diff options
author | Gerald Carter <jerry@samba.org> | 2003-09-09 02:58:53 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-09-09 02:58:53 +0000 |
commit | 99bde6889d3d8b7a9e950c86c30e82662e1dacdd (patch) | |
tree | bb7d34722e3b2b98ae7e36c11f4e7e4d4538b6fb /docs/htmldocs/smb.conf.5.html | |
parent | a50367ee119d0acf1bcaaf93f8c6fcc8fa68c999 (diff) | |
download | samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.tar.gz samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.tar.bz2 samba-99bde6889d3d8b7a9e950c86c30e82662e1dacdd.zip |
syncing files from 3.0 into HEAD again
(This used to be commit bca0bba209255d0effbae6a3d3b6d298f0952c3a)
Diffstat (limited to 'docs/htmldocs/smb.conf.5.html')
-rw-r--r-- | docs/htmldocs/smb.conf.5.html | 497 |
1 files changed, 293 insertions, 204 deletions
diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index f22afa5884..b6eb609bb0 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -21,7 +21,7 @@ values, but is preserved in string values. Some items such as create modes are numeric.</p></div><div class="refsect1" lang="en"><h2>SECTION DESCRIPTIONS</h2><p>Each section in the configuration file (except for the [global] section) describes a shared resource (known - as a "share"). The section name is the name of the + as a "share"). The section name is the name of the shared resource and the parameters within the section define the shares attributes.</p><p>There are three special sections, [global], [homes] and [printers], which are @@ -38,14 +38,14 @@ privileges in this case.</p><p>Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list - of usernames to check against the password using the "user =" + of usernames to check against the password using the "user =" option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.</p><p>Note that the access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.</p><p>The following sample section defines a file space share. The user has write access to the path <tt class="filename">/home/bar</tt>. - The share is accessed via the share name "foo":</p><pre class="screen"> + The share is accessed via the share name "foo":</p><pre class="screen"> <tt class="computeroutput"> [foo] path = /home/bar @@ -83,7 +83,7 @@ for your PCs than for UNIX access.</p><p>This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.</p><p>A similar process occurs if the requested section - name is "homes", except that the share name is not + name is "homes", except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.</p><p>The [homes] section can specify all the parameters @@ -147,8 +147,8 @@ alias|alias|alias|alias... components (if there are more than one) are separated by vertical bar symbols ('|').</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use - "printcap name = lpstat" to automatically obtain a list - of printers. See the "printcap name" option + "printcap name = lpstat" to automatically obtain a list + of printers. See the "printcap name" option for more details.</p></div></div></div><div class="refsect1" lang="en"><h2>PARAMETERS</h2><p>parameters define the specific attributes of sections.</p><p>Some parameters are specific to the [global] section (e.g., <span class="emphasis"><em>security</em></span>). Some parameters are usable in all sections (e.g., <span class="emphasis"><em>create mode</em></span>). All others @@ -164,16 +164,16 @@ alias|alias|alias|alias... not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.</p></div><div class="refsect1" lang="en"><h2>VARIABLE SUBSTITUTIONS</h2><p>Many of the strings that are settable in the config file - can take substitutions. For example the option "path = - /tmp/%u" would be interpreted as "path = - /tmp/john" if the user connected with the username john.</p><p>These substitutions are mostly noted in the descriptions below, + can take substitutions. For example the option "path = + /tmp/%u" would be interpreted as "path = + /tmp/john" if the user connected with the username john.</p><p>These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:</p><div class="variablelist"><dl><dt><span class="term">%U</span></dt><dd><p>session user name (the user name that the client wanted, not necessarily the same as the one they got).</p></dd><dt><span class="term">%G</span></dt><dd><p>primary group name of %U.</p></dd><dt><span class="term">%h</span></dt><dd><p>the Internet hostname that Samba is running on.</p></dd><dt><span class="term">%m</span></dt><dd><p>the NetBIOS name of the client machine (very useful).</p></dd><dt><span class="term">%L</span></dt><dd><p>the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your - server can have a "dual personality".</p><p>Note that this parameter is not available when Samba listens + server can have a "dual personality".</p><p>Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information </p></dd><dt><span class="term">%M</span></dt><dd><p>the Internet name of the client machine. </p></dd><dt><span class="term">%R</span></dt><dd><p>the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, @@ -182,7 +182,7 @@ alias|alias|alias|alias... machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, WfWg, Win95, WinNT and Win2k. Anything else will be known as - "UNKNOWN". If it gets it wrong then sending a level + "UNKNOWN". If it gets it wrong then sending a level 3 log to <a href="mailto:samba@samba.org" target="_top">samba@samba.org </a> should allow it to be fixed.</p></dd><dt><span class="term">%I</span></dt><dd><p>The IP address of the client machine.</p></dd><dt><span class="term">%T</span></dt><dd><p>the current date and time.</p></dd><dt><span class="term">%D</span></dt><dd><p>Name of the domain or workgroup of the current user.</p></dd><dt><span class="term">%$(<i class="replaceable"><tt>envvar</tt></i>)</span></dt><dd><p>The value of the environment variable <i class="replaceable"><tt>envar</tt></i>.</p></dd></dl></div><p>The following substitutes apply only to some configuration options(only those @@ -193,33 +193,33 @@ alias|alias|alias|alias... not compiled Samba with the <span class="emphasis"><em>--with-automount</em></span> option then this value will be the same as %L.</p></dd><dt><span class="term">%p</span></dt><dd><p>the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry - is split up as "%N:%p".</p></dd></dl></div><p>There are some quite creative things that can be done - with these substitutions and other smb.conf options.</p></div><div class="refsect1" lang="en"><a name="NAMEMANGLINGSECT"></a><h2>NAME MANGLING</h2><p>Samba supports "name mangling" so that DOS and + is split up as "%N:%p".</p></dd></dl></div><p>There are some quite creative things that can be done + with these substitutions and other smb.conf options.</p></div><div class="refsect1" lang="en"><a name="NAMEMANGLINGSECT"></a><h2>NAME MANGLING</h2><p>Samba supports "name mangling" so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.</p><p>There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program. </p><p>All of these options can be set separately for each service (or globally, of course). </p><p>The options are: </p><div class="variablelist"><dl><dt><span class="term">mangle case = yes/no</span></dt><dd><p> controls if names that have characters that - aren't of the "default" case are mangled. For example, - if this is yes then a name like "Mail" would be mangled. + aren't of the "default" case are mangled. For example, + if this is yes then a name like "Mail" would be mangled. Default <span class="emphasis"><em>no</em></span>.</p></dd><dt><span class="term">case sensitive = yes/no</span></dt><dd><p>controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed names. Default <span class="emphasis"><em>no</em></span>.</p></dd><dt><span class="term">default case = upper/lower</span></dt><dd><p>controls what the default case is for new filenames. Default <span class="emphasis"><em>lower</em></span>.</p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p>controls if new files are created with the case that the client passes, or if they are forced to be the - "default" case. Default <span class="emphasis"><em>yes</em></span>. + "default" case. Default <span class="emphasis"><em>yes</em></span>. </p></dd><dt><span class="term">short preserve case = yes/no</span></dt><dd><p>controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created - upper case, or if they are forced to be the "default" - case. This option can be use with "preserve case = yes" + upper case, or if they are forced to be the "default" + case. This option can be use with "preserve case = yes" to permit long filenames to retain their case, while short names are lowercased. Default <span class="emphasis"><em>yes</em></span>.</p></dd></dl></div><p>By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving.</p></div><div class="refsect1" lang="en"><a name="VALIDATIONSECT"></a><h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2><p>There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, then the connection request is rejected. However, if one of the - steps succeeds, then the following steps are not checked.</p><p>If the service is marked "guest only = yes" and the - server is running with share-level security ("security = share") + steps succeeds, then the following steps are not checked.</p><p>If the service is marked "guest only = yes" and the + server is running with share-level security ("security = share") then steps 1 to 5 are skipped.</p><div class="orderedlist"><ol type="1"><li><p>If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs then the connection is made as that @@ -232,23 +232,28 @@ alias|alias|alias|alias... they match then the connection is allowed as the corresponding user.</p></li><li><p>If the client has previously validated a username/password pair with the server and the client has passed - the validation token then that username is used. </p></li><li><p>If a "user = " field is given in the + the validation token then that username is used. </p></li><li><p>If a "user = " field is given in the <tt class="filename">smb.conf</tt> file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames - from the "user =" field then the connection is made as - the username in the "user =" line. If one - of the username in the "user =" list begins with a + from the "user =" field then the connection is made as + the username in the "user =" line. If one + of the username in the "user =" list begins with a '@' then that name expands to a list of names in the group of the same name.</p></li><li><p>If the service is a guest service then a - connection is made as the username given in the "guest - account =" for the service, irrespective of the + connection is made as the username given in the "guest + account =" for the service, irrespective of the supplied password.</p></li></ol></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF GLOBAL PARAMETERS</h2><p>Here is a list of all global parameters. See the section of - each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ABORTSHUTDOWNSCRIPT"><i class="parameter"><tt>abort shutdown script</tt></i></a></p></li><li><p><a href="#ADDGROUPSCRIPT"><i class="parameter"><tt>add group script</tt></i></a></p></li><li><p><a href="#ADDMACHINESCRIPT"><i class="parameter"><tt>add machine script</tt></i></a></p></li><li><p><a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter command</tt></i></a></p></li><li><p><a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share command</tt></i></a></p></li><li><p><a href="#ADDUSERSCRIPT"><i class="parameter"><tt>add user script</tt></i></a></p></li><li><p><a href="#ADDUSERTOGROUPSCRIPT"><i class="parameter"><tt>add user to group script</tt></i></a></p></li><li><p><a href="#ALGORITHMICRIDBASE"><i class="parameter"><tt>algorithmic rid base</tt></i></a></p></li><li><p><a href="#ALLOWTRUSTEDDOMAINS"><i class="parameter"><tt>allow trusted domains</tt></i></a></p></li><li><p><a href="#ANNOUNCEAS"><i class="parameter"><tt>announce as</tt></i></a></p></li><li><p><a href="#ANNOUNCEVERSION"><i class="parameter"><tt>announce version</tt></i></a></p></li><li><p><a href="#AUTHMETHODS"><i class="parameter"><tt>auth methods</tt></i></a></p></li><li><p><a href="#AUTOSERVICES"><i class="parameter"><tt>auto services</tt></i></a></p></li><li><p><a href="#BINDINTERFACESONLY"><i class="parameter"><tt>bind interfaces only</tt></i></a></p></li><li><p><a href="#BROWSELIST"><i class="parameter"><tt>browse list</tt></i></a></p></li><li><p><a href="#CHANGENOTIFYTIMEOUT"><i class="parameter"><tt>change notify timeout</tt></i></a></p></li><li><p><a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change share command</tt></i></a></p></li><li><p><a href="#CLIENTUSESPNEGO"><i class="parameter"><tt>client use spnego</tt></i></a></p></li><li><p><a href="#CONFIGFILE"><i class="parameter"><tt>config file</tt></i></a></p></li><li><p><a href="#DEADTIME"><i class="parameter"><tt>dead time</tt></i></a></p></li><li><p><a href="#DEBUGHIRESTIMESTAMP"><i class="parameter"><tt>debug hires timestamp</tt></i></a></p></li><li><p><a href="#DEBUGLEVEL"><i class="parameter"><tt>debug level</tt></i></a></p></li><li><p><a href="#DEBUGPID"><i class="parameter"><tt>debug pid</tt></i></a></p></li><li><p><a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>debug timestamp</tt></i></a></p></li><li><p><a href="#DEBUGUID"><i class="parameter"><tt>debug uid</tt></i></a></p></li><li><p><a href="#DEFAULT"><i class="parameter"><tt>default</tt></i></a></p></li><li><p><a href="#DEFAULTSERVICE"><i class="parameter"><tt>default service</tt></i></a></p></li><li><p><a href="#DELETEGROUPSCRIPT"><i class="parameter"><tt>delete group script</tt></i></a></p></li><li><p><a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>deleteprinter command</tt></i></a></p></li><li><p><a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete share command</tt></i></a></p></li><li><p><a href="#DELETEUSERFROMGROUPSCRIPT"><i class="parameter"><tt>delete user from group script</tt></i></a></p></li><li><p><a href="#DELETEUSERSCRIPT"><i class="parameter"><tt>delete user script</tt></i></a></p></li><li><p><a href="#DFREECOMMAND"><i class="parameter"><tt>dfree command</tt></i></a></p></li><li><p><a href="#DISABLENETBIOS"><i class="parameter"><tt>disable netbios</tt></i></a></p></li><li><p><a href="#DISABLESPOOLSS"><i class="parameter"><tt>disable spoolss</tt></i></a></p></li><li><p><a href="#DISPLAYCHARSET"><i class="parameter"><tt>display charset</tt></i></a></p></li><li><p><a href="#DNSPROXY"><i class="parameter"><tt>dns proxy</tt></i></a></p></li><li><p><a href="#DOMAINLOGONS"><i class="parameter"><tt>domain logons</tt></i></a></p></li><li><p><a href="#DOMAINMASTER"><i class="parameter"><tt>domain master</tt></i></a></p></li><li><p><a href="#DOSCHARSET"><i class="parameter"><tt>dos charset</tt></i></a></p></li><li><p><a href="#ENCRYPTPASSWORDS"><i class="parameter"><tt>encrypt passwords</tt></i></a></p></li><li><p><a href="#ENHANCEDBROWSING"><i class="parameter"><tt>enhanced browsing</tt></i></a></p></li><li><p><a href="#ENUMPORTSCOMMAND"><i class="parameter"><tt>enumports command</tt></i></a></p></li><li><p><a href="#GETWDCACHE"><i class="parameter"><tt>getwd cache</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#HIDELOCALUSERS"><i class="parameter"><tt>hide local users</tt></i></a></p></li><li><p><a href="#HOMEDIRMAP"><i class="parameter"><tt>homedir map</tt></i></a></p></li><li><p><a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p></li><li><p><a href="#HOSTNAMELOOKUPS"><i class="parameter"><tt>hostname lookups</tt></i></a></p></li><li><p><a href="#HOSTSEQUIV"><i class="parameter"><tt>hosts equiv</tt></i></a></p></li><li><p><a href="#IDMAPGID"><i class="parameter"><tt>idmap gid</tt></i></a></p></li><li><p><a href="#IDMAPUID"><i class="parameter"><tt>idmap uid</tt></i></a></p></li><li><p><a href="#INCLUDE"><i class="parameter"><tt>include</tt></i></a></p></li><li><p><a href="#INTERFACES"><i class="parameter"><tt>interfaces</tt></i></a></p></li><li><p><a href="#KEEPALIVE"><i class="parameter"><tt>keepalive</tt></i></a></p></li><li><p><a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel oplocks</tt></i></a></p></li><li><p><a href="#LANMANAUTH"><i class="parameter"><tt>lanman auth</tt></i></a></p></li><li><p><a href="#LARGEREADWRITE"><i class="parameter"><tt>large readwrite</tt></i></a></p></li><li><p><a href="#LDAPADMINDN"><i class="parameter"><tt>ldap admin dn</tt></i></a></p></li><li><p><a href="#LDAPDELETEDN"><i class="parameter"><tt>ldap delete dn</tt></i></a></p></li><li><p><a href="#LDAPFILTER"><i class="parameter"><tt>ldap filter</tt></i></a></p></li><li><p><a href="#LDAPMACHINESUFFIX"><i class="parameter"><tt>ldap machine suffix</tt></i></a></p></li><li><p><a href="#LDAPPASSWDSYNC"><i class="parameter"><tt>ldap passwd sync</tt></i></a></p></li><li><p><a href="#LDAPPORT"><i class="parameter"><tt>ldap port</tt></i></a></p></li><li><p><a href="#LDAPSERVER"><i class="parameter"><tt>ldap server</tt></i></a></p></li><li><p><a href="#LDAPSSL"><i class="parameter"><tt>ldap ssl</tt></i></a></p></li><li><p><a href="#LDAPSUFFIX"><i class="parameter"><tt>ldap suffix</tt></i></a></p></li><li><p><a href="#LDAPTRUSTIDS"><i class="parameter"><tt>ldap trust ids</tt></i></a></p></li><li><p><a href="#LDAPUSERSUFFIX"><i class="parameter"><tt>ldap user suffix</tt></i></a></p></li><li><p><a href="#LMANNOUNCE"><i class="parameter"><tt>lm announce</tt></i></a></p></li><li><p><a href="#LMINTERVAL"><i class="parameter"><tt>lm interval</tt></i></a></p></li><li><p><a href="#LOADPRINTERS"><i class="parameter"><tt>load printers</tt></i></a></p></li><li><p><a href="#LOCALMASTER"><i class="parameter"><tt>local master</tt></i></a></p></li><li><p><a href="#LOCKDIR"><i class="parameter"><tt>lock dir</tt></i></a></p></li><li><p><a href="#LOCKDIRECTORY"><i class="parameter"><tt>lock directory</tt></i></a></p></li><li><p><a href="#LOCKSPINCOUNT"><i class="parameter"><tt>lock spin count</tt></i></a></p></li><li><p><a href="#LOCKSPINTIME"><i class="parameter"><tt>lock spin time</tt></i></a></p></li><li><p><a href="#LOGFILE"><i class="parameter"><tt>log file</tt></i></a></p></li><li><p><a href="#LOGLEVEL"><i class="parameter"><tt>log level</tt></i></a></p></li><li><p><a href="#LOGONDRIVE"><i class="parameter"><tt>logon drive</tt></i></a></p></li><li><p><a href="#LOGONHOME"><i class="parameter"><tt>logon home</tt></i></a></p></li><li><p><a href="#LOGONPATH"><i class="parameter"><tt>logon path</tt></i></a></p></li><li><p><a href="#LOGONSCRIPT"><i class="parameter"><tt>logon script</tt></i></a></p></li><li><p><a href="#LPQCACHETIME"><i class="parameter"><tt>lpq cache time</tt></i></a></p></li><li><p><a href="#MACHINEPASSWORDTIMEOUT"><i class="parameter"><tt>machine password timeout</tt></i></a></p></li><li><p><a href="#MANGLINGSTACK"><i class="parameter"><tt>mangling stack</tt></i></a></p></li><li><p><a href="#MANGLINGPREFIX"><i class="parameter"><tt>mangling prefix</tt></i></a></p></li><li><p><a href="#MANGLINGMETHOD"><i class="parameter"><tt>mangling method</tt></i></a></p></li><li><p><a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i></a></p></li><li><p><a href="#MAXDISKSIZE"><i class="parameter"><tt>max disk size</tt></i></a></p></li><li><p><a href="#MAXLOGSIZE"><i class="parameter"><tt>max log size</tt></i></a></p></li><li><p><a href="#MAXMUX"><i class="parameter"><tt>max mux</tt></i></a></p></li><li><p><a href="#MAXOPENFILES"><i class="parameter"><tt>max open files</tt></i></a></p></li><li><p><a href="#MAXPROTOCOL"><i class="parameter"><tt>max protocol</tt></i></a></p></li><li><p><a href="#MAXSMBDPROCESSES"><i class="parameter"><tt>max smbd processes</tt></i></a></p></li><li><p><a href="#MAXTTL"><i class="parameter"><tt>max ttl</tt></i></a></p></li><li><p><a href="#MAXWINSTTL"><i class="parameter"><tt>max wins ttl</tt></i></a></p></li><li><p><a href="#MAXXMIT"><i class="parameter"><tt>max xmit</tt></i></a></p></li><li><p><a href="#MESSAGECOMMAND"><i class="parameter"><tt>message command</tt></i></a></p></li><li><p><a href="#MINPASSWDLENGTH"><i class="parameter"><tt>min passwd length</tt></i></a></p></li><li><p><a href="#MINPASSWORDLENGTH"><i class="parameter"><tt>min password length</tt></i></a></p></li><li><p><a href="#MINPROTOCOL"><i class="parameter"><tt>min protocol</tt></i></a></p></li><li><p><a href="#MINWINSTTL"><i class="parameter"><tt>min wins ttl</tt></i></a></p></li><li><p><a href="#NAMECACHETIMEOUT"><i class="parameter"><tt>name cache timeout</tt></i></a></p></li><li><p><a href="#NAMERESOLVEORDER"><i class="parameter"><tt>name resolve