Move existing samba4 documentation to Samba-docs trunk

(This used to be commit ee3dfdcf09d6a657cf7e7325f10aa3154867c351)

1 files changed, 7782 insertions, 626 deletions

diff --git a/docs/manpages-3/smb.conf.5.xml b/docs/manpages-3/smb.conf.5.xml
index ad9e3fbe97..ba010de317 100644
--- a/docs/manpages-3/smb.conf.5.xml
+++ b/docs/manpages-3/smb.conf.5.xml
@@ -1,656 +1,7812 @@
-<refentry id="smb.conf.5" xmlns:xi="http://www.w3.org/2003/XInclude">
-	
-<refmeta>
-	<refentrytitle>smb.conf</refentrytitle>
-	<manvolnum>5</manvolnum>
-</refmeta>
-
-
-<refnamediv>
-	<refname>smb.conf</refname>
-	<refpurpose>The configuration file for the Samba suite</refpurpose>
-</refnamediv>
-
-<refsect1>
-	<title>SYNOPSIS</title>
-
-	<para>The <filename moreinfo="none">smb.conf</filename> file is a configuration  
-	file for the Samba suite. <filename moreinfo="none">smb.conf</filename> contains  
-	runtime configuration information for the Samba programs. The <filename moreinfo="none">smb.conf</filename> file 
-	is designed to be configured and  administered by the <citerefentry><refentrytitle>swat</refentrytitle> 
-	<manvolnum>8</manvolnum></citerefentry> program. The complete
-	description of the file format and possible parameters held within
-	are here for reference purposes.</para> </refsect1>
-
-<refsect1 id="FILEFORMATSECT">
-	<title>FILE FORMAT</title>
-
-	<para>The file consists of sections and parameters. A section 
-	begins with the name of the section in square brackets and continues 
-	until the next section begins. Sections contain parameters of the 
-	form</para>
-
-	<para><replaceable>name</replaceable> = <replaceable>value
-	</replaceable></para>
-
-	<para>The file is line-based - that is, each newline-terminated 
-	line represents either a comment, a section name or a parameter.</para>
-
-	<para>Section and parameter names are not case sensitive.</para>
-
-	<para>Only the first equals sign in a parameter is significant. 
-	Whitespace before or after the first equals sign is discarded.
-	Leading, trailing and internal whitespace in section and parameter 
-	names is irrelevant. Leading and trailing whitespace in a parameter 
-	value is discarded. Internal whitespace within a parameter value 
-	is retained verbatim.</para>
-
-	<para>Any line beginning with a semicolon (<quote>;</quote>) or a hash (<quote>#</quote>) 
-	character is ignored, as are lines containing only whitespace.</para>
-
-	<para>Any line ending in a <quote>\</quote> is continued
-	on the next line in the customary UNIX fashion.</para>
-
-	<para>The values following the equals sign in parameters are all 
-	either a string (no quotes needed) or a boolean, which may be given 
-	as yes/no, 0/1 or true/false. Case is not significant in boolean 
-	values, but is preserved in string values. Some items such as 
-	create modes are numeric.</para>
-</refsect1>
-
-<refsect1>
-	<title>SECTION DESCRIPTIONS</title>
-
-	<para>Each section in the configuration file (except for the
-	[global] section) describes a shared resource (known
-	as a <quote>share</quote>). The section name is the name of the 
-	shared resource and the parameters within the section define 
-	the shares attributes.</para>
-
-	<para>There are three special sections, [global],
-	[homes] and [printers], which are
-	described under <emphasis>special sections</emphasis>. The
-	following notes apply to ordinary section descriptions.</para>
-
-	<para>A share consists of a directory to which access is being 
-	given plus a description of the access rights which are granted 
-	to the user of the service. Some housekeeping options are 
-	also specifiable.</para>
-	
-	<para>Sections are either file share services (used by the 
-	client as an extension of their native file systems) or 
-	printable services (used by the client to access print services 
-	on the host running the server).</para>
-	
-	<para>Sections may be designated <emphasis>guest</emphasis> services,
-	in which case no password is required to access them. A specified 
-	UNIX <emphasis>guest account</emphasis> is used to define access
-	privileges in this case.</para>
-
-	<para>Sections other than guest services will require a password 
-	to access them. The client provides the username. As older clients 
-	only provide passwords and not usernames, you may specify a list 
-	of usernames to check against the password using the <quote>user =</quote>
-	option in the share definition. For modern clients such as 
-	Windows 95/98/ME/NT/2000, this should not be necessary.</para>
-
-	<para>The access rights granted by the server are 
-	masked by the access rights granted to the specified or guest 
-	UNIX user by the host system. The server does not grant more
-	access than the host system grants.</para>
-	
-	<para>The following sample section defines a file space share. 
-	The user has write access to the path <filename moreinfo="none">/home/bar</filename>. 
-	The share is accessed via the share name <quote>foo</quote>:</para>
-
-<smbconfexample>
-	<smbconfsection name="[foo]"/>
-	<smbconfoption name="path">/home/bar</smbconfoption>
-	<smbconfoption name="read only">read only = no</smbconfoption>
-</smbconfexample>
-
-	<para>The following sample section defines a printable share. 
-	The share is read-only, but printable. That is, the only write 
-	access permitted is via calls to open, write to and close a 
-	spool file. The <emphasis>guest ok</emphasis> parameter means 
-	access will be permitted as the default guest user (specified 
-	elsewhere):</para>
-
-<smbconfexample>
-	<smbconfsection name="[aprinter]"/>
-	<smbconfoption name="path">/usr/spool/public</smbconfoption>
-	<smbconfoption name="read only">yes</smbconfoption>
-	<smbconfoption name="printable">yes</smbconfoption>
-	<smbconfoption name="guest ok">yes</smbconfoption>
-</smbconfexample>
-</refsect1>
-
-<refsect1>
-	<title>SPECIAL SECTIONS</title>
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE variablelist PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<variablelist xmlns:xi="http://www.w3.org/2003/XInclude">
+<varlistentry>
+<indexterm significance="preferred"><primary>abort shutdown script</primary></indexterm><term><anchor id="ABORTSHUTDOWNSCRIPT"/>abort shutdown script (G)</term><listitem>
+	<para>This a full path name to a script called by <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> that
+	should stop a shutdown procedure issued by the <link linkend="SHUTDOWNSCRIPT">
+	<parameter moreinfo="none">shutdown script</parameter></link>.</para>
+		
+	<para>If the connected user posseses the <constant>SeRemoteShutdownPrivilege</constant>,
+	right, this command will be run as user.</para>
+
+<para>Default: <emphasis><parameter>abort shutdown script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>abort shutdown script</parameter> = /sbin/shutdown -c
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>acl compatibility</primary></indexterm><term><anchor id="ACLCOMPATIBILITY"/>acl compatibility (S)</term><listitem>
+	<para>This parameter specifies what OS ACL semantics should 
+	be compatible with. Possible values are <emphasis>winnt</emphasis> for Windows NT 4, 
+	<emphasis>win2k</emphasis> for Windows 2000 and above and <emphasis>auto</emphasis>.
+	If you specify <emphasis>auto</emphasis>, the value for this parameter 
+	will be based upon the version of the client. There should 
+	be no reason to change this parameter from the default.</para>
+
+<para>Default: <emphasis><parameter>acl compatibility</parameter> = Auto
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>acl compatibility</parameter> = win2k
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>add group script</primary></indexterm><term><anchor id="ADDGROUPSCRIPT"/>add group script (G)</term><listitem>
+	<para>This is the full pathname to a script that will be run
+	<emphasis>AS ROOT</emphasis> by <citerefentry>
+	<refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+	when a new group is requested. It will expand any <parameter moreinfo="none">%g</parameter> to the group name passed. This
+	script is only useful for installations using the Windows NT
+	domain administration tools. The script is free to create a
+	group with an arbitrary name to circumvent unix group name
+	restrictions. In that case the script must print the numeric gid
+	of the created group on stdout.</para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>add machine script</primary></indexterm><term><anchor id="ADDMACHINESCRIPT"/>add machine script (G)</term><listitem>
+	<para>This is the full pathname to a script that will  be run by
+	<citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> when a machine is added
+	to it's domain using the administrator username and password
+	method. </para>
+
+	<para>This option is only required when using sam back-ends tied
+	to the Unix uid method of RID calculation such as smbpasswd. 
+	This option is only available in Samba 3.0.</para>
+
+<para>Default: <emphasis><parameter>add machine script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>add machine script</parameter> = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>addprinter command</primary></indexterm><term><anchor id="ADDPRINTERCOMMAND"/>addprinter command (G)</term><listitem>
+    <para>With the introduction of MS-RPC based printing
+    support for Windows NT/2000 clients in Samba 2.2, The MS Add
+    Printer Wizard (APW) icon is now also available in the 
+    "Printers..." folder displayed a share listing.  The APW
+    allows for printers to be add remotely to a Samba or Windows 
+    NT/2000 print server.</para>
+		
+    <para>For a Samba host this means that the printer must be 
+    physically added to the underlying printing system.  The <parameter moreinfo="none">add 
+    printer command</parameter> defines a script to be run which 
+    will perform the necessary operations for adding the printer
+    to the print system and to add the appropriate service definition 
+    to the  <filename moreinfo="none">smb.conf</filename> file in order that it can be 
+    shared by <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry>.</para>
+		
+    <para>The <parameter moreinfo="none">addprinter command</parameter> is
+    automatically invoked with the following parameter (in 
+    order):</para>
+		
+    <itemizedlist>
+	<listitem><para><parameter moreinfo="none">printer name</parameter></para></listitem>
+	<listitem><para><parameter moreinfo="none">share name</parameter></para></listitem>
+	<listitem><para><parameter moreinfo="none">port name</parameter></para></listitem>
+	<listitem><para><parameter moreinfo="none">driver name</parameter></para></listitem>
+	<listitem><para><parameter moreinfo="none">location</parameter></para></listitem>
+	<listitem><para><parameter moreinfo="none">Windows 9x driver location</parameter></para></listitem>
+    </itemizedlist>
+		
+    <para>All parameters are filled in from the PRINTER_INFO_2 structure sent 
+    by the Windows NT/2000 client with one exception.  The "Windows 9x
+    driver location" parameter is included for backwards compatibility
+    only.  The remaining fields in the structure are generated from answers
+    to the APW questions.</para>
+
+    <para>Once the <parameter moreinfo="none">addprinter command</parameter> has 
+    been executed, <command moreinfo="none">smbd</command> will reparse the <filename moreinfo="none">
+    smb.conf</filename> to determine if the share defined by the APW
+    exists.  If the sharename is still invalid, then <command moreinfo="none">smbd
+    </command> will return an ACCESS_DENIED error to the client.</para>
+
+    <para>
+    The "add printer command" program can output a single line of text,
+    which Samba will set as the port the new printer is connected to. 
+    If this line isn't output, Samba won't reload its printer shares.
+    </para>
+		
+
+<para>Default: <emphasis><parameter>addprinter command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>addprinter command</parameter> = /usr/bin/addprinter
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>add share command</primary></indexterm><term><anchor id="ADDSHARECOMMAND"/>add share command (G)</term><listitem>
+	<para>Samba 2.2.0 introduced the ability to dynamically 
+	add and delete shares via the Windows NT 4.0 Server Manager.  The 
+	<parameter moreinfo="none">add share command</parameter> is used to define an 
+	external program or script which will add a new service definition 
+	to <filename moreinfo="none">smb.conf</filename>.  In order to successfully 
+	execute the <parameter moreinfo="none">add share command</parameter>, <command moreinfo="none">smbd</command>
+	requires that the administrator be connected using a root account (i.e. 
+	uid == 0).
+	</para>
+		
+	<para>
+	When executed, <command moreinfo="none">smbd</command> will automatically invoke the 
+	<parameter moreinfo="none">add share command</parameter> with four parameters.
+	</para>
+		
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">configFile</parameter> - the location 
+			of the global <filename moreinfo="none">smb.conf</filename> file. 
+			</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">shareName</parameter> - the name of the new 
+			share.
+			</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">pathName</parameter> - path to an **existing**
+			directory on disk.
+			</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">comment</parameter> - comment string to associate 
+			with the new share.
+			</para>
+		</listitem>
+	</itemizedlist>
+		
+	<para>
+	This parameter is only used for add file shares.  To add printer shares, 
+	see the <link linkend="ADDPRINTERCOMMAND"><parameter moreinfo="none">addprinter 
+	command</parameter></link>.
+	</para>
+
+<para>Default: <emphasis><parameter>add share command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>add share command</parameter> = /usr/local/bin/addshare
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>add user script</primary></indexterm><term><anchor id="ADDUSERSCRIPT"/>add user script (G)</term><listitem>
+	<para>This is the full pathname to a script that will 
+	be run <emphasis>AS ROOT</emphasis> by <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> under special circumstances described below.</para>
+
+	<para>Normally, a Samba server requires that UNIX users are 
+	created for all users accessing files on this server. For sites 
+	that use Windows NT account databases as their primary user database 
+	creating these users and keeping the user list in sync with the 
+	Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users 
+	<emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para>
+
+	<para>In order to use this option, <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> must <emphasis>NOT</emphasis> be set to <parameter moreinfo="none">security = share</parameter>
+	and <parameter moreinfo="none">add user script</parameter>
+	must be set to a full pathname for a script that will create a UNIX 
+	user given one argument of <parameter moreinfo="none">%u</parameter>, which expands into 
+	the UNIX user name to create.</para>
+
+	<para>When the Windows user attempts to access the Samba server, 
+	at login (session setup in the SMB protocol) time, <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> contacts the <parameter moreinfo="none">password server</parameter> and 
+	attempts to authenticate the given user with the given password. If the 
+	authentication succeeds then <command moreinfo="none">smbd</command> 
+	attempts to find a UNIX user in the UNIX password database to map the 
+	Windows user into. If this lookup fails, and <parameter moreinfo="none">add user script
+	</parameter> is set then <command moreinfo="none">smbd</command> will
+	call the specified script <emphasis>AS ROOT</emphasis>, expanding 
+	any <parameter moreinfo="none">%u</parameter> argument to be the user name to create.</para>
+
+	<para>If this script successfully creates the user then <command moreinfo="none">smbd
+	</command> will continue on as though the UNIX user
+	already existed. In this way, UNIX users are dynamically created to
+	match existing Windows NT accounts.</para>
+
+	<para>See also <link linkend="SECURITY"><parameter moreinfo="none">
+	security</parameter></link>, <link linkend="PASSWORDSERVER">
+	<parameter moreinfo="none">password server</parameter></link>, 
+	<link linkend="DELETEUSERSCRIPT"><parameter moreinfo="none">delete user 
+	script</parameter></link>.</para>
+
+<para>Default: <emphasis><parameter>add user script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>add user script</parameter> = /usr/local/samba/bin/add_user %u
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>add user to group script</primary></indexterm><term><anchor id="ADDUSERTOGROUPSCRIPT"/>add user to group script (G)</term><listitem>
+	<para>Full path to the script that will be called when 
+	a user is added to a group using the Windows NT domain administration 
+	tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>	<emphasis>AS ROOT</emphasis>. 
+	Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and 
+	any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+	</para>
+
+	<para>Note that the <command>adduser</command> command used in the example below does 
+		not support the used syntax on all systems. </para>
+
+
+<para>Default: <emphasis><parameter>add user to group script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>add user to group script</parameter> = /usr/sbin/adduser %u %g
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>admin users</primary></indexterm><term><anchor id="ADMINUSERS"/>admin users (S)</term><listitem>
+    <para>This is a list of users who will be granted 
+    administrative privileges on the share. This means that they 
+    will do all file operations as the super-user (root).</para>
+
+    <para>You should use this option very carefully, as any user in 
+    this list will be able to do anything they like on the share, 
+    irrespective of file permissions.</para>
+
+    <para>This parameter will not work with the <link linkend="SECURITY">
+    <parameter moreinfo="none">security = share</parameter></link> in
+    Samba 3.0.  This is by design.</para>
+
+
+<para>Default: <emphasis><parameter>admin users</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>admin users</parameter> = jason
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>afs share</primary></indexterm><term><anchor id="AFSSHARE"/>afs share (S)</term><listitem>
+	<para>This parameter controls whether special AFS features are enabled
+	for this share. If enabled, it assumes that the directory exported via
+	the <parameter>path</parameter> parameter is a local AFS import. The
+	special AFS features include the attempt to hand-craft an AFS token
+	if you enabled --with-fake-kaserver in configure.
+</para>
+
+<para>Default: <emphasis><parameter>afs share</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>afs username map</primary></indexterm><term><anchor id="AFSUSERNAMEMAP"/>afs username map (G)</term><listitem>
+	<para>If you are using the fake kaserver AFS feature, you might
+	want to hand-craft the usernames you are creating tokens for.
+	For example this is necessary if you have users from several domain
+	in your AFS Protection Database. One possible scheme to code users
+	as DOMAIN+User as it is done by winbind with the + as a separator.
+	</para>
+
+	<para>The mapped user name must contain the cell name to log into,
+	so without setting this parameter there will be no token.</para>
+
+<para>Default: <emphasis><parameter>afs username map</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>afs username map</parameter> = %u@afs.samba.org
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>algorithmic rid base</primary></indexterm><term><anchor id="ALGORITHMICRIDBASE"/>algorithmic rid base (G)</term><listitem>
+    <para>This determines how Samba will use its
+    algorithmic mapping from uids/gid to the RIDs needed to construct
+    NT Security Identifiers.
+    </para>
+
+    <para>Setting this option to a larger value could be useful to sites
+    transitioning from WinNT and Win2k, as existing user and 
+    group rids would otherwise clash with sytem users etc. 
+    </para>
+
+    <para>All UIDs and GIDs must be able to be resolved into SIDs for  
+    the correct operation of ACLs on the server.  As such the algorithmic
+    mapping can't be 'turned off', but pushing it 'out of the way' should
+    resolve the issues.  Users and groups can then be assigned 'low' RIDs
+    in arbitary-rid supporting backends.
+    </para>
+
+<para>Default: <emphasis><parameter>algorithmic rid base</parameter> = 1000
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>algorithmic rid base</parameter> = 100000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>allocation roundup size</primary></indexterm><term><anchor id="ALLOCATIONROUNDUPSIZE"/>allocation roundup size (S)</term><listitem>
+    <para>This parameter allows an administrator to tune the 
+    allocation size reported to Windows clients.  The default 
+    size of 1Mb generally results in improved Windows client
+    performance.   However, rounding the allocation size may cause
+    difficulties for some applications, e.g. MS Visual Studio.
+    If the MS Visual Studio compiler starts to crash with an
+    internal error, set this parameter to zero for this share.
+    </para>
+
+    <para>The integer parameter specifies the roundup size in bytes.</para>
+
+<para>Default: <emphasis><parameter>allocation roundup size</parameter> = 1048576
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>allocation roundup size</parameter> = 0
+# (to disable roundups)
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>allow trusted domains</primary></indexterm><term><anchor id="ALLOWTRUSTEDDOMAINS"/>allow trusted domains (G)</term><listitem>
+    <para>This option only takes effect when the <link linkend="SECURITY">
+    <parameter moreinfo="none">security</parameter></link> option is set to 
+    <constant>server</constant> or <constant>domain</constant>.  
+    If it is set to no, then attempts to connect to a resource from 
+    a domain or workgroup other than the one which smbd is running 
+    in will fail, even if that domain is trusted by the remote server 
+    doing the authentication.</para>
+		
+    <para>This is useful if you only want your Samba server to 
+    serve resources to users in the domain it is a member of. As 
+    an example, suppose that there are two domains DOMA and DOMB.  DOMB 
+    is trusted by DOMA, which contains the Samba server.  Under normal 
+    circumstances, a user with an account in DOMB can then access the 
+    resources of a UNIX account with the same account name on the 
+    Samba server even if they do not have an account in DOMA.  This 
+    can make implementing a security boundary difficult.</para>
+
+<para>Default: <emphasis><parameter>allow trusted domains</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>announce as</primary></indexterm><term><anchor id="ANNOUNCEAS"/>announce as (G)</term><listitem>
+    <para>This specifies what type of server <citerefentry><refentrytitle>nmbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will announce itself as, to a network neighborhood browse 
+    list. By default this is set to Windows NT. The valid options 
+    are : "NT Server" (which can also be written as "NT"), 
+    "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, 
+    Windows NT Workstation, Windows 95 and Windows for Workgroups 
+    respectively. Do not change this parameter unless you have a 
+    specific need to stop Samba appearing as an NT server as this 
+    may prevent Samba servers from participating as browser servers 
+	correctly.</para>
+
+<para>Default: <emphasis><parameter>announce as</parameter> = NT Server
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>announce as</parameter> = Win95
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>announce version</primary></indexterm><term><anchor id="ANNOUNCEVERSION"/>announce version (G)</term><listitem>
+    <para>This specifies the major and minor version numbers 
+    that nmbd will use when announcing itself as a server. The default 
+    is 4.9.  Do not change this parameter unless you have a specific 
+	need to set a Samba server to be a downlevel server.</para>
+
+<para>Default: <emphasis><parameter>announce version</parameter> = 4.9
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>announce version</parameter> = 2.0
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>auth methods</primary></indexterm><term><anchor id="AUTHMETHODS"/>auth methods (G)</term><listitem>
+    <para>This option allows the administrator to chose what
+    authentication methods <command moreinfo="none">smbd</command> will use when authenticating
+    a user.  This option defaults to sensible values based on <link linkend="SECURITY">
+    <parameter moreinfo="none">security</parameter></link>.  This should be considered
+    a developer option and used only in rare circumstances.  In the majority (if not all)
+    of production servers, the default setting should be adequate.</para>
+
+    <para>Each entry in the list attempts to authenticate the user in turn, until
+    the user authenticates.  In practice only one method will ever actually 
+    be able to complete the authentication.
+    </para>
+
+    <para>Possible options include <constant>guest</constant> (anonymous access), 
+    <constant>sam</constant> (lookups in local list of accounts based on netbios 
+    name or domain name), <constant>winbind</constant> (relay authentication requests
+    for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd 
+    method of authentication for remote domain users; deprecated in favour of winbind method), 
+    <constant>trustdomain</constant> (authenticate trusted users by contacting the 
+	remote DC directly from smbd; deprecated in favour of winbind method).</para>
+
+<para>Default: <emphasis><parameter>auth methods</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>auth methods</parameter> = guest sam winbind
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>available</primary></indexterm><term><anchor id="AVAILABLE"/>available (S)</term><listitem>
+	<para>This parameter lets you "turn off" a service. If 
+	<parameter moreinfo="none">available = no</parameter>, then <emphasis>ALL</emphasis> 
+	attempts to connect to the service will fail. Such failures are 
+	logged.</para>
+
+
+<para>Default: <emphasis><parameter>available</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>bind interfaces only</primary></indexterm><term><anchor id="BINDINTERFACESONLY"/>bind interfaces only (G)</term><listitem>
+        <para>This global parameter allows the Samba admin 
+        to limit what interfaces on a machine will serve SMB requests. It 
+        affects file service <citerefentry><refentrytitle>smbd</refentrytitle>
+        <manvolnum>8</manvolnum></citerefentry> and name service <citerefentry><refentrytitle>nmbd</refentrytitle>
+        <manvolnum>8</manvolnum></citerefentry> in a slightly different ways.</para>
+
+	<para>For name service it causes <command moreinfo="none">nmbd</command> to bind 
+	to ports 137 and 138 on the interfaces listed in 
+        the <link linkend="INTERFACES">interfaces</link> parameter. <command moreinfo="none">nmbd</command> also 
+        binds to the "all addresses" interface (0.0.0.0) 
+	on ports 137 and 138 for the purposes of reading broadcast messages. 
+	If this option is not set then <command moreinfo="none">nmbd</command> will service 
+	name requests on all of these sockets. If <parameter moreinfo="none">bind interfaces
+	only</parameter> is set then <command moreinfo="none">nmbd</command> will check the 
+	source address of any packets coming in on the broadcast sockets 
+	and discard any that don't match the broadcast addresses of the 
+	interfaces in the <parameter moreinfo="none">interfaces</parameter> parameter list. 
+	As unicast packets are received on the other sockets it allows 
+	<command moreinfo="none">nmbd</command> to refuse to serve names to machines that 
+	send packets that arrive through any interfaces not listed in the
+	<parameter moreinfo="none">interfaces</parameter> list.  IP Source address spoofing
+	does defeat this simple check, however, so it must not be used
+	seriously as a security feature for <command moreinfo="none">nmbd</command>.</para>
+
+	<para>For file service it causes <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> to bind only to the interface list 
+	given in the <link linkend="INTERFACES">interfaces</link> parameter. This 
+        restricts the networks that <command moreinfo="none">smbd</command> will serve 
+        to packets coming in those interfaces.  Note that you should not use this parameter 
+        for machines that are serving PPP or other intermittent or non-broadcast network 
+	interfaces as it will not cope with non-permanent interfaces.</para>
+
+	<para>If <parameter moreinfo="none">bind interfaces only</parameter> is set then 
+	unless the network address <emphasis>127.0.0.1</emphasis> is added 
+	to the <parameter moreinfo="none">interfaces</parameter> parameter 
+        list <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>swat</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> may not work as expected due 
+        to the reasons covered below.</para>
+
+	<para>To change a users SMB password, the <command moreinfo="none">smbpasswd</command>
+	by default connects to the <emphasis>localhost - 127.0.0.1</emphasis> 
+	address as an SMB client to issue the password change request. If 
+	<parameter moreinfo="none">bind interfaces only</parameter> is set then unless the 
+	network address <emphasis>127.0.0.1</emphasis> is added to the
+	<parameter moreinfo="none">interfaces</parameter> parameter list then <command moreinfo="none">
+	smbpasswd</command> will fail to connect in it's default mode. 
+	<command moreinfo="none">smbpasswd</command> can be forced to use the primary IP interface 
+	of the local host by using its <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>	<parameter moreinfo="none">-r <replaceable>remote machine</replaceable></parameter>
+	parameter, with <replaceable>remote machine</replaceable> set 
+	to the IP name of the primary interface of the local host.</para>
+
+	<para>The <command moreinfo="none">swat</command> status page tries to connect with
+	<command moreinfo="none">smbd</command> and <command moreinfo="none">nmbd</command> at the address 
+	<emphasis>127.0.0.1</emphasis> to determine if they are running.  
+	Not adding <emphasis>127.0.0.1</emphasis>  will cause <command moreinfo="none">
+	smbd</command> and <command moreinfo="none">nmbd</command> to always show
+	"not running" even if they really are.  This can prevent <command moreinfo="none">
+	swat</command> from starting/stopping/restarting <command moreinfo="none">smbd</command>
+	and <command moreinfo="none">nmbd</command>.</para>
+
+
+<para>Default: <emphasis><parameter>bind interfaces only</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>blocking locks</primary></indexterm><term><anchor id="BLOCKINGLOCKS"/>blocking locks (S)</term><listitem>
+	<para>This parameter controls the behavior 
+	of <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> when given a request by a client 
+	to obtain a byte range lock on a region of an open file, and the 
+	request has a time limit associated with it.</para>
+		
+	<para>If this parameter is set and the lock range requested 
+	cannot be immediately satisfied, samba will internally 
+	queue the lock request, and periodically attempt to obtain 
+	the lock until the timeout period expires.</para>
+
+	<para>If this parameter is set to <constant>no</constant>, then 
+	samba will behave as previous versions of Samba would and 
+	will fail the lock request immediately if the lock range 
+	cannot be obtained.</para>
+
+
+<para>Default: <emphasis><parameter>blocking locks</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>block size</primary></indexterm><term><anchor id="BLOCKSIZE"/>block size (S)</term><listitem>
+    <para>This parameter controls the behavior of <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> when reporting disk free 
+    sizes. By default, this reports a disk block size of 1024 bytes.
+    </para>        
+		
+    <para>Changing this parameter may have some effect on the
+    efficiency of client writes, this is not yet confirmed. This
+    parameter was added to allow advanced administrators to change
+    it (usually to a higher value) and test the effect it has on
+    client write performance without re-compiling the code. As this
+    is an experimental option it may be removed in a future release.
+    </para>
+
+    <para>Changing this option does not change the disk free reporting
+    size, just the block size unit reported to the client.
+    </para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>browsable</primary><see>browseable</see></indexterm><term><anchor id="BROWSABLE"/>browsable</term><listitem><para>This parameter is a synonym for browseable.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>browseable</primary></indexterm><term><anchor id="BROWSEABLE"/>browseable (S)</term><listitem>
+	<para>This controls whether this share is seen in 
+	the list of available shares in a net view and in the browse list.</para>
+
+
+<para>Default: <emphasis><parameter>browseable</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>browse list</primary></indexterm><term><anchor id="BROWSELIST"/>browse list (G)</term><listitem>
+	<para>This controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> will serve a browse list to 
+	a client doing a <command moreinfo="none">NetServerEnum</command> call. Normally 
+	set to <constant>yes</constant>. You should never need to change 
+	this.</para>
+		
+
+<para>Default: <emphasis><parameter>browse list</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>casesignames</primary><see>case sensitive</see></indexterm><term><anchor id="CASESIGNAMES"/>casesignames</term><listitem><para>This parameter is a synonym for case sensitive.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>case sensitive</primary></indexterm><term><anchor id="CASESENSITIVE"/>case sensitive (S)</term><listitem>
+	<para>See the discussion in the section <link linkend="NAMEMANGLINGSECT">NAME MANGLING</link>.</para>
+
+<para>Default: <emphasis><parameter>case sensitive</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>change notify timeout</primary></indexterm><term><anchor id="CHANGENOTIFYTIMEOUT"/>change notify timeout (G)</term><listitem>
+    <para>This SMB allows a client to tell a server to 
+    "watch" a particular directory for any changes and only reply to
+    the SMB request when a change has occurred. Such constant scanning of
+    a directory is expensive under UNIX, hence an <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> daemon only performs such a scan 
+    on each requested directory once every <parameter moreinfo="none">change notify 
+    timeout</parameter> seconds.</para>
+
+<para>Default: <emphasis><parameter>change notify timeout</parameter> = 60
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>change notify timeout</parameter> = 300
+# Would change the scan time to every 5 minutes.
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>change share command</primary></indexterm><term><anchor id="CHANGESHARECOMMAND"/>change share command (G)</term><listitem>
+	<para>Samba 2.2.0 introduced the ability to dynamically 
+	add and delete shares via the Windows NT 4.0 Server Manager.  The 
+	<parameter moreinfo="none">change share command</parameter> is used to define an 
+	external program or script which will modify an existing service definition 
+	in <filename moreinfo="none">smb.conf</filename>.  In order to successfully 
+	execute the <parameter moreinfo="none">change share command</parameter>, <command moreinfo="none">smbd</command>
+	requires that the administrator be connected using a root account (i.e. 
+	uid == 0).
+	</para>
+		
+	<para>
+	When executed, <command moreinfo="none">smbd</command> will automatically invoke the 
+	<parameter moreinfo="none">change share command</parameter> with four parameters.
+	</para>
+		
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">configFile</parameter> - the location 
+			of the global <filename moreinfo="none">smb.conf</filename> file. 
+			</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">shareName</parameter> - the name of the new 
+			share.
+			</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">pathName</parameter> - path to an **existing**
+			directory on disk.
+			</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">comment</parameter> - comment string to associate 
+			with the new share.
+			</para>
+		</listitem>
+	</itemizedlist>
+		
+	<para>
+	This parameter is only used modify existing file shares definitions.  To modify 
+	printer shares, use the "Printers..." folder as seen when browsing the Samba host.
+	</para>
+
+<para>Default: <emphasis><parameter>change share command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>change share command</parameter> = /usr/local/bin/addshare
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>check password script</primary></indexterm><term><anchor id="CHECKPASSWORDSCRIPT"/>check password script (G)</term><listitem>
+    <para>The name of a program that can be used to check password
+    complexity. The password is sent to the program's standrad input.</para>
+ 
+    <para>The program must return 0 on good password any other value otherwise.
+    In case the password is considered weak (the program do not return 0) the
+    user will be notified and the password change will fail.</para>
+
+    <para>Note: In the example directory there is a sample program called crackcheck
+    that uses cracklib to checkpassword quality</para>.
+
+
+<para>Default: <emphasis><parameter>check password script</parameter> = Disabled
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>check password script</parameter> = check password script = /usr/local/sbin/crackcheck
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>client lanman auth</primary></indexterm><term><anchor id="CLIENTLANMANAUTH"/>client lanman auth (G)</term><listitem>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and other samba client
+    tools will attempt to authenticate itself to servers using the
+    weaker LANMAN password hash. If disabled, only server which support NT 
+    password hashes (e.g. Windows NT/2000, Samba, etc... but not 
+    Windows 95/98) will be able to be connected from the Samba client.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Clients
+    without Windows 95/98 servers are advised to disable
+    this option.  </para>
+
+    <para>Disabling this option will also disable the <command moreinfo="none">client plaintext auth</command> option</para>
+
+    <para>Likewise, if the <command moreinfo="none">client ntlmv2
+    auth</command> parameter is enabled, then only NTLMv2 logins will be
+    attempted.</para>
+
+<para>Default: <emphasis><parameter>client lanman auth</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>client ntlmv2 auth</primary></indexterm><term><anchor id="CLIENTNTLMV2AUTH"/>client ntlmv2 auth (G)</term><listitem>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate itself to servers using the NTLMv2 encrypted password
+    response.</para>
+
+    <para>If enabled, only an NTLMv2 and LMv2 response (both much more
+    secure than earlier versions) will be sent.  Many servers
+    (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
+    NTLMv2.  </para>
+
+    <para>Similarly, if enabled, NTLMv1, <command moreinfo="none">client lanman auth</command> and <command moreinfo="none">client plaintext auth</command>
+    authentication will be disabled.  This also disables share-level 
+    authentication. </para>
+
+    <para>If disabled, an NTLM response (and possibly a LANMAN response)
+    will be sent by the client, depending on the value of <command moreinfo="none">client lanman auth</command>.  </para>
+
+    <para>Note that some sites (particularly
+    those following 'best practice' security polices) only allow NTLMv2
+	responses, and not the weaker LM or NTLM.</para>
+
+<para>Default: <emphasis><parameter>client ntlmv2 auth</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>client plaintext auth</primary></indexterm><term><anchor id="CLIENTPLAINTEXTAUTH"/>client plaintext auth (G)</term><listitem>
+	<para>Specifies whether a client should send a plaintext 
+		password if the server does not support encrypted passwords.</para>
+
+<para>Default: <emphasis><parameter>client plaintext auth</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>client schannel</primary></indexterm><term><anchor id="CLIENTSCHANNEL"/>client schannel (G)</term><listitem>
+
+    <para>This controls whether the client offers or even
+    demands the use of the netlogon schannel.
+    <parameter>client schannel = no</parameter> does not
+    offer the schannel, <parameter>client schannel =
+    auto</parameter> offers the schannel but does not
+    enforce it, and <parameter>client schannel =
+    yes</parameter> denies access if the server is not
+	able to speak netlogon schannel. </para>
+
+<para>Default: <emphasis><parameter>client schannel</parameter> = auto
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>client schannel</parameter> = yes
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>client signing</primary></indexterm><term><anchor id="CLIENTSIGNING"/>client signing (G)</term><listitem>
+    <para>This controls whether the client offers or requires
+    the server it talks to to use SMB signing. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. 
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced. 
+    When set to mandatory, SMB signing is required and if set 
+	to disabled, SMB signing is not offered either.</para>
+
+<para>Default: <emphasis><parameter>client signing</parameter> = auto
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>client use spnego</primary></indexterm><term><anchor id="CLIENTUSESPNEGO"/>client use spnego (G)</term><listitem>
+    <para> This variable controls whether Samba clients will try 
+    to use Simple and Protected NEGOciation (as specified by rfc2478) with 
+    supporting servers (including WindowsXP, Windows2000 and Samba
+    3.0) to agree upon an authentication
+    mechanism.  This enables Kerberos authentication in particular.</para>
+
+<para>Default: <emphasis><parameter>client use spnego</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>comment</primary></indexterm><term><anchor id="COMMENT"/>comment (S)</term><listitem>
+    <para>This is a text field that is seen next to a share 
+	when a client does a queries the server, either via the network 
+	neighborhood or via <command moreinfo="none">net view</command> to list what shares 
+	are available.</para>
+
+	<para>If you want to set the string that is displayed next to the 
+	machine name then see the <link linkend="SERVERSTRING"><parameter moreinfo="none">
+	server string</parameter></link> parameter.</para>
+
+
+<para>Default: <emphasis><parameter>comment</parameter> = 
+# No comment
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>comment</parameter> = Fred's Files
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>config file</primary></indexterm><term><anchor id="CONFIGFILE"/>config file (G)</term><listitem>
+	<para>This allows you to override the config file 
+	to use, instead of the default (usually <filename moreinfo="none">smb.conf</filename>). 
+	There is a chicken and egg problem here as this option is set 
+	in the config file!</para>
+
+	<para>For this reason, if the name of the config file has changed 
+	when the parameters are loaded then it will reload them from 
+	the new config file.</para>
+
+	<para>This option takes the usual substitutions, which can 
+	be very useful.</para>
+
+	<para>If the config file doesn't exist then it won't be loaded 
+	(allowing you to special case the config files of just a few 
+	clients).</para>
+
+<para><emphasis>No default</emphasis></para>
+<para>Example: <emphasis><parameter>config file</parameter> = /usr/local/samba/lib/smb.conf.%m
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>copy</primary></indexterm><term><anchor id="COPY"/>copy (S)</term><listitem>
+	<para>This parameter allows you to "clone" service 
+	entries. The specified service is simply duplicated under the 
+	current service's name. Any parameters specified in the current 
+	section will override those in the section being copied.</para>
+
+	<para>This feature lets you set up a 'template' service and 
+	create similar services easily. Note that the service being 
+	copied must occur earlier in the configuration file than the 
+	service doing the copying.</para>
+
+<para>Default: <emphasis><parameter>copy</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>copy</parameter> = otherservice
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>create mode</primary><see>create mask</see></indexterm><term><anchor id="CREATEMODE"/>create mode</term><listitem><para>This parameter is a synonym for create mask.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>create mask</primary></indexterm><term><anchor id="CREATEMASK"/>create mask (S)</term><listitem>
+    <para>When a file is created, the necessary permissions are 
+    calculated according to the mapping from DOS modes to UNIX 
+    permissions, and the resulting UNIX mode is then bit-wise 'AND'ed 
+    with this parameter. This parameter may be thought of as a bit-wise 
+    MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> 
+    set here will be removed from the modes set on a file when it is 
+    created.</para>
+
+    <para>The default value of this parameter removes the 
+    'group' and 'other' write and execute bits from the UNIX modes.</para>
+
+    <para>Following this Samba will bit-wise 'OR' the UNIX mode created 
+    from this parameter with the value of the <link linkend="FORCECREATEMODE">
+    <parameter moreinfo="none">force create mode</parameter></link>
+    parameter which is set to 000 by default.</para>
+
+    <para>This parameter does not affect directory modes. See the 
+    parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode
+    </parameter></link> for details.</para>
+
+    <para>Note that this parameter does not apply to permissions
+    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+    a mask on access control lists also, they need to set the <link linkend="SECURITYMASK">
+		<parameter moreinfo="none">security mask</parameter></link>.</para>
+
+<para>Default: <emphasis><parameter>create mask</parameter> = 0744
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>create mask</parameter> = 0775
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>csc policy</primary></indexterm><term><anchor id="CSCPOLICY"/>csc policy (S)</term><listitem>
+	<para>This stands for <emphasis>client-side caching 
+	policy</emphasis>, and specifies how clients capable of offline
+	caching will cache the files in the share. The valid values
+	are: manual, documents, programs, disable.</para>
+
+	<para>These values correspond to those used on Windows servers.</para>
+
+	<para>For example, shares containing roaming profiles can have
+	offline caching disabled using <command moreinfo="none">csc policy = disable</command>.</para>
+
+<para>Default: <emphasis><parameter>csc policy</parameter> = manual
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>csc policy</parameter> = programs
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>cups options</primary></indexterm><term><anchor id="CUPSOPTIONS"/>cups options (S)</term><listitem>
+    <para>This parameter is only applicable if <link linkend="PRINTING"><parameter moreinfo="none">printing</parameter></link> is 
+    set to <constant>cups</constant>.  Its value is a free form string of options
+    passed directly to the cups library.  
+    </para>
+
+   <para>You can pass any generic print option known to CUPS (as listed
+   in the CUPS "Software Users' Manual").  You can also pass any printer
+   specific option (as listed in "lpoptions -d printername -l")
+   valid for the target queue.</para>
+
+   <para>You should set this parameter to <constant>raw</constant> if your CUPS server 
+   <filename>error_log</filename> file contains messages such as
+   "Unsupported format 'application/octet-stream'" when printing from a Windows client 
+   through Samba.  It is no longer necessary to enable
+   system wide raw printing in <filename>/etc/cups/mime.{convs,types}</filename>.
+   </para>
+
+
+<para>Default: <emphasis><parameter>cups options</parameter> = ""
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>cups options</parameter> = "raw,media=a4,job-sheets=secret,secret"
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>cups server</primary></indexterm><term><anchor id="CUPSSERVER"/>cups server (G)</term><listitem>
+    <para>This parameter is only applicable if <link linkend="PRINTING"><parameter moreinfo="none">printing</parameter></link> is 
+    set to <constant>cups</constant>.
+    </para>
+
+   <para>If set, this option overrides the ServerName option in the CUPS
+   <filename>client.conf</filename>. This is necessary if you have virtual
+   samba servers that connect to different CUPS daemons.</para>
+
+<para>Default: <emphasis><parameter>cups server</parameter> = ""
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>cups server</parameter> = MYCUPSSERVER
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>deadtime</primary></indexterm><term><anchor id="DEADTIME"/>deadtime (G)</term><listitem>
+    <para>The value of the parameter (a decimal integer) 
+    represents the number of minutes of inactivity before a connection 
+    is considered dead, and it is disconnected. The deadtime only takes 
+    effect if the number of open files is zero.</para>
+		
+    <para>This is useful to stop a server's resources being 
+    exhausted by a large number of inactive connections.</para>
+
+    <para>Most clients have an auto-reconnect feature when a 
+    connection is broken so in most cases this parameter should be 
+    transparent to users.</para>
+
+    <para>Using this parameter with a timeout of a few minutes 
+    is recommended for most systems.</para>
+
+    <para>A deadtime of zero indicates that no auto-disconnection 
+		should be performed.</para>
+
+<para>Default: <emphasis><parameter>deadtime</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>deadtime</parameter> = 15
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>debug hires timestamp</primary></indexterm><term><anchor id="DEBUGHIRESTIMESTAMP"/>debug hires timestamp (G)</term><listitem>
+    <para>Sometimes the timestamps in the log messages 
+    are needed with a resolution of higher that seconds, this 
+    boolean parameter adds microsecond resolution to the timestamp 
+    message header when turned on.</para>
+
+    <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
+    debug timestamp</parameter></link> must be on for this to have an 
+    effect.</para>
+
+
+<para>Default: <emphasis><parameter>debug hires timestamp</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>debug pid</primary></indexterm><term><anchor id="DEBUGPID"/>debug pid (G)</term><listitem>
+    <para>When using only one log file for more then one  forked
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry>-process there may be hard to
+    follow which process  outputs which message. This boolean parameter
+    is adds the process-id to the timestamp message headers in the
+    logfile when turned on.</para>
+
+    <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
+    debug timestamp</parameter></link> must be on for this to have an 
+	effect.</para>
+
+<para>Default: <emphasis><parameter>debug pid</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>timestamp logs</primary><see>debug timestamp</see></indexterm><term><anchor id="TIMESTAMPLOGS"/>timestamp logs</term><listitem><para>This parameter is a synonym for debug timestamp.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>debug timestamp</primary></indexterm><term><anchor id="DEBUGTIMESTAMP"/>debug timestamp (G)</term><listitem>
+    <para>Samba debug log messages are timestamped 
+    by default. If you are running at a high <link linkend="DEBUGLEVEL">
+    <parameter moreinfo="none">debug level</parameter></link> these timestamps
+    can be distracting. This boolean parameter allows timestamping 
+    to be turned off.</para>
+
+<para>Default: <emphasis><parameter>debug timestamp</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>debug uid</primary></indexterm><term><anchor id="DEBUGUID"/>debug uid (G)</term><listitem>
+    <para>Samba is sometimes run as root and sometime 
+    run as the connected user, this boolean parameter inserts the 
+    current euid, egid, uid and gid to the timestamp message headers 
+    in the log file if turned on.</para>
+		
+    <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
+    debug timestamp</parameter></link> must be on for this to have an 
+    effect.</para>
+
+<para>Default: <emphasis><parameter>debug uid</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>default case</primary></indexterm><term><anchor id="DEFAULTCASE"/>default case (S)</term><listitem>
+	<para>See the section on <link linkend="NAMEMANGLINGSECT">
+	NAME MANGLING</link>. Also note the <link linkend="SHORTPRESERVECASE">
+	<parameter moreinfo="none">short preserve case</parameter></link> parameter.</para>
+
+<para>Default: <emphasis><parameter>default case</parameter> = lower
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>default devmode</primary></indexterm><term><anchor id="DEFAULTDEVMODE"/>default devmode (S)</term><listitem>
+    <para>This parameter is only applicable to <link linkend="PRINTOK">printable</link> services.
+    When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
+    server has a Device Mode which defines things such as paper size and
+    orientation and duplex settings.  The device mode can only correctly be
+    generated by the printer driver itself (which can only be executed on a
+    Win32 platform).  Because smbd is unable to execute the driver code
+    to generate the device mode, the default behavior is to set this field
+    to NULL.
+    </para>
+
+    <para>Most problems with serving printer drivers to Windows NT/2k/XP clients
+    can be traced to a problem with the generated device mode.  Certain drivers
+    will do things such as crashing the client's Explorer.exe with a NULL devmode.
+    However, other printer drivers can cause the client's spooler service
+    (spoolsv.exe) to die if the devmode was not created by the driver itself
+    (i.e. smbd generates a default devmode).
+    </para>
+
+    <para>This parameter should be used with care and tested with the printer
+    driver in question.  It is better to leave the device mode to NULL
+    and let the Windows client set the correct values.  Because drivers do not
+    do this all the time, setting <command moreinfo="none">default devmode = yes</command>
+    will instruct smbd to generate a default one.
+    </para>
+
+    <para>For more information on Windows NT/2k printing and Device Modes,
+    see the <ulink url="http://msdn.microsoft.com/">MSDN documentation</ulink>.
+</para>
+
+<para>Default: <emphasis><parameter>default devmode</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>default</primary><see>default service</see></indexterm><term><anchor id="DEFAULT"/>default</term><listitem><para>This parameter is a synonym for default service.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>default service</primary></indexterm><term><anchor id="DEFAULTSERVICE"/>default service (G)</term><listitem>
+	<para>This parameter specifies the name of a service
+	which will be connected to if the service actually requested cannot
+	be found. Note that the square brackets are <emphasis>NOT</emphasis>
+	given in the parameter value (see example below).</para>
+
+	<para>There is no default value for this parameter. If this 
+	parameter is not given, attempting to connect to a nonexistent 
+	service results in an error.</para>
+
+	<para>Typically the default service would be a <link linkend="GUESTOK">
+	<parameter moreinfo="none">guest ok</parameter></link>, <link linkend="READONLY">
+	<parameter moreinfo="none">read-only</parameter></link> service.</para>
+
+	<para>Also note that the apparent service name will be changed 
+	to equal that of the requested service, this is very useful as it 
+	allows you to use macros like <parameter moreinfo="none">%S</parameter> to make 
+	a wildcard service.</para>
+
+	<para>Note also that any "_" characters in the name of the service 
+	used in the default service will get mapped to a "/". This allows for
+	interesting things.</para>
+
+<para>Default: <emphasis><parameter>default service</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>default service</parameter> = pub
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>defer sharing violations</primary></indexterm><term><anchor id="DEFERSHARINGVIOLATIONS"/>defer sharing violations (G)</term><listitem>
+	<para>
+	Windows allows specifying how a file will be shared with 
+	other processes when it is opened. Sharing violations occur when 
+	a file is opened by a different process using options that violate 
+	the share settings specified by other processes. This parameter causes
+	smbd to act as a Windows server does, and defer returning a "sharing
+	violation" error message for up to one second, allowing the client
+	to close the file causing the violation in the meantime.
+	</para>
+
+	<para>Unix by default does not have this behaviour.</para>
+
+	<para>
+	There should be no reason to turn off this parameter, as it is
+	designed to enable Samba to more correctly emulate Windows.
+	</para>
+
+<para>Default: <emphasis><parameter>defer sharing violations</parameter> = True
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>delete group script</primary></indexterm><term><anchor id="DELETEGROUPSCRIPT"/>delete group script (G)</term><listitem>
+	<para>This is the full pathname to a script that will 
+	be run <emphasis>AS ROOT</emphasis> <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> when a group is requested to be deleted. 
+	It will expand any <parameter moreinfo="none">%g</parameter> to the group name passed.  
+	This script is only useful for installations using the Windows NT domain administration tools.
+	</para>
+
+<para>Default: <emphasis><parameter>delete group script</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>deleteprinter command</primary></indexterm><term><anchor id="DELETEPRINTERCOMMAND"/>deleteprinter command (G)</term><listitem>
+    <para>With the introduction of MS-RPC based printer
+    support for Windows NT/2000 clients in Samba 2.2, it is now 
+    possible to delete printer at run time by issuing the 
+    DeletePrinter() RPC call.</para>
+		
+    <para>For a Samba host this means that the printer must be 
+    physically deleted from underlying printing system.  The <parameter moreinfo="none">
+    deleteprinter command</parameter> defines a script to be run which 
+    will perform the necessary operations for removing the printer
+    from the print system and from <filename moreinfo="none">smb.conf</filename>.
+    </para>
+		
+    <para>The <parameter moreinfo="none">deleteprinter command</parameter> is 
+    automatically called with only one parameter: <parameter moreinfo="none">
+    "printer name"</parameter>.</para>
+		
+    <para>Once the <parameter moreinfo="none">deleteprinter command</parameter> has 
+    been executed, <command moreinfo="none">smbd</command> will reparse the <filename moreinfo="none">
+    smb.conf</filename> to associated printer no longer exists.  
+    If the sharename is still valid, then <command moreinfo="none">smbd
+</command> will return an ACCESS_DENIED error to the client.</para>
+
+<para>Default: <emphasis><parameter>deleteprinter command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>deleteprinter command</parameter> = /usr/bin/removeprinter
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>delete readonly</primary></indexterm><term><anchor id="DELETEREADONLY"/>delete readonly (S)</term><listitem>
+	<para>This parameter allows readonly files to be deleted.  
+	This is not normal DOS semantics, but is allowed by UNIX.</para>
+		
+	<para>This option may be useful for running applications such 
+	as rcs, where UNIX file ownership prevents changing file 
+	permissions, and DOS semantics prevent deletion of a read only file.</para>
+
+<para>Default: <emphasis><parameter>delete readonly</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>delete share command</primary></indexterm><term><anchor id="DELETESHARECOMMAND"/>delete share command (G)</term><listitem>
+	<para>Samba 2.2.0 introduced the ability to dynamically 
+	add and delete shares via the Windows NT 4.0 Server Manager.  The 
+	<parameter moreinfo="none">delete share command</parameter> is used to define an 
+	external program or script which will remove an existing service 
+	definition from <filename moreinfo="none">smb.conf</filename>.  In order to successfully 
+	execute the <parameter moreinfo="none">delete share command</parameter>, <command moreinfo="none">smbd</command>
+	requires that the administrator be connected using a root account (i.e. 
+	uid == 0).
+	</para>
+		
+	<para>
+	When executed, <command moreinfo="none">smbd</command> will automatically invoke the 
+	<parameter moreinfo="none">delete share command</parameter> with two parameters.
+	</para>
+		
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">configFile</parameter> - the location 
+			of the global <filename moreinfo="none">smb.conf</filename> file. 
+			</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">shareName</parameter> - the name of 
+			the existing service.
+			</para>
+		</listitem>
+	</itemizedlist>
+		
+	<para>
+	This parameter is only used to remove file shares.  To delete printer shares, 
+	see the <link linkend="DELETEPRINTERCOMMAND"><parameter moreinfo="none">deleteprinter 
+	command</parameter></link>.
+	</para>
+
+<para>Default: <emphasis><parameter>delete share command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>delete share command</parameter> = /usr/local/bin/delshare
