Whew! smb.conf.5.yo completely converted to DocBook (only after 2 & 1/2

days :) ).  The man page generation is fine.  Some anchor tags
need to be tweaked to get the HTML generation correct.

Also, I have done very little editing which means that we'll have to go
through and verify acurracy of things like default values, etc...
(This used to be commit 9fb11c5ec6d439544549060903ea0f275f5de9a9)

1 files changed, 3057 insertions, 20 deletions

diff --git a/docs/docbook/smb.conf.5.sgml b/docs/docbook/smb.conf.5.sgml
index 16d72a01ce..6e44a7a59a 100644
--- a/docs/docbook/smb.conf.5.sgml
+++ b/docs/docbook/smb.conf.5.sgml
@@ -215,7 +215,7 @@
 	</refsect2>
 	
 	<refsect2>
-		<title id="printersect">The [printers] section</title>
+		<title id="printerssect">The [printers] section</title>
 		
 		<para>This section works like [homes], 
 		but for printers.</para>
@@ -529,7 +529,7 @@
 </refsect1>
 
 <refsect1>
-	<title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
+	<title id="validationsect">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
 
 	<para>There are a number of ways in which a user can connect 
 	to a service. The server follows the following steps in determining 
@@ -670,7 +670,6 @@
 		<listitem><para><parameter>ole locking compatibility</parameter></para></listitem>
 		<listitem><para><parameter>oplock break wait time</parameter> </para></listitem>
 		<listitem><para><parameter>os level</parameter> </para></listitem>
-		<listitem><para><parameter>packet size</parameter> </para></listitem>
 		<listitem><para><parameter>panic action</parameter> </para></listitem>
 		<listitem><para><parameter>passwd chat</parameter></para></listitem>
 		<listitem><para><parameter>passwd chat debug</parameter> </para></listitem>
@@ -1596,7 +1595,7 @@
 		<term id="defaultcase">default case (S)</term>
 		<listitem><para>See the section on <link linkend="namemanglingsect">
 		NAME MANGLING"</link>. Also note the <link linkend="shortpreservecase">
-		<parameter>short preserve case"</parameter>></link> parameter.</para>
+		<parameter>short preserve case"</parameter></link> parameter.</para>
 		</listitem>
 		</varlistentry>
 
@@ -1688,7 +1687,7 @@
 		UNIX users are dynamically deleted to match existing Windows NT 
 		accounts.</para>
 
-		<para>See also <link linkend="securitydomain">security=domain</link>,
+		<para>See also <link linkend="securityequalsdomain">security=domain</link>,
 		<link linkend="passwordserver"><parameter>password server</parameter>
 		</link>, <link linkend="adduserscript"><parameter>add user script</parameter>
 		</link>.</para>
@@ -2300,7 +2299,7 @@
 		it to 0000.</para>
 
 		<para>See also the <link linkend="directorysecuritymask"><parameter>
-		directory security mask</parameter></link>, <link linkend="secduritymask">
+		directory security mask</parameter></link>, <link linkend="securitymask">
 		<parameter>security mask</parameter></link>, 
 		<link linkend="forcesecuritymode"><parameter>force security mode
 		</parameter></link> parameters.</para>
@@ -3001,7 +3000,7 @@
 		<term id="loadprinters">load printers (G)</term>
 		<listitem><para>A boolean variable that controls whether all 
 		printers in the printcap will be loaded for browsing by default. 
-		See the <link linkend="printersect">printers</link> section for 
+		See the <link linkend="printerssect">printers</link> section for 
 		more details.</para>
 
 		<para>Default: <command>load printers = yes</command></para></listitem>
@@ -3440,7 +3439,7 @@
 		<varlistentry>
 		<term id="machinepasswordtimeout">machine password timeout (G)</term>
 		<listitem><para>If a Samba server is a member of an Windows 
-		NT Domain (see the <link linkend="securitydomain">security=domain</link>) 
+		NT Domain (see the <link linkend="securityequalsdomain">security=domain</link>) 
 		parameter) then periodically a running <ulink url="smbd.8.html">
 		smbd(8)</ulink> process will try and change the MACHINE ACCOUNT 
 		PASSWORD stored in the TDB called <filename>private/secrets.tdb
@@ -3449,7 +3448,7 @@
 		seconds), the same as a Windows NT Domain member server.</para>
 
 		<para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8)
-		</command></ulink>, and the <link linkend="securitydomain">
+		</command></ulink>, and the <link linkend="securityequalsdomain">
 		security=domain</link>) parameter.</para>
 
 		<para>Default: <command>machine password timeout = 604800</command></para>
@@ -3509,7 +3508,7 @@
 
 		<varlistentry>
 		<term id="manglecase">mangle case (S)</term>
-		<listitem><para>See the section on <link linkend="manmaglingsect">
+		<listitem><para>See the section on <link linkend="namemanglingsect">
 		NAME MANGLING</link></para>
 		</listitem>
 		</varlistentry>
@@ -3841,15 +3840,6 @@
 
 
 		<varlistentry>
-		<term id="maxpacket">max packet (G)</term>
-		<listitem><para>Synonym for <link linkend="packetsize"><parameter>
-		packet size</parameter></link>.</para>
-		</listitem>
-		</varlistentry>
-
-
-
-		<varlistentry>
 		<term id="maxttl">max ttl (G)</term>
 		<listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
 		what the default 'time to live' of NetBIOS names should be (in seconds) 
@@ -3866,7 +3856,7 @@
 		<varlistentry>
 		<term id="maxwinsttl">max wins ttl (G)</term>
 		<listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)
-		</ulink> when acting as a WINS server (<link linkend="winsupport">
+		</ulink> when acting as a WINS server (<link linkend="winssupport">
 		<parameter>wins support=yes</parameter></link>) what the maximum
 		'time to live' of NetBIOS names that <command>nmbd</command> 
 		will grant will be (in seconds). You should never need to change this
@@ -4332,6 +4322,3053 @@
 		</varlistentry>
 