order</tt></i></a></p></li><li><p><a href="#NETBIOSALIASES"><i class="parameter"><tt>netbios aliases</tt></i></a></p></li><li><p><a href="#NETBIOSNAME"><i class="parameter"><tt>netbios name</tt></i></a></p></li><li><p><a href="#NETBIOSSCOPE"><i class="parameter"><tt>netbios scope</tt></i></a></p></li><li><p><a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir</tt></i></a></p></li><li><p><a href="#NONUNIXACCOUNTRANGE"><i class="parameter"><tt>non unix account range</tt></i></a></p></li><li><p><a href="#NTLMAUTH"><i class="parameter"><tt>ntlm auth</tt></i></a></p></li><li><p><a href="#NTPIPESUPPORT"><i class="parameter"><tt>nt pipe support</tt></i></a></p></li><li><p><a href="#NTSTATUSSUPPORT"><i class="parameter"><tt>nt status support</tt></i></a></p></li><li><p><a href="#NULLPASSWORDS"><i class="parameter"><tt>null passwords</tt></i></a></p></li><li><p><a href="#OBEYPAMRESTRICTIONS"><i class="parameter"><tt>obey pam restrictions</tt></i></a></p></li><li><p><a href="#OPLOCKBREAKWAITTIME"><i class="parameter"><tt>oplock break wait time</tt></i></a></p></li><li><p><a href="#OS2DRIVERMAP"><i class="parameter"><tt>os2 driver map</tt></i></a></p></li><li><p><a href="#OSLEVEL"><i class="parameter"><tt>os level</tt></i></a></p></li><li><p><a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i></a></p></li><li><p><a href="#PANICACTION"><i class="parameter"><tt>panic action</tt></i></a></p></li><li><p><a href="#PARANOIDSERVERSECURITY"><i class="parameter"><tt>paranoid server security</tt></i></a></p></li><li><p><a href="#PASSDBBACKEND"><i class="parameter"><tt>passdb backend</tt></i></a></p></li><li><p><a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i></a></p></li><li><p><a href="#PASSWDCHATDEBUG"><i class="parameter"><tt>passwd chat debug</tt></i></a></p></li><li><p><a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i></a></p></li><li><p><a href="#PASSWORDLEVEL"><i class="parameter"><tt>password level</tt></i></a></p></li><li><p><a href="#PASSWORDSERVER"><i class="parameter"><tt>password server</tt></i></a></p></li><li><p><a href="#PIDDIRECTORY"><i class="parameter"><tt>pid directory</tt></i></a></p></li><li><p><a href="#PREFEREDMASTER"><i class="parameter"><tt>prefered master</tt></i></a></p></li><li><p><a href="#PREFERREDMASTER"><i class="parameter"><tt>preferred master</tt></i></a></p></li><li><p><a href="#PRELOAD"><i class="parameter"><tt>preload</tt></i></a></p></li><li><p><a href="#PRELOADMODULES"><i class="parameter"><tt>preload modules</tt></i></a></p></li><li><p><a href="#PRINTCAP"><i class="parameter"><tt>printcap</tt></i></a></p></li><li><p><a href="#PRIVATEDIR"><i class="parameter"><tt>private dir</tt></i></a></p></li><li><p><a href="#PROTOCOL"><i class="parameter"><tt>protocol</tt></i></a></p></li><li><p><a href="#READBMPX"><i class="parameter"><tt>read bmpx</tt></i></a></p></li><li><p><a href="#READRAW"><i class="parameter"><tt>read raw</tt></i></a></p></li><li><p><a href="#READSIZE"><i class="parameter"><tt>read size</tt></i></a></p></li><li><p><a href="#REALM"><i class="parameter"><tt>realm</tt></i></a></p></li><li><p><a href="#REMOTEANNOUNCE"><i class="parameter"><tt>remote announce</tt></i></a></p></li><li><p><a href="#REMOTEBROWSESYNC"><i class="parameter"><tt>remote browse sync</tt></i></a></p></li><li><p><a href="#RESTRICTANONYMOUS"><i class="parameter"><tt>restrict anonymous</tt></i></a></p></li><li><p><a href="#ROOT"><i class="parameter"><tt>root</tt></i></a></p></li><li><p><a href="#ROOTDIR"><i class="parameter"><tt>root dir</tt></i></a></p></li><li><p><a href="#ROOTDIRECTORY"><i class="parameter"><tt>root directory</tt></i></a></p></li><li><p><a href="#SECURITY"><i class="parameter"><tt>security</tt></i></a></p></li><li><p><a href="#SERVERSCHANNEL"><i class="parameter"><tt>server schannel</tt></i></a></p></li><li><p><a href="#SERVERSTRING"><i class="parameter"><tt>server string</tt></i></a></p></li><li><p><a href="#SETPRIMARYGROUPSCRIPT"><i class="parameter"><tt>set primary group script</tt></i></a></p></li><li><p><a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add printer wizard</tt></i></a></p></li><li><p><a href="#SHUTDOWNSCRIPT"><i class="parameter"><tt>shutdown script</tt></i></a></p></li><li><p><a href="#SMBPASSWDFILE"><i class="parameter"><tt>smb passwd file</tt></i></a></p></li><li><p><a href="#SMBPORTS"><i class="parameter"><tt>smb ports</tt></i></a></p></li><li><p><a href="#SOCKETADDRESS"><i class="parameter"><tt>socket address</tt></i></a></p></li><li><p><a href="#SOCKETOPTIONS"><i class="parameter"><tt>socket options</tt></i></a></p></li><li><p><a href="#SOURCEENVIRONMENT"><i class="parameter"><tt>source environment</tt></i></a></p></li><li><p><a href="#STATCACHE"><i class="parameter"><tt>stat cache</tt></i></a></p></li><li><p><a href="#STATCACHESIZE"><i class="parameter"><tt>stat cache size</tt></i></a></p></li><li><p><a href="#STRIPDOT"><i class="parameter"><tt>strip dot</tt></i></a></p></li><li><p><a href="#SYSLOG"><i class="parameter"><tt>syslog</tt></i></a></p></li><li><p><a href="#SYSLOGONLY"><i class="parameter"><tt>syslog only</tt></i></a></p></li><li><p><a href="#TEMPLATEHOMEDIR"><i class="parameter"><tt>template homedir</tt></i></a></p></li><li><p><a href="#TEMPLATESHELL"><i class="parameter"><tt>template shell</tt></i></a></p></li><li><p><a href="#TIMEOFFSET"><i class="parameter"><tt>time offset</tt></i></a></p></li><li><p><a href="#TIMESERVER"><i class="parameter"><tt>time server</tt></i></a></p></li><li><p><a href="#TIMESTAMPLOGS"><i class="parameter"><tt>timestamp logs</tt></i></a></p></li><li><p><a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total print jobs</tt></i></a></p></li><li><p><a href="#UNICODE"><i class="parameter"><tt>unicode</tt></i></a></p></li><li><p><a href="#UNIXCHARSET"><i class="parameter"><tt>unix charset</tt></i></a></p></li><li><p><a href="#UNIXEXTENSIONS"><i class="parameter"><tt>unix extensions</tt></i></a></p></li><li><p><a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix password sync</tt></i></a></p></li><li><p><a href="#UPDATEENCRYPTED"><i class="parameter"><tt>update encrypted</tt></i></a></p></li><li><p><a href="#USEMMAP"><i class="parameter"><tt>use mmap</tt></i></a></p></li><li><p><a href="#USERNAMELEVEL"><i class="parameter"><tt>username level</tt></i></a></p></li><li><p><a href="#USERNAMEMAP"><i class="parameter"><tt>username map</tt></i></a></p></li><li><p><a href="#USESPNEGO"><i class="parameter"><tt>use spnego</tt></i></a></p></li><li><p><a href="#UTMP"><i class="parameter"><tt>utmp</tt></i></a></p></li><li><p><a href="#UTMPDIRECTORY"><i class="parameter"><tt>utmp directory</tt></i></a></p></li><li><p><a href="#WINBINDCACHETIME"><i class="parameter"><tt>winbind cache time</tt></i></a></p></li><li><p><a href="#WINBINDENUMGROUPS"><i class="parameter"><tt>winbind enum groups</tt></i></a></p></li><li><p><a href="#WINBINDENUMUSERS"><i class="parameter"><tt>winbind enum users</tt></i></a></p></li><li><p><a href="#WINBINDGID"><i class="parameter"><tt>winbind gid</tt></i></a></p></li><li><p><a href="#WINBINDSEPARATOR"><i class="parameter"><tt>winbind separator</tt></i></a></p></li><li><p><a href="#WINBINDUID"><i class="parameter"><tt>winbind uid</tt></i></a></p></li><li><p><a href="#WINBINDUSEDDEFAULTDOMAIN"><i class="parameter"><tt>winbind used default domain</tt></i></a></p></li><li><p><a href="#WINSHOOK"><i class="parameter"><tt>wins hook</tt></i></a></p></li><li><p><a href="#WINSPARTNER"><i class="parameter"><tt>wins partner</tt></i></a></p></li><li><p><a href="#WINSPROXY"><i class="parameter"><tt>wins proxy</tt></i></a></p></li><li><p><a href="#WINSSERVER"><i class="parameter"><tt>wins server</tt></i></a></p></li><li><p><a href="#WINSSUPPORT"><i class="parameter"><tt>wins support</tt></i></a></p></li><li><p><a href="#WORKGROUP"><i class="parameter"><tt>workgroup</tt></i></a></p></li><li><p><a href="#WRITERAW"><i class="parameter"><tt>write raw</tt></i></a></p></li><li><p><a href="#WTMPDIRECTORY"><i class="parameter"><tt>wtmp directory</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF SERVICE PARAMETERS</h2><p>Here is a list of all service parameters. See the section on - each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ADMINUSERS"><i class="parameter"><tt>admin users</tt></i></a></p></li><li><p><a href="#ALLOWHOSTS"><i class="parameter"><tt>allow hosts</tt></i></a></p></li><li><p><a href="#AVAILABLE"><i class="parameter"><tt>available</tt></i></a></p></li><li><p><a href="#BLOCKINGLOCKS"><i class="parameter"><tt>blocking locks</tt></i></a></p></li><li><p><a href="#BLOCKSIZE"><i class="parameter"><tt>block size</tt></i></a></p></li><li><p><a href="#BROWSABLE"><i class="parameter"><tt>browsable</tt></i></a></p></li><li><p><a href="#BROWSEABLE"><i class="parameter"><tt>browseable</tt></i></a></p></li><li><p><a href="#CASESENSITIVE"><i class="parameter"><tt>case sensitive</tt></i></a></p></li><li><p><a href="#CASESIGNAMES"><i class="parameter"><tt>casesignames</tt></i></a></p></li><li><p><a href="#COMMENT"><i class="parameter"><tt>comment</tt></i></a></p></li><li><p><a href="#COPY"><i class="parameter"><tt>copy</tt></i></a></p></li><li><p><a href="#CREATEMASK"><i class="parameter"><tt>create mask</tt></i></a></p></li><li><p><a href="#CREATEMODE"><i class="parameter"><tt>create mode</tt></i></a></p></li><li><p><a href="#CSCPOLICY"><i class="parameter"><tt>csc policy</tt></i></a></p></li><li><p><a href="#DEFAULTCASE"><i class="parameter"><tt>default case</tt></i></a></p></li><li><p><a href="#DEFAULTDEVMODE"><i class="parameter"><tt>default devmode</tt></i></a></p></li><li><p><a href="#DELETEREADONLY"><i class="parameter"><tt>delete readonly</tt></i></a></p></li><li><p><a href="#DELETEVETOFILES"><i class="parameter"><tt>delete veto files</tt></i></a></p></li><li><p><a href="#DENYHOSTS"><i class="parameter"><tt>deny hosts</tt></i></a></p></li><li><p><a href="#DIRECTORY"><i class="parameter"><tt>directory</tt></i></a></p></li><li><p><a href="#DIRECTORYMASK"><i class="parameter"><tt>directory mask</tt></i></a></p></li><li><p><a href="#DIRECTORYMODE"><i class="parameter"><tt>directory mode</tt></i></a></p></li><li><p><a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory security mask</tt></i></a></p></li><li><p><a href="#DONTDESCEND"><i class="parameter"><tt>dont descend</tt></i></a></p></li><li><p><a href="#DOSFILEMODE"><i class="parameter"><tt>dos filemode</tt></i></a></p></li><li><p><a href="#DOSFILETIMERESOLUTION"><i class="parameter"><tt>dos filetime resolution</tt></i></a></p></li><li><p><a href="#DOSFILETIMES"><i class="parameter"><tt>dos filetimes</tt></i></a></p></li><li><p><a href="#EXEC"><i class="parameter"><tt>exec</tt></i></a></p></li><li><p><a href="#FAKEDIRECTORYCREATETIMES"><i class="parameter"><tt>fake directory create times</tt></i></a></p></li><li><p><a href="#FAKEOPLOCKS"><i class="parameter"><tt>fake oplocks</tt></i></a></p></li><li><p><a href="#FOLLOWSYMLINKS"><i class="parameter"><tt>follow symlinks</tt></i></a></p></li><li><p><a href="#FORCECREATEMODE"><i class="parameter"><tt>force create mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force directory mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>force directory security mode</tt></i></a></p></li><li><p><a href="#FORCEGROUP"><i class="parameter"><tt>force group</tt></i></a></p></li><li><p><a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode</tt></i></a></p></li><li><p><a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i></a></p></li><li><p><a href="#FSTYPE"><i class="parameter"><tt>fstype</tt></i></a></p></li><li><p><a href="#GROUP"><i class="parameter"><tt>group</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#GUESTOK"><i class="parameter"><tt>guest ok</tt></i></a></p></li><li><p><a href="#GUESTONLY"><i class="parameter"><tt>guest only</tt></i></a></p></li><li><p><a href="#HIDEDOTFILES"><i class="parameter"><tt>hide dot files</tt></i></a></p></li><li><p><a href="#HIDEFILES"><i class="parameter"><tt>hide files</tt></i></a></p></li><li><p><a href="#HIDESPECIALFILES"><i class="parameter"><tt>hide special files</tt></i></a></p></li><li><p><a href="#HIDEUNREADABLE"><i class="parameter"><tt>hide unreadable</tt></i></a></p></li><li><p><a href="#HIDEUNWRITEABLEFILES"><i class="parameter"><tt>hide unwriteable files</tt></i></a></p></li><li><p><a href="#HOSTSALLOW"><i class="parameter"><tt>hosts allow</tt></i></a></p></li><li><p><a href="#HOSTSDENY"><i class="parameter"><tt>hosts deny</tt></i></a></p></li><li><p><a href="#INHERITACLS"><i class="parameter"><tt>inherit acls</tt></i></a></p></li><li><p><a href="#INHERITPERMISSIONS"><i class="parameter"><tt>inherit permissions</tt></i></a></p></li><li><p><a href="#INVALIDUSERS"><i class="parameter"><tt>invalid users</tt></i></a></p></li><li><p><a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>level2 oplocks</tt></i></a></p></li><li><p><a href="#LOCKING"><i class="parameter"><tt>locking</tt></i></a></p></li><li><p><a href="#LPPAUSECOMMAND"><i class="parameter"><tt>lppause command</tt></i></a></p></li><li><p><a href="#LPQCOMMAND"><i class="parameter"><tt>lpq command</tt></i></a></p></li><li><p><a href="#LPRESUMECOMMAND"><i class="parameter"><tt>lpresume command</tt></i></a></p></li><li><p><a href="#LPRMCOMMAND"><i class="parameter"><tt>lprm command</tt></i></a></p></li><li><p><a href="#MAGICOUTPUT"><i class="parameter"><tt>magic output</tt></i></a></p></li><li><p><a href="#MAGICSCRIPT"><i class="parameter"><tt>magic script</tt></i></a></p></li><li><p><a href="#MANGLECASE"><i class="parameter"><tt>mangle case</tt></i></a></p></li><li><p><a href="#MANGLEDMAP"><i class="parameter"><tt>mangled map</tt></i></a></p></li><li><p><a href="#MANGLEDNAMES"><i class="parameter"><tt>mangled names</tt></i></a></p></li><li><p><a href="#MANGLINGCHAR"><i class="parameter"><tt>mangling char</tt></i></a></p></li><li><p><a href="#MAPACLINHERIT"><i class="parameter"><tt>map acl inherit</tt></i></a></p></li><li><p><a href="#MAPARCHIVE"><i class="parameter"><tt>map archive</tt></i></a></p></li><li><p><a href="#MAPHIDDEN"><i class="parameter"><tt>map hidden</tt></i></a></p></li><li><p><a href="#MAPSYSTEM"><i class="parameter"><tt>map system</tt></i></a></p></li><li><p><a href="#MAXCONNECTIONS"><i class="parameter"><tt>max connections</tt></i></a></p></li><li><p><a href="#MAXPRINTJOBS"><i class="parameter"><tt>max print jobs</tt></i></a></p></li><li><p><a href="#MAXREPORTEDPRINTJOBS"><i class="parameter"><tt>max reported print jobs</tt></i></a></p></li><li><p><a href="#MINPRINTSPACE"><i class="parameter"><tt>min print space</tt></i></a></p></li><li><p><a href="#MSDFSPROXY"><i class="parameter"><tt>msdfs proxy</tt></i></a></p></li><li><p><a href="#MSDFSROOT"><i class="parameter"><tt>msdfs root</tt></i></a></p></li><li><p><a href="#NTACLSUPPORT"><i class="parameter"><tt>nt acl support</tt></i></a></p></li><li><p><a href="#ONLYGUEST"><i class="parameter"><tt>only guest</tt></i></a></p></li><li><p><a href="#ONLYUSER"><i class="parameter"><tt>only user</tt></i></a></p></li><li><p><a href="#OPLOCKCONTENTIONLIMIT"><i class="parameter"><tt>oplock contention limit</tt></i></a></p></li><li><p><a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i></a></p></li><li><p><a href="#PATH"><i class="parameter"><tt>path</tt></i></a></p></li><li><p><a href="#POSIXLOCKING"><i class="parameter"><tt>posix locking</tt></i></a></p></li><li><p><a href="#POSTEXEC"><i class="parameter"><tt>postexec</tt></i></a></p></li><li><p><a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a></p></li><li><p><a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a></p></li><li><p><a href="#PRESERVECASE"><i class="parameter"><tt>preserve case</tt></i></a></p></li><li><p><a href="#PRINTABLE"><i class="parameter"><tt>printable</tt></i></a></p></li><li><p><a href="#PRINTCAPNAME"><i class="parameter"><tt>printcap name</tt></i></a></p></li><li><p><a href="#PRINTCOMMAND"><i class="parameter"><tt>print command</tt></i></a></p></li><li><p><a href="#PRINTER"><i class="parameter"><tt>printer</tt></i></a></p></li><li><p><a href="#PRINTERADMIN"><i class="parameter"><tt>printer admin</tt></i></a></p></li><li><p><a href="#PRINTERNAME"><i class="parameter"><tt>printer name</tt></i></a></p></li><li><p><a href="#PRINTING"><i class="parameter"><tt>printing</tt></i></a></p></li><li><p><a href="#PRINTOK"><i class="parameter"><tt>print ok</tt></i></a></p></li><li><p><a href="#PUBLIC"><i class="parameter"><tt>public</tt></i></a></p></li><li><p><a href="#QUEUEPAUSECOMMAND"><i class="parameter"><tt>queuepause command</tt></i></a></p></li><li><p><a href="#QUEUERESUMECOMMAND"><i class="parameter"><tt>queueresume command</tt></i></a></p></li><li><p><a href="#READLIST"><i class="parameter"><tt>read list</tt></i></a></p></li><li><p><a href="#READONLY"><i class="parameter"><tt>read only</tt></i></a></p></li><li><p><a href="#ROOTPOSTEXEC"><i class="parameter"><tt>root postexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXEC"><i class="parameter"><tt>root preexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXECCLOSE"><i class="parameter"><tt>root preexec close</tt></i></a></p></li><li><p><a href="#SECURITYMASK"><i class="parameter"><tt>security mask</tt></i></a></p></li><li><p><a href="#SETDIRECTORY"><i class="parameter"><tt>set directory</tt></i></a></p></li><li><p><a href="#SHAREMODES"><i class="parameter"><tt>share modes</tt></i></a></p></li><li><p><a href="#SHORTPRESERVECASE"><i class="parameter"><tt>short preserve case</tt></i></a></p></li><li><p><a href="#STRICTALLOCATE"><i class="parameter"><tt>strict allocate</tt></i></a></p></li><li><p><a href="#STRICTLOCKING"><i class="parameter"><tt>strict locking</tt></i></a></p></li><li><p><a href="#STRICTSYNC"><i class="parameter"><tt>strict sync</tt></i></a></p></li><li><p><a href="#SYNCALWAYS"><i class="parameter"><tt>sync always</tt></i></a></p></li><li><p><a href="#USECLIENTDRIVER"><i class="parameter"><tt>use client driver</tt></i></a></p></li><li><p><a href="#USER"><i class="parameter"><tt>user</tt></i></a></p></li><li><p><a href="#USERNAME"><i class="parameter"><tt>username</tt></i></a></p></li><li><p><a href="#USERS"><i class="parameter"><tt>users</tt></i></a></p></li><li><p><a href="#USESENDFILE"><i class="parameter"><tt>use sendfile</tt></i></a></p></li><li><p><a href="#-VALID"><i class="parameter"><tt>-valid</tt></i></a></p></li><li><p><a href="#VALIDUSERS"><i class="parameter"><tt>valid users</tt></i></a></p></li><li><p><a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a></p></li><li><p><a href="#VETOOPLOCKFILES"><i class="parameter"><tt>veto oplock files</tt></i></a></p></li><li><p><a href="#VFSOBJECT"><i class="parameter"><tt>vfs object</tt></i></a></p></li><li><p><a href="#VFSOBJECTS"><i class="parameter"><tt>vfs objects</tt></i></a></p></li><li><p><a href="#VOLUME"><i class="parameter"><tt>volume</tt></i></a></p></li><li><p><a href="#WIDELINKS"><i class="parameter"><tt>wide links</tt></i></a></p></li><li><p><a href="#WRITABLE"><i class="parameter"><tt>writable</tt></i></a></p></li><li><p><a href="#WRITEABLE"><i class="parameter"><tt>writeable</tt></i></a></p></li><li><p><a href="#WRITECACHESIZE"><i class="parameter"><tt>write cache size</tt></i></a></p></li><li><p><a href="#WRITELIST"><i class="parameter"><tt>write list</tt></i></a></p></li><li><p><a href="#WRITEOK"><i class="parameter"><tt>write ok</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span> + each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ABORTSHUTDOWNSCRIPT"><i class="parameter"><tt>abort shutdown script</tt></i></a></p></li><li><p><a href="#ADDGROUPSCRIPT"><i class="parameter"><tt>add group script</tt></i></a></p></li><li><p><a href="#ADDMACHINESCRIPT"><i class="parameter"><tt>add machine script</tt></i></a></p></li><li><p><a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter command</tt></i></a></p></li><li><p><a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share command</tt></i></a></p></li><li><p><a href="#ADDUSERSCRIPT"><i class="parameter"><tt>add user script</tt></i></a></p></li><li><p><a href="#ADDUSERTOGROUPSCRIPT"><i class="parameter"><tt>add user to group script</tt></i></a></p></li><li><p><a href="#ALGORITHMICRIDBASE"><i class="parameter"><tt>algorithmic rid base</tt></i></a></p></li><li><p><a href="#ALLOWTRUSTEDDOMAINS"><i class="parameter"><tt>allow trusted domains</tt></i></a></p></li><li><p><a href="#ANNOUNCEAS"><i class="parameter"><tt>announce as</tt></i></a></p></li><li><p><a href="#ANNOUNCEVERSION"><i class="parameter"><tt>announce version</tt></i></a></p></li><li><p><a href="#AUTHMETHODS"><i class="parameter"><tt>auth