field | value | date
---|---|---
author | Alexander Bokovoy <ab@samba.org> | 2003-03-27 15:27:19 +0000
committer | Alexander Bokovoy <ab@samba.org> | 2003-03-27 15:27:19 +0000
commit | 5cd3d3f14ef56ff5f1d92aba0174649f3d368f66 (patch) |
tree | 7982c107cb4ecf2b739dd0d21b591aca20e9b19a /docs/docbook/smbdotconf/smb.conf.5.xml |
parent | 7c6a4de6f97287e43405b66baa81aa328315de7c (diff) |
download | samba-5cd3d3f14ef56ff5f1d92aba0174649f3d368f66.tar.gz samba-5cd3d3f14ef56ff5f1d92aba0174649f3d368f66.tar.bz2 samba-5cd3d3f14ef56ff5f1d92aba0174649f3d368f66.zip |
Add new framework for smb.conf(5). Please read README before trying to compile.
I will commit more meta-information updates during week-end.
(This used to be commit 8d684dffab6a90b3d612a1aa2b2c457a2bc2e6ac)
Diffstat (limited to 'docs/docbook/smbdotconf/smb.conf.5.xml')

mode | file | lines
---|---|---
-rw-r--r-- | docs/docbook/smbdotconf/smb.conf.5.xml | 685

1 files changed, 685 insertions, 0 deletions
diff --git a/docs/docbook/smbdotconf/smb.conf.5.xml b/docs/docbook/smbdotconf/smb.conf.5.xml new file mode 100644 index 0000000000..e37add4206 --- /dev/null +++ b/docs/docbook/smbdotconf/smb.conf.5.xml 
@@ -0,0 +1,685 @@ +<?xml version="1.0" encoding="iso8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + +<!ENTITY % globalentities SYSTEM './../global.ent'> %globalentities; +]> +<refentry id="smb.conf.5"> + +<refmeta> + <refentrytitle>smb.conf</refentrytitle> + <manvolnum>5</manvolnum> +</refmeta> + + +<refnamediv> + <refname>smb.conf</refname> + <refpurpose>The configuration file for the Samba suite</refpurpose> +</refnamediv> + +<refsect1> + <title>SYNOPSIS</title> + + <para>The <filename moreinfo="none">smb.conf</filename> file is a configuration + file for the Samba suite. <filename moreinfo="none">smb.conf</filename> contains + runtime configuration information for the Samba programs. The <filename moreinfo="none">smb.conf</filename> file + is designed to be configured and administered by the <citerefentry><refentrytitle>swat</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> program. The complete + description of the file format and possible parameters held within + are here for reference purposes.</para> </refsect1> + +<refsect1> + <title id="FILEFORMATSECT">FILE FORMAT</title> + + <para>The file consists of sections and parameters. A section + begins with the name of the section in square brackets and continues + until the next section begins. Sections contain parameters of the + form</para> + + <para><replaceable>name</replaceable> = <replaceable>value + </replaceable></para> + + <para>The file is line-based - that is, each newline-terminated + line represents either a comment, a section name or a parameter.</para> + + <para>Section and parameter names are not case sensitive.</para> + + <para>Only the first equals sign in a parameter is significant. + Whitespace before or after the first equals sign is discarded. + Leading, trailing and internal whitespace in section and parameter + names is irrelevant. 
Leading and trailing whitespace in a parameter + value is discarded. Internal whitespace within a parameter value + is retained verbatim.</para> + + <para>Any line beginning with a semicolon (';') or a hash ('#') + character is ignored, as are lines containing only whitespace.</para> + + <para>Any line ending in a '\' is continued + on the next line in the customary UNIX fashion.</para> + + <para>The values following the equals sign in parameters are all + either a string (no quotes needed) or a boolean, which may be given + as yes/no, 0/1 or true/false. Case is not significant in boolean + values, but is preserved in string values. Some items such as + create modes are numeric.</para> +</refsect1> + +<refsect1> + <title>SECTION DESCRIPTIONS</title> + + <para>Each section in the configuration file (except for the + [global] section) describes a shared resource (known + as a "share"). The section name is the name of the + shared resource and the parameters within the section define + the shares attributes.</para> + + <para>There are three special sections, [global], + [homes] and [printers], which are + described under <emphasis>special sections</emphasis>. The + following notes apply to ordinary section descriptions.</para> + + <para>A share consists of a directory to which access is being + given plus a description of the access rights which are granted + to the user of the service. Some housekeeping options are + also specifiable.</para> + + <para>Sections are either file share services (used by the + client as an extension of their native file systems) or + printable services (used by the client to access print services + on the host running the server).</para> + + <para>Sections may be designated <emphasis>guest</emphasis> services, + in which case no password is required to access them. 