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>delete user from group script</primary></indexterm><term><anchor id="DELETEUSERFROMGROUPSCRIPT"/>delete user from group script (G)</term><listitem>
+	<para>Full path to the script that will be called when 
+	a user is removed from a group using the Windows NT domain administration 
+	tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> <emphasis>AS ROOT</emphasis>. 
+	Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and 
+	any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+</para>
+
+<para>Default: <emphasis><parameter>delete user from group script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>delete user from group script</parameter> = /usr/sbin/deluser %u %g
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>delete user script</primary></indexterm><term><anchor id="DELETEUSERSCRIPT"/>delete user script (G)</term><listitem>
+	<para>This is the full pathname to a script that will 
+	be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> when managing users 
+	with remote RPC (NT) tools.
+	</para>
+
+	<para>This script is called when a remote client removes a user
+	from the server, normally using 'User Manager for Domains' or
+	<command moreinfo="none">rpcclient</command>.</para>
+
+	<para>This script should delete the given UNIX username.</para>
+
+<para>Default: <emphasis><parameter>delete user script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>delete user script</parameter> = /usr/local/samba/bin/del_user %u
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>delete veto files</primary></indexterm><term><anchor id="DELETEVETOFILES"/>delete veto files (S)</term><listitem>
+	<para>This option is used when Samba is attempting to 
+	delete a directory that contains one or more vetoed directories 
+	(see the <link linkend="VETOFILES"><parameter moreinfo="none">veto files</parameter></link>
+	option).  If this option is set to <constant>no</constant> (the default) then if a vetoed 
+	directory contains any non-vetoed files or directories then the 
+	directory delete will fail. This is usually what you want.</para>
+
+	<para>If this option is set to <constant>yes</constant>, then Samba 
+	will attempt to recursively delete any files and directories within 
+	the vetoed directory. This can be useful for integration with file 
+	serving systems such as NetAtalk which create meta-files within 
+	directories you might normally veto DOS/Windows users from seeing 
+	(e.g. <filename moreinfo="none">.AppleDouble</filename>)</para>
+
+	<para>Setting <command moreinfo="none">delete veto files = yes</command> allows these 
+	directories to be  transparently deleted when the parent directory 
+	is deleted (so long as the user has permissions to do so).</para>
+
+<para>Default: <emphasis><parameter>delete veto files</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>dfree command</primary></indexterm><term><anchor id="DFREECOMMAND"/>dfree command (G)</term><listitem>
+
+	<para>The <parameter moreinfo="none">dfree command</parameter> setting
+	should only be used on systems where a problem occurs with the
+	internal disk space calculations. This has been known to happen
+	with Ultrix, but may occur with other operating systems. The
+	symptom that was seen was an error of "Abort Retry
+	Ignore" at the end of each directory listing.</para>
+		
+	<para>This setting allows the replacement of the internal routines to
+	calculate the total disk space and amount available with an external
+	routine. The example below gives a possible script that might fulfill
+	this function.</para>
+
+	<para>The external program will be passed a single parameter indicating 
+	a directory in the filesystem being queried. This will typically consist
+	of the string <filename moreinfo="none">./</filename>. The script should return two 
+	integers in ASCII. The first should be the total disk space in blocks, 
+	and the second should be the number of available blocks. An optional 
+	third return value can give the block size in bytes. The default 
+	blocksize is 1024 bytes.</para>
+
+	<para>Note: Your script should <emphasis>NOT</emphasis> be setuid or 
+	setgid and should be owned by (and writeable only by) root!</para>
+
+	<para>Where the script dfree (which must be made executable) could be:</para>
+
+<para><programlisting format="linespecific"> 
+#!/bin/sh
+df $1 | tail -1 | awk '{print $2" "$4}'
+</programlisting></para>
+
+	<para>or perhaps (on Sys V based systems):</para>
+
+<para><programlisting format="linespecific"> 
+#!/bin/sh
+/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+</programlisting></para>
+		
+	<para>Note that you may have to replace the command names with full path names on some systems.</para>
+
+
+<para>Default: <emphasis><parameter>dfree command</parameter> = 
+# By default internal routines for 
+		determining the disk capacity and remaining space will be used.
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>dfree command</parameter> = /usr/local/samba/bin/dfree
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>directory mode</primary><see>directory mask</see></indexterm><term><anchor id="DIRECTORYMODE"/>directory mode</term><listitem><para>This parameter is a synonym for directory mask.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>directory mask</primary></indexterm><term><anchor id="DIRECTORYMASK"/>directory mask (S)</term><listitem>
+    <para>This parameter is the octal modes which are 
+    used when converting DOS modes to UNIX modes when creating UNIX 
+    directories.</para>
+
+    <para>When a directory is created, the necessary permissions are 
+    calculated according to the mapping from DOS modes to UNIX permissions, 
+    and the resulting UNIX mode is then bit-wise 'AND'ed with this 
+    parameter. This parameter may be thought of as a bit-wise MASK for 
+    the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set 
+    here will be removed from the modes set on a directory when it is 
+    created.</para>
+
+    <para>The default value of this parameter removes the 'group' 
+    and 'other' write bits from the UNIX mode, allowing only the 
+    user who owns the directory to modify it.</para>
+		
+    <para>Following this Samba will bit-wise 'OR' the UNIX mode 
+    created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE">
+    <parameter moreinfo="none">force directory mode</parameter></link> parameter. 
+    This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
+
+    <para>Note that this parameter does not apply to permissions
+    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+    a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK">
+		<parameter moreinfo="none">directory security mask</parameter></link>.</para>
+
+<para>Default: <emphasis><parameter>directory mask</parameter> = 0755
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>directory mask</parameter> = 0775
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>directory security mask</primary></indexterm><term><anchor id="DIRECTORYSECURITYMASK"/>directory security mask (S)</term><listitem>
+    <para>This parameter controls what UNIX permission bits 
+    can be modified when a Windows NT client is manipulating the UNIX 
+    permission on a directory using the native NT security dialog 
+    box.</para>
+
+    <para>This parameter is applied as a mask (AND'ed with) to 
+    the changed permission bits, thus preventing any bits not in 
+    this mask from being modified. Essentially, zero bits in this 
+    mask may be treated as a set of bits the user is not allowed 
+    to change.</para>
+
+    <para>If not set explicitly this parameter is set to 0777
+    meaning a user is allowed to modify all the user/group/world
+    permissions on a directory.</para>
+
+    <para><emphasis>Note</emphasis> that users who can access the 
+    Samba server through other means can easily bypass this restriction, 
+    so it is primarily useful for standalone "appliance" systems.  
+    Administrators of most normal systems will probably want to leave
+	it as the default of <constant>0777</constant>.</para>
+
+<para>Default: <emphasis><parameter>directory security mask</parameter> = 0777
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>directory security mask</parameter> = 0700
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>disable netbios</primary></indexterm><term><anchor id="DISABLENETBIOS"/>disable netbios (G)</term><listitem>
+    <para>Enabling this parameter will disable netbios support
+    in Samba. Netbios is the only available form of browsing in 
+    all windows versions except for 2000 and XP. </para>
+
+    <note><para>Clients that only support netbios won't be able to 
+    see your samba server when netbios support is disabled.
+	</para></note>
+
+<para>Default: <emphasis><parameter>disable netbios</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>disable spoolss</primary></indexterm><term><anchor id="DISABLESPOOLSS"/>disable spoolss (G)</term><listitem>
+    <para>Enabling this parameter will disable Samba's support
+    for the SPOOLSS set of MS-RPC's and will yield identical behavior
+    as Samba 2.0.x.  Windows NT/2000 clients will downgrade to using
+    Lanman style printing commands. Windows 9x/ME will be uneffected by
+    the parameter. However, this will also disable the ability to upload
+    printer drivers to a Samba server via the Windows NT Add Printer
+    Wizard or by using the NT printer properties dialog window.  It will
+    also disable the capability of Windows NT/2000 clients to download
+    print drivers from the Samba host upon demand.
+    <emphasis>Be very careful about enabling this parameter.</emphasis>
+</para>
+
+<para>Default: <emphasis><parameter>disable spoolss</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>display charset</primary></indexterm><term><anchor id="DISPLAYCHARSET"/>display charset (G)</term><listitem>
+        <para>Specifies the charset that samba will use 
+	to print messages to stdout and stderr and SWAT will use. 
+	Should generally be the same as the <command moreinfo="none">unix charset</command>.
+</para>
+
+<para>Default: <emphasis><parameter>display charset</parameter> = ASCII
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>display charset</parameter> = UTF8
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>dns proxy</primary></indexterm><term><anchor id="DNSPROXY"/>dns proxy (G)</term><listitem>
+	<para>Specifies that <citerefentry><refentrytitle>nmbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> when acting as a WINS server and 
+	finding that a NetBIOS name has not been registered, should treat the 
+	NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server 
+	for that name on behalf of the name-querying client.</para>
+
+	<para>Note that the maximum length for a NetBIOS name is 15 
+	characters, so the DNS name (or DNS alias) can likewise only be 
+	15 characters, maximum.</para>
+
+	<para><command moreinfo="none">nmbd</command> spawns a second copy of itself to do the
+	DNS name lookup requests, as doing a name lookup is a blocking 
+	action.</para>
+
+<para>Default: <emphasis><parameter>dns proxy</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>domain logons</primary></indexterm><term><anchor id="DOMAINLOGONS"/>domain logons (G)</term><listitem>
+	<para>
+	If set to <constant>yes</constant>, the Samba server will
+	provide the netlogon service for Windows 9X network logons for the
+	<link linkend="WORKGROUP">
+	<parameter moreinfo="none">workgroup</parameter></link> it is in.
+	This will also cause the Samba server to act as a domain
+	controller for NT4 style domain services. For more details on
+	setting up this feature see the Domain Control chapter of the
+	Samba HOWTO Collection.
+	</para>
+
+<para>Default: <emphasis><parameter>domain logons</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>domain master</primary></indexterm><term><anchor id="DOMAINMASTER"/>domain master (G)</term><listitem>
+	<para>Tell <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> to enable WAN-wide browse list
+	collation. Setting this option causes <command moreinfo="none">nmbd</command> to
+	claim a special domain specific NetBIOS name that identifies 
+	it as a domain master browser for its given <link linkend="WORKGROUP">
+	<parameter moreinfo="none">workgroup</parameter></link>. Local master browsers 
+	in the same <parameter moreinfo="none">workgroup</parameter> on broadcast-isolated 
+	subnets will give this <command moreinfo="none">nmbd</command> their local browse lists, 
+	and then ask <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> for a complete copy of the browse 
+	list for the whole wide area network.  Browser clients will then contact 
+	their local master browser, and will receive the domain-wide browse list, 
+	instead of just the list for their broadcast-isolated subnet.</para>
+
+	<para>Note that Windows NT Primary Domain Controllers expect to be 
+	able to claim this <parameter moreinfo="none">workgroup</parameter> specific special 
+	NetBIOS name that identifies them as domain master browsers for 
+	that <parameter moreinfo="none">workgroup</parameter> by default (i.e. there is no 
+	way to prevent a Windows NT PDC from attempting to do this). This 
+	means that if this parameter is set and <command moreinfo="none">nmbd</command> claims 
+	the special name for a <parameter moreinfo="none">workgroup</parameter> before a Windows 
+	NT PDC is able to do so then cross subnet browsing will behave 
+	strangely and may fail.</para>
+		
+	<para>If <link linkend="DOMAINLOGONS"><command moreinfo="none">domain logons = yes</command>
+	</link>, then the default behavior is to enable the <parameter moreinfo="none">domain 
+	master</parameter> parameter.  If <parameter moreinfo="none">domain logons</parameter> is 
+	not enabled (the default setting), then neither will <parameter moreinfo="none">domain 
+	master</parameter> be enabled by default.</para>
+
+
+<para>Default: <emphasis><parameter>domain master</parameter> = auto
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>dont descend</primary></indexterm><term><anchor id="DONTDESCEND"/>dont descend (S)</term><listitem>
+	<para>There are certain directories on some systems 
+	(e.g., the <filename moreinfo="none">/proc</filename> tree under Linux) that are either not 
+	of interest to clients or are infinitely deep (recursive). This 
+	parameter allows you to specify a comma-delimited list of directories 
+	that the server should always show as empty.</para>
+
+	<para>Note that Samba can be very fussy about the exact format 
+	of the "dont descend" entries. For example you may need <filename moreinfo="none">
+	./proc</filename> instead of just <filename moreinfo="none">/proc</filename>. 
+	Experimentation is the best policy :-)  </para>
+
+<para>Default: <emphasis><parameter>dont descend</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>dont descend</parameter> = /proc,/dev
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>dos charset</primary></indexterm><term><anchor id="DOSCHARSET"/>dos charset (G)</term><listitem>
+        <para>DOS SMB clients assume the server has 
+	the same charset as they do. This option specifies which 
+	charset Samba should talk to DOS clients.
+	</para>
+
+	<para>The default depends on which charsets you have installed. 
+	Samba tries to use charset 850 but falls back to ASCII in 
+	case it is not available. Run <citerefentry><refentrytitle>testparm</refentrytitle>
+	<manvolnum>1</manvolnum></citerefentry> to check the default on your system.</para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>dos filemode</primary></indexterm><term><anchor id="DOSFILEMODE"/>dos filemode (S)</term><listitem>
+	<para> The default behavior in Samba is to provide 
+	UNIX-like behavior where only the owner of a file/directory is 
+	able to change the permissions on it.  However, this behavior
+	is often confusing to  DOS/Windows users.  Enabling this parameter 
+	allows a user who has write access to the file (by whatever 
+	means) to modify the permissions on it.  Note that a user
+	belonging to the group owning the file will not be allowed to
+	change permissions if the group is only granted read access.
+	Ownership of the file/directory is not changed, only the permissions 
+	are modified.</para>
+
+<para>Default: <emphasis><parameter>dos filemode</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>dos filetime resolution</primary></indexterm><term><anchor id="DOSFILETIMERESOLUTION"/>dos filetime resolution (S)</term><listitem>
+	<para>Under the DOS and Windows FAT filesystem, the finest 
+	granularity on time resolution is two seconds. Setting this parameter 
+	for a share causes Samba to round the reported time down to the 
+	nearest two second boundary when a query call that requires one second 
+	resolution is made to <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>.</para>
+
+	<para>This option is mainly used as a compatibility option for Visual 
+	C++ when used against Samba shares. If oplocks are enabled on a 
+	share, Visual C++ uses two different time reading calls to check if a 
+	file has changed since it was last read. One of these calls uses a
+	one-second granularity, the other uses a two second granularity. As
+	the two second call rounds any odd second down, then if the file has a
+	timestamp of an odd number of seconds then the two timestamps will not
+	match and Visual C++ will keep reporting the file has changed. Setting
+	this option causes the two timestamps to match, and Visual C++ is
+	happy.</para>
+
+<para>Default: <emphasis><parameter>dos filetime resolution</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>dos filetimes</primary></indexterm><term><anchor id="DOSFILETIMES"/>dos filetimes (S)</term><listitem>
+	<para>Under DOS and Windows, if a user can write to a 
+	file they can change the timestamp on it. Under POSIX semantics, 
+	only the owner of the file or root may change the timestamp. By 
+	default, Samba runs with POSIX semantics and refuses to change the 
+	timestamp on a file if the user <command moreinfo="none">smbd</command> is acting 
+	on behalf of is not the file owner. Setting this option to <constant>
+	yes</constant> allows DOS semantics and <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> will change the file 
+	timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond,
+	the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14
+	and above. Microsoft Excel will display dialog box warnings about the file being
+	changed by another user if this parameter is not set to "yes" and files are being
+	shared between users.
+	</para>
+
+<para>Default: <emphasis><parameter>dos filetimes</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ea support</primary></indexterm><term><anchor id="EASUPPORT"/>ea support (S)</term><listitem>
+    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> will allow clients to attempt to store OS/2 style Extended
+    attributes on a share. In order to enable this parameter the underlying filesystem exported by
+    the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the
+    correct kernel patches). On Linux the filesystem must have been mounted with the mount
+        option user_xattr in order for extended attributes to work, also
+		extended attributes must be compiled into the Linux kernel.</para>
+
+<para>Default: <emphasis><parameter>ea support</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>enable privileges</primary></indexterm><term><anchor id="ENABLEPRIVILEGES"/>enable privileges (G)</term><listitem>
+	<para>This parameter controls whether or not smbd will honor
+        privileges assigned to specific SIDs via either <command>net rpc rights</command>
+        or one of the Windows user and group manager tools.  This parameter is 
+	disabled by default to prevent members of the Domain Admins group from 
+	being able to assign privileges to users or groups which can then result in certain
+	smbd operations running as root that would normally run under the context 
+	of the connected user.  </para>
+
+	<para>An example of how privileges can be used is to assign
+	the right to join clients to a Samba controlled domain without
+	providing root access to the server via smbd.</para>
+
+	<para>Please read the extended description provided in the
+	Samba documentation before enabling this option.</para>
+
+
+<para>Default: <emphasis><parameter>enable privileges</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>enable rid algorithm</primary></indexterm><term><anchor id="ENABLERIDALGORITHM"/>enable rid algorithm (G)</term><listitem>
+	<para>This option is used to control whether or not smbd in Samba 3.0 should fallback
+	to the algorithm used by Samba 2.2 to generate user and group RIDs.  The longterm
+	development goal is to remove the algorithmic mappings of RIDs altogether, but 
+	this has proved to be difficult.  This parameter is mainly provided so that
+	developers can turn the algorithm on and off and see what breaks.  This parameter
+	should not be disabled by non-developers because certain features in Samba will fail 
+	to work without it.
+	</para>
+
+
+<para>Default: <emphasis><parameter>enable rid algorithm</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>encrypt passwords</primary></indexterm><term><anchor id="ENCRYPTPASSWORDS"/>encrypt passwords (G)</term><listitem>
+    <para>This boolean controls whether encrypted passwords 
+    will be negotiated with the client. Note that Windows NT 4.0 SP3 and 
+    above and also Windows 98 will by default expect encrypted passwords 
+    unless a registry entry is changed. To use encrypted passwords in 
+    Samba see the chapter "User Database" in the Samba HOWTO Collection.
+    </para>
+
+    <para>
+    MS Windows clients that expect Microsoft encrypted passwords and that
+    do not have plain text password support enabled will be able to
+    connect only to a Samba server that has encypted password support
+    enabled and for which the user accounts have a valid encrypted password.
+    Refer to the smbpasswd command man page for information regarding the
+    creation of encrypted passwords for user accounts.
+    </para>
+
+    <para>
+    The use of plain text passwords is NOT advised as support for this feature
+    is no longer maintained in Microsoft Windows products. If you want to use
+    plain text passwords you must set this parameter to no.
+    </para>
+
+    <para>In order for encrypted passwords to work correctly
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> must either 
+    have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+    <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> program for information on how to set up 
+    and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which 
+    causes <command moreinfo="none">smbd</command> to authenticate against another 
+	server.</para>
+
+<para>Default: <emphasis><parameter>encrypt passwords</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>enhanced browsing</primary></indexterm><term><anchor id="ENHANCEDBROWSING"/>enhanced browsing (G)</term><listitem>
+	<para>This option enables a couple of enhancements to 
+	cross-subnet browse propagation that have been added in Samba 
+	but which are not standard in Microsoft implementations.  
+	</para>
+
+	<para>The first enhancement to browse propagation consists of a regular
+	wildcard query to a Samba WINS server for all Domain Master Browsers,
+	followed by a browse synchronization with each of the returned
+	DMBs. The second enhancement consists of a regular randomised browse
+	synchronization with all currently known DMBs.</para>
+
+	<para>You may wish to disable this option if you have a problem with empty
+	workgroups not disappearing from browse lists. Due to the restrictions
+	of the browse protocols these enhancements can cause a empty workgroup
+	to stay around forever which can be annoying.</para>
+
+	<para>In general you should leave this option enabled as it makes
+	cross-subnet browse propagation much more reliable.</para>
+
+
+<para>Default: <emphasis><parameter>enhanced browsing</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>enumports command</primary></indexterm><term><anchor id="ENUMPORTSCOMMAND"/>enumports command (G)</term><listitem>
+    <para>The concept of a "port" is fairly foreign
+    to UNIX hosts.  Under Windows NT/2000 print servers, a port
+    is associated with a port monitor and generally takes the form of
+    a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
+    (i.e. LPD Port Monitor, etc...).  By default, Samba has only one
+    port defined--<constant>"Samba Printer Port"</constant>.  Under 
+    Windows NT/2000, all printers must have a valid port name.  
+    If you wish to have a list of ports displayed (<command moreinfo="none">smbd
+    </command> does not use a port name for anything) other than 
+    the default <constant>"Samba Printer Port"</constant>, you 
+    can define <parameter moreinfo="none">enumports command</parameter> to point to
+    a program which should generate a list of ports, one per line,
+    to standard output.  This listing will then be used in response
+	to the level 1 and 2 EnumPorts() RPC.</para>
+
+<para>Default: <emphasis><parameter>enumports command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>enumports command</parameter> = /usr/bin/listports
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>fake directory create times</primary></indexterm><term><anchor id="FAKEDIRECTORYCREATETIMES"/>fake directory create times (S)</term><listitem>
+	<para>NTFS and Windows VFAT file systems keep a create 
+	time for all files and directories. This is not the same as the 
+	ctime - status change time - that Unix keeps, so Samba by default 
+	reports the earliest of the various times Unix does keep. Setting 
+	this parameter for a share causes Samba to always report midnight 
+	1-1-1980 as the create time for directories.</para>
+
+	<para>This option is mainly used as a compatibility option for 
+	Visual C++ when used against Samba shares. Visual C++ generated 
+	makefiles have the object directory as a dependency for each object 
+	file, and a make rule to create the directory. Also, when NMAKE 
+	compares timestamps it uses the creation time when examining a 
+	directory. Thus the object directory will be created if it does not 
+	exist, but once it does exist it will always have an earlier 
+	timestamp than the object files it contains.</para>
+
+	<para>However, Unix time semantics mean that the create time 
+	reported by Samba will be updated whenever a file is created or 
+	or deleted in the directory.  NMAKE finds all object files in 
+	the object directory.  The timestamp of the last one built is then 
+	compared to the timestamp of the object directory.  If the 
+	directory's timestamp if newer, then all object files
+	will be rebuilt.  Enabling this option 
+	ensures directories always predate their contents and an NMAKE build 
+	will proceed as expected.</para>
+
+<para>Default: <emphasis><parameter>fake directory create times</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>fake oplocks</primary></indexterm><term><anchor id="FAKEOPLOCKS"/>fake oplocks (S)</term><listitem>
+	<para>Oplocks are the way that SMB clients get permission 
+	from a server to locally cache file operations. If a server grants 
+	an oplock (opportunistic lock) then the client is free to assume 
+	that it is the only one accessing the file and it will aggressively 
+	cache file data. With some oplock types the client may even cache 
+	file open/close operations. This can give enormous performance benefits.
+	</para>
+
+	<para>When you set <command moreinfo="none">fake oplocks = yes</command>, <citerefentry>
+	<refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry> will
+	always grant oplock requests no matter how many clients are using the file.</para>
+
+	<para>It is generally much better to use the real <link linkend="OPLOCKS">
+	<parameter moreinfo="none">oplocks</parameter></link> support rather 
+	than this parameter.</para>
+		
+	<para>If you enable this option on all read-only shares or 
+	shares that you know will only be accessed from one client at a 
+	time such as physically read-only media like CDROMs, you will see 
+	a big performance improvement on many operations. If you enable 
+	this option on shares where multiple clients may be accessing the 
+	files read-write at the same time you can get data corruption. Use 
+	this option carefully!</para>
+
+<para>Default: <emphasis><parameter>fake oplocks</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>follow symlinks</primary></indexterm><term><anchor id="FOLLOWSYMLINKS"/>follow symlinks (S)</term><listitem>
+	<para>This parameter allows the Samba administrator 
+	to stop <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>	from following symbolic 
+	links in a particular share. Setting this 
+	parameter to <constant>no</constant> prevents any file or directory 
+	that is a symbolic link from being followed (the user will get an 
+	error).  This option is very useful to stop users from adding a 
+	symbolic link to <filename moreinfo="none">/etc/passwd</filename> in their home 
+	directory for instance.  However it will slow filename lookups 
+	down slightly.</para>
+
+	<para>This option is enabled (i.e. <command moreinfo="none">smbd</command> will 
+		follow symbolic links) by default.</para>
+
+<para>Default: <emphasis><parameter>follow symlinks</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>force create mode</primary></indexterm><term><anchor id="FORCECREATEMODE"/>force create mode (S)</term><listitem>
+    <para>This parameter specifies a set of UNIX mode bit 
+    permissions that will <emphasis>always</emphasis> be set on a 
+    file created by Samba. This is done by bitwise 'OR'ing these bits onto 
+    the mode bits of a file that is being created or having its 
+    permissions changed. The default for this parameter is (in octal) 
+    000. The modes in this parameter are bitwise 'OR'ed onto the file 
+    mode after the mask set in the <parameter moreinfo="none">create mask</parameter> 
+    parameter is applied.</para>
+
+	<para>The example below would force all created files to have read and execute 
+    permissions set for 'group' and 'other' as well as the 
+    read/write/execute bits set for the 'user'.</para>
+
+
+<para>Default: <emphasis><parameter>force create mode</parameter> = 000
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>force create mode</parameter> = 0755
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>force directory mode</primary></indexterm><term><anchor id="FORCEDIRECTORYMODE"/>force directory mode (S)</term><listitem>
+    <para>This parameter specifies a set of UNIX mode bit 
+    permissions that will <emphasis>always</emphasis> be set on a directory 
+    created by Samba. This is done by bitwise 'OR'ing these bits onto the 
+    mode bits of a directory that is being created. The default for this 
+    parameter is (in octal) 0000 which will not add any extra permission 
+    bits to a created directory. This operation is done after the mode 
+    mask in the parameter <parameter moreinfo="none">directory mask</parameter> is 
+    applied.</para>
+
+	<para>The example below would force all created directories to have read and execute
+    permissions set for 'group' and 'other' as well as the
+    read/write/execute bits set for the 'user'.</para>
+
+<para>Default: <emphasis><parameter>force directory mode</parameter> = 000
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>force directory mode</parameter> = 0755
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>force directory security mode</primary></indexterm><term><anchor id="FORCEDIRECTORYSECURITYMODE"/>force directory security mode (S)</term><listitem>
+    <para>This parameter controls what UNIX permission bits 
+    can be modified when a Windows NT client is manipulating the UNIX 
+    permission on a directory using the native NT security dialog box.</para>
+
+    <para>This parameter is applied as a mask (OR'ed with) to the 
+    changed permission bits, thus forcing any bits in this mask that 
+    the user may have modified to be on. Essentially, one bits in this 
+    mask may be treated as a set of bits that, when modifying security 
+    on a directory, the user has always set to be 'on'.</para>
+
+    <para>If not set explicitly this parameter is 000, which 
+    allows a user to modify all the user/group/world permissions on a 
+    directory without restrictions.</para>
+
+    <note><para>Users who can access the 
+    Samba server through other means can easily bypass this restriction, 
+    so it is primarily useful for standalone "appliance" systems.  
+    Administrators of most normal systems will probably want to leave
+	it set as 0000.</para></note>
+
+
+<para>Default: <emphasis><parameter>force directory security mode</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>force directory security mode</parameter> = 700
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>group</primary><see>force group</see></indexterm><term><anchor id="GROUP"/>group</term><listitem><para>This parameter is a synonym for force group.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>force group</primary></indexterm><term><anchor id="FORCEGROUP"/>force group (S)</term><listitem>
+    <para>This specifies a UNIX group name that will be 
+    assigned as the default primary group for all users connecting 
+    to this service. This is useful for sharing files by ensuring 
+    that all access to files on service will use the named group for 
+    their permissions checking. Thus, by assigning permissions for this 
+    group to the files and directories within this service the Samba 
+    administrator can restrict or allow sharing of these files.</para>
+
+    <para>In Samba 2.0.5 and above this parameter has extended 
+    functionality in the following way. If the group name listed here 
+    has a '+' character prepended to it then the current user accessing 
+    the share only has the primary group default assigned to this group 
+    if they are already assigned as a member of that group. This allows 
+    an administrator to decide that only users who are already in a 
+    particular group will create files with group ownership set to that 
+    group. This gives a finer granularity of ownership assignment. For 
+    example, the setting <filename moreinfo="none">force group = +sys</filename> means 
+    that only users who are already in group sys will have their default
+    primary group assigned to sys when accessing this Samba share. All
+    other users will retain their ordinary primary group.</para>
+
+    <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter>
+    </link> parameter is also set the group specified in 
+    <parameter moreinfo="none">force group</parameter> will override the primary group
+    set in <parameter moreinfo="none">force user</parameter>.</para>
+
+
+<para>Default: <emphasis><parameter>force group</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>force group</parameter> = agroup
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>force printername</primary></indexterm><term><anchor id="FORCEPRINTERNAME"/>force printername (S)</term><listitem>
+    <para>When printing from Windows NT (or later), 
+    each printer in <filename>smb.conf</filename> has two 
+    associated names which can be used by the client.  The first
+    is the sharename (or shortname) defined in smb.conf.  This
+    is the only printername available for use by Windows 9x clients.
+    The second name associated with a printer can be seen when 
+    browsing to the "Printers" (or "Printers and Faxes") folder 
+    on the Samba server.  This is referred to simply as the printername
+    (not to be confused with the <parameter>printer name</parameter> option).
+    </para>
+
+    <para>When assigning a new driver to a printer on a remote 
+    Windows compatible print server such as Samba, the Windows client
+    will rename the printer to match the driver name just uploaded.
+    This can result in confusion for users when multiple 
+    printers are bound to the same driver.  To prevent Samba from
+    allowing the printer's printername to differ from the sharename
+    defined in smb.conf, set <parameter>force printername = yes</parameter>.
+    </para>
+
+    <para>Be aware that enabling this parameter may affect migrating
+    printers from a Windows server to Samba since Windows has no way to 
+    force the sharename and printername to match.</para>
+
+    <para>It is recommended that this parameter's value not be changed
+    once the printer is in use by clients as this could cause a user
+    not be able to delete printer connections from their local Printers 
+    folder.</para>
+
+
+<para>Default: <emphasis><parameter>force printername</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>force security mode</primary></indexterm><term><anchor id="FORCESECURITYMODE"/>force security mode (S)</term><listitem>
+    <para>This parameter controls what UNIX permission 
+    bits can be modified when a Windows NT client is manipulating 
+    the UNIX permission on a file using the native NT security dialog 
+    box.</para>
+		
+    <para>This parameter is applied as a mask (OR'ed with) to the 
+    changed permission bits, thus forcing any bits in this mask that 
+    the user may have modified to be on. Essentially, one bits in this 
+    mask may be treated as a set of bits that, when modifying security 
+    on a file, the user has always set to be 'on'.</para>
+
+    <para>If not set explicitly this parameter is set to 0,
+    and allows a user to modify all the user/group/world permissions on a file,
+    with no restrictions.</para>
+		
+    <para><emphasis>Note</emphasis> that users who can access 
+    the Samba server through other means can easily bypass this restriction, 
+    so it is primarily useful for standalone "appliance" systems.  
+    Administrators of most normal systems will probably want to leave
+    this set to 0000.</para>
+
+
+<para>Default: <emphasis><parameter>force security mode</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>force security mode</parameter> = 700
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>force unknown acl user</primary></indexterm><term><anchor id="FORCEUNKNOWNACLUSER"/>force unknown acl user (S)</term><listitem>
+    <para>If this parameter is set, a Windows NT ACL that contains an unknown
+              SID (security descriptor, or representation of a user or group
+              id) as the owner or group owner of the file will be silently
+              mapped into the current UNIX uid or gid of the currently
+              connected user.</para>
+
+    <para>This is designed to allow Windows NT clients to copy files and
+              folders containing ACLs that were created locally on the client
+              machine and contain users local to that machine only (no domain
+              users) to be copied to a Samba server (usually with XCOPY /O)
+              and have the unknown userid and groupid of the file owner map to
+              the current connected user.  This can only be fixed correctly
+              when winbindd allows arbitrary mapping from any Windows NT SID
+              to a UNIX uid or gid.</para>
+
+    <para>Try using this parameter when XCOPY /O gives an ACCESS_DENIED
+    error.</para>
+
+<para>Default: <emphasis><parameter>force unknown acl user</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>force user</primary></indexterm><term><anchor id="FORCEUSER"/>force user (S)</term><listitem>
+    <para>This specifies a UNIX user name that will be 
+    assigned as the default user for all users connecting to this service. 
+    This is useful for sharing files. You should also use it carefully 
+    as using it incorrectly can cause security problems.</para>
+
+    <para>This user name only gets used once a connection is established. 
+    Thus clients still need to connect as a valid user and supply a 
+    valid password. Once connected, all file operations will be performed 
+    as the "forced user", no matter what username the client connected 
+    as.  This can be very useful.</para>
+
+    <para>In Samba 2.0.5 and above this parameter also causes the 
+    primary group of the forced user to be used as the primary group 
+    for all file activity. Prior to 2.0.5 the primary group was left 
+    as the primary group of the connecting user (this was a bug).</para>
+
+
+<para>Default: <emphasis><parameter>force user</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>force user</parameter> = auser
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>fstype</primary></indexterm><term><anchor id="FSTYPE"/>fstype (S)</term><listitem>
+	<para>This parameter allows the administrator to 
+	configure the string that specifies the type of filesystem a share 
+	is using that is reported by <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> when a client queries the filesystem type
+	for a share. The default type is <constant>NTFS</constant> for 
+	compatibility with Windows NT but this can be changed to other 
+	strings such as <constant>Samba</constant> or <constant>FAT
+	</constant> if required.</para>
+
+<para>Default: <emphasis><parameter>fstype</parameter> = NTFS
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>fstype</parameter> = Samba
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>get quota command</primary></indexterm><term><anchor id="GETQUOTACOMMAND"/>get quota command (G)</term><listitem>
+	<para>The <command>get quota command</command> should only be used 
+	whenever there is no operating system API available from the OS that 
+	samba can use.</para>
+
+	<para>This option is only available with <command>./configure --with-sys-quotas</command>.
+	Or on linux when <command>./configure --with-quotas</command> was used and a working quota api 
+	was found in the system.</para>
+
+	<para>This parameter should specify the path to a script that 
+	queries the quota information for the specified 
+	user/group for the partition that 
+	the specified directory is on.</para>
+
+	<para>Such a script should take 3 arguments:</para>
+
+	<itemizedlist>
+		<listitem><para>directory</para></listitem>
+		<listitem><para>type of query</para></listitem>
+		<listitem><para>uid of user or gid of group</para></listitem>
+	</itemizedlist>
+
+	<para>The type of query can be one of :</para>
+
+	<itemizedlist>
+		<listitem><para>1 - user quotas</para></listitem>
+		<listitem><para>2 - user default quotas (uid = -1)</para></listitem>
+		<listitem><para>3 - group quotas</para></listitem>
+		<listitem><para>4 - group default quotas (gid = -1)</para></listitem>
+	</itemizedlist>
+
+	<para>This script should print one line as output with spaces between the arguments. The arguments are: 
+	      </para>
+
+	<itemizedlist>
+		<listitem><para>Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)</para></listitem>
+		<listitem><para>Arg 2 - number of currently used blocks</para></listitem>
+		<listitem><para>Arg 3 - the softlimit number of blocks</para></listitem>
+		<listitem><para>Arg 4 - the hardlimit number of blocks</para></listitem>
+		<listitem><para>Arg 5 - currently used number of inodes</para></listitem>
+		<listitem><para>Arg 6 - the softlimit number of inodes</para></listitem>
+		<listitem><para>Arg 7 - the hardlimit number of inodes</para></listitem>
+		<listitem><para>Arg 8(optional) - the number of bytes in a block(default is 1024)</para></listitem>
+	</itemizedlist>
+
+<para>Default: <emphasis><parameter>get quota command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>get quota command</parameter> = /usr/local/sbin/query_quota
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>getwd cache</primary></indexterm><term><anchor id="GETWDCACHE"/>getwd cache (G)</term><listitem>
+    <para>This is a tuning option. When this is enabled a 
+    caching algorithm will be used to reduce the time taken for getwd() 
+    calls. This can have a significant impact on performance, especially 
+    when the <link linkend="WIDELINKS"><parameter moreinfo="none">wide links</parameter>
+</link> parameter is set to <constant>no</constant>.</para>
+
+<para>Default: <emphasis><parameter>getwd cache</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>guest account</primary></indexterm><term><anchor id="GUESTACCOUNT"/>guest account (G)</term><listitem>
+    <para>This is a username which will be used for access 
+    to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none">
+    guest ok</parameter></link> (see below). Whatever privileges this 
+    user has will be available to any client connecting to the guest service. 
+    This user must exist in the password file, but does not require
+    a valid login. The user account "ftp" is often a good choice 
+    for this parameter. 
+    </para>
+
+    <para>On some systems the default guest account "nobody" may not 
+    be able to print. Use another account in this case. You should test 
+    this by trying to log in as your guest user (perhaps by using the 
+    <command moreinfo="none">su -</command> command) and trying to print using the 
+    system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none">
+    lp(1)</command>.</para>
+
+    <para>This parameter does not accept % macros, because
+    many parts of the system require this value to be
+	constant for correct operation.</para>
+
+<para>Default: <emphasis><parameter>guest account</parameter> = nobody
+# default can be changed at compile-time
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>guest account</parameter> = ftp
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>public</primary><see>guest ok</see></indexterm><term><anchor id="PUBLIC"/>public</term><listitem><para>This parameter is a synonym for guest ok.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>guest ok</primary></indexterm><term><anchor id="GUESTOK"/>guest ok (S)</term><listitem>
+    <para>If this parameter is <constant>yes</constant> for 
+    a service, then no password is required to connect to the service. 
+    Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
+    guest account</parameter></link>.</para>
+
+    <para>This paramater nullifies the benifits of setting
+    <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict
+    anonymous</parameter></link> = 2</para>
+
+    <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
+    security</parameter></link> for more information about this option.
+	</para>
+
+<para>Default: <emphasis><parameter>guest ok</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>only guest</primary><see>guest only</see></indexterm><term><anchor id="ONLYGUEST"/>only guest</term><listitem><para>This parameter is a synonym for guest only.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>guest only</primary></indexterm><term><anchor id="GUESTONLY"/>guest only (S)</term><listitem>
+    <para>If this parameter is <constant>yes</constant> for 
+    a service, then only guest connections to the service are permitted. 
+    This parameter will have no effect if <link linkend="GUESTOK">
+    <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para>
+
+    <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
+    security</parameter></link> for more information about this option.
+	</para>
+
+<para>Default: <emphasis><parameter>guest only</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>hide dot files</primary></indexterm><term><anchor id="HIDEDOTFILES"/>hide dot files (S)</term><listitem>
+	<para>This is a boolean parameter that controls whether 
+	files starting with a dot appear as hidden files.</para>
+
+<para>Default: <emphasis><parameter>hide dot files</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>hide files</primary></indexterm><term><anchor id="HIDEFILES"/>hide files (S)</term><listitem>
+	<para>This is a list of files or directories that are not 
+	visible but are accessible.  The DOS 'hidden' attribute is applied 
+	to any files or directories that match.</para>
+
+	<para>Each entry in the list must be separated by a '/', 
+	which allows spaces to be included in the entry.  '*'
+	and '?' can be used to specify multiple files or directories 
+	as in DOS wildcards.</para>
+
+	<para>Each entry must be a Unix path, not a DOS path and must 
+	not include the Unix directory separator '/'.</para>
+
+	<para>Note that the case sensitivity option is applicable 
+	in hiding files.</para>
+		
+	<para>Setting this parameter will affect the performance of Samba, 
+	as it will be forced to check all files and directories for a match 
+	as they are scanned.</para>
+
+<para>Default: <emphasis><parameter>hide files</parameter> = 
+# no file are hidden
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>hide files</parameter> = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
+# 
+The above example is based on files that the Macintosh 
+SMB client (DAVE) available from <ulink url="http://www.thursby.com"> 
+Thursby</ulink> creates for internal use, and also still hides 
+all files beginning with a dot.
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>hide special files</primary></indexterm><term><anchor id="HIDESPECIALFILES"/>hide special files (S)</term><listitem>
+	<para>This parameter prevents clients from seeing
+	special files such as sockets, devices and fifo's in directory 
+	listings.
+</para>
+
+<para>Default: <emphasis><parameter>hide special files</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>hide unreadable</primary></indexterm><term><anchor id="HIDEUNREADABLE"/>hide unreadable (S)</term><listitem>
+	<para>This parameter prevents clients from seeing the
+		existance of files that cannot be read. Defaults to off.</para>
+
+<para>Default: <emphasis><parameter>hide unreadable</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>hide unwriteable files</primary></indexterm><term><anchor id="HIDEUNWRITEABLEFILES"/>hide unwriteable files (S)</term><listitem>
+	<para>This parameter prevents clients from seeing
+	the existance of files that cannot be written to. Defaults to off.
+	Note that unwriteable directories are shown as usual.
+</para>
+
+<para>Default: <emphasis><parameter>hide unwriteable files</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>homedir map</primary></indexterm><term><anchor id="HOMEDIRMAP"/>homedir map (G)</term><listitem>
+	<para>If<link linkend="NISHOMEDIR"><parameter moreinfo="none">nis homedir
+	</parameter></link> is <constant>yes</constant>, and <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> is also acting 
+	as a Win95/98 <parameter moreinfo="none">logon server</parameter> then this parameter 
+	specifies the NIS (or YP) map from which the server for the user's 
+	home directory should be extracted.  At present, only the Sun 
+	auto.home map format is understood. The form of the map is:</para>
+
+	<para><command moreinfo="none">username	server:/some/file/system</command></para>
+
+	<para>and the program will extract the servername from before 
+	the first ':'.  There should probably be a better parsing system 
+	that copes with different map formats and also Amd (another 
+	automounter) maps.</para>
+		
+	<note><para>A working NIS client is required on 
+	the system for this option to work.</para></note>
+
+<para>Default: <emphasis><parameter>homedir map</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>homedir map</parameter> = amd.homedir
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>host msdfs</primary></indexterm><term><anchor id="HOSTMSDFS"/>host msdfs (G)</term><listitem>
+        <para>If set to <constant>yes</constant>, Samba will act as a Dfs
+	server, and allow Dfs-aware clients to browse Dfs trees hosted
+	on the server.</para>
+
+	<para>See also the <link linkend="MSDFSROOT"><parameter moreinfo="none">
+	msdfs root</parameter></link> share  level  parameter.  For
+	more  information  on  setting  up a Dfs tree on Samba,
+	refer to <link linkend="msdfs"/>.
+	</para>
+
+<para>Default: <emphasis><parameter>host msdfs</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>hostname lookups</primary></indexterm><term><anchor id="HOSTNAMELOOKUPS"/>hostname lookups (G)</term><listitem>
+    <para>Specifies whether samba should use (expensive)
+    hostname lookups or use the ip addresses instead. An example place
+    where hostname lookups are currently used is when checking 
+    the <command moreinfo="none">hosts deny</command> and <command moreinfo="none">hosts allow</command>.
+    </para>
+
+<para>Default: <emphasis><parameter>hostname lookups</parameter> = no
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>hostname lookups</parameter> = yes
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>allow hosts</primary><see>hosts allow</see></indexterm><term><anchor id="ALLOWHOSTS"/>allow hosts</term><listitem><para>This parameter is a synonym for hosts allow.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>hosts allow</primary></indexterm><term><anchor id="HOSTSALLOW"/>hosts allow (S)</term><listitem>
+    <para>A synonym for this parameter is <parameter moreinfo="none">allow 
+    hosts</parameter>.</para>
+		
+    <para>This parameter is a comma, space, or tab delimited 
+    set of hosts which are permitted to access a service.</para>
+
+    <para>If specified in the [global] section then it will
+    apply to all services, regardless of whether the individual 
+    service has a different setting.</para>
+
+    <para>You can specify the hosts by name or IP number. For 
+    example, you could restrict access to only the hosts on a 
+    Class C subnet with something like <command moreinfo="none">allow hosts = 150.203.5.
+    </command>. The full syntax of the list is described in the man 
+    page <filename moreinfo="none">hosts_access(5)</filename>. Note that this man
+    page may not be present on your system, so a brief description will
+    be given here also.</para>
+
+    <para>Note that the localhost address 127.0.0.1 will always 
+    be allowed access unless specifically denied by a <link linkend="HOSTSDENY">
+    <parameter moreinfo="none">hosts deny</parameter></link> option.</para>
+
+    <para>You can also specify hosts by network/netmask pairs and 
+    by netgroup names if your system supports netgroups. The 
+    <emphasis>EXCEPT</emphasis> keyword can also be used to limit a 
+    wildcard list. The following examples may provide some help:</para>
+
+<para>Example 1: allow all IPs in 150.203.*.*; except one</para>
+
+    <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
+
+    <para>Example 2: allow hosts that match the given network/netmask</para>
+
+    <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para>
+
+    <para>Example 3: allow a couple of hosts</para>
+
+    <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
+
+    <para>Example 4: allow only hosts in NIS netgroup "foonet", but 
+    deny access from one particular host</para>
+
+    <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+    <para><command moreinfo="none">hosts deny = pirate</command></para>
+
+    <note><para>Note that access still requires suitable user-level passwords.</para></note>
+
+    <para>See <citerefentry><refentrytitle>testparm</refentrytitle>
+    <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access 
+    to see if it does what you expect.</para>
+
+		
+
+<para>Default: <emphasis><parameter>hosts allow</parameter> = 
+# none (i.e., all hosts permitted access)
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>hosts allow</parameter> = 150.203.5. myhost.mynet.edu.au
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>deny hosts</primary><see>hosts deny</see></indexterm><term><anchor id="DENYHOSTS"/>deny hosts</term><listitem><para>This parameter is a synonym for hosts deny.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>hosts deny</primary></indexterm><term><anchor id="HOSTSDENY"/>hosts deny (S)</term><listitem>
+    <para>The opposite of <parameter moreinfo="none">hosts allow</parameter> 
+    - hosts listed here are <emphasis>NOT</emphasis> permitted access to 
+    services unless the specific services have their own lists to override 
+    this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter> 
+	list takes precedence.</para>
+
+<para>Default: <emphasis><parameter>hosts deny</parameter> = 
+# none (i.e., no hosts specifically excluded)
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>hosts deny</parameter> = 150.203.4. badhost.mynet.edu.au
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>hosts equiv</primary></indexterm><term><anchor id="HOSTSEQUIV"/>hosts equiv (G)</term><listitem>
+    <para>If this global parameter is a non-null string, 
+    it specifies the name of a file to read for the names of hosts 
+    and users who will be allowed access without specifying a password.
+    </para>
+		
+    <para>This is not be confused with <link linkend="HOSTSALLOW">
+    <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts 
+    access to services and is more useful for guest services. <parameter moreinfo="none">
+    hosts equiv</parameter> may be useful for NT clients which will 
+    not supply passwords to Samba.</para>
+
+    <note><para>The use of <parameter moreinfo="none">hosts equiv
+    </parameter> can be a major security hole. This is because you are 
+    trusting the PC to supply the correct username. It is very easy to 
+    get a PC to supply a false username. I recommend that the 
+    <parameter moreinfo="none">hosts equiv</parameter> option be only used if you really 
+    know what you are doing, or perhaps on a home network where you trust 
+    your spouse and kids. And only if you <emphasis>really</emphasis> trust 
+	them :-).</para></note>
+
+<para>Default: <emphasis><parameter>hosts equiv</parameter> = 
+# no host equivalences
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>hosts equiv</parameter> = hosts equiv = /etc/hosts.equiv
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>idmap backend</primary></indexterm><term><anchor id="IDMAPBACKEND"/>idmap backend (G)</term><listitem>
+	<para>
+	The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap
+	tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common
+	LDAP backend. This way all domain members and controllers will have the same UID and GID
+	to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux
+	systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).
+	</para>
+
+	<para>
+	An alternate method of SID to UID / GID  mapping can be achieved using the idmap_rid
+	plug-in. This plug-in uses the account RID to derive the UID and GID by adding the
+	RID to a base value specified. This utility requires that the parameter
+	<quote><emphasis>allow trusted domains = No</emphasis></quote> must be specified, as it is not compatible
+	with multiple domain environments. The idmap uid and idmap gid ranges must also be
+	specified.
+	</para>
+
+<para>Default: <emphasis><parameter>idmap backend</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>idmap backend</parameter> = ldap:ldap://ldapslave.example.com
+</emphasis>
+</para><para>Example: <emphasis><parameter>idmap backend</parameter> = idmap_rid:DOMNAME=1000-100000000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind gid</primary><see>idmap gid</see></indexterm><term><anchor id="WINBINDGID"/>winbind gid</term><listitem><para>This parameter is a synonym for idmap gid.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>idmap gid</primary></indexterm><term><anchor id="IDMAPGID"/>idmap gid (G)</term><listitem>
+
+	<para>The idmap gid parameter specifies the range of group ids that are allocated for
+	the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no 
+	existing local or NIS groups within it as strange conflicts can occur otherwise.</para>
+
+	<para>The availability of an idmap gid range is essential for correct operation of
+		all group mapping.</para>
+
+<para>Default: <emphasis><parameter>idmap gid</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>idmap gid</parameter> = 10000-20000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind uid</primary><see>idmap uid</see></indexterm><term><anchor id="WINBINDUID"/>winbind uid</term><listitem><para>This parameter is a synonym for idmap uid.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>idmap uid</primary></indexterm><term><anchor id="IDMAPUID"/>idmap uid (G)</term><listitem>
+	<para>The idmap uid parameter specifies the range of user ids that are allocated for use
+	in mapping UNIX users to NT user SIDs. This range of ids should have no existing local
+	or NIS users within it as strange conflicts can occur otherwise.</para>
+
+<para>Default: <emphasis><parameter>idmap uid</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>idmap uid</parameter> = 10000-20000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>include</primary></indexterm><term><anchor id="INCLUDE"/>include (G)</term><listitem>
+	<para>This allows you to include one config file 
+	inside another.  The file is included literally, as though typed 
+	in place.</para>
+
+	<para>It takes the standard substitutions, except <parameter moreinfo="none">%u
+	</parameter>, <parameter moreinfo="none">%P</parameter> and <parameter moreinfo="none">%S</parameter>.
+</para>
+
+<para>Default: <emphasis><parameter>include</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>include</parameter> = /usr/local/samba/lib/admin_smb.conf
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>inherit acls</primary></indexterm><term><anchor id="INHERITACLS"/>inherit acls (S)</term><listitem>
+    <para>This parameter can be used to ensure that if default acls
+    exist on parent directories, they are always honored when creating a
+    subdirectory. The default behavior is to use the mode specified when
+    creating the directory.  Enabling this option sets the mode to 0777,
+    thus guaranteeing that  default directory acls are propagated.
+</para>
+
+<para>Default: <emphasis><parameter>inherit acls</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>inherit owner</primary></indexterm><term><anchor id="INHERITOWNER"/>inherit owner (S)</term><listitem>
+	<para>The ownership of new files and directories 
+	is normally governed by effective uid of the connected user.
+	This option allows the Samba administrator to specify that
+	the ownership for new files and directories should be controlled
+	by the ownership of the parent directory.</para>
 	
