolated subnet.</para>
+
+ <para>Note that Windows NT Primary Domain Controllers expect to be
+ able to claim this <parameter>workgroup</parameter> specific special
+ NetBIOS name that identifies them as domain master browsers for
+ that <parameter>workgroup</parameter> by default (i.e. there is no
+ way to prevent a Windows NT PDC from attempting to do this). This
+ means that if this parameter is set and <command>nmbd</command> claims
+ the special name for a <parameter>workgroup</parameter> before a Windows
+ NT PDC is able to do so then cross subnet browsing will behave
+ strangely and may fail.</para>
+
+ <para>Default: <command>domain master = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DONTDESCEND">dont descend (S)</term>
+ <listitem><para>There are certain directories on some systems
+ (e.g., the <filename>/proc</filename> tree under Linux) that are either not
+ of interest to clients or are infinitely deep (recursive). This
+ parameter allows you to specify a comma-delimited list of directories
+ that the server should always show as empty.</para>
+
+ <para>Note that Samba can be very fussy about the exact format
+ of the "dont descend" entries. For example you may need <filename>
+ ./proc</filename> instead of just <filename>/proc</filename>.
+ Experimentation is the best policy :-) </para>
+
+ <para>Default: <emphasis>none (i.e., all directories are OK
+ to descend)</emphasis></para>
+ <para>Example: <command>dont descend = /proc,/dev</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOSFILETIMERESOLUTION">dos filetime resolution (S)</term>
+ <listitem><para>Under the DOS and Windows FAT filesystem, the finest
+ granularity on time resolution is two seconds. Setting this parameter
+ for a share causes Samba to round the reported time down to the
+ nearest two second boundary when a query call that requires one second
+ resolution is made to <ulink url="smbd.8.html"><command>smbd(8)</command>
+ </ulink>.</para>
+
+ <para>This option is mainly used as a compatibility option for Visual
+ C++ when used against Samba shares. If oplocks are enabled on a
+ share, Visual C++ uses two different time reading calls to check if a
+ file has changed since it was last read. One of these calls uses a
+ one-second granularity, the other uses a two second granularity. As
+ the two second call rounds any odd second down, then if the file has a
+ timestamp of an odd number of seconds then the two timestamps will not
+ match and Visual C++ will keep reporting the file has changed. Setting
+ this option causes the two timestamps to match, and Visual C++ is
+ happy.</para>
+
+ <para>Default: <command>dos filetime resolution = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOSFILETIMES">dos filetimes (S)</term>
+ <listitem><para>Under DOS and Windows, if a user can write to a
+ file they can change the timestamp on it. Under POSIX semantics,
+ only the owner of the file or root may change the timestamp. By
+ default, Samba runs with POSIX semantics and refuses to change the
+ timestamp on a file if the user <command>smbd</command> is acting
+ on behalf of is not the file owner. Setting this option to <constant>
+ True</constant> allows DOS semantics and smbd will change the file
+ timestamp as DOS requires.</para>
+
+ <para>Default: <command>dos filetimes = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ENCRYPTPASSWORDS">encrypt passwords (G)</term>
+ <listitem><para>This boolean controls whether encrypted passwords
+ will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+ above and also Windows 98 will by default expect encrypted passwords
+ unless a registry entry is changed. To use encrypted passwords in
+ Samba see the file ENCRYPTION.txt in the Samba documentation
+ directory <filename>docs/</filename> shipped with the source code.</para>
+
+ <para>In order for encrypted passwords to work correctly
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> must either
+ have access to a local <ulink url="smbpasswd.5.html"><filename>smbpasswd(5)
+ </filename></ulink> file (see the <ulink url="smbpasswd.8.html"><command>
+ smbpasswd(8)</command></ulink> program for information on how to set up
+ and maintain this file), or set the <link
+ linkend="SECURITY">security=[serve|domain]</link> parameter which
+ causes <command>smbd</command> to authenticate against another
+ server.</para>
+
+ <para>Default: <command>encrypt passwords = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="EXEC">exec (S)</term>
+ <listitem><para>This is a synonym for <link linkend="PREEXEC">
+ <parameter>preexec</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FAKEDIRECTORYCREATETIMES">fake directory create times (S)</term>
+ <listitem><para>NTFS and Windows VFAT file systems keep a create
+ time for all files and directories. This is not the same as the
+ ctime - status change time - that Unix keeps, so Samba by default
+ reports the earliest of the various times Unix does keep. Setting
+ this parameter for a share causes Samba to always report midnight
+ 1-1-1980 as the create time for directories.</para>
+
+ <para>This option is mainly used as a compatibility option for
+ Visual C++ when used against Samba shares. Visual C++ generated
+ makefiles have the object directory as a dependency for each object
+ file, and a make rule to create the directory. Also, when NMAKE
+ compares timestamps it uses the creation time when examining a
+ directory. Thus the object directory will be created if it does not
+ exist, but once it does exist it will always have an earlier
+ timestamp than the object files it contains.</para>
+
+ <para>However, Unix time semantics mean that the create time
+ reported by Samba will be updated whenever a file is created or
+ deleted in the directory. NMAKE therefore finds all object files
+ in the object directory bar the last one built are out of date
+ compared to the directory and rebuilds them. Enabling this option
+ ensures directories always predate their contents and an NMAKE build
+ will proceed as expected.</para>
+
+ <para>Default: <command>fake directory create times = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FAKEOPLOCKS">fake oplocks (S)</term>
+ <listitem><para>Oplocks are the way that SMB clients get permission
+ from a server to locally cache file operations. If a server grants
+ an oplock (opportunistic lock) then the client is free to assume
+ that it is the only one accessing the file and it will aggressively
+ cache file data. With some oplock types the client may even cache
+ file open/close operations. This can give enormous performance benefits.
+ </para>
+
+ <para>When you set <command>fake oplocks = yes</command>, <ulink
+ url="smbd.8.html"><command>smbd(8)</command></ulink> will
+ always grant oplock requests no matter how many clients are using
+ the file.</para>
+
+ <para>It is generally much better to use the real <link
+ linkend="OPLOCKS"><parameter>oplocks</parameter></link> support rather
+ than this parameter.</para>
+
+ <para>If you enable this option on all read-only shares or
+ shares that you know will only be accessed from one client at a
+ time such as physically read-only media like CDROMs, you will see
+ a big performance improvement on many operations. If you enable
+ this option on shares where multiple clients may be accessing the
+ files read-write at the same time you can get data corruption. Use
+ this option carefully!</para>
+
+ <para>Default: <command>fake oplocks = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FOLLOWSYMLINKS">follow symlinks (S)</term>
+ <listitem><para>This parameter allows the Samba administrator
+ to stop <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ from following symbolic links in a particular share. Setting this
+ parameter to <constant>no</constant> prevents any file or directory
+ that is a symbolic link from being followed (the user will get an
+ error). This option is very useful to stop users from adding a
+ symbolic link to <filename>/etc/passwd</filename> in their home
+ directory for instance. However it will slow filename lookups
+ down slightly.</para>
+
+ <para>This option is enabled (i.e. <command>smbd</command> will
+ follow symbolic links) by default.</para>
+
+ <para>Default: <command>follow symlinks = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCECREATEMODE">force create mode (S)</term>
+ <listitem><para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a
+ file by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created or having its
+ permissions changed. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <parameter>create mask</parameter>
+ parameter is applied.</para>
+
+ <para>See also the parameter <link linkend="CREATEMASK"><parameter>create
+ mask</parameter></link> for details on masking mode bits on files.</para>
+
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>inherit
+ permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command>force create mode = 000</command></para>
+ <para>Example: <command>force create mode = 0755</command></para>
+
+ <para>would force all created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEDIRECTORYMODE">force directory mode (S)</term>
+ <listitem><para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <parameter>directory mask</parameter> is
+ applied.</para>
+
+ <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter>
+ directory mask</parameter></link> for details on masking mode bits
+ on created directories.</para>
+
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>
+ inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command>force directory mode = 000</command></para>
+ <para>Example: <command>force directory mode = 0755</command></para>
+
+ <para>would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEDIRECTORYSECURITYMODE">force directory security mode (S)</term>
+ <listitem><para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog box.</para>
+
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a directory, the user has always set to be 'on'.</para>
+
+ <para>If not set explicitly this parameter is set to the same
+ value as the <link linkend="FORCEDIRECTORYMODE"><parameter>force
+ directory mode</parameter></link> parameter. To allow
+ a user to modify all the user/group/world permissions on a
+ directory, with restrictions set this parameter to 000.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to set
+ it to 0000.</para>
+
+ <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter>
+ directory security mask</parameter></link>, <link linkend="SECURITYMASK">
+ <parameter>security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter>force security mode
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command>force directory security mode = &lt;same as
+ force directory mode&gt;</command></para>
+ <para>Example: <command>force directory security mode = 0</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEGROUP">force group (S)</term>
+ <listitem><para>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</para>
+
+ <para>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <filename>force group = +sys</filename> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</para>
+
+ <para>If the <link linkend="FORCEUSER"><parameter>force user
+ </parameter></link> parameter is also set the group specified in
+ <parameter>force group</parameter> will override the primary group
+ set in <parameter>force user</parameter>.</para>
+
+ <para>See also <link linkend="FORCEUSER"><parameter>force
+ user</parameter></link>.</para>
+
+ <para>Default: <emphasis>no forced group</emphasis></para>
+ <para>Example: <command>force group = agroup</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCESECURITYMODE">force security mode (S)</term>
+ <listitem><para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog
+ box.</para>
+
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a file, the user has always set to be 'on'.</para>
+
+ <para>If not set explicitly this parameter is set to the same
+ value as the <link linkend="FORCECREATEMODE"><parameter>force
+ create mode</parameter></link> parameter. To allow a user to
+ modify all the user/group/world permissions on a file, with no
+ restrictions set this parameter to 000.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access
+ the Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to set
+ it to 0000.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
+ force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter>directory security
+ mask</parameter></link>, <link linkend="SECURITYMASK"><parameter>
+ security mask</parameter></link> parameters.</para>
+
+ <para>Default: <command>force security mode = &lt;same as force
+ create mode&gt;</command></para>
+ <para>Example: <command>force security mode = 0</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEUSER">force user (S)</term>
+ <listitem><para>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</para>
+
+ <para>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the "forced user", no matter what username the client connected
+ as.</para>
+
+ <para>This can be very useful.</para>
+
+ <para>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</para>
+
+ <para>See also <link linkend="FORCEGROUP"><parameter>force group
+ </parameter></link></para>
+
+ <para>Default: <emphasis>no forced user</emphasis></para>
+ <para>Example: <command>force user = auser</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FSTYPE">fstype (S)</term>
+ <listitem><para>This parameter allows the administrator to
+ configure the string that specifies the type of filesystem a share
+ is using that is reported by <ulink url="smbd.8.html"><command>smbd(8)
+ </command></ulink> when a client queries the filesystem type
+ for a share. The default type is <constant>NTFS</constant> for
+ compatibility with Windows NT but this can be changed to other
+ strings such as <constant>Samba</constant> or <constant>FAT
+ </constant> if required.</para>
+
+ <para>Default: <command>fstype = NTFS</command></para>
+ <para>Example: <command>fstype = Samba</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GETWDCACHE">getwd cache (G)</term>
+ <listitem><para>This is a tuning option. When this is enabled a
+ caching algorithm will be used to reduce the time taken for getwd()
+ calls. This can have a significant impact on performance, especially
+ when the <link linkend="WIDELINKS"><parameter>wide links</parameter>
+ </link>parameter is set to <constant>False</constant>.</para>
+
+ <para>Default: <command>getwd cache = No</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GROUP">group (S)</term>
+ <listitem><para>Synonym for <link linkend="FORCEGROUP"><parameter>force
+ group</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GUESTACCOUNT">guest account (S)</term>
+ <listitem><para>This is a username which will be used for access
+ to services which are specified as <link linkend="GUESTOK"><parameter>
+ guest ok</parameter></link> (see below). Whatever privileges this
+ ser has will be available to any client connecting to the guest service.
+ Typically this user will exist in the password file, but will not
+ have a valid login. The user account "ftp" is often a good choice
+ for this parameter. If a username is specified in a given service,
+ the specified username overrides this one.</para>
+
+ <para>One some systems the default guest account "nobody" may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <command>su -</command> command) and trying to print using the
+ system print command such as <command>lpr(1)</command> or <command>
+ lp(1)</command>.</para>
+
+ <para>Default: <emphasis>specified at compile time, usually
+ "nobody"</emphasis></para>
+
+ <para>Example: <command>guest account = ftp</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GUESTOK">guest ok (S)</term>
+ <listitem><para>If this parameter is <constant>yes</constant> for
+ a service, then no password is equired to connect to the service.
+ Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter>
+ guest account</parameter></link>.</para>
+
+ <para>See the section below on <link linkend="SECURITY"><parameter>
+ security</parameter></link> for more information about this option.
+ </para>
+
+ <para>Default: <command>guest ok = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GUESTONLY">guest only (S)</term>
+ <listitem><para>If this parameter is <constant>yes</constant> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no affect if <link linkend="GUESTOK">
+ <parameter>guest ok</parameter></link> is not set for the service.</para>
+
+ <para>See the section below on <link linkend="SECURITY"><parameter>
+ security</parameter></link> for more information about this option.
+ </para>
+
+ <para>Default: <command>guest only = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HIDEDOTFILES">hide dot files (S)</term>
+ <listitem><para>This is a boolean parameter that controls whether
+ files starting with a dot appear as hidden files.</para>
+
+ <para>Default: <command>hide dot files = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HIDEFILES">hide files(S)</term>
+ <listitem><para>This is a list of files or directories that are not
+ visible but are accessible. The DOS 'hidden' attribute is applied
+ to any files or directories that match.</para>
+
+ <para>Each entry in the list must be separated by a '/',
+ which allows spaces to be included in the entry. '*'
+ and '?' can be used to specify multiple files or directories
+ as in DOS wildcards.</para>
+
+ <para>Each entry must be a Unix path, not a DOS path and must
+ not include the Unix directory separator '/'.</para>
+
+ <para>Note that the case sensitivity option is applicable
+ in hiding files.</para>
+
+ <para>Setting this parameter will affect the performance of Samba,
+ as it will be forced to check all files and directories for a match
+ as they are scanned.</para>
+
+ <para>See also <link linkend="HIDEDOTFILES"><parameter>hide
+ dot files</parameter></link>, <link linkend="VETOFILES"><parameter>
+ veto files</parameter></link> and <link linkend="CASESENSITIVE">
+ <parameter>case sensitive</parameter></link>.</para>
+
+ <para>Default: <emphasis>no file are hidden</emphasis></para>
+ <para>Example: <command>hide files =
+ /.*/DesktopFolderDB/TrashFor%m/resource.frk/</command></para>
+
+ <para>The above example is based on files that the Macintosh
+ SMB client (DAVE) available from <ulink url="http://www.thursby.com">
+ Thursby</ulink> creates for internal use, and also still hides
+ all files beginning with a dot.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HIDELOCALUSERS">hide local users(G)</term>
+ <listitem><para>This parameter toggles the hiding of local UNIX
+ users (root, wheel, floppy, etc) from remote clients.</para>
+
+ <para>Default: <command>hide local users = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HOMEDIRMAP">homedir map (G)</term>
+ <listitem><para>If<link linkend="NISHOMEDIR"><parameter>nis homedir
+ </parameter></link> is <constant>True</constant>, and <ulink
+ url="smbd.8.html"><command>smbd(8)</command></ulink> is also acting
+ as a Win95/98 <parameter>logon server</parameter> then this parameter
+ specifies the NIS (or YP) map from which the server for the user's
+ home directory should be extracted. At present, only the Sun
+ auto.home map format is understood. The form of the map is:</para>
+
+ <para><command>username server:/some/file/system</command></para>
+
+ <para>and the program will extract the servername from before
+ the first ':'. There should probably be a better parsing system
+ that copes with different map formats and also Amd (another
+ automounter) maps.</para>
+
+ <para><emphasis>NOTE :</emphasis>A working NIS client is required on
+ the system for this option to work.</para>
+
+ <para>See also <link linkend="NISHOMEDIR"><parameter>nis homedir</parameter>
+ </link>, <link linkend="DOMAINLOGONS"><parameter>domain logons</parameter>
+ </link>.</para>
+
+ <para>Default: <command>homedir map = auto.home</command></para>
+ <para>Example: <command>homedir map = amd.homedir</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HOSTSALLOW">hosts allow (S)</term>
+ <listitem><para>A synonym for this parameter is <parameter>allow
+ hosts</parameter>.</para>
+
+ <para>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</para>
+
+ <para>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</para>
+
+ <para>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <command>allow hosts = 150.203.5.
+ </command>. The full syntax of the list is described in the man
+ page <filename>hosts_access(5)</filename>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</para>
+
+ <para>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <link
+ linkend="HOSTSDENY"><parameter>hosts deny</parameter></link> option.</para>
+
+ <para>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</para>
+
+ <para>Example 1: allow all IPs in 150.203.*.*; except one</para>
+
+ <para><command>hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
+
+ <para>Example 2: allow hosts that match the given network/netmask</para>
+
+ <para><command>hosts allow = 150.203.15.0/255.255.255.0</command></para>
+
+ <para>Example 3: allow a couple of hosts</para>
+
+ <para><command>hosts allow = lapland, arvidsjaur</command></para>
+
+ <para>Example 4: allow only hosts in NIS netgroup "foonet", but
+ deny access from one particular host</para>
+
+ <para><command>hosts allow = @foonet</command></para>
+
+ <para><command>hosts deny = pirate</command></para>
+
+ <para>Note that access still requires suitable user-level passwords.</para>
+
+ <para>See <ulink url="testparm.1.html"><command>testparm(1)</command>
+ </ulink> for a way of testing your host access to see if it does
+ what you expect.</para>
+
+ <para>Default: <emphasis>none (i.e., all hosts permitted access)
+ </emphasis></para>
+
+ <para>Example: <command>allow hosts = 150.203.5. myhost.mynet.edu.au
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HOSTSDENY">hosts deny (S)</term>
+ <listitem><para>The opposite of <parameter>hosts allow</parameter>
+ - hosts listed here are <emphasis>NOT</emphasis> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <parameter>allow</parameter>
+ list takes precedence.</para>
+
+ <para>Default: <emphasis>none (i.e., no hosts specifically excluded)
+ </emphasis></para>
+
+ <para>Example: <command>hosts deny = 150.203.4. badhost.mynet.edu.au
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HOSTSEQUIV">hosts equiv (G)</term>
+ <listitem><para>If this global parameter is a non-null string,
+ it specifies the name of a file to read for the names of hosts
+ and users who will be allowed access without specifying a password.