methods</tt></i></a></p></li><li><p><a href="#AUTOSERVICES"><i class="parameter"><tt>auto services</tt></i></a></p></li><li><p><a href="#BINDINTERFACESONLY"><i class="parameter"><tt>bind interfaces only</tt></i></a></p></li><li><p><a href="#BROWSELIST"><i class="parameter"><tt>browse list</tt></i></a></p></li><li><p><a href="#CHANGENOTIFYTIMEOUT"><i class="parameter"><tt>change notify timeout</tt></i></a></p></li><li><p><a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change share command</tt></i></a></p></li><li><p><a href="#CLIENTLANMANAUTH"><i class="parameter"><tt>client lanman auth</tt></i></a></p></li><li><p><a href="#CLIENTNTLMV2AUTH"><i class="parameter"><tt>client ntlmv2 auth</tt></i></a></p></li><li><p><a href="#CLIENTPLAINTEXTAUTH"><i class="parameter"><tt>client plaintext auth</tt></i></a></p></li><li><p><a href="#CLIENTSCHANNEL"><i class="parameter"><tt>client schannel</tt></i></a></p></li><li><p><a href="#CLIENTSIGNING"><i class="parameter"><tt>client signing</tt></i></a></p></li><li><p><a href="#CLIENTUSESPNEGO"><i class="parameter"><tt>client use spnego</tt></i></a></p></li><li><p><a href="#CONFIGFILE"><i class="parameter"><tt>config file</tt></i></a></p></li><li><p><a href="#DEADTIME"><i class="parameter"><tt>deadtime</tt></i></a></p></li><li><p><a href="#DEBUGHIRESTIMESTAMP"><i class="parameter"><tt>debug hires timestamp</tt></i></a></p></li><li><p><a href="#DEBUGLEVEL"><i class="parameter"><tt>debuglevel</tt></i></a></p></li><li><p><a href="#DEBUGPID"><i class="parameter"><tt>debug pid</tt></i></a></p></li><li><p><a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>debug timestamp</tt></i></a></p></li><li><p><a href="#DEBUGUID"><i class="parameter"><tt>debug uid</tt></i></a></p></li><li><p><a href="#DEFAULT"><i class="parameter"><tt>default</tt></i></a></p></li><li><p><a href="#DEFAULTSERVICE"><i class="parameter"><tt>default service</tt></i></a></p></li><li><p><a href="#DELETEGROUPSCRIPT"><i class="parameter"><tt>delete group script</tt></i></a></p></li><li><p><a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>deleteprinter command</tt></i></a></p></li><li><p><a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete share command</tt></i></a></p></li><li><p><a href="#DELETEUSERFROMGROUPSCRIPT"><i class="parameter"><tt>delete user from group script</tt></i></a></p></li><li><p><a href="#DELETEUSERSCRIPT"><i class="parameter"><tt>delete user script</tt></i></a></p></li><li><p><a href="#DFREECOMMAND"><i class="parameter"><tt>dfree command</tt></i></a></p></li><li><p><a href="#DISABLENETBIOS"><i class="parameter"><tt>disable netbios</tt></i></a></p></li><li><p><a href="#DISABLESPOOLSS"><i class="parameter"><tt>disable spoolss</tt></i></a></p></li><li><p><a href="#DISPLAYCHARSET"><i class="parameter"><tt>display charset</tt></i></a></p></li><li><p><a href="#DNSPROXY"><i class="parameter"><tt>dns proxy</tt></i></a></p></li><li><p><a href="#DOMAINLOGONS"><i class="parameter"><tt>domain logons</tt></i></a></p></li><li><p><a href="#DOMAINMASTER"><i class="parameter"><tt>domain master</tt></i></a></p></li><li><p><a href="#DOSCHARSET"><i class="parameter"><tt>dos charset</tt></i></a></p></li><li><p><a href="#ENABLERIDALGORITHM"><i class="parameter"><tt>enable rid algorithm</tt></i></a></p></li><li><p><a href="#ENCRYPTPASSWORDS"><i class="parameter"><tt>encrypt passwords</tt></i></a></p></li><li><p><a href="#ENHANCEDBROWSING"><i class="parameter"><tt>enhanced browsing</tt></i></a></p></li><li><p><a href="#ENUMPORTSCOMMAND"><i class="parameter"><tt>enumports command</tt></i></a></p></li><li><p><a href="#GETQUOTACOMMAND"><i class="parameter"><tt>get quota command</tt></i></a></p></li><li><p><a href="#GETWDCACHE"><i class="parameter"><tt>getwd cache</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#HIDELOCALUSERS"><i class="parameter"><tt>hide local users</tt></i></a></p></li><li><p><a href="#HOMEDIRMAP"><i class="parameter"><tt>homedir map</tt></i></a></p></li><li><p><a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p></li><li><p><a href="#HOSTNAMELOOKUPS"><i class="parameter"><tt>hostname lookups</tt></i></a></p></li><li><p><a href="#HOSTSEQUIV"><i class="parameter"><tt>hosts equiv</tt></i></a></p></li><li><p><a href="#IDMAPBACKEND"><i class="parameter"><tt>idmap backend</tt></i></a></p></li><li><p><a href="#IDMAPGID"><i class="parameter"><tt>idmap gid</tt></i></a></p></li><li><p><a href="#IDMAPUID"><i class="parameter"><tt>idmap uid</tt></i></a></p></li><li><p><a href="#INCLUDE"><i class="parameter"><tt>include</tt></i></a></p></li><li><p><a href="#INTERFACES"><i class="parameter"><tt>interfaces</tt></i></a></p></li><li><p><a href="#KEEPALIVE"><i class="parameter"><tt>keepalive</tt></i></a></p></li><li><p><a href="#KERNELCHANGENOTIFY"><i class="parameter"><tt>kernel change notify</tt></i></a></p></li><li><p><a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel oplocks</tt></i></a></p></li><li><p><a href="#LANMANAUTH"><i class="parameter"><tt>lanman auth</tt></i></a></p></li><li><p><a href="#LARGEREADWRITE"><i class="parameter"><tt>large readwrite</tt></i></a></p></li><li><p><a href="#LDAPADMINDN"><i class="parameter"><tt>ldap admin dn</tt></i></a></p></li><li><p><a href="#LDAPDELETEDN"><i class="parameter"><tt>ldap delete dn</tt></i></a></p></li><li><p><a href="#LDAPFILTER"><i class="parameter"><tt>ldap filter</tt></i></a></p></li><li><p><a href="#LDAPGROUPSUFFIX"><i class="parameter"><tt>ldap group suffix</tt></i></a></p></li><li><p><a href="#LDAPIDMAPSUFFIX"><i class="parameter"><tt>ldap idmap suffix</tt></i></a></p></li><li><p><a href="#LDAPMACHINESUFFIX"><i class="parameter"><tt>ldap machine suffix</tt></i></a></p></li><li><p><a href="#LDAPPASSWDSYNC"><i class="parameter"><tt>ldap passwd sync</tt></i></a></p></li><li><p><a href="#LDAPPORT"><i class="parameter"><tt>ldap port</tt></i></a></p></li><li><p><a href="#LDAPSERVER"><i class="parameter"><tt>ldap server</tt></i></a></p></li><li><p><a href="#LDAPSSL"><i class="parameter"><tt>ldap ssl</tt></i></a></p></li><li><p><a href="#LDAPSUFFIX"><i class="parameter"><tt>ldap suffix</tt></i></a></p></li><li><p><a href="#LDAPUSERSUFFIX"><i class="parameter"><tt>ldap user suffix</tt></i></a></p></li><li><p><a href="#LMANNOUNCE"><i class="parameter"><tt>lm announce</tt></i></a></p></li><li><p><a href="#LMINTERVAL"><i class="parameter"><tt>lm interval</tt></i></a></p></li><li><p><a href="#LOADPRINTERS"><i class="parameter"><tt>load printers</tt></i></a></p></li><li><p><a href="#LOCALMASTER"><i class="parameter"><tt>local master</tt></i></a></p></li><li><p><a href="#LOCKDIR"><i class="parameter"><tt>lock dir</tt></i></a></p></li><li><p><a href="#LOCKDIRECTORY"><i class="parameter"><tt>lock directory</tt></i></a></p></li><li><p><a href="#LOCKSPINCOUNT"><i class="parameter"><tt>lock spin count</tt></i></a></p></li><li><p><a href="#LOCKSPINTIME"><i class="parameter"><tt>lock spin time</tt></i></a></p></li><li><p><a href="#LOGFILE"><i class="parameter"><tt>log file</tt></i></a></p></li><li><p><a href="#LOGLEVEL"><i class="parameter"><tt>log level</tt></i></a></p></li><li><p><a href="#LOGONDRIVE"><i class="parameter"><tt>logon drive</tt></i></a></p></li><li><p><a href="#LOGONHOME"><i class="parameter"><tt>logon home</tt></i></a></p></li><li><p><a href="#LOGONPATH"><i class="parameter"><tt>logon path</tt></i></a></p></li><li><p><a href="#LOGONSCRIPT"><i class="parameter"><tt>logon script</tt></i></a></p></li><li><p><a href="#LPQCACHETIME"><i class="parameter"><tt>lpq cache time</tt></i></a></p></li><li><p><a href="#MACHINEPASSWORDTIMEOUT"><i class="parameter"><tt>machine password timeout</tt></i></a></p></li><li><p><a href="#MANGLEDSTACK"><i class="parameter"><tt>mangled stack</tt></i></a></p></li><li><p><a href="#MANGLEPREFIX"><i class="parameter"><tt>mangle prefix</tt></i></a></p></li><li><p><a href="#MANGLINGMETHOD"><i class="parameter"><tt>mangling method</tt></i></a></p></li><li><p><a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i></a></p></li><li><p><a href="#MAXDISKSIZE"><i class="parameter"><tt>max disk size</tt></i></a></p></li><li><p><a href="#MAXLOGSIZE"><i class="parameter"><tt>max log size</tt></i></a></p></li><li><p><a href="#MAXMUX"><i class="parameter"><tt>max mux</tt></i></a></p></li><li><p><a href="#MAXOPENFILES"><i class="parameter"><tt>max open files</tt></i></a></p></li><li><p><a href="#MAXPROTOCOL"><i class="parameter"><tt>max protocol</tt></i></a></p></li><li><p><a href="#MAXSMBDPROCESSES"><i class="parameter"><tt>max smbd processes</tt></i></a></p></li><li><p><a href="#MAXTTL"><i class="parameter"><tt>max ttl</tt></i></a></p></li><li><p><a href="#MAXWINSTTL"><i class="parameter"><tt>max wins ttl</tt></i></a></p></li><li><p><a href="#MAXXMIT"><i class="parameter"><tt>max xmit</tt></i></a></p></li><li><p><a href="#MESSAGECOMMAND"><i class="parameter"><tt>message command</tt></i></a></p></li><li><p><a href="#MINPASSWDLENGTH"><i class="parameter"><tt>min passwd length</tt></i></a></p></li><li><p><a href="#MINPASSWORDLENGTH"><i class="parameter"><tt>min password length</tt></i></a></p></li><li><p><a href="#MINPROTOCOL"><i class="parameter"><tt>min protocol</tt></i></a></p></li><li><p><a href="#MINWINSTTL"><i class="parameter"><tt>min wins ttl</tt></i></a></p></li><li><p><a href="#NAMECACHETIMEOUT"><i class="parameter"><tt>name cache timeout</tt></i></a></p></li><li><p><a href="#NAMERESOLVEORDER"><i class="parameter"><tt>name resolve order</tt></i></a></p></li><li><p><a href="#NETBIOSALIASES"><i class="parameter"><tt>netbios aliases</tt></i></a></p></li><li><p><a href="#NETBIOSNAME"><i class="parameter"><tt>netbios name</tt></i></a></p></li><li><p><a href="#NETBIOSSCOPE"><i class="parameter"><tt>netbios scope</tt></i></a></p></li><li><p><a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir</tt></i></a></p></li><li><p><a href="#NTLMAUTH"><i class="parameter"><tt>ntlm auth</tt></i></a></p></li><li><p><a href="#NTPIPESUPPORT"><i class="parameter"><tt>nt pipe support</tt></i></a></p></li><li><p><a href="#NTSTATUSSUPPORT"><i class="parameter"><tt>nt status support</tt></i></a></p></li><li><p><a href="#NULLPASSWORDS"><i class="parameter"><tt>null passwords</tt></i></a></p></li><li><p><a href="#OBEYPAMRESTRICTIONS"><i class="parameter"><tt>obey pam restrictions</tt></i></a></p></li><li><p><a href="#OPLOCKBREAKWAITTIME"><i class="parameter"><tt>oplock break wait time</tt></i></a></p></li><li><p><a href="#OS2DRIVERMAP"><i class="parameter"><tt>os2 driver map</tt></i></a></p></li><li><p><a href="#OSLEVEL"><i class="parameter"><tt>os level</tt></i></a></p></li><li><p><a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i></a></p></li><li><p><a href="#PANICACTION"><i class="parameter"><tt>panic action</tt></i></a></p></li><li><p><a href="#PARANOIDSERVERSECURITY"><i class="parameter"><tt>paranoid server security</tt></i></a></p></li><li><p><a href="#PASSDBBACKEND"><i class="parameter"><tt>passdb backend</tt></i></a></p></li><li><p><a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i></a></p></li><li><p><a href="#PASSWDCHATDEBUG"><i class="parameter"><tt>passwd chat debug</tt></i></a></p></li><li><p><a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i></a></p></li><li><p><a href="#PASSWORDLEVEL"><i class="parameter"><tt>password level</tt></i></a></p></li><li><p><a href="#PASSWORDSERVER"><i class="parameter"><tt>password server</tt></i></a></p></li><li><p><a href="#PIDDIRECTORY"><i class="parameter"><tt>pid directory</tt></i></a></p></li><li><p><a href="#PREFEREDMASTER"><i class="parameter"><tt>prefered master</tt></i></a></p></li><li><p><a href="#PREFERREDMASTER"><i class="parameter"><tt>preferred master</tt></i></a></p></li><li><p><a href="#PRELOAD"><i class="parameter"><tt>preload</tt></i></a></p></li><li><p><a href="#PRELOADMODULES"><i class="parameter"><tt>preload modules</tt></i></a></p></li><li><p><a href="#PRINTCAP"><i class="parameter"><tt>printcap</tt></i></a></p></li><li><p><a href="#PRIVATEDIR"><i class="parameter"><tt>private dir</tt></i></a></p></li><li><p><a href="#PROTOCOL"><i class="parameter"><tt>protocol</tt></i></a></p></li><li><p><a href="#READBMPX"><i class="parameter"><tt>read bmpx</tt></i></a></p></li><li><p><a href="#READRAW"><i class="parameter"><tt>read raw</tt></i></a></p></li><li><p><a href="#READSIZE"><i class="parameter"><tt>read size</tt></i></a></p></li><li><p><a href="#REALM"><i class="parameter"><tt>realm</tt></i></a></p></li><li><p><a href="#REMOTEANNOUNCE"><i class="parameter"><tt>remote announce</tt></i></a></p></li><li><p><a href="#REMOTEBROWSESYNC"><i class="parameter"><tt>remote browse sync</tt></i></a></p></li><li><p><a href="#RESTRICTANONYMOUS"><i class="parameter"><tt>restrict anonymous</tt></i></a></p></li><li><p><a href="#ROOT"><i class="parameter"><tt>root</tt></i></a></p></li><li><p><a href="#ROOTDIR"><i class="parameter"><tt>root dir</tt></i></a></p></li><li><p><a href="#ROOTDIRECTORY"><i class="parameter"><tt>root directory</tt></i></a></p></li><li><p><a href="#SECURITY"><i class="parameter"><tt>security</tt></i></a></p></li><li><p><a href="#SERVERSCHANNEL"><i class="parameter"><tt>server schannel</tt></i></a></p></li><li><p><a href="#SERVERSIGNING"><i class="parameter"><tt>server signing</tt></i></a></p></li><li><p><a href="#SERVERSTRING"><i class="parameter"><tt>server string</tt></i></a></p></li><li><p><a href="#SETPRIMARYGROUPSCRIPT"><i class="parameter"><tt>set primary group script</tt></i></a></p></li><li><p><a href="#SETQUOTACOMMAND"><i class="parameter"><tt>set quota command</tt></i></a></p></li><li><p><a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add printer wizard</tt></i></a></p></li><li><p><a href="#SHUTDOWNSCRIPT"><i class="parameter"><tt>shutdown script</tt></i></a></p></li><li><p><a href="#SMBPASSWDFILE"><i class="parameter"><tt>smb passwd file</tt></i></a></p></li><li><p><a href="#SMBPORTS"><i class="parameter"><tt>smb ports</tt></i></a></p></li><li><p><a href="#SOCKETADDRESS"><i class="parameter"><tt>socket address</tt></i></a></p></li><li><p><a href="#SOCKETOPTIONS"><i class="parameter"><tt>socket options</tt></i></a></p></li><li><p><a href="#SOURCEENVIRONMENT"><i class="parameter"><tt>source environment</tt></i></a></p></li><li><p><a href="#STATCACHE"><i class="parameter"><tt>stat cache</tt></i></a></p></li><li><p><a href="#STRIPDOT"><i class="parameter"><tt>strip dot</tt></i></a></p></li><li><p><a href="#SYSLOG"><i class="parameter"><tt>syslog</tt></i></a></p></li><li><p><a href="#SYSLOGONLY"><i class="parameter"><tt>syslog only</tt></i></a></p></li><li><p><a href="#TEMPLATEHOMEDIR"><i class="parameter"><tt>template homedir</tt></i></a></p></li><li><p><a href="#TEMPLATEPRIMARYGROUP"><i class="parameter"><tt>template primary group</tt></i></a></p></li><li><p><a href="#TEMPLATESHELL"><i class="parameter"><tt>template shell</tt></i></a></p></li><li><p><a href="#TIMEOFFSET"><i class="parameter"><tt>time offset</tt></i></a></p></li><li><p><a href="#TIMESERVER"><i class="parameter"><tt>time server</tt></i></a></p></li><li><p><a href="#TIMESTAMPLOGS"><i class="parameter"><tt>timestamp logs</tt></i></a></p></li><li><p><a href="#UNICODE"><i class="parameter"><tt>unicode</tt></i></a></p></li><li><p><a href="#UNIXCHARSET"><i class="parameter"><tt>unix charset</tt></i></a></p></li><li><p><a href="#UNIXEXTENSIONS"><i class="parameter"><tt>unix extensions</tt></i></a></p></li><li><p><a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix password sync</tt></i></a></p></li><li><p><a href="#UPDATEENCRYPTED"><i class="parameter"><tt>update encrypted</tt></i></a></p></li><li><p><a href="#USEMMAP"><i class="parameter"><tt>use mmap</tt></i></a></p></li><li><p><a href="#USERNAMELEVEL"><i class="parameter"><tt>username level</tt></i></a></p></li><li><p><a href="#USERNAMEMAP"><i class="parameter"><tt>username map</tt></i></a></p></li><li><p><a href="#USESPNEGO"><i class="parameter"><tt>use spnego</tt></i></a></p></li><li><p><a href="#UTMP"><i class="parameter"><tt>utmp</tt></i></a></p></li><li><p><a href="#UTMPDIRECTORY"><i class="parameter"><tt>utmp directory</tt></i></a></p></li><li><p><a href="#WINBINDCACHETIME"><i class="parameter"><tt>winbind cache time</tt></i></a></p></li><li><p><a href="#WINBINDENABLELOCALACCOUNTS"><i class="parameter"><tt>winbind enable local accounts</tt></i></a></p></li><li><p><a href="#WINBINDENUMGROUPS"><i class="parameter"><tt>winbind enum groups</tt></i></a></p></li><li><p><a href="#WINBINDENUMUSERS"><i class="parameter"><tt>winbind enum users</tt></i></a></p></li><li><p><a href="#WINBINDGID"><i class="parameter"><tt>winbind gid</tt></i></a></p></li><li><p><a href="#WINBINDSEPARATOR"><i class="parameter"><tt>winbind separator</tt></i></a></p></li><li><p><a href="#WINBINDTRUSTEDDOMAINSONLY"><i class="parameter"><tt>winbind trusted domains only</tt></i></a></p></li><li><p><a href="#WINBINDUID"><i class="parameter"><tt>winbind uid</tt></i></a></p></li><li><p><a href="#WINBINDUSEDEFAULTDOMAIN"><i class="parameter"><tt>winbind use default domain</tt></i></a></p></li><li><p><a href="#WINSHOOK"><i class="parameter"><tt>wins hook</tt></i></a></p></li><li><p><a href="#WINSPARTNERS"><i class="parameter"><tt>wins partners</tt></i></a></p></li><li><p><a href="#WINSPROXY"><i class="parameter"><tt>wins proxy</tt></i></a></p></li><li><p><a href="#WINSSERVER"><i class="parameter"><tt>wins server</tt></i></a></p></li><li><p><a href="#WINSSUPPORT"><i class="parameter"><tt>wins support</tt></i></a></p></li><li><p><a href="#WORKGROUP"><i class="parameter"><tt>workgroup</tt></i></a></p></li><li><p><a href="#WRITERAW"><i class="parameter"><tt>write raw</tt></i></a></p></li><li><p><a href="#WTMPDIRECTORY"><i class="parameter"><tt>wtmp directory</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF SERVICE PARAMETERS</h2><p>Here is a list of all service parameters. See the section on + each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ACLCOMPATIBILITY"><i class="parameter"><tt>acl compatibility</tt></i></a></p></li><li><p><a href="#ADMINUSERS"><i class="parameter"><tt>admin users</tt></i></a></p></li><li><p><a href="#ALLOWHOSTS"><i class="parameter"><tt>allow hosts</tt></i></a></p></li><li><p><a href="#AVAILABLE"><i class="parameter"><tt>available</tt></i></a></p></li><li><p><a href="#BLOCKINGLOCKS"><i class="parameter"><tt>blocking locks</tt></i></a></p></li><li><p><a href="#BLOCKSIZE"><i class="parameter"><tt>block size</tt></i></a></p></li><li><p><a href="#BROWSABLE"><i class="parameter"><tt>browsable</tt></i></a></p></li><li><p><a href="#BROWSEABLE"><i class="parameter"><tt>browseable</tt></i></a></p></li><li><p><a href="#CASESENSITIVE"><i class="parameter"><tt>case sensitive</tt></i></a></p></li><li><p><a href="#CASESIGNAMES"><i class="parameter"><tt>casesignames</tt></i></a></p></li><li><p><a href="#COMMENT"><i class="parameter"><tt>comment</tt></i></a></p></li><li><p><a href="#COPY"><i class="parameter"><tt>copy</tt></i></a></p></li><li><p><a href="#CREATEMASK"><i class="parameter"><tt>create mask</tt></i></a></p></li><li><p><a href="#CREATEMODE"><i class="parameter"><tt>create mode</tt></i></a></p></li><li><p><a href="#CSCPOLICY"><i class="parameter"><tt>csc policy</tt></i></a></p></li><li><p><a href="#DEFAULTCASE"><i class="parameter"><tt>default case</tt></i></a></p></li><li><p><a href="#DEFAULTDEVMODE"><i class="parameter"><tt>default devmode</tt></i></a></p></li><li><p><a href="#DELETEREADONLY"><i class="parameter"><tt>delete readonly</tt></i></a></p></li><li><p><a href="#DELETEVETOFILES"><i class="parameter"><tt>delete veto files</tt></i></a></p></li><li><p><a href="#DENYHOSTS"><i class="parameter"><tt>deny hosts</tt></i></a></p></li><li><p><a href="#DIRECTORY"><i class="parameter"><tt>directory</tt></i></a></p></li><li><p><a href="#DIRECTORYMASK"><i class="parameter"><tt>directory mask</tt></i></a></p></li><li><p><a href="#DIRECTORYMODE"><i class="parameter"><tt>directory mode</tt></i></a></p></li><li><p><a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory security mask</tt></i></a></p></li><li><p><a href="#DONTDESCEND"><i class="parameter"><tt>dont descend</tt></i></a></p></li><li><p><a href="#DOSFILEMODE"><i class="parameter"><tt>dos filemode</tt></i></a></p></li><li><p><a href="#DOSFILETIMERESOLUTION"><i class="parameter"><tt>dos filetime resolution</tt></i></a></p></li><li><p><a href="#DOSFILETIMES"><i class="parameter"><tt>dos filetimes</tt></i></a></p></li><li><p><a href="#EXEC"><i class="parameter"><tt>exec</tt></i></a></p></li><li><p><a href="#FAKEDIRECTORYCREATETIMES"><i class="parameter"><tt>fake directory create times</tt></i></a></p></li><li><p><a href="#FAKEOPLOCKS"><i class="parameter"><tt>fake