-	<refsect2>
-		<title>The [global] section</title>
-		
-		<para>Parameters in this section apply to the server 
-		as a whole, or are defaults for sections that do not 
-		specifically define certain items. See the notes
-		under PARAMETERS for more information.</para>
-	</refsect2>
+	<para>Common scenarios where this behavior is useful is in 
+	implementing drop-boxes where users can create and edit files but not 
+	delete them and to ensure that newly create files in a user's
+	roaming profile directory are actually owner by the user.</para>
+
+<para>Default: <emphasis><parameter>inherit owner</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>inherit permissions</primary></indexterm><term><anchor id="INHERITPERMISSIONS"/>inherit permissions (S)</term><listitem>
+    <para>The permissions on new files and directories 
+    are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none">
+    create mask</parameter></link>, <link linkend="DIRECTORYMASK">
+    <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
+    <parameter moreinfo="none">force create mode</parameter>
+    </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force 
+    directory mode</parameter></link> but the boolean inherit 
+    permissions parameter overrides this.</para>
+		
+    <para>New directories inherit the mode of the parent directory,
+    including bits such as setgid.</para>
+
+    <para>New files inherit their read/write bits from the parent 
+    directory.  Their execute bits continue to be determined by
+    <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter>
+    </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter>
+    </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter>
+    </link> as usual.</para>
+
+    <para>Note that the setuid bit is <emphasis>never</emphasis> set via 
+    inheritance (the code explicitly prohibits this).</para>
+
+    <para>This can be particularly useful on large systems with 
+    many users, perhaps several thousand, to allow a single [homes] 
+    share to be used flexibly by each user.</para>
+
+<para>Default: <emphasis><parameter>inherit permissions</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>interfaces</primary></indexterm><term><anchor id="INTERFACES"/>interfaces (G)</term><listitem>
+        <para>This option allows you to override the default 
+	network interfaces list that Samba will use for browsing, name 
+	registration and other NBT traffic. By default Samba will query 
+	the kernel for the list of all active interfaces and use any 
+	interfaces except 127.0.0.1 that are broadcast capable.</para>
+
+	<para>The option takes a list of interface strings. Each string 
+	can be in any of the following forms:</para>
+
+	<itemizedlist>
+		<listitem><para>a network interface name (such as eth0). 
+		This may include shell-like wildcards so eth* will match 
+		any interface starting with the substring "eth"</para></listitem>
+			
+		<listitem><para>an IP address. In this case the netmask is 
+		determined from the list of interfaces obtained from the 
+		kernel</para></listitem>
+			
+		<listitem><para>an IP/mask pair. </para></listitem>
+			
+		<listitem><para>a broadcast/mask pair.</para></listitem>
+	</itemizedlist>
+
+	<para>The "mask" parameters can either be a bit length (such 
+	as 24 for a C class network) or a full netmask in dotted 
+	decimal form.</para>
+
+	<para>The "IP" parameters above can either be a full dotted 
+	decimal IP address or a hostname which will be looked up via 
+	the OS's normal hostname resolution mechanisms.</para>
+
+
+<para>Default: <emphasis><parameter>interfaces</parameter> = 
+# all active interfaces except 127.0.0.1 that are broadcast capable
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>interfaces</parameter> = 
 	
-	<refsect2 id="HOMESECT">
-		<title>The [homes] section</title>
-		
-		<para>If a section called [homes] is included in the 
-		configuration file, services connecting clients to their 
-		home directories can be created on the fly by the server.</para>
-
-		<para>When the connection request is made, the existing 
-		sections are scanned. If a match is found, it is used. If no 
-		match is found, the requested section name is treated as a 
-		username and looked up in the local password file. If the 
-		name exists and the correct password has been given, a share is 
-		created by cloning the [homes] section.</para>
-		
-		<para>Some modifications are then made to the newly 
-		created share:</para>
-		
-		<itemizedlist>
-		<listitem><para>The share name is changed from homes to 
-		the located username.</para></listitem>
-
-		<listitem><para>If no path was given, the path is set to
-		the user's home directory.</para></listitem>
-		</itemizedlist>
-
-		<para>If you decide to use a <emphasis>path =</emphasis> line 
-		in your [homes] section, you may find it useful 
-		to use the %S macro. For example :</para>
-
-		<para><userinput moreinfo="none">path = /data/pchome/%S</userinput></para>
-
-		<para>is useful if you have different home directories 
-		for your PCs than for UNIX access.</para>
-
-		<para>This is a fast and simple way to give a large number 
-		of clients access to their home directories with a minimum 
-		of fuss.</para>
-
-		<para>A similar process occurs if the requested section 
-		name is <quote>homes</quote>, except that the share name is not 
-		changed to that of the requesting user. This method of using
-		the [homes] section works well if different users share 
-		a client PC.</para>
-		
-		<para>The [homes] section can specify all the parameters 
-		a normal service section can specify, though some make more sense 
-		than others. The following is a typical and suitable [homes]
-		section:</para>
-
-	<smbconfexample>
-		<smbconfsection name="[homes]"/>
-		<smbconfoption name="read only">no</smbconfoption>
-	</smbconfexample>
+# This would configure three network interfaces corresponding 
+	to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. 
+	The netmasks of the latter two interfaces would be set to 255.255.255.0.
+	eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
+
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>invalid users</primary></indexterm><term><anchor id="INVALIDUSERS"/>invalid users (S)</term><listitem>
+    <para>This is a list of users that should not be allowed 
+    to login to this service. This is really a <emphasis>paranoid</emphasis> 
+    check to absolutely ensure an improper setting does not breach 
+    your security.</para>
+		
+    <para>A name starting with a '@' is interpreted as an NIS 
+    netgroup first (if your system supports NIS), and then as a UNIX 
+    group if the name was not found in the NIS netgroup database.</para>
+
+    <para>A name starting with '+' is interpreted only 
+    by looking in the UNIX group database. A name starting with 
+    '&amp;' is interpreted only by looking in the NIS netgroup database 
+    (this requires NIS to be working on your system). The characters 
+    '+' and '&amp;' may be used at the start of the name in either order 
+    so the value <parameter moreinfo="none">+&amp;group</parameter> means check the 
+    UNIX group database, followed by the NIS netgroup database, and 
+    the value <parameter moreinfo="none">&amp;+group</parameter> means check the NIS
+    netgroup database, followed by the UNIX group database (the 
+    same as the '@' prefix).</para>
+
+    <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
+		This is useful in the [homes] section.</para>
+
+<para>Default: <emphasis><parameter>invalid users</parameter> = 
+# no invalid users
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>invalid users</parameter> = root fred admin @wheel
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>keepalive</primary></indexterm><term><anchor id="KEEPALIVE"/>keepalive (G)</term><listitem>
+    <para>The value of the parameter (an integer) represents 
+    the number of seconds between <parameter moreinfo="none">keepalive</parameter> 
+    packets. If this parameter is zero, no keepalive packets will be 
+    sent. Keepalive packets, if sent, allow the server to tell whether 
+    a client is still present and responding.</para>
+
+    <para>Keepalives should, in general, not be needed if the socket 
+    being used has the SO_KEEPALIVE attribute set on it (see <link linkend="SOCKETOPTIONS">
+    <parameter moreinfo="none">socket options</parameter></link>). 
+Basically you should only use this option if you strike difficulties.</para>
+
+<para>Default: <emphasis><parameter>keepalive</parameter> = 300
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>keepalive</parameter> = 600
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>kernel change notify</primary></indexterm><term><anchor id="KERNELCHANGENOTIFY"/>kernel change notify (G)</term><listitem>
+	<para>This parameter specifies whether Samba should ask the 
+	kernel for change notifications in directories so that
+	SMB clients can refresh whenever the data on the server changes.
+	</para>
+
+	<para>This parameter is only used when your kernel supports 
+	change notification to user programs, using the F_NOTIFY fcntl.
+	</para>
+
+<para>Default: <emphasis><parameter>kernel change notify</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>kernel oplocks</primary></indexterm><term><anchor id="KERNELOPLOCKS"/>kernel oplocks (G)</term><listitem>
+	<para>For UNIXes that support kernel based <link linkend="OPLOCKS">
+	<parameter moreinfo="none">oplocks</parameter></link>
+	(currently only IRIX and the Linux 2.4 kernel), this parameter 
+	allows the use of them to be turned on or off.</para>
+
+	<para>Kernel oplocks support allows Samba <parameter moreinfo="none">oplocks
+	</parameter> to be broken whenever a local UNIX process or NFS operation 
+	accesses a file that <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> has oplocked. This allows complete 
+	data consistency between SMB/CIFS, NFS and local file access (and is 
+	a <emphasis>very</emphasis> cool feature :-).</para>
+
+	<para>This parameter defaults to <constant>on</constant>, but is translated
+	to a no-op on systems that no not have the necessary kernel support.
+	You should never need to touch this parameter.</para>
+
+<para>Default: <emphasis><parameter>kernel oplocks</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lanman auth</primary></indexterm><term><anchor id="LANMANAUTH"/>lanman auth (G)</term><listitem>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users or permit password changes
+    using the LANMAN password hash. If disabled, only clients which support NT 
+    password hashes (e.g. Windows NT/2000 clients, smbclient, but not 
+    Windows 95/98 or the MS DOS network client) will be able to
+    connect to the Samba host.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Servers
+    without Windows 95/98/ME or MS DOS clients are advised to disable
+    this option.  </para>
+		
+    <para>Unlike the <command moreinfo="none">encypt
+    passwords</command> option, this parameter cannot alter client
+    behaviour, and the LANMAN response will still be sent over the
+    network.  See the <command moreinfo="none">client lanman
+    auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+    <para>If this option, and <command moreinfo="none">ntlm
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to use it.</para>
+
+<para>Default: <emphasis><parameter>lanman auth</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>large readwrite</primary></indexterm><term><anchor id="LARGEREADWRITE"/>large readwrite (G)</term><listitem>
+    <para>This parameter determines whether or not
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> supports the new 64k
+    streaming read and write varient SMB requests introduced with
+    Windows 2000. Note that due to Windows 2000 client redirector bugs
+    this requires Samba to be running on a 64-bit capable operating
+    system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
+    performance by 10% with Windows 2000 clients. Defaults to on. Not as
+	tested as some other Samba code paths.</para>
+
+<para>Default: <emphasis><parameter>large readwrite</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap admin dn</primary></indexterm><term><anchor id="LDAPADMINDN"/>ldap admin dn (G)</term><listitem>
+	<para> The <parameter moreinfo="none">ldap admin dn</parameter>
+	defines the Distinguished  Name (DN) name used by Samba to
+	contact the ldap server when retreiving  user account
+	information. The <parameter moreinfo="none">ldap admin
+	dn</parameter> is used in conjunction with the admin dn password
+	stored in the <filename moreinfo="none">private/secrets.tdb</filename> file.
+	See the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> man page for more
+	information on how  to accmplish this.</para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap delete dn</primary></indexterm><term><anchor id="LDAPDELETEDN"/>ldap delete dn (G)</term><listitem>
+	<para> This parameter specifies whether a delete
+	operation in the ldapsam deletes the complete entry or only the attributes
+	specific to Samba.
+</para>
+
+<para>Default: <emphasis><parameter>ldap delete dn</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap filter</primary></indexterm><term><anchor id="LDAPFILTER"/>ldap filter (G)</term><listitem>
+	<para>This parameter specifies the RFC 2254 compliant LDAP search filter.
+	The default is to match the login name with the <constant>uid</constant> 
+	attribute. Note that this filter should only return one entry.
+</para>
+
+<para>Default: <emphasis><parameter>ldap filter</parameter> = (uid=%u)
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>ldap filter</parameter> = (&amp;(uid=%u)(objectclass=sambaSamAccount))
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap group suffix</primary></indexterm><term><anchor id="LDAPGROUPSUFFIX"/>ldap group suffix (G)</term><listitem>
+	<para>This parameters specifies the suffix that is 
+	used for groups when these are added to the LDAP directory.
+	If this parameter is unset, the value of <parameter>ldap suffix</parameter> will be used instead.</para>
+
+
+<para>Default: <emphasis><parameter>ldap group suffix</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>ldap group suffix</parameter> = ou=Groups,dc=samba,ou=Groups
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap idmap suffix</primary></indexterm><term><anchor id="LDAPIDMAPSUFFIX"/>ldap idmap suffix (G)</term><listitem>
+	<para>This parameters specifies the suffix that is 
+	used when storing idmap mappings. If this parameter 
+	is unset, the value of <parameter>ldap suffix</parameter>
+	will be used instead.</para>
+
+<para>Default: <emphasis><parameter>ldap idmap suffix</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>ldap idmap suffix</parameter> = ou=Idmap,dc=samba,dc=org
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap machine suffix</primary></indexterm><term><anchor id="LDAPMACHINESUFFIX"/>ldap machine suffix (G)</term><listitem>
+	<para>It specifies where machines should be added to the ldap tree.</para>
+
+<para>Default: <emphasis><parameter>ldap machine suffix</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap passwd sync</primary></indexterm><term><anchor id="LDAPPASSWDSYNC"/>ldap passwd sync (G)</term><listitem>
+	<para>This option is used to define whether
+	or not Samba should sync the LDAP password with the NT
+	and LM hashes for normal accounts (NOT for
+	workstation, server or domain trusts) on a password
+	change via SAMBA.  
+	</para>
+
+	<para>The <parameter moreinfo="none">ldap passwd
+	sync</parameter> can be set to one of three values: </para>
 	