A specified + UNIX <emphasis>guest account</emphasis> is used to define access + privileges in this case.</para> + + <para>Sections other than guest services will require a password + to access them. The client provides the username. As older clients + only provide passwords and not usernames, you may specify a list + of usernames to check against the password using the "user =" + option in the share definition. For modern clients such as + Windows 95/98/ME/NT/2000, this should not be necessary.</para> + + <para>Note that the access rights granted by the server are + masked by the access rights granted to the specified or guest + UNIX user by the host system. The server does not grant more + access than the host system grants.</para> + + <para>The following sample section defines a file space share. + The user has write access to the path <filename moreinfo="none">/home/bar</filename>. + The share is accessed via the share name "foo":</para> + +<screen format="linespecific"> +<computeroutput moreinfo="none"> +[foo] + path = /home/bar + read only = no +</computeroutput> +</screen> + + <para>The following sample section defines a printable share. + The share is readonly, but printable. That is, the only write + access permitted is via calls to open, write to and close a + spool file. The <emphasis>guest ok</emphasis> parameter means + access will be permitted as the default guest user (specified + elsewhere):</para> + +<screen format="linespecific"> +<computeroutput moreinfo="none"> +[aprinter] + path = /usr/spool/public + read only = yes + printable = yes + guest ok = yes +</computeroutput> +</screen> +</refsect1> + +<refsect1> + <title>SPECIAL SECTIONS</title> + + <refsect2> + <title>The [global] section</title> + + <para>parameters in this section apply to the server + as a whole, or are defaults for sections which do not + specifically define certain items. 
See the notes + under PARAMETERS for more information.</para> + </refsect2> + + <refsect2> + <title id="HOMESECT">The [homes] section</title> + + <para>If a section called homes is included in the + configuration file, services connecting clients to their + home directories can be created on the fly by the server.</para> + + <para>When the connection request is made, the existing + sections are scanned. If a match is found, it is used. If no + match is found, the requested section name is treated as a + user name and looked up in the local password file. If the + name exists and the correct password has been given, a share is + created by cloning the [homes] section.</para> + + <para>Some modifications are then made to the newly + created share:</para> + + <itemizedlist> + <listitem><para>The share name is changed from homes to + the located username.</para></listitem> + + <listitem><para>If no path was given, the path is set to + the user's home directory.</para></listitem> + </itemizedlist> + + <para>If you decide to use a <emphasis>path =</emphasis> line + in your [homes] section then you may find it useful + to use the %S macro. For example :</para> + + <para><userinput moreinfo="none">path = /data/pchome/%S</userinput></para> + + <para>would be useful if you have different home directories + for your PCs than for UNIX access.</para> + + <para>This is a fast and simple way to give a large number + of clients access to their home directories with a minimum + of fuss.</para> + + <para>A similar process occurs if the requested section + name is "homes", except that the share name is not + changed to that of the requesting user. This method of using + the [homes] section works well if different users share + a client PC.</para> + + <para>The [homes] section can specify all the parameters + a normal service section can specify, though some make more sense + than others. 
The following is a typical and suitable [homes] + section:</para> + +<screen format="linespecific"> +<computeroutput moreinfo="none"> +[homes] + read only = no +</computeroutput> +</screen> + + <para>An important point is that if guest access is specified + in the [homes] section, all home directories will be + visible to all clients <emphasis>without a password</emphasis>. + In the very unlikely event that this is actually desirable, it + would be wise to also specify <emphasis>read only + access</emphasis>.</para> + + <para>Note that the <emphasis>browseable</emphasis> flag for + auto home directories will be inherited from the global browseable + flag, not the [homes] browseable flag. This is useful as + it means setting <emphasis>browseable = no</emphasis> in + the [homes] section will hide the [homes] share but make + any auto home directories visible.</para> + </refsect2> + + <refsect2> + <title id="PRINTERSSECT">The [printers] section</title> + + <para>This section works like [homes], + but for printers.</para> + + <para>If a [printers] section occurs in the + configuration file, users are able to connect to any printer + specified in the local host's printcap file.</para> + + <para>When a connection request is made, the existing sections + are scanned. If a match is found, it is used. If no match is found, + but a [homes] section exists, it is used as described + above. Otherwise, the requested section name is treated as a + printer name and the appropriate printcap file is scanned to see + if the requested section name is a valid printer share name. 