oplocks</tt></i></a></p></li><li><p><a href="#FOLLOWSYMLINKS"><i class="parameter"><tt>follow symlinks</tt></i></a></p></li><li><p><a href="#FORCECREATEMODE"><i class="parameter"><tt>force create mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force directory mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>force directory security mode</tt></i></a></p></li><li><p><a href="#FORCEGROUP"><i class="parameter"><tt>force group</tt></i></a></p></li><li><p><a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode</tt></i></a></p></li><li><p><a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i></a></p></li><li><p><a href="#FSTYPE"><i class="parameter"><tt>fstype</tt></i></a></p></li><li><p><a href="#GROUP"><i class="parameter"><tt>group</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#GUESTOK"><i class="parameter"><tt>guest ok</tt></i></a></p></li><li><p><a href="#GUESTONLY"><i class="parameter"><tt>guest only</tt></i></a></p></li><li><p><a href="#HIDEDOTFILES"><i class="parameter"><tt>hide dot files</tt></i></a></p></li><li><p><a href="#HIDEFILES"><i class="parameter"><tt>hide files</tt></i></a></p></li><li><p><a href="#HIDESPECIALFILES"><i class="parameter"><tt>hide special files</tt></i></a></p></li><li><p><a href="#HIDEUNREADABLE"><i class="parameter"><tt>hide unreadable</tt></i></a></p></li><li><p><a href="#HIDEUNWRITEABLEFILES"><i class="parameter"><tt>hide unwriteable files</tt></i></a></p></li><li><p><a href="#HOSTSALLOW"><i class="parameter"><tt>hosts allow</tt></i></a></p></li><li><p><a href="#HOSTSDENY"><i class="parameter"><tt>hosts deny</tt></i></a></p></li><li><p><a href="#INHERITACLS"><i class="parameter"><tt>inherit acls</tt></i></a></p></li><li><p><a href="#INHERITPERMISSIONS"><i class="parameter"><tt>inherit permissions</tt></i></a></p></li><li><p><a href="#INVALIDUSERS"><i class="parameter"><tt>invalid users</tt></i></a></p></li><li><p><a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>level2 oplocks</tt></i></a></p></li><li><p><a href="#LOCKING"><i class="parameter"><tt>locking</tt></i></a></p></li><li><p><a href="#LPPAUSECOMMAND"><i class="parameter"><tt>lppause command</tt></i></a></p></li><li><p><a href="#LPQCOMMAND"><i class="parameter"><tt>lpq command</tt></i></a></p></li><li><p><a href="#LPRESUMECOMMAND"><i class="parameter"><tt>lpresume command</tt></i></a></p></li><li><p><a href="#LPRMCOMMAND"><i class="parameter"><tt>lprm command</tt></i></a></p></li><li><p><a href="#MAGICOUTPUT"><i class="parameter"><tt>magic output</tt></i></a></p></li><li><p><a href="#MAGICSCRIPT"><i class="parameter"><tt>magic script</tt></i></a></p></li><li><p><a href="#MANGLECASE"><i class="parameter"><tt>mangle case</tt></i></a></p></li><li><p><a href="#MANGLEDMAP"><i class="parameter"><tt>mangled map</tt></i></a></p></li><li><p><a href="#MANGLEDNAMES"><i class="parameter"><tt>mangled names</tt></i></a></p></li><li><p><a href="#MANGLINGCHAR"><i class="parameter"><tt>mangling char</tt></i></a></p></li><li><p><a href="#MAPACLINHERIT"><i class="parameter"><tt>map acl inherit</tt></i></a></p></li><li><p><a href="#MAPARCHIVE"><i class="parameter"><tt>map archive</tt></i></a></p></li><li><p><a href="#MAPHIDDEN"><i class="parameter"><tt>map hidden</tt></i></a></p></li><li><p><a href="#MAPSYSTEM"><i class="parameter"><tt>map system</tt></i></a></p></li><li><p><a href="#MAXCONNECTIONS"><i class="parameter"><tt>max connections</tt></i></a></p></li><li><p><a href="#MAXPRINTJOBS"><i class="parameter"><tt>max print jobs</tt></i></a></p></li><li><p><a href="#MAXREPORTEDPRINTJOBS"><i class="parameter"><tt>max reported print jobs</tt></i></a></p></li><li><p><a href="#MINPRINTSPACE"><i class="parameter"><tt>min print space</tt></i></a></p></li><li><p><a href="#MSDFSPROXY"><i class="parameter"><tt>msdfs proxy</tt></i></a></p></li><li><p><a href="#MSDFSROOT"><i class="parameter"><tt>msdfs root</tt></i></a></p></li><li><p><a href="#NTACLSUPPORT"><i class="parameter"><tt>nt acl support</tt></i></a></p></li><li><p><a href="#ONLYGUEST"><i class="parameter"><tt>only guest</tt></i></a></p></li><li><p><a href="#ONLYUSER"><i class="parameter"><tt>only user</tt></i></a></p></li><li><p><a href="#OPLOCKCONTENTIONLIMIT"><i class="parameter"><tt>oplock contention limit</tt></i></a></p></li><li><p><a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i></a></p></li><li><p><a href="#PATH"><i class="parameter"><tt>path</tt></i></a></p></li><li><p><a href="#POSIXLOCKING"><i class="parameter"><tt>posix locking</tt></i></a></p></li><li><p><a href="#POSTEXEC"><i class="parameter"><tt>postexec</tt></i></a></p></li><li><p><a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a></p></li><li><p><a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a></p></li><li><p><a href="#PRESERVECASE"><i class="parameter"><tt>preserve case</tt></i></a></p></li><li><p><a href="#PRINTABLE"><i class="parameter"><tt>printable</tt></i></a></p></li><li><p><a href="#PRINTCAPNAME"><i class="parameter"><tt>printcap name</tt></i></a></p></li><li><p><a href="#PRINTCOMMAND"><i class="parameter"><tt>print command</tt></i></a></p></li><li><p><a href="#PRINTER"><i class="parameter"><tt>printer</tt></i></a></p></li><li><p><a href="#PRINTERADMIN"><i class="parameter"><tt>printer admin</tt></i></a></p></li><li><p><a href="#PRINTERNAME"><i class="parameter"><tt>printer name</tt></i></a></p></li><li><p><a href="#PRINTING"><i class="parameter"><tt>printing</tt></i></a></p></li><li><p><a href="#PRINTOK"><i class="parameter"><tt>print ok</tt></i></a></p></li><li><p><a href="#PROFILEACLS"><i class="parameter"><tt>profile acls</tt></i></a></p></li><li><p><a href="#PUBLIC"><i class="parameter"><tt>public</tt></i></a></p></li><li><p><a href="#QUEUEPAUSECOMMAND"><i class="parameter"><tt>queuepause command</tt></i></a></p></li><li><p><a href="#QUEUERESUMECOMMAND"><i class="parameter"><tt>queueresume command</tt></i></a></p></li><li><p><a href="#READLIST"><i class="parameter"><tt>read list</tt></i></a></p></li><li><p><a href="#READONLY"><i class="parameter"><tt>read only</tt></i></a></p></li><li><p><a href="#ROOTPOSTEXEC"><i class="parameter"><tt>root postexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXEC"><i class="parameter"><tt>root preexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXECCLOSE"><i class="parameter"><tt>root preexec close</tt></i></a></p></li><li><p><a href="#SECURITYMASK"><i class="parameter"><tt>security mask</tt></i></a></p></li><li><p><a href="#SETDIRECTORY"><i class="parameter"><tt>set directory</tt></i></a></p></li><li><p><a href="#SHAREMODES"><i class="parameter"><tt>share modes</tt></i></a></p></li><li><p><a href="#SHORTPRESERVECASE"><i class="parameter"><tt>short preserve case</tt></i></a></p></li><li><p><a href="#STRICTALLOCATE"><i class="parameter"><tt>strict allocate</tt></i></a></p></li><li><p><a href="#STRICTLOCKING"><i class="parameter"><tt>strict locking</tt></i></a></p></li><li><p><a href="#STRICTSYNC"><i class="parameter"><tt>strict sync</tt></i></a></p></li><li><p><a href="#SYNCALWAYS"><i class="parameter"><tt>sync always</tt></i></a></p></li><li><p><a href="#USECLIENTDRIVER"><i class="parameter"><tt>use client driver</tt></i></a></p></li><li><p><a href="#USER"><i class="parameter"><tt>user</tt></i></a></p></li><li><p><a href="#USERNAME"><i class="parameter"><tt>username</tt></i></a></p></li><li><p><a href="#USERS"><i class="parameter"><tt>users</tt></i></a></p></li><li><p><a href="#USESENDFILE"><i class="parameter"><tt>use sendfile</tt></i></a></p></li><li><p><a href="#-VALID"><i class="parameter"><tt>-valid</tt></i></a></p></li><li><p><a href="#VALIDUSERS"><i class="parameter"><tt>valid users</tt></i></a></p></li><li><p><a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a></p></li><li><p><a href="#VETOOPLOCKFILES"><i class="parameter"><tt>veto oplock files</tt></i></a></p></li><li><p><a href="#VFSOBJECT"><i class="parameter"><tt>vfs object</tt></i></a></p></li><li><p><a href="#VFSOBJECTS"><i class="parameter"><tt>vfs objects</tt></i></a></p></li><li><p><a href="#VOLUME"><i class="parameter"><tt>volume</tt></i></a></p></li><li><p><a href="#WIDELINKS"><i class="parameter"><tt>wide links</tt></i></a></p></li><li><p><a href="#WRITABLE"><i class="parameter"><tt>writable</tt></i></a></p></li><li><p><a href="#WRITEABLE"><i class="parameter"><tt>writeable</tt></i></a></p></li><li><p><a href="#WRITECACHESIZE"><i class="parameter"><tt>write cache size</tt></i></a></p></li><li><p><a href="#WRITELIST"><i class="parameter"><tt>write list</tt></i></a></p></li><li><p><a href="#WRITEOK"><i class="parameter"><tt>write ok</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span> This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should stop a shutdown procedure issued by the <a href="#SHUTDOWNSCRIPT"> - <i class="parameter"><tt>shutdown script</tt></i></a>.</p><p>This command will be run as user.</p><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">abort shutdown script = /sbin/shutdown -c</b></p></dd><dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p>This is the full pathname to a script that will be run + <i class="parameter"><tt>shutdown script</tt></i></a>.</p><p>This command will be run as user.</p><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">abort shutdown script = /sbin/shutdown -c</b></p></dd><dt><span class="term"><a name="ACLCOMPATIBILITY"></a>acl compatibility (S)</span></dt><dd><p>This parameter specifies what OS ACL semantics should + be compatible with. Possible values are <span class="emphasis"><em>winnt</em></span> for Windows NT 4, + <span class="emphasis"><em>win2k</em></span> for Windows 2000 and above and <span class="emphasis"><em>auto</em></span>. + If you specify <span class="emphasis"><em>auto</em></span>, the value for this parameter + will be based upon the version of the client. There should + be no reason to change this parameter from the default.</p><p>Default: <b class="command">acl compatibility = Auto</b></p><p>Example: <b class="command">acl compatibility = win2k</b></p></dd><dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p>This is the full pathname to a script that will be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a new group is requested. It will expand any <i class="parameter"><tt>%g</tt></i> to the group name passed. This script is only useful for installations using the Windows NT @@ -264,7 +269,7 @@ alias|alias|alias|alias... machines -c Machine -d /dev/null -s /bin/false %u</b></p></dd><dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>addprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the - "Printers..." folder displayed a share listing. The APW + "Printers..." folder displayed a share listing. The APW allows for printers to be add remotely to a Samba or Windows NT/2000 print server.</p><p>For a Samba host this means that the printer must be physically added to the underlying printing system. The <i class="parameter"><tt>add @@ -275,15 +280,15 @@ alias|alias|alias|alias... shared by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>The <i class="parameter"><tt>addprinter command</tt></i> is automatically invoked with the following parameter (in order):</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>printer name</tt></i></p></li><li><p><i class="parameter"><tt>share name</tt></i></p></li><li><p><i class="parameter"><tt>port name</tt></i></p></li><li><p><i class="parameter"><tt>driver name</tt></i></p></li><li><p><i class="parameter"><tt>location</tt></i></p></li><li><p><i class="parameter"><tt>Windows 9x driver location</tt></i></p></li></ul></div><p>All parameters are filled in from the PRINTER_INFO_2 structure sent - by the Windows NT/2000 client with one exception. The "Windows 9x - driver location" parameter is included for backwards compatibility + by the Windows NT/2000 client with one exception. The "Windows 9x + driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.</p><p>Once the <i class="parameter"><tt>addprinter command</tt></i> has been executed, <b class="command">smbd</b> will reparse the <tt class="filename"> smb.conf</tt> to determine if the share defined by the APW exists. If the sharename is still invalid, then <b class="command">smbd </b> will return an ACCESS_DENIED error to the client.</p><p> - The "add printer command" program can output a single line of text, + The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares. </p><p>See also <a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt> @@ -322,7 +327,7 @@ alias|alias|alias|alias... created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows <a href="smbd.8.html" target="_top">smbd</a> to create the required UNIX users + Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.</p><p>In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to <i class="parameter"><tt>security = share</tt></i> and <i class="parameter"><tt>add user script</tt></i> must be set to a full pathname for a script that will create a UNIX @@ -367,7 +372,7 @@ alias|alias|alias|alias... <i class="parameter"><tt>security</tt></i></a> option is set to <tt class="constant">server</tt> or <tt class="constant">domain</tt>. If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which <a href="smbd.8.html" target="_top">smbd</a> is running + a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.</p><p>This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As @@ -378,8 +383,8 @@ alias|alias|alias|alias... Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.</p><p>Default: <b class="command">allow trusted domains = yes</b></p></dd><dt><span class="term"><a name="ANNOUNCEAS"></a>announce as (G)</span></dt><dd><p>This specifies what type of server <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT. The valid options - are : "NT Server" (which can also be written as "NT"), - "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + are : "NT Server" (which can also be written as "NT"), + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this @@ -402,7 +407,7 @@ alias|alias|alias|alias... method of authentication for remote domain users; deprecated in favour of winbind method), <tt class="constant">trustdomain</tt> (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).</p><p>Default: <b class="command">auth methods = <empty string></b></p><p>Example: <b class="command">auth methods = guest sam winbind</b></p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services (G)</span></dt><dd><p>This is a synonym for the <a href="#PRELOAD"> - <i class="parameter"><tt>preload</tt></i></a>.</p></dd><dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you "turn off" a service. If + <i class="parameter"><tt>preload</tt></i></a>.</p></dd><dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you "turn off" a service. If <i class="parameter"><tt>available = no</tt></i>, then <span class="emphasis"><em>ALL</em></span> attempts to connect to the service will fail. Such failures are logged.</p><p>Default: <b class="command">available = yes</b></p></dd><dt><span class="term"><a name="BINDINTERFACESONLY"></a>bind interfaces only (G)</span></dt><dd><p>This global parameter allows the Samba admin @@ -410,7 +415,7 @@ alias|alias|alias|alias... affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in a slightly different ways.</p><p>For name service it causes <b class="command">nmbd</b> to bind to ports 137 and 138 on the interfaces listed in the <a href="#INTERFACES">interfaces</a> parameter. <b class="command">nmbd</b> also - binds to the "all addresses" interface (0.0.0.0) + binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then <b class="command">nmbd</b> will service name requests on all of these sockets. If <i class="parameter"><tt>bind interfaces @@ -447,7 +452,7 @@ alias|alias|alias|alias... <span class="emphasis"><em>127.0.0.1</em></span> to determine if they are running. Not adding <span class="emphasis"><em>127.0.0.1</em></span> will cause <b class="command"> smbd</b> and <b class="command">nmbd</b> to always show - "not running" even if they really are. This can prevent <b class="command"> + "not running" even if they really are. This can prevent <b class="command"> swat</b> from starting/stopping/restarting <b class="command">smbd</b> and <b class="command">nmbd</b>.</p><p>Default: <b class="command">bind interfaces only = no</b></p></dd><dt><span class="term"><a name="BLOCKINGLOCKS"></a>blocking locks (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when given a request by a client @@ -474,7 +479,7 @@ alias|alias|alias|alias... a client doing a <b class="command">NetServerEnum</b> call. Normally set to <tt class="constant">yes</tt>. You should never need to change this.</p><p>Default: <b class="command">browse list = yes</b></p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b class="command">case sensitive = no</b></p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames (S)</span></dt><dd><p>Synonym for <a href="#CASESENSITIVE">case sensitive</a>.</p></dd><dt><span class="term"><a name="CHANGENOTIFYTIMEOUT"></a>change notify timeout (G)</span></dt><dd><p>This SMB allows a client to tell a server to - "watch" a particular directory for any changes and only reply to + "watch" a particular directory for any changes and only reply to the SMB request when a change has occurred. Such constant scanning of a directory is expensive under UNIX, hence an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> daemon only performs such a scan on each requested directory once every <i class="parameter"><tt>change notify @@ -499,17 +504,49 @@ alias|alias|alias|alias... with the new share. </p></li></ul></div><p> This parameter is only used modify existing file shares definitions. To modify - printer shares, use the "Printers..." folder as seen when browsing the Samba host. + printer shares, use the "Printers..." folder as seen when browsing the Samba host. </p><p> See also <a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share command</tt></i></a>, <a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete share command</tt></i></a>. - </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">change share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="CLIENTUSESPNEGO"></a>client use spnego (G)</span></dt><dd><p> This variable controls controls whether samba clients will try + </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">change share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="CLIENTLANMANAUTH"></a>client lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client.</p><p>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option. </p><p>Disabling this option will also disable the <b class="command">client plaintext auth</b> option</p><p>Likewise, if the <b class="command">client ntlmv2 + auth</b> parameter is enabled, then only NTLMv2 logins will be + attempted. Not all servers support NTLMv2, and most will require + special configuration to us it.</p><p>Default : <b class="command">client lanman auth = yes</b></p></dd><dt><span class="term"><a name="CLIENTNTLMV2AUTH"></a>client ntlmv2 auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.</p><p>If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Many servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2. </p><p>If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of <b class="command">client lanman auth</b>. </p><p>Note that some sites (particularly + those following 'best practice' security polices) only allow NTLMv2 + responses, and not the weaker LM or NTLM.</p><p>Default : <b class="command">client ntlmv2 auth = no</b></p></dd><dt><span class="term"><a name="CLIENTPLAINTEXTAUTH"></a>client plaintext auth (G)</span></dt><dd><p>Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.