-		<para>An important point is that if guest access is specified 
-		in the [homes] section, all home directories will be 
-		visible to all clients <emphasis>without a password</emphasis>. 
-		In the very unlikely event that this is actually desirable, it 
-		is wise to also specify <emphasis>read only access</emphasis>.</para>
-
-		<para>The <emphasis>browseable</emphasis> flag for 
-		auto home directories will be inherited from the global browseable 
-		flag, not the [homes] browseable flag. This is useful as 
-		it means setting <emphasis>browseable = no</emphasis> in
-		the [homes] section will hide the [homes] share but make
-		any auto home directories visible.</para>
-	</refsect2>
-
-	<refsect2 id="PRINTERSSECT">
-		<title>The [printers] section</title>
-		
-		<para>This section works like [homes], 
-		but for printers.</para>
-
-		<para>If a [printers] section occurs in the 
-		configuration file, users are able to connect to any printer 
-		specified in the local host's printcap file.</para>
-
-		<para>When a connection request is made, the existing sections 
-		are scanned. If a match is found, it is used. If no match is found, 
-		but a [homes] section exists, it is used as described
-		above. Otherwise, the requested section name is treated as a
-		printer name and the appropriate printcap file is scanned to see 
-		if the requested section name is a valid printer share name. If 
-		a match is found, a new printer share is created by cloning 
-		the [printers] section.</para>
-
-		<para>A few modifications are then made to the newly created 
-		share:</para>
-
-		<itemizedlist>
-		<listitem><para>The share name is set to the located printer 
-		name</para></listitem>
-
-		<listitem><para>If no printer name was given, the printer name 
-		is set to the located printer name</para></listitem>
-
-		<listitem><para>If the share does not permit guest access and 
-		no username was given, the username is set to the located 
-		printer name.</para></listitem>
-		</itemizedlist>
-
-		<para>The [printers] service MUST be 
-		printable - if you specify otherwise, the server will refuse 
-		to load the configuration file.</para>
-		
-		<para>Typically the path specified is that of a 
-		world-writeable spool directory with the sticky bit set on 
-		it. A typical [printers] entry looks like 
-		this:</para>
-
-	<smbconfexample>
-		<smbconfsection name="[printers]"/>
-		<smbconfoption name="path">/usr/spool/public</smbconfoption>
-		<smbconfoption name="guest ok">yes</smbconfoption>
-		<smbconfoption name="printable">yes</smbconfoption>
-	</smbconfexample>
-
-		<para>All aliases given for a printer in the printcap file 
-		are legitimate printer names as far as the server is concerned. 
-		If your printing subsystem doesn't work like that, you will have 
-		to set up a pseudo-printcap. This is a file consisting of one or 
-		more lines like this:</para>
-
-		<programlisting>
-alias|alias|alias|alias...    
-		</programlisting>
-
-		<para>Each alias should be an acceptable printer name for 
-		your printing subsystem. In the [global] section, specify 
-		the new file as your printcap.  The server will only recognize 
-		names found in your pseudo-printcap, which of course can contain 
-		whatever aliases you like. The same technique could be used 
-		simply to limit access to a subset of your local printers.</para>
-
-		<para>An alias, by the way, is defined as any component of the 
-		first entry of a printcap record. Records are separated by newlines,
-		components (if there are more than one) are separated by vertical 
-		bar symbols (<quote>|</quote>).</para>
-		
-		<note><para>On SYSV systems which use lpstat to determine what 
-		printers are defined on the system you may be able to use
-		<quote>printcap name = lpstat</quote> to automatically obtain a list 
-		of printers. See the <quote>printcap name</quote> option 
-		for more details.</para></note>
-	</refsect2>
-</refsect1>
-
-<refsect1>
-	<title>PARAMETERS</title>
-
-	<para>Parameters define the specific attributes of sections.</para>
-
-	<para>Some parameters are specific to the [global] section
-	(e.g., <emphasis>security</emphasis>).  Some parameters are usable 
-	in all sections (e.g., <emphasis>create mode</emphasis>). All others 
-	are permissible only in normal sections. For the purposes of the 
-	following descriptions the [homes] and [printers]
-	sections will be considered normal.  The letter <emphasis>G</emphasis> 
-	in parentheses indicates that a parameter is specific to the
-	[global] section. The letter <emphasis>S</emphasis>
-	indicates that a parameter can be specified in a service specific
-	section. All <emphasis>S</emphasis> parameters can also be specified in 
-	the [global] section - in which case they will define
-	the default behavior for all services.</para>
-
-	<para>Parameters are arranged here in alphabetical order - this may 
-	not create best bedfellows, but at least you can find them! Where
-	there are synonyms, the preferred synonym is described, others refer 
-	to the preferred synonym.</para>
-</refsect1>
-
-<refsect1>
-	<title>VARIABLE SUBSTITUTIONS</title>
-
-	<para>Many of the strings that are settable in the config file 
-	can take substitutions. For example the option <quote>path =
-	/tmp/%u</quote> is interpreted as <quote>path = 
-	/tmp/john</quote> if the user connected with the username john.</para>
-
-	<para>These substitutions are mostly noted in the descriptions below, 
-	but there are some general substitutions which apply whenever they 
-	might be relevant. These are:</para>
-
-	<variablelist>
-		<varlistentry>
-		<term>%U</term>
-		<listitem><para>session username (the username that the client 
-		wanted, not necessarily the same as the one they got).</para></listitem>
-		</varlistentry>
-		
-		<varlistentry>
-		<term>%G</term>
-		<listitem><para>primary group name of %U.</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>%h</term>
-		<listitem><para>the Internet hostname that Samba is running 
-		on.</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>%m</term>
-		<listitem><para>the NetBIOS name of the client machine 
-		(very useful).</para></listitem>
-		</varlistentry>
-		
-		<varlistentry>
-		<term>%L</term>
-		<listitem><para>the NetBIOS name of the server. This allows you 
-		to change your config based on what the client calls you. Your 
-		server can have a <quote>dual personality</quote>.</para>
-
-                <para>This parameter is not available when Samba listens
-                on port 445, as clients no longer send this information.</para>
-                </listitem>
-
-		</varlistentry>
-		
-		<varlistentry>
-		<term>%M</term>
-		<listitem><para>the Internet name of the client machine.
-		</para></listitem>
-		</varlistentry>
-		
-		<varlistentry>
-		<term>%R</term>
-		<listitem><para>the selected protocol level after 
-		protocol negotiation. It can be one of CORE, COREPLUS, 
-		LANMAN1, LANMAN2 or NT1.</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>%d</term>
-		<listitem><para>the process id of the current server
-		process.</para></listitem>
-		</varlistentry>
-		
-		<varlistentry>
-		<term>%a</term>
-		<listitem><para>the architecture of the remote
-		machine.  It currently recognizes Samba (<constant>Samba</constant>), 
-		the Linux CIFS file system (<constant>CIFSFS</constant>), OS/2, (<constant>OS2</constant>),
-		Windows for Workgroups (<constant>WfWg</constant>), Windows 9x/ME 
-		(<constant>Win95</constant>), Windows NT (<constant>WinNT</constant>),
-		Windows 2000 (<constant>Win2K</constant>), Windows XP (<constant>WinXP</constant>),
-		and Windows 2003 (<constant>Win2K3</constant>).  Anything else will be known as 
-		<constant>UNKNOWN</constant>.</para> 
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">Yes</parameter>  =  Try 
+			to update the LDAP, NT and LM passwords and update the pwdLastSet time.</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">No</parameter> = Update NT and 
+			LM passwords and update the pwdLastSet time.</para>
+		</listitem>
+
+		<listitem>
+			<para><parameter moreinfo="none">Only</parameter> = Only update 
+			the LDAP password and let the LDAP server do the rest.</para>
 		</listitem>
-		</varlistentry>
+	</itemizedlist>		
+
+<para>Default: <emphasis><parameter>ldap passwd sync</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap port</primary></indexterm><term><anchor id="LDAPPORT"/>ldap port (G)</term><listitem>
+	<para>This parameter is only available if Samba has been
+	configure to include the <command moreinfo="none">--with-ldapsam</command> option
+	at compile time.</para>
+
+	<para>This option is used to control the tcp port number used to contact
+	the <link linkend="LDAPSERVER"><parameter moreinfo="none">ldap server</parameter></link>.
+	The default is to use the stand LDAPS port 636.</para>
+
+<para>Default: <emphasis><parameter>ldap port</parameter> = 636
+# if ldap ssl = on
+</emphasis>
+</para><para>Default: <emphasis><parameter>ldap port</parameter> = 389
+# if ldap ssl = off
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap replication sleep</primary></indexterm><term><anchor id="LDAPREPLICATIONSLEEP"/>ldap replication sleep (G)</term><listitem>
+	<para>When Samba is asked to write to a read-only LDAP
+replica, we are redirected to talk to the read-write master server.
+This server then replicates our changes back to the 'local' server,
+however the replication might take some seconds, especially over slow
+links.  Certain client activities, particularly domain joins, can become
+confused by the 'success' that does not immediately change the LDAP
+back-end's data.  </para>
+        <para>This option simply causes Samba to wait a short time, to
+allow the LDAP server to catch up.  If you have a particularly
+high-latency network, you may wish to time the LDAP replication with a
+network sniffer, and increase this value accordingly.  Be aware that no
+checking is performed that the data has actually replicated.</para>
+        <para>The value is specified in milliseconds, the maximum
+value is 5000 (5 seconds).</para>
+
+<para>Default: <emphasis><parameter>ldap replication sleep</parameter> = 1000
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldapsam:trusted</primary></indexterm><term><anchor id="LDAPSAM:TRUSTED"/>ldapsam:trusted (G)</term><listitem>
+
+<para>
+By default, Samba as a Domain Controller with an LDAP backend needs to use the
+Unix-style NSS subsystem to access user and group information. Due to the way
+Unix stores user information in /etc/passwd and /etc/group this inevitably
+leads to inefficiencies. One important question a user needs to know is the
+list of groups he is member of. The plain Unix model involves a complete
+enumeration of the file /etc/group and its NSS counterparts in LDAP. In this
+particular case there often optimized functions are available in Unix, but for
+other queries there is no optimized function available.</para>
+
+<para>To make Samba scale well in large environments, the ldapsam:trusted=yes
+option assumes that the complete user and group database that is relevant to
+Samba is stored in LDAP with the standard posixAccount/posixGroup model, and
+that the Samba auxiliary object classes are stored together with the the posix
+data in the same LDAP object. If these assumptions are met,
+ldapsam:trusted=yes can be activated and Samba can completely bypass the NSS
+system to query user information. Optimized LDAP queries can speed up domain
+logon and administration tasks a lot. Depending on the size of the LDAP
+database a factor of 100 or more for common queries is easily achieved.</para>
+
+
+<para>Default: <emphasis><parameter>ldapsam:trusted</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap server</primary></indexterm><term><anchor id="LDAPSERVER"/>ldap server (G)</term><listitem>
+	<para>This parameter is only available if Samba has been
+	configure to include the <command moreinfo="none">--with-ldapsam</command> 
+	option at compile time.</para>
+
+	<para>This parameter should contain the FQDN of the ldap directory
+	server which should be queried to locate user account information.
+</para>
+
+<para>Default: <emphasis><parameter>ldap server</parameter> = localhost
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap ssl</primary></indexterm><term><anchor id="LDAPSSL"/>ldap ssl (G)</term><listitem>
+	<para>This option is used to define whether or not Samba should
+	use SSL when connecting to the ldap server
+	This is <emphasis>NOT</emphasis> related to
+	Samba's previous SSL support which was enabled by specifying the 
+	<command moreinfo="none">--with-ssl</command> option to the <filename moreinfo="none">configure</filename> 
+	script.</para>
 		
-		<varlistentry>
-		<term>%I</term>
-		<listitem><para>the IP address of the client machine.</para>
+	<para>The <parameter moreinfo="none">ldap ssl</parameter> can be set to one of three values:</para>	
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">Off</parameter> = Never 
+			use SSL when querying the directory.</para>
 		</listitem>
-		</varlistentry>
 
-		<varlistentry>
-		<term>%i</term>
-		<listitem><para>the local IP address to which a client connected.</para>
+		<listitem>
+			<para><parameter moreinfo="none">Start_tls</parameter> = Use 
+			the LDAPv3 StartTLS extended operation (RFC2830) for 
+			communicating with the directory server.</para>
 		</listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>%T</term>
-		<listitem><para>the current date and time.</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>%D</term>
-		<listitem><para>name of the domain or workgroup of the current user.</para></listitem>
-		</varlistentry>
-		
-		<varlistentry>
-		<term>%$(<replaceable>envvar</replaceable>)</term>
-		<listitem><para>the value of the environment variable
-		<replaceable>envar</replaceable>.</para></listitem>
-		</varlistentry>
-	</variablelist>
-
-	<para>The following substitutes apply only to some configuration options (only those 
-	that are used when a connection has been established):</para>
-
-	<variablelist>
-		<varlistentry>
-		<term>%S</term>
-		<listitem><para>the name of the current service, if any.</para>
+	    
+		<listitem>
+			<para><parameter moreinfo="none">On</parameter>  = Use SSL 
+			on the ldaps port when contacting the <parameter moreinfo="none">ldap server</parameter>. Only available when the 
+			backwards-compatiblity <command moreinfo="none">--with-ldapsam</command> option is specified
+			to configure. See <link linkend="PASSDBBACKEND"><parameter moreinfo="none">passdb backend</parameter></link></para>
 		</listitem>
-		</varlistentry>
-	
-		<varlistentry>
-		<term>%P</term>
-		<listitem><para>the root directory of the current service, 
-		if any.</para></listitem>
-		</varlistentry>
-	
-		<varlistentry>
-		<term>%u</term>
-		<listitem><para>username of the current service, if any.</para>
+	</itemizedlist>		
+
+<para>Default: <emphasis><parameter>ldap ssl</parameter> = start_tls
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap suffix</primary></indexterm><term><anchor id="LDAPSUFFIX"/>ldap suffix (G)</term><listitem>
+	<para>Specifies where user and machine accounts are added to the
+	tree. Can be overriden by <command moreinfo="none">ldap user
+	suffix</command> and <command moreinfo="none">ldap machine
+	suffix</command>. It also used as the base dn for all ldap
+searches. </para>
+
+<para>Default: <emphasis><parameter>ldap suffix</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap timeout</primary></indexterm><term><anchor id="LDAPTIMEOUT"/>ldap timeout (G)</term><listitem>
+	<para>When Samba connects to an ldap server that server
+may be down or unreachable. To prevent Samba from hanging whilst
+waiting for the connection this parameter specifies in seconds how
+long Samba should wait before failing the connect. The default is
+to only wait fifteen seconds for the ldap server to respond to the
+connect request.</para>
+
+<para>Default: <emphasis><parameter>ldap timeout</parameter> = 15
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ldap user suffix</primary></indexterm><term><anchor id="LDAPUSERSUFFIX"/>ldap user suffix (G)</term><listitem>
+	<para>This parameter specifies where users are added to the tree. 
+	If this parameter is not specified, the value from <command>ldap suffix</command>.</para>
+
+
+<para>Default: <emphasis><parameter>ldap user suffix</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>level2 oplocks</primary></indexterm><term><anchor id="LEVEL2OPLOCKS"/>level2 oplocks (S)</term><listitem>
+	<para>This parameter controls whether Samba supports
+	level2 (read-only) oplocks on a share.</para>
+		
+	<para>Level2, or read-only oplocks allow Windows NT clients 
+	that have an oplock on a file to downgrade from a read-write oplock 
+	to a read-only oplock once a second client opens the file (instead 
+	of releasing all oplocks on a second open, as in traditional, 
+	exclusive oplocks). This allows all openers of the file that 
+	support level2 oplocks to cache the file for read-ahead only (ie. 
+	they may not cache writes or lock requests) and increases performance 
+	for many accesses of files that are not commonly written (such as 
+	application .EXE files).</para>
+
+	<para>Once one of the clients which have a read-only oplock 
+	writes to the file all clients are notified (no reply is needed 
+	or waited for) and told to break their oplocks to "none" and 
+	delete any read-ahead caches.</para>
+
+	<para>It is recommended that this parameter be turned on to
+	speed access to shared executables.</para>
+
+	<para>For more discussions on level2 oplocks see the CIFS spec.</para>
+
+	<para>Currently, if <link linkend="KERNELOPLOCKS"><parameter moreinfo="none">kernel 
+	oplocks</parameter></link> are supported then level2 oplocks are 
+	not granted (even if this parameter is set to <constant>yes</constant>). 
+	Note also, the <link linkend="OPLOCKS"><parameter moreinfo="none">oplocks</parameter>
+	</link> parameter must be set to <constant>yes</constant> on this share in order for 
+	this parameter to have any effect.</para>
+
+<para>Default: <emphasis><parameter>level2 oplocks</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lm announce</primary></indexterm><term><anchor id="LMANNOUNCE"/>lm announce (G)</term><listitem>
+	<para>This parameter determines if <citerefentry><refentrytitle>nmbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> will produce Lanman announce 
+	broadcasts that are needed by OS/2 clients in order for them to see 
+	the Samba server in their browse list. This parameter can have three 
+	values, <constant>yes</constant>, <constant>no</constant>, or
+	<constant>auto</constant>. The default is <constant>auto</constant>.  
+	If set to <constant>no</constant> Samba will never produce these 
+	broadcasts. If set to <constant>yes</constant> Samba will produce 
+	Lanman announce broadcasts at a frequency set by the parameter 
+	<parameter moreinfo="none">lm interval</parameter>. If set to <constant>auto</constant> 
+	Samba will not send Lanman announce broadcasts by default but will 
+	listen for them. If it hears such a broadcast on the wire it will 
+	then start sending them at a frequency set by the parameter 
+	<parameter moreinfo="none">lm interval</parameter>.</para>
+
+<para>Default: <emphasis><parameter>lm announce</parameter> = auto
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>lm announce</parameter> = yes
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lm interval</primary></indexterm><term><anchor id="LMINTERVAL"/>lm interval (G)</term><listitem>
+	<para>If Samba is set to produce Lanman announce 
+	broadcasts needed by OS/2 clients (see the <link linkend="LMANNOUNCE">
+	<parameter moreinfo="none">lm announce</parameter></link> parameter) then this 
+	parameter defines the frequency in seconds with which they will be 
+	made.  If this is set to zero then no Lanman announcements will be 
+	made despite the setting of the <parameter moreinfo="none">lm announce</parameter> 
+	parameter.</para>
+
+<para>Default: <emphasis><parameter>lm interval</parameter> = 60
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>lm interval</parameter> = 120
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>load printers</primary></indexterm><term><anchor id="LOADPRINTERS"/>load printers (G)</term><listitem>
+    <para>A boolean variable that controls whether all 
+    printers in the printcap will be loaded for browsing by default. 
+    See the <link linkend="PRINTERSSECT">printers</link> section for 
+	more details.</para>
+
+<para>Default: <emphasis><parameter>load printers</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>local master</primary></indexterm><term><anchor id="LOCALMASTER"/>local master (G)</term><listitem>
+	<para>This option allows <citerefentry><refentrytitle>nmbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> to try and become a local master browser 
+	on a subnet. If set to <constant>no</constant> then <command moreinfo="none">
+	nmbd</command> will not attempt to become a local master browser 
+	on a subnet and will also lose in all browsing elections. By
+	default this value is set to <constant>yes</constant>. Setting this value to 
+	<constant>yes</constant> doesn't mean that Samba will <emphasis>become</emphasis> the 
+	local master browser on a subnet, just that <command moreinfo="none">nmbd</command> 
+	will <emphasis>participate</emphasis> in elections for local master browser.</para>
+
+	<para>Setting this value to <constant>no</constant> will cause <command moreinfo="none">nmbd</command> <emphasis>never</emphasis> to become a local 
+master browser.</para>
+
+<para>Default: <emphasis><parameter>local master</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lock dir</primary><see>lock directory</see></indexterm><term><anchor id="LOCKDIR"/>lock dir</term><listitem><para>This parameter is a synonym for lock directory.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>lock directory</primary></indexterm><term><anchor id="LOCKDIRECTORY"/>lock directory (G)</term><listitem>
+	<para>This option specifies the directory where lock 
+	files will be placed.  The lock files are used to implement the 
+	<link linkend="MAXCONNECTIONS"><parameter moreinfo="none">max connections</parameter>
+</link> option.</para>
+
+<para>Default: <emphasis><parameter>lock directory</parameter> = ${prefix}/var/locks
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>lock directory</parameter> = /var/run/samba/locks
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>locking</primary></indexterm><term><anchor id="LOCKING"/>locking (S)</term><listitem>
+	<para>This controls whether or not locking will be 
+	performed by the server in response to lock requests from the 
+	client.</para>
+
+	<para>If <command moreinfo="none">locking = no</command>, all lock and unlock 
+	requests will appear to succeed and all lock queries will report 
+	that the file in question is available for locking.</para>
+
+	<para>If <command moreinfo="none">locking = yes</command>, real locking will be performed 
+	by the server.</para>
+
+	<para>This option <emphasis>may</emphasis> be useful for read-only 
+	filesystems which <emphasis>may</emphasis> not need locking (such as 
+	CDROM drives), although setting this parameter of <constant>no</constant> 
+	is not really recommended even in this case.</para>
+
+	<para>Be careful about disabling locking either globally or in a 
+	specific service, as lack of locking may result in data corruption. 
+	You should never need to set this parameter.</para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lock spin count</primary></indexterm><term><anchor id="LOCKSPINCOUNT"/>lock spin count (G)</term><listitem>
+	<para>This parameter controls the number of times
+	that smbd should attempt to gain a byte range lock on the 
+	behalf of a client request.  Experiments have shown that
+	Windows 2k servers do not reply with a failure if the lock
+	could not be immediately granted, but try a few more times
+	in case the lock could later be acquired.  This behavior
+	is used to support PC database formats such as MS Access
+	and FoxPro.
+</para>
+
+<para>Default: <emphasis><parameter>lock spin count</parameter> = 3
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lock spin time</primary></indexterm><term><anchor id="LOCKSPINTIME"/>lock spin time (G)</term><listitem>
+	<para>The time in microseconds that smbd should 
+	pause before attempting to gain a failed lock.  See
+	<link linkend="LOCKSPINCOUNT"><parameter moreinfo="none">lock spin 
+			count</parameter></link> for more details.</para>
+
+<para>Default: <emphasis><parameter>lock spin time</parameter> = 10
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>log file</primary></indexterm><term><anchor id="LOGFILE"/>log file (G)</term><listitem>
+    <para>This option allows you to override the name 
+    of the Samba log file (also known as the debug file).</para>
+
+    <para>This option takes the standard substitutions, allowing 
+		you to have separate log files for each user or machine.</para>
+
+<para><emphasis>No default</emphasis></para>
+<para>Example: <emphasis><parameter>log file</parameter> = /usr/local/samba/var/log.%m
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>debuglevel</primary><see>log level</see></indexterm><term><anchor id="DEBUGLEVEL"/>debuglevel</term><listitem><para>This parameter is a synonym for log level.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>log level</primary></indexterm><term><anchor id="LOGLEVEL"/>log level (G)</term><listitem>
+    <para>The value of the parameter (a astring) allows 
+    the debug level (logging level) to be specified in the 
+    <filename moreinfo="none">smb.conf</filename> file. This parameter has been
+    extended since the 2.2.x series, now it allow to specify the debug
+    level for multiple debug classes. This is to give greater 
+    flexibility in the configuration of the system.</para>
+
+    <para>The default will be the log level specified on 
+    the command line or level zero if none was specified.</para>
+
+
+<para><emphasis>No default</emphasis></para>
+<para>Example: <emphasis><parameter>log level</parameter> = 3 passdb:5 auth:10 winbind:2
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>logon drive</primary></indexterm><term><anchor id="LOGONDRIVE"/>logon drive (G)</term><listitem>
+	<para>This parameter specifies the local path to 
+	which the home directory will be connected (see <link linkend="LOGONHOME">
+	<parameter moreinfo="none">logon home</parameter></link>) 
+	and is only used by NT Workstations. </para>
+
+	<para>Note that this option is only useful if Samba is set up as a
+		logon server.</para>
+
+<para>Default: <emphasis><parameter>logon drive</parameter> = z:
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>logon drive</parameter> = h:
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>logon home</primary></indexterm><term><anchor id="LOGONHOME"/>logon home (G)</term><listitem>
+	<para>This parameter specifies the home directory 
+	location when a Win95/98 or NT Workstation logs into a Samba PDC.  
+	It allows you to do </para>
+		
+	<para><prompt moreinfo="none">C:\&gt;</prompt>
+	<userinput moreinfo="none">NET USE H: /HOME</userinput>
+	</para>
+
+	<para>from a command prompt, for example.</para>
+
+	<para>This option takes the standard substitutions, allowing 
+	you to have separate logon scripts for each user or machine.</para>
+
+	<para>This parameter can be used with Win9X workstations to ensure 
+	that roaming profiles are stored in a subdirectory of the user's 
+	home directory.  This is done in the following way:</para>
+
+	<para><command moreinfo="none">logon home = \\%N\%U\profile</command></para>
+
+	<para>This tells Samba to return the above string, with 
+	substitutions made when a client requests the info, generally 
+	in a NetUserGetInfo request.  Win9X clients truncate the info to
+	\\server\share when a user does <command moreinfo="none">net use /home</command>
+	but use the whole string when dealing with profiles.</para>
+
+	<para>Note that in prior versions of Samba, the <link linkend="LOGONPATH">
+	<parameter moreinfo="none">logon path</parameter></link> was returned rather than 
+	<parameter moreinfo="none">logon home</parameter>.  This broke <command moreinfo="none">net use /home</command> but allowed profiles outside the home directory.  
+	The current implementation is correct, and can be used for profiles if you use 
+	the above trick.</para>
+
+	<para>This option is only useful if Samba is set up as a logon 
+	server.</para>
+
+<para>Default: <emphasis><parameter>logon home</parameter> = \\%N\%U
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>logon home</parameter> = \\remote_smb_server\%U
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>logon path</primary></indexterm><term><anchor id="LOGONPATH"/>logon path (G)</term><listitem>
+	<para>This parameter specifies the home directory 
+	where roaming profiles (NTuser.dat etc files for Windows NT) are 
+	stored.  Contrary to previous versions of these manual pages, it has 
+	nothing to do with Win 9X roaming profiles.  To find out how to 
+	handle roaming profiles for Win 9X system, see the <link linkend="LOGONHOME">
+	<parameter moreinfo="none">logon home</parameter></link> parameter.</para>
+
+	<para>This option takes the standard substitutions, allowing you 
+	to have separate logon scripts for each user or machine.  It also 
+	specifies the directory from which the "Application Data", 
+	(<filename moreinfo="none">desktop</filename>, <filename moreinfo="none">start menu</filename>,
+	<filename moreinfo="none">network neighborhood</filename>, <filename moreinfo="none">programs</filename> 
+	and other folders, and their contents, are loaded and displayed on 
+	your Windows NT client.</para>
+
+	<para>The share and the path must be readable by the user for 
+	the preferences and directories to be loaded onto the Windows NT
+	client. The share must be writeable when the user logs in for the first
+	time, in order that the Windows NT client can create the NTuser.dat
+	and other directories.</para>
+
+	<para>Thereafter, the directories and any of the contents can, 
+	if required, be made read-only.  It is not advisable that the 
+	NTuser.dat file be made read-only - rename it to NTuser.man to 
+	achieve the desired effect (a <emphasis>MAN</emphasis>datory 
+	profile). </para>
+
+	<para>Windows clients can sometimes maintain a connection to 
+	the [homes] share, even though there is no user logged in.  
+	Therefore, it is vital that the logon path does not include a 
+	reference to the homes share (i.e. setting this parameter to
+	\%N\%U\profile_path will cause problems).</para>
+
+	<para>This option takes the standard substitutions, allowing 
+	you to have separate logon scripts for each user or machine.</para>
+
+	<warning>
+        <para>
+        Do not quote the value. Setting this as <quote><emphasis>\\%N\profile\%U</emphasis></quote>
+		will break profile handling.  </para>
+	</warning>
+
+	<para>Note that this option is only useful if Samba is set up 
+	as a logon server.</para>
+
+<para>Default: <emphasis><parameter>logon path</parameter> = \\%N\%U\profile
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>logon path</parameter> = &gt;\\PROFILESERVER\PROFILE\%U
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>logon script</primary></indexterm><term><anchor id="LOGONSCRIPT"/>logon script (G)</term><listitem>
+	<para>This parameter specifies the batch file (.bat) or 
+	NT command file (.cmd) to be downloaded and run on a machine when 
+	a user successfully logs in.  The file must contain the DOS 
+	style CR/LF line endings. Using a DOS-style editor to create the 
+	file is recommended.</para>
+		
+	<para>The script must be a relative path to the [netlogon] 
+	service.  If the [netlogon] service specifies a <link linkend="PATH">
+	<parameter moreinfo="none">path</parameter></link> of <filename moreinfo="none">/usr/local/samba/netlogon</filename>, and <command moreinfo="none">logon script = STARTUP.BAT</command>, then 
+	the file that will be downloaded is:</para>
+
+	<para><filename moreinfo="none">/usr/local/samba/netlogon/STARTUP.BAT</filename></para>
+
+	<para>The contents of the batch file are entirely your choice.  A 
+	suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET 
+	/YES</command>, to force every machine to synchronize clocks with 
+	the same time server.  Another use would be to add <command moreinfo="none">NET USE 
+	U: \\SERVER\UTILS</command> for commonly used utilities, or <screen>
+	<userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for example.</para>
+
+	<para>Note that it is particularly important not to allow write 
+	access to the [netlogon] share, or to grant users write permission 
+	on the batch files in a secure environment, as this would allow 
+	the batch files to be arbitrarily modified and security to be 
+	breached.</para>
+
+	<para>This option takes the standard substitutions, allowing you 
+	to have separate logon scripts for each user or machine.</para>
+
+	<para>This option is only useful if Samba is set up as a logon 
+		server.</para>
+
+<para>Default: <emphasis><parameter>logon script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>logon script</parameter> = scripts\%U.bat
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lppause command</primary></indexterm><term><anchor id="LPPAUSECOMMAND"/>lppause command (S)</term><listitem>
+    <para>This parameter specifies the command to be 
+    executed on the server host in order to stop printing or spooling 
+    a specific print job.</para>
+
+    <para>This command should be a program or script which takes 
+    a printer name and job number to pause the print job. One way 
+    of implementing this is by using job priorities, where jobs 
+    having a too low priority won't be sent to the printer.</para>
+
+    <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name 
+    is put in its place. A <parameter moreinfo="none">%j</parameter> is replaced with 
+    the job number (an integer).  On HPUX (see <parameter moreinfo="none">printing=hpux
+    </parameter>), if the <parameter moreinfo="none">-p%p</parameter> option is added 
+    to the lpq command, the job will show up with the correct status, i.e. 
+    if the job priority is lower than the set fence priority it will 
+    have the PAUSED status, whereas if  the priority is equal or higher it 
+    will have the SPOOLED or PRINTING status.</para>
+
+    <para>Note that it is good practice to include the absolute path 
+    in the lppause command as the PATH may not be available to the server.</para>
+
+<para>Default: <emphasis><parameter>lppause command</parameter> = 
+# Currently no default value is given to 
+    this string, unless the value of the <parameter moreinfo="none">printing</parameter> 
+	parameter is <constant>SYSV</constant>, in which case the default is : <command moreinfo="none">lp -i %p-%j -H hold</command> or if the value of the <parameter moreinfo="none">printing</parameter> parameter is <constant>SOFTQ</constant>, then the default is: <command moreinfo="none">qstat -s -j%j -h</command>. 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>lppause command</parameter> = /usr/bin/lpalt %p-%j -p0
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lpq cache time</primary></indexterm><term><anchor id="LPQCACHETIME"/>lpq cache time (G)</term><listitem>
+	<para>This controls how long lpq info will be cached 
+	for to prevent the <command moreinfo="none">lpq</command> command being called too 
+	often. A separate cache is kept for each variation of the <command moreinfo="none">
+	lpq</command> command used by the system, so if you use different 
+	<command moreinfo="none">lpq</command> commands for different users then they won't
+	share cache information.</para>
+
+	<para>The cache files are stored in <filename moreinfo="none">/tmp/lpq.xxxx</filename> 
+	where xxxx is a hash of the <command moreinfo="none">lpq</command> command in use.</para>
+
+	<para>The default is 10 seconds, meaning that the cached results 
+	of a previous identical <command moreinfo="none">lpq</command> command will be used 
+	if the cached data is less than 10 seconds old. A large value may 
+	be advisable if your <command moreinfo="none">lpq</command> command is very slow.</para>
+
+<para>A value of 0 will disable caching completely.</para>
+
+<para>Default: <emphasis><parameter>lpq cache time</parameter> = 10
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>lpq cache time</parameter> = 30
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lpq command</primary></indexterm><term><anchor id="LPQCOMMAND"/>lpq command (S)</term><listitem>
+    <para>This parameter specifies the command to be 
+    executed on the server host in order to obtain <command moreinfo="none">lpq
+    </command>-style printer status information.</para>
+
+    <para>This command should be a program or script which 
+    takes a printer name as its only parameter and outputs printer 
+    status information.</para>
+
+    <para>Currently nine styles of printer status information 
+    are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. 
+    This covers most UNIX systems. You control which type is expected 
+    using the <parameter moreinfo="none">printing =</parameter> option.</para>
+
+    <para>Some clients (notably Windows for Workgroups) may not 
+    correctly send the connection number for the printer they are 
+    requesting status information about. To get around this, the 
+    server reports on the first printer service connected to by the 
+    client. This only happens if the connection number sent is invalid.</para>
+
+    <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name 
+    is put in its place. Otherwise it is placed at the end of the 
+    command.</para>
+
+    <para>Note that it is good practice to include the absolute path 
+    in the <parameter moreinfo="none">lpq command</parameter> as the <envar>$PATH
+    </envar> may not be available to the server.  When compiled with
+    the CUPS libraries, no <parameter moreinfo="none">lpq command</parameter> is
+    needed because smbd will make a library call to obtain the 
+	print queue listing.</para>
+
+<para>Default: <emphasis><parameter>lpq command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>lpq command</parameter> = /usr/bin/lpq -P%p
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lpresume command</primary></indexterm><term><anchor id="LPRESUMECOMMAND"/>lpresume command (S)</term><listitem>
+    <para>This parameter specifies the command to be 
+    executed on the server host in order to restart or continue 
+    printing or spooling a specific print job.</para>
+
+    <para>This command should be a program or script which takes 
+    a printer name and job number to resume the print job. See 
+    also the <link linkend="LPPAUSECOMMAND"><parameter moreinfo="none">lppause command
+    </parameter></link> parameter.</para>
+
+    <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name 
+    is put in its place. A <parameter moreinfo="none">%j</parameter> is replaced with 
+    the job number (an integer).</para>
+		
+    <para>Note that it is good practice to include the absolute path 
+    in the <parameter moreinfo="none">lpresume command</parameter> as the PATH may not 
+    be available to the server.</para>
+		
+    <para>See also the <link linkend="PRINTING"><parameter moreinfo="none">printing
+    </parameter></link> parameter.</para>
+
+    <para>Default: Currently no default value is given 
+    to this string, unless the value of the <parameter moreinfo="none">printing</parameter> 
+    parameter is <constant>SYSV</constant>, in which case the default is :</para>
+
+    <para><command moreinfo="none">lp -i %p-%j -H resume</command></para>
+
+    <para>or if the value of the <parameter moreinfo="none">printing</parameter> parameter 
+		is <constant>SOFTQ</constant>, then the default is:</para>
+
+    <para><command moreinfo="none">qstat -s -j%j -r</command></para>
+
+<para>Default: <emphasis><parameter>lpresume command</parameter> = lpresume command = /usr/bin/lpalt %p-%j -p2
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>lprm command</primary></indexterm><term><anchor id="LPRMCOMMAND"/>lprm command (S)</term><listitem>
+    <para>This parameter specifies the command to be 
+    executed on the server host in order to delete a print job.</para>
+
+    <para>This command should be a program or script which takes 
+    a printer name and job number, and deletes the print job.</para>
+
+    <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name 
+    is put in its place. A <parameter moreinfo="none">%j</parameter> is replaced with 
+    the job number (an integer).</para>
+
+    <para>Note that it is good practice to include the absolute 
+    path in the <parameter moreinfo="none">lprm command</parameter> as the PATH may not be 
+    available to the server.</para>
+
+
+<para>Default: <emphasis><parameter>lprm command</parameter> = 
+# depends on the setting of <parameter moreinfo="none">printing</parameter>
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>lprm command</parameter> = /usr/bin/lprm -P%p %j
+</emphasis>
+</para><para>Example: <emphasis><parameter>lprm command</parameter> = /usr/bin/cancel %p-%j
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>machine password timeout</primary></indexterm><term><anchor id="MACHINEPASSWORDTIMEOUT"/>machine password timeout (G)</term><listitem>
+	<para>If a Samba server is a member of a Windows 
+	NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>
+	parameter) then periodically a running smbd
+	 process will try and change the MACHINE ACCOUNT 
+	PASSWORD stored in the TDB called <filename moreinfo="none">private/secrets.tdb
+	</filename>.  This parameter specifies how often this password 
+	will be changed, in seconds. The default is one week (expressed in 
+	seconds), the same as a Windows NT Domain member server.</para>
+
+	<para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>, and the <link linkend="SECURITYEQUALSDOMAIN">
+	security = domain</link> parameter.</para>
+
+
+<para>Default: <emphasis><parameter>machine password timeout</parameter> = 604800
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>magic output</primary></indexterm><term><anchor id="MAGICOUTPUT"/>magic output (S)</term><listitem>
+	<para>This parameter specifies the name of a file 
+	which will contain output created by a magic script (see the 
+	<link linkend="MAGICSCRIPT"><parameter moreinfo="none">magic script</parameter></link>
+	parameter below).</para>
+
+<warning><para>If two clients use the same <parameter moreinfo="none">magic script
+	</parameter> in the same directory the output file content
+	is undefined.</para></warning>
+
+<para>Default: <emphasis><parameter>magic output</parameter> = &lt;magic script name&gt;.out
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>magic output</parameter> = myfile.txt
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>magic script</primary></indexterm><term><anchor id="MAGICSCRIPT"/>magic script (S)</term><listitem>
+	<para>This parameter specifies the name of a file which, 
+	if opened, will be executed by the server when the file is closed. 
+	This allows a UNIX script to be sent to the Samba host and 
+	executed on behalf of the connected user.</para>
+
+	<para>Scripts executed in this way will be deleted upon 
+	completion assuming that the user has the appropriate level 
+	of privilege and the file permissions allow the deletion.</para>
+
+	<para>If the script generates output, output will be sent to 
+	the file specified by the <link linkend="MAGICOUTPUT"><parameter moreinfo="none">
+	magic output</parameter></link> parameter (see above).</para>
+
+	<para>Note that some shells are unable to interpret scripts 
+	containing CR/LF instead of CR as 
+	the end-of-line marker. Magic scripts must be executable 
+	<emphasis>as is</emphasis> on the host, which for some hosts and 
+	some shells will require filtering at the DOS end.</para>
+
+	<para>Magic scripts are <emphasis>EXPERIMENTAL</emphasis> and 
+		should <emphasis>NOT</emphasis> be relied upon.</para>
+
+<para>Default: <emphasis><parameter>magic script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>magic script</parameter> = user.csh
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>mangled map</primary></indexterm><term><anchor id="MANGLEDMAP"/>mangled map (S)</term><listitem>
+	<para>This is for those who want to directly map UNIX 
+	file names which cannot be represented on Windows/DOS.  The mangling 
+	of names is not always what is needed.  In particular you may have 
+	documents with file extensions that differ between DOS and UNIX. 
+	For example, under UNIX it is common to use <filename moreinfo="none">.html</filename> 
+	for HTML files, whereas under Windows/DOS <filename moreinfo="none">.htm</filename> 
+	is more commonly used.</para>
+
+	<para>So to map <filename moreinfo="none">html</filename> to <filename moreinfo="none">htm</filename> 
+	you would use:</para>
+		
+	<para><command moreinfo="none">mangled map = (*.html *.htm)</command></para>
+
+	<para>One very useful case is to remove the annoying <filename moreinfo="none">;1
+	</filename> off the ends of filenames on some CDROMs (only visible 
+	under some UNIXes). To do this use a map of (*;1 *;).</para>
+
+<para>Default: <emphasis><parameter>mangled map</parameter> = 
+# no mangled map
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>mangled map</parameter> = (*;1 *;)
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>mangled names</primary></indexterm><term><anchor id="MANGLEDNAMES"/>mangled names (S)</term><listitem>
+	<para>This controls whether non-DOS names under UNIX 
+	should be mapped to DOS-compatible names ("mangled") and made visible, 
+	or whether non-DOS names should simply be ignored.</para>
+
+	<para>See the section on <link linkend="NAMEMANGLINGSECT">NAME MANGLING</link> for 
+	details on how to control the mangling process.</para>
+
+	<para>If mangling is used then the mangling algorithm is as follows:</para>
+
+	<itemizedlist>
+		<listitem>
+			<para>The first (up to) five alphanumeric characters 
+			before the rightmost dot of the filename are preserved, forced 
+			to upper case, and appear as the first (up to) five characters 
+			of the mangled name.</para>
 		</listitem>
-		</varlistentry>
-	
-		<varlistentry>
-		<term>%g</term>
-		<listitem><para>primary group name of %u.</para></listitem>
-		</varlistentry>
+		
+		<listitem>
+			<para>A tilde "~" is appended to the first part of the mangled
+			name, followed by a two-character unique sequence, based on the
+			original root name (i.e., the original filename minus its final
+			extension). The final extension is included in the hash calculation
+			only if it contains any upper case characters or is longer than three
+			characters.</para>
+
+			<para>Note that the character to use may be specified using 
+			the <link linkend="MANGLINGCHAR"><parameter moreinfo="none">mangling char</parameter>
+			</link> option, if you don't like '~'.</para>
+		</listitem>
+
+		<listitem>
+			<para>Files whose UNIX name begins with a dot will be 
+			presented as DOS hidden files. The mangled name will be created as 
+			for other filenames, but with the leading dot removed and "___" as 
+			its extension regardless of actual original extension (that's three 
+			underscores).</para>
+		</listitem>
+	</itemizedlist>
+
+	<para>The two-digit hash value consists of upper case alphanumeric characters.</para>
+
+	<para>This algorithm can cause name collisions only if files 
+	in a directory share the same first five alphanumeric characters. 
+	The probability of such a clash is 1/1300.</para>
+
+	<para>The name mangling (if enabled) allows a file to be 
+	copied between UNIX directories from Windows/DOS while retaining 
+	the long UNIX filename. UNIX files can be renamed to a new extension 
+	from Windows/DOS and will retain the same basename. Mangled names 
+	do not change between sessions.</para>
+
+<para>Default: <emphasis><parameter>mangled names</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>mangle prefix</primary></indexterm><term><anchor id="MANGLEPREFIX"/>mangle prefix (G)</term><listitem>
+	<para> controls the number of prefix
+	characters from the original name used when generating
+	the mangled names. A larger value will give a weaker
+	hash and therefore more name collisions. The minimum
+	value is 1 and the maximum value is 6.</para>
+
+	<para>
+	mangle prefix is effective only when mangling method is hash2.
+	</para>
+
+<para>Default: <emphasis><parameter>mangle prefix</parameter> = 1
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>mangle prefix</parameter> = 4
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>mangling char</primary></indexterm><term><anchor id="MANGLINGCHAR"/>mangling char (S)</term><listitem>
+	<para>This controls what character is used as 
+	the <emphasis>magic</emphasis> character in <link linkend="NAMEMANGLINGSECT">name mangling</link>. The 
+	default is a '~' but this may interfere with some software. Use this option to set 
+	it to whatever you prefer. This is effective only when mangling method is hash.</para>
+
+<para>Default: <emphasis><parameter>mangling char</parameter> = ~
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>mangling char</parameter> = ^
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>mangling method</primary></indexterm><term><anchor id="MANGLINGMETHOD"/>mangling method (G)</term><listitem>
+	<para> controls the algorithm used for the generating
+	the mangled names. Can take two different values, "hash" and
+	"hash2". "hash" is the algorithm that was used
+	used in Samba for many years and was the default in Samba 2.2.x "hash2" is
+        now the default and is newer and considered a better algorithm (generates less collisions) in
+        the names. Many Win32 applications store the mangled names and so
+	changing to algorithms must not be done lightly as these applications
+        may break unless reinstalled.</para>
+
+<para>Default: <emphasis><parameter>mangling method</parameter> = hash2
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>mangling method</parameter> = hash
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>map acl inherit</primary></indexterm><term><anchor id="MAPACLINHERIT"/>map acl inherit (S)</term><listitem>
+    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> will attempt to map the 'inherit' and 'protected'
+    access control entry flags stored in Windows ACLs into an extended attribute
+    called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
+    on a platform that supports extended attributes (Linux and IRIX so far) and
+    allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
+    POSIX ACL mapping code.
+    </para>
+
+<para>Default: <emphasis><parameter>map acl inherit</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>map archive</primary></indexterm><term><anchor id="MAPARCHIVE"/>map archive (S)</term><listitem>
+	<para>This controls whether the DOS archive attribute 
+	should be mapped to the UNIX owner execute bit.  The DOS archive bit 
+	is set when a file has been modified since its last backup.  One 
+	motivation for this option it to keep Samba/your PC from making 
+	any file it touches from becoming executable under UNIX.  This can 
+	be quite annoying for shared source code, documents, etc...</para>
+
+	<para>Note that this requires the <parameter moreinfo="none">create mask</parameter>
+	parameter to be set such that owner execute bit is not masked out 
+	(i.e. it must include 100). See the parameter <link linkend="CREATEMASK">
+	<parameter moreinfo="none">create mask</parameter></link> for details.</para>
+
+<para>Default: <emphasis><parameter>map archive</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>map hidden</primary></indexterm><term><anchor id="MAPHIDDEN"/>map hidden (S)</term><listitem>
+	<para>This controls whether DOS style hidden files 
+	should be mapped to the UNIX world execute bit.</para>
+
+	<para>Note that this requires the <parameter moreinfo="none">create mask</parameter> 
+	to be set such that the world execute bit is not masked out (i.e. 
+	it must include 001). See the parameter <link linkend="CREATEMASK">
+	<parameter moreinfo="none">create mask</parameter></link> for details.</para>
+
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>map system</primary></indexterm><term><anchor id="MAPSYSTEM"/>map system (S)</term><listitem>
+	<para>This controls whether DOS style system files 
+	should be mapped to the UNIX group execute bit.</para>
+
+	<para>Note that this requires the <parameter moreinfo="none">create mask</parameter> 
+	to be set such that the group execute bit is not masked out (i.e. 
+	it must include 010). See the parameter <link linkend="CREATEMASK">
+	<parameter moreinfo="none">create mask</parameter></link> for details.</para>
 	