+ </para>
+
+ <para>This is not be confused with <link linkend="HOSTSALLOW">
+ <parameter>hosts allow</parameter></link> which is about hosts
+ access to services and is more useful for guest services. <parameter>
+ hosts equiv</parameter> may be useful for NT clients which will
+ not supply passwords to samba.</para>
+
+ <para><emphasis>NOTE :</emphasis> The use of <parameter>hosts equiv
+ </parameter> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the
+ <parameter>hosts equiv</parameter> option be only used if you really
+ know what you are doing, or perhaps on a home network where you trust
+ your spouse and kids. And only if you <emphasis>really</emphasis> trust
+ them :-).</para>
+
+ <para>Default: <emphasis>no host equivalences</emphasis></para>
+ <para>Example: <command>hosts equiv = /etc/hosts.equiv</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INCLUDE">include (G)</term>
+ <listitem><para>This allows you to include one config file
+ inside another. The file is included literally, as though typed
+ in place.</para>
+
+ <para>It takes the standard substitutions, except <parameter>%u
+ </parameter>, <parameter>%P</parameter> and <parameter>%S</parameter>.
+ </para>
+
+ <para>Default: <emphasis>no file included</emphasis></para>
+ <para>Example: <command>include = /usr/local/samba/lib/admin_smb.conf
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INHERITPERMISSIONS">inherit permissions (S)</term>
+ <listitem><para>The permissions on new files and directories
+ are normally governed by <link linkend="CREATEMASK"><parameter>
+ create mask</parameter></link>, <link linkend="DIRECTORYMASK">
+ <parameter>directory mask</parameter></link>, <link
+ linkend="FORCECREATEMODE"><parameter>force create mode</parameter>
+ </link> and <link linkend="FORCEDIRECTORYMODE"><parameter>force
+ directory mode</parameter></link> but the boolean inherit
+ permissions parameter overrides this.</para>
+
+ <para>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</para>
+
+ <para>New files inherit their read/write bits from the parent
+ directory. Their execute bits continue to be determined by
+ <link linkend="MAPARCHIVE"><parameter>map archive</parameter>
+ </link>, <link linkend="MAPHIDDEN"><parameter>map hidden</parameter>
+ </link> and <link linkend="MAPSYSTEM"><parameter>map system</parameter>
+ </link> as usual.</para>
+
+ <para>Note that the setuid bit is <emphasis>never</emphasis> set via
+ inheritance (the code explicitly prohibits this).</para>
+
+ <para>This can be particularly useful on large systems with
+ many users, perhaps several thousand,to allow a single [homes]
+ share to be used flexibly by each user.</para>
+
+ <para>See also <link linkend="CREATEMASK"><parameter>create mask
+ </parameter></link>, <link linkend="DIRECTORYMASK"><parameter>
+ directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
+ <parameter>force create mode</parameter></link> and <link
+ linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter>
+ </link>.</para>
+
+ <para>Default: <command>inherit permissions = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INTERFACES">interfaces (G)</term>
+ <listitem><para>This option allows you to override the default
+ network interfaces list that Samba will use for browsing, name
+ registration and other NBT traffic. By default Samba will query
+ the kernel for the list of all active interfaces and use any
+ interfaces except 127.0.0.1 that are broadcast capable.</para>
+
+ <para>The option takes a list of interface strings. Each string
+ can be in any of the following forms:</para>
+
+ <itemizedlist>
+ <listitem><para>a network interface name (such as eth0).
+ This may include shell-like wildcards so eth* will match
+ any interface starting with the substring "eth"</para></listitem>
+
+ <listitem><para>an IP address. In this case the netmask is
+ determined from the list of interfaces obtained from the
+ kernel</para></listitem>
+
+ <listitem><para>an IP/mask pair. </para></listitem>
+
+ <listitem><para>a broadcast/mask pair.</para></listitem>
+ </itemizedlist>
+
+ <para>The "mask" parameters can either be a bit length (such
+ as 24 for a C class network) or a full netmask in dotted
+ decmal form.</para>
+
+ <para>The "IP" parameters above can either be a full dotted
+ decimal IP address or a hostname which will be looked up via
+ the OSes normal hostname resolution mechanisms.</para>
+
+ <para>For example, the following line:</para>
+
+ <para><command>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
+ </command></para>
+
+ <para>would configure three network interfaces corresponding
+ to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
+ The netmasks of the latter two interfaces would be set to 255.255.255.0.</para>
+
+ <para>See also <link linkend="BINDINTERFACESONLY"><parameter>bind
+ interfaces only</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INVALIDUSERS">invalid users (S)</term>
+ <listitem><para>This is a list of users that should not be allowed
+ to login to this service. This is really a <emphasis>paranoid</emphasis>
+ check to absolutely ensure an improper setting does not breach
+ your security.</para>
+
+ <para>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</para>
+
+ <para>A name starting with '+' is interpreted only
+ by looking in the UNIX group database. A name starting with
+ '&' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&' may be used at the start of the name in either order
+ so the value <parameter>+&amp;group</parameter> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <parameter>&+group"</parameter> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</para>
+
+ <para>The current servicename is substituted for <parameter>%S</parameter>.
+ This is useful in the [homes] section.</para>
+
+ <para>See also <link linkend="VALIDUSERS"><parameter>valid users
+ </parameter></link>.</para>
+
+ <para>Default: <emphasis>no invalid users</emphasis></para>
+ <para>Example: <command>invalid users = root fred admin @wheel
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="KEEPALIVE">keepalive (G)</term>
+ <listitem><para>The value of the parameter (an integer) represents
+ the number of seconds between <parameter>keepalive</parameter>
+ packets. If this parameter is zero, no keepalive packets will be
+ sent. Keepalive packets, if sent, allow the server to tell whether
+ a client is still present and responding.</para>
+
+ <para>Keepalives should, in general, not be needed if the socket
+ being used has the SO_KEEPALIVE attribute set on it (see <link
+ linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link>).
+ Basically you should only use this option if you strike difficulties.</para>
+
+ <para>Default: <command>keepalive = 0</command></para>
+ <para>Example: <command>keepalive = 60</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="KERNELOPLOCKS">kernel oplocks (G)</term>
+ <listitem><para>For UNIXs that support kernel based <link
+ linkend="OPLOCKS"><parameter>oplocks</parameter></link>
+ (currently only IRIX and the Linux 2.4 kernel), this parameter
+ allows the use of them to be turned on or off.</para>
+
+ <para>Kernel oplocks support allows Samba <parameter>oplocks
+ </parameter> to be broken whenever a local UNIX process or NFS operation
+ accesses a file that <ulink url="smbd.8.html"><command>smbd(8)</command>
+ </ulink> has oplocked. This allows complete data consistency between
+ SMB/CIFS, NFS and local file access (and is a <emphasis>very</emphasis>
+ cool feature :-).</para>
+
+ <para>This parameter defaults to <constant>on</constant> on systems
+ that have the support, and <constant>off</constant> on systems that
+ don't. You should never need to touch this parameter.</para>
+
+ <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
+ </link> and <link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command>kernel oplocks = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term>
+ <listitem><para>This parameter controls whether Samba supports
+ level2 (read-only) oplocks on a share.</para>
+
+ <para>Level2, or read-only oplocks allow Windows NT clients
+ that have an oplock on a file to downgrade from a read-write oplock
+ to a read-only oplock once a second client opens the file (instead
+ of releasing all oplocks on a second open, as in traditional,
+ exclusive oplocks). This allows all openers of the file that
+ support level2 oplocks to cache the file for read-ahead only (ie.
+ they may not cache writes or lock requests) and increases performance
+ for many acesses of files that are not commonly written (such as
+ application .EXE files).</para>
+
+ <para>Once one of the clients which have a read-only oplock
+ writes to the file all clients are notified (no reply is needed
+ or waited for) and told to break their oplocks to "none" and
+ delete any read-ahead caches.</para>
+
+ <para>It is recommended that this parameter be turned on
+ to speed access to shared executables (and also to test
+ the code :-).</para>
+
+ <para>For more discussions on level2 oplocks see the CIFS spec.</para>
+
+ <para>Currently, if <link linkend="KERNELOPLOCKS"><parameter>kernel
+ oplocks</parameter></link> are supported then level2 oplocks are
+ not granted (even if this parameter is set to <constant>yes</constant>).
+ Note also, the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
+ </link> parameter must be set to "true" on this share in order for
+ this parameter to have any effect.</para>
+
+ <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
+ </link> and <link linkend="OPLOCKS"><parameter>kernel oplocks</parameter>
+ </link> parameters.</para>
+
+ <para>Default: <command>level2 oplocks = False</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LMANNOUNCE">lm announce (G)</term>
+ <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
+ <command>nmbd(8)</command></ulink> will produce Lanman announce
+ broadcasts that are needed by OS/2 clients in order for them to see
+ the Samba server in their browse list. This parameter can have three
+ values, <constant>true</constant>, <constant>false</constant>, or
+ <constant>auto</constant>. The default is <constant>auto</constant>.
+ If set to <constant>false</constant> Samba will never produce these
+ broadcasts. If set to <constant>true</constant> Samba will produce
+ Lanman announce broadcasts at a frequency set by the parameter
+ <parameter>lm interval</parameter>. If set to <constant>auto</constant>
+ Samba will not send Lanman announce broadcasts by default but will
+ listen for them. If it hears such a broadcast on the wire it will
+ then start sending them at a frequency set by the parameter
+ <parameter>lm interval</parameter>.</para>
+
+ <para>See also <link linkend="LMINTERVAL"><parameter>lm interval
+ </parameter></link>.</para>
+
+ <para>Default: <command>lm announce = auto</command></para>
+ <para>Example: <command>lm announce = true</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LMINTERVAL">lm interval (G)</term>
+ <listitem><para>If Samba is set to produce Lanman announce
+ broadcasts needed by OS/2 clients (see the <link linkend="LMANNOUNCE">
+ <parameter>lm announce</parameter></link> parameter) then this
+ parameter defines the frequency in seconds with which they will be
+ made. If this is set to zero then no Lanman announcements will be
+ made despite the setting of the <parameter>lm announce</parameter>
+ parameter.</para>
+
+ <para>See also <link linkend="LMANNOUNCE"><parameter>lm
+ announce</parameter></link>.</para>
+
+ <para>Default: <command>lm interval = 60</command></para>
+ <para>Example: <command>lm interval = 120</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOADPRINTERS">load printers (G)</term>
+ <listitem><para>A boolean variable that controls whether all
+ printers in the printcap will be loaded for browsing by default.
+ See the <link linkend="PRINTERSSECT">printers</link> section for
+ more details.</para>
+
+ <para>Default: <command>load printers = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCALMASTER">local master (G)</term>
+ <listitem><para>This option allows <ulink url="nmbd.8.html"><command>
+ nmbd(8)</command></ulink> to try and become a local master browser
+ on a subnet. If set to <constant>False</constant> then <command>
+ nmbd</command> will not attempt to become a local master browser
+ on a subnet and will also lose in all browsing elections. By
+ default this value is set to true. Setting this value to true doesn't
+ mean that Samba will <emphasis>become</emphasis> the local master
+ browser on a subnet, just that <command>nmbd</command> will <emphasis>
+ participate</emphasis> in elections for local master browser.</para>
+
+ <para>Setting this value to False will cause <command>nmbd</command>
+ <emphasis>never</emphasis> to become a local master browser.</para>
+
+ <para>Default: <command>local master = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCKDIR">lock dir (G)</term>
+ <listitem><para>Synonym for <link linkend="LOCKDIRECTORY"><parameter>
+ lock directory</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCKDIRECTORY">lock directory (G)</term>
+ <listitem><para>This option specifies the directory where lock
+ files will be placed. The lock files are used to implement the
+ <link linkend="MAXCONNECTIONS"><parameter>max connections</parameter>
+ </link> option.</para>
+
+ <para>Default: <command>lock directory = /tmp/samba</command></para>
+ <para>Example: <command>lock directory = /usr/local/samba/var/locks</command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCKING">locking (S)</term>
+ <listitem><para>This controls whether or not locking will be
+ performed by the server in response to lock requests from the
+ client.</para>
+
+ <para>If <command>locking = no</command>, all lock and unlock requests
+ will appear to succeed and all lock queries will indicate that the
+ queried lock is clear.</para>
+
+ <para>If <command>locking = yes</command>, real locking will be performed
+ by the server.</para>
+
+ <para>This option <emphasis>may</emphasis> be useful for read-only
+ filesystems which <emphasis>may</emphasis> not need locking (such as
+ cdrom drives), although setting this parameter of <constant>no</constant>
+ is not really recommended even in this case.</para>
+
+ <para>Be careful about disabling locking either globally or in a
+ specific service, as lack of locking may result in data corruption.
+ You should never need to set this parameter.</para>
+
+ <para>Default: <command>locking = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGFILE">log file (G)</term>
+ <listitem><para>This options allows you to override the name
+ of the Samba log file (also known as the debug file).</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate log files for each user or machine.</para>
+
+ <para>Example: <command>log file = /usr/local/samba/var/log.%m
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGLEVEL">log level (G)</term>
+ <listitem><para>Synonym for <link linkend="DEBUGLEVEL"><parameter>
+ debug level</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGONDRIVE">logon drive (G)</term>
+ <listitem><para>This parameter specifies the local path to
+ which the home directory will be connected (see <link
+ linkend="LOGONHOME"><parameter>logon home</parameter></link>)
+ and is only used by NT Workstations. </para>
+
+ <para>Note that this option is only useful if Samba is set up as a
+ logon server.</para>
+
+ <para>Default: <command>logon drive = z:</command></para>
+ <para>Example: <command>logon drive = h:</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGONHOME">logon home (G)</term>
+ <listitem><para>This parameter specifies the home directory
+ location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do </para>
+
+ <para><prompt>C:\> </prompt><userinput>NET USE H: /HOME</userinput>
+ </para>
+
+ <para>from a command prompt, for example.</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</para>
+
+ <para>This parameter can be used with Win9X workstations to ensure
+ that roaming profiles are stored in a subdirectory of the user's
+ home directory. This is done in the following way:</para>
+
+ <para><command>logon home = \\%L\%U\profile</command></para>
+
+ <para>This tells Samba to return the above string, with
+ substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to
+ \\server\share when a user does <command>net use /home"</command>
+ but use the whole string when dealing with profiles.</para>
+
+ <para>Note that in prior versions of Samba, the <link linkend="LOGONPATH">
+ <parameter>logon path</parameter></link> was returned rather than
+ <parameter>logon home</parameter>. This broke <command>net use
+ /home</command> but allowed profiles outside the home directory.
+ The current implementation is correct, and can be used for
+ profiles if you use the above trick.</para>
+
+ <para>This option is only useful if Samba is set up as a logon
+ server.</para>
+
+ <para>Default: <command>logon home = "\\%N\%U"</command></para>
+ <para>Example: <command>logon home = "\\remote_smb_server\%U"</command>
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="LOGONPATH">logon path (G)</term>
+ <listitem><para>This parameter specifies the home directory
+ where roaming profiles (NTuser.dat etc files for Windows NT) are
+ stored. Contrary to previous versions of these manual pages, it has
+ nothing to do with Win 9X roaming profiles. To find out how to
+ handle roaming profiles for Win 9X system, see the <link linkend="LOGONHOME">
+ <parameter>logon home</parameter></link> parameter.</para>
+
+ <para>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine. It also
+ specifies the directory from which the "Application Data",
+ (<filename>desktop</filename>, <filename>start menu</filename>,
+ <filename>network neighborhood</filename>, <filename>programs</filename>
+ and other folders, and their contents, are loaded and displayed on
+ your Windows NT client.</para>
+
+ <para>The share and the path must be readable by the user for
+ the preferences and directories to be loaded onto the Windows NT
+ client. The share must be writeable when the logs in for the first
+ time, in order that the Windows NT client can create the NTuser.dat
+ and other directories.</para>
+
+ <para>Thereafter, the directories and any of the contents can,
+ if required, be made read-only. It is not advisable that the
+ NTuser.dat file be made read-only - rename it to NTuser.man to
+ achieve the desired effect (a <emphasis>MAN</emphasis>datory
+ profile). </para>
+
+ <para>Windows clients can sometimes maintain a connection to
+ the [homes] share, even though there is no user logged in.
+ Therefore, it is vital that the logon path does not include a
+ reference to the homes share (i.e. setting this parameter to
+ \%N\%U\profile_path will cause problems).</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</para>
+
+ <para>Note that this option is only useful if Samba is set up
+ as a logon server.</para>
+
+ <para>Default: <command>logon path = \\%N\%U\profile</command></para>
+ <para>Example: <command>logon path = \\PROFILESERVER\PROFILE\%U</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGONSCRIPT">logon script (G)</term>
+ <listitem><para>This parameter specifies the batch file (.bat) or
+ NT command file (.cmd) to be downloaded and run on a machine when
+ a user successfully logs in. The file must contain the DOS
+ style cr/lf line endings. Using a DOS-style editor to create the
+ file is recommended.</para>
+
+ <para>The script must be a relative path to the [netlogon]
+ service. If the [netlogon] service specifies a <link linkend="PATH">
+ <parameter>path</parameter></link> of <filename>/usr/local/samba/netlogon
+ </filename>, and <command>logon script = STARTUP.BAT</command>, then
+ the file that will be downloaded is:</para>
+
+ <para><filename>/usr/local/samba/netlogon/STARTUP.BAT</filename></para>
+
+ <para>The contents of the batch file is entirely your choice. A
+ suggested command would be to add <command>NET TIME \\SERVER /SET
+ /YES</command>, to force every machine to synchronize clocks with
+ the same time server. Another use would be to add <command>NET USE
+ U: \\SERVER\UTILS</command> for commonly used utilities, or <command>
+ NET USE Q: \\SERVER\ISO9001_QA</command> for example.</para>
+
+ <para>Note that it is particularly important not to allow write
+ access to the [netlogon] share, or to grant users write permission
+ on the batch files in a secure environment, as this would allow
+ the batch files to be arbitrarily modified and security to be
+ breached.</para>
+
+ <para>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine.</para>
+
+ <para>This option is only useful if Samba is set up as a logon
+ server.</para>
+
+ <para>Default: <emphasis>no logon script defined</emphasis></para>
+ <para>Example: <command>logon script = scripts\%U.bat</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPPAUSECOMMAND">lppause command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to stop printing or spooling
+ a specific print job.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name and job number to pause the print job. One way
+ of implementing this is by using job priorities, where jobs
+ having a too low priority won't be sent to the printer.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. A <parameter>%j</parameter> is replaced with
+ the job number (an integer). On HPUX (see <parameter>printing=hpux
+ </parameter>), if the <parameter>-p%p</parameter> option is added
+ to the lpq command, the job will show up with the correct status, i.e.