</p><p>Default: <b class="command">client plaintext auth = yes</b></p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p>This controls whether the client offers or even + demands the use of the netlogon schannel. + <i class="parameter"><tt>client schannel = no</tt></i> does not + offer the schannel, <i class="parameter"><tt>server schannel = + auto</tt></i> offers the schannel but does not + enforce it, and <i class="parameter"><tt>server schannel = + yes</tt></i> denies access if the server is not + able to speak netlogon schannel. </p><p>Default: <b class="command">client schannel = auto</b></p><p>Example: <b class="command">client schannel = yes</b></p></dd><dt><span class="term"><a name="CLIENTSIGNING"></a>client signing (G)</span></dt><dd><p>This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span> + and <span class="emphasis"><em>disabled</em></span>. + </p><p>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</p><p>Default: <b class="command">client signing = auto</b></p></dd><dt><span class="term"><a name="CLIENTUSESPNEGO"></a>client use spnego (G)</span></dt><dd><p> This variable controls controls whether samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 servers to agree upon an authentication mechanism. - SPNEGO client support with Sign and Seal is currently broken, so - you might want to turn this option off when doing joins to - Windows 2003 domains. + SPNEGO client support for SMB Signing is currently broken, so + you might want to turn this option off when operating with + Windows 2003 domain controllers in particular. </p><p>Default: <span class="emphasis"><em>client use spnego = yes</em></span></p></dd><dt><span class="term"><a name="COMMENT"></a>comment (S)</span></dt><dd><p>This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via <b class="command">net view</b> to list what shares @@ -523,7 +560,7 @@ alias|alias|alias|alias... the new config file.</p><p>This option takes the usual substitutions, which can be very useful.</p><p>If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few - clients).</p><p>Example: <b class="command">config file = /usr/local/samba/lib/smb.conf.%m</b></p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to "clone" service + clients).</p><p>Example: <b class="command">config file = /usr/local/samba/lib/smb.conf.%m</b></p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.</p><p>This feature lets you set up a 'template' service and @@ -556,7 +593,7 @@ alias|alias|alias|alias... policy</em></span>, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.</p><p>These values correspond to those used on Windows servers.</p><p>For example, shares containing roaming profiles can have - offline caching disabled using <b class="command">csc policy = disable</b>.</p><p>Default: <b class="command">csc policy = manual</b></p><p>Example: <b class="command">csc policy = programs</b></p></dd><dt><span class="term"><a name="DEADTIME"></a>dead time (G)</span></dt><dd><p>The value of the parameter (a decimal integer) + offline caching disabled using <b class="command">csc policy = disable</b>.</p><p>Default: <b class="command">csc policy = manual</b></p><p>Example: <b class="command">csc policy = programs</b></p></dd><dt><span class="term"><a name="DEADTIME"></a>deadtime (G)</span></dt><dd><p>The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.</p><p>This is useful to stop a server's resources being @@ -569,7 +606,7 @@ alias|alias|alias|alias... boolean parameter adds microsecond resolution to the timestamp message header when turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt> debug timestamp</tt></i></a> must be on for this to have an - effect.</p><p>Default: <b class="command">debug hires timestamp = no</b></p></dd><dt><span class="term"><a name="DEBUGLEVEL"></a>debug level (G)</span></dt><dd><p>Synonym for <a href="#LOGLEVEL"><i class="parameter"><tt> + effect.</p><p>Default: <b class="command">debug hires timestamp = no</b></p></dd><dt><span class="term"><a name="DEBUGLEVEL"></a>debuglevel (G)</span></dt><dd><p>Synonym for <a href="#LOGLEVEL"><i class="parameter"><tt> log level</tt></i></a>.</p></dd><dt><span class="term"><a name="DEBUGPID"></a>debug pid (G)</span></dt><dd><p>When using only one log file for more then one forked <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>-process there may be hard to follow which process outputs which message. This boolean parameter @@ -619,8 +656,8 @@ alias|alias|alias|alias... <i class="parameter"><tt>read-only</tt></i></a> service.</p><p>Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like <i class="parameter"><tt>%S</tt></i> to make - a wildcard service.</p><p>Note also that any "_" characters in the name of the service - used in the default service will get mapped to a "/". This allows for + a wildcard service.</p><p>Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for interesting things.</p><p>Example:</p><pre class="programlisting"> [global] default service = pub @@ -641,7 +678,7 @@ alias|alias|alias|alias... from the print system and from <tt class="filename">smb.conf</tt>. </p><p>The <i class="parameter"><tt>deleteprinter command</tt></i> is automatically called with only one parameter: <i class="parameter"><tt> - "printer name"</tt></i>.</p><p>Once the <i class="parameter"><tt>deleteprinter command</tt></i> has + "printer name"</tt></i>.</p><p>Once the <i class="parameter"><tt>deleteprinter command</tt></i> has been executed, <b class="command">smbd</b> will reparse the <tt class="filename"> smb.conf</tt> to associated printer no longer exists. If the sharename is still valid, then <b class="command">smbd @@ -703,8 +740,8 @@ alias|alias|alias|alias... should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The - symptom that was seen was an error of "Abort Retry - Ignore" at the end of each directory listing.</p><p>This setting allows the replacement of the internal routines to + symptom that was seen was an error of "Abort Retry + Ignore" at the end of each directory listing.</p><p>This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.</p><p>The external program will be passed a single parameter indicating @@ -718,10 +755,10 @@ alias|alias|alias|alias... determining the disk capacity and remaining space will be used. </em></span></p><p>Example: <b class="command">dfree command = /usr/local/samba/bin/dfree</b></p><p>Where the script dfree (which must be made executable) could be:</p><pre class="programlisting"> #!/bin/sh -df $1 | tail -1 | awk '{print $2" "$4}' +df $1 | tail -1 | awk '{print $2" "$4}' </pre><p>or perhaps (on Sys V based systems):</p><pre class="programlisting"> #!/bin/sh -/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' +/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' </pre><p>Note that you may have to replace the command names with full path names on some systems.</p></dd><dt><span class="term"><a name="DIRECTORY"></a>directory (S)</span></dt><dd><p>Synonym for <a href="#PATH"><i class="parameter"><tt>path</tt></i></a>.</p></dd><dt><span class="term"><a name="DIRECTORYMASK"></a>directory mask (S)</span></dt><dd><p>This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.</p><p>When a directory is created, the necessary permissions are @@ -756,7 +793,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' meaning a user is allowed to modify all the user/group/world permissions on a directory.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. + so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it as the default of <tt class="constant">0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt> force directory security mode</tt></i></a>, <a href="#SECURITYMASK"> @@ -820,7 +857,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.</p><p>Note that Samba can be very fussy about the exact format - of the "dont descend" entries. For example you may need <tt class="filename"> + of the "dont descend" entries. For example you may need <tt class="filename"> ./proc</tt> instead of just <tt class="filename">/proc</tt>. Experimentation is the best policy :-) </p><p>Default: <span class="emphasis"><em>none (i.e., all directories are OK to descend)</em></span></p><p>Example: <b class="command">dont descend = /proc,/dev</b></p></dd><dt><span class="term"><a name="DOSCHARSET"></a>dos charset (G)</span></dt><dd><p>DOS SMB clients assume the server has @@ -857,11 +894,18 @@ df $1 | tail -1 | awk '{print $2" "$4}' timestamp on a file if the user <b class="command">smbd</b> is acting on behalf of is not the file owner. Setting this option to <tt class="constant"> yes</tt> allows DOS semantics and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will change the file - timestamp as DOS requires.</p><p>Default: <b class="command">dos filetimes = no</b></p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords + timestamp as DOS requires.</p><p>Default: <b class="command">dos filetimes = no</b></p></dd><dt><span class="term"><a name="ENABLERIDALGORITHM"></a>enable rid algorithm (G)</span></dt><dd><p>This option is used to control whether or not smbd in Samba 3.0 should fallback + to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm + development goal is to remove the algorithmic mappings of RIDs altogether, but + this has proved to be difficult. This parameter is mainly provided so that + developers can turn the algorithm on and off and see what breaks. This parameter + should not be disabled by non-developers because certain features in Samba will fail + to work without it. + </p><p>Default: <b class="command">enable rid algorithm = <yes></b></p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in - Samba see the chapter "User Database" in the Samba HOWTO Collection. </p><p>In order for encrypted passwords to work correctly + Samba see the chapter "User Database" in the Samba HOWTO Collection. </p><p>In order for encrypted passwords to work correctly <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up and maintain this file), or set the <a href="#SECURITY">security = [server|domain|ads]</a> parameter which @@ -877,16 +921,16 @@ df $1 | tail -1 | awk '{print $2" "$4}' workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols these enhancements can cause a empty workgroup to stay around forever which can be annoying.</p><p>In general you should leave this option enabled as it makes - cross-subnet browse propagation much more reliable.</p><p>Default: <b class="command">enhanced browsing = yes</b></p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a "port" is fairly foreign + cross-subnet browse propagation much more reliable.</p><p>Default: <b class="command">enhanced browsing = yes</b></p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one - port defined--<tt class="constant">"Samba Printer Port"</tt>. Under + port defined--<tt class="constant">"Samba Printer Port"</tt>. Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (<b class="command">smbd </b> does not use a port name for anything) other than - the default <tt class="constant">"Samba Printer Port"</tt>, you + the default <tt class="constant">"Samba Printer Port"</tt>, you can define <i class="parameter"><tt>enumports command</tt></i> to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response @@ -968,7 +1012,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' allows a user to modify all the user/group/world permissions on a directory without restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. + so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set as 0000.</p><p>See also the <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt> directory security mask</tt></i></a>, <a href="#SECURITYMASK"> @@ -1005,7 +1049,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' and allows a user to modify all the user/group/world permissions on a file, with no restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. + so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave this set to 0000.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt> force directory security mode</tt></i></a>, @@ -1017,7 +1061,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' as using it incorrectly can cause security problems.</p><p>This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected + as the "forced user", no matter what username the client connected as. This can be very useful.</p><p>In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left @@ -1027,7 +1071,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' for a share. The default type is <tt class="constant">NTFS</tt> for compatibility with Windows NT but this can be changed to other strings such as <tt class="constant">Samba</tt> or <tt class="constant">FAT - </tt> if required.</p><p>Default: <b class="command">fstype = NTFS</b></p><p>Example: <b class="command">fstype = Samba</b></p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a + </tt> if required.</p><p>Default: <b class="command">fstype = NTFS</b></p><p>Example: <b class="command">fstype = Samba</b></p></dd><dt><span class="term"><a name="GETQUOTACOMMAND"></a>get quota command (G)</span></dt><dd><p>The <b class="command">get quota command</b> should only be used + whenever there is no operating system API available from the OS that + samba can use.</p><p>This parameter should specify the path to a script that + queries the quota information for the specified + user/group for the partition that + the specified directory is on.</p><p>Such a script should take 3 arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>directory</p></li><li><p>type of query</p></li><li><p>uid of user or gid of group</p></li></ul></div><p>The type of query can be one of :</p><div class="itemizedlist"><ul type="disc"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p>This script should print its output according to the following format:</p><div class="itemizedlist"><ul type="disc"><li><p>Line 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)</p></li><li><p>Line 2 - number of currently used blocks</p></li><li><p>Line 3 - the softlimit number of blocks</p></li><li><p>Line 4 - the hardlimit number of blocks</p></li><li><p>Line 5 - currently used number of inodes</p></li><li><p>Line 6 - the softlimit number of inodes</p></li><li><p>Line 7 - the hardlimit number of inodes</p></li><li><p>Line 8(optional) - the number of bytes in a block(default is 1024)</p></li></ul></div><p>See also the <a href="#SETQUOTACOMMAND"><i class="parameter"><tt>set quota command</tt></i></a> parameter. + </p><p>Default: <b class="command">get quota command = </b></p><p>Example: <b class="command">get quota command = /usr/local/sbin/query_quota</b></p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the <a href="#WIDELINKS"><i class="parameter"><tt>wide links</tt></i> @@ -1037,17 +1087,17 @@ df $1 | tail -1 | awk '{print $2" "$4}' guest ok</tt></i></a> (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not - have a valid login. The user account "ftp" is often a good choice + have a valid login. The user account "ftp" is often a good choice for this parameter. If a username is specified in a given service, the specified username overrides this one. - </p><p>One some systems the default guest account "nobody" may not + </p><p>One some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the <b class="command">su -</b> command) and trying to print using the system print command such as <b class="command">lpr(1)</b> or <b class="command"> lp(1)</b>.</p><p>This parameter does not accept % macros, because many parts of the system require this value to be - constant for correct operation.</p><p>Default: <span class="emphasis"><em>specified at compile time, usually "nobody"</em></span></p><p>Example: <b class="command">guest account = ftp</b></p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt> for + constant for correct operation.</p><p>Default: <span class="emphasis"><em>specified at compile time, usually "nobody"</em></span></p><p>Example: <b class="command">guest account = ftp</b></p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt> for a service, then no password is required to connect to the service. Privileges will be those of the <a href="#GUESTACCOUNT"><i class="parameter"><tt> guest account</tt></i></a>.</p><p>This paramater nullifies the benifits of setting @@ -1102,7 +1152,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' to browse Dfs trees hosted on the server.</p><p>See also the <a href="#MSDFSROOT"><i class="parameter"><tt> msdfs root</tt></i></a> share level parameter. For more information on setting up a Dfs tree on Samba, - refer to <a href="msdfs_setup.html" target="_top">msdfs_setup.html</a>. + refer to <a href="#">???</a>. </p><p>Default: <b class="command">host msdfs = no</b></p></dd><dt><span class="term"><a name="HOSTNAMELOOKUPS"></a>hostname lookups (G)</span></dt><dd><p>Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking @@ -1122,7 +1172,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' <i class="parameter"><tt>hosts deny</tt></i></a> option.</p><p>You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a - wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><b class="command">hosts allow = 150.203. EXCEPT 150.203.6.66</b></p><p>Example 2: allow hosts that match the given network/netmask</p><p><b class="command">hosts allow = 150.203.15.0/255.255.255.0</b></p><p>Example 3: allow a couple of hosts</p><p><b class="command">hosts allow = lapland, arvidsjaur</b></p><p>Example 4: allow only hosts in NIS netgroup "foonet", but + wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><b class="command">hosts allow = 150.203. EXCEPT 150.203.6.66</b></p><p>Example 2: allow hosts that match the given network/netmask</p><p><b class="command">hosts allow = 150.203.15.0/255.255.255.0</b></p><p>Example 3: allow a couple of hosts</p><p><b class="command">hosts allow = lapland, arvidsjaur</b></p><p>Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host</p><p><b class="command">hosts allow = @foonet</b></p><p><b class="command">hosts deny = pirate</b></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that access still requires suitable user-level passwords.</p></div><p>See <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> for a way of testing your host access to see if it does what you expect.</p><p>Default: <span class="emphasis"><em>none (i.e., all hosts permitted access)</em></span></p><p>Example: <b class="command">allow hosts = 150.203.5. myhost.mynet.edu.au</b></p></dd><dt><span class="term"><a name="HOSTSDENY"></a>hosts deny (S)</span></dt><dd><p>The opposite of <i class="parameter"><tt>hosts allow</tt></i> - hosts listed here are <span class="emphasis"><em>NOT</em></span> permitted access to @@ -1142,7 +1192,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' <i class="parameter"><tt>hosts equiv</tt></i> option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you <span class="emphasis"><em>really</em></span> trust - them :-).</p></div><p>Default: <span class="emphasis"><em>no host equivalences</em></span></p><p>Example: <b class="command">hosts equiv = /etc/hosts.equiv</b></p></dd><dt><span class="term"><a name="IDMAPGID"></a>idmap gid (G)</span></dt><dd><p>The idmap gid parameter specifies the range of group ids that are allocated for + them :-).</p></div><p>Default: <span class="emphasis"><em>no host equivalences</em></span></p><p>Example: <b class="command">hosts equiv = /etc/hosts.equiv</b></p></dd><dt><span class="term"><a name="IDMAPBACKEND"></a>idmap backend (G)</span></dt><dd><p> + The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap + tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common + LDAP backend. This way all domain members and controllers will have the same UID and GID + to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux + systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). + </p><p>Default: <b class="command">idmap backend = <empty string></b></p><p>Example: <b class="command">idmap backend = ldap:ldap://ldapslave.example.com</b></p></dd><dt><span class="term"><a name="IDMAPGID"></a>idmap gid (G)</span></dt><dd><p>The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.</p><p>The availability of an idmap gid range is essential for correct operation of all group mapping.</p><p>Default: <b class="command">idmap gid = <empty string></b></p><p>Example: <b class="command">idmap gid = 10000-20000</b></p></dd><dt><span class="term"><a name="IDMAPUID"></a>idmap uid (G)</span></dt><dd><p>The idmap uid parameter specifies the range of user ids that are allocated for use @@ -1185,11 +1241,11 @@ df $1 | tail -1 | awk '{print $2" "$4}' interfaces except 127.0.0.1 that are broadcast capable.</p><p>The option takes a list of interface strings. Each string can be in any of the following forms:</p><div class="itemizedlist"><ul type="disc"><li><p>a network interface name (such as eth0). This may include shell-like wildcards so eth* will match - any interface starting with the substring "eth"</p></li><li><p>an IP address. In this case the netmask is + any interface starting with the substring "eth"</p></li><li><p>an IP address. In this case the netmask is determined from the list of interfaces obtained from the - kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The "mask" parameters can either be a bit length (such + kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted - decimal form.</p><p>The "IP" parameters above can either be a full dotted + decimal form.