-		<varlistentry>
-		<term>%H</term>
-		<listitem><para>the home directory of the user given 
-		by %u.</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term>%N</term>
-		<listitem><para>the name of your NIS home directory server.  
-		This is obtained from your NIS auto.map entry.  If you have 
-		not compiled Samba with the <emphasis>--with-automount</emphasis> 
-		option, this value will be the same as %L.</para>
+<para>Default: <emphasis><parameter>map system</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>map to guest</primary></indexterm><term><anchor id="MAPTOGUEST"/>map to guest (G)</term><listitem>
+    <para>This parameter is only useful in <link linkend="SECURITY">
+    security</link> modes other than <parameter moreinfo="none">security = share</parameter> 
+    - i.e. <constant>user</constant>, <constant>server</constant>, 
+    and <constant>domain</constant>.</para>
+
+    <para>This parameter can take three different values, which tell
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> what to do with user 
+    login requests that don't match a valid UNIX user in some way.</para>
+
+    <para>The three settings are :</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para><constant>Never</constant> - Means user login 
+	    requests with an invalid password are rejected. This is the 
+	    default.</para>
+	</listitem>
+			
+	<listitem>
+	    <para><constant>Bad User</constant> - Means user
+	    logins with an invalid password are rejected, unless the username 
+	    does not exist, in which case it is treated as a guest login and 
+	    mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
+	    guest account</parameter></link>.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>Bad Password</constant> - Means user logins 
+	    with an invalid password are treated as a guest login and mapped 
+	    into the <link linkend="GUESTACCOUNT">guest account</link>. Note that 
+	    this can cause problems as it means that any user incorrectly typing 
+	    their password will be silently logged on as "guest" - and 
+	    will not know the reason they cannot access files they think
+	    they should - there will have been no message given to them
+	    that they got their password wrong. Helpdesk services will
+	    <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to 
+	    guest</parameter> parameter this way :-).</para>
+	</listitem>
+    </itemizedlist>
+
+    <para>Note that this parameter is needed to set up "Guest" 
+    share services when using <parameter moreinfo="none">security</parameter> modes other than 
+    share. This is because in these modes the name of the resource being
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client so the server 
+    cannot make authentication decisions at the correct time (connection 
+    to the share) for "Guest" shares.</para>
+
+    <para>For people familiar with the older Samba releases, this 
+    parameter maps to the old compile-time setting of the <constant>
+		GUEST_SESSSETUP</constant> value in local.h.</para>
+
+<para>Default: <emphasis><parameter>map to guest</parameter> = Never
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>map to guest</parameter> = Bad User
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max connections</primary></indexterm><term><anchor id="MAXCONNECTIONS"/>max connections (S)</term><listitem>
+    <para>This option allows the number of simultaneous connections to a service to be limited.
+    If <parameter moreinfo="none">max connections</parameter> is greater than 0 then connections
+    will be refused if this number of connections to the service are already open. A value 
+    of zero mean an unlimited number of connections may be made.</para>
+
+    <para>Record lock files are used to implement this feature. The lock files will be stored in 
+    the directory specified by the <link linkend="LOCKDIRECTORY">
+    <parameter moreinfo="none">lock directory</parameter></link> option.</para>
+
+<para>Default: <emphasis><parameter>max connections</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>max connections</parameter> = 10
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max disk size</primary></indexterm><term><anchor id="MAXDISKSIZE"/>max disk size (G)</term><listitem>
+    <para>This option allows you to put an upper limit 
+    on the apparent size of disks. If you set this option to 100 
+    then all shares will appear to be not larger than 100 MB in 
+    size.</para>
+
+    <para>Note that this option does not limit the amount of 
+    data you can put on the disk. In the above case you could still 
+    store much more than 100 MB on the disk, but if a client ever asks 
+    for the amount of free disk space or the total disk size then the 
+    result will be bounded by the amount specified in <parameter moreinfo="none">max 
+    disk size</parameter>.</para>
+
+    <para>This option is primarily useful to work around bugs 
+    in some pieces of software that can't handle very large disks, 
+    particularly disks over 1GB in size.</para>
+
+    <para>A <parameter moreinfo="none">max disk size</parameter> of 0 means no limit.</para>
+
+<para>Default: <emphasis><parameter>max disk size</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>max disk size</parameter> = 1000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max log size</primary></indexterm><term><anchor id="MAXLOGSIZE"/>max log size (G)</term><listitem>
+    <para>This option (an integer in kilobytes) specifies 
+    the max size the log file should grow to. Samba periodically checks 
+    the size and if it is exceeded it will rename the file, adding 
+	a <filename moreinfo="none">.old</filename> extension.</para>
+
+<para>A size of 0 means no limit.</para>
+
+<para>Default: <emphasis><parameter>max log size</parameter> = 5000
+</emphasis>
+</para><para>Default: <emphasis><parameter>max log size</parameter> = 1000
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max mux</primary></indexterm><term><anchor id="MAXMUX"/>max mux (G)</term><listitem>
+    <para>This option controls the maximum number of 
+    outstanding simultaneous SMB operations that Samba tells the client 
+	it will allow. You should never need to set this parameter.</para>
+
+<para>Default: <emphasis><parameter>max mux</parameter> = 50
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max open files</primary></indexterm><term><anchor id="MAXOPENFILES"/>max open files (G)</term><listitem>
+    <para>This parameter limits the maximum number of 
+    open files that one <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> file 
+    serving process may have open for a client at any one time. The 
+    default for this parameter is set very high (10,000) as Samba uses 
+    only one bit per unopened file.</para>
+		
+    <para>The limit of the number of open files is usually set 
+    by the UNIX per-process file descriptor limit rather than 
+    this parameter so you should never need to touch this parameter.</para>
+
+<para>Default: <emphasis><parameter>max open files</parameter> = 10000
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max print jobs</primary></indexterm><term><anchor id="MAXPRINTJOBS"/>max print jobs (S)</term><listitem>
+    <para>This parameter limits the maximum number of 
+    jobs allowable in a Samba printer queue at any given moment.
+    If this number is exceeded, <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will remote "Out of Space" to the client.
+	</para>
+
+<para>Default: <emphasis><parameter>max print jobs</parameter> = 1000
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>max print jobs</parameter> = 5000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>protocol</primary><see>max protocol</see></indexterm><term><anchor id="PROTOCOL"/>protocol</term><listitem><para>This parameter is a synonym for max protocol.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>max protocol</primary></indexterm><term><anchor id="MAXPROTOCOL"/>max protocol (G)</term><listitem>
+    <para>The value of the parameter (a string) is the highest 
+    protocol level that will be supported by the server.</para>
+
+    <para>Possible values are :</para>
+    <itemizedlist>
+	<listitem>
+	    <para><constant>CORE</constant>: Earliest version. No 
+	    concept of user names.</para>
+	</listitem>
+			
+	<listitem>
+	    <para><constant>COREPLUS</constant>: Slight improvements on 
+	    CORE for efficiency.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>LANMAN1</constant>: First <emphasis>
+	    modern</emphasis> version of the protocol. Long filename
+	    support.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>NT1</constant>: Current up to date version of the protocol. 
+	    Used by Windows NT. Known as CIFS.</para>
+	</listitem>
+    </itemizedlist>
+
+    <para>Normally this option should not be set as the automatic 
+    negotiation phase in the SMB protocol takes care of choosing 
+	the appropriate protocol.</para>
+
+<para>Default: <emphasis><parameter>max protocol</parameter> = NT1
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>max protocol</parameter> = LANMAN1
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max reported print jobs</primary></indexterm><term><anchor id="MAXREPORTEDPRINTJOBS"/>max reported print jobs (S)</term><listitem>
+    <para>This parameter limits the maximum number of 
+    jobs displayed in a port monitor for Samba printer queue at any given 
+    moment. If this number is exceeded, the excess jobs will not be shown.
+    A value of zero means there is no limit on the number of print
+	jobs reported.</para>
+
+<para>Default: <emphasis><parameter>max reported print jobs</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>max reported print jobs</parameter> = 1000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max smbd processes</primary></indexterm><term><anchor id="MAXSMBDPROCESSES"/>max smbd processes (G)</term><listitem>
+    <para>This parameter limits the maximum number of <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> processes concurrently running on a system and is intended
+    as a stopgap to prevent degrading service to clients in the event that the server has insufficient
+    resources to handle more than this number of connections.  Remember that under normal operating
+    conditions, each user will have an <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> associated with him or her to handle connections to all
+    shares from a given host.</para>
+
+<para>Default: <emphasis><parameter>max smbd processes</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>max smbd processes</parameter> = 1000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max stat cache size</primary></indexterm><term><anchor id="MAXSTATCACHESIZE"/>max stat cache size (G)</term><listitem>
+	<para>This parameter specifies the maximum amount of memory (in kilobytes)
+	smbd will use for the stat cache that speeds up case insensitive name mappings.
+	If set to zero (the default) there is no limit. Change this if your smbd processes
+	grow too large when servicing something like a back-up application.</para>
+
+<para>Default: <emphasis><parameter>max stat cache size</parameter> = 0
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max ttl</primary></indexterm><term><anchor id="MAXTTL"/>max ttl (G)</term><listitem>
+    <para>This option tells <citerefentry><refentrytitle>nmbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> what the default 'time to live' 
+    of NetBIOS names should be (in seconds) when <command moreinfo="none">nmbd</command> is 
+    requesting a name using either a broadcast packet or from a WINS server. You should 
+	never need to change this parameter. The default is 3 days.</para>
+
+<para>Default: <emphasis><parameter>max ttl</parameter> = 259200
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max wins ttl</primary></indexterm><term><anchor id="MAXWINSTTL"/>max wins ttl (G)</term><listitem>
+    <para>This option tells <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> when acting as a WINS server (<link linkend="WINSSUPPORT">
+    <parameter moreinfo="none">wins support = yes</parameter></link>) what the maximum
+    'time to live' of NetBIOS names that <command moreinfo="none">nmbd</command> 
+    will grant will be (in seconds). You should never need to change this
+	parameter.  The default is 6 days (518400 seconds).</para>
+
+<para>Default: <emphasis><parameter>max wins ttl</parameter> = 518400
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>max xmit</primary></indexterm><term><anchor id="MAXXMIT"/>max xmit (G)</term><listitem>
+    <para>This option controls the maximum packet size 
+    that will be negotiated by Samba. The default is 65535, which 
+    is the maximum. In some cases you may find you get better performance 
+    with a smaller value. A value below 2048 is likely to cause problems.
+</para>
+
+<para>Default: <emphasis><parameter>max xmit</parameter> = 65535
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>max xmit</parameter> = 8192
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>message command</primary></indexterm><term><anchor id="MESSAGECOMMAND"/>message command (G)</term><listitem>
+	<para>This specifies what command to run when the 
+	server receives a WinPopup style message.</para>
+
+	<para>This would normally be a command that would 
+	deliver the message somehow. How this is to be done is 
+	up to your imagination.</para>
+
+	<para>An example is:</para>
+
+	<para><command moreinfo="none">message command = csh -c 'xedit %s;rm %s' &amp;</command>
+	</para>
+
+	<para>This delivers the message using <command moreinfo="none">xedit</command>, then 
+	removes it afterwards. <emphasis>NOTE THAT IT IS VERY IMPORTANT 
+	THAT THIS COMMAND RETURN IMMEDIATELY</emphasis>. That's why I 
+	have the '&amp;' on the end. If it doesn't return immediately then 
+	your PCs may freeze when sending messages (they should recover 
+	after 30 seconds, hopefully).</para>
+
+	<para>All messages are delivered as the global guest user. 
+	The command takes the standard substitutions, although <parameter moreinfo="none">
+	%u</parameter> won't work (<parameter moreinfo="none">%U</parameter> may be better 
+	in this case).</para>
+
+	<para>Apart from the standard substitutions, some additional 
+	ones apply. In particular:</para>
+
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">%s</parameter> = the filename containing 
+				the message.</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">%t</parameter> = the destination that 
+				the message was sent to (probably the server name).</para>
+		</listitem>
+
+		<listitem>
+			<para><parameter moreinfo="none">%f</parameter> = who the message 
+				is from.</para>
 		</listitem>
-		</varlistentry>
+	</itemizedlist>
+
+	<para>You could make this command send mail, or whatever else 
+	takes your fancy. Please let us know of any really interesting 
+	ideas you have.</para>
+
+	<para>Here's a way of sending the messages as mail to root:</para>
+
+	<para><command moreinfo="none">message command = /bin/mail -s 'message from %f on 
+	%m' root &lt; %s; rm %s</command></para>
+
+	<para>If you don't have a message command then the message 
+	won't be delivered and Samba will tell the sender there was 
+	an error. Unfortunately WfWg totally ignores the error code 
+	and carries on regardless, saying that the message was delivered.
+	</para>
+
+	<para>If you want to silently delete it then try:</para>
+
+	<para><command moreinfo="none">message command = rm %s</command></para>
+
+<para>Default: <emphasis><parameter>message command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>message command</parameter> = csh -c 'xedit %s; rm %s' &amp;
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>min passwd length</primary><see>min password length</see></indexterm><term><anchor id="MINPASSWDLENGTH"/>min passwd length</term><listitem><para>This parameter is a synonym for min password length.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>min password length</primary></indexterm><term><anchor id="MINPASSWORDLENGTH"/>min password length (G)</term><listitem>
+    <para>This option sets the minimum length in characters of a
+    plaintext password that <command moreinfo="none">smbd</command> will
+    accept when performing  UNIX password changing.</para>
+
+<para>Default: <emphasis><parameter>min password length</parameter> = 5
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>min print space</primary></indexterm><term><anchor id="MINPRINTSPACE"/>min print space (S)</term><listitem>
+    <para>This sets the minimum amount of free disk 
+    space that must be available before a user will be able to spool 
+    a print job. It is specified in kilobytes. The default is 0, which 
+    means a user can always spool a print job.</para>
+
+<para>Default: <emphasis><parameter>min print space</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>min print space</parameter> = 2000
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>min protocol</primary></indexterm><term><anchor id="MINPROTOCOL"/>min protocol (G)</term><listitem>
+    <para>The value of the parameter (a string) is the 
+    lowest SMB protocol dialect than Samba will support.  Please refer
+    to the <link linkend="MAXPROTOCOL"><parameter moreinfo="none">max protocol</parameter></link>
+    parameter for a list of valid protocol names and a brief description
+    of each.  You may also wish to refer to the C source code in
+    <filename moreinfo="none">source/smbd/negprot.c</filename> for a listing of known protocol
+    dialects supported by clients.</para>
+		
+    <para>If you are viewing this parameter as a security measure, you should
+    also refer to the <link linkend="LANMANAUTH"><parameter moreinfo="none">lanman 
+    auth</parameter></link> parameter.  Otherwise, you should never need 
+    to change this parameter.</para>
+
+<para>Default: <emphasis><parameter>min protocol</parameter> = CORE
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>min protocol</parameter> = NT1
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>min wins ttl</primary></indexterm><term><anchor id="MINWINSTTL"/>min wins ttl (G)</term><listitem>
+    <para>This option tells <citerefentry><refentrytitle>nmbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry>
+    when acting as a WINS server (<link linkend="WINSSUPPORT"><parameter moreinfo="none">
+    wins support = yes</parameter></link>) what the minimum 'time to live' 
+    of NetBIOS names that <command moreinfo="none">nmbd</command> will grant will be (in 
+    seconds). You should never need to change this parameter.  The default 
+    is 6 hours (21600 seconds).</para>
+
+<para>Default: <emphasis><parameter>min wins ttl</parameter> = 21600
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>msdfs proxy</primary></indexterm><term><anchor id="MSDFSPROXY"/>msdfs proxy (S)</term><listitem>
+	<para>This parameter indicates that the share is a
+	stand-in for another CIFS share whose location is specified by
+	the value of the parameter. When clients attempt to connect to
+	this share, they are redirected to the proxied share using
+	the SMB-Dfs protocol.</para>
+
+	<para>Only Dfs roots can act as proxy shares. Take a look at the
+	<link linkend="MSDFSROOT"><parameter moreinfo="none">msdfs root</parameter></link>
+	and <link linkend="HOSTMSDFS"><parameter moreinfo="none">host msdfs</parameter></link>
+	options to find out how to set up a Dfs root share.</para>
+
+<para><emphasis>No default</emphasis></para>
+<para>Example: <emphasis><parameter>msdfs proxy</parameter> = \otherserver\someshare
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>msdfs root</primary></indexterm><term><anchor id="MSDFSROOT"/>msdfs root (S)</term><listitem>
+	<para>If set to <constant>yes</constant>, Samba treats the
+	share as a Dfs root and allows clients to browse the
+	distributed file system tree rooted at the share directory.
+	Dfs links are specified in the share directory by symbolic
+	links of the form <filename moreinfo="none">msdfs:serverA\\shareA,serverB\\shareB</filename>
+	and so on.  For more information on setting up a Dfs tree on
+	Samba, refer to <link linkend="msdfs"/>.</para>
+
+<para>Default: <emphasis><parameter>msdfs root</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>name cache timeout</primary></indexterm><term><anchor id="NAMECACHETIMEOUT"/>name cache timeout (G)</term><listitem>
+    <para>Specifies the number of seconds it takes before 
+    entries in samba's hostname resolve cache time out. If 
+    the timeout is set to 0. the caching is disabled.
+</para>
+
+<para>Default: <emphasis><parameter>name cache timeout</parameter> = 660
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>name cache timeout</parameter> = 0
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>name resolve order</primary></indexterm><term><anchor id="NAMERESOLVEORDER"/>name resolve order (G)</term><listitem>
+    <para>This option is used by the programs in the Samba 
+    suite to determine what naming services to use and in what order 
+    to resolve host names to IP addresses. Its main purpose to is to
+    control how netbios name resolution is performed.  The option takes a space 
+    separated string of name resolution options.</para>
+
+    <para>The options are: "lmhosts", "host",
+    "wins" and "bcast". They cause names to be
+    resolved as follows:</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para><constant>lmhosts</constant> : Lookup an IP 
+	    address in the Samba lmhosts file. If the line in lmhosts has 
+	    no name type attached to the NetBIOS name (see the <ulink url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+	    any name type matches for lookup.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>host</constant> : Do a standard host 
+	    name to IP address resolution, using the system <filename moreinfo="none">/etc/hosts
+	    </filename>, NIS, or DNS lookups. This method of name resolution 
+	    is operating system depended for instance on IRIX or Solaris this 
+	    may be controlled by the <filename moreinfo="none">/etc/nsswitch.conf</filename> 
+	    file.  Note that this method is used only if the NetBIOS name 
+	    type being queried is the 0x20 (server) name type or 0x1c (domain controllers). 
+            The latter case is only useful for active directory domains and results in a DNS
+            query for the SRV RR entry matching _ldap._tcp.domain.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>wins</constant> : Query a name with 
+	    the IP address listed in the <link linkend="WINSSERVER"><parameter moreinfo="none">
+	    wins server</parameter></link> parameter.  If no WINS server has
+	    been specified this method will be ignored.</para>
+	</listitem>
+
+	<listitem>
+	    <para><constant>bcast</constant> : Do a broadcast on 
+	    each of the known local interfaces listed in the <link linkend="INTERFACES"><parameter moreinfo="none">interfaces</parameter></link> 
+	    parameter. This is the least reliable of the name resolution 
+	    methods as it depends on the target host being on a locally 
+	    connected subnet.</para>
+	</listitem>
+</itemizedlist>
+
+    <para>The example below will cause the local lmhosts file to be examined 
+    first, followed by a broadcast attempt, followed by a normal 
+    system hostname lookup.</para>
+
+    <para>When Samba is functioning in ADS security mode (<command moreinfo="none">security = ads</command>)
+    it is advised to use following settings for <parameter moreinfo="none">name resolve order</parameter>:</para>
+
+    <para><command moreinfo="none">name resolve order = wins bcast</command></para>
+
+    <para>DC lookups will still be done via DNS, but fallbacks to netbios names will
+		not inundate your DNS servers with needless querys for DOMAIN&lt;0x1c&gt; lookups.</para>
+ 
+
+<para>Default: <emphasis><parameter>name resolve order</parameter> = lmhosts host wins bcast
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>name resolve order</parameter> = lmhosts bcast host
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>netbios aliases</primary></indexterm><term><anchor id="NETBIOSALIASES"/>netbios aliases (G)</term><listitem>
+        <para>This is a list of NetBIOS names that nmbd will 
+        advertise as additional names by which the Samba server is known. This allows one machine 
+	to appear in browse lists under multiple names. If a machine is acting as a browse server 
+        or logon server none of these names will be advertised as either browse server or logon 
+	servers, only the primary name of the machine will be advertised with these capabilities.
+        </para>
+
+<para>Default: <emphasis><parameter>netbios aliases</parameter> = 
+# empty string (no additional names)
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>netbios aliases</parameter> = TEST TEST1 TEST2
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>netbios name</primary></indexterm><term><anchor id="NETBIOSNAME"/>netbios name (G)</term><listitem>
+        <para>This sets the NetBIOS name by which a Samba 
+	server is known. By default it is the same as the first component 
+	of the host's DNS name. If a machine is a browse server or
+	logon server this name (or the first component
+	of the hosts DNS name) will be the name that these services are
+	advertised under.</para>
+
+<para>Default: <emphasis><parameter>netbios name</parameter> = 
+# machine DNS name
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>netbios name</parameter> = MYNAME
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>netbios scope</primary></indexterm><term><anchor id="NETBIOSSCOPE"/>netbios scope (G)</term><listitem>
+        <para>This sets the NetBIOS scope that Samba will 
+	operate under. This should not be set unless every machine 
+	on your LAN also sets this value.</para>
+
+<para>Default: <emphasis><parameter>netbios scope</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>nis homedir</primary></indexterm><term><anchor id="NISHOMEDIR"/>nis homedir (G)</term><listitem>
+	<para>Get the home share server from a NIS map. For 
+	UNIX systems that use an automounter, the user's home directory 
+	will often be mounted on a workstation on demand from a remote 
+	server. </para>
+
+	<para>When the Samba logon server is not the actual home directory 
+	server, but is mounting the home directories via NFS then two 
+	network hops would be required to access the users home directory 
+	if the logon server told the client to use itself as the SMB server 
+	for home directories (one over SMB and one over NFS). This can 
+	be very slow.</para>
+
+	<para>This option allows Samba to return the home share as 
+	being on a different server to the logon server and as 
+	long as a Samba daemon is running on the home directory server, 
+	it will be mounted on the Samba client directly from the directory 
+	server. When Samba is returning the home share to the client, it 
+	will consult the NIS map specified in <link linkend="HOMEDIRMAP">
+	<parameter moreinfo="none">homedir map</parameter></link> and return the server 
+	listed there.</para>
+
+	<para>Note that for this option to work there must be a working 
+	NIS system and the Samba server with this option must also 
+	be a logon server.</para>
+
+<para>Default: <emphasis><parameter>nis homedir</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>nt acl support</primary></indexterm><term><anchor id="NTACLSUPPORT"/>nt acl support (S)</term><listitem>
+    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> will attempt to map 
+    UNIX permissions into Windows NT access control lists.
+    This parameter was formally a global parameter in releases
+    prior to 2.2.2.</para>
+
+<para>Default: <emphasis><parameter>nt acl support</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>ntlm auth</primary></indexterm><term><anchor id="NTLMAUTH"/>ntlm auth (G)</term><listitem>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users using the NTLM encrypted password response.
+    If disabled, either the lanman password hash or an NTLMv2 response
+    will need to be sent by the client.</para>
+
+    <para>If this option, and <command moreinfo="none">lanman
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+	special configuration to us it.</para>
+
+<para>Default: <emphasis><parameter>ntlm auth</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>nt pipe support</primary></indexterm><term><anchor id="NTPIPESUPPORT"/>nt pipe support (G)</term><listitem>
+    <para>This boolean parameter controls whether 
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will allow Windows NT 
+    clients to connect to the NT SMB specific <constant>IPC$</constant> 
+    pipes. This is a developer debugging option and can be left
+	alone.</para>
+
+<para>Default: <emphasis><parameter>nt pipe support</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>nt status support</primary></indexterm><term><anchor id="NTSTATUSSUPPORT"/>nt status support (G)</term><listitem>
+    <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> will negotiate NT specific status
+    support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone.
+    If this option is set to <constant>no</constant> then Samba offers
+    exactly the same DOS error codes that versions prior to Samba 2.2.3
+    reported.</para>
+
+    <para>You should not need to ever disable this parameter.</para>
+
+<para>Default: <emphasis><parameter>nt status support</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>null passwords</primary></indexterm><term><anchor id="NULLPASSWORDS"/>null passwords (G)</term><listitem>
+    <para>Allow or disallow client access to accounts that have null passwords. </para>
+
+    <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle>
+			<manvolnum>5</manvolnum></citerefentry>.</para>
+
+<para>Default: <emphasis><parameter>null passwords</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>obey pam restrictions</primary></indexterm><term><anchor id="OBEYPAMRESTRICTIONS"/>obey pam restrictions (G)</term><listitem>
+    <para>When Samba 3.0 is configured to enable PAM support
+    (i.e. --with-pam), this parameter will control whether or not Samba
+    should obey PAM's account and session management directives.  The 
+    default behavior is to use PAM for clear text authentication only
+    and to ignore any account or session management.  Note that Samba
+    always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypt passwords = yes</parameter></link>.  The reason 
+    is that PAM modules cannot support the challenge/response
+    authentication mechanism needed in the presence of SMB password encryption.
+</para>
+
+<para>Default: <emphasis><parameter>obey pam restrictions</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>only user</primary></indexterm><term><anchor id="ONLYUSER"/>only user (S)</term><listitem>
+    <para>This is a boolean option that controls whether 
+    connections with usernames not in the <parameter moreinfo="none">user</parameter> 
+    list will be allowed. By default this option is disabled so that a 
+    client can supply a username to be used by the server.  Enabling
+    this parameter will force the server to only use the login 
+    names from the <parameter moreinfo="none">user</parameter> list and is only really
+    useful in <link linkend="SECURITYEQUALSSHARE">share level</link>
+    security.</para>
+
+    <para>Note that this also means Samba won't try to deduce 
+    usernames from the service name. This can be annoying for 
+    the [homes] section. To get around this you could use <command moreinfo="none">user =
+    %S</command> which means your <parameter moreinfo="none">user</parameter> list
+    will be just the service name, which for home directories is the 
+    name of the user.</para>
+
+<para>Default: <emphasis><parameter>only user</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>oplock break wait time</primary></indexterm><term><anchor id="OPLOCKBREAKWAITTIME"/>oplock break wait time (G)</term><listitem>
+	<para>This is a tuning parameter added due to bugs in 
+	both Windows 9x and WinNT. If Samba responds to a client too 
+	quickly when that client issues an SMB that can cause an oplock 
+	break request, then the network client can fail and not respond 
+	to the break request. This tuning parameter (which is set in milliseconds) 
+	is the amount of time Samba will wait before sending an oplock break 
+	request to such (broken) clients.</para>
+
+	<warning><para>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND 
+			UNDERSTOOD THE SAMBA OPLOCK CODE.</para></warning>
 	