If + a match is found, a new printer share is created by cloning + the [printers] section.</para> + + <para>A few modifications are then made to the newly created + share:</para> + + <itemizedlist> + <listitem><para>The share name is set to the located printer + name</para></listitem> + + <listitem><para>If no printer name was given, the printer name + is set to the located printer name</para></listitem> + + <listitem><para>If the share does not permit guest access and + no username was given, the username is set to the located + printer name.</para></listitem> + </itemizedlist> + + <para>Note that the [printers] service MUST be + printable - if you specify otherwise, the server will refuse + to load the configuration file.</para> + + <para>Typically the path specified would be that of a + world-writeable spool directory with the sticky bit set on + it. A typical [printers] entry would look like + this:</para> + +<screen format="linespecific"><computeroutput moreinfo="none"> +[printers] + path = /usr/spool/public + guest ok = yes + printable = yes +</computeroutput></screen> + + <para>All aliases given for a printer in the printcap file + are legitimate printer names as far as the server is concerned. + If your printing subsystem doesn't work like that, you will have + to set up a pseudo-printcap. This is a file consisting of one or + more lines like this:</para> + +<screen format="linespecific"> +<computeroutput moreinfo="none"> +alias|alias|alias|alias... +</computeroutput> +</screen> + + <para>Each alias should be an acceptable printer name for + your printing subsystem. In the [global] section, specify + the new file as your printcap. The server will then only recognize + names found in your pseudo-printcap, which of course can contain + whatever aliases you like. 
The same technique could be used + simply to limit access to a subset of your local printers.</para> + + <para>An alias, by the way, is defined as any component of the + first entry of a printcap record. Records are separated by newlines, + components (if there are more than one) are separated by vertical + bar symbols ('|').</para> + + <para>NOTE: On SYSV systems which use lpstat to determine what + printers are defined on the system you may be able to use + "printcap name = lpstat" to automatically obtain a list + of printers. See the "printcap name" option + for more details.</para> + </refsect2> +</refsect1> + +<refsect1> + <title>PARAMETERS</title> + + <para>parameters define the specific attributes of sections.</para> + + <para>Some parameters are specific to the [global] section + (e.g., <emphasis>security</emphasis>). Some parameters are usable + in all sections (e.g., <emphasis>create mode</emphasis>). All others + are permissible only in normal sections. For the purposes of the + following descriptions the [homes] and [printers] + sections will be considered normal. The letter <emphasis>G</emphasis> + in parentheses indicates that a parameter is specific to the + [global] section. The letter <emphasis>S</emphasis> + indicates that a parameter can be specified in a service specific + section. Note that all <emphasis>S</emphasis> parameters can also be specified in + the [global] section - in which case they will define + the default behavior for all services.</para> + + <para>parameters are arranged here in alphabetical order - this may + not create best bedfellows, but at least you can find them! Where + there are synonyms, the preferred synonym is described, others refer + to the preferred synonym.</para> +</refsect1> + +<refsect1> + <title>VARIABLE SUBSTITUTIONS</title> + + <para>Many of the strings that are settable in the config file + can take substitutions. 