 
+		<varlistentry>
+		<term id="oslevel">os level (G)</term>
+		<listitem><para>This integer value controls what level Samba 
+		advertises itself as for browse elections. The value of this 
+		parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink> 
+		has a chance of becoming a local master browser for the <parameter>
+		WORKGROUP</parameter> in the local broadcast area. The default is 
+		zero, which means <command>nmbd</command> will lose elections to 
+		Windows machines. See <filename>BROWSING.txt</filename> in the 
+		Samba <filename>docs/</filename> directory for details.</para>
+
+		<para>Default: <command>os level = 20</command></para>
+		<para>Example: <command>os level = 65 </command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="panicaction">panic action (G)</term>
+		<listitem><para>This is a Samba developer option that allows a 
+		system command to be called when either <ulink url="smbd.8.html">
+		smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink> 
+		crashes. This is usually used to draw attention to the fact that 
+		a problem occurred.</para>
+
+		<para>Default: <command>panic action = &lt;empty string&gt;</command></para>
+		<para>Example: <command>panic action = "/bin/sleep 90000"</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="passwdchat">passwd chat (G)</term>
+		<listitem><para>This string controls the <emphasis>"chat"</emphasis> 
+		conversation that takes places between <ulink 
+		url="smbd.8.html">smbd</ulink> and the local password changing
+		program to change the users password. The string describes a 
+		sequence of response-receive pairs that <ulink url="smbd.8.html">
+		smbd(8)</ulink> uses to determine what to send to the 
+		<link linkend="passwdprogram"><parameter>passwd program</parameter>
+		</link> and what to expect back. If the expected output is not 
+		received then the password is not changed.</para>
+
+		<para>This chat sequence is often quite site specific, depending 
+		on what local methods are used for password control (such as NIS 
+		etc).</para>
+
+		<para>The string can contain the macros <parameter>%o</parameter> 
+		and <parameter>%n</parameter> which are substituted for the old 
+		and new passwords respectively. It can also contain the standard 
+		macros <constant>\n</constant>, <constant>\r</constant>, <constant>
+		\t</constant> and <constant>%s</constant> to give line-feed, 
+		carriage-return, tab and space.</para>
+
+		<para>The string can also contain a '*' which matches 
+		any sequence of characters.</para>
+
+		<para>Double quotes can be used to collect strings with spaces 
+		in them into a single string.</para>
+
+		<para>If the send string in any part of the chat sequence 
+		is a fullstop ".",  then no string is sent. Similarly, 
+		is the expect string is a fullstop then no string is expected.</para>
+
+		<para>Note that if the <link linkend="unixpasswordsync"><parameter>unix 
+		password sync</parameter></link> parameter is set to true, then this 
+		sequence is called <emphasis>AS ROOT</emphasis> when the SMB password 
+		in the smbpasswd file is being changed, without access to the old 
+		password cleartext. In this case the old password cleartext is set 
+		to "" (the empty string).</para>
+
+		<para>See also <link linkend="unixpasswordsync"><parameter>unix password 
+		sync</parameter></link>, <link linkend="passwdprogram"><parameter>
+		passwd program</parameter></link> and <link linkend="passwdchatdebug">
+		<parameter>passwd chat debug</parameter></link>.</para>
+
+		<para>Default: <command>passwd chat = *old*password* %o\n *new*
+		password* %n\n *new*password* %n\n *changed*</command></para>
+		<para>Example: <command>passwd chat = "*Enter OLD password*" %o\n 
+		"*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password 
+		changed*"</command></para>
+		</listitem>
+		</varlistentry>
+
+	
+   
+		<varlistentry>
+		<term id="passwdchatdebug">passwd chat debug (G)</term>
+		<listitem><para>This boolean specifies if the passwd chat script 
+		parameter is run in <emphasis>debug</emphasis> mode. In this mode the 
+		strings passed to and received from the passwd chat are printed 
+		in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a 
+		<link linkend="debuglevel"><parameter>debug level</parameter></link> 
+		of 100. This is a dangerous option as it will allow plaintext passwords 
+		to be seen in the <command>smbd</command> log. It is available to help 
+		Samba admins debug their <parameter>passwd chat</parameter> scripts 
+		when calling the <parameter>passwd program</parameter> and should 
+		be turned off after this has been done. This parameter is off by
+		default.</para>
+
+		<para>See also <<link linkend="passwdchat"><parameter>passwd chat</parameter>
+		</link>, <link linkend="passwdprogram"><parameter>passwd program</parameter>
+		</link>.</para>
+
+		<para>Default: <command>passwd chat debug = no</command></para>
+		<para>Example: <command>passwd chat debug = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="passwdprogram">passwd program (G)</term>
+		<listitem><para>The name of a program that can be used to set 
+		UNIX user passwords.  Any occurrences of <parameter>%u</parameter> 
+		will be replaced with the user name. The user name is checked for 
+		existence before calling the password changing program.</para>
+
+		<para>Also note that many passwd programs insist in <emphasis>reasonable
+		</emphasis> passwords, such as a minimum length, or the inclusion 
+		of mixed case chars and digits. This can pose a problem as some clients 
+		(such as Windows for Workgroups) uppercase the password before sending 
+		it.</para>
+
+		<para><emphasis>Note</emphasis> that if the <parameter>unix 
+		password sync</parameter> parameter is set to <constant>True
+		</constant> then this program is called <emphasis>AS ROOT</emphasis> 
+		before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5)
+		</ulink> file is changed. If this UNIX password change fails, then 
+		<command>smbd</command> will fail to change the SMB password also 
+		(this is by design).</para>
+
+		<para>If the <parameter>unix password sync</parameter> parameter 
+		is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> 
+		for <emphasis>ALL</emphasis> programs called, and must be examined 
+		for security implications. Note that by default <parameter>unix 
+		password sync</parameter> is set to <constant>False</constant>.</para>
+
+		<para>See also <link linkend="unixpasswordsync"><parameter>unix 
+		password sync</parameter></link>.</para>
+
+		<para>Default: <command>passwd program = /bin/passwd</command></para>
+		<para>Example: <command>passwd program = /sbin/npasswd %u</command>
+		</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="passwordlevel">password level (G)</term>
+		<listitem><para>Some client/server combinations have difficulty 
+		with mixed-case passwords.  One offending client is Windows for 
+		Workgroups, which for some reason forces passwords to upper 
+		case when using the LANMAN1 protocol, but leaves them alone when 
+		using COREPLUS!</para>
+
+		<para>This parameter defines the maximum number of characters 
+		that may be upper case in passwords.</para>
+
+		<para>For example, say the password given was "FRED". If <parameter>
+		password level</parameter> is set to 1, the following combinations 
+		would be tried if "FRED" failed:</para>
+
+		<para>"Fred", "fred", "fRed", "frEd","freD"</para>
+
+		<para>If <parameter>password level</parameter> was set to 2, 
+		the following combinations would also be tried: </para>
+
+		<para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
+
+		<para>And so on.</para>
+
+		<para>The higher value this parameter is set to the more likely 
+		it is that a mixed case password will be matched against a single 
+		case password. However, you should be aware that use of this 
+		parameter reduces security and increases the time taken to 
+ 		process a new connection.</para>
+
+		<para>A value of zero will cause only two attempts to be 
+		made - the password as is and the password in all-lower case.</para>
+
+		<para>Default: <command>password level = 0</command></para>
+		<para>Example: <command>password level = 4</command</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="passwordserver">password server (G)</term>
+		<listitem><para>By specifying the name of another SMB server (such 
+		as a WinNT box) with this option, and using <command>security = domain
+		</command> or <command>security = server</command> you can get Samba 
+		to do all its username/password validation via a remote server.</para>
+
+		<para>This options sets the name of the password server to use. 
+		It must be a NetBIOS name, so if the machine's NetBIOS name is 
+		different from its internet name then you may have to add its NetBIOS 
+		name to the lmhosts  file which is stored in the same directory 
+		as the <filename>smb.conf</filename> file.</para>
+
+		<para>The name of the password server is looked up using the 
+		parameter <link linkend="nameresolveorder"><parameter>name 
+		resolve order</parameter></link> and so may resolved
+		by any method and order described in that parameter.</para>
+
+		<para>The password server much be a machine capable of using 
+		the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in 
+		user level security mode.</para>
+
+		<para><emphasis>NOTE:</emphasis> Using a password server 
+		means your UNIX box (running Samba) is only as secure as your 
+		password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT 
+		YOU DON'T COMPLETELY TRUST</emphasis>.</para>
+		
+		<para>Never point a Samba server at itself for password 
+		serving. This will cause a loop and could lock up your Samba 
+		server!</para>
+
+		<para>The name of the password server takes the standard 
+		substitutions, but probably the only useful one is <parameter>%m
+		</parameter>, which means the Samba server will use the incoming 
+	 	client as the passwordserver. If you use this then you better 
+		trust your clients, and you better restrict them with hosts allow!</para>
+
+		<para>If the <parameter>security</parameter> parameter is set to
+		<constant>domain</constant>, then the list of machines in this 
+		option must be a list of Primary or Backup Domain controllers for the
+		Domain or the character '*', as the Samba server is cryptographicly
+		in that domain, and will use cryptographicly authenticated RPC calls
+		to authenticate the user logging on. The advantage of using <command>
+		security = domain</command> is that if you list several hosts in the 
+		<parameter>password server</parameter> option then <command>smbd
+		</command> will try each in turn till it finds one that responds. This 
+		is useful in case your primary server goes down.</para>
+
+		<para>If the <parameter>password server</parameter> option is set 
+		to the character '*', then Samba will attempt to auto-locate the 
+		Primary or Backup Domain controllers to authenticate against by 
+		doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant> 
+		and then contacting each server returned in the list of IP 
+		addresses from the name resolution source. </para>
+		
+		<para>If the <parameter>security</parameter> parameter is 
+		set to <constant>server</constant>, then there are different
+		restrictions that <command>security = domain</command> doesn't 
+		suffer from:</para>
+
+		<itemizedlist>
+			<listitem><para>You may list several password servers in 
+			the <parameter>password server</parameter> parameter, however if an 
+			<command>smbd</command> makes a connection to a password server, 
+			and then the password server fails, no more users will be able 
+			to be authenticated from this <command>smbd</command>.  This is a 
+			restriction of the SMB/CIFS protocol when in <command>security=server
+			</command> mode and cannot be fixed in Samba.</para></listitem>
+
+			<listitem><para>If you are using a Windows NT server as your 
+			password server then you will have to ensure that your users 
+			are able to login from the Samba server, as when in <command>
+			security=server</command>  mode the network logon will appear to 
+			come from there rather than from the users workstation.</para></listitem>
+		</itemizedlist>
+
+		<para>See also the <link linkend="security"><parameter>security
+		</parameter></link> parameter.</para>
+
+		<para>Default: <command>password server = &lt;empty string&gt;</command>
+		</para>
+		<para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2
+		</command></para>
+		<para>Example: <command>password server = *</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="path">path (S)</term>
+		<listitem><para>This parameter specifies a directory to which 
+		the user of the service is to be given access. In the case of 
+		printable services, this is where print data will spool prior to 
+		being submitted to the host for printing.</para>
+
+		<para>For a printable service offering guest access, the service 
+		should be readonly and the path should be world-writeable and 
+		have the sticky bit set. This is not mandatory of course, but 
+		you probably won't get the results you expect if you do 
+		otherwise.</para>
+
+		<para>Any occurrences of <parameter>%u</parameter> in the path 
+		will be replaced with the UNIX username that the client is using 
+		on this connection. Any occurrences of <parameter>%m</parameter> 
+		will be replaced by the NetBIOS name of the machine they are 
+		connecting from. These replacements are very useful for setting 
+		up pseudo home directories for users.</para>
+
+		<para>Note that this path will be based on <link linkend="rootdir">
+		<parameter>root dir</parameter></link> if one was specified.</para>
+
+		<para>Default: <emphasis>none</emphasis></para>
+		<para>Example: <command>path = /home/fred</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="postexec">postexec (S)</term>
+		<listitem><para>This option specifies a command to be run 
+		whenever the service is disconnected. It takes the usual 
+		substitutions. The command may be run as the root on some 
+		systems.</para>
+
+		<para>An interesting example may be do unmount server 
+		resources:</para>
+
+		<para><command>postexec = /etc/umount /cdrom</command></para>
+
+		<para>See also <link linkend="preexec"><parameter>preexec</parameter>
+		</link>.</para>
+
+		<para>Default: <emphasis>none (no command executed)</emphasis>
+		</para>
+
+		<para>Example: <command>postexec = echo \"%u disconnected from %S 
+		from %m (%I)\" &gt;&gt; /tmp/log</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="postscript">postscript (S)</term>
+		<listitem><para>This parameter forces a printer to interpret 
+		the print files as postscript. This is done by adding a <constant>%!
+		</constant> to the start of print output.</para>
+
+		<para>This is most useful when you have lots of PCs that persist 
+		in putting a control-D at the start of print jobs, which then 
+		confuses your printer.</para>
+
+		<para>Default: <command>postscript = no</command></para>
+		</listitem>
+		</varlistentry>
+	
+	
+	
+		<varlistentry>
+		<term id="preexec">preexec (S)</term>
+		<listitem><para>This option specifies a command to be run whenever 
+		the service is connected to. It takes the usual substitutions.</para>
+
+		<para>An interesting example is to send the users a welcome 
+		message every time they log in. Maybe a message of the day? Here 
+		is an example:</para>
+
+		<para><command>preexec = csh -c 'echo \"Welcome to %S!\" |
+		 /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para>
+
+		<para>Of course, this could get annoying after a while :-)</para>
+
+		<para>See also <link linkend="preexecclose"><parameter>preexec close
+		</parameter</link> and <link linkend="postexec"><parameter>postexec
+		</parameter></link>.</para>
+
+		<para>Default: <emphasis>none (no command executed)</emphasis></para>
+		<para>Example: <command>preexec = echo \"%u connected to %S from %m
+		(%I)\" &gt;&gt; /tmp/log</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="preexecclose">preexec close (S)</term>
+		<listitem><para>This boolean option controls whether a non-zero 
+		return code from <link linkend="preexec"><parameter>preexec
+		</parameter></link> should close the service being connected to.</para>
+