-		<varlistentry>
-		<term>%p</term>
-		<listitem><para>the path of the service's home directory, 
-		obtained from your NIS auto.map entry. The NIS auto.map entry 
-		is split up as <quote>%N:%p</quote>.</para></listitem>
-		</varlistentry>
-	</variablelist>
+<para>Default: <emphasis><parameter>oplock break wait time</parameter> = 0
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>oplock contention limit</primary></indexterm><term><anchor id="OPLOCKCONTENTIONLIMIT"/>oplock contention limit (S)</term><listitem>
+	<para>This is a <emphasis>very</emphasis> advanced
+	<citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> tuning option to 
+	improve the efficiency of the granting of oplocks under multiple 
+	client contention for the same file.</para>
+		
+	<para>In brief it specifies a number, which causes <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>not to grant an oplock even when requested 
+	if the approximate number of clients contending for an oplock on the same file goes over this 
+	limit. This causes <command moreinfo="none">smbd</command> to behave in a similar 
+	way to Windows NT.</para>
+
+<warning><para>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ 
+		AND UNDERSTOOD THE SAMBA OPLOCK CODE.</para></warning>
+
+
+<para>Default: <emphasis><parameter>oplock contention limit</parameter> = 2
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>oplocks</primary></indexterm><term><anchor id="OPLOCKS"/>oplocks (S)</term><listitem>
+	<para>This boolean option tells <command moreinfo="none">smbd</command> whether to 
+	issue oplocks (opportunistic locks) to file open requests on this 
+	share. The oplock code can dramatically (approx. 30% or more) improve 
+	the speed of access to files on Samba servers. It allows the clients 
+	to aggressively cache files locally and you may want to disable this 
+	option for unreliable network environments (it is turned on by 
+	default in Windows NT Servers).  For more information see the file 
+	<filename moreinfo="none">Speed.txt</filename> in the Samba <filename moreinfo="none">docs/</filename> 
+	directory.</para>
+
+	<para>Oplocks may be selectively turned off on certain files with a 
+	share. See the <link linkend="VETOOPLOCKFILES"><parameter moreinfo="none">
+	veto oplock files</parameter></link> parameter. On some systems 
+	oplocks are recognized by the underlying operating system. This 
+	allows data synchronization between all access to oplocked files, 
+	whether it be via Samba or NFS or a local UNIX process. See the 
+	<parameter moreinfo="none">kernel oplocks</parameter> parameter for details.</para>
+
+<para>Default: <emphasis><parameter>oplocks</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>os2 driver map</primary></indexterm><term><anchor id="OS2DRIVERMAP"/>os2 driver map (G)</term><listitem>
+    <para>The parameter is used to define the absolute
+    path to a file containing a mapping of Windows NT printer driver
+    names to OS/2 printer driver names.  The format is:</para>
+		
+    <para>&lt;nt driver name&gt; = &lt;os2 driver name&gt;.&lt;device name&gt;</para>
+		
+    <para>For example, a valid entry using the HP LaserJet 5
+    printer driver would appear as <command moreinfo="none">HP LaserJet 5L = LASERJET.HP 
+    LaserJet 5L</command>.</para>
+		
+    <para>The need for the file is due to the printer driver namespace 
+		problem described in <link linkend="printing"/>.  For more details on OS/2 clients, please 
+		refer to <link linkend="Other-Clients"/>.</para>
+
+<para>Default: <emphasis><parameter>os2 driver map</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>os level</primary></indexterm><term><anchor id="OSLEVEL"/>os level (G)</term><listitem>
+	<para>This integer value controls what level Samba 
+	advertises itself as for browse elections. The value of this 
+	parameter determines whether <citerefentry><refentrytitle>nmbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> 
+	has a chance of becoming a local master browser for the <parameter moreinfo="none">
+	WORKGROUP</parameter> in the local broadcast area.</para>
+		
+	<para><emphasis>Note :</emphasis>By default, Samba will win 
+	a local master browsing election over all Microsoft operating 
+	systems except a Windows NT 4.0/2000 Domain Controller.  This 
+	means that a misconfigured Samba host can effectively isolate 
+	a subnet for browsing purposes.  See <filename moreinfo="none">BROWSING.txt
+	</filename> in the Samba <filename moreinfo="none">docs/</filename> directory 
+	for details.</para>
+
+<para>Default: <emphasis><parameter>os level</parameter> = 20
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>os level</parameter> = 65
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>pam password change</primary></indexterm><term><anchor id="PAMPASSWORDCHANGE"/>pam password change (G)</term><listitem>
+    <para>With the addition of better PAM support in Samba 2.2, 
+    this parameter, it is possible to use PAM's password change control 
+    flag for Samba.  If enabled, then PAM will be used for password
+    changes when requested by an SMB client instead of the program listed in 
+    <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>. 
+    It should be possible to enable this without changing your 
+    <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link>
+	parameter for most setups.</para>
+
+<para>Default: <emphasis><parameter>pam password change</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>panic action</primary></indexterm><term><anchor id="PANICACTION"/>panic action (G)</term><listitem>
+	<para>This is a Samba developer option that allows a 
+	system command to be called when either <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> or <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>	crashes. This is usually used to 
+draw attention to the fact that a problem occurred.</para>
+
+<para>Default: <emphasis><parameter>panic action</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>panic action</parameter> = "/bin/sleep 90000"
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>paranoid server security</primary></indexterm><term><anchor id="PARANOIDSERVERSECURITY"/>paranoid server security (G)</term><listitem>
+    <para>Some version of NT 4.x allow non-guest 
+    users with a bad passowrd. When this option is enabled, samba will not 
+    use a broken NT 4.x server as password server, but instead complain
+    to the logs and exit.  
+    </para>
+
+    <para>Disabling this option prevents Samba from making
+    this check, which involves deliberatly attempting a
+    bad logon to the remote server.</para>
+
+<para>Default: <emphasis><parameter>paranoid server security</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>passdb backend</primary></indexterm><term><anchor id="PASSDBBACKEND"/>passdb backend (G)</term><listitem>
+
+    <para>This option allows the administrator to chose which backends
+    to retrieve and store passwords with. This allows (for example) both 
+    smbpasswd and tdbsam to be used without a recompile. Multiple
+    backends can be specified, separated by spaces. The backends will be
+    searched in the order they are specified. New users are always added
+	to the first backend specified. </para>
+
+    <para>This parameter is in two parts, the backend's name, and a 'location'
+    string that has meaning only to that particular backed.  These are separated
+    by a : character.</para>
+
+    <para>Available backends can include:
+	<itemizedlist>
+	    <listitem>
+		<para><command moreinfo="none">smbpasswd</command> - The default smbpasswd
+		backend. Takes a path to the smbpasswd file as an optional argument.
+		</para>
+	    </listitem>
+			
+	    <listitem>
+		<para><command moreinfo="none">tdbsam</command> - The TDB based password storage
+                backend.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb 
+                in the <link linkend="PRIVATEDIR">
+                <parameter moreinfo="none">private dir</parameter></link> directory.</para>
+	    </listitem>
+			
+	    <listitem>
+		<para><command moreinfo="none">ldapsam</command> - The LDAP based passdb 
+                backend.  Takes an LDAP URL as an optional argument (defaults to 
+                <command moreinfo="none">ldap://localhost</command>)</para>
+			
+		<para>LDAP connections should be secured where possible.  This may be done using either
+                Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by
+                specifying <parameter moreinfo="none">ldaps://</parameter> in
+                the URL argument. </para>
+
+                <para>Multiple servers may also be specified in double-quotes, if your
+                LDAP libraries supports the LDAP URL notation.
+                (OpenLDAP does).   
+		</para>
+
+	    </listitem>
+			
+	    <listitem>
+		<para><command moreinfo="none">nisplussam</command> -
+		The NIS+ based passdb backend. Takes name NIS domain as
+		an optional argument. Only works with sun NIS+ servers.
+		</para>
+	    </listitem>
+
+		<listitem>
+		<para><command moreinfo="none">mysql</command> - 
+		The MySQL based passdb backend. Takes an identifier as 
+		argument. Read the Samba HOWTO Collection for configuration
+		details.
+		</para></listitem>
+
+	</itemizedlist>
+    </para>
+
+<para>Default: <emphasis><parameter>passdb backend</parameter> = smbpasswd
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>passdb backend</parameter> = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd
+</emphasis>
+</para><para>Example: <emphasis><parameter>passdb backend</parameter> = ldapsam:ldaps://ldap.example.com
+</emphasis>
+</para><para>Example: <emphasis><parameter>passdb backend</parameter> = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
+</emphasis>
+</para><para>Example: <emphasis><parameter>passdb backend</parameter> = mysql:my_plugin_args tdbsam
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>passwd chat</primary></indexterm><term><anchor id="PASSWDCHAT"/>passwd chat (G)</term><listitem>
+    <para>This string controls the <emphasis>"chat"</emphasis> 
+    conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and the local password changing
+    program to change the user's password. The string describes a 
+    sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the 
+    <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
+    </link> and what to expect back. If the expected output is not 
+    received then the password is not changed.</para>
+
+    <para>This chat sequence is often quite site specific, depending 
+    on what local methods are used for password control (such as NIS 
+    etc).</para>
+
+    <para>Note that this parameter only is only used if the <link linkend="UNIXPASSWORDSYNC"> <parameter moreinfo="none">unix password sync</parameter>
+    </link> parameter is set  to <constant>yes</constant>. This sequence is 
+    then called <emphasis>AS ROOT</emphasis> when the SMB password  in the 
+    smbpasswd file is being changed, without access to the old password
+    cleartext. This means that root must be able to reset the user's password without
+    knowing the text of the previous password. In the presence of
+    NIS/YP,  this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must
+    be executed on the NIS master.
+    </para>
+
+
+    <para>The string can contain the macro <parameter moreinfo="none">%n</parameter> which is substituted 
+    for the new password.  The chat sequence can also contain the standard 
+    macros \n, \r, \t and \s to 
+    give line-feed, carriage-return, tab and space.  The chat sequence string can also contain 
+    a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces 
+    in them into a single string.</para>
+
+    <para>If the send string in any part of the chat sequence  is a full
+    stop ".",  then no string is sent. Similarly,  if the
+    expect string is a full stop then no string is expected.</para>
+
+    <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam
+    password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs
+    may be matched in any order, and success is determined by the PAM result, 
+    not any particular output. The \n macro is ignored for PAM conversions.
+    </para>
+
+
+<para>Default: <emphasis><parameter>passwd chat</parameter> = *new*password* %n\n*new*password* %n\n *changed*
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>passwd chat</parameter> = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>passwd chat debug</primary></indexterm><term><anchor id="PASSWDCHATDEBUG"/>passwd chat debug (G)</term><listitem>
+    <para>This boolean specifies if the passwd chat script 
+    parameter is run in <emphasis>debug</emphasis> mode. In this mode the 
+    strings passed to and received from the passwd chat are printed 
+    in the <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> log with a 
+    <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link> 
+    of 100. This is a dangerous option as it will allow plaintext passwords 
+    to be seen in the <command moreinfo="none">smbd</command> log. It is available to help 
+    Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts 
+    when calling the <parameter moreinfo="none">passwd program</parameter> and should 
+    be turned off after this has been done. This option has no effect if the 
+    <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link>
+	paramter is set. This parameter is off by default.</para>
+
+<para>Default: <emphasis><parameter>passwd chat debug</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>passwd chat timeout</primary></indexterm><term><anchor id="PASSWDCHATTIMEOUT"/>passwd chat timeout (G)</term><listitem>
+    <para>This integer specifies the number of seconds smbd will wait for an initial
+    answer from a passwd chat script being run. Once the initial answer is received
+    the subsequent answers must be received in one tenth of this time. The default it
+    two seconds.</para>
+
+<para>Default: <emphasis><parameter>passwd chat timeout</parameter> = 2
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>passwd program</primary></indexterm><term><anchor id="PASSWDPROGRAM"/>passwd program (G)</term><listitem>
+    <para>The name of a program that can be used to set 
+    UNIX user passwords.  Any occurrences of <parameter moreinfo="none">%u</parameter> 
+    will be replaced with the user name. The user name is checked for 
+    existence before calling the password changing program.</para>
+
+    <para>Also note that many passwd programs insist in <emphasis>reasonable
+    </emphasis> passwords, such as a minimum length, or the inclusion 
+    of mixed case chars and digits. This can pose a problem as some clients 
+    (such as Windows for Workgroups) uppercase the password before sending 
+    it.</para>
+
+    <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix 
+    password sync</parameter> parameter is set to <constant>yes
+    </constant> then this program is called <emphasis>AS ROOT</emphasis> 
+    before the SMB password in the smbpasswd
+    file is changed. If this UNIX password change fails, then 
+    <command moreinfo="none">smbd</command> will fail to change the SMB password also 
+    (this is by design).</para>
+
+    <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter 
+    is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> 
+    for <emphasis>ALL</emphasis> programs called, and must be examined 
+    for security implications. Note that by default <parameter moreinfo="none">unix 
+    password sync</parameter> is set to <constant>no</constant>.</para>
 	
-	<para>There are some quite creative things that can be done 
-	with these substitutions and other <filename moreinfo="none">smb.conf</filename> options.</para>
-</refsect1>
+<para>Default: <emphasis><parameter>passwd program</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>passwd program</parameter> = /bin/passwd %u
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>password level</primary></indexterm><term><anchor id="PASSWORDLEVEL"/>password level (G)</term><listitem>
+    <para>Some client/server combinations have difficulty 
+    with mixed-case passwords.  One offending client is Windows for 
+    Workgroups, which for some reason forces passwords to upper 
+    case when using the LANMAN1 protocol, but leaves them alone when 
+    using COREPLUS!  Another problem child is the Windows 95/98
+    family of operating systems.  These clients upper case clear
+    text passwords even when NT LM 0.12 selected by the protocol
+    negotiation request/response.</para>
+
+    <para>This parameter defines the maximum number of characters 
+    that may be upper case in passwords.</para>
+
+    <para>For example, say the password given was "FRED". If <parameter moreinfo="none">
+    password level</parameter> is set to 1, the following combinations 
+    would be tried if "FRED" failed:</para>
+
+    <para>"Fred", "fred", "fRed", "frEd","freD"</para>
+
+    <para>If <parameter moreinfo="none">password level</parameter> was set to 2, 
+    the following combinations would also be tried: </para>
+
+    <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
+
+    <para>And so on.</para>
+
+    <para>The higher value this parameter is set to the more likely 
+    it is that a mixed case password will be matched against a single 
+    case password. However, you should be aware that use of this 
+    parameter reduces security and increases the time taken to 
+    process a new connection.</para>
+
+    <para>A value of zero will cause only two attempts to be 
+    made - the password as is and the password in all-lower case.</para>
+
+    <para>This parameter is used only when using plain-text passwords. It is
+    not at all used when encrypted passwords as in use (that is the default
+    since samba-3.0.0). Use this only when <link linkend="ENCRYPTPASSWORDS">
+    encrypt passwords = No</link>.</para>
+
+<para>Default: <emphasis><parameter>password level</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>password level</parameter> = 4
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>password server</primary></indexterm><term><anchor id="PASSWORDSERVER"/>password server (G)</term><listitem>
+    <para>By specifying the name of another SMB server 
+    or Active Directory domain controller with this option, 
+    and using <command moreinfo="none">security = [ads|domain|server]</command> 
+    it is possible to get Samba to 
+    to do all its username/password validation using a specific remote server.</para>
+
+    <para>This option sets the name or IP address of the password server to use. 
+    New syntax has been added to support defining the port to use when connecting 
+    to the server the case of an ADS realm.  To define a port other than the
+    default LDAP port of 389, add the port number using a colon after the 
+    name or IP address (e.g. 192.168.1.100:389).  If you do not specify a port,
+    Samba will use the standard LDAP port of tcp/389.  Note that port numbers
+    have no effect on password servers for Windows NT 4.0 domains or netbios 
+    connections.</para>
+
+    <para>If parameter is a name, it is looked up using the 
+    parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name 
+    resolve order</parameter></link> and so may resolved
+    by any method and order described in that parameter.</para>
+
+    <para>The password server must be a machine capable of using 
+    the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in 
+    user level security mode.</para>
+
+    <note><para>Using a password server  means your UNIX box (running
+    Samba) is only as secure as your  password server. <emphasis>DO NOT
+    CHOOSE A PASSWORD SERVER THAT  YOU DON'T COMPLETELY TRUST</emphasis>.
+    </para></note>
+		
+    <para>Never point a Samba server at itself for password serving.
+    This will cause a loop and could lock up your Samba  server!</para>
+
+    <para>The name of the password server takes the standard 
+    substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+    </parameter>, which means the Samba server will use the incoming 
+    client as the password server. If you use this then you better 
+    trust your clients, and you had better restrict them with hosts allow!</para>
+
+    <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+    <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this 
+    option must be a list of Primary or Backup Domain controllers for the
+    Domain or the character '*', as the Samba server is effectively
+    in that domain, and will use cryptographically authenticated RPC calls
+    to authenticate the user logging on. The advantage of using <command moreinfo="none">
+    security = domain</command> is that if you list several hosts in the 
+    <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+    </command> will try each in turn till it finds one that responds.  This
+    is useful in case your primary server goes down.</para>
+
+    <para>If the <parameter moreinfo="none">password server</parameter> option is set 
+    to the character '*', then Samba will attempt to auto-locate the 
+    Primary or Backup Domain controllers to authenticate against by 
+    doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant> 
+    and then contacting each server returned in the list of IP 
+    addresses from the name resolution source. </para>
+
+    <para>If the list of servers contains both names/IP's and the '*'
+    character, the list is treated as a list of preferred 
+    domain controllers, but an auto lookup of all remaining DC's
+    will be added to the list as well.  Samba will not attempt to optimize 
+    this list by locating the closest DC.</para>
+		
+    <para>If the <parameter moreinfo="none">security</parameter> parameter is 
+    set to <constant>server</constant>, then there are different
+    restrictions that <command moreinfo="none">security = domain</command> doesn't 
+    suffer from:</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para>You may list several password servers in 
+	    the <parameter moreinfo="none">password server</parameter> parameter, however if an 
+	    <command moreinfo="none">smbd</command> makes a connection to a password server, 
+	    and then the password server fails, no more users will be able 
+	    to be authenticated from this <command moreinfo="none">smbd</command>.  This is a 
+	    restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+	    </command> mode and cannot be fixed in Samba.</para>
+	</listitem>
+	    
+	<listitem>
+	    <para>If you are using a Windows NT server as your 
+	    password server then you will have to ensure that your users 
+	    are able to login from the Samba server, as when in <command moreinfo="none">
+	    security = server</command>  mode the network logon will appear to 
+	    come from there rather than from the users workstation.</para>
+	</listitem>
+    </itemizedlist>
 
-<refsect1 id="NAMEMANGLINGSECT">
-	<title>NAME MANGLING</title>
+<para>Default: <emphasis><parameter>password server</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>password server</parameter> = NT-PDC, NT-BDC1, NT-BDC2, *
+</emphasis>
+</para><para>Example: <emphasis><parameter>password server</parameter> = windc.mydomain.com:389 192.168.1.101 *
+</emphasis>
+</para><para>Example: <emphasis><parameter>password server</parameter> = *
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>directory</primary><see>path</see></indexterm><term><anchor id="DIRECTORY"/>directory</term><listitem><para>This parameter is a synonym for path.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>path</primary></indexterm><term><anchor id="PATH"/>path (S)</term><listitem>
+        <para>This parameter specifies a directory to which 
+	the user of the service is to be given access. In the case of 
+	printable services, this is where print data will spool prior to 
+	being submitted to the host for printing.</para>
+
+	<para>For a printable service offering guest access, the service 
+	should be readonly and the path should be world-writeable and 
+	have the sticky bit set. This is not mandatory of course, but 
+	you probably won't get the results you expect if you do 
+	otherwise.</para>
+
+	<para>Any occurrences of <parameter moreinfo="none">%u</parameter> in the path 
+	will be replaced with the UNIX username that the client is using 
+	on this connection. Any occurrences of <parameter moreinfo="none">%m</parameter> 
+	will be replaced by the NetBIOS name of the machine they are 
+	connecting from. These replacements are very useful for setting 
+	up pseudo home directories for users.</para>
+
+	<para>Note that this path will be based on <link linkend="ROOTDIR">
+	<parameter moreinfo="none">root dir</parameter></link> if one was specified.</para>
 	
-	<para>Samba supports <quote>name mangling</quote> so that DOS and 
-	Windows clients can use files that don't conform to the 8.3 format. 
-	It can also be set to adjust the case of 8.3 format filenames.</para>
+<para>Default: <emphasis><parameter>path</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>path</parameter> = /home/fred
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>pid directory</primary></indexterm><term><anchor id="PIDDIRECTORY"/>pid directory (G)</term><listitem>
+	<para>This option specifies the directory where pid 
+		files will be placed.  </para>
+
+<para>Default: <emphasis><parameter>pid directory</parameter> = ${prefix}/var/locks
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>pid directory</parameter> = pid directory = /var/run/
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>posix locking</primary></indexterm><term><anchor id="POSIXLOCKING"/>posix locking (S)</term><listitem>
+	<para>The <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>
+	daemon maintains an database of file locks obtained by SMB clients.
+	The default behavior is to map this internal database to POSIX
+	locks.  This means that file locks obtained by SMB clients are 
+	consistent with those seen by POSIX compliant applications accessing 
+	the files via a non-SMB method (e.g. NFS or local file access).  
+	You should never need to disable this parameter.</para>
+
+<para>Default: <emphasis><parameter>posix locking</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>postexec</primary></indexterm><term><anchor id="POSTEXEC"/>postexec (S)</term><listitem>
+	<para>This option specifies a command to be run 
+	whenever the service is disconnected. It takes the usual 
+	substitutions. The command may be run as the root on some 
+	systems.</para>
+
+	<para>An interesting example may be to unmount server 
+	resources:</para>
+
+<para><command moreinfo="none">postexec = /etc/umount /cdrom</command></para>
+
+<para>Default: <emphasis><parameter>postexec</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>postexec</parameter> = echo \"%u disconnected from %S from %m (%I)\" &gt;&gt; /tmp/log
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>exec</primary><see>preexec</see></indexterm><term><anchor id="EXEC"/>exec</term><listitem><para>This parameter is a synonym for preexec.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>preexec</primary></indexterm><term><anchor id="PREEXEC"/>preexec (S)</term><listitem>
+	<para>This option specifies a command to be run whenever 
+	the service is connected to. It takes the usual substitutions.</para>
+
+	<para>An interesting example is to send the users a welcome 
+	message every time they log in. Maybe a message of the day? Here 
+	is an example:</para>
+
+	<para><command moreinfo="none">preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &amp; </command></para>
+
+	<para>Of course, this could get annoying after a while :-)</para>
+
+	<para>See also <link linkend="PREEXECCLOSE"><parameter moreinfo="none">preexec close</parameter></link> and <link linkend="POSTEXEC"><parameter moreinfo="none">postexec
+	</parameter></link>.</para>
+
+<para>Default: <emphasis><parameter>preexec</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>preexec</parameter> = echo \"%u connected to %S from %m (%I)\" &gt;&gt; /tmp/log
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>preexec close</primary></indexterm><term><anchor id="PREEXECCLOSE"/>preexec close (S)</term><listitem>
+	<para>This boolean option controls whether a non-zero 
+	return code from <link linkend="PREEXEC"><parameter moreinfo="none">preexec
+</parameter></link> should close the service being connected to.</para>
+
+<para>Default: <emphasis><parameter>preexec close</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>prefered master</primary><see>preferred master</see></indexterm><term><anchor id="PREFEREDMASTER"/>prefered master</term><listitem><para>This parameter is a synonym for preferred master.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>preferred master</primary></indexterm><term><anchor id="PREFERREDMASTER"/>preferred master (G)</term><listitem>
+	<para>This boolean parameter controls if
+	<citerefentry><refentrytitle>nmbd</refentrytitle>                                 
+	<manvolnum>8</manvolnum></citerefentry> is a preferred master
+	browser  for its workgroup.</para>
+
+	<para>If this is set to <constant>yes</constant>, on startup, <command moreinfo="none">nmbd</command> 
+	will force an election, and it will have a slight advantage in 
+	winning the election.  It is recommended that this parameter is 
+	used in conjunction with <command moreinfo="none"><link linkend="DOMAINMASTER">
+	<parameter moreinfo="none">domain master</parameter></link> = yes</command>, so 
+	that <command moreinfo="none">nmbd</command> can guarantee becoming a domain master.</para>
+		
+	<para>Use this option with caution, because if there are several 
+	hosts (whether Samba servers, Windows 95 or NT) that are
+	preferred  master browsers on the same subnet, they will each
+	periodically  and continuously attempt to become the local
+	master browser. This will result in unnecessary broadcast
+	traffic and reduced browsing capabilities.</para>
+
+<para>Default: <emphasis><parameter>preferred master</parameter> = auto
+</emphasis>
+</para>
 
-	<para>There are several options that control the way mangling is 
-	performed, and they are grouped here rather than listed separately. 
-	For the defaults look at the output of the testparm program. </para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>auto services</primary><see>preload</see></indexterm><term><anchor id="AUTOSERVICES"/>auto services</term><listitem><para>This parameter is a synonym for preload.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>preload</primary></indexterm><term><anchor id="PRELOAD"/>preload (G)</term><listitem>
+	<para>This is a list of services that you want to be 
+	automatically added to the browse lists. This is most useful 
+	for homes and printers services that would otherwise not be 
+	visible.</para>
 
-	<para>All of these options can be set separately for each service 
-	(or globally, of course). </para>
+	<para>Note that if you just want all printers in your 
+	printcap file loaded then the <link linkend="LOADPRINTERS">
+	<parameter moreinfo="none">load printers</parameter></link> option is easier.</para>
 
-	<para>The options are: </para>
+<para>Default: <emphasis><parameter>preload</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>preload</parameter> = fred lp colorlp
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>preload modules</primary></indexterm><term><anchor id="PRELOADMODULES"/>preload modules (G)</term><listitem>
+	<para>This is a list of paths to modules that should
+	be loaded into smbd before a client connects. This improves
+	the speed of smbd when reacting to new connections somewhat. </para>
+
+<para>Default: <emphasis><parameter>preload modules</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>preload modules</parameter> = /usr/lib/samba/passdb/mysql.so
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>preserve case</primary></indexterm><term><anchor id="PRESERVECASE"/>preserve case (S)</term><listitem>
+	<para> This controls if new filenames are created
+	with the case that the client passes, or if they are forced to 
+	be the <link linkend="DEFAULTCASE"><parameter moreinfo="none">default case
+	</parameter></link>.</para>
+	<para>See the section on <link linkend="NAMEMANGLINGSECT">NAME MANGLING</link> for a fuller discussion.</para>
+
+<para>Default: <emphasis><parameter>preserve case</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>print ok</primary><see>printable</see></indexterm><term><anchor id="PRINTOK"/>print ok</term><listitem><para>This parameter is a synonym for printable.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>printable</primary></indexterm><term><anchor id="PRINTABLE"/>printable (S)</term><listitem>
+    <para>If this parameter is <constant>yes</constant>, then 
+    clients may open, write to and submit spool files on the directory 
+    specified for the service. </para>
+		
+    <para>Note that a printable service will ALWAYS allow writing 
+    to the service path (user privileges permitting) via the spooling 
+    of print data. The <link linkend="READONLY"><parameter moreinfo="none">read only
+    </parameter></link> parameter controls only non-printing access to 
+    the resource.</para>
+
+<para>Default: <emphasis><parameter>printable</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>printcap cache time</primary></indexterm><term><anchor id="PRINTCAPCACHETIME"/>printcap cache time (G)</term><listitem>
+    <para>This option specifies the number of seconds before the printing
+    subsystem is again asked for the known printers.  If the value
+    is greater than 60 the initial waiting time is set to 60 seconds
+    to allow an earlier first rescan of the printing subsystem.
+    </para>
+
+    <para>Setting this parameter to 0 (the default) disables any 
+    rescanning for new or removed printers after the initial startup.
+    </para>
+
+<para>Default: <emphasis><parameter>printcap cache time</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>printcap cache time</parameter> = 600
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>printcap</primary><see>printcap name</see></indexterm><term><anchor id="PRINTCAP"/>printcap</term><listitem><para>This parameter is a synonym for printcap name.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>printcap name</primary></indexterm><term><anchor id="PRINTCAPNAME"/>printcap name (S)</term><listitem>
+    <para>This parameter may be used to override the 
+    compiled-in default printcap name used by the server (usually <filename moreinfo="none">
+    /etc/printcap</filename>). See the discussion of the <link linkend="PRINTERSSECT">[printers]</link> section above for reasons 
+    why you might want to do this.</para>
+
+    <para>To use the CUPS printing interface set <command moreinfo="none">printcap name = cups
+    </command>. This should be supplemented by an addtional setting 
+    <link linkend="PRINTING">printing = cups</link> in the [global] 
+    section.  <command moreinfo="none">printcap name = cups</command> will use the  
+    "dummy" printcap created by CUPS, as specified in your CUPS
+    configuration file.
+    </para>
+
+    <para>On System V systems that use <command moreinfo="none">lpstat</command> to 
+    list available printers you can use <command moreinfo="none">printcap name = lpstat
+    </command> to automatically obtain lists of available printers. This 
+    is the default for systems that define SYSV at configure time in 
+    Samba (this includes most System V based systems). If <parameter moreinfo="none">
+    printcap name</parameter> is set to <command moreinfo="none">lpstat</command> on 
+    these systems then Samba will launch <command moreinfo="none">lpstat -v</command> and 
+    attempt to parse the output to obtain a printer list.</para>
+
+    <para>A minimal printcap file would look something like this:</para>
+
+<para><programlisting format="linespecific">
+print1|My Printer 1
+print2|My Printer 2
+print3|My Printer 3
+print4|My Printer 4
+print5|My Printer 5
+</programlisting></para>
 	
-	<variablelist>
+    <para>where the '|' separates aliases of a printer. The fact 
+    that the second alias has a space in it gives a hint to Samba 
+    that it's a comment.</para>
+
+    <note><para>Under AIX the default printcap 
+    name is <filename moreinfo="none">/etc/qconfig</filename>. Samba will assume the 
+    file is in AIX <filename moreinfo="none">qconfig</filename> format if the string
+	<filename moreinfo="none">qconfig</filename> appears in the printcap filename.</para></note>
 	
-	<varlistentry>
-		<term>case sensitive = yes/no/auto</term>
-		<listitem><para>controls whether filenames are case sensitive. If 
-		they aren't, Samba must do a filename search and match on passed 
-		names. The default setting of auto allows clients that support case
-		sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently)
-		to tell the Samba server on a per-packet basis that they wish to access
-		the file system in a case-sensitive manner (to support UNIX case sensitive
-		semantics). No Windows or DOS system supports case-sensitive filename so
-		setting this option to auto is that same as setting it to no for them.
-		Default <emphasis>auto</emphasis>.</para></listitem>
-		</varlistentry> 
-
-		<varlistentry>
-		<term>default case = upper/lower</term>
-		<listitem><para>controls what the default case is for new 
-		filenames. Default <emphasis>lower</emphasis>.</para></listitem>
-		</varlistentry> 
+<para>Default: <emphasis><parameter>printcap name</parameter> = /etc/printcap
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>printcap name</parameter> = /etc/myprintcap
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>print command</primary></indexterm><term><anchor id="PRINTCOMMAND"/>print command (S)</term><listitem>
+    <para>After a print job has finished spooling to 
+    a service, this command will be used via a <command moreinfo="none">system()</command> 
+    call to process the spool file. Typically the command specified will 
+    submit the spool file to the host's printing subsystem, but there 
+    is no requirement that this be the case. The server will not remove 
+    the spool file, so whatever command you specify should remove the 
+    spool file when it has been processed, otherwise you will need to 
+    manually remove old spool files.</para>
+		
+    <para>The print command is simply a text string. It will be used 
+    verbatim after macro substitutions have been made:</para>
+
+	<para>%s, %f - the path to the spool
+    file name</para>
+
+    <para>%p - the appropriate printer 
+    name</para>
+
+    <para>%J - the job 
+    name as transmitted by the client.</para>
+
+    <para>%c - The number of printed pages
+    of the spooled job (if known).</para>
+
+    <para>%z - the size of the spooled
+    print job (in bytes)</para>
+
+    <para>The print command <emphasis>MUST</emphasis> contain at least 
+    one occurrence of <parameter moreinfo="none">%s</parameter> or <parameter moreinfo="none">%f
+    </parameter> - the <parameter moreinfo="none">%p</parameter> is optional. At the time 
+    a job is submitted, if no printer name is supplied the <parameter moreinfo="none">%p
+    </parameter> will be silently removed from the printer command.</para>
+
+    <para>If specified in the [global] section, the print command given 
+    will be used for any printable service that does not have its own 
+    print command specified.</para>
+
+    <para>If there is neither a specified print command for a 
+    printable service nor a global print command, spool files will 
+    be created but not processed and (most importantly) not removed.</para>
+
+    <para>Note that printing may fail on some UNIXes from the 
+    <constant>nobody</constant> account. If this happens then create 
+    an alternative guest account that can print and set the <link linkend="GUESTACCOUNT">
+    <parameter moreinfo="none">guest account</parameter></link> 
+    in the [global] section.</para>
+
+    <para>You can form quite complex print commands by realizing 
+    that they are just passed to a shell. For example the following 
+    will log a print job, print the file, then remove it. Note that 
+    ';' is the usual separator for command in shell scripts.</para>
+
+    <para><command moreinfo="none">print command = echo Printing %s &gt;&gt; 
+    /tmp/print.log; lpr -P %p %s; rm %s</command></para>
+
+    <para>You may have to vary this command considerably depending 
+    on how you normally print files on your system. The default for 
+    the parameter varies depending on the setting of the <link linkend="PRINTING">
+    <parameter moreinfo="none">printing</parameter></link> parameter.</para>
+
+    <para>Default: For <command moreinfo="none">printing = BSD, AIX, QNX, LPRNG 
+    or PLP :</command></para>
+    <para><command moreinfo="none">print command = lpr -r -P%p %s</command></para>
+
+    <para>For <command moreinfo="none">printing = SYSV or HPUX :</command></para>
+    <para><command moreinfo="none">print command = lp -c -d%p %s; rm %s</command></para>
+
+    <para>For <command moreinfo="none">printing = SOFTQ :</command></para>
+    <para><command moreinfo="none">print command = lp -d%p -s %s; rm %s</command></para>
+
+    <para>For printing = CUPS :   If SAMBA is compiled against
+    libcups, then <link linkend="PRINTING">printcap = cups</link> 
+    uses the CUPS API to
+    submit jobs, etc.  Otherwise it maps to the System V
+    commands with the -oraw option for printing, i.e. it
+    uses <command moreinfo="none">lp -c -d%p -oraw; rm %s</command>.   
+    With <command moreinfo="none">printing = cups</command>,
+    and if SAMBA is compiled against libcups, any manually 
+	set print command will be ignored.</para>
+
+<para><emphasis>No default</emphasis></para>
+<para>Example: <emphasis><parameter>print command</parameter> = /usr/local/samba/bin/myprintscript %p %s
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>printer admin</primary></indexterm><term><anchor id="PRINTERADMIN"/>printer admin (S)</term><listitem>
+	<para>
+	This lists users who can do anything to printers
+	via the remote administration interfaces offered
+	by MS-RPC (usually using a NT workstation).
+	This parameter can be set per-share or globally.
+	Note: The root user always has admin rights. Use
+	caution with use in the global stanza as this can
+	cause side effects.
+	</para>
+
+<para>Default: <emphasis><parameter>printer admin</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>printer admin</parameter> = admin, @staff
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>printer</primary><see>printer name</see></indexterm><term><anchor id="PRINTER"/>printer</term><listitem><para>This parameter is a synonym for printer name.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>printer name</primary></indexterm><term><anchor id="PRINTERNAME"/>printer name (S)</term><listitem>
+    <para>This parameter specifies the name of the printer 
+    to which print jobs spooled through a printable service will be sent.</para>
+
+    <para>If specified in the [global] section, the printer
+    name given will be used for any printable service that does 
+	not have its own printer name specified.</para>
+
+<para>Default: <emphasis><parameter>printer name</parameter> = 
+# none (but may be <constant>lp</constant> on many systems)
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>printer name</parameter> = laserwriter
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>printing</primary></indexterm><term><anchor id="PRINTING"/>printing (S)</term><listitem>
+    <para>This parameters controls how printer status  information is
+    interpreted on your system. It also affects the  default values for
+    the <parameter moreinfo="none">print command</parameter>,  <parameter moreinfo="none">lpq command</parameter>, <parameter moreinfo="none">lppause command </parameter>, <parameter moreinfo="none">lpresume command</parameter>, and  <parameter moreinfo="none">lprm command</parameter> if specified in the 
+    [global] section.</para>
+
+    <para>Currently nine printing styles are supported. They are
+    <constant>BSD</constant>, <constant>AIX</constant>, 
+    <constant>LPRNG</constant>, <constant>PLP</constant>,
+    <constant>SYSV</constant>, <constant>HPUX</constant>,
+    <constant>QNX</constant>, <constant>SOFTQ</constant>,
+    and <constant>CUPS</constant>.</para>
+
+    <para>To see what the defaults are for the other print 
+    commands when using the various options use the <citerefentry><refentrytitle>testparm</refentrytitle>
+    <manvolnum>1</manvolnum></citerefentry> program.</para>
+
+    <para>This option can be set on a per printer basis.  Please be 
+    aware however, that you must place any of the various printing 
+    commands (e.g. print command, lpq command, etc...) after defining
+    the value for the <parameter>printing</parameter> option since it will 
+    reset the printing commands to default values.</para>
+
+    <para>See also the discussion in the <link linkend="PRINTERSSECT">
+    [printers]</link> section.</para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>private dir</primary></indexterm><term><anchor id="PRIVATEDIR"/>private dir (G)</term><listitem>
+    <para>This parameters defines the directory
+    smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
+    and <filename moreinfo="none">secrets.tdb</filename>.
+</para>
+
+<para>Default: <emphasis><parameter>private dir</parameter> = ${prefix}/private
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>profile acls</primary></indexterm><term><anchor id="PROFILEACLS"/>profile acls (S)</term><listitem>
+	<para>
+	This boolean parameter was added to fix the problems that people have been
+	having with storing user profiles on Samba shares from Windows 2000 or
+	Windows XP clients. New versions of Windows 2000 or Windows XP service
+	packs do security ACL checking on the owner and ability to write of the
+	profile directory stored on a local workstation when copied from a Samba
+	share.
+</para>
+
+<para>When not in domain mode with winbindd then the security info copied
+	onto the local workstation has no meaning to the logged in user (SID) on
+	that workstation so the profile storing fails. Adding this parameter
+	onto a share used for profile storage changes two things about the
+	returned Windows ACL. Firstly it changes the owner and group owner
+	of all reported files and directories to be BUILTIN\\Administrators,
+	BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
+	it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
+	every returned ACL. This will allow any Windows 2000 or XP workstation
+	user to access the profile.</para>
 	