+ if the job priority is lower than the set fence priority it will
+ have the PAUSED status, whereas if the priority is equal or higher it
+ will have the SPOOLED or PRINTING status.</para>
+
+ <para>Note that it is good practice to include the absolute path
+ in the lppause command as the PATH may not be available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: Currently no default value is given to
+ this string, unless the value of the <parameter>printing</parameter>
+ parameter is <constant>SYSV</constant>, in which case the default is :</para>
+
+ <para><command>lp -i %p-%j -H hold</command></para>
+
+ <para>or if the value of the <parameter>printing</parameter> parameter
+ is <constant>SOFTQ</constant>, then the default is:</para>
+
+ <para><command>qstat -s -j%j -h</command></para>
+
+ <para>Example for HPUX: <command>lppause command = /usr/bin/lpalt
+ %p-%j -p0</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPQCACHETIME">lpq cache time (G)</term>
+ <listitem><para>This controls how long lpq info will be cached
+ for to prevent the <command>lpq</command> command being called too
+ often. A separate cache is kept for each variation of the <command>
+ lpq</command> command used by the system, so if you use different
+ <command>lpq</command> commands for different users then they won't
+ share cache information.</para>
+
+ <para>The cache files are stored in <filename>/tmp/lpq.xxxx</filename>
+ where xxxx is a hash of the <command>lpq</command> command in use.</para>
+
+ <para>The default is 10 seconds, meaning that the cached results
+ of a previous identical <command>lpq</command> command will be used
+ if the cached data is less than 10 seconds old. A large value may
+ be advisable if your <command>lpq</command> command is very slow.</para>
+
+ <para>A value of 0 will disable caching completely.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command>lpq cache time = 10</command></para>
+ <para>Example: <command>lpq cache time = 30</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPQCOMMAND">lpq command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to obtain <command>lpq
+ </command>-style printer status information.</para>
+
+ <para>This command should be a program or script which
+ takes a printer name as its only parameter and outputs printer
+ status information.</para>
+
+ <para>Currently eight styles of printer status information
+ are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
+ This covers most UNIX systems. You control which type is expected
+ using the <parameter>printing =</parameter> option.</para>
+
+ <para>Some clients (notably Windows for Workgroups) may not
+ correctly send the connection number for the printer they are
+ requesting status information about. To get around this, the
+ server reports on the first printer service connected to by the
+ client. This only happens if the connection number sent is invalid.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the
+ command.</para>
+
+ <para>Note that it is good practice to include the absolute path
+ in the <parameter>lpq command</parameter> as the PATH may not be
+ available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter>
+ printing</parameter></emphasis></para>
+
+ <para>Example: <command>lpq command = /usr/bin/lpq %p</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPRESUMECOMMAND">lpresume command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to restart or continue
+ printing or spooling a specific print job.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name and job number to resume the print job. See
+ also the <link linkend="LPPAUSECOMMAND"><parameter>lppause command
+ </parameter></link> parameter.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. A <parameter>%j</parameter> is replaced with
+ the job number (an integer).</para>
+
+ <para>Note that it is good practice to include the absolute path
+ in the <parameter>lpresume command</parameter> as the PATH may not
+ be available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: Currently no default value is given
+ to this string, unless the value of the <parameter>printing</parameter>
+ parameter is <constant>SYSV</constant>, in which case the default is :</para>
+
+ <para><command>lp -i %p-%j -H resume</command></para>
+
+ <para>or if the value of the <parameter>printing</parameter> parameter
+ is <constant>SOFTQ</constant>, then the default is:</para>
+
+ <para><command>qstat -s -j%j -r</command></para>
+
+ <para>Example for HPUX: <command>lpresume command = /usr/bin/lpalt
+ %p-%j -p2</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPRMCOMMAND">lprm command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to delete a print job.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name and job number, and deletes the print job.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. A <parameter>%j</parameter> is replaced with
+ the job number (an integer).</para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the <parameter>lprm command</parameter> as the PATH may not be
+ available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter>printing
+ </parameter></emphasis></para>
+
+ <para>Example 1: <command>lprm command = /usr/bin/lprm -P%p %j
+ </command></para>
+ <para>Example 2: <command>lprm command = /usr/bin/cancel %p-%j
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MACHINEPASSWORDTIMEOUT">machine password timeout (G)</term>
+ <listitem><para>If a Samba server is a member of an Windows
+ NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security=domain</link>)
+ parameter) then periodically a running <ulink url="smbd.8.html">
+ smbd(8)</ulink> process will try and change the MACHINE ACCOUNT
+ PASSWORD stored in the TDB called <filename>private/secrets.tdb
+ </filename>. This parameter specifies how often this password
+ will be changed, in seconds. The default is one week (expressed in
+ seconds), the same as a Windows NT Domain member server.</para>
+
+ <para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8)
+ </command></ulink>, and the <link linkend="SECURITYEQUALSDOMAIN">
+ security=domain</link>) parameter.</para>
+
+ <para>Default: <command>machine password timeout = 604800</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MAGICOUTPUT">magic output (S)</term>
+ <listitem><para>This parameter specifies the name of a file
+ which will contain output created by a magic script (see the
+ <link linkend="MAGICSCRIPT"><parameter>magic script</parameter></link>
+ parameter below).</para>
+
+ <para>Warning: If two clients use the same <parameter>magic script
+ </parameter> in the same directory the output file content
+ is undefined.</para>
+
+ <para>Default: <command>magic output = &lt;magic script name&gt;.out
+ </command></para>
+
+ <para>Example: <command>magic output = myfile.txt</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAGICSCRIPT">magic script (S)</term>
+ <listitem><para>This parameter specifies the name of a file which,
+ if opened, will be executed by the server when the file is closed.
+ This allows a UNIX script to be sent to the Samba host and
+ executed on behalf of the connected user.</para>
+
+ <para>Scripts executed in this way will be deleted upon
+ completion, permissions permitting.</para>
+
+ <para>If the script generates output, output will be sent to
+ the file specified by the <link linkend="MAGICOUTPUT"><parameter>
+ magic output</parameter></link> parameter (see above).</para>
+
+ <para>Note that some shells are unable to interpret scripts
+ containing carriage-return-linefeed instead of linefeed as
+ the end-of-line marker. Magic scripts must be executable
+ <emphasis>as is</emphasis> on the host, which for some hosts and
+ some shells will require filtering at the DOS end.</para>
+
+ <para>Magic scripts are <emphasis>EXPERIMENTAL</emphasis> and
+ should <emphasis>NOT</emphasis> be relied upon.</para>
+
+ <para>Default: <emphasis>None. Magic scripts disabled.</emphasis></para>
+ <para>Example: <command>magic script = user.csh</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MANGLECASE">mangle case (S)</term>
+ <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING</link></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MANGLEDMAP">mangled map (S)</term>
+ <listitem><para>This is for those who want to directly map UNIX
+ file names which can not be represented on Windows/DOS. The mangling
+ of names is not always what is needed. In particular you may have
+ documents with file extensions that differ between DOS and UNIX.
+ For example, under UNIX it is common to use <filename>.html</filename>
+ for HTML files, whereas under Windows/DOS <filename>.htm</filename>
+ is more commonly used.</para>
+
+ <para>So to map <filename>html</filename> to <filename>htm</filename>
+ you would use:</para>
+
+ <para><command>mangled map = (*.html *.htm)</command></para>
+
+ <para>One very useful case is to remove the annoying <filename>;1
+ </filename> off the ends of filenames on some CDROMS (only visible
+ under some UNIXs). To do this use a map of (*;1 *;).</para>
+
+ <para>Default: <emphasis>no mangled map</emphasis></para>
+ <para>Example: <command>mangled map = (*;1 *;)</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MANGLEDNAMES">mangled names (S)</term>
+ <listitem><para>This controls whether non-DOS names under UNIX
+ should be mapped to DOS-compatible names ("mangled") and made visible,
+ or whether non-DOS names should simply be ignored.</para>
+
+ <para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING</link> for details on how to control the mangling process.</para>
+
+ <para>If mangling is used then the mangling algorithm is as follows:</para>
+
+ <itemizedlist>
+ <listitem><para>The first (up to) five alphanumeric characters
+ before the rightmost dot of the filename are preserved, forced
+ to upper case, and appear as the first (up to) five characters
+ of the mangled name.</para></listitem>
+
+ <listitem><para>A tilde "~" is appended to the first part of the mangled
+ name, followed by a two-character unique sequence, based on the
+ original root name (i.e., the original filename minus its final
+ extension). The final extension is included in the hash calculation
+ only if it contains any upper case characters or is longer than three
+ characters.</para>
+
+ <para>Note that the character to use may be specified using
+ the <link linkend="MANGLINGCHAR"><parameter>mangling char</parameter>
+ </link> option, if you don't like '~'.</para></listitem>
+
+ <listitem><para>The first three alphanumeric characters of the final
+ extension are preserved, forced to upper case and appear as the
+ extension of the mangled name. The final extension is defined as that
+ part of the original filename after the rightmost dot. If there are no
+ dots in the filename, the mangled name will have no extension (except
+ in the case of "hidden files" - see below).</para></listitem>
+
+ <listitem><para>Files whose UNIX name begins with a dot will be
+ presented as DOS hidden files. The mangled name will be created as
+ for other filenames, but with the leading dot removed and "___" as
+ its extension regardless of actual original extension (that's three
+ underscores).</para></listitem>
+ </itemizedlist>
+
+ <para>The two-digit hash value consists of upper case
+ alphanumeric characters.</para>
+
+ <para>This algorithm can cause name collisions only if files
+ in a directory share the same first five alphanumeric characters.
+ The probability of such a clash is 1/1300.</para>
+
+ <para>The name mangling (if enabled) allows a file to be
+ copied between UNIX directories from Windows/DOS while retaining
+ the long UNIX filename. UNIX files can be renamed to a new extension
+ from Windows/DOS and will retain the same basename. Mangled names
+ do not change between sessions.</para>
+
+ <para>Default: <command>mangled names = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MANGLINGCHAR">mangling char (S)</term>
+ <listitem><para>This controls what character is used as
+ the <emphasis>magic</emphasis> character in <link
+ linkend="NAMEMANGLINGSECT">name mangling</link>. The default is a '~'
+ but this may interfere with some software. Use this option to set
+ it to whatever you prefer.</para>
+
+ <para>Default: <command>mangling char = ~</command></para>
+ <para>Example: <command>mangling char = ^</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MANGLEDSTACK">mangled stack (G)</term>
+ <listitem><para>This parameter controls the number of mangled names
+ that should be cached in the Samba server <ulink url="smbd.8.html">
+ smbd(8)</ulink>.</para>
+
+ <para>This stack is a list of recently mangled base names
+ (extensions are only maintained if they are longer than 3 characters
+ or contains upper case characters).</para>
+
+ <para>The larger this value, the more likely it is that mangled
+ names can be successfully converted to correct long UNIX names.
+ However, large stack sizes will slow most directory access. Smaller
+ stacks save memory in the server (each stack element costs 256 bytes).
+ </para>
+
+ <para>It is not possible to absolutely guarantee correct long
+ file names, so be prepared for some surprises!</para>
+
+ <para>Default: <command>mangled stack = 50</command></para>
+ <para>Example: <command>mangled stack = 100</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAPARCHIVE">map archive (S)</term>
+ <listitem><para>This controls whether the DOS archive attribute
+ should be mapped to the UNIX owner execute bit. The DOS archive bit
+ is set when a file has been modified since its last backup. One
+ motivation for this option it to keep Samba/your PC from making
+ any file it touches from becoming executable under UNIX. This can
+ be quite annoying for shared source code, documents, etc...</para>
+
+ <para>Note that this requires the <parameter>create mask</parameter>
+ parameter to be set such that owner execute bit is not masked out
+ (i.e. it must include 100). See the parameter <link linkend="CREATEMASK">
+ <parameter>create mask</parameter></link> for details.</para>
+
+ <para>Default: <command>map archive = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAPHIDDEN">map hidden (S)</term>
+ <listitem><para>This controls whether DOS style hidden files
+ should be mapped to the UNIX world execute bit.</para>
+
+ <para>Note that this requires the <parameter>create mask</parameter>
+ to be set such that the world execute bit is not masked out (i.e.
+ it must include 001). See the parameter <link linkend="CREATEMASK">
+ <parameter>create mask</parameter></link> for details.</para>
+
+ <para>Default: <command>map hidden = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MAPSYSTEM">map system (S)</term>
+ <listitem><para>This controls whether DOS style system files
+ should be mapped to the UNIX group execute bit.</para>
+
+ <para>Note that this requires the <parameter>create mask</parameter>
+ to be set such that the group execute bit is not masked out (i.e.
+ it must include 010). See the parameter <link linkend="CREATEMASK">
+ <parameter>create mask</parameter></link> for details.</para>
+
+ <para>Default: <command>map system = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MAPTOGUEST">map to guest (G)</term>
+ <listitem><para>This parameter is only useful in <link linkend="SECURITY">
+ security</link> modes other than <parameter>security=share</parameter>
+ - i.e. <constant>user</constant>, <constant>server</constant>,
+ and <constant>domain</constant>.</para>
+
+ <para>This parameter can take three different values, which tell
+ <ulink url="smbd.8.html">smbd(8)</ulink> what to do with user
+ login requests that don't match a valid UNIX user in some way.</para>
+
+ <para>The three settings are :</para>
+
+ <itemizedlist>
+ <listitem><para><constant>Never</constant> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</para></listitem>
+
+ <listitem><para><constant>Bad User</constant> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <link linkend="GUESTACCOUNT"><parameter>
+ guest account</parameter></link>.</para></listitem>
+
+ <listitem><para><constant>Bad Password</constant> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as a "guest" - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <emphasis>hate</emphasis> you if you set the <parameter>map to
+ guest</parameter> parameter this way :-).</para></listitem>
+ </itemizedlist>
+
+ <para>Note that this parameter is needed to set up "Guest"
+ share services when using <parameter>security</parameter> modes other than
+ share. This is because in these modes the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for "Guest" shares.</para>
+
+ <para>For people familiar with the older Samba releases, this
+ parameter maps to the old compile-time setting of the <constant>
+ GUEST_SESSSETUP</constant> value in local.h.</para>
+
+ <para>Default: <command>map to guest = Never</command></para>
+ <para>Example: <command>map to guest = Bad User</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXCONNECTIONS">max connections (S)</term>
+ <listitem><para>This option allows the number of simultaneous
+ connections to a service to be limited. If <parameter>max connections
+ </parameter> is greater than 0 then connections will be refused if
+ this number of connections to the service are already open. A value
+ of zero mean an unlimited number of connections may be made.</para>
+
+ <para>Record lock files are used to implement this feature. The
+ lock files will be stored in the directory specified by the <link
+ linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link>
+ option.</para>
+
+ <para>Default: <command>max connections = 0</command></para>
+ <para>Example: <command>max connections = 10</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXDISKSIZE">max disk size (G)</term>
+ <listitem><para>This option allows you to put an upper limit
+ on the apparent size of disks. If you set this option to 100
+ then all shares will appear to be not larger than 100 MB in
+ size.</para>
+
+ <para>Note that this option does not limit the amount of
+ data you can put on the disk. In the above case you could still
+ store much more than 100 MB on the disk, but if a client ever asks
+ for the amount of free disk space or the total disk size then the
+ result will be bounded by the amount specified in <parameter>max
+ disk size</parameter>.</para>
+
+ <para>This option is primarily useful to work around bugs
+ in some pieces of software that can't handle very large disks,
+ particularly disks over 1GB in size.</para>
+
+ <para>A <parameter>max disk size</parameter> of 0 means no limit.</para>
+
+ <para>Default: <command>max disk size = 0</command></para>
+ <para>Example: <command>max disk size = 1000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXLOGSIZE">max log size (G)</term>
+ <listitem><para>This option (an integer in kilobytes) specifies
+ the max size the log file should grow to. Samba periodically checks
+ the size and if it is exceeded it will rename the file, adding
+ a <filename>.old</filename> extension.</para>
+
+ <para>A size of 0 means no limit.</para>
+
+ <para>Default: <command>max log size = 5000</command></para>
+ <para>Example: <command>max log size = 1000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXMUX">max mux (G)</term>
+ <listitem><para>This option controls the maximum number of
+ outstanding simultaneous SMB operations that samba tells the client
+ it will allow. You should never need to set this parameter.</para>
+
+ <para>Default: <command>max mux = 50</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXOPENFILES">max open files (G)</term>
+ <listitem><para>This parameter limits the maximum number of
+ open files that one <ulink url="smbd.8.html">smbd(8)</ulink> file
+ serving process may have open for a client at any one time. The
+ default for this parameter is set very high (10,000) as Samba uses
+ only one bit per unopened file.</para>
+
+ <para>The limit of the number of open files is usually set
+ by the UNIX per-process file descriptor limit rather than
+ this parameter so you should never need to touch this parameter.</para>
+
+ <para>Default: <command>max open files = 10000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXTTL">max ttl (G)</term>
+ <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ what the default 'time to live' of NetBIOS names should be (in seconds)
+ when <command>nmbd</command> is requesting a name using either a
+ broadcast packet or from a WINS server. You should never need to
+ change this parameter. The default is 3 days.</para>
+
+ <para>Default: <command>max ttl = 259200</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXWINSTTL">max wins ttl (G)</term>
+ <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)
+ </ulink> when acting as a WINS server (<link linkend="WINSSUPPORT">
+ <parameter>wins support=yes</parameter></link>) what the maximum
+ 'time to live' of NetBIOS names that <command>nmbd</command>
+ will grant will be (in seconds). You should never need to change this
+ parameter. The default is 6 days (518400 seconds).</para>
+
+ <para>See also the <link linkend="MINWINSTTL"><parameter>min
+ wins ttl"</parameter></link> parameter.</para>
+
+ <para>Default: <command>max wins ttl = 518400</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXXMIT">max xmit (G)</term>
+ <listitem><para>This option controls the maximum packet size
+ that will be negotiated by Samba. The default is 65535, which
+ is the maximum. In some cases you may find you get better performance
+ with a smaller value. A value below 2048 is likely to cause problems.