For example the option "path = + /tmp/%u" would be interpreted as "path = + /tmp/john" if the user connected with the username john.</para> + + <para>These substitutions are mostly noted in the descriptions below, + but there are some general substitutions which apply whenever they + might be relevant. These are:</para> + + <variablelist> + <varlistentry> + <term>%U</term> + <listitem><para>session user name (the user name that the client + wanted, not necessarily the same as the one they got).</para></listitem> + </varlistentry> + + <varlistentry> + <term>%G</term> + <listitem><para>primary group name of %U.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%h</term> + <listitem><para>the Internet hostname that Samba is running + on.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%m</term> + <listitem><para>the NetBIOS name of the client machine + (very useful).</para></listitem> + </varlistentry> + + <varlistentry> + <term>%L</term> + <listitem><para>the NetBIOS name of the server. This allows you + to change your config based on what the client calls you. Your + server can have a "dual personality".</para> + + <para>Note that this parameter is not available when Samba listens + on port 445, as clients no longer send this information </para> + </listitem> + + </varlistentry> + + <varlistentry> + <term>%M</term> + <listitem><para>the Internet name of the client machine. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>%R</term> + <listitem><para>the selected protocol level after + protocol negotiation. It can be one of CORE, COREPLUS, + LANMAN1, LANMAN2 or NT1.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%d</term> + <listitem><para>The process id of the current server + process.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%a</term> + <listitem><para>the architecture of the remote + machine. Only some are recognized, and those may not be + 100% reliable. 
It currently recognizes Samba, WfWg, Win95, + WinNT and Win2k. Anything else will be known as + "UNKNOWN". If it gets it wrong then sending a level + 3 log to <ulink url="mailto:samba@samba.org">samba@samba.org + </ulink> should allow it to be fixed.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%I</term> + <listitem><para>The IP address of the client machine.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>%T</term> + <listitem><para>the current date and time.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%D</term> + <listitem><para>Name of the domain or workgroup of the current user.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%$(<replaceable>envvar</replaceable>)</term> + <listitem><para>The value of the environment variable + <replaceable>envar</replaceable>.</para></listitem> + </varlistentry> + </variablelist> + + <para>The following substitutes apply only to some configuration options(only those + that are used when a connection has been established):</para> + + <variablelist> + <varlistentry> + <term>%S</term> + <listitem><para>the name of the current service, if any.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>%P</term> + <listitem><para>the root directory of the current service, + if any.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%u</term> + <listitem><para>user name of the current service, if any.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>%g</term> + <listitem><para>primary group name of %u.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%H</term> + <listitem><para>the home directory of the user given + by %u.</para></listitem> + </varlistentry> + + <varlistentry> + <term>%N</term> + <listitem><para>the name of your NIS home directory server. + This is obtained from your NIS auto.map entry. 
If you have + not compiled Samba with the <emphasis>--with-automount</emphasis> + option then this value will be the same as %L.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>%p</term> + <listitem><para>the path of the service's home directory, + obtained from your NIS auto.map entry. The NIS auto.map entry + is split up as "%N:%p".</para></listitem> + </varlistentry> + </variablelist> + + <para>There are some quite creative things that can be done + with these substitutions and other smb.conf options.</para> +</refsect1> + +<refsect1> + <title id="NAMEMANGLINGSECT">NAME MANGLING</title> + + <para>Samba supports "name mangling" so that DOS and + Windows clients can use files that don't conform to the 8.3 format. + It can also be set to adjust the case of 8.3 format filenames.</para> + + <para>There are several options that control the way mangling is + performed, and they are grouped here rather than listed separately. + For the defaults look at the output of the testparm program. </para> + + <para>All of these options can be set separately for each service + (or globally, of course). </para> + + <para>The options are: </para> + + <variablelist> + + <varlistentry> + <term>mangle case = yes/no</term> + <listitem><para> controls if names that have characters that + aren't of the "default" case are mangled. For example, + if this is yes then a name like "Mail" would be mangled. + Default <emphasis>no</emphasis>.</para></listitem> + </varlistentry> + + <varlistentry> + <term>case sensitive = yes/no</term> + <listitem><para>controls whether filenames are case sensitive. If + they aren't then Samba must do a filename search and match on passed + names. Default <emphasis>no</emphasis>.</para></listitem> + </varlistentry> + + <varlistentry> + <term>default case = upper/lower</term> + <listitem><para>controls what the default case is for new + filenames. 