</p><p>The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.</p><p>For example, the following line:</p><p><b class="command">interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</b></p><p>would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. @@ -1218,7 +1274,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see <a href="#SOCKETOPTIONS"> <i class="parameter"><tt>socket options</tt></i></a>). - Basically you should only use this option if you strike difficulties.</p><p>Default: <b class="command">keepalive = 300</b></p><p>Example: <b class="command">keepalive = 600</b></p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a href="#OPLOCKS"> + Basically you should only use this option if you strike difficulties.</p><p>Default: <b class="command">keepalive = 300</b></p><p>Example: <b class="command">keepalive = 600</b></p></dd><dt><span class="term"><a name="KERNELCHANGENOTIFY"></a>kernel change notify (G)</span></dt><dd><p>This parameter specifies whether Samba should ask the + kernel for change notifications in directories so that + SMB clients can refresh whenever the data on the server changes. + </p><p>This parameter is only usd when your kernel supports + change notification to user programs, using the F_NOTIFY fcntl. + </p><p>Default: <span class="emphasis"><em>Yes</em></span></p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a href="#OPLOCKS"> <i class="parameter"><tt>oplocks</tt></i></a> (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <i class="parameter"><tt>oplocks @@ -1263,7 +1324,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' The default is to match the login name with the <tt class="constant">uid</tt> attribute for all entries matching the <tt class="constant">sambaAccount</tt> objectclass. Note that this filter should only return one entry. - </p><p>Default: <b class="command">ldap filter = (&(uid=%u)(objectclass=sambaAccount))</b></p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>It specifies where machines should be added to the ldap tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p>This option is used to define whether + </p><p>Default: <b class="command">ldap filter = (&(uid=%u)(objectclass=sambaAccount))</b></p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameters specifies the suffix that is + used for groups when these are added to the LDAP directory. + If this parameter is unset, the value of <i class="parameter"><tt>ldap suffix</tt></i> will be used instead.</p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <span class="emphasis"><em>dc=samba,ou=Groups</em></span></p></dd><dt><span class="term"><a name="LDAPIDMAPSUFFIX"></a>ldap idmap suffix (G)</span></dt><dd><p>This parameters specifies the suffix that is + used when storing idmap mappings. If this parameter + is unset, the value of <i class="parameter"><tt>ldap suffix</tt></i> + will be used instead.</p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <span class="emphasis"><em>dc=samba,ou=Idmap</em></span></p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>It specifies where machines should be added to the ldap tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p>This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password @@ -1295,16 +1361,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' tree. Can be overriden by <b class="command">ldap user suffix</b> and <b class="command">ldap machine suffix</b>. It also used as the base dn for all ldap - searches. </p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPTRUSTIDS"></a>ldap trust ids (G)</span></dt><dd><p>Normally, Samba validates each entry in the LDAP server - against getpwnam(). This allows LDAP to be used for Samba with - the unix system using NIS (for example) and also ensures that - Samba does not present accounts that do not otherwise exist. - </p><p>This option is used to disable this functionality, and - instead to rely on the presence of the appropriate attributes - in LDAP directly, which can result in a significant performance - boost in some situations. Setting this option to yes effectivly - assumes that the local machine is running <b class="command">nss_ldap</b> against the same LDAP - server.</p><p>Default: <b class="command">ldap trust ids = No</b></p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p>It specifies where users are added to the tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports + searches. </p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p>This parameter specifies where users are added to the tree. + If this parameter is not specified, the value from <b class="command">ldap suffix</b>.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports level2 (read-only) oplocks on a share.</p><p>Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead @@ -1315,7 +1373,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' for many accesses of files that are not commonly written (such as application .EXE files).</p><p>Once one of the clients which have a read-only oplock writes to the file all clients are notified (no reply is needed - or waited for) and told to break their oplocks to "none" and + or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p>Currently, if <a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel oplocks</tt></i></a> are supported then level2 oplocks are @@ -1376,7 +1434,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' in case the lock could later be aquired. This behavior is used to support PC database formats such as MS Access and FoxPro. - </p><p>Default: <b class="command">lock spin count = 2</b></p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should + </p><p>Default: <b class="command">lock spin count = 3</b></p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should pause before attempting to gain a failed lock. See <a href="#LOCKSPINCOUNT"><i class="parameter"><tt>lock spin count</tt></i></a> for more details.</p><p>Default: <b class="command">lock spin time = 10</b></p></dd><dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p>This option allows you to override the name @@ -1407,14 +1465,14 @@ df $1 | tail -1 | awk '{print $2" "$4}' <i class="parameter"><tt>logon home</tt></i>. This broke <b class="command">net use /home</b> but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.</p><p>This option is only useful if Samba is set up as a logon - server.</p><p>Default: <b class="command">logon home = "\\%N\%U"</b></p><p>Example: <b class="command">logon home = "\\remote_smb_server\%U"</b></p></dd><dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p>This parameter specifies the home directory + server.</p><p>Default: <b class="command">logon home = "\\%N\%U"</b></p><p>Example: <b class="command">logon home = "\\remote_smb_server\%U"</b></p></dd><dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p>This parameter specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the <a href="#LOGONHOME"> <i class="parameter"><tt>logon home</tt></i></a> parameter.</p><p>This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also - specifies the directory from which the "Application Data", + specifies the directory from which the "Application Data", (<tt class="filename">desktop</tt>, <tt class="filename">start menu</tt>, <tt class="filename">network neighborhood</tt>, <tt class="filename">programs</tt> and other folders, and their contents, are loaded and displayed on @@ -1443,8 +1501,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' suggested command would be to add <b class="command">NET TIME \\SERVER /SET /YES</b>, to force every machine to synchronize clocks with the same time server. Another use would be to add <b class="command">NET USE - U: \\SERVER\UTILS</b> for commonly used utilities, or <b class="command"> - NET USE Q: \\SERVER\ISO9001_QA</b> for example.</p><p>Note that it is particularly important not to allow write + U: \\SERVER\UTILS</b> for commonly used utilities, or </p><pre class="screen"> + <b class="userinput"><tt>NET USE Q: \\SERVER\ISO9001_QA</tt></b></pre><p> for example.</p><p>Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be @@ -1519,8 +1577,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' </tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i class="parameter"><tt>printing </tt></i></em></span></p><p>Example 1: <b class="command">lprm command = /usr/bin/lprm -P%p %j</b></p><p>Example 2: <b class="command">lprm command = /usr/bin/cancel %p-%j</b></p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>If a Samba server is a member of a Windows NT Domain (see the <a href="#SECURITYEQUALSDOMAIN">security = domain</a>) - parameter) then periodically a running <a href="smbd.8.html" target="_top"> - smbd(8)</a> process will try and change the MACHINE ACCOUNT + parameter) then periodically a running smbd + process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called <tt class="filename">private/secrets.tdb </tt>. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in @@ -1552,12 +1610,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' you would use:</p><p><b class="command">mangled map = (*.html *.htm)</b></p><p>One very useful case is to remove the annoying <tt class="filename">;1 </tt> off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;).</p><p>Default: <span class="emphasis"><em>no mangled map</em></span></p><p>Example: <b class="command">mangled map = (*;1 *;)</b></p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX - should be mapped to DOS-compatible names ("mangled") and made visible, + should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.</p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters - of the mangled name.</p></li><li><p>A tilde "~" is appended to the first part of the mangled + of the mangled name.</p></li><li><p>A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation @@ -1569,9 +1627,9 @@ df $1 | tail -1 | awk '{print $2" "$4}' extension of the mangled name. The final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except - in the case of "hidden files" - see below).</p></li><li><p>Files whose UNIX name begins with a dot will be + in the case of "hidden files" - see below).</p></li><li><p>Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as - for other filenames, but with the leading dot removed and "___" as + for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores).</p></li></ul></div><p>The two-digit hash value consists of upper case alphanumeric characters.</p><p>This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. @@ -1579,7 +1637,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names - do not change between sessions.</p><p>Default: <b class="command">mangled names = yes</b></p></dd><dt><span class="term"><a name="MANGLINGSTACK"></a>mangling stack (G)</span></dt><dd><p>This parameter controls the number of mangled names + do not change between sessions.</p><p>Default: <b class="command">mangled names = yes</b></p></dd><dt><span class="term"><a name="MANGLEDSTACK"></a>mangled stack (G)</span></dt><dd><p>This parameter controls the number of mangled names that should be cached in the Samba server <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This stack is a list of recently mangled base names (extensions are only maintained if they are longer than 3 characters or contains upper case characters).</p><p>The larger this value, the more likely it is that mangled @@ -1587,17 +1645,19 @@ df $1 | tail -1 | awk '{print $2" "$4}' However, large stack sizes will slow most directory accesses. Smaller stacks save memory in the server (each stack element costs 256 bytes). </p><p>It is not possible to absolutely guarantee correct long - filenames, so be prepared for some surprises!</p><p>Default: <b class="command">mangled stack = 50</b></p><p>Example: <b class="command">mangled stack = 100</b></p></dd><dt><span class="term"><a name="MANGLINGPREFIX"></a>mangling prefix (G)</span></dt><dd><p> controls the number of prefix + filenames, so be prepared for some surprises!</p><p>Default: <b class="command">mangled stack = 50</b></p><p>Example: <b class="command">mangled stack = 100</b></p></dd><dt><span class="term"><a name="MANGLEPREFIX"></a>mangle prefix (G)</span></dt><dd><p> controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum - value is 1 and the maximum value is 6.</p><p>Default: <b class="command">mangle prefix = 1</b></p><p>Example: <b class="command">mangle prefix = 4</b></p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as + value is 1 and the maximum value is 6.</p><p> + mangle prefix is effective only when mangling method is hash2. + </p><p>Default: <b class="command">mangle prefix = 1</b></p><p>Example: <b class="command">mangle prefix = 4</b></p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as the <span class="emphasis"><em>magic</em></span> character in <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">name mangling</a>. The default is a '~' but this may interfere with some software. Use this option to set - it to whatever you prefer.</p><p>Default: <b class="command">mangling char = ~</b></p><p>Example: <b class="command">mangling char = ^</b></p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p> controls the algorithm used for the generating - the mangled names. Can take two different values, "hash" and - "hash2". "hash" is the default and is the algorithm that has been - used in Samba for many years. "hash2" is a newer and considered + it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <b class="command">mangling char = ~</b></p><p>Example: <b class="command">mangling char = ^</b></p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p> controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the default and is the algorithm that has been + used in Samba for many years. "hash2" is a newer and considered a better algorithm (generates less collisions) in the names. However, many Win32 applications store the mangled names and so changing to the new algorithm must not be done @@ -1638,18 +1698,18 @@ df $1 | tail -1 | awk '{print $2" "$4}' with an invalid password are treated as a guest login and mapped into the <a href="#GUESTACCOUNT">guest account</a>. Note that this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as "guest" - and + their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will <span class="emphasis"><em>hate</em></span> you if you set the <i class="parameter"><tt>map to - guest</tt></i> parameter this way :-).</p></li></ul></div><p>Note that this parameter is needed to set up "Guest" + guest</tt></i> parameter this way :-).</p></li></ul></div><p>Note that this parameter is needed to set up "Guest" share services when using <i class="parameter"><tt>security</tt></i> modes other than share. This is because in these modes the name of the resource being requested is <span class="emphasis"><em>not</em></span> sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares.</p><p>For people familiar with the older Samba releases, this + to the share) for "Guest" shares.</p><p>For people familiar with the older Samba releases, this parameter maps to the old compile-time setting of the <tt class="constant"> GUEST_SESSSETUP</tt> value in local.h.</p><p>Default: <b class="command">map to guest = Never</b></p><p>Example: <b class="command">map to guest = Bad User</b></p></dd><dt><span class="term"><a name="MAXCONNECTIONS"></a>max connections (S)</span></dt><dd><p>This option allows the number of simultaneous connections to a service to be limited. If <i class="parameter"><tt>max connections</tt></i> is greater than 0 then connections @@ -1679,8 +1739,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' by the UNIX per-process file descriptor limit rather than this parameter so you should never need to touch this parameter.</p><p>Default: <b class="command">max open files = 10000</b></p></dd><dt><span class="term"><a name="MAXPRINTJOBS"></a>max print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. - If this number is exceeded, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will remote "Out of Space" to the client. - See all <a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total + If this number is exceeded, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will remote "Out of Space" to the client. + See all <a href="#"><i class="parameter"><tt>total print jobs</tt></i></a>. </p><p>Default: <b class="command">max print jobs = 1000</b></p><p>Example: <b class="command">max print jobs = 5000</b></p></dd><dt><span class="term"><a name="MAXPROTOCOL"></a>max protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the highest protocol level that will be supported by the server.</p><p>Possible values are :</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">CORE</tt>: Earliest version. No @@ -1697,7 +1757,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' A value of zero means there is no limit on the number of print jobs reported. - See all <a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total + See all <a href="#"><i class="parameter"><tt>total print jobs</tt></i></a> and <a href="#MAXPRINTJOBS"><i class="parameter"><tt>max print jobs</tt></i></a> parameters. </p><p>Default: <b class="command">max reported print jobs = 0</b></p><p>Example: <b class="command">max reported print jobs = 1000</b></p></dd><dt><span class="term"><a name="MAXSMBDPROCESSES"></a>max smbd processes (G)</span></dt><dd><p>This parameter limits the maximum number of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> processes concurrently running on a system and is intended @@ -1779,16 +1839,15 @@ df $1 | tail -1 | awk '{print $2" "$4}' Dfs links are specified in the share directory by symbolic links of the form <tt class="filename">msdfs:serverA\\shareA,serverB\\shareB</tt> and so on. For more information on setting up a Dfs tree - on Samba, refer to <a href="msdfs.html" target="_top">"Hosting a Microsoft - Distributed File System tree on Samba"</a> document.</p><p>See also <a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p><p>Default: <b class="command">msdfs root = no</b></p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before + on Samba, refer to <a href="#">???</a>.</p><p>See also <a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p><p>Default: <b class="command">msdfs root = no</b></p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If the timeout is set to 0. the caching is disabled. </p><p>Default: <b class="command">name cache timeout = 660</b></p><p>Example: <b class="command">name cache timeout = 0</b></p></dd><dt><span class="term"><a name="NAMERESOLVEORDER"></a>name resolve order (G)</span></dt><dd><p>This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose to is to control how netbios name resolution is performed. The option takes a space - separated string of name resolution options.</p><p>The options are: "lmhosts", "host", - "wins" and "bcast". They cause names to be + separated string of name resolution options.</p><p>The options are: "lmhosts", "host", + "wins" and "bcast". They cause names to be resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">lmhosts</tt> : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the <a href="lmhosts.5.html" target="_top">lmhosts(5)</a> for details) then @@ -1811,7 +1870,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' first, followed by a broadcast attempt, followed by a normal system hostname lookup.</p><p>When Samba is functioning in ADS security mode (<b class="command">security = ads</b>) it is advised to use following settings for <i class="parameter"><tt>name resolve order</tt></i>:</p><p><b class="command">name resolve order = wins bcast</b></p><p>DC lookups will still be done via DNS, but fallbacks to netbios names will - not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that <a href="nmbd.8.html" target="_top">nmbd(8)</a> will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon @@ -1842,16 +1901,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' <i class="parameter"><tt>homedir map</tt></i></a> and return the server listed there.</p><p>Note that for this option to work there must be a working NIS system and the Samba server with this option must also - be a logon server.</p><p>Default: <b class="command">nis homedir = no</b></p></dd><dt><span class="term"><a name="NONUNIXACCOUNTRANGE"></a>non unix account range (G)</span></dt><dd><p>The non unix account range parameter specifies - the range of 'user ids' that are allocated by the various 'non unix - account' passdb backends. These backends allow - the storage of passwords for users who don't exist in /etc/passwd. - This is most often used for machine account creation. - This range of ids should have no existing local or NIS users within - it as strange conflicts can occur otherwise.