+ </para>
+
+ <para>Default: <command>max xmit = 65535</command></para>
+ <para>Example: <command>max xmit = 8192</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MESSAGECOMMAND">message command (G)</term>
+ <listitem><para>This specifies what command to run when the
+ server receives a WinPopup style message.</para>
+
+ <para>This would normally be a command that would
+ deliver the message somehow. How this is to be done is
+ up to your imagination.</para>
+
+ <para>An example is:</para>
+
+ <para><command>message command = csh -c 'xedit %s;rm %s' &</command>
+ </para>
+
+ <para>This delivers the message using <command>xedit</command>, then
+ removes it afterwards. <emphasis>NOTE THAT IT IS VERY IMPORTANT
+ THAT THIS COMMAND RETURN IMMEDIATELY</emphasis>. That's why I
+ have the '&' on the end. If it doesn't return immediately then
+ your PCs may freeze when sending messages (they should recover
+ after 30secs, hopefully).</para>
+
+ <para>All messages are delivered as the global guest user.
+ The command takes the standard substitutions, although <parameter>
+ %u</parameter> won't work (<parameter>%U</parameter> may be better
+ in this case).</para>
+
+ <para>Apart from the standard substitutions, some additional
+ ones apply. In particular:</para>
+
+ <itemizedlist>
+ <listitem><para><parameter>%s</parameter> = the filename containing
+ the message.</para></listitem>
+
+ <listitem><para><parameter>%t</parameter> = the destination that
+ the message was sent to (probably the server name).</para></listitem>
+
+ <listitem><para><parameter>%f</parameter> = who the message
+ is from.</para></listitem>
+ </itemizedlist>
+
+ <para>You could make this command send mail, or whatever else
+ takes your fancy. Please let us know of any really interesting
+ ideas you have.</para>
+
+
+ <para>Here's a way of sending the messages as mail to root:</para>
+
+ <para><command>message command = /bin/mail -s 'message from %f on
+ %m' root &lt; %s; rm %s</command></para>
+
+ <para>If you don't have a message command then the message
+ won't be delivered and Samba will tell the sender there was
+ an error. Unfortunately WfWg totally ignores the error code
+ and carries on regardless, saying that the message was delivered.
+ </para>
+
+ <para>If you want to silently delete it then try:</para>
+
+ <para><command>message command = rm %s</command></para>
+
+ <para>Default: <emphasis>no message command</emphasis></para>
+ <para>Example: <command>message command = csh -c 'xedit %s;
+ rm %s' &</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MINPRINTSPACE">min print space (S)</term>
+ <listitem><para>This sets the minimum amount of free disk
+ space that must be available before a user will be able to spool
+ a print job. It is specified in kilobytes. The default is 0, which
+ means a user can always spool a print job.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command>min print space = 0</command></para>
+ <para>Example: <command>min print space = 2000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MINPASSWDLENGTH">min passwd length (G)</term>
+ <listitem><para>Synonym for <link linkend="MINPASSWORDLENGTH">
+ <parameter>min password length</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MINPASSWORDLENGTH">min password length (G)</term>
+ <listitem><para>This option sets the minimum length in characters
+ of a plaintext password than smbd will accept when performing
+ UNIX password changing.</para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
+ password sync</parameter></link>, <link linkend="PASSWDPROGRAM">
+ <parameter>passwd program</parameter></link> and <link
+ linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter>
+ </link>.</para>
+
+ <para>Default: <command>min password length = 5</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MINWINSTTL">min wins ttl (G)</term>
+ <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ when acting as a WINS server (<link linkend="WINSSUPPORT"><parameter>
+ wins support = yes</parameter></link>) what the minimum 'time to live'
+ of NetBIOS names that <command>nmbd</command> will grant will be (in
+ seconds). You should never need to change this parameter. The default
+ is 6 hours (21600 seconds).</para>
+
+ <para>Default: <command>min wins ttl = 21600</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NAMERESOLVEORDER">name resolve order (G)</term>
+ <listitem><para>This option is used by the programs in the Samba
+ suite to determine what naming services and in what order to resolve
+ host names to IP addresses. The option takes a space separated
+ string of different name resolution options.</para>
+
+ <para>The options are :"lmhosts", "host", "wins" and "bcast". They
+ cause names to be resolved as follows :</para>
+
+ <itemizedlist>
+ <listitem><para><constant>lmhosts</constant> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <ulink
+ url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ any name type matches for lookup.</para></listitem>
+
+ <listitem><para><constant>host</constant> : Do a standard host
+ name to IP address resolution, using the system <filename>/etc/hosts
+ </filename>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <filename>/etc/nsswitch.conf</filename>
+ file). Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</para></listitem>
+
+ <listitem><para><constant>wins</constant> : Query a name with
+ the IP address listed in the <link linkend="WINSSERVER"><parameter>
+ wins server</parameter></link> parameter. If no WINS server has
+ been specified this method will be ignored.</para></listitem>
+
+ <listitem><para><constant>bcast</constant> : Do a broadcast on
+ each of the known local interfaces listed in the <link
+ linkend="INTERFACES"><parameter>interfaces</parameter></link>
+ parameter. This is the least reliable of the name resolution
+ methods as it depends on the target host being on a locally
+ connected subnet.</para></listitem>
+ </itemizedlist>
+
+ <para>Default: <command>name resolve order = lmhosts host wins bcast
+ </command></para>
+ <para>Example: <command>name resolve order = lmhosts bcast host
+ </command></para>
+
+ <para>This will cause the local lmhosts file to be examined
+ first, followed by a broadcast attempt, followed by a normal
+ system hostname lookup.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="NETBIOSALIASES">netbios aliases (G)</term>
+ <listitem><para>This is a list of NetBIOS names that <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> will advertise as additional
+ names by which the Samba server is known. This allows one machine
+ to appear in browse lists under multiple names. If a machine is
+ acting as a browse server or logon server none
+ of these names will be advertised as either browse server or logon
+ servers, only the primary name of the machine will be advertised
+ with these capabilities.</para>
+
+ <para>See also <link linkend="NETBIOSNAME"><parameter>netbios
+ name</parameter></link>.</para>
+
+ <para>Default: <emphasis>empty string (no additional names)</emphasis></para>
+ <para>Example: <command>netbios aliases = TEST TEST1 TEST2</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NETBIOSNAME">netbios name (G)</term>
+ <listitem><para>This sets the NetBIOS name by which a Samba
+ server is known. By default it is the same as the first component
+ of the host's DNS name. If a machine is a browse server or
+ logon server this name (or the first component
+ of the hosts DNS name) will be the name that these services are
+ advertised under.</para>
+
+ <para>See also <link linkend="NETBIOSALIASES"><parameter>netbios
+ aliases</parameter></link>.</para>
+
+ <para>Default: <emphasis>machine DNS name</emphasis></para>
+ <para>Example: <command>netbios name = MYNAME</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NETBIOSSCOPE">netbios scope (G)</term>
+ <listitem><para>This sets the NetBIOS scope that Samba will
+ operate under. This should not be set unless every machine
+ on your LAN also sets this value.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="NISHOMEDIR">nis homedir (G)</term>
+ <listitem><para>Get the home share server from a NIS map. For
+ UNIX systems that use an automounter, the user's home directory
+ will often be mounted on a workstation on demand from a remote
+ server. </para>
+
+ <para>When the Samba logon server is not the actual home directory
+ server, but is mounting the home directories via NFS then two
+ network hops would be required to access the users home directory
+ if the logon server told the client to use itself as the SMB server
+ for home directories (one over SMB and one over NFS). This can
+ be very slow.</para>
+
+ <para>This option allows Samba to return the home share as
+ being on a different server to the logon server and as
+ long as a Samba daemon is running on the home directory server,
+ it will be mounted on the Samba client directly from the directory
+ server. When Samba is returning the home share to the client, it
+ will consult the NIS map specified in <link linkend="HOMEDIRMAP">
+ <parameter>homedir map</parameter></link> and return the server
+ listed there.</para>
+
+ <para>Note that for this option to work there must be a working
+ NIS system and the Samba server with this option must also
+ be a logon server.</para>
+
+ <para>Default: <command>nis homedir = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NTACLSUPPORT">nt acl support (G)</term>
+ <listitem><para>This boolean parameter controls whether
+ <ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map
+ UNIX permissions into Windows NT access control lists.</para>
+
+ <para>Default: <command>nt acl support = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NTPIPESUPPORT">nt pipe support (G)</term>
+ <listitem><para>This boolean parameter controls whether
+ <ulink url="smbd.8.html">smbd(8)</ulink> will allow Windows NT
+ clients to connect to the NT SMB specific <constant>IPC$</constant>
+ pipes. This is a developer debugging option and can be left
+ alone.</para>
+
+ <para>Default: <command>nt pipe support = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NTSMBSUPPORT">nt smb support (G)</term>
+ <listitem><para>This boolean parameter controls whether <ulink
+ url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific SMB
+ support with Windows NT clients. Although this is a developer
+ debugging option and should be left alone, benchmarking has discovered
+ that Windows NT clients give faster performance with this option
+ set to <constant>no</constant>. This is still being investigated.
+ If this option is set to <constant>no</constant> then Samba offers
+ exactly the same SMB calls that versions prior to Samba 2.0 offered.
+ This information may be of use if any users are having problems
+ with NT SMB support.</para>
+
+ <para>Default: <command>nt support = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NULLPASSWORDS">null passwords (G)</term>
+ <listitem><para>Allow or disallow client access to accounts
+ that have null passwords. </para>
+
+ <para>See also <ulink url="smbpasswd.5.html">smbpasswd (5)</ulink>.</para>
+
+ <para>Default: <command>null passwords = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="OLELOCKINGCOMPATIBILITY">ole locking compatibility (G)</term>
+ <listitem><para>This parameter allows an administrator to turn
+ off the byte range lock manipulation that is done within Samba to
+ give compatibility for OLE applications. Windows OLE applications
+ use byte range locking as a form of inter-process communication, by
+ locking ranges of bytes around the 2^32 region of a file range. This
+ can cause certain UNIX lock managers to crash or otherwise cause
+ problems. Setting this parameter to <constant>no</constant> means you
+ trust your UNIX lock manager to handle such cases correctly.</para>
+
+ <para>Default: <command>ole locking compatibility = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ONLYGUEST">only guest (S)</term>
+ <listitem><para>A synonym for <link linkend="GUESTONLY"><parameter>
+ guest only</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ONLYUSER">only user (S)</term>
+ <listitem><para>This is a boolean option that controls whether
+ connections with usernames not in the <parameter>user</parameter>
+ list will be allowed. By default this option is disabled so a client
+ can supply a username to be used by the server.</para>
+
+ <para>Note that this also means Samba won't try to deduce
+ usernames from the service name. This can be annoying for
+ the [homes] section. To get around this you could use <command>user =
+ %S</command> which means your <parameter>user</parameter> list
+ will be just the service name, which for home directories is the
+ name of the user.</para>
+
+ <para>See also the <link linkend="USER"><parameter>user</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>only user = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="OPLOCKS">oplocks (S)</term>
+ <listitem><para>This boolean option tells smbd whether to
+ issue oplocks (opportunistic locks) to file open requests on this
+ share. The oplock code can dramatically (approx. 30% or more) improve
+ the speed of access to files on Samba servers. It allows the clients
+ to aggressively cache files ocally and you may want to disable this
+ option for unreliable network environments (it is turned on by
+ default in Windows NT Servers). For more information see the file
+ <filename>Speed.txt</filename> in the Samba <filename>docs/</filename>
+ directory.</para>
+
+ <para>Oplocks may be selectively turned off on certain files on
+ a per share basis. See the <link linkend="VETOOPLOCKFILES"><parameter>
+ veto oplock files</parameter></link> parameter. On some systems
+ oplocks are recognized by the underlying operating system. This
+ allows data synchronization between all access to oplocked files,
+ whether it be via Samba or NFS or a local UNIX process. See the
+ <parameter>kernel oplocks</parameter> parameter for details.</para>
+
+ <para>See also the <link linkend="KERNELOPLOCKS"><parameter>kernel
+ oplocks</parameter></link> and <link linkend="LEVEL2OPLOCKS"><parameter>
+ level2 oplocks</parameter></link> parameters.</para>
+
+ <para>Default: <command>oplocks = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="OPLOCKBREAKWAITTIME">oplock break wait time (G)</term>
+ <listitem><para>This is a tuning parameter added due to bugs in
+ both Windows 9x and WinNT. If Samba responds to a client too
+ quickly when that client issues an SMB that can cause an oplock
+ break request, then the client redirector can fail and not respond
+ to the break request. This tuning parameter (which is set in milliseconds)
+ is the amount of time Samba will wait before sending an oplock break
+ request to such (broken) clients.</para>
+
+ <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
+
+ <para>Default: <command>oplock break wait time = 10</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="OPLOCKCONTENTIONLIMIT">oplock contention limit (S)</term>
+ <listitem><para>This is a <emphasis>very</emphasis> advanced
+ <ulink url="smbd.8.html">smbd(8)</ulink> tuning option to
+ improve the efficiency of the granting of oplocks under multiple
+ client contention for the same file.</para>
+
+ <para>In brief it specifies a number, which causes smbd not to
+ grant an oplock even when requested if the approximate number of
+ clients contending for an oplock on the same file goes over this
+ limit. This causes <command>smbd</command> to behave in a similar
+ way to Windows NT.</para>
+
+ <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
+
+ <para>Default: <command>oplock contention limit = 2</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="OSLEVEL">os level (G)</term>
+ <listitem><para>This integer value controls what level Samba
+ advertises itself as for browse elections. The value of this
+ parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ has a chance of becoming a local master browser for the <parameter>
+ WORKGROUP</parameter> in the local broadcast area. The default is
+ zero, which means <command>nmbd</command> will lose elections to
+ Windows machines. See <filename>BROWSING.txt</filename> in the
+ Samba <filename>docs/</filename> directory for details.</para>
+
+ <para>Default: <command>os level = 20</command></para>
+ <para>Example: <command>os level = 65 </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PANICACTION">panic action (G)</term>
+ <listitem><para>This is a Samba developer option that allows a
+ system command to be called when either <ulink url="smbd.8.html">
+ smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ crashes. This is usually used to draw attention to the fact that
+ a problem occurred.</para>
+
+ <para>Default: <command>panic action = &lt;empty string&gt;</command></para>
+ <para>Example: <command>panic action = "/bin/sleep 90000"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PASSWDCHAT">passwd chat (G)</term>
+ <listitem><para>This string controls the <emphasis>"chat"</emphasis>
+ conversation that takes places between <ulink
+ url="smbd.8.html">smbd</ulink> and the local password changing
+ program to change the users password. The string describes a
+ sequence of response-receive pairs that <ulink url="smbd.8.html">
+ smbd(8)</ulink> uses to determine what to send to the
+ <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
+ </link> and what to expect back. If the expected output is not
+ received then the password is not changed.</para>
+
+ <para>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</para>
+
+ <para>The string can contain the macros <parameter>%o</parameter>
+ and <parameter>%n</parameter> which are substituted for the old
+ and new passwords respectively. It can also contain the standard
+ macros <constant>\n</constant>, <constant>\r</constant>, <constant>
+ \t</constant> and <constant>%s</constant> to give line-feed,
+ carriage-return, tab and space.</para>
+
+ <para>The string can also contain a '*' which matches
+ any sequence of characters.</para>
+
+ <para>Double quotes can be used to collect strings with spaces
+ in them into a single string.</para>
+
+ <para>If the send string in any part of the chat sequence
+ is a fullstop ".", then no string is sent. Similarly,
+ is the expect string is a fullstop then no string is expected.</para>
+
+ <para>Note that if the <link linkend="UNIXPASSWORDSYNC"><parameter>unix
+ password sync</parameter></link> parameter is set to true, then this
+ sequence is called <emphasis>AS ROOT</emphasis> when the SMB password
+ in the smbpasswd file is being changed, without access to the old
+ password cleartext. In this case the old password cleartext is set
+ to "" (the empty string).</para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix password
+ sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter>
+ passwd program</parameter></link> and <link linkend="PASSWDCHATDEBUG">
+ <parameter>passwd chat debug</parameter></link>.</para>
+
+ <para>Default: <command>passwd chat = *old*password* %o\n *new*
+ password* %n\n *new*password* %n\n *changed*</command></para>
+ <para>Example: <command>passwd chat = "*Enter OLD password*" %o\n
+ "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password
+ changed*"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWDCHATDEBUG">passwd chat debug (G)</term>
+ <listitem><para>This boolean specifies if the passwd chat script
+ parameter is run in <emphasis>debug</emphasis> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a
+ <link linkend="DEBUGLEVEL"><parameter>debug level</parameter></link>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <command>smbd</command> log. It is available to help
+ Samba admins debug their <parameter>passwd chat</parameter> scripts
+ when calling the <parameter>passwd program</parameter> and should
+ be turned off after this has been done. This parameter is off by
+ default.</para>
+
+ <para>See also <<link linkend="PASSWDCHAT"><parameter>passwd chat</parameter>
+ </link>, <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
+ </link>.</para>
+
+ <para>Default: <command>passwd chat debug = no</command></para>
+ <para>Example: <command>passwd chat debug = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWDPROGRAM">passwd program (G)</term>
+ <listitem><para>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <parameter>%u</parameter>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</para>
+
+ <para>Also note that many passwd programs insist in <emphasis>reasonable
+ </emphasis> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</para>
+
+ <para><emphasis>Note</emphasis> that if the <parameter>unix
+ password sync</parameter> parameter is set to <constant>True
+ </constant> then this program is called <emphasis>AS ROOT</emphasis>
+ before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5)
+ </ulink> file is changed. If this UNIX password change fails, then
+ <command>smbd</command> will fail to change the SMB password also
+ (this is by design).</para>
+
+ <para>If the <parameter>unix password sync</parameter> parameter
+ is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
+ for <emphasis>ALL</emphasis> programs called, and must be examined
+ for security implications. Note that by default <parameter>unix
+ password sync</parameter> is set to <constant>False</constant>.</para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
+ password sync</parameter></link>.</para>
+
+ <para>Default: <command>passwd program = /bin/passwd</command></para>
+ <para>Example: <command>passwd program = /sbin/npasswd %u</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWORDLEVEL">password level (G)</term>
+ <listitem><para>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS!</para>
+
+ <para>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</para>
+
+ <para>For example, say the password given was "FRED". If <parameter>
+ password level</parameter> is set to 1, the following combinations
+ would be tried if "FRED" failed:</para>
+
+ <para>"Fred", "fred", "fRed", "frEd","freD"</para>
+
+ <para>If <parameter>password level</parameter> was set to 2,
+ the following combinations would also be tried: </para>
+
+ <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
+
+ <para>And so on.</para>
+
+ <para>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</para>
+
+ <para>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</para>
+
+ <para>Default: <command>password level = 0</command></para>
+ <para>Example: <command>password level = 4</command</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWORDSERVER">password server (G)</term>
+ <listitem><para>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <command>security = domain
+ </command> or <command>security = server</command> you can get Samba
+ to do all its username/password validation via a remote server.</para>
+
+ <para>This options sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <filename>smb.conf</filename> file.</para>
+
+ <para>The name of the password server is looked up using the
+ parameter <link linkend="NAMERESOLVEORDER"><parameter>name
+ resolve order</parameter></link> and so may resolved
+ by any method and order described in that parameter.</para>
+
+ <para>The password server much be a machine capable of using
+ the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in
+ user level security mode.</para>
+
+ <para><emphasis>NOTE:</emphasis> Using a password server
+ means your UNIX box (running Samba) is only as secure as your
+ password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
+ YOU DON'T COMPLETELY TRUST</emphasis>.</para>
+
+ <para>Never point a Samba server at itself for password
+ serving. This will cause a loop and could lock up your Samba
+ server!</para>
+
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter>%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the passwordserver. If you use this then you better
+ trust your clients, and you better restrict them with hosts allow!</para>
+
+ <para>If the <parameter>security</parameter> parameter is set to
+ <constant>domain</constant>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is cryptographicly
+ in that domain, and will use cryptographicly authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <command>
+ security = domain</command> is that if you list several hosts in the
+ <parameter>password server</parameter> option then <command>smbd
+ </command> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</para>
+
+ <para>If the <parameter>password server</parameter> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </para>
+
+ <para>If the <parameter>security</parameter> parameter is
+ set to <constant>server</constant>, then there are different
+ restrictions that <command>security = domain</command> doesn't
+ suffer from:</para>
+
+ <itemizedlist>
+ <listitem><para>You may list several password servers in
+ the <parameter>password server</parameter> parameter, however if an
+ <command>smbd</command> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <command>smbd</command>. This is a
+ restriction of the SMB/CIFS protocol when in <command>security=server
+ </command> mode and cannot be fixed in Samba.</para></listitem>
+
+ <listitem><para>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <command>
+ security=server</command> mode the network logon will appear to
+ come from there rather than from the users workstation.</para></listitem>
+ </itemizedlist>
+
+ <para>See also the <link linkend="SECURITY"><parameter>security
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command>password server = &lt;empty string&gt;</command>
+ </para>
+ <para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2
+ </command></para>
+ <para>Example: <command>password server = *</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PATH">path (S)</term>
+ <listitem><para>This parameter specifies a directory to which
+ the user of the service is to be given access. In the case of
+ printable services, this is where print data will spool prior to
+ being submitted to the host for printing.</para>
+
+ <para>For a printable service offering guest access, the service
+ should be readonly and the path should be world-writeable and
+ have the sticky bit set. This is not mandatory of course, but
+ you probably won't get the results you expect if you do
+ otherwise.</para>
+
+ <para>Any occurrences of <parameter>%u</parameter> in the path
+ will be replaced with the UNIX username that the client is using
+ on this connection. Any occurrences of <parameter>%m</parameter>
+ will be replaced by the NetBIOS name of the machine they are
+ connecting from. These replacements are very useful for setting
+ up pseudo home directories for users.</para>
+
+ <para>Note that this path will be based on <link linkend="ROOTDIR">
+ <parameter>root dir</parameter></link> if one was specified.</para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>path = /home/fred</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="POSTEXEC">postexec (S)</term>
+ <listitem><para>This option specifies a command to be run
+ whenever the service is disconnected. It takes the usual
+ substitutions. The command may be run as the root on some
+ systems.</para>
+
+ <para>An interesting example may be do unmount server
+ resources:</para>
+
+ <para><command>postexec = /etc/umount /cdrom</command></para>
+
+ <para>See also <link linkend="PREEXEC"><parameter>preexec</parameter>
+ </link>.</para>
+
+ <para>Default: <emphasis>none (no command executed)</emphasis>
+ </para>
+
+ <para>Example: <command>postexec = echo \"%u disconnected from %S
+ from %m (%I)\" &gt;&gt; /tmp/log</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="POSTSCRIPT">postscript (S)</term>
+ <listitem><para>This parameter forces a printer to interpret
+ the print files as postscript. This is done by adding a <constant>%!