Default <emphasis>lower</emphasis>.</para></listitem> + </varlistentry> + + <varlistentry> + <term>preserve case = yes/no</term> + <listitem><para>controls if new files are created with the + case that the client passes, or if they are forced to be the + "default" case. Default <emphasis>yes</emphasis>. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>short preserve case = yes/no</term> + <listitem><para>controls if new files which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created + upper case, or if they are forced to be the "default" + case. This option can be use with "preserve case = yes" + to permit long filenames to retain their case, while short names + are lowercased. Default <emphasis>yes</emphasis>.</para></listitem> + </varlistentry> + </variablelist> + + <para>By default, Samba 3.0 has the same semantics as a Windows + NT server, in that it is case insensitive but case preserving.</para> + +</refsect1> + +<refsect1> + <title id="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title> + + <para>There are a number of ways in which a user can connect + to a service. The server uses the following steps in determining + if it will allow a connection to a specified service. If all the + steps fail, then the connection request is rejected. However, if one of the + steps succeeds, then the following steps are not checked.</para> + + <para>If the service is marked "guest only = yes" and the + server is running with share-level security ("security = share") + then steps 1 to 5 are skipped.</para> + + + <orderedlist continuation="restarts" inheritnum="ignore" numeration="arabic"> + <listitem><para>If the client has passed a username/password + pair and that username/password pair is validated by the UNIX + system's password programs then the connection is made as that + username. 
Note that this includes the + \\server\service%<replaceable>username</replaceable> method of passing + a username.</para></listitem> + + <listitem><para>If the client has previously registered a username + with the system and now supplies a correct password for that + username then the connection is allowed.</para></listitem> + + <listitem><para>The client's NetBIOS name and any previously + used user names are checked against the supplied password, if + they match then the connection is allowed as the corresponding + user.</para></listitem> + + <listitem><para>If the client has previously validated a + username/password pair with the server and the client has passed + the validation token then that username is used. </para></listitem> + + <listitem><para>If a "user = " field is given in the + <filename moreinfo="none">smb.conf</filename> file for the service and the client + has supplied a password, and that password matches (according to + the UNIX system's password checking) with one of the usernames + from the "user =" field then the connection is made as + the username in the "user =" line. If one + of the username in the "user =" list begins with a + '@' then that name expands to a list of names in + the group of the same name.</para></listitem> + + <listitem><para>If the service is a guest service then a + connection is made as the username given in the "guest + account =" for the service, irrespective of the + supplied password.</para></listitem> + </orderedlist> + +</refsect1> + +<refsect1> + <title>COMPLETE LIST OF GLOBAL PARAMETERS</title> + + <para>Here is a list of all global parameters. See the section of + each parameter for details. Note that some are synonyms.</para> + + <xi:include href="parameters.global.xml" parse="xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> + +</refsect1> + +<refsect1> + <title>COMPLETE LIST OF SERVICE PARAMETERS</title> + + <para>Here is a list of all service parameters. See the section on + each parameter for details. 
Note that some are synonyms.</para> + + <xi:include href="parameters.service.xml" parse="xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> + +</refsect1> + +<refsect1> + <title>EXPLANATION OF EACH PARAMETER</title> + + <xi:include href="parameters.all.xml" parse="xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> + +</refsect1> + +<refsect1> + <title>WARNINGS</title> + + <para>Although the configuration file permits service names + to contain spaces, your client software may not. Spaces will + be ignored in comparisons anyway, so it shouldn't be a + problem - but be aware of the possibility.</para> + + <para>On a similar note, many clients - especially DOS clients - + limit service names to eight characters. <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> has no such limitation, but attempts to connect from such + clients will fail if they truncate the service names. For this reason + you should probably keep your service names down to eight characters + in length.</para> + + <para>Use of the [homes] and [printers] special sections make life + for an administrator easy, but the various combinations of default + attributes can be tricky. Take extreme care when designing these + sections. 
In particular, ensure that the permissions on spool + directories are correct.</para> +</refsect1> + +<refsect1> + <title>VERSION</title> + + <para>This man page is correct for version 3.0 of the Samba suite.</para> +</refsect1> + +<refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbpasswd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>swat</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>nmbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbclient</refentrytitle> + <manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>nmblookup</refentrytitle> + <manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>testparm</refentrytitle> + <manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>testprns</refentrytitle> + <manvolnum>1</manvolnum></citerefentry>.</para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <ulink url="ftp://ftp.icce.rug.nl/pub/unix/"> + ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.</para> +</refsect1> + +</refentry> |