+		<para>Default: <command>preexec close = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="preferredmaster">preferred master (G)</term>
+		<listitem><para>This boolean parameter controls if <ulink 
+		url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser 
+		for its workgroup.</para>
+
+		<para>If this is set to true, on startup, <command>nmbd</command> 
+		will force an election, and it will have a slight advantage in 
+		winning the election.  It is recommended that this parameter is 
+		used in conjunction with <command><link linkend="domainmaster"><parameter>
+		domain master</parameter></link> = yes</command>, so that <command>
+		nmbd</command> can guarantee becoming a domain master.</para>
+		
+		<para>Use this option with caution, because if there are several 
+		hosts (whether Samba servers, Windows 95 or NT) that are preferred 
+		master browsers on the same subnet, they will each periodically 
+		and continuously attempt to become the local master browser.  
+		This will result in unnecessary broadcast traffic and reduced browsing
+		capabilities.</para>
+
+		<para>See also <link linkend="oslevel"><parameter>os level</parameter>
+		</link>.</para>
+
+		<para>Default: <command>preferred master = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="preferedmaster">prefered master (G)</term>
+		<listitem><para>Synonym for <link linkend="preferredmaster"><parameter>
+		preferred master</parameter></link> for people who cannot spell :-).</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="preload">preload</term>
+		<listitem><para>Synonym for <link linkend="autoservices"><parameter>
+		auto services</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="preservecase">preserve case (S)</term>
+		<listitem><para> This controls if new filenames are created
+		with the case that the client passes, or if they are forced to 
+		be the <link linkend="defaultcase"><parameter>derault case
+		</parameter></link>.</para>
+
+		<para>Default: <command>preserve case = yes</command></para>
+
+		<para>See the section on <link linkend="namemanglingsect">NAME 
+		MANGLING"</link> for a fuller discussion.</para
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="printcommand">print command (S)</term>
+		<listitem><para>After a print job has finished spooling to 
+		a service, this command will be used via a <command>system()</command> 
+		call to process the spool file. Typically the command specified will 
+		submit the spool file to the host's printing subsystem, but there 
+ 		is no requirement that this be the case. The server will not remove 
+		the spool file, so whatever command you specify should remove the 
+		spool file when it has been processed, otherwise you will need to 
+		manually remove old spool files.</para>
+		
+		<para>The print command is simply a text string. It will be used 
+		verbatim, with two exceptions: All occurrences of <parameter>%s
+		</parameter> and <parameter>%f</parameter> will be replaced by the 
+		appropriate spool file name, and all occurrences of <parameter>%p
+		</parameter> will be replaced by the appropriate printer name. The 
+		spool file name is generated automatically by the server, the printer 
+		name is discussed below.</para>
+
+		<para>The print command <emphasis>MUST</emphasis> contain at least 
+		one occurrence of <parameter>%s</parameter> or <parameter>%f
+		</parameter> - the <parameter>%p</parameter> is optional. At the time 
+		a job is submitted, if no printer name is supplied the <parameter>%p
+		</parameter> will be silently removed from the printer command.</para>
+
+		<para>If specified in the [global] section, the print command given 
+		will be used for any printable service that does not have its own 
+		print command specified.</para>
+
+		<para>If there is neither a specified print command for a 
+		printable service nor a global print command, spool files will 
+		be created but not processed and (most importantly) not removed.</para>
+
+		<para>Note that printing may fail on some UNIXs from the 
+		<constant>nobody</constant> account. If this happens then create 
+		an alternative guest account that can print and set the <link
+		linkend="guestaccount"><parameter>guest account</parameter></link> 
+		in the [global] section.</para>
+
+		<para>You can form quite complex print commands by realizing 
+		that they are just passed to a shell. For example the following 
+		will log a print job, print the file, then remove it. Note that 
+		';' is the usual separator for command in shell scripts.</para>
+
+		<para><command>print command = echo Printing %s &gt;&gt; 
+		/tmp/print.log; lpr -P %p %s; rm %s</command></para>
+
+		<para>You may have to vary this command considerably depending 
+		on how you normally print files on your system. The default for 
+		the parameter varies depending on the setting of the <link linkend="printing">
+		<parameter>printing</parameter></link> parameter.</para>
+
+		<para>Default: For <command>printing= BSD, AIX, QNX, LPRNG 
+		or PLP :</command></para>
+		<para><command>print command = lpr -r -P%p %s</command></para>
+
+		<para>For <command>printing= SYS or HPUX :</command></para>
+		<para><command>print command = lp -c -d%p %s; rm %s</command></para>
+
+		<para>For <command>printing=SOFTQ :</command></para>
+		<para><command>print command = lp -d%p -s %s; rm %s</command></para>
+
+		<para>Example: <command>print command = /usr/local/samba/bin/myprintscript
+		%p %s</command></para>
+		</listitem>
+		</varlistentry>
+		
+		
+
+		<varlistentry>
+		<term id="printok">print ok (S)</term>
+		<listitem><para>Synonym for <link linkend="printable">
+		<parameter>printable</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="printable">printable (S)</term>
+		<listitem><para>If this parameter is <constant>yes</constant>, then 
+		clients may open, write to and submit spool files on the directory 
+		specified for the service. </para>
+		
+		<para>Note that a printable service will ALWAYS allow writing 
+		to the service path (user privileges permitting) via the spooling 
+		of print data. The <link linkend="writeable"><parameter>writeable
+		</parameter></link> parameter controls only non-printing access to 
+		the resource.</para>
+
+		<para>Default: <command>printable = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="printcap">printcap (G)</term>
+		<listitem><para>Synonym for 	<link linkend="printcapname"><parameter>
+		printcap name</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="printeradmin">printer admin (S)</term>
+		<listitem><para>This is a list of users that can do anything to 
+		printers via the remote administration interfaces offered by MSRPC 
+		(usually using a NT workstation). Note that the root user always 
+		has admin rights.</para>
+
+		<para>Default: <command>printer admin = &lt;empty string&gt;</command>
+		</para>
+		<para>Example: <command>printer admin = admin, @staff</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+
+
+		<varlistentry>
+		<term id="printcapname">printcap name (G)</term>
+		<listitem><para>This parameter may be used to override the 
+		compiled-in default printcap name used by the server (usually <filename>
+		/etc/printcap</filename>). See the discussion of the <link
+		linkend="printerssect">[printers]</link> section above for reasons 
+		why you might want to do this.</para>
+
+		<para>On System V systems that use <command>lpstat</command> to 
+		list available printers you can use <command>printcap name = lpstat
+		</command> to automatically obtain lists of available printers. This 
+		is the default for systems that define SYSV at configure time in 
+		Samba (this includes most System V based systems). If <parameter>
+		printcap name</parameter> is set to <command>lpstat</command> on 
+		these systems then Samba will launch <command>lpstat -v</command> and 
+		attempt to parse the output to obtain a printer list.</para>
+
+		<para>A minimal printcap file would look something like this:</para>
+
+		<para><programlisting>
+		print1|My Printer 1
+		print2|My Printer 2
+		print3|My Printer 3
+		print4|My Printer 4
+		print5|My Printer 5
+		</programlisting></para>
+	
+		<para>where the '|' separates aliases of a printer. The fact 
+		that the second alias has a space in it gives a hint to Samba 
+		that it's a comment.</para>
+
+		<para><emphasis>NOTE</emphasis>: Under AIX the default printcap 
+		name is <filename>/etc/qconfig</filename>. Samba will assume the 
+		file is in AIX <filename>qconfig</filename> format if the string
+		<filename>qconfig</filename> appears in the printcap filename.</para>
+
+		<para>Default: <command>printcap name = /etc/printcap</command></para>
+		<para>Example: <command>printcap name = /etc/myprintcap</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="printer">printer (S)</term>
+		<listitem><para>This parameter specifies the name of the printer 
+		to which print jobs spooled through a printable service will be sent.</para>
+
+		<para>If specified in the [global] section, the printer
+		name given will be used for any printable service that does 
+		not have its own printer name specified.</para>
+
+		<para>Default: <emphasis>none (but may be <constant>lp</constant> 
+		on many systems)</emphasis></para>
+
+		<para>Example: <command>printer name = laserwriter</command></para>
+		</listitem>
+		</varlistentry>
+		
+
+
+		<varlistentry>
+		<term id="printerdriver">printer driver (S)</term>
+		<listitem><para>This option allows you to control the string 
+		that clients receive when they ask the server for the printer driver 
+		associated with a printer. If you are using Windows95 or WindowsNT 
+		then you can use this to automate the setup of printers on your 
+		system.</para>
+
+		<para>You need to set this parameter to the exact string (case 
+		sensitive) that describes the appropriate printer driver for your 
+		system. If you don't know the exact string to use then you should 
+		first try with no <link linkend="printerdriver"><parameter>
+		printer driver</parameter></link> option set and the client will 
+		give you a list of printer drivers. The appropriate strings are 
+		shown in a scrollbox after you have chosen the printer manufacturer.</para>
+
+		<para>See also <link linkend="printerdriverfile"><parameter>printer
+		driver file</parameter></link>.</para>
+
+		<para>Example: <command>printer driver = HP LaserJet 4L</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="printerdriverfile">printer driver file (G)</term>
+		<listitem><para>This parameter tells Samba where the printer driver 
+		definition file, used when serving drivers to Windows 95 clients, is 
+		to be found. If this is not set, the default is :</para>
+
+		<para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable>
+		/lib/printers.def</filename></para>
+
+		<para>This file is created from Windows 95 <filename>msprint.inf
+		</filename> files found on the Windows 95 client system. For more 
+		details on setting up serving of printer drivers to Windows 95 
+		clients, see the documentation file in the <filename>docs/</filename> 
+		directory, <filename>PRINTER_DRIVER.txt</filename>.</para>
+
+		<para>See also <link linkend="printerdriverlocation"><parameter>
+		printer driver location</parameter></link>.</para>
+		
+		<para>Default: <emphasis>None (set in compile).</emphasis></para>
+
+		<para>Example: <command>printer driver file = 
+		/usr/local/samba/printers/drivers.def</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="printerdriverlocation">printer driver location (S)</term>
+		<listitem><para>This parameter tells clients of a particular printer 
+		share where to find the printer driver files for the automatic 
+		installation of drivers for Windows 95 machines. If Samba is set up 
+		to serve printer drivers to Windows 95 machines, this should be set to</para>
+
+		<para><command>\\MACHINE\PRINTER$</command></para>
+
+		<para>Where MACHINE is the NetBIOS name of your Samba server, 
+		and PRINTER$ is a share you set up for serving printer driver 
+		files. For more details on setting this up see the documentation 
+		file in the <filename>docs/</filename> directory, <filename>
+		PRINTER_DRIVER.txt</filename>.</para>
+
+		<para>See also <link linkend="printerdriverfile"><parameter>
+		printer driver file</parameter></link>.</para>
+
+		<para>Default: <command>none</command></para>
+		<para>Example: <command>printer driver location = \\MACHINE\PRINTER$
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="printername">printer name (S)</term>
+		<listitem><para>Synonym for <link linkend="printer"><parameter>
+		printer</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="printing">printing (S)</term>
+		<listitem><para>This parameters controls how printer status 
+		information is interpreted on your system. It also affects the 
+		default values for the <parameter>print command</parameter>, 
+		<parameter>lpq command</parameter>, <parameter>lppause command
+		</parameter>, <parameter>lpresume command</parameter>, and 
+		<parameter>lprm command</parameter> if specified in the 
+		[global]f> section.</para>
+
+		<para>Currently eight printing styles are supported. They are
+		<constant>BSD</constant>, <constant>AIX</constant>, 
+		<constant>LPRNG</constant>, <constant>PLP</constant>,
+		<constant>SYSV</constant>, <constant>HPUX</constant>,
+		<constant>QNX</constant>, <constant>SOFTQ</constant>,
+		and <constant>CUPS</constant>.</para>
+
+		<para>To see what the defaults are for the other print 
+		commands when using the various options use the <ulink 
+		url="testparm.1.html">testparm(1)</ulink> program.</para>
+
+		<para>This option can be set on a per printer basis</para>
+
+		<para>See also the discussion in the <link linkend="printerssect">
+		[printers]</link> section.</para>
+		</listitem>
+		</varlistentry>
+		
+		
+
+		<varlistentry>
+		<term id="privatedir">private dir(G)</term>
+		<listitem><para>The <parameter>private dir</parameter> parameter 
+		allows an administator to define a directory path used to hold the 
+		various databases Samba will use to store things like a the machine 
+		trust account information when acting as a domain member (i.e. where 
+		the secrets.tdb file will be located), where the passdb.tbd file 
+		will stored in the case of using the experiemental tdbsam support, 
+		etc...</para>
+
+		<para>Default: <command>private dir = &lt;compile time location 
+		of smbpasswd&gt;</command></para>
+		<para>Example: <command>private dir = /etc/smbprivate</command></para>
+		</listitem>
+		</varlistentry>
+		
+		
+		
+		<varlistentry>
+		<term id="protocol">protocol (G)</term>
+		<listitem><para>The value of the parameter (a string) is the highest 
+		protocol level that will be supported by the server.</para>
+
+		<para>Possible values are :</para>
+		<itemizedlist>
+			<listitem><para><constant>CORE</constant>: Earliest version. No 
+			concept of user names.</para></listitem>
+			
+			<listitem><para><constant>COREPLUS</constant>: Slight improvements on 
+			CORE for efficiency.</para></listitem>
+
+			<listitem><para><constant>LANMAN1</constant>: First <emphasis>
+			modern</emphasis> version of the protocol. Long filename
+			support.</para></listitem>
+
+			<listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.
+			</para></listitem>
+
+			<listitem><para><constant>NT1</constant>: Current up to date version of 
+			the protocol. Used by Windows NT. Known as CIFS.</para></listitem>
+		</itemizedlist>
+
+		<para>Normally this option should not be set as the automatic 
+		negotiation phase in the SMB protocol takes care of choosing 
+		the appropriate protocol.</para>
+
+		<para>Default: <command>protocol = NT1</command></para>
+		<para>Example: <command>protocol = LANMAN1</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="public">public (S)</term>
+		<listitem><para>Synonym for <link linkend="guestok"><parameter>guest 
+		ok</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="queuepausecommand">queuepause command (S)</term>
+		<listitem><para>This parameter specifies the command to be 
+		executed on the server host in order to pause the printerqueue.</para>
+
+		<para>This command should be a program or script which takes 
+		a printer name as its only parameter and stops the printerqueue, 
+		such that no longer jobs are submitted to the printer.</para>
+
+		<para>This command is not supported by Windows for Workgroups, 