+ </constant> to the start of print output.</para>
+
+ <para>This is most useful when you have lots of PCs that persist
+ in putting a control-D at the start of print jobs, which then
+ confuses your printer.</para>
+
+ <para>Default: <command>postscript = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PREEXEC">preexec (S)</term>
+ <listitem><para>This option specifies a command to be run whenever
+ the service is connected to. It takes the usual substitutions.</para>
+
+ <para>An interesting example is to send the users a welcome
+ message every time they log in. Maybe a message of the day? Here
+ is an example:</para>
+
+ <para><command>preexec = csh -c 'echo \"Welcome to %S!\" |
+ /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para>
+
+ <para>Of course, this could get annoying after a while :-)</para>
+
+ <para>See also <link linkend="PREEXECCLOSE"><parameter>preexec close
+ </parameter</link> and <link linkend="POSTEXEC"><parameter>postexec
+ </parameter></link>.</para>
+
+ <para>Default: <emphasis>none (no command executed)</emphasis></para>
+ <para>Example: <command>preexec = echo \"%u connected to %S from %m
+ (%I)\" &gt;&gt; /tmp/log</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PREEXECCLOSE">preexec close (S)</term>
+ <listitem><para>This boolean option controls whether a non-zero
+ return code from <link linkend="PREEXEC"><parameter>preexec
+ </parameter></link> should close the service being connected to.</para>
+
+ <para>Default: <command>preexec close = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PREFERREDMASTER">preferred master (G)</term>
+ <listitem><para>This boolean parameter controls if <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser
+ for its workgroup.</para>
+
+ <para>If this is set to true, on startup, <command>nmbd</command>
+ will force an election, and it will have a slight advantage in
+ winning the election. It is recommended that this parameter is
+ used in conjunction with <command><link linkend="DOMAINMASTER"><parameter>
+ domain master</parameter></link> = yes</command>, so that <command>
+ nmbd</command> can guarantee becoming a domain master.</para>
+
+ <para>Use this option with caution, because if there are several
+ hosts (whether Samba servers, Windows 95 or NT) that are preferred
+ master browsers on the same subnet, they will each periodically
+ and continuously attempt to become the local master browser.
+ This will result in unnecessary broadcast traffic and reduced browsing
+ capabilities.</para>
+
+ <para>See also <link linkend="OSLEVEL"><parameter>os level</parameter>
+ </link>.</para>
+
+ <para>Default: <command>preferred master = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PREFEREDMASTER">prefered master (G)</term>
+ <listitem><para>Synonym for <link linkend="PREFERREDMASTER"><parameter>
+ preferred master</parameter></link> for people who cannot spell :-).</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRELOAD">preload</term>
+ <listitem><para>Synonym for <link linkend="AUTOSERVICES"><parameter>
+ auto services</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PRESERVECASE">preserve case (S)</term>
+ <listitem><para> This controls if new filenames are created
+ with the case that the client passes, or if they are forced to
+ be the <link linkend="DEFAULTCASE"><parameter>derault case
+ </parameter></link>.</para>
+
+ <para>Default: <command>preserve case = yes</command></para>
+
+ <para>See the section on <link linkend="NAMEMANGLINGSECT">NAME
+ MANGLING"</link> for a fuller discussion.</para
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTCOMMAND">print command (S)</term>
+ <listitem><para>After a print job has finished spooling to
+ a service, this command will be used via a <command>system()</command>
+ call to process the spool file. Typically the command specified will
+ submit the spool file to the host's printing subsystem, but there
+ is no requirement that this be the case. The server will not remove
+ the spool file, so whatever command you specify should remove the
+ spool file when it has been processed, otherwise you will need to
+ manually remove old spool files.</para>
+
+ <para>The print command is simply a text string. It will be used
+ verbatim, with two exceptions: All occurrences of <parameter>%s
+ </parameter> and <parameter>%f</parameter> will be replaced by the
+ appropriate spool file name, and all occurrences of <parameter>%p
+ </parameter> will be replaced by the appropriate printer name. The
+ spool file name is generated automatically by the server, the printer
+ name is discussed below.</para>
+
+ <para>The print command <emphasis>MUST</emphasis> contain at least
+ one occurrence of <parameter>%s</parameter> or <parameter>%f
+ </parameter> - the <parameter>%p</parameter> is optional. At the time
+ a job is submitted, if no printer name is supplied the <parameter>%p
+ </parameter> will be silently removed from the printer command.</para>
+
+ <para>If specified in the [global] section, the print command given
+ will be used for any printable service that does not have its own
+ print command specified.</para>
+
+ <para>If there is neither a specified print command for a
+ printable service nor a global print command, spool files will
+ be created but not processed and (most importantly) not removed.</para>
+
+ <para>Note that printing may fail on some UNIXs from the
+ <constant>nobody</constant> account. If this happens then create
+ an alternative guest account that can print and set the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>
+ in the [global] section.</para>
+
+ <para>You can form quite complex print commands by realizing
+ that they are just passed to a shell. For example the following
+ will log a print job, print the file, then remove it. Note that
+ ';' is the usual separator for command in shell scripts.</para>
+
+ <para><command>print command = echo Printing %s &gt;&gt;
+ /tmp/print.log; lpr -P %p %s; rm %s</command></para>
+
+ <para>You may have to vary this command considerably depending
+ on how you normally print files on your system. The default for
+ the parameter varies depending on the setting of the <link linkend="PRINTING">
+ <parameter>printing</parameter></link> parameter.</para>
+
+ <para>Default: For <command>printing= BSD, AIX, QNX, LPRNG
+ or PLP :</command></para>
+ <para><command>print command = lpr -r -P%p %s</command></para>
+
+ <para>For <command>printing= SYS or HPUX :</command></para>
+ <para><command>print command = lp -c -d%p %s; rm %s</command></para>
+
+ <para>For <command>printing=SOFTQ :</command></para>
+ <para><command>print command = lp -d%p -s %s; rm %s</command></para>
+
+ <para>Example: <command>print command = /usr/local/samba/bin/myprintscript
+ %p %s</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTOK">print ok (S)</term>
+ <listitem><para>Synonym for <link linkend="PRINTABLE">
+ <parameter>printable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTABLE">printable (S)</term>
+ <listitem><para>If this parameter is <constant>yes</constant>, then
+ clients may open, write to and submit spool files on the directory
+ specified for the service. </para>
+
+ <para>Note that a printable service will ALWAYS allow writing
+ to the service path (user privileges permitting) via the spooling
+ of print data. The <link linkend="WRITEABLE"><parameter>writeable
+ </parameter></link> parameter controls only non-printing access to
+ the resource.</para>
+
+ <para>Default: <command>printable = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTCAP">printcap (G)</term>
+ <listitem><para>Synonym for <link linkend="PRINTCAPNAME"><parameter>
+ printcap name</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERADMIN">printer admin (S)</term>
+ <listitem><para>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MSRPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</para>
+
+ <para>Default: <command>printer admin = &lt;empty string&gt;</command>
+ </para>
+ <para>Example: <command>printer admin = admin, @staff</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTCAPNAME">printcap name (G)</term>
+ <listitem><para>This parameter may be used to override the
+ compiled-in default printcap name used by the server (usually <filename>
+ /etc/printcap</filename>). See the discussion of the <link
+ linkend="PRINTERSSECT">[printers]</link> section above for reasons
+ why you might want to do this.</para>
+
+ <para>On System V systems that use <command>lpstat</command> to
+ list available printers you can use <command>printcap name = lpstat
+ </command> to automatically obtain lists of available printers. This
+ is the default for systems that define SYSV at configure time in
+ Samba (this includes most System V based systems). If <parameter>
+ printcap name</parameter> is set to <command>lpstat</command> on
+ these systems then Samba will launch <command>lpstat -v</command> and
+ attempt to parse the output to obtain a printer list.</para>
+
+ <para>A minimal printcap file would look something like this:</para>
+
+ <para><programlisting>
+ print1|My Printer 1
+ print2|My Printer 2
+ print3|My Printer 3
+ print4|My Printer 4
+ print5|My Printer 5
+ </programlisting></para>
+
+ <para>where the '|' separates aliases of a printer. The fact
+ that the second alias has a space in it gives a hint to Samba
+ that it's a comment.</para>
+
+ <para><emphasis>NOTE</emphasis>: Under AIX the default printcap
+ name is <filename>/etc/qconfig</filename>. Samba will assume the
+ file is in AIX <filename>qconfig</filename> format if the string
+ <filename>qconfig</filename> appears in the printcap filename.</para>
+
+ <para>Default: <command>printcap name = /etc/printcap</command></para>
+ <para>Example: <command>printcap name = /etc/myprintcap</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTER">printer (S)</term>
+ <listitem><para>This parameter specifies the name of the printer
+ to which print jobs spooled through a printable service will be sent.</para>
+
+ <para>If specified in the [global] section, the printer
+ name given will be used for any printable service that does
+ not have its own printer name specified.</para>
+
+ <para>Default: <emphasis>none (but may be <constant>lp</constant>
+ on many systems)</emphasis></para>
+
+ <para>Example: <command>printer name = laserwriter</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERDRIVER">printer driver (S)</term>
+ <listitem><para>This option allows you to control the string
+ that clients receive when they ask the server for the printer driver
+ associated with a printer. If you are using Windows95 or WindowsNT
+ then you can use this to automate the setup of printers on your
+ system.</para>
+
+ <para>You need to set this parameter to the exact string (case
+ sensitive) that describes the appropriate printer driver for your
+ system. If you don't know the exact string to use then you should
+ first try with no <link linkend="PRINTERDRIVER"><parameter>
+ printer driver</parameter></link> option set and the client will
+ give you a list of printer drivers. The appropriate strings are
+ shown in a scrollbox after you have chosen the printer manufacturer.</para>
+
+ <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>printer
+ driver file</parameter></link>.</para>
+
+ <para>Example: <command>printer driver = HP LaserJet 4L</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERDRIVERFILE">printer driver file (G)</term>
+ <listitem><para>This parameter tells Samba where the printer driver
+ definition file, used when serving drivers to Windows 95 clients, is
+ to be found. If this is not set, the default is :</para>
+
+ <para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable>
+ /lib/printers.def</filename></para>
+
+ <para>This file is created from Windows 95 <filename>msprint.inf
+ </filename> files found on the Windows 95 client system. For more
+ details on setting up serving of printer drivers to Windows 95
+ clients, see the documentation file in the <filename>docs/</filename>
+ directory, <filename>PRINTER_DRIVER.txt</filename>.</para>
+
+ <para>See also <link linkend="PRINTERDRIVERLOCATION"><parameter>
+ printer driver location</parameter></link>.</para>
+
+ <para>Default: <emphasis>None (set in compile).</emphasis></para>
+
+ <para>Example: <command>printer driver file =
+ /usr/local/samba/printers/drivers.def</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERDRIVERLOCATION">printer driver location (S)</term>
+ <listitem><para>This parameter tells clients of a particular printer
+ share where to find the printer driver files for the automatic
+ installation of drivers for Windows 95 machines. If Samba is set up
+ to serve printer drivers to Windows 95 machines, this should be set to</para>
+
+ <para><command>\\MACHINE\PRINTER$</command></para>
+
+ <para>Where MACHINE is the NetBIOS name of your Samba server,
+ and PRINTER$ is a share you set up for serving printer driver
+ files. For more details on setting this up see the documentation
+ file in the <filename>docs/</filename> directory, <filename>
+ PRINTER_DRIVER.txt</filename>.</para>
+
+ <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>
+ printer driver file</parameter></link>.</para>
+
+ <para>Default: <command>none</command></para>
+ <para>Example: <command>printer driver location = \\MACHINE\PRINTER$
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERNAME">printer name (S)</term>
+ <listitem><para>Synonym for <link linkend="PRINTER"><parameter>
+ printer</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTING">printing (S)</term>
+ <listitem><para>This parameters controls how printer status
+ information is interpreted on your system. It also affects the
+ default values for the <parameter>print command</parameter>,
+ <parameter>lpq command</parameter>, <parameter>lppause command
+ </parameter>, <parameter>lpresume command</parameter>, and
+ <parameter>lprm command</parameter> if specified in the
+ [global]f> section.</para>
+
+ <para>Currently eight printing styles are supported. They are
+ <constant>BSD</constant>, <constant>AIX</constant>,
+ <constant>LPRNG</constant>, <constant>PLP</constant>,
+ <constant>SYSV</constant>, <constant>HPUX</constant>,
+ <constant>QNX</constant>, <constant>SOFTQ</constant>,
+ and <constant>CUPS</constant>.</para>
+
+ <para>To see what the defaults are for the other print
+ commands when using the various options use the <ulink
+ url="testparm.1.html">testparm(1)</ulink> program.</para>
+
+ <para>This option can be set on a per printer basis</para>
+
+ <para>See also the discussion in the <link linkend="PRINTERSSECT">
+ [printers]</link> section.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRIVATEDIR">private dir(G)</term>
+ <listitem><para>The <parameter>private dir</parameter> parameter
+ allows an administator to define a directory path used to hold the
+ various databases Samba will use to store things like a the machine
+ trust account information when acting as a domain member (i.e. where
+ the secrets.tdb file will be located), where the passdb.tbd file
+ will stored in the case of using the experiemental tdbsam support,
+ etc...</para>
+
+ <para>Default: <command>private dir = &lt;compile time location
+ of smbpasswd&gt;</command></para>
+ <para>Example: <command>private dir = /etc/smbprivate</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PROTOCOL">protocol (G)</term>
+ <listitem><para>The value of the parameter (a string) is the highest
+ protocol level that will be supported by the server.</para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem><para><constant>CORE</constant>: Earliest version. No
+ concept of user names.</para></listitem>
+
+ <listitem><para><constant>COREPLUS</constant>: Slight improvements on
+ CORE for efficiency.</para></listitem>
+
+ <listitem><para><constant>LANMAN1</constant>: First <emphasis>
+ modern</emphasis> version of the protocol. Long filename
+ support.</para></listitem>
+
+ <listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.