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>These userids never appear on the system and Samba will never - 'become' these users. They are used only to ensure that the algorithmic - RID mapping does not conflict with normal users. - </p></div><p>Default: <b class="command">non unix account range = <empty string></b></p><p>Example: <b class="command">non unix account range = 10000-20000</b></p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map + be a logon server.</p><p>Default: <b class="command">nis homedir = no</b></p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map UNIX permissions into Windows NT access control lists. This parameter was formally a global parameter in releases prior to 2.2.2.</p><p>Default: <b class="command">nt acl support = yes</b></p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to @@ -1926,9 +1976,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' names to OS/2 printer driver names. The format is:</p><p><nt driver name> = <os2 driver name>.<device name></p><p>For example, a valid entry using the HP LaserJet 5 printer driver would appear as <b class="command">HP LaserJet 5L = LASERJET.HP LaserJet 5L</b>.</p><p>The need for the file is due to the printer driver namespace - problem described in the <a href="printing.html" target="_top">Samba - Printing HOWTO</a>. For more details on OS/2 clients, please - refer to the OS2-Client-HOWTO containing in the Samba documentation.</p><p>Default: <b class="command">os2 driver map = <empty string></b></p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>This integer value controls what level Samba + problem described in <a href="#">???</a>. For more details on OS/2 clients, please + refer to <a href="#">???</a>.</p><p>Default: <b class="command">os2 driver map = <empty string></b></p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <i class="parameter"><tt> @@ -1947,7 +1996,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' <a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i></a> parameter for most setups.</p><p>Default: <b class="command">pam password change = no</b></p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a system command to be called when either <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> or <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> crashes. This is usually used to - draw attention to the fact that a problem occurred.</p><p>Default: <b class="command">panic action = <empty string></b></p><p>Example: <b class="command">panic action = "/bin/sleep 90000"</b></p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some version of NT 4.x allow non-guest + draw attention to the fact that a problem occurred.</p><p>Default: <b class="command">panic action = <empty string></b></p><p>Example: <b class="command">panic action = "/bin/sleep 90000"</b></p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit. @@ -1978,12 +2027,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' The MySQL based passdb backend. Takes an identifier as argument. Read the Samba HOWTO Collection for configuration details. - </p></li><li><p><b class="command">guest</b> - - Very simple backend that only provides one user: the guest user. - Only maps the NT guest user to the <i class="parameter"><tt>guest account</tt></i>. - Required in pretty much all situations. </p></li></ul></div><p> - </p><p>Default: <b class="command">passdb backend = smbpasswd</b></p><p>Example: <b class="command">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</b></p><p>Example: <b class="command">passdb backend = ldapsam:ldaps://ldap.example.com guest</b></p><p>Example: <b class="command">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</b></p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span> + </p><p>Default: <b class="command">passdb backend = smbpasswd</b></p><p>Example: <b class="command">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd</b></p><p>Example: <b class="command">passdb backend = ldapsam:ldaps://ldap.example.com</b></p><p>Example: <b class="command">passdb backend = mysql:my_plugin_args tdbsam</b></p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span> conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the @@ -2005,7 +2050,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.</p><p>If the send string in any part of the chat sequence is a full - stop ".", then no string is sent. Similarly, if the + stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.</p><p>If the <a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i></a> parameter is set to <tt class="constant">yes</tt>, the chat pairs may be matched in any order, and success is determined by the PAM result, @@ -2015,9 +2060,9 @@ df $1 | tail -1 | awk '{print $2" "$4}' passwd program</tt></i></a> ,<a href="#PASSWDCHATDEBUG"> <i class="parameter"><tt>passwd chat debug</tt></i></a> and <a href="#PAMPASSWORDCHANGE"> <i class="parameter"><tt>pam password change</tt></i></a>.</p><p>Default: <b class="command">passwd chat = *new*password* %n\\n - *new*password* %n\\n *changed*</b></p><p>Example: <b class="command">passwd chat = "*Enter OLD password*" %o\\n - "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n - "*Password changed*"</b></p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script + *new*password* %n\\n *changed*</b></p><p>Example: <b class="command">passwd chat = "*Enter OLD password*" %o\\n + "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n + "*Password changed*"</b></p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the strings passed to and received from the passwd chat are printed in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a @@ -2041,8 +2086,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' it.</p><p><span class="emphasis"><em>Note</em></span> that if the <i class="parameter"><tt>unix password sync</tt></i> parameter is set to <tt class="constant">yes </tt> then this program is called <span class="emphasis"><em>AS ROOT</em></span> - before the SMB password in the <a href="smbpasswd.5.html" target="_top"><a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> - </a> file is changed. If this UNIX password change fails, then + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then <b class="command">smbd</b> will fail to change the SMB password also (this is by design).</p><p>If the <i class="parameter"><tt>unix password sync</tt></i> parameter is set this parameter <span class="emphasis"><em>MUST USE ABSOLUTE PATHS</em></span> @@ -2057,10 +2102,10 @@ df $1 | tail -1 | awk '{print $2" "$4}' family of operating systems. These clients upper case clear text passwords even when NT LM 0.12 selected by the protocol negotiation request/response.</p><p>This parameter defines the maximum number of characters - that may be upper case in passwords.</p><p>For example, say the password given was "FRED". If <i class="parameter"><tt> + that may be upper case in passwords.</p><p>For example, say the password given was "FRED". If <i class="parameter"><tt> password level</tt></i> is set to 1, the following combinations - would be tried if "FRED" failed:</p><p>"Fred", "fred", "fRed", "frEd","freD"</p><p>If <i class="parameter"><tt>password level</tt></i> was set to 2, - the following combinations would also be tried: </p><p>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</p><p>And so on.</p><p>The higher value this parameter is set to the more likely + would be tried if "FRED" failed:</p><p>"Fred", "fred", "fRed", "frEd","freD"</p><p>If <i class="parameter"><tt>password level</tt></i> was set to 2, + the following combinations would also be tried: </p><p>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</p><p>And so on.</p><p>The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to @@ -2080,7 +2125,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' parameter <a href="#NAMERESOLVEORDER"><i class="parameter"><tt>name resolve order</tt></i></a> and so may resolved by any method and order described in that parameter.</p><p>The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Using a password server means your UNIX box (running Samba) is only as secure as your password server. <span class="emphasis"><em>DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</em></span>. @@ -2145,11 +2190,11 @@ df $1 | tail -1 | awk '{print $2" "$4}' whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.</p><p>An interesting example may be to unmount server - resources:</p><p><b class="command">postexec = /etc/umount /cdrom</b></p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever + resources:</p><p><b class="command">postexec = /etc/umount /cdrom</b></p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here - is an example:</p><p><b class="command">preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & </b></p><p>Of course, this could get annoying after a while :-)</p><p>See also <a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a> and <a href="#POSTEXEC"><i class="parameter"><tt>postexec - </tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>This boolean option controls whether a non-zero + is an example:</p><p><b class="command">preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & </b></p><p>Of course, this could get annoying after a while :-)</p><p>See also <a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a> and <a href="#POSTEXEC"><i class="parameter"><tt>postexec + </tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>This boolean option controls whether a non-zero return code from <a href="#PREEXEC"><i class="parameter"><tt>preexec </tt></i></a> should close the service being connected to.</p><p>Default: <b class="command">preexec close = no</b></p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master (G)</span></dt><dd><p>Synonym for <a href="#PREFERREDMASTER"><i class="parameter"><tt> preferred master</tt></i></a> for people who cannot spell :-).</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>This boolean parameter controls if @@ -2171,8 +2216,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' printcap file loaded then the <a href="#LOADPRINTERS"> <i class="parameter"><tt>load printers</tt></i></a> option is easier.</p><p>Default: <span class="emphasis"><em>no preloaded services</em></span></p><p>Example: <b class="command">preload = fred lp colorlp</b></p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should be loaded into smbd before a client connects. This improves - the speed of smbd when reacting to new connections somewhat. </p><p>It is recommended to only use this option on heavy-performance - servers.</p><p>Default: <b class="command">preload modules = </b></p><p>Example: <b class="command">preload modules = /usr/lib/samba/passdb/mysql.so+++ </b></p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p> This controls if new filenames are created + the speed of smbd when reacting to new connections somewhat. </p><p>Default: <b class="command">preload modules = </b></p><p>Example: <b class="command">preload modules = /usr/lib/samba/passdb/mysql.so+++ </b></p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p> This controls if new filenames are created with the case that the client passes, or if they are forced to be the <a href="#DEFAULTCASE"><i class="parameter"><tt>default case </tt></i></a>.</p><p>Default: <b class="command">preserve case = yes</b></p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.</p></dd><dt><span class="term"><a name="PRINTABLE"></a>printable (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt>, then @@ -2189,7 +2233,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' </b>. This should be supplemented by an addtional setting <a href="#PRINTING">printing = cups</a> in the [global] section. <b class="command">printcap name = cups</b> will use the - "dummy" printcap created by CUPS, as specified in your CUPS + "dummy" printcap created by CUPS, as specified in your CUPS configuration file. </p><p>On System V systems that use <b class="command">lpstat</b> to list available printers you can use <b class="command">printcap name = lpstat @@ -2272,7 +2316,30 @@ print5|My Printer 5 <i class="parameter"><tt>printable</tt></i></a>.</p></dd><dt><span class="term"><a name="PRIVATEDIR"></a>private dir (G)</span></dt><dd><p>This parameters defines the directory smbd will use for storing such files as <tt class="filename">smbpasswd</tt> and <tt class="filename">secrets.tdb</tt>. - </p><p>Default :<b class="command">private dir = ${prefix}/private</b></p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol (G)</span></dt><dd><p>Synonym for <a href="#MAXPROTOCOL"> + </p><p>Default :<b class="command">private dir = ${prefix}/private</b></p></dd><dt><span class="term"><a name="PROFILEACLS"></a>profile acls (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. +</p><p>When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile.</p><p>Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. +</p><p>Default: <b class="command">profile acls = no</b></p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol (G)</span></dt><dd><p>Synonym for <a href="#MAXPROTOCOL"> <i class="parameter"><tt>max protocol</tt></i></a>.</p></dd><dt><span class="term"><a name="PUBLIC"></a>public (S)</span></dt><dd><p>Synonym for <a href="#GUESTOK"><i class="parameter"><tt>guest ok</tt></i></a>.</p></dd><dt><span class="term"><a name="QUEUEPAUSECOMMAND"></a>queuepause command (S)</span></dt><dd><p>This parameter specifies the command to be executed on the server host in order to pause the printer queue.</p><p>This command should be a program or script which takes @@ -2297,8 +2364,8 @@ print5|My Printer 5 path in the command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em>depends on the setting of <a href="#PRINTING"> <i class="parameter"><tt>printing</tt></i></a></em></span></p><p>Example: <b class="command">queuepause command = enable %p</b></p></dd><dt><span class="term"><a name="READBMPX"></a>read bmpx (G)</span></dt><dd><p>This boolean parameter controls whether - <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will support the "Read - Block Multiplex" SMB. This is now rarely used and defaults to + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to <tt class="constant">no</tt>. You should never need to set this parameter.</p><p>Default: <b class="command">read bmpx = no</b></p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>This is a list of users that are given read-only access to a service. If the connecting user is in this list then @@ -2349,8 +2416,7 @@ print5|My Printer 5 the <a href="#WORKGROUP"><i class="parameter"><tt>workgroup</tt></i></a> parameter is used instead.</p><p>The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable.</p><p>See the documentation file <a href="improved-browsing.html" target="_top">BROWSING</a> - in the <tt class="filename">docs/</tt> directory.</p><p>Default: <b class="command">remote announce = <empty string></b></p></dd><dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically request + of known browse masters if your network config is that stable.</p><p>See <a href="#">???</a>.</p><p>Default: <b class="command">remote announce = <empty string></b></p></dd><dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to gain browse lists for multiple workgroups across routed networks. This @@ -2384,20 +2450,20 @@ print5|My Printer 5 by setting <a href="#GUESTOK"><i class="parameter"><tt>guest ok</tt></i> = yes</a> on any share. </p></div><p>Default: <b class="command">restrict anonymous = 0</b></p></dd><dt><span class="term"><a name="ROOT"></a>root (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY"> - <i class="parameter"><tt>root directory"</tt></i></a>. + <i class="parameter"><tt>root directory"</tt></i></a>. </p></dd><dt><span class="term"><a name="ROOTDIR"></a>root dir (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY"> - <i class="parameter"><tt>root directory"</tt></i></a>. + <i class="parameter"><tt>root directory"</tt></i></a>. </p></dd><dt><span class="term"><a name="ROOTDIRECTORY"></a>root directory (G)</span></dt><dd><p>The server will <b class="command">chroot()</b> (i.e. Change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names + parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the <a href="#WIDELINKS"> <i class="parameter"><tt>wide links</tt></i></a> parameter). </p><p>Adding a <i class="parameter"><tt>root directory</tt></i> entry other - than "/" adds an extra level of security, but at a price. It + than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the <i class="parameter"><tt>root directory</tt></i> option, <span class="emphasis"><em>including</em></span> some files needed for @@ -2421,7 +2487,7 @@ print5|My Printer 5 preexec</tt></i></a> and <a href="#PREEXECCLOSE"> <i class="parameter"><tt>preexec close</tt></i></a>.</p><p>Default: <b class="command">root preexec close = no</b></p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to Samba and is one of the most important settings in the <tt class="filename"> - smb.conf</tt> file.</p><p>The option sets the "security mode bit" in replies to + smb.conf</tt> file.</p><p>The option sets the "security mode bit" in replies to protocol negotiations with <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server.</p><p>The default is <b class="command">security = user</b>, as this is @@ -2432,8 +2498,8 @@ print5|My Printer 5 <b class="command">security = share</b> mainly because that was the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as.</p><p>If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use @@ -2487,7 +2553,7 @@ print5|My Printer 5 in share-level security as to which UNIX username will eventually be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a + With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the <a href="#USERNAMEMAP"> <i class="parameter"><tt>username map</tt></i></a> parameter). Encrypted passwords (see the <a href="#ENCRYPTPASSWORDS"> @@ -2536,7 +2602,7 @@ print5|My Printer 5 does not support them. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid <tt class="filename">smbpasswd</tt> file to check - users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</p><p><span class="emphasis"><em>Note</em></span> this mode of operation has + users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This mode of operation has significant pitfalls, due to the fact that is activly initiates a man-in-the-middle attack on the remote SMB server. In particular, this mode of operation can cause significant resource consuption on @@ -2544,11 +2610,11 @@ print5|My Printer 5 of the user's session. Furthermore, if this connection is lost, there is no way to reestablish it, and futher authenticaions to the Samba server may fail. (From a single client, till it disconnects). - </p><p><span class="emphasis"><em>Note</em></span> that from the client's point of + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>From the client's point of view <b class="command">security = server</b> is the same as <b class="command">security = user</b>. It only affects how the server deals with the authentication, it does - not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being + not in any way affect what the client sees.</p></div><p><span class="emphasis"><em>Note</em></span> that the name of the resource being requested is <span class="emphasis"><em>not</em></span> sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing @@ -2558,6 +2624,13 @@ print5|My Printer 5 </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a href="#PASSWORDSERVER"><i class="parameter"><tt>password server</tt></i></a> parameter and the <a href="#ENCRYPTPASSWORDS"> + <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility. </p><p>Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller. </p><p>Read the chapter about Domain Membership in the HOWTO for details.</p><p>See also the <a href="#"><i class="parameter"><tt>ads server + </tt></i></a> parameter, the <a href="#REALM"><i class="parameter"><tt>realm + </tt></i></a> paramter and the <a href="#ENCRYPTPASSWORDS"> <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter.</p><p>Default: <b class="command">security = USER</b></p><p>Example: <b class="command">security = DOMAIN</b></p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security @@ -2570,7 +2643,7 @@ print5|My Printer 5 </p><p><span class="emphasis"><em>Note</em></span> that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will + "appliance" systems. Administrators of most normal systems will probably want to leave it set to <tt class="constant">0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"> <i class="parameter"><tt>force directory security mode</tt></i></a>, <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory @@ -2586,7 +2659,13 @@ print5|My Printer 5 for Windows NT4 before SP4.</p><p>Please note that with this set to <i class="parameter"><tt>no</tt></i> you will have to apply the WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory.</p><p>Default: <b class="command">server schannel = auto</b></p><p>Example: <b class="command">server schannel = yes</b></p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print + the docs/Registry subdirectory.</p><p>Default: <b class="command">server schannel = auto</b></p><p>Example: <b class="command">server schannel = yes</b></p></dd><dt><span class="term"><a name="SERVERSIGNING"></a>server signing (G)</span></dt><dd><p>This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span> + and <span class="emphasis"><em>disabled</em></span>. + </p><p>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</p><p>Default: <b class="command">client signing = False</b></p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print manager and next to the IPC connection in <b class="command">net view</b>. It can be any string that you wish to show to your users.</p><p>It also sets what will appear in browse lists next to the machine name.</p><p>A <i class="parameter"><tt>%v</tt></i> will be replaced with the Samba @@ -2604,7 +2683,13 @@ print5|My Printer 5 vampire</b>. <i class="parameter"><tt>%u</tt></i> will be replaced with the user whose primary group is to be set. <i class="parameter"><tt>%g</tt></i> will be replaced with the group to - set.</p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Example: <b class="command">set primary group script = /usr/sbin/usermod -g '%g' '%u'</b></p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of + set.</p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Example: <b class="command">set primary group script = /usr/sbin/usermod -g '%g' '%u'</b></p></dd><dt><span class="term"><a name="SETQUOTACOMMAND"></a>set quota command (G)</span></dt><dd><p>The <b class="command">set quota command</b> should only be used + whenever there is no operating system API available from the OS that + samba can use.</p><p>This parameter should specify the path to a script that + can set quota for the specified arguments.</p><p>The specified script should take the following arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>1 - quota type + </p><div class="itemizedlist"><ul type="circle"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p> + </p></li><li><p>2 - id (uid for user, gid for group, -1 if N/A)</p></li><li><p>3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)</p></li><li><p>4 - block softlimit</p></li><li><p>5 - block hardlimit</p></li><li><p>6 - inode softlimit</p></li><li><p>7 - inode hardlimit</p></li><li><p>8(optional) - block size, defaults to 1024</p></li></ul></div><p>The script should output at least one line of data.</p><p>See also the <a href="#GETQUOTACOMMAND"><i class="parameter"><tt>get quota command</tt></i></a> parameter. + </p><p>Default: <b class="command">set quota command = </b></p><p>Example: <b class="command">set quota command = /usr/local/sbin/set_quota</b></p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of the <i class="parameter"><tt>share modes</tt></i> during a file open. These modes are used by clients to gain exclusive read or write access to a file.</p><p>These open modes are not directly supported by UNIX, so @@ -2622,7 +2707,7 @@ print5|My Printer 5 </tt></i></a>. This option can be use with <a href="#PRESERVECASE"><b class="command">preserve case = yes</b> </a> to permit long filenames to retain their case, while short names are lowered. </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b class="command">short preserve case = yes</b></p></dd><dt><span class="term"><a name="SHOWADDPRINTERWIZARD"></a>show add printer wizard (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support - for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will + for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege @@ -2648,13 +2733,13 @@ print5|My Printer 5 switch <span class="emphasis"><em>-r</em></span>. It means reboot after shutdown for NT.</p></li><li><p><i class="parameter"><tt>%f</tt></i> will be substituted with the switch <span class="emphasis"><em>-f</em></span>. It means force the shutdown - even if applications do not respond for NT.</p></li></ul></div><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</b></p><p>Shutdown script example: + even if applications do not respond for NT.</p></li></ul></div><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</b></p><p>Shutdown script example: </p><pre class="programlisting"> #!/bin/bash $time=0 -let "time/60" -let "time++" +let "time/60" +let "time++" /sbin/shutdown $3 $4 +$time $1 & </pre><p> @@ -2675,7 +2760,7 @@ Shutdown does not return so we need to launch it in background. suggest you read the appropriate documentation for your operating system first (perhaps <b class="command">man setsockopt</b> will help).</p><p>You may find that on some systems Samba will say - "Unknown socket option" when you supply an option. This means you + "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to <a href="mailto:samba-technical@samba.org" target="_top"> @@ -2690,15 +2775,13 @@ Shutdown does not return so we need to launch it in background. might be:</p><p><b class="command">socket options = IPTOS_LOWDELAY</b></p><p>If you have a local network then you could try:</p><p><b class="command">socket options = IPTOS_LOWDELAY TCP_NODELAY</b></p><p>If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT. </p><p>Note that several of the options may cause your Samba server to fail completely. Use these options with caution!</p><p>Default: <b class="command">socket options = TCP_NODELAY</b></p><p>Example: <b class="command">socket options = IPTOS_LOWDELAY</b></p></dd><dt><span class="term"><a name="SOURCEENVIRONMENT"></a>source environment (G)</span></dt><dd><p>This parameter causes Samba to set environment - variables as per the content of the file named.</p><p>If the value of this parameter starts with a "|" character + variables as per the content of the file named.</p><p>If the value of this parameter starts with a "|" character then Samba will treat that value as a pipe command to open and will set the environment variables from the output of the pipe.</p><p>The contents of the file or the output of the pipe should be formatted as the output of the standard Unix <b class="command">env(1)</b> command. This is of the form:</p><p>Example environment entry:</p><p><b class="command">SAMBA_NETBIOS_NAME = myhostname</b></p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Examples: <b class="command">source environment = |/etc/smb.conf.sh</b></p><p>Example: <b class="command">source environment = /usr/local/smb_env_vars</b></p></dd><dt><span class="term"><a name="STATCACHE"></a>stat cache (G)</span></dt><dd><p>This parameter determines if <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will use a cache in order to speed up case insensitive name mappings. You should never need - to change this parameter.</p><p>Default: <b class="command">stat cache = yes</b></p></dd><dt><span class="term"><a name="STATCACHESIZE"></a>stat cache size (G)</span></dt><dd><p>This parameter determines the number of - entries in the <i class="parameter"><tt>stat cache</tt></i>. You should - never need to change this parameter.</p><p>Default: <b class="command">stat cache size = 50</b></p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of + to change this parameter.</p><p>Default: <b class="command">stat cache = yes</b></p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of disk space allocation in the server. When this is set to <tt class="constant">yes</tt> the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour @@ -2755,23 +2838,17 @@ Shutdown does not return so we need to launch it in background. string <i class="parameter"><tt>%D</tt></i> is present it is substituted with the user's Windows NT domain name. If the string <i class="parameter"><tt>%U</tt></i> is present it - is substituted with the user's Windows NT user name.</p><p>Default: <b class="command">template homedir = /home/%D/%U</b></p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT + is substituted with the user's Windows NT user name.</p><p>Default: <b class="command">template homedir = /home/%D/%U</b></p></dd><dt><span class="term"><a name="TEMPLATEPRIMARYGROUP"></a>template primary group (G)</span></dt><dd><p>This option defines the default primary group for + each user created by <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a>'s local account management + functions (similar to the 'add user script'). + </p><p>Default: <b class="command">template primary group = nobody</b></p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this parameter to fill in the login shell for that user.</p><p>Default: <b class="command">template shell = /bin/false</b></p></dd><dt><span class="term"><a name="TIMEOFFSET"></a>time offset (G)</span></dt><dd><p>This parameter is a setting in minutes to add to the normal GMT to local time conversion. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.</p><p>Default: <b class="command">time offset = 0</b></p><p>Example: <b class="command">time offset = 60</b></p></dd><dt><span class="term"><a name="TIMESERVER"></a>time server (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> advertises itself as a time server to Windows clients.</p><p>Default: <b class="command">time server = no</b></p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs (G)</span></dt><dd><p>Synonym for <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt> - debug timestamp</tt></i></a>.</p></dd><dt><span class="term"><a name="TOTALPRINTJOBS"></a>total print jobs (G)</span></dt><dd><p>This parameter accepts an integer value which defines - a limit on the maximum number of print jobs that will be accepted - system wide at any given time. If a print job is submitted - by a client which will exceed this number, then <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will return an - error indicating that no space is available on the server. The - default value of 0 means that no such limit exists. This parameter - can be used to prevent a server from exceeding its capacity and is - designed as a printing throttle. See also <a href="#MAXPRINTJOBS"> - <i class="parameter"><tt>max print jobs</tt></i></a>. - </p><p>Default: <b class="command">total print jobs = 0</b></p><p>Example: <b class="command">total print jobs = 5000</b></p></dd><dt><span class="term"><a name="UNICODE"></a>unicode (G)</span></dt><dd><p>Specifies whether Samba should try + debug timestamp</tt></i></a>.</p></dd><dt><span class="term"><a name="UNICODE"></a>unicode (G)</span></dt><dd><p>Specifies whether Samba should try to use unicode on the wire by default. Note: This does NOT mean that samba will assume that the unix machine uses unicode! </p><p>Default: <b class="command">unicode = yes</b></p></dd><dt><span class="term"><a name="UNIXCHARSET"></a>unix charset (G)</span></dt><dd><p>Specifies the charset the unix machine @@ -2782,7 +2859,7 @@ Shutdown does not return so we need to launch it in background. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of - no current use to Windows clients.</p><p>Default: <b class="command">unix extensions = no</b></p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba + no current use to Windows clients.</p><p>Default: <b class="command">unix extensions = yes</b></p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to <tt class="constant">yes</tt> the program specified in the <i class="parameter"><tt>passwd @@ -2826,7 +2903,7 @@ Shutdown does not return so we need to launch it in background. logged on user. If the user possesses local administator rights but not root privilegde on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will - now display an "Access Denied; Unable to connect" message + now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed). </p><p>If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped @@ -2910,8 +2987,8 @@ Shutdown does not return so we need to launch it in background. to the UNIX name <tt class="constant">sys</tt> you would use:</p><p><b class="command">sys = @system</b></p><p>You can have as many mappings as you like in a username map file.</p><p>If your system supports the NIS NETGROUP option then the netgroup database is checked before the <tt class="filename">/etc/group </tt> database for matching groups.</p><p>You can map Windows usernames that have spaces in them - by using double quotes around the name. For example:</p><p><b class="command">tridge = "Andrew Tridgell"</b></p><p>would map the windows username "Andrew Tridgell" to the - unix username "tridge".</p><p>The following example would map mary and fred to the + by using double quotes around the name. For example:</p><p><b class="command">tridge = "Andrew Tridgell"</b></p><p>would map the windows username "Andrew Tridgell" to the + unix username "tridge".</p><p>The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line.</p><pre class="programlisting"> @@ -3032,7 +3109,13 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ that Samba has to do in order to perform the link checks.</p><p>Default: <b class="command">wide links = yes</b></p></dd><dt><span class="term"><a name="WINBINDCACHETIME"></a>winbind cache time (G)</span></dt><dd><p>This parameter specifies the number of seconds the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon will cache user and group information before querying a Windows NT server - again.</p><p>Default: <b class="command">winbind cache type = 15</b></p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be necessary to suppress + again.</p><p>Default: <b class="command">winbind cache type = 300</b></p></dd><dt><span class="term"><a name="WINBINDENABLELOCALACCOUNTS"></a>winbind enable local accounts (G)</span></dt><dd><p>This parameter controls whether or not winbindd + will act as a stand in replacement for the various account + management hooks in smb.conf (e.g. 'add user script'). + If enabled, winbindd will support the creation of local + users and groups as another source of UNIX account information + available via getpwnam() or getgrgid(), etc... + </p><p>Default: <b class="command">winbind enable local accounts = yes</b></p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be necessary to suppress the enumeration of groups through the <b class="command">setgrent()</b>, <b class="command">getgrent()</b> and <b class="command">endgrent()</b> group of system calls. If @@ -3060,10 +3143,16 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ and <tt class="filename">nss_winbind.so</tt> modules for UNIX services. </p><p>Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + - is used as a special character for NIS in /etc/group.</p><p>Default: <b class="command">winbind separator = '\'</b></p><p>Example: <b class="command">winbind separator = +</b></p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid (G)</span></dt><dd><p>This parameter is now an alias for <b class="command">idmap uid</b></p><p>The winbind gid parameter specifies the range of user ids that are allocated by the + is used as a special character for NIS in /etc/group.</p><p>Default: <b class="command">winbind separator = '\'</b></p><p>Example: <b class="command">winbind separator = +</b></p></dd><dt><span class="term"><a name="WINBINDTRUSTEDDOMAINSONLY"></a>winbind trusted domains only (G)</span></dt><dd><p>This parameter is designed to allow Samba servers that + are members of a Samba controlled domain to use UNIX accounts + distributed vi NIS, rsync, or LDAP as the uid's for winbindd users + in the hosts primary domain. Therefore, the user 'SAMBA\user1' would + be mapped to the account 'user1' in /etc/passwd instead of allocating + a new uid for him or her. + </p><p>Default: <b class="command">winbind trusted domains only = <no></b></p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid (G)</span></dt><dd><p>This parameter is now an alias for <b class="command">idmap uid</b></p><p>The winbind gid parameter specifies the range of user ids that are allocated by the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon. This range of ids should have no existing local or NIS users within it as strange - conflicts can occur otherwise.</p><p>Default: <b class="command">winbind uid = <empty string></b></p><p>Example: <b class="command">winbind uid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDUSEDDEFAULTDOMAIN"></a>winbind used default domain (G)</span></dt><dd><p>This parameter specifies whether the + conflicts can occur otherwise.</p><p>Default: <b class="command">winbind uid = <empty string></b></p><p>Example: <b class="command">winbind uid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDUSEDEFAULTDOMAIN"></a>winbind use default domain (G)</span></dt><dd><p>This parameter specifies whether the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own @@ -3075,11 +3164,11 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ dynamic update of external name resolution databases such as dynamic DNS.</p><p>The wins hook parameter specifies the name of a script or executable that will be called as follows:</p><p><b class="command">wins_hook operation name nametype ttl IP_list</b></p><div class="itemizedlist"><ul type="disc"><li><p>The first argument is the operation and is - one of "add", "delete", or - "refresh". In most cases the operation + one of "add", "delete", or + "refresh". In most cases the operation can be ignored as the rest of the parameters provide sufficient information. Note that - "refresh" may sometimes be called when + "refresh" may sometimes be called when the name has not previously been added, in that case it should be treated as an add.</p></li><li><p>The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. @@ -3090,7 +3179,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ addresses currently registered for that name. If this list is empty then the name should be deleted.</p></li></ul></div><p>An example script that calls the BIND dynamic DNS update program <b class="command">nsupdate</b> is provided in the examples - directory of the Samba source code. </p></dd><dt><span class="term"><a name="WINSPARTNER"></a>wins partner (G)</span></dt><dd><p>A space separated list of partners' IP addresses for + directory of the Samba source code. </p></dd><dt><span class="term"><a name="WINSPARTNERS"></a>wins partners (G)</span></dt><dd><p>A space separated list of partners' IP addresses for WINS replication. WINS partners are always defined as push/pull partners as defining only one way WINS replication is unreliable. WINS replication is currently experimental and unreliable between @@ -3106,7 +3195,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ seperated from the ip address by a colon. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet - browsing to work correctly.</p></div><p>See the documentation file <a href="improved-browsing.html" target="_top">Browsing</a> in the samba howto collection.</p><p>Default: <span class="emphasis"><em>not enabled</em></span></p><p>Example: <b class="command">wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61</b></p><p>For this example when querying a certain name, 192.19.200.1 will + browsing to work correctly.</p></div><p>See the <a href="#">???</a>.</p><p>Default: <span class="emphasis"><em>not enabled</em></span></p><p>Example: <b class="command">wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61</b></p><p>For this example when querying a certain name, 192.19.200.1 will be asked first and if that doesn't respond 192.168.2.61. If either of those doesn't know the name 192.168.3.199 will be queried. </p><p>Example: <b class="command">wins server = 192.9.200.1 192.168.2.61</b></p></dd><dt><span class="term"><a name="WINSSUPPORT"></a>wins support (G)</span></dt><dd><p>This boolean controls if the <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> process in Samba will act as a WINS server. You should |