+		but can be issued from the Printer's window under Windows 95 
+		and NT.</para>
+		
+		<para>If a <parameter>%p</parameter> is given then the printername 
+		is put in its place. Otherwise it is placed at the end of the command.
+		</para>
+
+		<para>Note that it is good practice to include the absolute 
+		path in the command as the PATH may not be available to the 
+		server.</para>
+
+		<para>Default: <emphasis>depends on the setting of <parameter>printing
+		</parameter></emphasis></para>
+		<para>Example: <command>queuepause command = disable %p</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="queueresumecommand">queueresume command (S)</term>
+		<listitem><para>This parameter specifies the command to be 
+		executed on the server host in order to resume the printerqueue. It 
+ 		is the command to undo the behavior that is caused by the 
+		previous parameter (<link linkend="queuepausecommand"><parameter>
+		queuepause command</parameter></link>).</para>
+ 
+		<para>This command should be a program or script which takes 
+		a printer name as its only parameter and resumes the printerqueue, 
+		such that queued jobs are resubmitted to the printer.</para>
+
+		<para>This command is not supported by Windows for Workgroups, 
+		but can be issued from the Printer's window under Windows 95 
+		and NT.</para>
+
+		<para>If a <parameter>%p</parameter> is given then the printername 
+		is put in its place. Otherwise it is placed at the end of the 
+		command.</para>
+
+		<para>Note that it is good practice to include the absolute 
+		path in the command as the PATH may not be available to the 
+		server.</para>
+
+		<para>Default: <emphasis>depends on the setting of <link
+		linkend="printing"><parameter>printing</parameter></link></emphasis>
+		</para>
+
+		<para>Example: <command>queuepause command = enable %p
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="readbmpx">read bmpx (G)</term>
+		<listitem><para>This boolean parameter controls whether <ulink 
+		url="smbd.8.html">smbd(8)</ulink> will support the "Read 
+		Block Multiplex" SMB. This is now rarely used and defaults to 
+		<constant>no</constant>. You should never need to set this 
+		parameter.</para>
+		
+		<para>Default: <command>read bmpx = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="readlist">read list (S)</term>
+		<listitem><para>This is a list of users that are given read-only 
+		access to a service. If the connecting user is in this list then 
+		they will not be given write access, no matter what the <link 
+		linkend="writeable"><parameter>writeable</parameter></link>
+		option is set to. The list can include group names using the 
+		syntax described in the <link linkend="invalidusers"><parameter>
+		invalid users</parameter></link> parameter.</para>
+
+		<para>See also the <link linkend="writelist"><parameter>
+		write list</parameter></link> parameter and the <link 
+		linkend="invalidusers"><parameter>invalid users</parameter>
+		</link> parameter.</para>
+
+		<para>Default: <command>read list = &lt;empty string&gt;</command></para>
+		<para>Example: <command>read list = mary, @students</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="readonly">read only (S)</term>
+		<listitem><para>Note that this is an inverted synonym for <link 
+		linkend="writeable"><parameter>writeable</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="readraw">read raw (G)</term>
+		<listitem><para>This parameter controls whether or not the server 
+		will support the raw read SMB requests when transferring data 
+		to clients.</para>
+
+		<para>If enabled, raw reads allow reads of 65535 bytes in 
+		one packet. This typically provides a major performance benefit.
+		</para>
+
+		<para>However, some clients either negotiate the allowable 
+		block size incorrectly or are incapable of supporting larger block 
+		sizes, and for these clients you may need to disable raw reads.</para>
+
+		<para>In general this parameter should be viewed as a system tuning 
+		tool and left severely alone. See also <link linkend="writeraw">
+		<parameter>write raw</parameter></link>.</para>
+
+		<para>Default: <command>read raw = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="readsize">read size (G)</term>
+		<listitem><para>The option <parameter>read size</parameter> 
+		affects the overlap of disk reads/writes with network reads/writes. 
+		If the amount of data being transferred in several of the SMB 
+		commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger 
+		than this value then the server begins writing the data before it 
+		has received the whole packet from the network, or in the case of 
+		SMBreadbraw, it begins writing to the network before all the data 
+		has been read from disk.</para>
+
+		<para>This overlapping works best when the speeds of disk and 
+		network access are similar, having very little effect when the 
+		speed of one is much greater than the other.</para>
+
+		<para>The default value is 16384, but very little experimentation 
+		has been done yet to determine the optimal value, and it is likely 
+		that the best value will vary greatly between systems anyway. 
+		A value over 65536 is pointless and will cause you to allocate 
+		memory unnecessarily.</para>
+
+		<para>Default: <command>read size = 16384</command></para>
+		<para>Example: <command>read size = 8192</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="remoteannounce">remote announce (G)</term>
+		<listitem><para>This option allows you to setup <ulink 
+		url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself 
+		to arbitrary IP addresses with an arbitrary workgroup name.</para>
+
+		<para>This is useful if you want your Samba server to appear 
+		in a remote workgroup for which the normal browse propagation 
+		rules don't work. The remote workgroup can be anywhere that you 
+		can send IP packets to.</para>
+
+		<para>For example:</para>
+
+		<para><command>remote announce = 192.168.2.255/SERVERS 
+		192.168.4.255/STAFF</command></para>
+
+		<para>the above line would cause nmbd to announce itself 
+		to the two given IP addresses using the given workgroup names. 
+		If you leave out the workgroup name then the one given in 
+		the <link linkend="workgroup"><parameter>workgroup</parameter></link> 
+		parameter is used instead.</para>
+
+		<para>The IP addresses you choose would normally be the broadcast 
+		addresses of the remote networks, but can also be the IP addresses 
+		of known browse masters if your network config is that stable.</para>
+
+		<para>See the documentation file <filename>BROWSING.txt</filename> 
+		in the <filename>docs/</filename> directory.</para>
+		
+		<para>Default: <command>remote announce = &lt;empty string&gt;
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="remotebrowsesync">remote browse sync (G)</term>
+		<listitem><para>This option allows you to setup <ulink 
+		url="nmbd.8.html">nmbd(8)</ulink> to periodically request 
+		synchronization of browse lists with the master browser of a samba 
+		server that is on a remote segment. This option will allow you to 
+		gain browse lists for multiple workgroups across routed networks. This 
+		is done in a manner that does not work with any non-samba servers.</para>
+
+		<para>This is useful if you want your Samba server and all local 
+		clients to appear in a remote workgroup for which the normal browse 
+		propagation rules don't work. The remote workgroup can be anywhere 
+		that you can send IP packets to.</para>
+
+		<para>For example:</para>
+		
+		<para><command>remote browse sync = 192.168.2.255 192.168.4.255
+		</command></para>
+
+		<para>the above line would cause <command>nmbd</command> to request 
+		the master browser on the specified subnets or addresses to 
+		synchronize their browse lists with the local server.</para>
+
+		<para>The IP addresses you choose would normally be the broadcast 
+		addresses of the remote networks, but can also be the IP addresses 
+		of known browse masters if your network config is that stable. If 
+		a machine IP address is given Samba makes NO attempt to validate 
+		that the remote machine is available, is listening, nor that it 
+		is in fact the browse master on it's segment.</para>
+
+		<para>Default: <command>remote browse sync = &lt;empty string&gt;
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="restrictanonymous">restrict anonymous (G)</term>
+		<listitem><para>This is a boolean parameter.  If it is true, then 
+		anonymous access to the server will be restricted, namely in the 
+		case where the server is expecting the client to send a username, 
+		but it doesn't.  Setting it to true will force these anonymous 
+ 		connections to be denied, and the client will be required to always 
+		supply a username and password when connecting. Use of this parameter 
+		is only recommened for homogenous NT client environments.</para>
+
+		<para>This parameter makes the use of macro expansions that rely
+		on the username (%U, %G, etc) consistant.  NT 4.0 
+		likes to use anonymous connections when refreshing the share list, 
+		and this is a way to work around that.</para>
+
+		<para>When restrict anonymous is true, all anonymous connections 
+		are denied no matter what they are for.  This can effect the ability 
+		of a machine to access the samba Primary Domain Controller to revalidate 
+		it's machine account after someone else has logged on the client 
+		interactively.  The NT client will display a message saying that 
+		the machine's account in  the domain doesn't exist or the password is 
+		bad.  The best way to deal  with this is to reboot NT client machines 
+		between interactive logons,  using "Shutdown and Restart", rather 
+		than "Close all programs and logon as a different user".</para>
+
+		<para>Default: <command>restrict anonymous = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="root">root (G)</term>
+		<listitem><para>Synonym for <link linkend="rootdirectory">
+		<parameter>root directory"</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="rootdir">root dir (G)</term>
+		<listitem><para>Synonym for <link linkend="rootdirectory">
+		<parameter>root directory"</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="rootdirectory">root directory (G)</term>
+		<listitem><para>The server will <command>chroot()</command> (i.e. 
+		Change it's root directory) to this directory on startup. This is 
+		not strictly necessary for secure operation. Even without it the 
+		server will deny access to files not in one of the service entries. 
+		It may also check for, and deny access to, soft links to other 
+		parts of the filesystem, or attempts to use ".." in file names 
+		to access other directories (depending on the setting of the <link
+		linkend="widelinks"><parameter>wide links</parameter></link> 
+		parameter).</para>
+
+		<para>Adding a <parameter>root directory</parameter> entry other 
+		than "/" adds an extra level of security, but at a price. It 
+		absolutely ensures that no access is given to files not in the 
+		sub-tree specified in the <parameter>root directory</parameter> 
+		option, <emphasis>including</emphasis> some files needed for 
+		complete operation of the server. To maintain full operability 
+		of the server you will need to mirror some system files 
+		into the <parameter>root directory</parameter> tree. In particular 
+		you will need to mirror <filename>/etc/passwd</filename> (or a 
+		subset of it), and any binaries or configuration files needed for 
+		printing (if required). The set of files that must be mirrored is
+		operating system dependent.</para>
+
+		<para>Default: <command>root directory = /</command></para>
+		<para>Example: <command>root directory = /homes/smb</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="rootpostexec">root postexec (S)</term>
+		<listitem><para>This is the same as the <parameter>postexec</parameter>
+		parameter except that the command is run as root. This 
+		is useful for unmounting filesystems 
+		(such as cdroms) after a connection is closed.</para>
+
+		<para>See also <link linkend="postexec"><parameter>
+		postexec</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term id="rootpreexec">root preexec (S)</term>
+		<listitem><para>This is the same as the <parameter>preexec</parameter>
+		parameter except that the command is run as root. This 
+		is useful for mounting filesystems 
+		(such as cdroms) after a connection is closed.</para>
+
+		<para>See also <link linkend="preexec"><parameter>
+		preexec</parameter></link> and <link linkend="preexecclose">
+		<parameter>preexec close</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="rootpreexecclose">root preexec close (S)</term>
+		<listitem><para>This is the same as the <parameter>preexec close
+		</parameter> parameter except that the command is run as root.</para>
+
+		<para>See also <link linkend="preexec"><parameter>
+		preexec</parameter></link> and <link linkend="preexecclose">
+		<parameter>preexec close</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="security">security (G)</term>
+		<listitem><para>This option affects how clients respond to 
+		Samba and is one of the most important settings in the <filename>
+		smb.conf</filename> file.</para>
+
+		<para>The option sets the "security mode bit" in replies to 
+		protocol negotiations with <ulink url="smbd.8.html">smbd(8)
+		</ulink> to turn share level security on or off. Clients decide 
+		based on this bit whether (and how) to transfer user and password 
+		information to the server.</para>
+
+
+		<para>The default is <command>security = user</command>, as this is
+		the most common setting needed when talking to Windows 98 and 
+		Windows NT.</para>
+
+		<para>The alternatives are <command>security = share</command>,
+		<command>security = server</command> or <command>security=domain
+		</command>.</para>
+
+		<para>In versions of Samba prior to 2..0, the default was 
+		<command>security = share</command> mainly because that was
+		the only option at one stage.</para>
+
+		<para>There is a bug in WfWg that has relevance to this 
+		setting. When in user or server level security a WfWg client 
+		will totally ignore the password you type in the "connect 
+		drive" dialog box. This makes it very difficult (if not impossible) 
+		to connect to a Samba service as anyone except the user that 
+		you are logged into WfWg as.</para>
+
+		<para>If your PCs use usernames that are the same as their 
+		usernames on the UNIX machine then you will want to use 
+ 		<command>security = user</command>. If you mostly use usernames 
+		that don't exist on the UNIX box then use <command>security = 
+		share</command>.</para>
+
+		<para>You should also use <command>security = share</command> if you 
+		want to mainly setup shares without a password (guest shares). This 
+		is commonly used for a shared printer server. It is more difficult 
+		to setup guest shares with <command>security = user</command>, see 
+		the <link linkend="maptoguest"><parameter>map to guest</parameter>
+		</link>parameter for details.</para>
+		
+		<para>It is possible to use <command>smbd</command> in a <emphasis>
+		hybrid mode</emphasis> where it is offers both user and share 
+		level security under different <link linkend="netbiosaliases">
+		<parameter>NetBIOS aliases</parameter></link>. </para>
+
+		<para>The different settings will now be explained.</para>
+
+
+		<para><anchor id="securityequalshare"><emphasis>SECURITY = SHARE
+		</emphasis></para> 
+		
+		<para>When clients connect to a share level security server then 
+		need not log onto the server with a valid username and password before 
+		attempting to connect to a shared resource (although modern clients 
+		such as Windows 95/98 and Windows NT will send a logon request with 
+		a username but no password when talking to a <command>security = share
+		</command> server). Instead, the clients send authentication information 
+		(passwords) on a per-share basis, at the time they attempt to connect 
+		to that share.</para>
+
+		<para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis> 
+		uses a valid UNIX user to act on behalf of the client, even in
+		<command>security = share</command> level security.</para>
+
+		<para>As clients are not required to send a username to the server
+		in share level security, <command>smbd</command> uses several