+ </para></listitem>
+
+ <listitem><para><constant>NT1</constant>: Current up to date version of
+ the protocol. Used by Windows NT. Known as CIFS.</para></listitem>
+ </itemizedlist>
+
+ <para>Normally this option should not be set as the automatic
+ negotiation phase in the SMB protocol takes care of choosing
+ the appropriate protocol.</para>
+
+ <para>Default: <command>protocol = NT1</command></para>
+ <para>Example: <command>protocol = LANMAN1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PUBLIC">public (S)</term>
+ <listitem><para>Synonym for <link linkend="GUESTOK"><parameter>guest
+ ok</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="QUEUEPAUSECOMMAND">queuepause command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to pause the printerqueue.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name as its only parameter and stops the printerqueue,
+ such that no longer jobs are submitted to the printer.</para>
+
+ <para>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printer's window under Windows 95
+ and NT.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the command.
+ </para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter>printing
+ </parameter></emphasis></para>
+ <para>Example: <command>queuepause command = disable %p</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="QUEUERESUMECOMMAND">queueresume command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to resume the printerqueue. It
+ is the command to undo the behavior that is caused by the
+ previous parameter (<link linkend="QUEUEPAUSECOMMAND"><parameter>
+ queuepause command</parameter></link>).</para>
+
+ <para>This command should be a program or script which takes
+ a printer name as its only parameter and resumes the printerqueue,
+ such that queued jobs are resubmitted to the printer.</para>
+
+ <para>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printer's window under Windows 95
+ and NT.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the
+ command.</para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</para>
+
+ <para>Default: <emphasis>depends on the setting of <link
+ linkend="PRINTING"><parameter>printing</parameter></link></emphasis>
+ </para>
+
+ <para>Example: <command>queuepause command = enable %p
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="READBMPX">read bmpx (G)</term>
+ <listitem><para>This boolean parameter controls whether <ulink
+ url="smbd.8.html">smbd(8)</ulink> will support the "Read
+ Block Multiplex" SMB. This is now rarely used and defaults to
+ <constant>no</constant>. You should never need to set this
+ parameter.</para>
+
+ <para>Default: <command>read bmpx = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="READLIST">read list (S)</term>
+ <listitem><para>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <link
+ linkend="WRITEABLE"><parameter>writeable</parameter></link>
+ option is set to. The list can include group names using the
+ syntax described in the <link linkend="INVALIDUSERS"><parameter>
+ invalid users</parameter></link> parameter.</para>
+
+ <para>See also the <link linkend="WRITELIST"><parameter>
+ write list</parameter></link> parameter and the <link
+ linkend="INVALIDUSERS"><parameter>invalid users</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>read list = &lt;empty string&gt;</command></para>
+ <para>Example: <command>read list = mary, @students</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="READONLY">read only (S)</term>
+ <listitem><para>Note that this is an inverted synonym for <link
+ linkend="WRITEABLE"><parameter>writeable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="READRAW">read raw (G)</term>
+ <listitem><para>This parameter controls whether or not the server
+ will support the raw read SMB requests when transferring data
+ to clients.</para>
+
+ <para>If enabled, raw reads allow reads of 65535 bytes in
+ one packet. This typically provides a major performance benefit.
+ </para>
+
+ <para>However, some clients either negotiate the allowable
+ block size incorrectly or are incapable of supporting larger block
+ sizes, and for these clients you may need to disable raw reads.</para>
+
+ <para>In general this parameter should be viewed as a system tuning
+ tool and left severely alone. See also <link linkend="WRITERAW">
+ <parameter>write raw</parameter></link>.</para>
+
+ <para>Default: <command>read raw = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="READSIZE">read size (G)</term>
+ <listitem><para>The option <parameter>read size</parameter>
+ affects the overlap of disk reads/writes with network reads/writes.
+ If the amount of data being transferred in several of the SMB
+ commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+ than this value then the server begins writing the data before it
+ has received the whole packet from the network, or in the case of
+ SMBreadbraw, it begins writing to the network before all the data
+ has been read from disk.</para>
+
+ <para>This overlapping works best when the speeds of disk and
+ network access are similar, having very little effect when the
+ speed of one is much greater than the other.</para>
+
+ <para>The default value is 16384, but very little experimentation
+ has been done yet to determine the optimal value, and it is likely
+ that the best value will vary greatly between systems anyway.
+ A value over 65536 is pointless and will cause you to allocate
+ memory unnecessarily.</para>
+
+ <para>Default: <command>read size = 16384</command></para>
+ <para>Example: <command>read size = 8192</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="REMOTEANNOUNCE">remote announce (G)</term>
+ <listitem><para>This option allows you to setup <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself
+ to arbitrary IP addresses with an arbitrary workgroup name.</para>
+
+ <para>This is useful if you want your Samba server to appear
+ in a remote workgroup for which the normal browse propagation
+ rules don't work. The remote workgroup can be anywhere that you
+ can send IP packets to.</para>
+
+ <para>For example:</para>
+
+ <para><command>remote announce = 192.168.2.255/SERVERS
+ 192.168.4.255/STAFF</command></para>
+
+ <para>the above line would cause nmbd to announce itself
+ to the two given IP addresses using the given workgroup names.
+ If you leave out the workgroup name then the one given in
+ the <link linkend="WORKGROUP"><parameter>workgroup</parameter></link>
+ parameter is used instead.</para>
+
+ <para>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable.</para>
+
+ <para>See the documentation file <filename>BROWSING.txt</filename>
+ in the <filename>docs/</filename> directory.</para>
+
+ <para>Default: <command>remote announce = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="REMOTEBROWSESYNC">remote browse sync (G)</term>
+ <listitem><para>This option allows you to setup <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> to periodically request
+ synchronization of browse lists with the master browser of a samba
+ server that is on a remote segment. This option will allow you to
+ gain browse lists for multiple workgroups across routed networks. This
+ is done in a manner that does not work with any non-samba servers.</para>
+
+ <para>This is useful if you want your Samba server and all local
+ clients to appear in a remote workgroup for which the normal browse
+ propagation rules don't work. The remote workgroup can be anywhere
+ that you can send IP packets to.</para>
+
+ <para>For example:</para>
+
+ <para><command>remote browse sync = 192.168.2.255 192.168.4.255
+ </command></para>
+
+ <para>the above line would cause <command>nmbd</command> to request
+ the master browser on the specified subnets or addresses to
+ synchronize their browse lists with the local server.</para>
+
+ <para>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable. If
+ a machine IP address is given Samba makes NO attempt to validate
+ that the remote machine is available, is listening, nor that it
+ is in fact the browse master on it's segment.</para>
+
+ <para>Default: <command>remote browse sync = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term>
+ <listitem><para>This is a boolean parameter. If it is true, then
+ anonymous access to the server will be restricted, namely in the
+ case where the server is expecting the client to send a username,
+ but it doesn't. Setting it to true will force these anonymous
+ connections to be denied, and the client will be required to always
+ supply a username and password when connecting. Use of this parameter
+ is only recommened for homogenous NT client environments.</para>
+
+ <para>This parameter makes the use of macro expansions that rely
+ on the username (%U, %G, etc) consistant. NT 4.0
+ likes to use anonymous connections when refreshing the share list,
+ and this is a way to work around that.</para>
+
+ <para>When restrict anonymous is true, all anonymous connections
+ are denied no matter what they are for. This can effect the ability
+ of a machine to access the samba Primary Domain Controller to revalidate
+ it's machine account after someone else has logged on the client
+ interactively. The NT client will display a message saying that
+ the machine's account in the domain doesn't exist or the password is
+ bad. The best way to deal with this is to reboot NT client machines
+ between interactive logons, using "Shutdown and Restart", rather
+ than "Close all programs and logon as a different user".</para>
+
+ <para>Default: <command>restrict anonymous = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOT">root (G)</term>
+ <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter>root directory"</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOTDIR">root dir (G)</term>
+ <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter>root directory"</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="ROOTDIRECTORY">root directory (G)</term>
+ <listitem><para>The server will <command>chroot()</command> (i.e.
+ Change it's root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use ".." in file names
+ to access other directories (depending on the setting of the <link
+ linkend="WIDELINKS"><parameter>wide links</parameter></link>
+ parameter).</para>
+
+ <para>Adding a <parameter>root directory</parameter> entry other
+ than "/" adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <parameter>root directory</parameter>
+ option, <emphasis>including</emphasis> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <parameter>root directory</parameter> tree. In particular
+ you will need to mirror <filename>/etc/passwd</filename> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</para>
+
+ <para>Default: <command>root directory = /</command></para>
+ <para>Example: <command>root directory = /homes/smb</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOTPOSTEXEC">root postexec (S)</term>
+ <listitem><para>This is the same as the <parameter>postexec</parameter>
+ parameter except that the command is run as root. This
+ is useful for unmounting filesystems
+ (such as cdroms) after a connection is closed.</para>
+
+ <para>See also <link linkend="POSTEXEC"><parameter>
+ postexec</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="ROOTPREEXEC">root preexec (S)</term>
+ <listitem><para>This is the same as the <parameter>preexec</parameter>
+ parameter except that the command is run as root. This
+ is useful for mounting filesystems
+ (such as cdroms) after a connection is closed.</para>
+
+ <para>See also <link linkend="PREEXEC"><parameter>
+ preexec</parameter></link> and <link linkend="PREEXECCLOSE">
+ <parameter>preexec close</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOTPREEXECCLOSE">root preexec close (S)</term>
+ <listitem><para>This is the same as the <parameter>preexec close
+ </parameter> parameter except that the command is run as root.</para>
+
+ <para>See also <link linkend="PREEXEC"><parameter>
+ preexec</parameter></link> and <link linkend="PREEXECCLOSE">
+ <parameter>preexec close</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SECURITY">security (G)</term>
+ <listitem><para>This option affects how clients respond to
+ Samba and is one of the most important settings in the <filename>
+ smb.conf</filename> file.</para>
+
+ <para>The option sets the "security mode bit" in replies to
+ protocol negotiations with <ulink url="smbd.8.html">smbd(8)
+ </ulink> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</para>
+
+
+ <para>The default is <command>security = user</command>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</para>
+
+ <para>The alternatives are <command>security = share</command>,
+ <command>security = server</command> or <command>security=domain
+ </command>.</para>
+
+ <para>In versions of Samba prior to 2..0, the default was
+ <command>security = share</command> mainly because that was
+ the only option at one stage.</para>
+
+ <para>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the "connect
+ drive" dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</para>
+
+ <para>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <command>security = user</command>. If you mostly use usernames
+ that don't exist on the UNIX box then use <command>security =
+ share</command>.</para>
+
+ <para>You should also use <command>security = share</command> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <command>security = user</command>, see
+ the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link>parameter for details.</para>
+
+ <para>It is possible to use <command>smbd</command> in a <emphasis>
+ hybrid mode</emphasis> where it is offers both user and share
+ level security under different <link linkend="NETBIOSALIASES">
+ <parameter>NetBIOS aliases</parameter></link>. </para>
+
+ <para>The different settings will now be explained.</para>
+
+
+ <para><anchor id="SECURITYEQUALSHARE"><emphasis>SECURITY = SHARE
+ </emphasis></para>
+
+ <para>When clients connect to a share level security server then
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <command>security = share
+ </command> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</para>
+
+ <para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <command>security = share</command> level security.</para>
+
+ <para>As clients are not required to send a username to the server
+ in share level security, <command>smbd</command> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</para>
+
+ <para>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</para>
+
+ <itemizedlist>
+ <listitem><para>If the <link linkend="GUESTONLY"><parameter>guest
+ only</parameter></link> parameter is set, then all the other
+ stages are missed and only the <link linkend="GUESTACCOUNT">
+ <parameter>guest account</parameter></link> username is checked.
+ </para></listitem>
+
+ <listitem><para>Is a username is sent with the share connection
+ request, then this username (after mapping - see <link
+ linkend="USERNAMEMAP"><parameter>username map</parameter></link>),
+ is added as a potential username.</para></listitem>
+
+ <listitem><para>If the client did a previous <emphasis>logon
+ </emphasis> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </para></listitem>
+
+ <listitem><para>The name of the service the client requested is
+ added as a potential username.</para></listitem>
+
+ <listitem><para>The NetBIOS name of the client is added to
+ the list as a potential username.</para></listitem>
+
+ <listitem><para>Any users on the <link linkend="USER"><parameter>
+ user</parameter></link> list are added as potential usernames.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>If the <parameter>guest only</parameter> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</para>
+
+ <para>If the <parameter>guest only</parameter> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <parameter>guest account</parameter>, then this
+ guest user will be used, otherwise access is denied.</para>
+
+ <para>Note that it can be <emphasis>very</emphasis> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALUSER"><emphasis>SECURIYT = USER
+ </emphasis></para>
+
+ <para>This is the default security setting in Samba 2.2.
+ With user-level security a client must first "log=on" with a
+ valid username and password (which can be mapped using the <link
+ linkend="USERNAMEMAP"><parameter>username map</parameter></link>
+ parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
+ <parameter>encrypted passwords</parameter></link> parameter) can also
+ be used in this security mode. Parameters such as <link linkend="USER">
+ <parameter>user</parameter></link> and <link linkend="GUESTONLY">
+ <parameter>guest only</parameter></link> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSERVER"><emphasis>SECURITY = SERVER
+ </emphasis></para>
+
+ <para>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <command>security = user</command>, but note
+ that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid
+ <filename>smbpasswd</filename> file to check users against. See the
+ documentation file in the <filename>docs/</filename> directory
+ <filename>ENCRYPTION.txt</filename> for details on how to set this
+ up.</para>
+
+ <para><emphasis>Note</emphasis> that from the clients point of
+ view <command>security = server</command> is the same as <command>
+ security = user</command>. It only affects how the server deals
+ with the authentication, it does not in any way affect what the
+ client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
+ server</parameter></link> parameter and the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para><anchor id="SECURITYEQUALSDOMAIN"><emphasis>SECURITY = DOMAIN
+ </emphasis></para>
+
+ <para>This mode will only work correctly if <ulink
+ url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this
+ machine into a Windows NT Domain. It expects the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
+ </link> parameter to be set to <constant>true</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</para>
+
+ <para><emphasis>Note</emphasis> that from the clients point
+ of view <command>security = domain</command> is the same as <command>security = user
+ </command>. It only affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para><emphasis>BUG:</emphasis> There is currently a bug in the
+ implementation of <command>security = domain</command> with respect
+ to multi-byte character set usernames. The communication with a
+ Domain Controller must be done in UNICODE and Samba currently
+ does not widen multi-byte user names to UNICODE correctly, thus
+ a multi-byte username will not be recognized correctly at the
+ Domain Controller. This issue will be addressed in a future release.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
+ server</parameter></link> parameter and the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>security = USER</command></para>
+ <para>Example: <command>security = DOMAIN</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SECURITYMASK">security mask (S)</term>
+ <listitem><para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</para>
+
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
+
+ <para>If not set explicitly this parameter is set to the same
+ value as the <link linkend="CREATEMASK"><parameter>create mask
+ </parameter></link> parameter. To allow a user to modify all the
+ user/group/world permissions on a file, set this parameter to
+ 0777.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ "appliance" systems. Administrators of most normal systems will
+ probably want to set it to 0777.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
+ <parameter>force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
+ security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
+ <parameter>force security mode</parameter></link> parameters.</para>
+
+ <para>Default: <command>security mask = &lt;same as create mask&gt;
+ </command></para>
+ <para>Example: <command>security mask = 0777</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SERVERSTRING">server string (G)</term>
+ <listitem><para>This controls what string will show up in the
+ printer comment box in print manager and next to the IPC connection
+ in <command>net view"</command>. It can be any string that you wish
+ to show to your users.</para>
+
+ <para>It also sets what will appear in browse lists next
+ to the machine name.</para>
+
+ <para>A <parameter>%v</parameter> will be replaced with the Samba
+ version number.</para>
+
+ <para>A <parameter>%h</parameter> will be replaced with the
+ hostname.</para>
+
+ <para>Default: <command>server string = Samba %v</command></para>
+
+ <para>Example: <command>server string = University of GNUs Samba
+ Server</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SETDIRECTORY">set directory (S)</term>
+ <listitem><para>If <command>set directory = no</command>, then
+ users of the service may not use the setdir command to change
+ directory.</para>
+
+ <para>The <command>setdir</command> command is only implemented
+ in the Digital Pathworks client. See the Pathworks documentation
+ for details.</para>
+
+ <para>Default: <command>set directory = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="SHAREMODES">share modes (S)</term>
+ <listitem><para>This enables or disables the honoring of
+ the <parameter>share modes</parameter> during a file open. These
+ modes are used by clients to gain exclusive read or write access
+ to a file.</para>
+
+ <para>These open modes are not directly supported by UNIX, so
+ they are simulated using shared memory, or lock files if your
+ UNIX doesn't support shared memory (almost all do).</para>
+
+ <para>The share modes that are enabled by this option are
+ <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>,
+ <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>,
+ <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>.