-		<varlistentry>
-		<term>preserve case = yes/no</term>
-		<listitem><para>controls whether new files are created with the 
-		case that the client passes, or if they are forced to be the 
-		<quote>default</quote> case. Default <emphasis>yes</emphasis>.
-		</para></listitem>
-		</varlistentry> 
-
-		<varlistentry>
-		<term>short preserve case = yes/no</term>
-		<listitem><para>controls if new files which conform to 8.3 syntax,
-		that is all in upper case and of suitable length, are created 
-		upper case, or if they are forced to be the <quote>default</quote> 
-		case. This option can be used with <quote>preserve case = yes</quote> 
-		to permit long filenames to retain their case, while short names 
-		are lowercased. Default <emphasis>yes</emphasis>.</para></listitem>
-		</varlistentry> 
-	</variablelist>
+	<para>Note that if you have multiple users logging
+	on to a workstation then in order to prevent them from being able to access
+	each others profiles you must remove the "Bypass traverse checking" advanced
+	user right. This will prevent access to other users profile directories as
+	the top level profile directory (named after the user) is created by the
+	workstation profile code and has an ACL restricting entry to the directory
+	tree to the owning user.
+</para>
+
+<para>Default: <emphasis><parameter>profile acls</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>queuepause command</primary></indexterm><term><anchor id="QUEUEPAUSECOMMAND"/>queuepause command (S)</term><listitem>
+    <para>This parameter specifies the command to be 
+    executed on the server host in order to pause the printer queue.</para>
+
+    <para>This command should be a program or script which takes 
+    a printer name as its only parameter and stops the printer queue, 
+    such that no longer jobs are submitted to the printer.</para>
+
+    <para>This command is not supported by Windows for Workgroups, 
+    but can be issued from the Printers window under Windows 95 
+    and NT.</para>
+		
+    <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name 
+    is put in its place. Otherwise it is placed at the end of the command.
+    </para>
+
+    <para>Note that it is good practice to include the absolute 
+    path in the command as the PATH may not be available to the 
+	server.</para>
+
+<para><emphasis>No default</emphasis></para>
+<para>Example: <emphasis><parameter>queuepause command</parameter> = disable %p
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>queueresume command</primary></indexterm><term><anchor id="QUEUERESUMECOMMAND"/>queueresume command (S)</term><listitem>
+    <para>This parameter specifies the command to be 
+    executed on the server host in order to resume the printer queue. It 
+    is the command to undo the behavior that is caused by the 
+    previous parameter (<link linkend="QUEUEPAUSECOMMAND"><parameter moreinfo="none">
+    queuepause command</parameter></link>).</para>
+ 
+    <para>This command should be a program or script which takes 
+    a printer name as its only parameter and resumes the printer queue, 
+    such that queued jobs are resubmitted to the printer.</para>
+
+    <para>This command is not supported by Windows for Workgroups, 
+    but can be issued from the Printers window under Windows 95 
+    and NT.</para>
+
+    <para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name 
+    is put in its place. Otherwise it is placed at the end of the 
+    command.</para>
+
+    <para>Note that it is good practice to include the absolute 
+    path in the command as the PATH may not be available to the 
+	server.</para>
+
+<para>Default: <emphasis><parameter>queueresume command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>queueresume command</parameter> = enable %p
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>read bmpx</primary></indexterm><term><anchor id="READBMPX"/>read bmpx (G)</term><listitem>
+    <para>This boolean parameter controls whether
+    <citerefentry><refentrytitle>smbd</refentrytitle>                                       
+    <manvolnum>8</manvolnum></citerefentry> will support the "Read
+    Block Multiplex" SMB. This is now rarely used and defaults to 
+    <constant>no</constant>. You should never need to set this 
+	parameter.</para>
+
+<para>Default: <emphasis><parameter>read bmpx</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>read list</primary></indexterm><term><anchor id="READLIST"/>read list (S)</term><listitem>
+    <para>This is a list of users that are given read-only 
+    access to a service. If the connecting user is in this list then 
+    they will not be given write access, no matter what the <link linkend="READONLY">
+    <parameter moreinfo="none">read only</parameter></link>
+    option is set to. The list can include group names using the 
+    syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none">
+    invalid users</parameter></link> parameter.</para>
+  
+    <para>This parameter will not work with the <link linkend="SECURITY">
+    <parameter moreinfo="none">security = share</parameter></link> in 
+    Samba 3.0.  This is by design.</para>
+
+<para>Default: <emphasis><parameter>read list</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>read list</parameter> = mary, @students
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>read only</primary></indexterm><term><anchor id="READONLY"/>read only (S)</term><listitem>
+    <para>An inverted synonym is <link linkend="WRITEABLE">
+    <parameter moreinfo="none">writeable</parameter></link>.</para>
+
+    <para>If this parameter is <constant>yes</constant>, then users 
+    of a service may not create or modify files in the service's 
+    directory.</para>
+
+    <para>Note that a printable service (<command moreinfo="none">printable = yes</command>)
+    will <emphasis>ALWAYS</emphasis> allow writing to the directory 
+    (user privileges permitting), but only via spooling operations.</para>
+
+<para>Default: <emphasis><parameter>read only</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>read raw</primary></indexterm><term><anchor id="READRAW"/>read raw (G)</term><listitem>
+    <para>This parameter controls whether or not the server 
+    will support the raw read SMB requests when transferring data 
+    to clients.</para>
+
+    <para>If enabled, raw reads allow reads of 65535 bytes in 
+    one packet. This typically provides a major performance benefit.
+    </para>
+
+    <para>However, some clients either negotiate the allowable 
+    block size incorrectly or are incapable of supporting larger block 
+	sizes, and for these clients you may need to disable raw reads.</para>
+
+<para>In general this parameter should be viewed as a system tuning 
+	tool and left severely alone.</para>
+
+<para>Default: <emphasis><parameter>read raw</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>realm</primary></indexterm><term><anchor id="REALM"/>realm (G)</term><listitem>
+        <para>This option specifies the kerberos realm to use. The realm is 
+	used as the ADS equivalent of the NT4 <command moreinfo="none">domain</command>. It
+	is usually set to the DNS name of the kerberos server.
+	</para>
+
+<para>Default: <emphasis><parameter>realm</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>realm</parameter> = mysambabox.mycompany.com
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>remote announce</primary></indexterm><term><anchor id="REMOTEANNOUNCE"/>remote announce (G)</term><listitem>
+	<para>This option allows you to setup <citerefentry><refentrytitle>nmbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>to periodically announce itself 
+	to arbitrary IP addresses with an arbitrary workgroup name.</para>
+
+	<para>This is useful if you want your Samba server to appear 
+	in a remote workgroup for which the normal browse propagation 
+	rules don't work. The remote workgroup can be anywhere that you 
+	can send IP packets to.</para>
+
+	<para>For example:</para>
+
+	<para><command moreinfo="none">remote announce = 192.168.2.255/SERVERS 
+	192.168.4.255/STAFF</command></para>
+
+	<para>the above line would cause <command moreinfo="none">nmbd</command> to announce itself 
+	to the two given IP addresses using the given workgroup names. 
+	If you leave out the workgroup name then the one given in 
+	the <link linkend="WORKGROUP"><parameter moreinfo="none">workgroup</parameter></link> 
+	parameter is used instead.</para>
+
+	<para>The IP addresses you choose would normally be the broadcast 
+	addresses of the remote networks, but can also be the IP addresses 
+	of known browse masters if your network config is that stable.</para>
+
+<para>See <link linkend="NetworkBrowsing"/>.</para>
+
+<para>Default: <emphasis><parameter>remote announce</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>remote browse sync</primary></indexterm><term><anchor id="REMOTEBROWSESYNC"/>remote browse sync (G)</term><listitem>
+	<para>This option allows you to setup <citerefentry><refentrytitle>nmbd</refentrytitle>
+        <manvolnum>8</manvolnum></citerefentry> to periodically request 
+	synchronization of browse lists with the master browser of a Samba 
+	server that is on a remote segment. This option will allow you to 
+	gain browse lists for multiple workgroups across routed networks. This 
+	is done in a manner that does not work with any non-Samba servers.</para>
+
+	<para>This is useful if you want your Samba server and all local 
+	clients to appear in a remote workgroup for which the normal browse 
+	propagation rules don't work. The remote workgroup can be anywhere 
+	that you can send IP packets to.</para>
+
+	<para>For example:</para>
+		
+	<para><command moreinfo="none">remote browse sync = 192.168.2.255 192.168.4.255</command></para>
+
+	<para>the above line would cause <command moreinfo="none">nmbd</command> to request 
+	the master browser on the specified subnets or addresses to 
+	synchronize their browse lists with the local server.</para>
+
+	<para>The IP addresses you choose would normally be the broadcast 
+	addresses of the remote networks, but can also be the IP addresses 
+	of known browse masters if your network config is that stable. If 
+	a machine IP address is given Samba makes NO attempt to validate 
+	that the remote machine is available, is listening, nor that it 
+	is in fact the browse master on its segment.</para>
+
+<para>Default: <emphasis><parameter>remote browse sync</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>restrict anonymous</primary></indexterm><term><anchor id="RESTRICTANONYMOUS"/>restrict anonymous (G)</term><listitem>
+    <para>The setting of this parameter determines whether user and
+    group list information is returned for an anonymous connection.
+    and mirrors the effects of the
+    <constant>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous</constant> registry key in Windows
+    2000 and Windows NT.  When set to 0, user and group list
+    information is returned to anyone who asks.  When set
+    to 1, only an authenticated user can retrive user and
+    group list information.  For the value 2, supported by
+    Windows 2000/XP and Samba, no anonymous connections are allowed at
+    all.  This can break third party and Microsoft
+    applications which expect to be allowed to perform
+	operations anonymously.</para>
+
+	<para>
+    The security advantage of using restrict anonymous = 1 is dubious,
+    as user and group list information can be obtained using other
+	means.
+	</para>
+
+	<note>
+	<para>
+    The security advantage of using restrict anonymous = 2 is removed
+    by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
+	ok</parameter> = yes</link> on any share.
+	</para>
+	</note>
+
+<para>Default: <emphasis><parameter>restrict anonymous</parameter> = 0
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>root</primary><see>root directory</see></indexterm><term><anchor id="ROOT"/>root</term><listitem><para>This parameter is a synonym for root directory.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>root dir</primary><see>root directory</see></indexterm><term><anchor id="ROOTDIR"/>root dir</term><listitem><para>This parameter is a synonym for root directory.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>root directory</primary></indexterm><term><anchor id="ROOTDIRECTORY"/>root directory (G)</term><listitem>
+    <para>The server will <command moreinfo="none">chroot()</command> (i.e. 
+    Change its root directory) to this directory on startup. This is 
+    not strictly necessary for secure operation. Even without it the 
+    server will deny access to files not in one of the service entries. 
+    It may also check for, and deny access to, soft links to other 
+    parts of the filesystem, or attempts to use ".." in file names 
+    to access other directories (depending on the setting of the <link linkend="WIDELINKS">
+    <parameter moreinfo="none">wide links</parameter></link> 
+    parameter).
+    </para>
+
+    <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other 
+    than "/" adds an extra level of security, but at a price. It 
+    absolutely ensures that no access is given to files not in the 
+    sub-tree specified in the <parameter moreinfo="none">root directory</parameter> 
+    option, <emphasis>including</emphasis> some files needed for 
+    complete operation of the server. To maintain full operability 
+    of the server you will need to mirror some system files 
+    into the <parameter moreinfo="none">root directory</parameter> tree. In particular 
+    you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a 
+    subset of it), and any binaries or configuration files needed for 
+    printing (if required). The set of files that must be mirrored is
+    operating system dependent.</para>
+
+<para>Default: <emphasis><parameter>root directory</parameter> = /
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>root directory</parameter> = /homes/smb
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>root postexec</primary></indexterm><term><anchor id="ROOTPOSTEXEC"/>root postexec (S)</term><listitem>
+	<para>This is the same as the <parameter moreinfo="none">postexec</parameter>
+	parameter except that the command is run as root. This 
+	is useful for unmounting filesystems 
+	(such as CDROMs) after a connection is closed.</para>
+
+<para>Default: <emphasis><parameter>root postexec</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>root preexec</primary></indexterm><term><anchor id="ROOTPREEXEC"/>root preexec (S)</term><listitem>
+	<para>This is the same as the <parameter moreinfo="none">preexec</parameter>
+	parameter except that the command is run as root. This 
+	is useful for mounting filesystems (such as CDROMs) when a 
+	connection is opened.</para>
+
+<para>Default: <emphasis><parameter>root preexec</parameter> = 
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>root preexec close</primary></indexterm><term><anchor id="ROOTPREEXECCLOSE"/>root preexec close (S)</term><listitem>
+	<para>This is the same as the <parameter moreinfo="none">preexec close
+	</parameter> parameter except that the command is run as root.</para>
+
+<para>Default: <emphasis><parameter>root preexec close</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>security</primary></indexterm><term><anchor id="SECURITY"/>security (G)</term><listitem>
+    <para>This option affects how clients respond to 
+    Samba and is one of the most important settings in the <filename moreinfo="none">
+    smb.conf</filename> file.</para>
+
+    <para>The option sets the "security mode bit" in replies to 
+    protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide 
+    based on this bit whether (and how) to transfer user and password 
+    information to the server.</para>
+
+
+    <para>The default is <command moreinfo="none">security = user</command>, as this is
+    the most common setting needed when talking to Windows 98 and 
+    Windows NT.</para>
+
+    <para>The alternatives are <command moreinfo="none">security = share</command>,
+    <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain
+    </command>.</para>
+
+    <para>In versions of Samba prior to 2.0.0, the default was 
+    <command moreinfo="none">security = share</command> mainly because that was
+    the only option at one stage.</para>
+
+    <para>There is a bug in WfWg that has relevance to this 
+    setting. When in user or server level security a WfWg client 
+    will totally ignore the password you type in the "connect 
+    drive" dialog box. This makes it very difficult (if not impossible) 
+    to connect to a Samba service as anyone except the user that 
+    you are logged into WfWg as.</para>
+
+    <para>If your PCs use usernames that are the same as their 
+    usernames on the UNIX machine then you will want to use 
+    <command moreinfo="none">security = user</command>. If you mostly use usernames 
+    that don't exist on the UNIX box then use <command moreinfo="none">security = 
+    share</command>.</para>
+
+    <para>You should also use <command moreinfo="none">security = share</command> if you 
+    want to mainly setup shares without a password (guest shares). This 
+    is commonly used for a shared printer server. It is more difficult 
+    to setup guest shares with <command moreinfo="none">security = user</command>, see 
+    the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+    </link>parameter for details.</para>
+		
+    <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
+    hybrid mode</emphasis> where it is offers both user and share 
+    level security under different <link linkend="NETBIOSALIASES">
+    <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para>
+
+    <para>The different settings will now be explained.</para>
+
+
+    <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> 
+		
+    <para>When clients connect to a share level security server they 
+    need not log onto the server with a valid username and password before 
+    attempting to connect to a shared resource (although modern clients 
+    such as Windows 95/98 and Windows NT will send a logon request with 
+    a username but no password when talking to a <command moreinfo="none">security = share
+    </command> server). Instead, the clients send authentication information 
+    (passwords) on a per-share basis, at the time they attempt to connect 
+    to that share.</para>
+
+    <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis> 
+    uses a valid UNIX user to act on behalf of the client, even in
+    <command moreinfo="none">security = share</command> level security.</para>
+
+    <para>As clients are not required to send a username to the server
+    in share level security, <command moreinfo="none">smbd</command> uses several
+    techniques to determine the correct UNIX user to use on behalf
+    of the client.</para>
+
+    <para>A list of possible UNIX usernames to match with the given
+    client password is constructed using the following methods :</para>
+
+    <itemizedlist>
+	<listitem>
+	    <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest 
+	    only</parameter></link> parameter is set, then all the other 
+	    stages are missed and only the <link linkend="GUESTACCOUNT">
+	    <parameter moreinfo="none">guest account</parameter></link> username is checked.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>Is a username is sent with the share connection 
+	    request, then this username (after mapping - see <link linkend="USERNAMEMAP">
+	    <parameter moreinfo="none">username map</parameter></link>), 
+	    is added as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>If the client did a previous <emphasis>logon
+	    </emphasis> request (the SessionSetup SMB call) then the 
+	    username sent in this SMB will be added as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>The name of the service the client requested is 
+	    added as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>The NetBIOS name of the client is added to 
+	    the list as a potential username.
+	    </para>
+	</listitem>
+
+	<listitem>
+	    <para>Any users on the <link linkend="USER"><parameter moreinfo="none">
+	    user</parameter></link> list are added as potential usernames.
+	    </para>
+	</listitem>
+    </itemizedlist>
+
+    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
+    not set, then this list is then tried with the supplied password. 
+    The first user for whom the password matches will be used as the 
+    UNIX user.</para>
+
+    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
+    set, or no username can be determined then if the share is marked 
+    as available to the <parameter moreinfo="none">guest account</parameter>, then this 
+    guest user will be used, otherwise access is denied.</para>
+
+    <para>Note that it can be <emphasis>very</emphasis> confusing 
+    in share-level security as to which UNIX username will eventually
+    be used in granting access.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
+
+    <para>This is the default security setting in Samba 3.0. 
+    With user-level security a client must first "log-on" with a 
+    valid username and password (which can be mapped using the <link linkend="USERNAMEMAP">
+    <parameter moreinfo="none">username map</parameter></link> 
+    parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also
+    be used in this security mode. Parameters such as <link linkend="USER">
+    <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY">
+    <parameter moreinfo="none">guest only</parameter></link> if set	are then applied and 
+    may change the UNIX user to use on this connection, but only after 
+    the user has been successfully authenticated.</para>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+    <parameter moreinfo="none">guest account</parameter></link>. 
+    See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+    </link> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
+
+    <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> has been used to add this
+    machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypted passwords</parameter>
+    </link> parameter to be set to <constant>yes</constant>. In this 
+    mode Samba will try to validate the username/password by passing
+    it to a Windows NT Primary or Backup Domain Controller, in exactly 
+    the same way that a Windows NT Server would do.</para>
+
+    <para><emphasis>Note</emphasis> that a valid UNIX user must still 
+    exist as well as the account on the Domain Controller to allow 
+    Samba to have a valid UNIX account to map file access to.</para>
+
+    <para><emphasis>Note</emphasis> that from the client's point 
+    of view <command moreinfo="none">security = domain</command> is the same 
+    as <command moreinfo="none">security = user</command>. It only 
+    affects how the server deals with the authentication, 
+    it does not in any way affect what the client sees.</para>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+    <parameter moreinfo="none">guest account</parameter></link>. 
+    See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+    </link> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password 
+    server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypted passwords</parameter>
+    </link> parameter.</para>
+
+    <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
+
+    <para>In this mode Samba will try to validate the username/password 
+    by passing it to another SMB server, such as an NT box. If this 
+    fails it will revert to <command moreinfo="none">security =
+    user</command>. It expects the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypted passwords</parameter></link> parameter 
+    to be set to <constant>yes</constant>, unless the remote server
+    does not support them.  However note that if encrypted passwords have been 
+    negotiated then Samba cannot revert back to checking the UNIX password file, 
+    it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check 
+	users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
+
+	<note><para>This mode of operation has
+    significant pitfalls, due to the fact that is activly initiates a
+    man-in-the-middle attack on the remote SMB server.  In particular,
+    this mode of operation can cause significant resource consuption on
+    the PDC, as it must maintain an active connection for the duration
+    of the user's session.  Furthermore, if this connection is lost,
+    there is no way to reestablish it, and futher authenticaions to the
+    Samba server may fail.  (From a single client, till it disconnects).
+	</para></note>
+
+	<note><para>From the client's point of 
+    view <command moreinfo="none">security = server</command> is the
+    same as <command moreinfo="none">security = user</command>.  It
+    only affects how the server deals  with the authentication, it does
+	not in any way affect what the  client sees.</para></note>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being 
+    requested is <emphasis>not</emphasis> sent to the server until after 
+    the server has successfully authenticated the client. This is why 
+    guest shares don't work in user level security without allowing 
+    the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
+    <parameter moreinfo="none">guest account</parameter></link>. 
+    See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
+    </link> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password 
+    server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+
+	<para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
 	
-	<para>By default, Samba 3.0 has the same semantics as a Windows 
-	NT server, in that it is case insensitive but case preserving.</para>
+	<para>In this mode, Samba will act as a domain member in an ADS realm. To operate 
+		in this mode, the machine running Samba will need to have Kerberos installed 
+		and configured and Samba will need to be joined to the ADS realm using the 
+		net utility. </para>
 	
-</refsect1>
-
-<refsect1 id="VALIDATIONSECT">
-	<title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
-
-	<para>There are a number of ways in which a user can connect 
-	to a service. The server uses the following steps in determining 
-	if it will allow a connection to a specified service. If all the 
-	steps fail, the connection request is rejected.  However, if one of the 
-	steps succeeds, the following steps are not checked.</para>
-
-	<para>If the service is marked <quote>guest only = yes</quote> and the
-	server is running with share-level security (<quote>security = share</quote>,
-	steps 1 to 5 are skipped.</para>
-
-
-	<orderedlist continuation="restarts" inheritnum="ignore" numeration="arabic">
-		<listitem><para>If the client has passed a username/password 
-		pair and that username/password pair is validated by the UNIX 
-		system's password programs, the connection is made as that 
-		username. This includes the 
-		\\server\service%<replaceable>username</replaceable> method of passing 
-		a username.</para></listitem>
-
-		<listitem><para>If the client has previously registered a username 
-		with the system and now supplies a correct password for that 
-		username, the connection is allowed.</para></listitem>
-		
-		<listitem><para>The client's NetBIOS name and any previously 
-		used usernames are checked against the supplied password. If 
-		they match, the connection is allowed as the corresponding 
-		user.</para></listitem>
-		
-		<listitem><para>If the client has previously validated a
-		username/password pair with the server and the client has passed 
-		the validation token, that username is used. </para></listitem>
-
-		<listitem><para>If a <quote>user = </quote> field is given in the
-		<filename moreinfo="none">smb.conf</filename> file for the service and the client 
-		has supplied a password, and that password matches (according to 
-		the UNIX system's password checking) with one of the usernames 
-		from the <quote>user =</quote> field, the connection is made as 
-		the username in the <quote>user =</quote> line. If one 
-		of the usernames in the <quote>user =</quote> list begins with a
-		<quote>@</quote>, that name expands to a list of names in 
-		the group of the same name.</para></listitem>
-
-		<listitem><para>If the service is a guest service, a 
-		connection is made as the username given in the <quote>guest 
-		account =</quote> for the service, irrespective of the 
-		supplied password.</para></listitem>
-	</orderedlist>
-
-</refsect1>
-
-<refsect1>
-	<title>EXPLANATION OF EACH PARAMETER</title>
+	<para>Note that this mode does NOT make Samba operate as a Active Directory Domain 
+		Controller. </para>
 	
-	<xi:include href="../smbdotconf/parameters.all.xml" parse="xml"/>
+	<para>Read the chapter about Domain Membership in the HOWTO for details.</para>
+
+<para>Default: <emphasis><parameter>security</parameter> = USER
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>security</parameter> = DOMAIN
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>security mask</primary></indexterm><term><anchor id="SECURITYMASK"/>security mask (S)</term><listitem>
+    <para>This parameter controls what UNIX permission 
+    bits can be modified when a Windows NT client is manipulating 
+    the UNIX permission on a file using the native NT security 
+    dialog box.</para>
+
+    <para>This parameter is applied as a mask (AND'ed with) to 
+    the changed permission bits, thus preventing any bits not in 
+    this mask from being modified. Essentially, zero bits in this 
+    mask may be treated as a set of bits the user is not allowed 
+    to change.</para>
+
+    <para>If not set explicitly this parameter is 0777, allowing
+    a user to modify all the user/group/world permissions on a file.
+    </para>
+
+    <para><emphasis>Note</emphasis> that users who can access the 
+    Samba server through other means can easily bypass this 
+    restriction, so it is primarily useful for standalone 
+    "appliance" systems.  Administrators of most normal systems will 
+	probably want to leave it set to <constant>0777</constant>.</para>
+
+<para>Default: <emphasis><parameter>security mask</parameter> = 0777
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>security mask</parameter> = 0770
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>server schannel</primary></indexterm><term><anchor id="SERVERSCHANNEL"/>server schannel (G)</term><listitem>
+    <para>This controls whether the server offers or even
+    demands the use of the netlogon schannel.
+    <parameter>server schannel = no</parameter> does not
+    offer the schannel, <parameter>server schannel =
+    auto</parameter> offers the schannel but does not
+    enforce it, and <parameter>server schannel =
+    yes</parameter> denies access if the client is not
+    able to speak netlogon schannel. This is only the case
+    for Windows NT4 before SP4.</para>
+
+    <para>Please note that with this set to
+    <parameter>no</parameter> you will have to apply the
+    WindowsXP requireSignOrSeal-Registry patch found in
+	the docs/Registry subdirectory.</para>
+
+<para>Default: <emphasis><parameter>server schannel</parameter> = auto
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>server schannel</parameter> = yes
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>server signing</primary></indexterm><term><anchor id="SERVERSIGNING"/>server signing (G)</term><listitem>
+
+    <para>This controls whether the server offers or requires
+    the client it talks to to use SMB signing. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. 
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced. 
+    When set to mandatory, SMB signing is required and if set 
+	to disabled, SMB signing is not offered either.</para>
+
+<para>Default: <emphasis><parameter>server signing</parameter> = Disabled
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>server string</primary></indexterm><term><anchor id="SERVERSTRING"/>server string (G)</term><listitem>
+        <para>This controls what string will show up in the printer comment box in print 
+        manager and next to the IPC connection in <command moreinfo="none">net view</command>. It 
+        can be any string that you wish to show to your users.</para>
+		
+	<para>It also sets what will appear in browse lists next 
+	to the machine name.</para>
+
+	<para>A <parameter moreinfo="none">%v</parameter> will be replaced with the Samba 
+	version number.</para>
+
+	<para>A <parameter moreinfo="none">%h</parameter> will be replaced with the 
+		hostname.</para>
+
+<para>Default: <emphasis><parameter>server string</parameter> = Samba %v
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>server string</parameter> = University of GNUs Samba Server
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>set directory</primary></indexterm><term><anchor id="SETDIRECTORY"/>set directory (S)</term><listitem>
+	<para>If <command moreinfo="none">set directory = no</command>, then 
+	users of the service may not use the setdir command to change 
+	directory.</para>
+
+	<para>The <command moreinfo="none">setdir</command> command is only implemented 
+	in the Digital Pathworks client. See the Pathworks documentation 
+	for details.</para>
+
+<para>Default: <emphasis><parameter>set directory</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>set primary group script</primary></indexterm><term><anchor id="SETPRIMARYGROUPSCRIPT"/>set primary group script (G)</term><listitem>
+
+	<para>Thanks to the Posix subsystem in NT a Windows User has a
+	primary group in addition to the auxiliary groups.  This script
+	sets the primary group in the unix userdatase when an
+	administrator sets the primary group from the windows user
+	manager or when fetching a SAM with <command>net rpc
+	vampire</command>. <parameter>%u</parameter> will be replaced
+	with the user whose primary group is to be set. 
+	<parameter>%g</parameter> will be replaced with the group to
+	set.</para>
+
+<para>Default: <emphasis><parameter>set primary group script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>set primary group script</parameter> = /usr/sbin/usermod -g '%g' '%u'
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>set quota command</primary></indexterm><term><anchor id="SETQUOTACOMMAND"/>set quota command (G)</term><listitem>
+	<para>The <command>set quota command</command> should only be used 
+	whenever there is no operating system API available from the OS that 
+	samba can use.</para>
+
+	<para>This option is only available if Samba was configured with the argument <command>--with-sys-quotas</command> or 
+	on linux when <command>./configure --with-quotas</command> was used and a working quota api 
+	was found in the system. Most packages are configured with these options already.</para>
 
-</refsect1>
+	<para>This parameter should specify the path to a script that 
+	can set quota for the specified arguments.</para>
 
-<refsect1>
-	<title>WARNINGS</title>
+	<para>The specified script should take the following arguments:</para>
+
+	<itemizedlist>
+		<listitem><para>1 - quota type
+			<itemizedlist>
+				<listitem><para>1 - user quotas</para></listitem>
+				<listitem><para>2 - user default quotas (uid = -1)</para></listitem>
+				<listitem><para>3 - group quotas</para></listitem>
+				<listitem><para>4 - group default quotas (gid = -1)</para></listitem>
+			</itemizedlist>
+			</para></listitem>
+		<listitem><para>2 - id (uid for user, gid for group, -1 if N/A)</para></listitem>
+		<listitem><para>3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)</para></listitem>
+		<listitem><para>4 - block softlimit</para></listitem>
+		<listitem><para>5 - block hardlimit</para></listitem>
+		<listitem><para>6 - inode softlimit</para></listitem>
+		<listitem><para>7 - inode hardlimit</para></listitem>
+		<listitem><para>8(optional) - block size, defaults to 1024</para></listitem>
+	</itemizedlist>
+
+	<para>The script should output at least one line of data on success. And nothing on failure.</para>
+
+<para>Default: <emphasis><parameter>set quota command</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>set quota command</parameter> = /usr/local/sbin/set_quota
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>share modes</primary></indexterm><term><anchor id="SHAREMODES"/>share modes (S)</term><listitem>
+	<para>This enables or disables the honoring of 
+	the <parameter moreinfo="none">share modes</parameter> during a file open. These 
+	modes are used by clients to gain exclusive read or write access 
+	to a file.</para>
+
+	<para>These open modes are not directly supported by UNIX, so
+	they are simulated using shared memory, or lock files if your 
+	UNIX doesn't support shared memory (almost all do).</para>
+
+	<para>The share modes that are enabled by this option are 
+	<constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>,
+	<constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>,
+	<constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>.
+	</para>
+
+	<para>This option gives full share compatibility and enabled 
+	by default.</para>
+
+	<para>You should <emphasis>NEVER</emphasis> turn this parameter 
+	off as many Windows applications will break if you do so.</para>
+
+<para>Default: <emphasis><parameter>share modes</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>short preserve case</primary></indexterm><term><anchor id="SHORTPRESERVECASE"/>short preserve case (S)</term><listitem>
+	<para>This boolean parameter controls if new files 
+	which conform to 8.3 syntax, that is all in upper case and of 
+	suitable length, are created upper case, or if they are forced 
+	to be the <link linkend="DEFAULTCASE"><parameter moreinfo="none">default case
+	</parameter></link>. This  option can be use with <link linkend="PRESERVECASE"><command moreinfo="none">preserve case = yes</command>
+	</link> to permit long filenames to retain their case, while short 
+	names are lowered. </para>
+		
+	<para>See the section on <link linkend="NAMEMANGLINGSECT">NAME MANGLING</link>.</para>
+
+<para>Default: <emphasis><parameter>short preserve case</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>show add printer wizard</primary></indexterm><term><anchor id="SHOWADDPRINTERWIZARD"/>show add printer wizard (G)</term><listitem>
+    <para>With the introduction of MS-RPC based printing support
+    for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will 
+    appear on Samba hosts in the share listing.  Normally this folder will 
+    contain an icon for the MS Add Printer Wizard (APW).  However, it is 
+    possible to disable this feature regardless of the level of privilege 
+    of the connected user.</para>
+		
+    <para>Under normal circumstances, the Windows NT/2000 client will 
+    open a handle on the printer server with OpenPrinterEx() asking for
+    Administrator privileges.  If the user does not have administrative
+    access on the print server (i.e is not root or a member of the 
+    <parameter moreinfo="none">printer admin</parameter> group), the OpenPrinterEx() 
+    call fails and the client makes another open call with a request for 
+    a lower privilege level.  This should succeed, however the APW 
+    icon will not be displayed.</para>
+		
+    <para>Disabling the <parameter moreinfo="none">show add printer wizard</parameter>
+    parameter will always cause the OpenPrinterEx() on the server
+	to fail.  Thus the APW icon will never be displayed. 
+</para>
+<note><para>This does not prevent the same user from having 
+		administrative privilege on an individual printer.</para></note>
+
+<para>Default: <emphasis><parameter>show add printer wizard</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>shutdown script</primary></indexterm><term><anchor id="SHUTDOWNSCRIPT"/>shutdown script (G)</term><listitem>
+	<para>This a full path name to a script called by 
+	<citerefentry><refentrytitle>smbd</refentrytitle> 
+        <manvolnum>8</manvolnum></citerefentry> that should 
+	start a shutdown procedure.</para>
+
+	<para>If the connected user posseses the <constant>SeRemoteShutdownPrivilege</constant>,
+	right, this command will be run as user.</para>
+
+	<para>The %z %t %r %f variables are expanded as follows:</para>
 	
-	<para>Although the configuration file permits service names 
-	to contain spaces, your client software may not. Spaces will 
-	be ignored in comparisons anyway, so it shouldn't be a 
-	problem - but be aware of the possibility.</para>
-
-	<para>On a similar note, many clients - especially DOS clients - 
-	limit service names to eight characters. <citerefentry><refentrytitle>smbd</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry> has no such limitation, but attempts to connect from such 
-	clients will fail if they truncate the service names.  For this reason 
-	you should probably keep your service names down to eight characters 
-	in length.</para>
-
-	<para>Use of the [homes] and [printers] special sections make life 
-	for an administrator easy, but the various combinations of default 
-	attributes can be tricky. Take extreme care when designing these 
-	sections. In particular, ensure that the permissions on spool 
-	directories are correct.</para>
-</refsect1>
-
-<refsect1>
-	<title>VERSION</title>
-
-	<para>This man page is correct for version 3.0 of the Samba suite.</para>
-</refsect1>
-
-<refsect1>
-	<title>SEE ALSO</title>
-	<para>
-	<citerefentry><refentrytitle>samba</refentrytitle>
-	<manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbpasswd</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>swat</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbd</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>nmbd</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbclient</refentrytitle>
-	<manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>nmblookup</refentrytitle>
-	<manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>testparm</refentrytitle>
-	<manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>testprns</refentrytitle>
-	<manvolnum>1</manvolnum></citerefentry>.</para>
-</refsect1>
-
-<refsect1>
-	<title>AUTHOR</title>
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">%z</parameter> will be substituted with the
+			shutdown message sent to the server.</para>
+		</listitem>
+		
+		<listitem>
+			<para><parameter moreinfo="none">%t</parameter> will be substituted with the
+			number of seconds to wait before effectively starting the
+			shutdown procedure.</para>
+		</listitem>
+		
+		<listitem>
+			<para><parameter moreinfo="none">%r</parameter> will be substituted with the
+			switch <emphasis>-r</emphasis>. It means reboot after shutdown
+			for NT.</para>
+		</listitem>
+		
+		<listitem>
+			<para><parameter moreinfo="none">%f</parameter> will be substituted with the
+			switch <emphasis>-f</emphasis>. It means force the shutdown
+			even if applications do not respond for NT.</para>
+		</listitem>
+	</itemizedlist>
+
+	<para>Shutdown script example:
+<programlisting format="linespecific">
+#!/bin/bash
+		
+$time=0
+let "time/60"
+let "time++"
+
+/sbin/shutdown $3 $4 +$time $1 &amp;
+</programlisting>
+Shutdown does not return so we need to launch it in background.
+</para>
+
+<para>Default: <emphasis><parameter>shutdown script</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>shutdown script</parameter> = /usr/local/samba/sbin/shutdown %m %t %r %f
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>smb passwd file</primary></indexterm><term><anchor id="SMBPASSWDFILE"/>smb passwd file (G)</term><listitem>
+    <para>This option sets the path to the encrypted smbpasswd file. By
+    default the path to the smbpasswd file  is compiled into Samba.</para>
+
+<para>Default: <emphasis><parameter>smb passwd file</parameter> = ${prefix}/private/smbpasswd
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>smb passwd file</parameter> = /etc/samba/smbpasswd
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>smb ports</primary></indexterm><term><anchor id="SMBPORTS"/>smb ports (G)</term><listitem>
+	<para>Specifies which ports the server should listen on for SMB traffic.</para>
+
+<para>Default: <emphasis><parameter>smb ports</parameter> = 445 139
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>socket address</primary></indexterm><term><anchor id="SOCKETADDRESS"/>socket address (G)</term><listitem>
+	<para>This option allows you to control what 
+	address Samba will listen for connections on. This is used to 
+	support multiple virtual interfaces on the one server, each 
+	with a different configuration.</para>
+		
+	<para>By default Samba will accept connections on any 
+		address.</para>
+
+<para>Default: <emphasis><parameter>socket address</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>socket address</parameter> = 192.168.2.20
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>socket options</primary></indexterm><term><anchor id="SOCKETOPTIONS"/>socket options (G)</term><listitem>
+    <para>This option allows you to set socket options 
+    to be used when talking with the client.</para>
+
+    <para>Socket options are controls on the networking layer 
+    of the operating systems which allow the connection to be 
+    tuned.</para>
+
+    <para>This option will typically be used to tune your Samba  server
+    for optimal performance for your local network. There is  no way
+    that Samba can know what the optimal parameters are for  your net,
+    so you must experiment and choose them yourself. We  strongly
+    suggest you read the appropriate documentation for your  operating
+    system first (perhaps <command moreinfo="none">man
+    setsockopt</command> will help).</para>
+
+    <para>You may find that on some systems Samba will say 
+    "Unknown socket option" when you supply an option. This means you 
+    either incorrectly  typed it or you need to add an include file 
+    to includes.h for your OS.  If the latter is the case please 
+    send the patch to <ulink url="mailto:samba-technical@samba.org">
+    samba-technical@samba.org</ulink>.</para>
+
+    <para>Any of the supported socket options may be combined 
+    in any way you like, as long as your OS allows it.</para>
+
+    <para>This is the list of socket options currently settable 
+    using this option:</para>
+
+    <itemizedlist>
+    	<listitem><para>SO_KEEPALIVE</para></listitem>
+    	<listitem><para>SO_REUSEADDR</para></listitem>
+    	<listitem><para>SO_BROADCAST</para></listitem>
+    	<listitem><para>TCP_NODELAY</para></listitem>
+    	<listitem><para>IPTOS_LOWDELAY</para></listitem>
+    	<listitem><para>IPTOS_THROUGHPUT</para></listitem>
+    	<listitem><para>SO_SNDBUF *</para></listitem>
+    	<listitem><para>SO_RCVBUF *</para></listitem>
+    	<listitem><para>SO_SNDLOWAT *</para></listitem>
+    	<listitem><para>SO_RCVLOWAT *</para></listitem>
+    </itemizedlist>
+
+    <para>Those marked with a <emphasis>'*'</emphasis> take an integer 
+    argument. The others can optionally take a 1 or 0 argument to enable 
+    or disable the option, by default they will be enabled if you 
+    don't specify 1 or 0.</para>
+
+    <para>To specify an argument use the syntax SOME_OPTION = VALUE 
+    for example <command moreinfo="none">SO_SNDBUF = 8192</command>. Note that you must 
+    not have any spaces before or after the = sign.</para>
+
+    <para>If you are on a local network then a sensible option 
+    might be:</para>
+
+    <para><command moreinfo="none">socket options = IPTOS_LOWDELAY</command></para>
+
+    <para>If you have a local network then you could try:</para>
+
+    <para><command moreinfo="none">socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
+
+    <para>If you are on a wide area network then perhaps try 
+    setting IPTOS_THROUGHPUT. </para>
+
+    <para>Note that several of the options may cause your Samba 
+		server to fail completely. Use these options with caution!</para>
+
+<para>Default: <emphasis><parameter>socket options</parameter> = TCP_NODELAY
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>socket options</parameter> = IPTOS_LOWDELAY
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>stat cache</primary></indexterm><term><anchor id="STATCACHE"/>stat cache (G)</term><listitem>
+	<para>This parameter determines if <citerefentry><refentrytitle>smbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> will use a cache in order to 
+	speed up case insensitive name mappings. You should never need 
+	to change this parameter.</para>
+
+<para>Default: <emphasis><parameter>stat cache</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>store dos attributes</primary></indexterm><term><anchor id="STOREDOSATTRIBUTES"/>store dos attributes (S)</term><listitem>
+	<para>If this parameter is set Samba no longer attempts to
+	map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or READ-ONLY
+	to UNIX permission bits (such as the <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter></link>. Instead, DOS attributes will be stored onto an extended
+	attribute in the UNIX filesystem, associated with the file or directory.
+	For this to operate correctly, the parameters <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter></link>, <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter></link>, <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter></link> must be set to off.
+	This parameter writes the DOS attributes as a string into the
+	extended attribute named "user.DOSATTRIB". This extended attribute
+	is explicitly hidden from smbd clients requesting an EA list.
+	On Linux the filesystem must have been mounted with the mount
+	option user_xattr in order for extended attributes to work, also
+	extended attributes must be compiled into the Linux kernel.
+	</para>
+
+<para>Default: <emphasis><parameter>store dos attributes</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>strict allocate</primary></indexterm><term><anchor id="STRICTALLOCATE"/>strict allocate (S)</term><listitem>
+    <para>This is a boolean that controls the handling of 
+    disk space allocation in the server. When this is set to <constant>yes</constant> 
+    the server will change from UNIX behaviour of not committing real
+    disk storage blocks when a file is extended to the Windows behaviour
+    of actually forcing the disk system to allocate real storage blocks
+    when a file is created or extended to be a given size. In UNIX
+    terminology this means that Samba will stop creating sparse files.
+    This can be slow on some systems.</para>
+
+    <para>When strict allocate is <constant>no</constant> the server does sparse
+    disk block allocation when a file is extended.</para>
+
+    <para>Setting this to <constant>yes</constant> can help Samba return
+    out of quota messages on systems that are restricting the disk quota
+    of users.</para>
+
+<para>Default: <emphasis><parameter>strict allocate</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>strict locking</primary></indexterm><term><anchor id="STRICTLOCKING"/>strict locking (S)</term><listitem>
+	<para>This is a boolean that controls the handling of 
+	file locking in the server. When this is set to <constant>yes</constant>,
+	the server will check every read and write access for file locks, and 
+	deny access if locks exist. This can be slow on some systems.</para>
+
+	<para>When strict locking is disabled, the server performs file 
+	lock checks only when the client explicitly asks for them.</para>
+
+	<para>Well-behaved clients always ask for lock checks when it 
+	is important.  So in the vast majority of cases, <command moreinfo="none">strict 
+	locking = no</command> is acceptable.</para>
 	