+		techniques to determine the correct UNIX user to use on behalf
+		of the client.</para>
+
+		<para>A list of possible UNIX usernames to match with the given
+		client password is constructed using the following methods :</para>
+
+		<itemizedlist>
+			<listitem><para>If the <link linkend="guestonly"><parameter>guest 
+			only</parameter></link> parameter is set, then all the other 
+			stages are missed and only the <link linkend="guestaccount">
+			<parameter>guest account</parameter></link> username is checked.
+			</para></listitem>
+
+			<listitem><para>Is a username is sent with the share connection 
+			request, then this username (after mapping - see <link 
+			linkend="usernamemap"><parameter>username map</parameter></link>), 
+			is added as a potential username.</para></listitem>
+
+			<listitem><para>If the client did a previous <emphasis>logon
+			</emphasis> request (the SessionSetup SMB call) then the 
+			username sent in this SMB will be added as a potential username.
+			</para></listitem>
+
+			<listitem><para>The name of the service the client requested is 
+			added as a potential username.</para></listitem>
+
+			<listitem><para>The NetBIOS name of the client is added to 
+			the list as a potential username.</para></listitem>
+
+			<listitem><para>Any users on the <link linkend="user"><parameter>
+			user</parameter></link> list are added as potential usernames.
+			</para></listitem>
+		</itemizedlist>
+
+		<para>If the <parameter>guest only</parameter> parameter is 
+		not set, then this list is then tried with the supplied password. 
+		The first user for whom the password matches will be used as the 
+		UNIX user.</para>
+
+		<para>If the <parameter>guest only</parameter> parameter is 
+		set, or no username can be determined then if the share is marked 
+		as available to the <parameter>guest account</parameter>, then this 
+		guest user will be used, otherwise access is denied.</para>
+
+		<para>Note that it can be <emphasis>very</emphasis> confusing 
+		in share-level security as to which UNIX username will eventually
+		be used in granting access.</para>
+
+		<para>See also the section <link linkend="validationsect">
+		NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+		<para><anchor id="securityequaluser"><emphasis>SECURIYT = USER
+		</emphasis></para>
+
+		<para>This is the default security setting in Samba 2.2. 
+		With user-level security a client must first "log=on" with a 
+		valid username and password (which can be mapped using the <link
+		linkend="usernamemap"><parameter>username map</parameter></link> 
+		parameter). Encrypted passwords (see the <link linkend="encryptpasswords">
+		<parameter>encrypted passwords</parameter></link> parameter) can also
+		be used in this security mode. Parameters such as <link linkend="user">
+		<parameter>user</parameter></link> and <link linkend="guestonly">
+		<parameter>guest only</parameter></link> if set	are then applied and 
+		may change the UNIX user to use on this connection, but only after 
+		the user has been successfully authenticated.</para>
+
+		<para><emphasis>Note</emphasis> that the name of the resource being 
+		requested is <emphasis>not</emphasis> sent to the server until after 
+		the server has successfully authenticated the client. This is why 
+		guest shares don't work in user level security without allowing 
+		the server to automatically map unknown users into the <link
+		linkend="guestaccount"><parameter>guest account</parameter></link>. 
+		See the <link linkend="maptoguest"><parameter>map to guest</parameter>
+		</link> parameter for details on doing this.</para>
+
+		<para>See also the section <link linkend="validationsect">
+		NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+		<para><anchor id="securityequalserver"><emphasis>SECURITY = SERVER
+		</emphasis></para>
+
+		<para>In this mode Samba will try to validate the username/password 
+		by passing it to another SMB server, such as an NT box. If this 
+		fails it will revert to <command>security = user</command>, but note 
+		that if encrypted passwords have been negotiated then Samba cannot 
+		revert back to checking the UNIX password file, it must have a valid 
+		<filename>smbpasswd</filename> file to check users against. See the 
+		documentation file in the <filename>docs/</filename> directory 
+		<filename>ENCRYPTION.txt</filename> for details on how to set this 
+		up.</para>
+
+		<para><emphasis>Note</emphasis> that from the clients point of 
+		view <command>security = server</command> is the same as <command>
+		security = user</command>.  It only affects how the server deals 
+		with the authentication, it does not in any way affect what the 
+		client sees.</para>
+
+		<para><emphasis>Note</emphasis> that the name of the resource being 
+		requested is <emphasis>not</emphasis> sent to the server until after 
+		the server has successfully authenticated the client. This is why 
+		guest shares don't work in user level security without allowing 
+		the server to automatically map unknown users into the <link
+		linkend="guestaccount"><parameter>guest account</parameter></link>. 
+		See the <link linkend="maptoguest"><parameter>map to guest</parameter>
+		</link> parameter for details on doing this.</para>
+
+		<para>See also the section <link linkend="validationsect">
+		NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+		<para>See also the <link linkend="passwordserver"><parameter>password 
+		server</parameter></link> parameter and the <link 
+		linkend="encryptpasswords"><parameter>encrypted passwords</parameter>
+		</link> parameter.</para>
+		
+		<para><anchor id="securityequalsdomain"><emphasis>SECURITY = DOMAIN
+		</emphasis></para>
+
+		<para>This mode will only work correctly if <ulink 
+		url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this 
+		machine into a Windows NT Domain. It expects the <link 
+		linkend="encryptpasswords"><parameter>encrypted passwords</parameter>
+		</link> parameter to be set to <constant>true</constant>. In this 
+		mode Samba will try to validate the username/password by passing
+		it to a Windows NT Primary or Backup Domain Controller, in exactly 
+		the same way that a Windows NT Server would do.</para>
+
+		<para><emphasis>Note</emphasis> that a valid UNIX user must still 
+		exist as well as the account on the Domain Controller to allow 
+		Samba to have a valid UNIX account to map file access to.</para>
+
+		<para><emphasis>Note</emphasis> that from the clients point 
+		of view <command>security = domain</command> is the same as <command>security = user
+		</command>. It only affects how the server deals with the authentication, 
+		it does not in any way affect what the client sees.</para>
+
+		<para><emphasis>Note</emphasis> that the name of the resource being 
+		requested is <emphasis>not</emphasis> sent to the server until after 
+		the server has successfully authenticated the client. This is why 
+		guest shares don't work in user level security without allowing 
+		the server to automatically map unknown users into the <link
+		linkend="guestaccount"><parameter>guest account</parameter></link>. 
+		See the <link linkend="maptoguest"><parameter>map to guest</parameter>
+		</link> parameter for details on doing this.</para>
+
+		<para><emphasis>BUG:</emphasis> There is currently a bug in the 
+		implementation of <command>security = domain</command> with respect 
+		to multi-byte character set usernames. The communication with a 
+		Domain Controller must be done in UNICODE and Samba currently 
+		does not widen multi-byte user names to UNICODE correctly, thus 
+		a multi-byte username will not be recognized correctly at the 
+		Domain Controller. This issue will be addressed in a future release.</para>
+
+		<para>See also the section <link linkend="validationsect">
+		NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+		<para>See also the <link linkend="passwordserver"><parameter>password 
+		server</parameter></link> parameter and the <link 
+		linkend="encryptpasswords"><parameter>encrypted passwords</parameter>
+		</link> parameter.</para>
+
+		<para>Default: <command>security = USER</command></para>
+		<para>Example: <command>security = DOMAIN</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="securitymask">security mask (S)</term>
+		<listitem><para>This parameter controls what UNIX permission 
+		bits can be modified when a Windows NT client is manipulating 
+		the UNIX permission on a file using the native NT security 
+		dialog box.</para>
+
+		<para>This parameter is applied as a mask (AND'ed with) to 
+		the changed permission bits, thus preventing any bits not in 
+		this mask from being modified. Essentially, zero bits in this 
+		mask may be treated as a set of bits the user is not allowed 
+		to change.</para>
+
+		<para>If not set explicitly this parameter is set to the same
+		value as the <link linkend="createmask"><parameter>create mask
+		</parameter></link> parameter. To allow a user to modify all the 
+		user/group/world permissions on a file, set this parameter to 
+		0777.</para>
+
+		<para><emphasis>Note</emphasis> that users who can access the 
+		Samba server through other means can easily bypass this 
+		restriction, so it is primarily useful for standalone 
+		"appliance" systems.  Administrators of most normal systems will 
+		probably want to set it to 0777.</para>
+		
+		<para>See also the <link linkend="forcedirectorysecuritymode">
+		<parameter>force directory security mode</parameter></link>, 
+		<link linkend="directorysecuritymask"><parameter>directory 
+		security mask</parameter></link>, <link linkend="forcesecuritymode">
+		<parameter>force security mode</parameter></link> parameters.</para>
+
+		<para>Default: <command>security mask = &lt;same as create mask&gt;
+		</command></para>
+		<para>Example: <command>security mask = 0777</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="serverstring">server string (G)</term>
+		<listitem><para>This controls what string will show up in the 
+		printer comment box in print manager and next to the IPC connection 
+		in <command>net view"</command>. It can be any string that you wish 
+		to show to your users.</para>
+		
+		<para>It also sets what will appear in browse lists next 
+		to the machine name.</para>
+
+		<para>A <parameter>%v</parameter> will be replaced with the Samba 
+		version number.</para>
+
+		<para>A <parameter>%h</parameter> will be replaced with the 
+		hostname.</para>
+
+		<para>Default: <command>server string = Samba %v</command></para>
+
+		<para>Example: <command>server string = University of GNUs Samba 
+		Server</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="setdirectory">set directory (S)</term>
+		<listitem><para>If <command>set directory = no</command>, then 
+		users of the service may not use the setdir command to change 
+		directory.</para>
+
+		<para>The <command>setdir</command> command is only implemented 
+		in the Digital Pathworks client. See the Pathworks documentation 
+		for details.</para>
+
+		<para>Default: <command>set directory = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="sharemodes">share modes (S)</term>
+		<listitem><para>This enables or disables the honoring of 
+		the <parameter>share modes</parameter> during a file open. These 
+		modes are used by clients to gain exclusive read or write access 
+		to a file.</para>
+
+		<para>These open modes are not directly supported by UNIX, so
+		they are simulated using shared memory, or lock files if your 
+		UNIX doesn't support shared memory (almost all do).</para>
+
+		<para>The share modes that are enabled by this option are 
+		<constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>,
+		<constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>,
+		<constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>.
+		</para>
+
+		<para>This option gives full share compatibility and enabled 
+		by default.</para>
+
+		<para>You should <emphasis>NEVER</emphasis> turn this parameter 
+		off as many Windows applications will break if you do so.</para>
+
+		<para>Default: <command>share modes = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="sharedmemsize">shared mem size (G)</term>
+		<listitem><para>It specifies the size of the shared memory (in 
+		bytes) to use between <ulink url="smbd.8.html">smbd(8)</ulink> 
+		processes. This parameter defaults to one megabyte of shared 
+		memory. It is possible that if you have a large erver with many 
+		files open simultaneously that you may need to increase this 
+		parameter. Signs that this parameter is set too low are users 
+		reporting strange problems trying to save files (locking errors) 
+		and error messages in the smbd log looking like <emphasis>ERROR
+		smb_shm_alloc : alloc of XX bytes failed</emphasis>.</para>
+
+		<para>If your OS refuses the size that Samba asks for then 
+		Samba will try a smaller size, reducing by a factor of 0.8 until 
+		the OS accepts it.</para>
+
+		<para>Default: <command>shared mem size = 1048576</command></para>
+		<para>Example: <command>shared mem size = 5242880 ; Set to 5mb for a 
+		large number of files.</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="shortpreservecase">short preserve case (S)</term>
+		<listitem><para>This boolean parameter controls if new files 
+		which conform to 8.3 syntax, that is all in upper case and of 
+		suitable length, are created upper case, or if they are forced 
+		to be the <link linkend="defaultcase"><parameter>default case
+		</parameter></link>. This  option can be use with <link 
+		linkend="preservecase"><command>preserve case = yes</command>
+		</link> to permit long filenames to retain their case, while short 
+		names are lowered. </para>
+		
+		<para>See the section on <link linkend="namemanglingsect">
+		NAME MANGLING</link>.</para>
+
+		<para>Default: <command>short preserve case = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="smbpasswdfile">smb passwd file (G)</term>
+		<listitem><para>This option sets the path to the encrypted 
+ 		smbpasswd file.  By default the path to the smbpasswd file 
+		is compiled into Samba.</para>
+		
+		<para>Default: <command>smb passwd file= &lt;compiled 
+		default&gt;</command></para>
+
+		<para>Example: <command>smb passwd file = /usr/samba/private/smbpasswd
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="smbrun">smbrun (G)</term>
+		<listitem><para>This sets the full path to the <command>smbrun
+		</command> binary. This defaults to the value in the <filename>
+		Makefile</filename>.</para>
+
+		<para>You must get this path right for many services 
+		to work correctly.</para>
+
+		<para>You should not need to change this parameter so 
+		long as Samba is installed correctly.</para>
+
+		<para>Default: <command>smbrun=&lt;compiled default&gt;
+		</command></para>
+
+		<para>Example: <command>smbrun = /usr/local/samba/bin/smbrun
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="socketaddress">socket address (G)</term>
+		<listitem><para>This option allows you to control what 
+		address Samba will listen for connections on. This is used to 
+		support multiple virtual interfaces on the one server, each 
+		with a different configuration.</para>
+		
+		<para>By default samba will accept connections on any 
+		address.</para>
+
+		<para>Example: <command>socket address = 192.168.2.20</command>
+		</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="socketoptions">socket options (G)</term>
+		<listitem><para>This option allows you to set socket options 
+		to be used when talking with the client.</para>
+
+		<para>Socket options are controls on the networking layer 
+		of the operating systems which allow the connection to be 
+		tuned.</para>
+
+		<para>This option will typically be used to tune your Samba 
+		server for optimal performance for your local network. There is 
+		no way that Samba can know what the optimal parameters are for 
+		your net, so you must experiment and choose them yourself. We 
+		strongly suggest you read the appropriate documentation for your 
+		operating system first (perhaps <command>man setsockopt</command> 
+		will help).</para>
+
+		<para>You may find that on some systems Samba will say 
+		"Unknown socket option" when you supply an option. This means you 
+		either incorrectly  typed it or you need to add an include file 