+ </para>
+
+ <para>This option gives full share compatibility and enabled
+ by default.</para>
+
+ <para>You should <emphasis>NEVER</emphasis> turn this parameter
+ off as many Windows applications will break if you do so.</para>
+
+ <para>Default: <command>share modes = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SHAREDMEMSIZE">shared mem size (G)</term>
+ <listitem><para>It specifies the size of the shared memory (in
+ bytes) to use between <ulink url="smbd.8.html">smbd(8)</ulink>
+ processes. This parameter defaults to one megabyte of shared
+ memory. It is possible that if you have a large erver with many
+ files open simultaneously that you may need to increase this
+ parameter. Signs that this parameter is set too low are users
+ reporting strange problems trying to save files (locking errors)
+ and error messages in the smbd log looking like <emphasis>ERROR
+ smb_shm_alloc : alloc of XX bytes failed</emphasis>.</para>
+
+ <para>If your OS refuses the size that Samba asks for then
+ Samba will try a smaller size, reducing by a factor of 0.8 until
+ the OS accepts it.</para>
+
+ <para>Default: <command>shared mem size = 1048576</command></para>
+ <para>Example: <command>shared mem size = 5242880 ; Set to 5mb for a
+ large number of files.</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SHORTPRESERVECASE">short preserve case (S)</term>
+ <listitem><para>This boolean parameter controls if new files
+ which conform to 8.3 syntax, that is all in upper case and of
+ suitable length, are created upper case, or if they are forced
+ to be the <link linkend="DEFAULTCASE"><parameter>default case
+ </parameter></link>. This option can be use with <link
+ linkend="PRESERVECASE"><command>preserve case = yes</command>
+ </link> to permit long filenames to retain their case, while short
+ names are lowered. </para>
+
+ <para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING</link>.</para>
+
+ <para>Default: <command>short preserve case = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SMBPASSWDFILE">smb passwd file (G)</term>
+ <listitem><para>This option sets the path to the encrypted
+ smbpasswd file. By default the path to the smbpasswd file
+ is compiled into Samba.</para>
+
+ <para>Default: <command>smb passwd file= &lt;compiled
+ default&gt;</command></para>
+
+ <para>Example: <command>smb passwd file = /usr/samba/private/smbpasswd
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SMBRUN">smbrun (G)</term>
+ <listitem><para>This sets the full path to the <command>smbrun
+ </command> binary. This defaults to the value in the <filename>
+ Makefile</filename>.</para>
+
+ <para>You must get this path right for many services
+ to work correctly.</para>
+
+ <para>You should not need to change this parameter so
+ long as Samba is installed correctly.</para>
+
+ <para>Default: <command>smbrun=&lt;compiled default&gt;
+ </command></para>
+
+ <para>Example: <command>smbrun = /usr/local/samba/bin/smbrun
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SOCKETADDRESS">socket address (G)</term>
+ <listitem><para>This option allows you to control what
+ address Samba will listen for connections on. This is used to
+ support multiple virtual interfaces on the one server, each
+ with a different configuration.</para>
+
+ <para>By default samba will accept connections on any
+ address.</para>
+
+ <para>Example: <command>socket address = 192.168.2.20</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SOCKETOPTIONS">socket options (G)</term>
+ <listitem><para>This option allows you to set socket options
+ to be used when talking with the client.</para>
+
+ <para>Socket options are controls on the networking layer
+ of the operating systems which allow the connection to be
+ tuned.</para>
+
+ <para>This option will typically be used to tune your Samba
+ server for optimal performance for your local network. There is
+ no way that Samba can know what the optimal parameters are for
+ your net, so you must experiment and choose them yourself. We
+ strongly suggest you read the appropriate documentation for your
+ operating system first (perhaps <command>man setsockopt</command>
+ will help).</para>
+
+ <para>You may find that on some systems Samba will say
+ "Unknown socket option" when you supply an option. This means you
+ either incorrectly typed it or you need to add an include file
+ to includes.h for your OS. If the latter is the case please
+ send the patch to <ulink url="mailto:samba@samba.org">
+ samba@samba.org</ulink>.</para>
+
+ <para>Any of the supported socket options may be combined
+ in any way you like, as long as your OS allows it.</para>
+
+ <para>This is the list of socket options currently settable
+ using this option:</para>
+
+ <itemizedlist>
+ <listitem><para>SO_KEEPALIVE</para></listitem>
+ <listitem><para>SO_REUSEADDR</para></listitem>
+ <listitem><para>SO_BROADCAST</para></listitem>
+ <listitem><para>TCP_NODELAY</para></listitem>
+ <listitem><para>IPTOS_LOWDELAY</para></listitem>
+ <listitem><para>IPTOS_THROUGHPUT</para></listitem>
+ <listitem><para>SO_SNDBUF *</para></listitem>
+ <listitem><para>SO_RCVBUF *</para></listitem>
+ <listitem><para>SO_SNDLOWAT *</para></listitem>
+ <listitem><para>SO_RCVLOWAT *</para></listitem>
+ </itemizedlist>
+
+ <para>Those marked with a <emphasis>'*'</emphasis> take an integer
+ argument. The others can optionally take a 1 or 0 argument to enable
+ or disable the option, by default they will be enabled if you
+ don't specify 1 or 0.</para>
+
+ <para>To specify an argument use the syntax SOME_OPTION=VALUE
+ for example <command>SO_SNDBUF=8192</command>. Note that you must
+ not have any spaces before or after the = sign.</para>
+
+ <para>If you are on a local network then a sensible option
+ might be</para>
+ <para><command>socket options = IPTOS_LOWDELAY</command></para>
+
+ <para>If you have a local network then you could try:</para>
+ <para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
+
+ <para>If you are on a wide area network then perhaps try
+ setting IPTOS_THROUGHPUT. </para>
+
+ <para>Note that several of the options may cause your Samba
+ server to fail completely. Use these options with caution!</para>
+
+ <para>Default: <command>socket options = TCP_NODELAY</command></para>
+ <para>Example: <command>socket options = IPTOS_LOWDELAY</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="SOURCEENVIRONMENT">source environment (G)</term>
+ <listitem><para>This parameter causes Samba to set environment
+ variables as per the content of the file named.</para>
+
+ <para>If the value of this parameter starts with a "|" character
+ then Samba will treat that value as a pipe command to open and
+ will set the environment variables from the output of the pipe.</para>
+
+ <para>The contents of the file or the output of the pipe should
+ be formatted as the output of the standard Unix <command>env(1)
+ </command> command. This is of the form :</para>
+ <para>Example environment entry:</para>
+ <para><command>SAMBA_NETBIOS_NAME=myhostname</command></para>
+
+ <para>Default: <emphasis>No default value</emphasis></para>
+ <para>Examples: <command>source environment = |/etc/smb.conf.sh
+ </command></para>
+
+ <para>Example: <command>source environment =
+ /usr/local/smb_env_vars</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSL">ssl (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable enables or disables the entire SSL mode. If
+ it is set to <constant>no</constant>, the SSL enabled samba behaves
+ exactly like the non-SSL samba. If set to <constant>yes</constant>,
+ it depends on the variables <link linkend="SSLHOSTS"><parameter>
+ ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN">
+ <parameter>ssl hosts resign</parameter></link> whether an SSL
+ connection will be required.</para>
+
+ <para>Default: <command>ssl=no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable defines where to look up the Certification
+ Authorities. The given directory should contain one file for
+ each CA that samba will trust. The file name must be the hash
+ value over the "Distinguished Name" of the CA. How this directory
+ is set up is explained later in this document. All files within the
+ directory that don't fit into this naming scheme are ignored. You
+ don't need this variable if you don't verify client certificates.</para>
+
+ <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable is a second way to define the trusted CAs.
+ The certificates of the trusted CAs are collected in one big
+ file and this variable points to the file. You will probably
+ only use one of the two ways to define your CAs. The first choice is
+ preferable if you have many CAs or want to be flexible, the second
+ is preferable if you only have one CA and want to keep things
+ simple (you won't need to create the hashed file names). You
+ don't need this variable if you don't verify client certificates.</para>
+
+ <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable defines the ciphers that should be offered
+ during SSL negotiation. You should not set this variable unless
+ you know what you are doing.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>The certificate in this file is used by <ulink url="smbclient.1.html">
+ <command>smbclient(1)</command></ulink> if it exists. It's needed
+ if the server requires a client certificate.</para>
+
+ <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This is the private key for <ulink url="smbclient.1.html">
+ <command>smbclient(1)</command></ulink>. It's only needed if the
+ client should have a certificate. </para>
+
+ <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This variable defines whether SSLeay should be configured
+ for bug compatibility with other SSL implementations. This is
+ probably not desirable because currently no clients with SSL
+ implementations other than SSLeay exist.</para>
+
+ <para>Default: <command>ssl compatibility = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLHOSTS">ssl hosts (G)</term>
+ <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter>
+ ssl hosts resign</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>These two variables define whether samba will go
+ into SSL mode or not. If none of them is defined, samba will
+ allow only SSL connections. If the <link linkend="SSLHOSTS">
+ <parameter>ssl hosts</parameter></link> variable lists
+ hosts (by IP-address, IP-address range, net group or name),
+ only these hosts will be forced into SSL mode. If the <parameter>
+ ssl hosts resign</parameter> variable lists hosts, only these
+ hosts will NOT be forced into SSL mode. The syntax for these two
+ variables is the same as for the <link linkend="HOSTSALLOW"><parameter>
+ hosts allow</parameter></link> and <link linkend="HOSTSDENY">
+ <parameter>hosts deny</parameter></link> pair of variables, only
+ that the subject of the decision is different: It's not the access
+ right but whether SSL is used or not. </para>
+
+ <para>The example below requires SSL connections from all hosts
+ outside the local net (which is 192.168.*.*).</para>
+
+ <para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
+ <para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command>ssl hosts resign = 192.168.</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>If this variable is set to <constant>yes</constant>, the
+ server will not tolerate connections from clients that don't
+ have a valid certificate. The directory/file given in <link
+ linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter>
+ </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile
+ </parameter></link> will be used to look up the CAs that issued
+ the client's certificate. If the certificate can't be verified
+ positively, the connection will be terminated. If this variable
+ is set to <constant>no</constant>, clients don't need certificates.
+ Contrary to web applications you really <emphasis>should</emphasis>
+ require client certificates. In the web environment the client's
+ data is sensitive (credit card numbers) and the server must prove
+ to be trustworthy. In a file server environment the server's data
+ will be sensitive and the clients must prove to be trustworthy.</para>
+
+ <para>Default: <command>ssl require clientcert = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>If this variable is set to <constant>yes</constant>, the
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command>
+ </ulink> will request a certificate from the server. Same as
+ <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require
+ clientcert</parameter></link> for the server.</para>
+
+ <para>Default: <command>ssl require servercert = no</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This is the file containing the server's certificate.
+ The server <emphasis>must</emphasis> have a certificate. The
+ file may also contain the server's private key. See later for
+ how certificates and private keys are created.</para>
+
+ <para>Default: <command>ssl server cert = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLSERVERKEY">ssl server key (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This file contains the private key of the server. If
+ this variable is not defined, the key is looked up in the
+ certificate file (it may be appended to the certificate).
+ The server <emphasis>must</emphasis> have a private key
+ and the certificate <emphasis>must</emphasis>
+ match this private key.</para>
+
+ <para>Default: <command>ssl server key = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLVERSION">ssl version (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para><emphasis>Note</emphasis> that for export control reasons
+ this code is <emphasis>NOT</emphasis> enabled by default in any
+ current binary version of Samba.</para>
+
+ <para>This enumeration variable defines the versions of the
+ SSL protocol that will be used. <constant>ssl2or3</constant> allows
+ dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
+ in SSL v2, <constant>ssl3</constant> results in SSL v3 and
+ <constant>tls1</constant> results in TLS v1. TLS (Transport Layer
+ Security) is the new standard for SSL.</para>
+
+ <para>Default: <command>ssl version = "ssl2or3"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STATCACHE">stat cache (G)</term>
+ <listitem><para>This parameter determines if <ulink
+ url="smbd.8.html">smbd(8)</ulink> will use a cache in order to
+ speed up case insensitive name mappings. You should never need
+ to change this parameter.</para>
+
+ <para>Default: <command>stat cache = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="STATCACHESIZE">stat cache size (G)</term>
+ <listitem><para>This parameter determines the number of
+ entries in the <parameter>stat cache</parameter>. You should
+ never need to change this parameter.</para>
+
+ <para>Default: <command>stat cache size = 50</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STATUS">status (G)</term>
+ <listitem><para>This enables or disables logging of connections
+ to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink>
+ can read.</para>
+
+ <para>With this disabled <command>smbstatus</command> won't be able
+ to tell you what connections are active. You should never need to
+ change this parameter.</para>
+
+ <para>Default: <command>status = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STRICTLOCKING">strict locking (S)</term>
+ <listitem><para>This is a boolean that controls the handling of
+ file locking in the server. When this is set to <constant>yes</constant>
+ the server will check every read and write access for file locks, and
+ deny access if locks exist. This can be slow on some systems.</para>
+
+ <para>When strict locking is <constant>no</constant> the server does file
+ lock checks only when the client explicitly asks for them.</para>
+
+ <para>Well behaved clients always ask for lock checks when it
+ is important, so in the vast majority of cases <command>strict
+ locking = no</command> is preferable.</para>
+
+ <para>Default: <command>strict locking = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STRICTSYNC">strict sync (S)</term>
+ <listitem><para>Many Windows applications (including the Windows
+ 98 explorer shell) seem to confuse flushing buffer contents to
+ disk with doing a sync to disk. Under UNIX, a sync call forces
+ the process to be suspended until the kernel has ensured that
+ all outstanding data in kernel disk buffers has been safely stored
+ onto stable storage. This is very slow and should only be done
+ rarely. Setting this parameter to <constant>no</constant> (the
+ default) means that smbd ignores the Windows applications requests for
+ a sync call. There is only a possibility of losing data if the
+ operating system itself that Samba is running on crashes, so there is
+ little danger in this default setting. In addition, this fixes many
+ performance problems that people have reported with the new Windows98
+ explorer shell file copies.</para>
+
+ <para>See also the <link linkend="SYNCALWAYS"><parameter>sync
+ always></parameter></link> parameter.</para>
+
+ <para>Default: <command>strict sync = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="STRIPDOT">strip dot (G)</term>
+ <listitem><para>This is a boolean that controls whether to
+ strip trailing dots off UNIX filenames. This helps with some
+ CDROMs that have filenames ending in a single dot.</para>
+
+ <para>Default: <command>strip dot = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SYNCALWAYS">sync always (S)</term>
+ <listitem><para>This is a boolean parameter that controls
+ whether writes will always be written to stable storage before
+ the write call returns. If this is false then the server will be
+ guided by the client's request in each write call (clients can
+ set a bit indicating that a particular write should be synchronous).