-	<para>The original Samba software and related utilities 
-	were created by Andrew Tridgell. Samba is now developed
-	by the Samba Team as an Open Source project similar 
-	to the way the Linux kernel is developed.</para>
+<para>Default: <emphasis><parameter>strict locking</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>strict sync</primary></indexterm><term><anchor id="STRICTSYNC"/>strict sync (S)</term><listitem>
+    <para>Many Windows applications (including the Windows 98 explorer
+    shell) seem to confuse flushing buffer contents to disk with doing
+    a sync to disk. Under UNIX, a sync call forces the process to be
+    suspended until the kernel has ensured that all outstanding data in
+    kernel disk buffers has been safely stored onto stable storage.
+    This is very slow and should only be done rarely. Setting this
+    parameter to <constant>no</constant> (the default) means that
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> ignores the Windows
+    applications requests for a sync call. There is only a possibility
+    of losing data if the operating system itself that Samba is running
+    on crashes, so there is little danger in this default setting. In
+    addition, this fixes many performance problems that people have
+    reported with the new Windows98 explorer shell file copies.</para>
+
+<para>Default: <emphasis><parameter>strict sync</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>sync always</primary></indexterm><term><anchor id="SYNCALWAYS"/>sync always (S)</term><listitem>
+    <para>This is a boolean parameter that controls 
+    whether writes will always be written to stable storage before 
+    the write call returns. If this is <constant>no</constant> then the server will be 
+    guided by the client's request in each write call (clients can 
+    set a bit indicating that a particular write should be synchronous). 
+    If this is <constant>yes</constant> then every write will be followed by a <command moreinfo="none">fsync()
+    </command> call to ensure the data is written to disk. Note that 
+    the <parameter moreinfo="none">strict sync</parameter> parameter must be set to
+    <constant>yes</constant> in order for this parameter to have 
+    any affect.</para>
+
+<para>Default: <emphasis><parameter>sync always</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>syslog</primary></indexterm><term><anchor id="SYSLOG"/>syslog (G)</term><listitem>
+    <para>This parameter maps how Samba debug messages 
+    are logged onto the system syslog logging levels. Samba debug 
+    level zero maps onto syslog <constant>LOG_ERR</constant>, debug 
+    level one maps onto <constant>LOG_WARNING</constant>, debug level 
+    two maps onto <constant>LOG_NOTICE</constant>, debug level three 
+    maps onto LOG_INFO. All higher levels are mapped to <constant>
+    LOG_DEBUG</constant>.</para>
+
+    <para>This parameter sets the threshold for sending messages 
+    to syslog.  Only messages with debug level less than this value 
+    will be sent to syslog.</para>
+
+<para>Default: <emphasis><parameter>syslog</parameter> = 1
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>syslog only</primary></indexterm><term><anchor id="SYSLOGONLY"/>syslog only (G)</term><listitem>
+    <para>If this parameter is set then Samba debug 
+    messages are logged into the system syslog only, and not to 
+	the debug log files.</para>
+
+<para>Default: <emphasis><parameter>syslog only</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>template homedir</primary></indexterm><term><anchor id="TEMPLATEHOMEDIR"/>template homedir (G)</term><listitem>
+	<para>When filling out the user information for a Windows NT 
+	user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon  uses this
+	parameter to fill in the home directory for that user. If the
+	string <parameter moreinfo="none">%D</parameter> is present it
+	is substituted  with the user's Windows NT domain name. If the
+	string <parameter moreinfo="none">%U</parameter> is present it
+	is substituted with the user's Windows  NT user name.</para>
+
+<para>Default: <emphasis><parameter>template homedir</parameter> = /home/%D/%U
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>template primary group</primary></indexterm><term><anchor id="TEMPLATEPRIMARYGROUP"/>template primary group (G)</term><listitem>
+	<para>This option defines the default primary group for 
+	each user created by <citerefentry><refentrytitle>winbindd</refentrytitle>
+        <manvolnum>8</manvolnum></citerefentry>'s local account management
+	functions (similar to the 'add user script').
+	</para>
+
+<para>Default: <emphasis><parameter>template primary group</parameter> = nobody
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>template shell</primary></indexterm><term><anchor id="TEMPLATESHELL"/>template shell (G)</term><listitem>
+	<para>When filling out the user information for a Windows NT 
+	user, the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon uses this
+	parameter to fill in the login shell for that user.</para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>time offset</primary></indexterm><term><anchor id="TIMEOFFSET"/>time offset (G)</term><listitem>
+	<para>This parameter is a setting in minutes to add 
+	to the normal GMT to local time conversion. This is useful if 
+	you are serving a lot of PCs that have incorrect daylight 
+	saving time handling.</para>
+
+<para>Default: <emphasis><parameter>time offset</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>time offset</parameter> = 60
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>time server</primary></indexterm><term><anchor id="TIMESERVER"/>time server (G)</term><listitem>
+    <para>This parameter determines if <citerefentry><refentrytitle>nmbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> advertises itself as a time server to Windows 
+clients.</para>
+
+<para>Default: <emphasis><parameter>time server</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>unix charset</primary></indexterm><term><anchor id="UNIXCHARSET"/>unix charset (G)</term><listitem>
+        <para>Specifies the charset the unix machine 
+		Samba runs on uses. Samba needs to know this in order to be able to 
+		convert text to the charsets other SMB clients use.
+	</para>
+
+	<para>This is also the charset Samba will use when specifying arguments 
+		to scripts that it invokes.
+	</para>
+
+<para>Default: <emphasis><parameter>unix charset</parameter> = UTF8
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>unix charset</parameter> = ASCII
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>unix extensions</primary></indexterm><term><anchor id="UNIXEXTENSIONS"/>unix extensions (G)</term><listitem>
+    <para>This boolean parameter controls whether Samba 
+    implments the CIFS UNIX extensions, as defined by HP. 
+    These extensions enable Samba to better serve UNIX CIFS clients
+    by supporting features such as symbolic links, hard links, etc...
+    These extensions require a similarly enabled client, and are of
+    no current use to Windows clients.</para>
+
+<para>Default: <emphasis><parameter>unix extensions</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>unix password sync</primary></indexterm><term><anchor id="UNIXPASSWORDSYNC"/>unix password sync (G)</term><listitem>
+    <para>This boolean parameter controls whether Samba 
+    attempts to synchronize the UNIX password with the SMB password 
+    when the encrypted SMB password in the smbpasswd file is changed. 
+    If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd
+    program</parameter>parameter is called <emphasis>AS ROOT</emphasis> - 
+    to allow the new UNIX password to be set without access to the 
+    old UNIX password (as the SMB password change code has no 
+	access to the old password cleartext, only the new).</para>
+
+<para>Default: <emphasis><parameter>unix password sync</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>update encrypted</primary></indexterm><term><anchor id="UPDATEENCRYPTED"/>update encrypted (G)</term><listitem>
+
+    <para>This boolean parameter allows a user logging on with
+    a plaintext password to have their encrypted (hashed) password in
+    the smbpasswd file to be updated automatically as they log
+    on. This option allows a site to migrate from plaintext  	
+    password authentication (users authenticate with plaintext  	
+    password over the wire, and are checked against a UNIX account  	
+    database) to encrypted password authentication (the SMB  	
+    challenge/response authentication mechanism) without forcing all
+    users to re-enter their passwords via smbpasswd at the time the 	
+    change is made. This is a convenience option to allow the change
+    over to encrypted passwords to be made over a longer period.
+    Once all users have encrypted representations of their passwords
+    in the smbpasswd file this parameter should be set to
+    <constant>no</constant>.</para>
+
+    <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS">
+    <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must 
+    be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para>
+
+    <para>Note that even when this parameter is set a user 
+    authenticating to <command moreinfo="none">smbd</command> must still enter a valid 
+    password in order to connect correctly, and to update their hashed 
+	(smbpasswd) passwords.</para>
+
+<para>Default: <emphasis><parameter>update encrypted</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>use client driver</primary></indexterm><term><anchor id="USECLIENTDRIVER"/>use client driver (S)</term><listitem>
+    <para>This parameter applies only to Windows NT/2000
+    clients.  It has no effect on Windows 95/98/ME clients.  When 
+    serving a printer to Windows NT/2000 clients without first installing
+    a valid printer driver on the Samba host, the client will be required
+    to install a local printer driver.  From this point on, the client
+    will treat the print as a local printer and not a network printer 
+    connection.  This is much the same behavior that will occur
+    when <command moreinfo="none">disable spoolss = yes</command>.
+    </para>
+
+    <para>The differentiating  factor is that under normal
+    circumstances, the NT/2000 client will  attempt to open the network
+    printer using MS-RPC.  The problem is that because the client
+    considers the printer to be local, it will attempt to issue the
+    OpenPrinterEx() call requesting access rights associated  with the
+    logged on user. If the user possesses local administator rights but
+    not root privilegde on the Samba host (often the case), the
+    OpenPrinterEx() call will fail.  The result is that the client will
+    now display an "Access Denied; Unable to connect" message
+    in the printer queue window (even though jobs may successfully be
+    printed).  </para>
+
+    <para>If this parameter is enabled for a printer, then any attempt
+    to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
+    to PRINTER_ACCESS_USE instead.  Thus allowing the OpenPrinterEx()
+    call to succeed.  <emphasis>This parameter MUST not be able enabled
+    on a print share which has valid print driver installed on the Samba 
+	server.</emphasis></para>
+
+<para>Default: <emphasis><parameter>use client driver</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>use kerberos keytab</primary></indexterm><term><anchor id="USEKERBEROSKEYTAB"/>use kerberos keytab (G)</term><listitem>
+<para>
+Specifies whether Samba should attempt to maintain service principals in the systems
+keytab file for <constant>host/FQDN</constant> and <constant>cifs/FQDN</constant>.
+</para>
+
+<para>When you are using the heimdal Kerberos libraries, you must also 
+specify the following in <filename>/etc/krb5.conf</filename>:</para>
+
+<programlisting>
+[libdefaults]
+  default_keytab_name = FILE:/etc/krb5.keytab
+</programlisting>
+
+<para>Default: <emphasis><parameter>use kerberos keytab</parameter> = False
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>use mmap</primary></indexterm><term><anchor id="USEMMAP"/>use mmap (G)</term><listitem>
+    <para>This global parameter determines if the tdb internals of Samba can
+    depend on mmap working correctly on the running system. Samba requires a coherent
+    mmap/read-write system memory cache. Currently only HPUX does not have such a
+    coherent cache, and so this parameter is set to <constant>no</constant> by
+    default on HPUX. On all other systems this parameter should be left alone. This
+    parameter is provided to help the Samba developers track down problems with
+    the tdb internal code.
+    </para>
+
+<para>Default: <emphasis><parameter>use mmap</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>user</primary><see>username</see></indexterm><term><anchor id="USER"/>user</term><listitem><para>This parameter is a synonym for username.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>users</primary><see>username</see></indexterm><term><anchor id="USERS"/>users</term><listitem><para>This parameter is a synonym for username.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>username</primary></indexterm><term><anchor id="USERNAME"/>username (S)</term><listitem>
+    <para>Multiple users may be specified in a comma-delimited 
+    list, in which case the supplied password will be tested against 
+    each username in turn (left to right).</para>
+
+    <para>The <parameter moreinfo="none">username</parameter> line is needed only when 
+    the PC is unable to supply its own username. This is the case 
+    for the COREPLUS protocol or where your users have different WfWg 
+    usernames to UNIX usernames. In both these cases you may also be 
+    better using the \\server\share%user syntax instead.</para>
+
+    <para>The <parameter moreinfo="none">username</parameter> line is not a great 
+    solution in many cases as it means Samba will try to validate 
+    the supplied password against each of the usernames in the 
+    <parameter moreinfo="none">username</parameter> line in turn. This is slow and 
+    a bad idea for lots of users in case of duplicate passwords. 
+    You may get timeouts or security breaches using this parameter 
+    unwisely.</para>
+
+    <para>Samba relies on the underlying UNIX security. This 
+    parameter does not restrict who can login, it just offers hints 
+    to the Samba server as to what usernames might correspond to the 
+    supplied password. Users can login as whoever they please and 
+    they will be able to do no more damage than if they started a 
+    telnet session. The daemon runs as the user that they log in as, 
+    so they cannot do anything that user cannot do.</para>
+
+    <para>To restrict a service to a particular set of users you 
+    can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
+    </parameter></link> parameter.</para>
+
+    <para>If any of the usernames begin with a '@' then the name 
+    will be looked up first in the NIS netgroups list (if Samba 
+    is compiled with netgroup support), followed by a lookup in 
+    the UNIX groups database and will expand to a list of all users 
+    in the group of that name.</para>
+		
+    <para>If any of the usernames begin with a '+' then the name 
+    will be looked up only in the UNIX groups database and will 
+    expand to a list of all users in the group of that name.</para>
+
+    <para>If any of the usernames begin with a '&amp;' then the name 
+    will be looked up only in the NIS netgroups database (if Samba 
+    is compiled with netgroup support) and will expand to a list 
+    of all users in the netgroup group of that name.</para>
+
+    <para>Note that searching though a groups database can take 
+    quite some time, and some clients may time out during the 
+    search.</para>
+
+    <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT 
+    USERNAME/PASSWORD VALIDATION</link> for more information on how 
+this parameter determines access to the services.</para>
+
+<para>Default: <emphasis><parameter>username</parameter> = 
+# The guest account if a guest service, 
+		else &lt;empty string&gt;.
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>username</parameter> = fred, mary, jack, jane, @users, @pcgroup
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>username level</primary></indexterm><term><anchor id="USERNAMELEVEL"/>username level (G)</term><listitem>
+    <para>This option helps Samba to try and 'guess' at 
+    the real UNIX username, as many DOS clients send an all-uppercase 
+    username. By default Samba tries all lowercase, followed by the 
+    username with the first letter capitalized, and fails if the 
+    username is not found on the UNIX machine.</para>
+
+    <para>If this parameter is set to non-zero the behavior changes. 
+    This parameter is a number that specifies the number of uppercase
+    combinations to try while trying to determine the UNIX user name. The
+    higher the number the more combinations will be tried, but the slower
+    the discovery of usernames will be. Use this parameter when you have
+    strange usernames on your UNIX machine, such as <constant>AstrangeUser
+    </constant>.</para>
+
+    <para>This parameter is needed only on UNIX systems that have case
+    sensitive usernames.</para>
+
+<para>Default: <emphasis><parameter>username level</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>username level</parameter> = 5
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>username map</primary></indexterm><term><anchor id="USERNAMEMAP"/>username map (G)</term><listitem>
+    <para>This option allows you to specify a file containing 
+    a mapping of usernames from the clients to the server. This can be 
+    used for several purposes. The most common is to map usernames 
+    that users use on DOS or Windows machines to those that the UNIX 
+    box uses. The other is to map multiple users to a single username 
+    so that they can more easily share files.</para>
+    
+    <para>The map file is parsed line by line. Each line should 
+    contain a single UNIX username on the left then a '=' followed 
+    by a list of usernames on the right. The list of usernames on the 
+    right may contain names of the form @group in which case they 
+    will match any UNIX username in that group. The special client 
+    name '*' is a wildcard and matches any name. Each line of the 
+    map file may be up to 1023 characters long.</para>
+
+    <para>The file is processed on each line by taking the 
+    supplied username and comparing it with each username on the right 
+    hand side of the '=' signs. If the supplied name matches any of 
+    the names on the right hand side then it is replaced with the name 
+    on the left. Processing then continues with the next line.</para>
+
+    <para>If any line begins with a '#' or a ';' then it is ignored</para>
+
+    <para>If any line begins with an '!' then the processing
+    will stop after that line if a mapping was done by the line.
+    Otherwise mapping continues with every line being processed.
+    Using '!' is most useful when you have a wildcard mapping line
+    later in the file.</para>
+
+    <para>For example to map from the name <constant>admin</constant>
+    or <constant>administrator</constant> to the UNIX name <constant>
+    root</constant> you would use:</para>
+
+    <para><command moreinfo="none">root = admin administrator</command></para>
+
+    <para>Or to map anyone in the UNIX group <constant>system</constant>
+    to the UNIX name <constant>sys</constant> you would use:</para>
+
+    <para><command moreinfo="none">sys = @system</command></para>
+
+    <para>You can have as many mappings as you like in a username map file.</para>
+
+
+    <para>If your system supports the NIS NETGROUP option then
+    the netgroup database is checked before the <filename moreinfo="none">/etc/group
+    </filename> database for matching groups.</para>
+
+    <para>You can map Windows usernames that have spaces in them
+     by using double quotes around the name. For example:</para>
+
+    <para><command moreinfo="none">tridge = "Andrew Tridgell"</command></para>
+
+    <para>would map the windows username "Andrew Tridgell" to the
+    unix username "tridge".</para>
+
+    <para>The following example would map mary and fred to the
+    unix user sys, and map the rest to guest. Note the use of the
+    '!' to tell Samba to stop processing if it gets a match on
+    that line.</para>
+
+<para><programlisting format="linespecific">
+!sys = mary fred
+guest = *
+</programlisting></para>
+
+    <para>Note that the remapping is applied to all occurrences
+    of usernames. Thus if you connect to \\server\fred and <constant>
+    fred</constant> is remapped to <constant>mary</constant> then you
+    will actually be connecting to \\server\mary and will need to
+    supply a password suitable for <constant>mary</constant> not
+    <constant>fred</constant>. The only exception to this is the
+    username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">
+    password server</parameter></link> (if you have one). The password
+    server will receive whatever username the client supplies without
+    modification.</para>
+
+    <para>Also note that no reverse mapping is done. The main effect
+    this has is with printing. Users who have been mapped may have
+    trouble deleting print jobs as PrintManager under WfWg will think
+    they don't own the print job.</para>
+
+   <para>
+   Samba versions prior to 3.0.8 would only support reading the fully qualified
+   username (e.g.: DOMAIN\user) from the username map when performing a
+   kerberos login from a client.  However, when looking up a map
+   entry for a user authenticated by NTLM[SSP], only the login name would be
+   used for matches.  This resulted in inconsistent behavior sometimes
+   even on the same server.
+   </para>
+
+   <para>
+   The following functionality is obeyed in version 3.0.8 and later:
+   </para>
+
+   <para>
+    When performing local authentication, the username map is
+    applied to the login name before attempting to authenticate
+    the connection.
+    </para>
+
+    <para>
+    When relying upon a external domain controller for validating
+    authentication requests, smbd will apply the username map
+    to the fully qualified username (i.e. DOMAIN\user) only
+    after the user has been successfully authenticated.
+    </para>
+
+<para>Default: <emphasis><parameter>username map</parameter> = 
+# no username map
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>username map</parameter> = /usr/local/samba/lib/users.map
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>use sendfile</primary></indexterm><term><anchor id="USESENDFILE"/>use sendfile (S)</term><listitem>
+	<para>If this parameter is <constant>yes</constant>, and the <constant>sendfile()</constant> system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX
+    and ReadRaw) will use the more efficient sendfile system call for files that
+    are exclusively oplocked. This may make more efficient use of the system CPU's
+    and cause Samba to be faster. Samba automatically turns this off for clients
+    that use protocol levels lower than NT LM 0.12 and when it detects a client is
+    Windows 9x (using sendfile from Linux will cause these clients to fail).
+    </para>
+
+<para>Default: <emphasis><parameter>use sendfile</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>use spnego</primary></indexterm><term><anchor id="USESPNEGO"/>use spnego (G)</term><listitem>
+    <para>This variable controls controls whether samba will try 
+    to use Simple and Protected NEGOciation (as specified by rfc2478) with 
+    WindowsXP and Windows2000 clients to agree upon an authentication mechanism. 
+</para>
+
+<para>
+    Unless further issues are discovered with our SPNEGO
+    implementation, there is no reason this should ever be
+	disabled.</para>
+
+<para>Default: <emphasis><parameter>use spnego</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>utmp</primary></indexterm><term><anchor id="UTMP"/>utmp (G)</term><listitem>
+	<para>This boolean parameter is only available if
+	Samba has been configured and compiled  with the option <command moreinfo="none">
+	--with-utmp</command>. If set to <constant>yes</constant> then Samba will attempt
+	to add utmp or utmpx records (depending on the UNIX system) whenever a
+	connection is made to a Samba server. Sites may use this to record the
+	user connecting to a Samba share.</para>
+
+	<para>Due to the requirements of the utmp record, we
+	are required to create a unique identifier for the
+	incoming user.  Enabling this option creates an n^2
+	algorithm to find this number.  This may impede
+	performance on large installations. </para>
+
+<para>Default: <emphasis><parameter>utmp</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>utmp directory</primary></indexterm><term><anchor id="UTMPDIRECTORY"/>utmp directory (G)</term><listitem>
+	<para>This parameter is only available if Samba has 
+	been configured and compiled with the option <command moreinfo="none">
+	--with-utmp</command>. It specifies a directory pathname that is
+	used to store the utmp or utmpx files (depending on the UNIX system) that
+	record user connections to a Samba server. By default this is 
+	not set, meaning the system will use whatever utmp file the 
+	native system is set to use (usually 
+	<filename moreinfo="none">/var/run/utmp</filename> on Linux).</para>
+
+<para>Default: <emphasis><parameter>utmp directory</parameter> = 
+# Determined automatically
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>utmp directory</parameter> = /var/run/utmp
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>-valid</primary></indexterm><term><anchor id="-VALID"/>-valid (S)</term><listitem>
+	<para> This parameter indicates whether a share is 
+	valid and thus can be used. When this parameter is set to false, 
+	the share will be in no way visible nor accessible.
+	</para>
+
+	<para>
+	This option should not be 
+	used by regular users but might be of help to developers. 
+	Samba uses this option internally to mark shares as deleted.
+	</para>
+
+<para>Default: <emphasis><parameter>-valid</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>valid users</primary></indexterm><term><anchor id="VALIDUSERS"/>valid users (S)</term><listitem>
+    <para>This is a list of users that should be allowed 
+    to login to this service. Names starting with '@', '+' and  '&amp;'
+    are interpreted using the same rules as described in the 
+    <parameter moreinfo="none">invalid users</parameter> parameter.</para>
+
+    <para>If this is empty (the default) then any user can login. 
+    If a username is in both this list and the <parameter moreinfo="none">invalid 
+    users</parameter> list then access is denied for that user.</para>
+
+    <para>The current servicename is substituted for <parameter moreinfo="none">%S
+	</parameter>. This is useful in the [homes] section.</para>
+
+<para>Default: <emphasis><parameter>valid users</parameter> = 
+# No valid users list (anyone can login) 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>valid users</parameter> = greg, @pcusers
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>veto files</primary></indexterm><term><anchor id="VETOFILES"/>veto files (S)</term><listitem>
+	<para>This is a list of files and directories that 
+	are neither visible nor accessible.  Each entry in the list must 
+	be separated by a '/', which allows spaces to be included 
+	in the entry. '*' and '?' can be used to specify multiple files 
+	or directories as in DOS wildcards.</para>
+
+	<para>Each entry must be a unix path, not a DOS path and 
+	must <emphasis>not</emphasis> include the  unix directory 
+	separator '/'.</para>
+
+	<para>Note that the <parameter moreinfo="none">case sensitive</parameter> option 
+	is applicable in vetoing files.</para>
+		
+	<para>One feature of the veto files parameter that it
+	is important to be aware of is Samba's behaviour when
+	trying to delete a directory. If a directory that is
+	to be deleted contains nothing but veto files this
+	deletion will <emphasis>fail</emphasis> unless you also set
+	the <parameter moreinfo="none">delete veto files</parameter> parameter to
+	<parameter moreinfo="none">yes</parameter>.</para>
+
+	<para>Setting this parameter will affect the performance 
+	of Samba, as it will be forced to check all files and directories 
+	for a match as they are scanned.</para>
+
+<para>Default: <emphasis><parameter>veto files</parameter> = 
+# No files or directories are vetoed.
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>veto files</parameter> = 
+; Veto any files containing the word Security, 
+; any ending in .tmp, and any directory containing the
+; word root.
+veto files = /*Security*/*.tmp/*root*/
+
+; Veto the Apple specific files that a NetAtalk server
+; creates.
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>veto oplock files</primary></indexterm><term><anchor id="VETOOPLOCKFILES"/>veto oplock files (S)</term><listitem>
+	<para>This parameter is only valid when the <link linkend="OPLOCKS">
+	<parameter moreinfo="none">oplocks</parameter></link>
+	parameter is turned on for a share. It allows the Samba administrator
+	to selectively turn off the granting of oplocks on selected files that
+	match a wildcarded list, similar to the wildcarded list used in the
+	<link linkend="VETOFILES"><parameter moreinfo="none">veto files</parameter></link> 
+	parameter.</para>
+
+
+	<para>You might want to do this on files that you know will 
+	be heavily contended for by clients. A good example of this 
+	is in the NetBench SMB benchmark program, which causes heavy 
+	client contention for files ending in <filename moreinfo="none">.SEM</filename>. 
+	To cause Samba not to grant oplocks on these files you would use 
+	the line (either in the [global] section or in the section for 
+	the particular NetBench share :</para>
+
+<para>Default: <emphasis><parameter>veto oplock files</parameter> = 
+# No files are vetoed for oplock grants
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>veto oplock files</parameter> = /.*SEM/
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>vfs object</primary><see>vfs objects</see></indexterm><term><anchor id="VFSOBJECT"/>vfs object</term><listitem><para>This parameter is a synonym for vfs objects.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>vfs objects</primary></indexterm><term><anchor id="VFSOBJECTS"/>vfs objects (S)</term><listitem>
+	<para>This parameter specifies the backend names which 
+	are used for Samba VFS I/O operations.  By default, normal 
+	disk I/O operations are used but these can be overloaded 
+	with one or more VFS objects. </para>
+
+<para>Default: <emphasis><parameter>vfs objects</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>vfs objects</parameter> = extd_audit recycle
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>volume</primary></indexterm><term><anchor id="VOLUME"/>volume (S)</term><listitem>
+	<para>This allows you to override the volume label 
+	returned for a share. Useful for CDROMs with installation programs 
+	that insist on a particular volume label.</para>
+
+<para>Default: <emphasis><parameter>volume</parameter> = 
+# the name of the share
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>wide links</primary></indexterm><term><anchor id="WIDELINKS"/>wide links (S)</term><listitem>
+	<para>This parameter controls whether or not links 
+	in the UNIX file system may be followed by the server. Links 
+	that point to areas within the directory tree exported by the 
+	server are always allowed; this parameter controls access only 
+	to areas that are outside the directory tree being exported.</para>
+
+	<para>Note that setting this parameter can have a negative 
+	effect on your server performance due to the extra system calls 
+	that Samba has to  do in order to perform the link checks.</para>
+
+<para>Default: <emphasis><parameter>wide links</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind cache time</primary></indexterm><term><anchor id="WINBINDCACHETIME"/>winbind cache time (G)</term><listitem>
+	<para>This parameter specifies the number of 
+	seconds the <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> daemon will cache 
+	user and group information before querying a Windows NT server 
+	again.</para>
+        <note><para>This does not apply to authentication requests,
+	these are always evaluated in real time.</para></note>
+
+<para>Default: <emphasis><parameter>winbind cache time</parameter> = 300
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind enable local accounts</primary></indexterm><term><anchor id="WINBINDENABLELOCALACCOUNTS"/>winbind enable local accounts (G)</term><listitem>
+	<para>This parameter controls whether or not winbindd 
+	will act as a stand in replacement for the various account
+	management hooks in smb.conf (e.g. 'add user script').
+	If enabled, winbindd will support the creation of local 
+	users and groups as another source of UNIX account information
+	available via getpwnam() or getgrgid(), etc...
+	</para>
+
+<para>Default: <emphasis><parameter>winbind enable local accounts</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind enum groups</primary></indexterm><term><anchor id="WINBINDENUMGROUPS"/>winbind enum groups (G)</term><listitem>
+	<para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> it may be necessary to suppress 
+	the enumeration of groups through the <command moreinfo="none">setgrent()</command>,
+	<command moreinfo="none">getgrent()</command> and
+	<command moreinfo="none">endgrent()</command> group of system calls.  If
+	the <parameter moreinfo="none">winbind enum groups</parameter> parameter is
+	<constant>no</constant>, calls to the <command moreinfo="none">getgrent()</command> system
+	call will not return any data. </para>
+
+<warning><para>Turning off group enumeration may cause some programs to behave oddly.  </para></warning>
+
+<para>Default: <emphasis><parameter>winbind enum groups</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind enum users</primary></indexterm><term><anchor id="WINBINDENUMUSERS"/>winbind enum users (G)</term><listitem>
+	<para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> it may be
+	necessary to suppress the enumeration of users through the <command moreinfo="none">setpwent()</command>,
+	<command moreinfo="none">getpwent()</command> and
+	<command moreinfo="none">endpwent()</command> group of system calls.  If
+	the <parameter moreinfo="none">winbind enum users</parameter> parameter is
+	<constant>no</constant>, calls to the <command moreinfo="none">getpwent</command> system call
+	will not return any data. </para>
+
+<warning><para>Turning off user
+	enumeration may cause some programs to behave oddly.  For
+	example, the finger program relies on having access to the
+	full user list when searching for matching
+	usernames. </para></warning>
+
+<para>Default: <emphasis><parameter>winbind enum users</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind nested groups</primary></indexterm><term><anchor id="WINBINDNESTEDGROUPS"/>winbind nested groups (G)</term><listitem>
+	<para>If set to yes, this parameter activates the support for nested
+                 groups. Nested groups are also called local groups or
+                 aliases. They work like their counterparts in Windows: Nested
+                 groups are defined locally on any machine (they are shared
+                 between DC's through their SAM) and can contain users and
+                 global groups from any trusted SAM. To be able to use nested
+                 groups, you need to run nss_winbind.</para>
+		 <para>Please note that per 3.0.3 this is a new feature, so 
+		 handle with care.</para>
+
+<para>Default: <emphasis><parameter>winbind nested groups</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind separator</primary></indexterm><term><anchor id="WINBINDSEPARATOR"/>winbind separator (G)</term><listitem>
+	<para>This parameter allows an admin to define the character 
+	used when listing a username of the form of <replaceable>DOMAIN
+	</replaceable>\<replaceable>user</replaceable>.  This parameter 
+	is only applicable when using the <filename moreinfo="none">pam_winbind.so</filename>
+	and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services.
+	</para>
+
+	<para>Please note that setting this parameter to + causes problems
+	with group membership at least on glibc systems, as the character +
+	is used as a special character for NIS in /etc/group.</para>
+
+<para>Default: <emphasis><parameter>winbind separator</parameter> = '\'
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>winbind separator</parameter> = +
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind trusted domains only</primary></indexterm><term><anchor id="WINBINDTRUSTEDDOMAINSONLY"/>winbind trusted domains only (G)</term><listitem>
+	<para>This parameter is designed to allow Samba servers that
+	are members of a Samba controlled domain to use UNIX accounts
+	distributed via NIS, rsync, or LDAP as the uid's for winbindd users
+	in the hosts primary domain.  Therefore, the user DOMAIN\user1 would
+	be mapped to the account user1 in /etc/passwd instead of allocating
+	a new uid for him or her.
+</para>
+
+<para>Default: <emphasis><parameter>winbind trusted domains only</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>winbind use default domain</primary></indexterm><term><anchor id="WINBINDUSEDEFAULTDOMAIN"/>winbind use default domain (G)</term><listitem>
+	<para>This parameter specifies whether the
+	<citerefentry><refentrytitle>winbindd</refentrytitle> 
+	<manvolnum>8</manvolnum></citerefentry> daemon should operate on users  
+	without domain component in their username. Users without a domain
+	component are treated as is part of the winbindd server's own
+	domain. While this does not benifit Windows users, it makes SSH, FTP and
+	e-mail function in a way much closer to the way they
+	would in a native unix system.</para>
+
+<para>Default: <emphasis><parameter>winbind use default domain</parameter> = no
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>winbind use default domain</parameter> = yes
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>wins hook</primary></indexterm><term><anchor id="WINSHOOK"/>wins hook (G)</term><listitem>
+	<para>When Samba is running as a WINS server this 
+	allows you to call an external program for all changes to the 
+	WINS database. The primary use for this option is to allow the 
+	dynamic update of external name resolution databases such as 
+	dynamic DNS.</para>
+
+	<para>The wins hook parameter specifies the name of a script 
+	or executable that will be called as follows:</para>
+
+	<para><command moreinfo="none">wins_hook operation name nametype ttl IP_list</command></para>
+
+	<itemizedlist>
+		<listitem>
+			<para>The first argument is the operation and is
+			one  of "add", "delete", or
+			"refresh". In most cases the operation
+			can  be ignored as the rest of the parameters
+			provide sufficient  information. Note that
+			"refresh" may sometimes be called when
+			the  name has not previously been added, in that
+			case it should be treated  as an add.</para>
+		</listitem>
+
+		<listitem>
+			<para>The second argument is the NetBIOS name. If the 
+			name is not a legal name then the wins hook is not called. 
+			Legal names contain only  letters, digits, hyphens, underscores 
+			and periods.</para>
+		</listitem>
+
+		<listitem>
+			<para>The third argument is the NetBIOS name 
+			type as a 2 digit hexadecimal number. </para>
+		</listitem>
+
+		<listitem>
+			<para>The fourth argument is the TTL (time to live) 
+			for the name in seconds.</para>
+		</listitem>
+			
+		<listitem>
+			<para>The fifth and subsequent arguments are the IP 
+			addresses currently registered for that name. If this list is 
+			empty then the name should be deleted.</para>
+		</listitem>
+	</itemizedlist>
+
+	<para>An example script that calls the BIND dynamic DNS update 
+	program <command moreinfo="none">nsupdate</command> is provided in the examples 
+	directory of the Samba source code. </para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>wins proxy</primary></indexterm><term><anchor id="WINSPROXY"/>wins proxy (G)</term><listitem>
+	<para>This is a boolean that controls if <citerefentry><refentrytitle>nmbd</refentrytitle>                                 
+	<manvolnum>8</manvolnum></citerefentry> will respond to broadcast name 
+	queries on behalf of  other hosts. You may need to set this 
+	to <constant>yes</constant> for some older clients.</para>
+
+<para>Default: <emphasis><parameter>wins proxy</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>wins server</primary></indexterm><term><anchor id="WINSSERVER"/>wins server (G)</term><listitem>
+	<para>This specifies the IP address (or DNS name: IP 
+	address for preference) of the WINS server that <citerefentry><refentrytitle>nmbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> should register with. If you have a WINS server on 
+	your network then you should set this to the WINS server's IP.</para>
+
+	<para>You should point this at your WINS server if you have a
+	multi-subnetted network.</para>
+
+	<para>If you want to work in multiple namespaces, you can 
+	give every wins server a 'tag'. For each tag, only one 
+	(working) server will be queried for a name. The tag should be 
+	separated from the ip address by a colon.
+	</para>
+
+	<note><para>You need to set up Samba to point 
+	to a WINS server if you have multiple subnets and wish cross-subnet 
+	browsing to work correctly.</para></note>
+	<para>See the <link linkend="NetworkBrowsing"/>.</para>
+
+<para>Default: <emphasis><parameter>wins server</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>wins server</parameter> = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61
 	
-	<para>The original Samba man pages were written by Karl Auer. 
-	The man page sources were converted to YODL format (another 
-	excellent piece of Open Source software, available at <ulink noescape="1" url="ftp://ftp.icce.rug.nl/pub/unix/">
-	ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 
-	release by Jeremy Allison.  The conversion to DocBook for 
-	Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
-	for Samba 3.0 was done by Alexander Bokovoy.</para>
-</refsect1>
-
-</refentry>
+# For this example when querying a certain name, 192.19.200.1 will 
+	be asked first and if that doesn't respond 192.168.2.61. If either 
+	of those doesn't know the name 192.168.3.199 will be queried.
+</emphasis>
+</para><para>Example: <emphasis><parameter>wins server</parameter> = 192.9.200.1 192.168.2.61
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>wins support</primary></indexterm><term><anchor id="WINSSUPPORT"/>wins support (G)</term><listitem>
+	<para>This boolean controls if the <citerefentry><refentrytitle>nmbd</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> process in Samba will act as a WINS server. You should 
+	not set this to <constant>yes</constant> unless you have a multi-subnetted network and 
+	you wish a particular <command moreinfo="none">nmbd</command> to be your WINS server. 
+	Note that you should <emphasis>NEVER</emphasis> set this to <constant>yes</constant>
+	on more than one machine in your network.</para>
+
+
+<para>Default: <emphasis><parameter>wins support</parameter> = no
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>workgroup</primary></indexterm><term><anchor id="WORKGROUP"/>workgroup (G)</term><listitem>
+        <para>This controls what workgroup your server will 
+	appear to be in when queried by clients. Note that this parameter 
+	also controls the Domain name used with 
+        the <link linkend="SECURITYEQUALSDOMAIN"><command moreinfo="none">security = domain</command></link>
+		setting.</para>
+
+<para>Default: <emphasis><parameter>workgroup</parameter> = WORKGROUP
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>workgroup</parameter> = MYGROUP
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>writable</primary><see>writeable</see></indexterm><term><anchor id="WRITABLE"/>writable</term><listitem><para>This parameter is a synonym for writeable.</para></listitem></varlistentry><varlistentry>
+<indexterm significance="preferred"><primary>writeable</primary></indexterm><term><anchor id="WRITEABLE"/>writeable (S)</term><listitem>
+    <para>Inverted synonym for <link linkend="READONLY">
+    <parameter moreinfo="none">read only</parameter></link>.</para>
+
+<para><emphasis>No default</emphasis></para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>write cache size</primary></indexterm><term><anchor id="WRITECACHESIZE"/>write cache size (S)</term><listitem>
+    <para>If this integer parameter is set to non-zero value,
+    Samba will create an in-memory cache for each oplocked file 
+    (it does <emphasis>not</emphasis> do this for 
+    non-oplocked files). All writes that the client does not request 
+    to be flushed directly to disk will be stored in this cache if possible. 
+    The cache is flushed onto disk when a write comes in whose offset 
+    would not fit into the cache or when the file is closed by the client. 
+    Reads for the file are also served from this cache if the data is stored 
+    within it.</para>
+
+    <para>This cache allows Samba to batch client writes into a more 
+    efficient write size for RAID disks (i.e. writes may be tuned to 
+    be the RAID stripe size) and can improve performance on systems 
+    where the disk subsystem is a bottleneck but there is free 
+    memory for userspace programs.</para>
+
+    <para>The integer parameter specifies the size of this cache 
+		(per oplocked file) in bytes.</para>
+
+<para>Default: <emphasis><parameter>write cache size</parameter> = 0
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>write cache size</parameter> = 262144
+#  for a 256k cache size per file
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>write list</primary></indexterm><term><anchor id="WRITELIST"/>write list (S)</term><listitem>
+    <para>This is a list of users that are given read-write 
+    access to a service. If the connecting user is in this list then 
+    they will be given write access, no matter what the <link linkend="READONLY">
+    <parameter moreinfo="none">read only</parameter></link>
+    option is set to. The list can include group names using the 
+    @group syntax.</para>
+
+    <para>Note that if a user is in both the read list and the 
+    write list then they will be given write access.</para>
+
+    <para>This parameter will not work with the <link linkend="SECURITY">
+    <parameter moreinfo="none">security = share</parameter></link> in
+    Samba 3.0.  This is by design.</para>
+
+
+<para>Default: <emphasis><parameter>write list</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>write list</parameter> = admin, root, @staff
+</emphasis>
+</para>
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>write raw</primary></indexterm><term><anchor id="WRITERAW"/>write raw (G)</term><listitem>
+    <para>This parameter controls whether or not the server 
+    will support raw write SMB's when transferring data from clients. 
+    You should never need to change this parameter.</para>
+
+<para>Default: <emphasis><parameter>write raw</parameter> = yes
+</emphasis>
+</para>
+
+</listitem></varlistentry>
+<varlistentry>
+<indexterm significance="preferred"><primary>wtmp directory</primary></indexterm><term><anchor id="WTMPDIRECTORY"/>wtmp directory (G)</term><listitem>
+	<para>This parameter is only available if Samba has 
+	been configured and compiled with the option <command moreinfo="none">
+	--with-utmp</command>. It specifies a directory pathname that is
+	used to store the wtmp or wtmpx files (depending on the UNIX system) that
+	record user connections to a Samba server. The difference with
+	the utmp directory is the fact that user info is kept after a user 
+	has logged out.</para>
+		
+<para>
+ By default this is 
+	not set, meaning the system will use whatever utmp file the 
+	native system is set to use (usually 
+	<filename moreinfo="none">/var/run/wtmp</filename> on Linux).</para>
+
+<para>Default: <emphasis><parameter>wtmp directory</parameter> = 
+</emphasis>
+</para>
+<para>Example: <emphasis><parameter>wtmp directory</parameter> = /var/log/wtmp
+</emphasis>
+</para>
+</listitem></varlistentry>
+</variablelist>