+		to includes.h for your OS.  If the latter is the case please 
+		send the patch to <ulink url="mailto:samba@samba.org">
+		samba@samba.org</ulink>.</para>
+
+		<para>Any of the supported socket options may be combined 
+		in any way you like, as long as your OS allows it.</para>
+
+		<para>This is the list of socket options currently settable 
+		using this option:</para>
+
+		<itemizedlist>
+			<listitem><para>SO_KEEPALIVE</para></listitem>
+			<listitem><para>SO_REUSEADDR</para></listitem>
+			<listitem><para>SO_BROADCAST</para></listitem>
+			<listitem><para>TCP_NODELAY</para></listitem>
+			<listitem><para>IPTOS_LOWDELAY</para></listitem>
+			<listitem><para>IPTOS_THROUGHPUT</para></listitem>
+			<listitem><para>SO_SNDBUF *</para></listitem>
+			<listitem><para>SO_RCVBUF *</para></listitem>
+			<listitem><para>SO_SNDLOWAT *</para></listitem>
+			<listitem><para>SO_RCVLOWAT *</para></listitem>
+		</itemizedlist>
+
+		<para>Those marked with a <emphasis>'*'</emphasis> take an integer 
+		argument. The others can optionally take a 1 or 0 argument to enable 
+		or disable the option, by default they will be enabled if you 
+		don't specify 1 or 0.</para>
+
+		<para>To specify an argument use the syntax SOME_OPTION=VALUE 
+		for example <command>SO_SNDBUF=8192</command>. Note that you must 
+		not have any spaces before or after the = sign.</para>
+
+		<para>If you are on a local network then a sensible option 
+		might be</para>
+		<para><command>socket options = IPTOS_LOWDELAY</command></para>
+
+		<para>If you have a local network then you could try:</para>
+		<para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
+
+		<para>If you are on a wide area network then perhaps try 
+		setting IPTOS_THROUGHPUT. </para>
+
+		<para>Note that several of the options may cause your Samba 
+		server to fail completely. Use these options with caution!</para>
+
+  		<para>Default: <command>socket options = TCP_NODELAY</command></para>
+		<para>Example: <command>socket options = IPTOS_LOWDELAY</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="sourceenvironment">source environment (G)</term>
+		<listitem><para>This parameter causes Samba to set environment 
+		variables as per the content of the file named.</para>
+
+		<para>If the value of this parameter starts with a "|" character 
+		then Samba will treat that value as a pipe command to open and 
+		will set the environment variables from the output of the pipe.</para>
+
+		<para>The contents of the file or the output of the pipe should 
+		be formatted as the output of the standard Unix <command>env(1)
+		</command> command. This is of the form :</para>
+		<para>Example environment entry:</para>
+		<para><command>SAMBA_NETBIOS_NAME=myhostname</command></para>
+
+		<para>Default: <emphasis>No default value</emphasis></para>
+		<para>Examples: <command>source environment = |/etc/smb.conf.sh
+		</command></para>
+
+		<para>Example: <command>source environment = 
+		/usr/local/smb_env_vars</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="ssl">ssl (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This variable enables or disables the entire SSL mode. If 
+		it is set to <constant>no</constant>, the SSL enabled samba behaves 
+		exactly like the non-SSL samba. If set to <constant>yes</constant>, 
+		it depends on the variables <link linkend="sslhosts"><parameter>
+		ssl hosts</parameter></link> and <link linkend="sslhostsresign">
+		<parameter>ssl hosts resign</parameter></link> whether an SSL 
+		connection will be required.</para>
+
+		<para>Default: <command>ssl=no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="sslCAcertDir">ssl CA certDir (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This variable defines where to look up the Certification
+		Authorities. The given directory should contain one file for 
+		each CA that samba will trust.  The file name must be the hash 
+		value over the "Distinguished Name" of the CA. How this directory 
+		is set up is explained later in this document. All files within the 
+		directory that don't fit into this naming scheme are ignored. You 
+		don't need this variable if you don't verify client certificates.</para>
+
+		<para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="sslCAcertFile">ssl CA certFile (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This variable is a second way to define the trusted CAs. 
+		The certificates of the trusted CAs are collected in one big 
+		file and this variable points to the file. You will probably 
+		only use one of the two ways to define your CAs. The first choice is 
+		preferable if you have many CAs or want to be flexible, the second 
+		is preferable if you only have one CA and want to keep things 
+		simple (you won't need to create the hashed file names). You 
+		don't need this variable if you don't verify client certificates.</para>
+
+		<para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry><term id="sslciphers">ssl ciphers (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This variable defines the ciphers that should be offered 
+		during SSL negotiation. You should not set this variable unless 
+		you know what you are doing.</para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="sslclientcert">ssl client cert (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>The certificate in this file is used by <ulink url="smbclient.1.html">
+		<command>smbclient(1)</command></ulink> if it exists. It's needed 
+		if the server requires a client certificate.</para>
+
+		<para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="sslclientkey">ssl client key (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This is the private key for <ulink url="smbclient.1.html">
+		<command>smbclient(1)</command></ulink>. It's only needed if the 
+		client should have a certificate. </para>
+
+		<para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="sslcompatibility">ssl compatibility (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This variable defines whether SSLeay should be configured 
+		for bug compatibility with other SSL implementations. This is 
+		probably not desirable because currently no clients with SSL 
+		implementations other than SSLeay exist.</para>
+
+		<para>Default: <command>ssl compatibility = no</command></para>
+		</listitem>
+		</varlistentry>
+		
+
+		<varlistentry><term id="sslhosts">ssl hosts (G)</term>
+		<listitem><para>See <link linkend="sslhostsresign"><parameter>
+		ssl hosts resign</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="sslhostsresign">ssl hosts resign (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>These two variables define whether samba will go 
+		into SSL mode or not. If none of them is defined, samba will 
+		allow only SSL connections. If the <link linkend="sslhosts">
+		<parameter>ssl hosts</parameter></link> variable lists
+		hosts (by IP-address, IP-address range, net group or name), 
+		only these hosts will be forced into SSL mode. If the <parameter>
+		ssl hosts resign</parameter> variable lists hosts, only these 
+		hosts will NOT be forced into SSL mode. The syntax for these two 
+		variables is the same as for the <link linkend="hostsallow"><parameter>
+		hosts allow</parameter></link> and <link linkend="hostsdeny">
+		<parameter>hosts deny</parameter></link> pair of variables, only 
+		that the subject of the decision is different: It's not the access 
+		right but whether SSL is used or not. </para>
+
+		<para>The example below requires SSL connections from all hosts
+		outside the local net (which is 192.168.*.*).</para>
+
+		<para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
+		<para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
+
+		<para>Example: <command>ssl hosts resign = 192.168.</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="sslrequireclientcert">ssl require clientcert (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>If this variable is set to <constant>yes</constant>, the 
+		server will not tolerate connections from clients that don't 
+		have a valid certificate. The directory/file given in <link
+		linkend="sslcacertdir"><parameter>ssl CA certDir</parameter>
+		</link> and <link linkend="sslcacertfile"><parameter>ssl CA certFile
+		</parameter></link> will be used to look up the CAs that issued 
+		the client's certificate. If the certificate can't be verified 
+		positively, the connection will be terminated.  If this variable 
+		is set to <constant>no</constant>, clients don't need certificates. 
+		Contrary to web applications you really <emphasis>should</emphasis> 
+		require client certificates. In the web environment the client's 
+		data is sensitive (credit card numbers) and the server must prove 
+		to be trustworthy. In a file server environment the server's data 
+		will be sensitive and the clients must prove to be trustworthy.</para>
+
+		<para>Default: <command>ssl require clientcert = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="sslrequireservercert">ssl require servercert (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>If this variable is set to <constant>yes</constant>, the 
+		<ulink url="smbclient.1.html"><command>smbclient(1)</command>
+		</ulink> will request a certificate from the server. Same as 
+		<link linkend="sslrequireclientcert"><parameter>ssl require 
+		clientcert</parameter></link> for the server.</para>
+
+		<para>Default: <command>ssl require servercert = no</command>
+		</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term id="sslservercert">ssl server cert (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This is the file containing the server's certificate. 
+		The server <emphasis>must</emphasis> have a certificate. The 
+		file may also contain the server's private key. See later for 
+		how certificates and private keys are created.</para>
+
+		<para>Default: <command>ssl server cert = &lt;empty string&gt;
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="sslserverkey">ssl server key (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This file contains the private key of the server. If 
+		this variable is not defined, the key is looked up in the 
+		certificate file (it may be appended to the certificate). 
+		The server <emphasis>must</emphasis> have a private key
+		and the certificate <emphasis>must</emphasis> 
+		match this private key.</para>
+
+		<para>Default: <command>ssl server key = &lt;empty string&gt;
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="sslversion">ssl version (G)</term>
+		<listitem><para>This variable is part of SSL-enabled Samba. This 
+		is only available if the SSL libraries have been compiled on your 
+		system and the configure option <command>--with-ssl</command> was 
+		given at configure time.</para>
+
+		<para><emphasis>Note</emphasis> that for export control reasons 
+		this code is <emphasis>NOT</emphasis> enabled by default in any 
+		current binary version of Samba.</para>
+
+		<para>This enumeration variable defines the versions of the 
+		SSL protocol that will be used. <constant>ssl2or3</constant> allows 
+		dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results 
+		in SSL v2, <constant>ssl3</constant> results in SSL v3 and
+		<constant>tls1</constant> results in TLS v1. TLS (Transport Layer 
+		Security) is the new standard for SSL.</para>
+
+		<para>Default: <command>ssl version = "ssl2or3"</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="statcache">stat cache (G)</term>
+		<listitem><para>This parameter determines if <ulink 
+		url="smbd.8.html">smbd(8)</ulink> will use a cache in order to 
+		speed up case insensitive name mappings. You should never need 
+		to change this parameter.</para>
+
+  		<para>Default: <command>stat cache = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term id="statcachesize">stat cache size (G)</term>
+		<listitem><para>This parameter determines the number of 
+		entries in the <parameter>stat cache</parameter>.  You should 
+		never need to change this parameter.</para>
+		
+		<para>Default: <command>stat cache size = 50</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="status">status (G)</term>
+		<listitem><para>This enables or disables logging of connections 
+		to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink>
+		can read.</para>
+
+		<para>With this disabled <command>smbstatus</command> won't be able
+		to tell you what connections are active. You should never need to
+		change this parameter.</para>
+
+		<para>Default: <command>status = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		
+		<varlistentry>
+		<term id="strictlocking">strict locking (S)</term>
+		<listitem><para>This is a boolean that controls the handling of 
+		file locking in the server. When this is set to <constant>yes</constant> 
+		the server will check every read and write access for file locks, and 
+		deny access if locks exist. This can be slow on some systems.</para>
+
+		<para>When strict locking is <constant>no</constant> the server does file 
+		lock checks only when the client explicitly asks for them.</para>
+
+		<para>Well behaved clients always ask for lock checks when it 
+		is important, so in the vast majority of cases <command>strict 
+		locking = no</command> is preferable.</para>
+
+		<para>Default: <command>strict locking = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="strictsync">strict sync (S)</term>
+		<listitem><para>Many Windows applications (including the Windows 
+		98 explorer shell) seem to confuse flushing buffer contents to 
+		disk with doing a sync to disk. Under UNIX, a sync call forces 
+		the process to be suspended until the kernel has ensured that 
+		all outstanding data in kernel disk buffers has been safely stored 
+		onto stable storage. This is very slow and should only be done 
+		rarely. Setting this parameter to <constant>no</constant> (the 
+		default) means that smbd ignores the Windows applications requests for
+		a sync call. There is only a possibility of losing data if the
+		operating system itself that Samba is running on crashes, so there is
+		little danger in this default setting. In addition, this fixes many
+		performance problems that people have reported with the new Windows98
+		explorer shell file copies.</para>
+
+		<para>See also the <link linkend="syncalways"><parameter>sync 
+		always></parameter></link> parameter.</para>
+
+		<para>Default: <command>strict sync = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="stripdot">strip dot (G)</term>
+		<listitem><para>This is a boolean that controls whether to 
+		strip trailing dots off UNIX filenames. This helps with some 
+		CDROMs that have filenames ending in a single dot.</para>
+
+		<para>Default: <command>strip dot = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="syncalways">sync always (S)</term>
+		<listitem><para>This is a boolean parameter that controls 
+		whether writes will always be written to stable storage before 
+		the write call returns. If this is false then the server will be 
+		guided by the client's request in each write call (clients can 
+		set a bit indicating that a particular write should be synchronous). 
+		If this is true then every write will be followed by a <command>fsync()
+		</command> call to ensure the data is written to disk. Note that 
+		the <parameter>strict sync</parameter> parameter must be set to
+		<constant>yes</constant> in order for this parameter to have 
+		any affect.</para>
+		
+		<para>See also the <link linkend="strictsync"><parameter>strict 
+		sync</parameter></link> parameter.</para>
+
+		<para>Default: <command>sync always = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="syslog">syslog (G)</term>
+		<listitem><para>This parameter maps how Samba debug messages 
+		are logged onto the system syslog logging levels. Samba debug 
+		level zero maps onto syslog <constant>LOG_ERR</constant>, debug 
+		level one maps onto <constant>LOG_WARNING</constant>, debug level 
+		two maps onto <constant>LOG_NOTICE</constant>, debug level three 
+		maps onto LOG_INFO. All higher levels are mapped to <constant>
+		LOG_DEBUG</constant>.</para>
+
+		<para>This paramter sets the threshold for sending messages 
+		to syslog.  Only messages with debug level less than this value 
+		will be sent to syslog.</para>
+