+ If this is true then every write will be followed by a <command>fsync()
+ </command> call to ensure the data is written to disk. Note that
+ the <parameter>strict sync</parameter> parameter must be set to
+ <constant>yes</constant> in order for this parameter to have
+ any affect.</para>
+
+ <para>See also the <link linkend="STRICTSYNC"><parameter>strict
+ sync</parameter></link> parameter.</para>
+
+ <para>Default: <command>sync always = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SYSLOG">syslog (G)</term>
+ <listitem><para>This parameter maps how Samba debug messages
+ are logged onto the system syslog logging levels. Samba debug
+ level zero maps onto syslog <constant>LOG_ERR</constant>, debug
+ level one maps onto <constant>LOG_WARNING</constant>, debug level
+ two maps onto <constant>LOG_NOTICE</constant>, debug level three
+ maps onto LOG_INFO. All higher levels are mapped to <constant>
+ LOG_DEBUG</constant>.</para>
+
+ <para>This paramter sets the threshold for sending messages
+ to syslog. Only messages with debug level less than this value
+ will be sent to syslog.</para>
+
+ <para>Default: <command>syslog = 1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SYSLOGONLY">syslog only (G)</term>
+ <listitem><para>If this parameter is set then Samba debug
+ messages are logged into the system syslog only, and not to
+ the debug log files.</para>
+
+ <para>Default: <command>syslog only = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TEMPLATEHOMEDIR">template homedir (G)</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is
+ only available in Samba 3.0.</para>
+
+ <para>When filling out the user information for a Windows NT
+ user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <parameter>%D</parameter> is present it is substituted
+ with the user's Windows NT domain name. If the string <parameter>%U
+ </parameter> is present it is substituted with the user's Windows
+ NT user name.</para>
+
+ <para>Default: <command>template homedir = /home/%D/%U</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TEMPLATESHELL">template shell (G)</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is
+ only available in Samba 3.0.</para>
+
+ <para>When filling out the user information for a Windows NT
+ user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
+ uses this parameter to fill in the login shell for that user.</para>
+
+ <para>Default: <command>template shell = /bin/false</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TIMEOFFSET">time offset (G)</term>
+ <listitem><para>This parameter is a setting in minutes to add
+ to the normal GMT to local time conversion. This is useful if
+ you are serving a lot of PCs that have incorrect daylight
+ saving time handling.</para>
+
+ <para>Default: <command>time offset = 0</command></para>
+ <para>Example: <command>time offset = 60</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TIMESERVER">time server (G)</term>
+ <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> advertises itself as a time server to Windows
+ clients.</para>
+
+ <para>Default: <command>time server = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="TIMESTAMPLOGS">timestamp logs (G)</term>
+ <listitem><para>Synonym for <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="UNIXPASSWORDSYNC">unix password sync (G)</term>
+ <listitem><para>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to true the program specified in the <parameter>passwd
+ program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password has change code has no
+ access to the old password cleartext, only the new).</para>
+
+ <para>See also <link linkend="PASSWDPROGRAM"><parameter>passwd
+ program</parameter></link>, <link linkend="PASSWDCHAT"><parameter>
+ passwd chat</parameter></link>.</para>
+
+ <para>Default: <command>unix password sync = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="UNIXREALNAME">unix realname (G)</term>
+ <listitem><para>This boolean parameter when set causes samba
+ to supply the real name field from the unix password file to
+ the client. This isuseful for setting up mail clients and WWW
+ browsers on systems used by more than one person.</para>
+
+ <para>Default: <command>unix realname = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="UPDATEENCRYPTED">update encrypted (G)</term>
+ <listitem><para>This boolean parameter allows a user logging
+ on with a plaintext password to have their encrypted (hashed)
+ password in the smbpasswd file to be updated automatically as
+ they log on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing
+ all users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change over
+ to encrypted passwords to be made over a longer period. Once all users
+ have encrypted representations of their passwords in the smbpasswd
+ file this parameter should be set to <constant>no</constant>.</para>
+
+ <para>In order for this parameter to work correctly the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter>
+ </link> parameter must be set to <constant>no</constant> when
+ this parameter is set to <constant>yes</constant>.</para>
+
+ <para>Note that even when this parameter is set a user
+ authenticating to <command>smbd</command> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</para>
+
+ <para>Default: <command>update encrypted = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USERHOSTS">use rhosts (G)</term>
+ <listitem><para>If this global parameter is a true, it specifies
+ that the UNIX users <filename>.rhosts</filename> file in their home directory
+ will be read to find the names of hosts and users who will be allowed
+ access without specifying a password.</para>
+
+ <para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts
+ </parameter> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the <parameter>
+ use rhosts</parameter> option be only used if you really know what
+ you are doing.</para>
+
+ <para>Default: <command>use rhosts = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USER">user (S)</term>
+ <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
+ username</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USERS">users (S)</term>
+ <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
+ username</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="USERNAME">username (S)</term>
+ <listitem><para>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</para>
+
+ <para>The <parameter>username</parameter> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</para>
+
+ <para>The <parameter>username</parameter> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <parameter>username</parameter> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</para>
+
+ <para>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</para>
+
+ <para>To restrict a service to a particular set of users you
+ can use the <link linkend="VALIDUSERS"><parameter>valid users
+ </parameter></link> parameter.</para>
+
+ <para>If any of the usernames begin with a '@' then the name
+ will be looked up first in the yp netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '&'then the name
+ will be looked up only in the yp netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</para>
+
+ <para>Note that searching though a groups database can take
+ quite some time, snd some clients may time out during the
+ search.</para>
+
+ <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</link> for more information on how
+ this parameter determines access to the services.</para>
+
+ <para>Default: <command>The guest account if a guest service,
+ else the name of the service.</command></para>
+
+ <para>Examples:<command>username = fred, mary, jack, jane,
+ @users, @pcgroup</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USERNAMELEVEL">username level (G)</term>
+ <listitem><para>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</para>
+
+ <para>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try whilst trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <constant>AstrangeUser
+ </constant>.</para>
+
+ <para>Default: <command>username level = 0</command></para>
+ <para>Example: <command>username level = 5</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USERNAMEMAP">username map (G)</term>
+ <listitem><para>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</para>
+
+ <para>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</para>
+
+ <para>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</para>
+
+ <para>If any line begins with a '#' or a ';' then it is
+ ignored</para>
+
+ <para>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</para>
+
+ <para>For example to map from the name <constant>admin</constant>
+ or <constant>administrator</constant> to the UNIX name <constant>
+ root</constant> you would use:</para>
+
+ <para><command>root = admin administrator</command></para>
+
+ <para>Or to map anyone in the UNIX group <constant>system</constant>
+ to the UNIX name <constant>sys</constant> you would use:</para>
+
+ <para><command>sys = @system</command></para>
+
+ <para>You can have as many mappings as you like in a username
+ map file.</para>
+
+
+ <para>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <filename>/etc/group
+ </filename> database for matching groups.</para>
+
+ <para>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</para>
+
+ <para><command>tridge = "Andrew Tridgell"</command></para>
+
+ <para>would map the windows username "Andrew Tridgell" to the
+ unix username "tridge".</para>
+
+ <para>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</para>
+
+ <para><programlisting>
+ !sys = mary fred
+ guest = *
+ </programlisting></para>
+
+ <para>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <constant>
+ fred</constant> is remapped to <constant>mary</constant> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <constant>mary</constant> not
+ <constant>fred</constant>. The only exception to this is the
+ username passed to the <link linkend="PASSWORDSERVER"><parameter>
+ password server</parameter></link> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</para>
+
+ <para>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</para>
+
+ <para>Default: <emphasis>no username map</emphasis></para>
+ <para>Example: <command>username map = /usr/local/samba/lib/users.map
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="UTMP">utmp (S)</term>
+ <listitem><para>This boolean parameter is only available if
+ Samba has been configured and compiled with the option <command>
+ --with-utmp</command>. If set to True then Samba will attempt
+ to add utmp or utmpx records (depending on the UNIX system) whenever a
+ connection is made to a Samba server. Sites may use this to record the
+ user connecting to a Samba share.</para>
+
+ <para>See also the <link linkend="UTMPDIRECTORY"><parameter>
+ utmp directory</parameter></link> parameter.</para>
+
+ <para>Default: <command>utmp = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="UTMPDIRECTORY">utmp directory(G)</term>
+ <listitem><para>This parameter is only available if Samba has
+ been configured and compiled with the option <command>
+ --with-utmp</command>. It specifies a directory pathname that is
+ used to store the utmp or utmpx files (depending on the UNIX system) that
+ record user connections to a Samba server. See also the <link linkend="UTMP">
+ <parameter>utmp</parameter></link> parameter. By default this is
+ not set, meaning the system will use whatever utmp file the
+ native system is set to use (usually
+ <filename>/var/run/utmp</filename> on Linux).</para>
+
+ <para>Default: <emphasis>no utmp directory</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDCACHETIME">winbind cache time</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
+ available in Samba 3.0.</para>
+
+ <para>This parameter specifies the number of seconds the
+ <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</para>
+
+ <para>Default: <command>winbind cache type = 15</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDGID">winbind gid</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
+ available in Samba 3.0.</para>
+
+ <para>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <ulink url="winbindd.8.html">
+ winbindd(8)</ulink> daemon. This range of group ids should have no
+ existing local or nis groups within it as strange conflicts can
+ occur otherwise.</para>
+
+ <para>Default: <command>winbind gid = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>winbind gid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDUID">winbind uid</term>
+ <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
+ available in Samba 3.0.</para>
+
+ <para>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <ulink url="winbindd.8.html">
+ winbindd(8)</ulink> daemon. This range of ids should have no
+ existing local or nis users within it as strange conflicts can
+ occur otherwise.</para>
+
+ <para>Default: <command>winbind uid = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>winbind uid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="VALIDCHARS">valid chars (G)</term>
+ <listitem><para>The option allows you to specify additional
+ characters that should be considered valid by the server in
+ filenames. This is particularly useful for national character
+ sets, such as adding u-umlaut or a-ring.</para>
+
+ <para>The option takes a list of characters in either integer
+ or character form with spaces between them. If you give two
+ characters with a colon between them then it will be taken as
+ an lowercase:uppercase pair.</para>
+
+ <para>If you have an editor capable of entering the characters
+ into the config file then it is probably easiest to use this
+ method. Otherwise you can specify the characters in octal,
+ decimal or hexadecimal form using the usual C notation.</para>
+
+ <para>For example to add the single character 'Z' to the charset
+ (which is a pointless thing to do as it's already there) you could
+ do one of the following</para>
+
+ <para><programlisting>
+ valid chars = Z
+ valid chars = z:Z
+ valid chars = 0132:0172
+ </programlisting></para>
+
+ <para>The last two examples above actually add two characters,
+ and alter the uppercase and lowercase mappings appropriately.</para>
+
+ <para>Note that you <emphasis>MUST</emphasis> specify this parameter
+ after the <parameter>client code page</parameter> parameter if you
+ have both set. If <parameter>client code page</parameter> is set after
+ the <parameter>valid chars</parameter> parameter the <parameter>valid
+ chars</parameter> settings will be overwritten.</para>
+
+ <para>See also the <link linkend="CLIENTCODEPAGE"><parameter>client
+ code page</parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>Samba defaults to using a reasonable set
+ of valid characters for English systems</emphasis></para>
+
+ <para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304
+ </command></para>
+
+ <para>The above example allows filenames to have the Swedish
+ characters in them.</para>
+
+ <para><emphasis>NOTE:</emphasis> It is actually quite difficult to
+ correctly produce a <parameter>valid chars</parameter> line for
+ a particular system. To automate the process <ulink
+ url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written
+ a package called <command>validchars</command> which will automatically
+ produce a complete <parameter>valid chars</parameter> line for
+ a given client system. Look in the <filename>examples/validchars/
+ </filename> subdirectory of your Samba source code distribution
+ for this package.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="VALIDUSERS">valid users (S)</term>
+ <listitem><para>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&'
+ are interpreted using the same rules as described in the
+ <parameter>invalid users</parameter> parameter.</para>
+
+ <para>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <parameter>invalid
+ users</parameter> list then access is denied for that user.</para>
+
+ <para>The current servicename is substituted for <parameter>%S
+ </parameter>. This is useful in the [homes] section.</para>
+
+ <para>See also <link linkend="INVALIDUSERS"><parameter>invalid users
+ </parameter></link></para>
+
+ <para>Default: <emphasis>No valid users list (anyone can login)
+ </emphasis></para>
+
+ <para>Example: <command>valid users = greg, @pcusers</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="VETOFILES">veto files(S)</term>
+ <listitem><para>This is a list of files and directories that
+ are neither visible nor accessible. Each entry in the list must
+ be separated by a '/', which allows spaces to be included
+ in the entry. '*' and '?' can be used to specify multiple files
+ or directories as in DOS wildcards.</para>
+
+ <para>Each entry must be a unix path, not a DOS path and
+ must <emphasis>not</emphasis> include the unix directory
+ separator '/'.</para>
+
+ <para>Note that the <parameter>case sensitive</parameter> option
+ is applicable in vetoing files.</para>
+
+ <para>One feature of the veto files parameter that it is important
+ to be aware of, is that if a directory contains nothing but files
+ that match the veto files parameter (which means that Windows/DOS
+ clients cannot ever see them) is deleted, the veto files within
+ that directory <emphasis>are automatically deleted</emphasis> along
+ with it, if the user has UNIX permissions to do so.</para>
+
+ <para>Setting this parameter will affect the performance
+ of Samba, as it will be forced to check all files and directories
+ for a match as they are scanned.</para>
+
+ <para>See also <link linkend="HIDEFILES"><parameter>hide files
+ </parameter></link> and <link linkend="CASESENSITIVE"><parameter>
+ case sensitive</parameter></link>.</para>
+
+ <para>Default: <emphasis>No files or directories are vetoed.
+ </emphasis></para>
+
+ <para>Examples:<programlisting>
+ ; Veto any files containing the word Security,
+ ; any ending in .tmp, and any directory containing the
+ ; word root.
+ veto files = /*Security*/*.tmp/*root*/
+
+ ; Veto the Apple specific files that a NetAtalk server
+ ; creates.
+ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+ </programlisting></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="VETOOPLOCKFILES">veto oplock files (S)</term>
+ <listitem><para>This parameter is only valid when the <link
+ linkend="OPLOCKS"><parameter>oplocks</parameter></link>
+ parameter is turned on for a share. It allows the Samba administrator
+ to selectively turn off the granting of oplocks on selected files that
+ match a wildcarded list, similar to the wildcarded list used in the
+ <link linkend="VETOFILES"><parameter>veto files</parameter></link>
+ parameter.</para>
+
+ <para>Default: <emphasis>No files are vetoed for oplock
+ grants</emphasis></para>
+
+ <para>You might want to do this on files that you know will
+ be heavily contended for by clients. A good example of this
+ is in the NetBench SMB benchmark program, which causes heavy
+ client contention for files ending in <filename>.SEM</filename>.
+ To cause Samba not to grant oplocks on these files you would use
+ the line (either in the [global] section or in the section for
+ the particular NetBench share :</para>
+
+ <para>Example: <command>veto oplock files = /*;.SEM/
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="VOLUME">volume (S)</term>
+ <listitem><para> This allows you to override the volume label
+ returned for a share. Useful for CDROMs with installation programs
+ that insist on a particular volume label.</para>
+
+ <para>Default: <emphasis>the name of the share</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WIDELINKS">wide links (S)</term>
+ <listitem><para>This parameter controls whether or not links
+ in the UNIX file system may be followed by the server. Links
+ that point to areas within the directory tree exported by the
+ server are always allowed; this parameter controls access only
+ to areas that are outside the directory tree being exported.</para>
+
+ <para>Note that setting this parameter can have a negative
+ effect on your server performance due to the extra system calls
+ that Samba has to do in order to perform the link checks.</para>
+
+ <para>Default: <command>wide links = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WINSPROXY">wins proxy (G)</term>
+ <listitem><para>This is a boolean that controls if <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name
+ queries on behalf of other hosts. You may need to set this
+ to <constant>yes</constant> for some older clients.</para>
+
+ <para>Default: <command>wins proxy = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WINSSERVER">wins server (G)</term>
+ <listitem><para>This specifies the IP address (or DNS name: IP
+ address for preference) of the WINS server that <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> should register with. If you have a WINS server on
+ your network then you should set this to the WINS server's IP.</para>
+
+ <para>You should point this at your WINS server if you have a
+ multi-subnetted network.</para>
+
+ <para><emphasis>NOTE</emphasis>. You need to set up Samba to point
+ to a WINS server if you have multiple subnets and wish cross-subnet
+ browsing to work correctly.</para>
+
+ <para>See the documentation file <filename>BROWSING.txt</filename>
+ in the docs/ directory of your Samba source distribution.</para>
+
+ <para>Default: <emphasis>not enabled</emphasis></para>
+ <para>Example: <command>wins server = 192.9.200.1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WINSHOOK">wins hook (G)</term>
+ <listitem><para>When Samba is running as a WINS server this
+ allows you to call an external program for all changes to the
+ WINS database. The primary use for this option is to allow the
+ dynamic update of external name resolution databases such as
+ dynamic DNS.</para>
+
+ <para>The wins hook parameter specifies the name of a script
+ or executable that will be called as follows:</para>
+
+ <para><command>wins_hook operation name nametype ttl IP_list
+ </command></para>
+
+ <itemizedlist>
+ <listitem><para>The first argument is the operation and is one
+ of "add", "delete", or "refresh". In most cases the operation can
+ be ignored as the rest of the parameters provide sufficient
+ information. Note that "refresh" may sometimes be called when the
+ name has not previously been added, in that case it should be treated
+ as an add.</para></listitem>
+
+ <listitem><para>The second argument is the netbios name. If the
+ name is not a legal name then the wins hook is not called.
+ Legal names contain only letters, digits, hyphens, underscores
+ and periods.</para></listitem>
+
+ <listitem><para>The third argument is the netbios name
+ type as a 2 digit hexadecimal number. </para></listitem>
+
+ <listitem><para>The fourth argument is the TTL (time to live)
+ for the name in seconds.</para></listitem>
+
+ <listitem><para>The fifth and subsequent arguments are the IP
+ addresses currently registered for that name. If this list is
+ empty then the name should be deleted.</para></listitem>
+ </itemizedlist>
+
+ <para>An example script that calls the BIND dynamic DNS update
+ program <command>nsupdate</command> is provided in the examples
+ directory of the Samba source code. </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WINSSUPPORT">wins support (G)</term>
+ <listitem><para>This boolean controls if the <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> process in Samba will act as a WINS server. You should
+ not set this to true unless you have a multi-subnetted network and
+ you wish a particular <command>nmbd</command> to be your WINS server.
+ Note that you should <emphasis>NEVER</emphasis> set this to true
+ on more than one machine in your network.</para>
+
+ <para>Default: <command>wins support = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WORKGROUP">workgroup (G)</term>
+ <listitem><para>This controls what workgroup your server will
+ appear to be in when queried by clients. Note that this parameter
+ also controls the Domain name used with the <link
+ linkend="WORKGROUP"><command>security=domain</command></link>
+ setting.</para>
+
+ <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para>
+ <para>Example: <command>workgroup = MYGROUP</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITABLE">writable (S)</term>
+ <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
+ writeable</parameter></link> for people who can't spell :-).</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITELIST">write list (S)</term>
+ <listitem><para>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <link
+ linkend="WRITEABLE"><parameter>writeable</parameter></link>
+ option is set to. The list can include group names using the
+ @group syntax.</para>
+
+ <para>Note that if a user is in both the read list and the
+ write list then they will be given write access.</para>
+
+ <para>See also the <link linkend="READLIST"><parameter>read list
+ </parameter></link> option.</para>
+
+ <para>Default: <command>write list = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>write list = admin, root, @staff
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITECACHESIZE">write cache size (S)</term>
+ <listitem><para>This integer parameter (new with Samba 2.0.7)
+ if set to non-zero causes Samba to create an in-memory cache for
+ each oplocked file (it does <emphasis>not</emphasis> do this for
+ non-oplocked files). All writes that the client does not request
+ to be flushed directly to disk will be stored in this cache if possible.
+ The cache is flushed onto disk when a write comes in whose offset
+ would not fit into the cache or when the file is closed by the client.
+ Reads for the file are also served from this cache if the data is stored
+ within it.</para>
+
+ <para>This cache allows Samba to batch client writes into a more
+ efficient write size for RAID disks (ie. writes may be tuned to
+ be the RAID stripe size) and can improve performance on systems
+ where the disk subsystem is a bottleneck but there is free
+ memory for userspace programs.</para>
+
+ <para>The integer parameter specifies the size of this cache
+ (per oplocked file) in bytes.</para>
+
+ <para>Default: <command>write cache size = 0</command></para>
+ <para>Example: <command>write cache size = 262144</command></para>
+
+ <para>for a 256k cache size per file.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITEOK">write ok (S)</term>
+ <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
+ writeable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITERAW">write raw (G)</term>
+ <listitem><para>This parameter controls whether or not the server
+ will support raw writes SMB's when transferring data from clients.
+ You should never need to change this parameter.</para>
+
+ <para>Default: <command>write raw = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITEABLE">writeable (S)</term>
+ <listitem><para>An inverted synonym is <link linkend="READONLY">
+ <parameter>read only</parameter></link>.</para>
+
+ <para>If this parameter is <constant>no</constant>, then users
+ of a service may not create or modify files in the service's
+ directory.</para>
+
+ <para>Note that a printable service (<command>printable = yes</command>)
+ will <emphasis>ALWAYS</emphasis> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</para>
+
+ <para>Default: <command>writeable = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ </variablelist>
+
+</refsect1>
+
+<refsect1>
+ <title>WARNINGS</title>
+
+ <para>Although the configuration file permits service names
+ to contain spaces, your client software may not. Spaces will
+ be ignored in comparisons anyway, so it shouldn't be a
+ problem - but be aware of the possibility.</para>
+
+ <para>On a similar note, many clients - especially DOS clients -
+ limit service names to eight characters. <ulink url="smbd.8.html">smbd(8)
+ </ulink> has no such limitation, but attempts to connect from such
+ clients will fail if they truncate the service names. For this reason
+ you should probably keep your service names down to eight characters
+ in length.</para>
+
+ <para>Use of the [homes] and [printers] special sections make life
+ for an administrator easy, but the various combinations of default
+ attributes can be tricky. Take extreme care when designing these
+ sections. In particular, ensure that the permissions on spool
+ directories are correct.</para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="samba.7.html">samba(7)</ulink>,
+ <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>,
+ <ulink url="swat.8.html"><command>swat(8)</command></ulink>,
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>,
+ <ulink url="nmblookup.1.html"><command>nmblookup(1)</command></ulink>,
+ <ulink url="testparm.1.html"><command>testparm(1)</command></ulink>,
+ <ulink url="testprns.1.html"><command>testprns(1)</command></ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>