+		<para>Default: <command>syslog = 1</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="syslogonly">syslog only (G)</term>
+		<listitem><para>If this parameter is set then Samba debug 
+		messages are logged into the system syslog only, and not to 
+		the debug log files.</para>
+
+		<para>Default: <command>syslog only = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="templatehomedir">template homedir (G)</term>
+		<listitem><para><emphasis>NOTE:</emphasis> this parameter is 
+		only available in Samba 3.0.</para>
+
+		<para>When filling out the user information for a Windows NT 
+		user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon 
+		uses this parameter to fill in the home directory for that user.  
+		If the string <parameter>%D</parameter> is present it is substituted 
+		with the user's Windows NT domain name.  If the string <parameter>%U
+		</parameter> is present it is substituted with the user's Windows 
+		NT user name.</para>
+
+		<para>Default: <command>template homedir = /home/%D/%U</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="templateshell">template shell (G)</term>
+		<listitem><para><emphasis>NOTE:</emphasis> this parameter is 
+		only available in Samba 3.0.</para>
+
+		<para>When filling out the user information for a Windows NT 
+		user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon 
+		uses this parameter to fill in the login shell for that user.</para>
+
+		<para>Default: <command>template shell = /bin/false</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="timeoffset">time offset (G)</term>
+		<listitem><para>This parameter is a setting in minutes to add 
+		to the normal GMT to local time conversion. This is useful if 
+		you are serving a lot of PCs that have incorrect daylight 
+		saving time handling.</para>
+		
+		<para>Default: <command>time offset = 0</command></para>
+		<para>Example: <command>time offset = 60</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="timeserver">time server (G)</term>
+		<listitem><para>This parameter determines if <ulink url="nmbd.8.html"> 			
+		nmbd(8)</ulink> advertises itself as a time server to Windows 
+		clients.</para>
+
+  		<para>Default: <command>time server = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="timestamplogs">timestamp logs (G)</term>
+		<listitem><para>Synonym for <link linkend="debugtimestamp"><parameter>
+		debug timestamp</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="unixpasswordsync">unix password sync (G)</term>
+		<listitem><para>This boolean parameter controls whether Samba 
+		attempts to synchronize the UNIX password with the SMB password 
+		when the encrypted SMB password in the smbpasswd file is changed. 
+		If this is set to true the program specified in the <parameter>passwd
+		program</parameter>parameter is called <emphasis>AS ROOT</emphasis> - 
+		to allow the new UNIX password to be set without access to the 
+		old UNIX password (as the SMB password has change code has no 
+		access to the old password cleartext, only the new).</para>
+
+		<para>See also <link linkend="passwdprogram"><parameter>passwd 
+		program</parameter></link>, <link linkend="passwdchat"><parameter>
+		passwd chat</parameter></link>.</para>
+
+		<para>Default: <command>unix password sync = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="unixrealname">unix realname (G)</term>
+		<listitem><para>This boolean parameter when set causes samba 
+		to supply the real name field from the unix password file to 
+		the client. This isuseful for setting up mail clients and WWW 
+		browsers on systems used by more than one person.</para>
+
+		<para>Default: <command>unix realname = no</command></para>
+		</listitem>
+		</varlistentry>
+
+	
+	
+		<varlistentry>
+		<term id="updateencrypted">update encrypted (G)</term>
+		<listitem><para>This boolean parameter allows a user logging 
+		on with a plaintext password to have their encrypted (hashed) 
+		password in the smbpasswd file to be updated automatically as 
+		they log on. This option allows a site to migrate from plaintext 
+		password authentication (users authenticate with plaintext 
+		password over the wire, and are checked against a UNIX account 
+		database) to encrypted password authentication (the SMB 
+		challenge/response authentication mechanism) without forcing
+		all users to re-enter their passwords via smbpasswd at the time the
+		change is made. This is a convenience option to allow the change over
+		to encrypted passwords to be made over a longer period. Once all users
+		have encrypted representations of their passwords in the smbpasswd
+		file this parameter should be set to <constant>no</constant>.</para>
+
+		<para>In order for this parameter to work correctly the <link
+		linkend="encryptpasswords"><parameter>encrypt passwords</parameter>
+		</link> parameter must be set to <constant>no</constant> when
+		this parameter is set to <constant>yes</constant>.</para>
+
+		<para>Note that even when this parameter is set a user 
+		authenticating to <command>smbd</command> must still enter a valid 
+		password in order to connect correctly, and to update their hashed 
+		(smbpasswd) passwords.</para>
+
+  		<para>Default: <command>update encrypted = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="userhosts">use rhosts (G)</term>
+		<listitem><para>If this global parameter is a true, it specifies 
+		that the UNIX users <filename>.rhosts</filename> file in their home directory 
+		will be read to find the names of hosts and users who will be allowed 
+		access without specifying a password.</para>
+
+		<para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts
+		</parameter> can be a major security hole. This is because you are 
+		trusting the PC to supply the correct username. It is very easy to 
+		get a PC to supply a false username. I recommend that the <parameter>
+		use rhosts</parameter> option be only used if you really know what 
+		you are doing.</para>
+
+		<para>Default: <command>use rhosts = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="user">user (S)</term>
+		<listitem><para>Synonym for <link linkend="username"><parameter>
+		username</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="users">users (S)</term>
+		<listitem><para>Synonym for <link linkend="username"><parameter>
+		username</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="username">username (S)</term>
+		<listitem><para>Multiple users may be specified in a comma-delimited 
+		list, in which case the supplied password will be tested against 
+		each username in turn (left to right).</para>
+
+		<para>The <parameter>username</parameter> line is needed only when 
+		the PC is unable to supply its own username. This is the case 
+		for the COREPLUS protocol or where your users have different WfWg 
+		usernames to UNIX usernames. In both these cases you may also be 
+		better using the \\server\share%user syntax instead.</para>
+
+		<para>The <parameter>username</parameter> line is not a great 
+		solution in many cases as it means Samba will try to validate 
+		the supplied password against each of the usernames in the 
+		<parameter>username</parameter> line in turn. This is slow and 
+		a bad idea for lots of users in case of duplicate passwords. 
+		You may get timeouts or security breaches using this parameter 
+		unwisely.</para>
+
+		<para>Samba relies on the underlying UNIX security. This 
+		parameter does not restrict who can login, it just offers hints 
+		to the Samba server as to what usernames might correspond to the 
+		supplied password. Users can login as whoever they please and 
+		they will be able to do no more damage than if they started a 
+		telnet session. The daemon runs as the user that they log in as, 
+		so they cannot do anything that user cannot do.</para>
+
+		<para>To restrict a service to a particular set of users you 
+		can use the <link linkend="validusers"><parameter>valid users
+		</parameter></link> parameter.</para>
+
+		<para>If any of the usernames begin with a '@' then the name 
+		will be looked up first in the yp netgroups list (if Samba 
+		is compiled with netgroup support), followed by a lookup in 
+		the UNIX groups database and will expand to a list of all users 
+		in the group of that name.</para>
+		
+		<para>If any of the usernames begin with a '+' then the name 
+		will be looked up only in the UNIX groups database and will 
+		expand to a list of all users in the group of that name.</para>
+
+		<para>If any of the usernames begin with a '&'then the name 
+		will be looked up only in the yp netgroups database (if Samba 
+		is compiled with netgroup support) and will expand to a list 
+		of all users in the netgroup group of that name.</para>
+
+		<para>Note that searching though a groups database can take 
+		quite some time, snd some clients may time out during the 
+		search.</para>
+
+		<para>See the section <link linkend="validationsect">NOTE ABOUT 
+		USERNAME/PASSWORD VALIDATION</link> for more information on how 
+		this parameter determines access to the services.</para>
+
+		<para>Default: <command>The guest account if a guest service, 
+		else the name of the service.</command></para>
+
+		<para>Examples:<command>username = fred, mary, jack, jane, 
+		@users, @pcgroup</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="usernamelevel">username level (G)</term>
+		<listitem><para>This option helps Samba to try and 'guess' at 
+		the real UNIX username, as many DOS clients send an all-uppercase 
+		username. By default Samba tries all lowercase, followed by the 
+		username with the first letter capitalized, and fails if the 
+		username is not found on the UNIX machine.</para>
+
+		<para>If this parameter is set to non-zero the behavior changes. 
+		This parameter is a number that specifies the number of uppercase
+		combinations to try whilst trying to determine the UNIX user name. The
+		higher the number the more combinations will be tried, but the slower
+		the discovery of usernames will be. Use this parameter when you have
+		strange usernames on your UNIX machine, such as <constant>AstrangeUser
+		</constant>.</para>
+
+		<para>Default: <command>username level = 0</command></para>
+		<para>Example: <command>username level = 5</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="usernamemap">username map (G)</term>
+		<listitem><para>This option allows you to specify a file containing 
+		a mapping of usernames from the clients to the server. This can be 
+		used for several purposes. The most common is to map usernames 
+		that users use on DOS or Windows machines to those that the UNIX 
+		box uses. The other is to map multiple users to a single username 
+		so that they can more easily share files.</para>
+
+		<para>The map file is parsed line by line. Each line should 
+		contain a single UNIX username on the left then a '=' followed 
+		by a list of usernames on the right. The list of usernames on the 
+		right may contain names of the form @group in which case they 
+		will match any UNIX username in that group. The special client 
+		name '*' is a wildcard and matches any name. Each line of the 
+		map file may be up to 1023 characters long.</para>
+
+		<para>The file is processed on each line by taking the 
+		supplied username and comparing it with each username on the right 
+		hand side of the '=' signs. If the supplied name matches any of 
+		the names on the right hand side then it is replaced with the name 
+		on the left. Processing then continues with the next line.</para>
+
+		<para>If any line begins with a '#' or a ';' then it is 
+		ignored</para>
+
+		<para>If any line begins with an '!' then the processing 
+		will stop after that line if a mapping was done by the line. 
+		Otherwise mapping continues with every line being processed. 
+		Using '!' is most useful when you have a wildcard mapping line 
+		later in the file.</para>
+		
+		<para>For example to map from the name <constant>admin</constant> 
+		or <constant>administrator</constant> to the UNIX name <constant>
+		root</constant> you would use:</para>
+
+		<para><command>root = admin administrator</command></para>
+
+		<para>Or to map anyone in the UNIX group <constant>system</constant> 
+		to the UNIX name <constant>sys</constant> you would use:</para>
+
+		<para><command>sys = @system</command></para>
+
+		<para>You can have as many mappings as you like in a username 
+		map file.</para>
+		
+		
+		<para>If your system supports the NIS NETGROUP option then 
+		the netgroup database is checked before the <filename>/etc/group
+		</filename> database for matching groups.</para>
+
+		<para>You can map Windows usernames that have spaces in them
+		 by using double quotes around the name. For example:</para>
+
+		<para><command>tridge = "Andrew Tridgell"</command></para>
+
+		<para>would map the windows username "Andrew Tridgell" to the 
+		unix username "tridge".</para>
+
+		<para>The following example would map mary and fred to the 
+		unix user sys, and map the rest to guest. Note the use of the 
+		'!' to tell Samba to stop processing if it gets a match on 
+		that line.</para>
+
+		<para><programlisting>
+		!sys = mary fred
+		guest = *
+		</programlisting></para>
+
+		<para>Note that the remapping is applied to all occurrences 
+		of usernames. Thus if you connect to \\server\fred and <constant>
+		fred</constant> is remapped to <constant>mary</constant> then you 
+		will actually be connecting to \\server\mary and will need to 
+		supply a password suitable for <constant>mary</constant> not 
+		<constant>fred</constant>. The only exception to this is the 
+		username passed to the <link linkend="passwordserver"><parameter>
+		password server</parameter></link> (if you have one). The password 
+		server will receive whatever username the client supplies without 
+		modification.</para>
+
+		<para>Also note that no reverse mapping is done. The main effect 
+		this has is with printing. Users who have been mapped may have 
+		trouble deleting print jobs as PrintManager under WfWg will think 
+		they don't own the print job.</para>
+
+		<para>Default: <emphasis>no username map</emphasis></para>
+		<para>Example: <command>username map = /usr/local/samba/lib/users.map
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="utmp">utmp (S)</term>
+		<listitem><para>This boolean parameter is only available if 
+		Samba has been configured and compiled  with the option <command>
+		--with-utmp</command>. If set to True then Samba will attempt
+		to add utmp or utmpx records (depending on the UNIX system) whenever a
+		connection is made to a Samba server. Sites may use this to record the
+		user connecting to a Samba share.</para>
+
+		<para>See also the <link linkend="utmpdirectory"><parameter>
+		utmp directory</parameter></link> parameter.</para>
+
+		<para>Default: <command>utmp = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="utmpdirectory">utmp directory(G)</term>
+		<listitem><para>This parameter is only available if Samba has 
+		been configured and compiled with the option <command>
+		--with-utmp</command>. It specifies a directory pathname that is
+		used to store the utmp or utmpx files (depending on the UNIX system) that
+		record user connections to a Samba server. See also the <link linkend="utmp">
+		<parameter>utmp</parameter></link> parameter. By default this is 
+		not set, meaning the system will use whatever utmp file the 
+		native system is set to use (usually 
+		<filename>/var/run/utmp</filename> on Linux).</para>
+
+		<para>Default: <emphasis>no utmp directory</emphasis></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry><term id="winbindcachetime">winbind cache time</term>
+		<listitem><para><emphasis>NOTE:</emphasis> this parameter is only 
+		available in Samba 3.0.</para>
+		
+		<para>This parameter specifies the number of seconds the
+		<ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache 
+		user and group information before querying a Windows NT server 
+		again.</para>
+
+		<para>Default: <command>winbind cache type = 15</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+	
+		<varlistentry><term id="winbindgid">winbind gid</term>
+		<listitem><para><emphasis>NOTE:</emphasis> this parameter is only 
+		available in Samba 3.0.</para>
+		
+		<para>The winbind gid parameter specifies the range of group 
+		ids that are allocated by the <ulink url="winbindd.8.html">
+		winbindd(8)</ulink> daemon.  This range of group ids should have no 
+		existing local or nis groups within it as strange conflicts can 
+		occur otherwise.</para>
+
+		<para>Default: <command>winbind gid = &lt;empty string&gt;
+		</command></para>
+
+		<para>Example: <command>winbind gid = 10000-20000</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="winbinduid">winbind uid</term>
+		<listitem><para><emphasis>NOTE:</emphasis> this parameter is only 
+		available in Samba 3.0.</para>
+		
+		<para>The winbind gid parameter specifies the range of group 
+		ids that are allocated by the <ulink url="winbindd.8.html">
+		winbindd(8)</ulink> daemon.  This range of ids should have no 
+		existing local or nis users within it as strange conflicts can 
+		occur otherwise.</para>
+
+		<para>Default: <command>winbind uid = &lt;empty string&gt;
+		</command></para>
+		
+		<para>Example: <command>winbind uid = 10000-20000</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="validchars">valid chars (G)</term>
+		<listitem><para>The option allows you to specify additional 
+		characters that should be considered valid by the server in 
+		filenames. This is particularly useful for national character 
+		sets, such as adding u-umlaut or a-ring.</para>
+
+		<para>The option takes a list of characters in either integer 
+		or character form with spaces between them. If you give two 
+		characters with a colon between them then it will be taken as 
+		an lowercase:uppercase pair.</para>
+
+		<para>If you have an editor capable of entering the characters 
+		into the config file then it is probably easiest to use this 
+		method. Otherwise you can specify the characters in octal, 
+		decimal or hexadecimal form using the usual C notation.</para>
+
+		<para>For example to add the single character 'Z' to the charset 
+		(which is a pointless thing to do as it's already there) you could 
+		do one of the following</para>
+
+		<para><programlisting>
+		valid chars = Z
+		valid chars = z:Z
+		valid chars = 0132:0172
+		</programlisting></para>
+		
+		<para>The last two examples above actually add two characters, 
+		and alter the uppercase and lowercase mappings appropriately.</para>
+
+		<para>Note that you <emphasis>MUST</emphasis> specify this parameter 
+		after the <parameter>client code page</parameter> parameter if you 
+		have both set. If <parameter>client code page</parameter> is set after 
+		the <parameter>valid chars</parameter> parameter the <parameter>valid 
+		chars</parameter> settings will be overwritten.</para>
+
+		<para>See also the <link linkend="clientcodepage"><parameter>client 
+		code page</parameter></link> parameter.</para>
+
+		<para>Default: <emphasis>Samba defaults to using a reasonable set 
+		of valid characters for English systems</emphasis></para>
+
+		<para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304
+		</command></para>
+
+		<para>The above example allows filenames to have the Swedish 
+		characters in them.</para>
+
+		<para><emphasis>NOTE:</emphasis> It is actually quite difficult to 
+		correctly produce a <parameter>valid chars</parameter> line for 
+		a particular system. To automate the process <ulink 
+		url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written 
+		a package called <command>validchars</command> which will automatically 
+		produce a complete <parameter>valid chars</parameter> line for
+		a given client system. Look in the <filename>examples/validchars/
+		</filename> subdirectory of your Samba source code distribution 
+		for this package.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="validusers">valid users (S)</term>
+		<listitem><para>This is a list of users that should be allowed 
+		to login to this service. Names starting with '@', '+' and  '&'
+		are interpreted using the same rules as described in the 
+		<parameter>invalid users</parameter> parameter.</para>
+
+		<para>If this is empty (the default) then any user can login. 
+		If a username is in both this list and the <parameter>invalid 
+		users</parameter> list then access is denied for that user.</para>
+
+		<para>The current servicename is substituted for <parameter>%S
+		</parameter>. This is useful in the [homes] section.</para>
+
+		<para>See also <link linkend="invalidusers"><parameter>invalid users
+		</parameter></link></para>
+
+		<para>Default: <emphasis>No valid users list (anyone can login)
+		</emphasis></para>
+
+		<para>Example: <command>valid users = greg, @pcusers</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="vetofiles">veto files(S)</term>
+		<listitem><para>This is a list of files and directories that 
+		are neither visible nor accessible.  Each entry in the list must 
+		be separated by a '/', which allows spaces to be included 
+		in the entry. '*' and '?' can be used to specify multiple files 
+		or directories as in DOS wildcards.</para>
+
+		<para>Each entry must be a unix path, not a DOS path and 
+		must <emphasis>not</emphasis> include the  unix directory 
+		separator '/'.</para>
+
+		<para>Note that the <parameter>case sensitive</parameter> option 
+		is applicable in vetoing files.</para>
+		
+		<para>One feature of the veto files parameter that it is important 
+		to be aware of, is that if a directory contains nothing but files 
+		that match the veto files parameter (which means that Windows/DOS 
+		clients cannot ever see them) is deleted, the veto files within 
+		that directory <emphasis>are automatically deleted</emphasis> along 
+		with it, if the user has UNIX permissions to do so.</para>
+ 
+		<para>Setting this parameter will affect the performance 
+		of Samba, as it will be forced to check all files and directories 
+		for a match as they are scanned.</para>
+
+		<para>See also <link linkend="hidefiles"><parameter>hide files
+		</parameter></link> and <link linkend="casesensitive"><parameter>
+		case sensitive</parameter></link>.</para>
+
+		<para>Default: <emphasis>No files or directories are vetoed.
+		</emphasis></para>
+
+		<para>Examples:<programlisting>
+	   ; Veto any files containing the word Security, 
+    	; any ending in .tmp, and any directory containing the
+    	; word root.
+		veto files = /*Security*/*.tmp/*root*/
+
+		; Veto the Apple specific files that a NetAtalk server
+    	; creates.
+		veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+		</programlisting></para>
+		</listitem>
+		</varlistentry>
+
+
+		<varlistentry>
+		<term id="vetooplockfiles">veto oplock files (S)</term>
+		<listitem><para>This parameter is only valid when the <link
+		linkend="oplocks"><parameter>oplocks</parameter></link>
+		parameter is turned on for a share. It allows the Samba administrator
+		to selectively turn off the granting of oplocks on selected files that
+		match a wildcarded list, similar to the wildcarded list used in the
+		<link linkend="vetofiles"><parameter>veto files</parameter></link> 
+		parameter.</para>
+
+		<para>Default: <emphasis>No files are vetoed for oplock 
+		grants</emphasis></para>
+
+		<para>You might want to do this on files that you know will 
+		be heavily contended for by clients. A good example of this 
+		is in the NetBench SMB benchmark program, which causes heavy 
+		client contention for files ending in <filename>.SEM</filename>. 
+		To cause Samba not to grant oplocks on these files you would use 
+		the line (either in the [global] section or in the section for 
+		the particular NetBench share :</para>
+
+		<para>Example: <command>veto oplock files = /*;.SEM/
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="volume">volume (S)</term>
+		<listitem><para> This allows you to override the volume label 
+		returned for a share. Useful for CDROMs with installation programs 
+		that insist on a particular volume label.</para>
+
+		<para>Default: <emphasis>the name of the share</emphasis></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="widelinks">wide links (S)</term>
+		<listitem><para>This parameter controls whether or not links 
+		in the UNIX file system may be followed by the server. Links 
+		that point to areas within the directory tree exported by the 
+		server are always allowed; this parameter controls access only 
+		to areas that are outside the directory tree being exported.</para>
+
+		<para>Note that setting this parameter can have a negative 
+		effect on your server performance due to the extra system calls 
+		that Samba has to  do in order to perform the link checks.</para>
+
+		<para>Default: <command>wide links = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="winsproxy">wins proxy (G)</term>
+		<listitem><para>This is a boolean that controls if <ulink 
+		url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name 
+		queries on behalf of  other hosts. You may need to set this 
+		to <constant>yes</constant> for some older clients.</para>
+
+		<para>Default: <command>wins proxy = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="winsserver">wins server (G)</term>
+		<listitem><para>This specifies the IP address (or DNS name: IP 
+		address for preference) of the WINS server that <ulink url="nmbd.8.html">
+		nmbd(8)</ulink> should register with. If you have a WINS server on 
+		your network then you should set this to the WINS server's IP.</para>
+
+		<para>You should point this at your WINS server if you have a
+		multi-subnetted network.</para>
+
+		<para><emphasis>NOTE</emphasis>. You need to set up Samba to point 
+		to a WINS server if you have multiple subnets and wish cross-subnet 
+		browsing to work correctly.</para>
+
+		<para>See the documentation file <filename>BROWSING.txt</filename> 
+		in the docs/ directory of your Samba source distribution.</para>
+
+		<para>Default: <emphasis>not enabled</emphasis></para>
+		<para>Example: <command>wins server = 192.9.200.1</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="winshook">wins hook (G)</term>
+		<listitem><para>When Samba is running as a WINS server this 
+		allows you to call an external program for all changes to the 
+		WINS database. The primary use for this option is to allow the 
+		dynamic update of external name resolution databases such as 
+		dynamic DNS.</para>
+
+		<para>The wins hook parameter specifies the name of a script 
+		or executable that will be called as follows:</para>
+
+		<para><command>wins_hook operation name nametype ttl IP_list
+		</command></para>
+
+		<itemizedlist>
+			<listitem><para>The first argument is the operation and is one 
+			of "add", "delete", or "refresh". In most cases the operation can 
+			be ignored as the rest of the parameters provide sufficient 
+			information. Note that "refresh" may sometimes be called when the 
+			name has not previously been added, in that case it should be treated 
+			as an add.</para></listitem>
+
+			<listitem><para>The second argument is the netbios name. If the 
+			name is not a legal name then the wins hook is not called. 
+			Legal names contain only  letters, digits, hyphens, underscores 
+			and periods.</para></listitem>
+
+			<listitem><para>The third argument is the netbios name 
+			type as a 2 digit hexadecimal number. </para></listitem>
+
+			<listitem><para>The fourth argument is the TTL (time to live) 
+			for the name in seconds.</para></listitem>
+			
+			<listitem><para>The fifth and subsequent arguments are the IP 
+			addresses currently registered for that name. If this list is 
+			empty then the name should be deleted.</para></listitem>
+		</itemizedlist>
+
+		<para>An example script that calls the BIND dynamic DNS update 
+		program <command>nsupdate</command> is provided in the examples 
+		directory of the Samba source code. </para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="winssupport">wins support (G)</term>
+		<listitem><para>This boolean controls if the <ulink url="nmbd.8.html"> 		
+		nmbd(8)</ulink> process in Samba will act as a WINS server. You should 
+		not set this to true unless you have a multi-subnetted network and 
+		you wish a particular <command>nmbd</command> to be your WINS server. 
+		Note that you should <emphasis>NEVER</emphasis> set this to true 
+		on more than one machine in your network.</para>
+
+		<para>Default: <command>wins support = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry><term id="workgroup">workgroup (G)</term>
+		<listitem><para>This controls what workgroup your server will 
+		appear to be in when queried by clients. Note that this parameter 
+		also controls the Domain name used with the <link 
+		linkend="workgroup"><command>security=domain</command></link>
+		setting.</para>
+
+		<para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para>
+		<para>Example: <command>workgroup = MYGROUP</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+		<varlistentry>
+		<term id="writable">writable (S)</term>
+		<listitem><para>Synonym for <link linkend="writeable"><parameter>
+		writeable</parameter></link> for people who can't spell :-).</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="writelist">write list (S)</term>
+		<listitem><para>This is a list of users that are given read-write 
+		access to a service. If the connecting user is in this list then 
+		they will be given write access, no matter what the <link
+		linkend="writeable"><parameter>writeable</parameter></link>
+		option is set to. The list can include group names using the 
+		@group syntax.</para>
+
+		<para>Note that if a user is in both the read list and the 
+		write list then they will be given write access.</para>
+
+		<para>See also the <link linkend="readlist"><parameter>read list
+		</parameter></link> option.</para>
+
+		<para>Default: <command>write list = &lt;empty string&gt;
+		</command></para>
+
+		<para>Example: <command>write list = admin, root, @staff
+		</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="writecachesize">write cache size (S)</term>
+		<listitem><para>This integer parameter (new with Samba 2.0.7) 
+		if set to non-zero causes Samba to create an in-memory cache for 
+		each oplocked file (it does <emphasis>not</emphasis> do this for 
+		non-oplocked files). All writes that the client does not request 
+		to be flushed directly to disk will be stored in this cache if possible. 
+		The cache is flushed onto disk when a write comes in whose offset 
+		would not fit into the cache or when the file is closed by the client. 
+		Reads for the file are also served from this cache if the data is stored 
+		within it.</para>
+
+		<para>This cache allows Samba to batch client writes into a more 
+		efficient write size for RAID disks (ie. writes may be tuned to 
+		be the RAID stripe size) and can improve performance on systems 
+		where the disk subsystem is a bottleneck but there is free 
+		memory for userspace programs.</para>
+
+		<para>The integer parameter specifies the size of this cache 
+		(per oplocked file) in bytes.</para>
+
+		<para>Default: <command>write cache size = 0</command></para>
+		<para>Example: <command>write cache size = 262144</command></para>
+
+		<para>for a 256k cache size per file.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+
+
+
+		<varlistentry>
+		<term id="writeok">write ok (S)</term>
+		<listitem><para>Synonym for <link linkend="writeable"><parameter>
+		writeable</parameter></link>.</para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="writeraw">write raw (G)</term>
+		<listitem><para>This parameter controls whether or not the server 
+		will support raw writes SMB's when transferring data from clients. 
+		You should never need to change this parameter.</para>
+
+		<para>Default: <command>write raw = yes</command></para>
+		</listitem>
+		</varlistentry>
+
+
+
+		<varlistentry>
+		<term id="writeable">writeable (S)</term>
+		<listitem><para>An inverted synonym is <link linkend="readonly">
+		<parameter>read only</parameter></link>.</para>
+
+		<para>If this parameter is <constant>no</constant>, then users 
+		of a service may not create or modify files in the service's 
+		directory.</para>
+
+		<para>Note that a printable service (<command>printable = yes</command>)
+		will <emphasis>ALWAYS</emphasis> allow writing to the directory 
+		(user privileges permitting), but only via spooling operations.</para>
+
+		<para>Default: <command>writeable = no</command></para>
+		</listitem>
+		</varlistentry>
+
+
 	</variablelist>
 
 </refsect1>