path: root/docs/manpages/smb.conf.5
author Jelmer Vernooij <jelmer@samba.org> 2003-08-13 06:07:10 +0000
committer Jelmer Vernooij <jelmer@samba.org> 2003-08-13 06:07:10 +0000
commit f62eaeb1a5add34ee7353d0d95db3c84a5c71c22
tree 10cf7e89e5a1ec800b7f30f731cbd4f4ebf5f13d /docs/manpages/smb.conf.5
parent 879573e127150d258bc7ad9526f273c9c846da99
regenerate
(This used to be commit 75a8a906e8031b50e6583f2e0354073a8aa7f5f3)
Diffstat (limited to 'docs/manpages/smb.conf.5')
-rw-r--r-- docs/manpages/smb.conf.5 463
1 files changed, 237 insertions, 226 deletions
diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5
index ec77102365..3bc6f8ad49 100644
--- a/docs/manpages/smb.conf.5
+++ b/docs/manpages/smb.conf.5
@@ -516,7 +516,7 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIdead time\fR
+\fIdeadtime\fR
.TP
\(bu
@@ -540,11 +540,11 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIdefault\fR
+\fIdefault service\fR
.TP
\(bu
-\fIdefault service\fR
+\fIdefault\fR
.TP
\(bu
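Review bot: the new order lists \fIdefault service\fR before \fIdefault\fR, so the short synonym now follows the longer name it abbreviates, and the same inversion shows up in the later list hunks (lock directory / lock dir, passwd chat debug / passwd chat, root directory / root). A reader scanning the list alphabetically will look for the shorter name first; if this comes from the generator's sort key, fix the key there, and say what changed in the commit message, which currently reads only "regenerate".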
@@ -644,6 +644,10 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
+\fIidmap backend\fR
+
+.TP
+\(bu
\fIidmap gid\fR
.TP
@@ -736,11 +740,11 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIlock dir\fR
+\fIlock directory\fR
.TP
\(bu
-\fIlock directory\fR
+\fIlock dir\fR
.TP
\(bu
@@ -928,11 +932,11 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIpasswd chat\fR
+\fIpasswd chat debug\fR
.TP
\(bu
-\fIpasswd chat debug\fR
+\fIpasswd chat\fR
.TP
\(bu
@@ -960,11 +964,11 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIpreload\fR
+\fIpreload modules\fR
.TP
\(bu
-\fIpreload modules\fR
+\fIpreload\fR
.TP
\(bu
@@ -1008,7 +1012,7 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIroot\fR
+\fIroot directory\fR
.TP
\(bu
@@ -1016,7 +1020,7 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIroot directory\fR
+\fIroot\fR
.TP
\(bu
@@ -1072,11 +1076,11 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIsyslog\fR
+\fIsyslog only\fR
.TP
\(bu
-\fIsyslog only\fR
+\fIsyslog\fR
.TP
\(bu
@@ -1104,10 +1108,6 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fItotal print jobs\fR
-
-.TP
-\(bu
\fIunicode\fR
.TP
@@ -1144,11 +1144,11 @@ Here is a list of all global parameters\&. See the section of each parameter for
.TP
\(bu
-\fIutmp\fR
+\fIutmp directory\fR
.TP
\(bu
-\fIutmp directory\fR
+\fIutmp\fR
.TP
\(bu
@@ -1303,10 +1303,6 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fIdirectory\fR
-
-.TP
-\(bu
\fIdirectory mask\fR
.TP
@@ -1319,6 +1315,10 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
+\fIdirectory\fR
+
+.TP
+\(bu
\fIdont descend\fR
.TP
@@ -1383,10 +1383,6 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fIguest account\fR
-
-.TP
-\(bu
\fIguest ok\fR
.TP
@@ -1555,11 +1551,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fIpreexec\fR
+\fIpreexec close\fR
.TP
\(bu
-\fIpreexec close\fR
+\fIpreexec\fR
.TP
\(bu
@@ -1579,15 +1575,15 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fIprinter\fR
+\fIprinter admin\fR
.TP
\(bu
-\fIprinter admin\fR
+\fIprinter name\fR
.TP
\(bu
-\fIprinter name\fR
+\fIprinter\fR
.TP
\(bu
@@ -1627,11 +1623,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fIroot preexec\fR
+\fIroot preexec close\fR
.TP
\(bu
-\fIroot preexec close\fR
+\fIroot preexec\fR
.TP
\(bu
@@ -1671,15 +1667,15 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fIuser\fR
+\fIusername\fR
.TP
\(bu
-\fIusername\fR
+\fIusers\fR
.TP
\(bu
-\fIusers\fR
+\fIuser\fR
.TP
\(bu
@@ -1687,11 +1683,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fI-valid\fR
+\fIvalid users\fR
.TP
\(bu
-\fIvalid users\fR
+\fI-valid\fR
.TP
\(bu
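Review bot: the entry \fI-valid\fR is only being moved below \fIvalid users\fR here, but a name with a leading "-" does not read like a user-settable parameter and looks like an internal marker leaking into the generated list. Filter it out in the generator, or document what it means if it is intentional.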
@@ -1703,11 +1699,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo
.TP
\(bu
-\fIvfs object\fR
+\fIvfs objects\fR
.TP
\(bu
-\fIvfs objects\fR
+\fIvfs object\fR
.TP
\(bu
@@ -2242,7 +2238,7 @@ Example: \fBcsc policy = programs\fR
.TP
-dead time (G)
+deadtime (G)
The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected\&. The deadtime only takes effect if the number of open files is zero\&.
@@ -2311,11 +2307,6 @@ Default: \fBdebug uid = no\fR
.TP
-default (G)
-A synonym for \fI default service\fR\&.
-
-
-.TP
default case (S)
See the section on NAME MANGLING\&. Also note the \fIshort preserve case\fR parameter\&.
@@ -2371,6 +2362,11 @@ Example:
.TP
+default (G)
+A synonym for \fI default service\fR\&.
+
+
+.TP
delete group script (G)
This is the full pathname to a script that will be run \fBAS ROOT\fR \fBsmbd\fR(8) when a group is requested to be deleted\&. It will expand any \fI%g\fR to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&.
@@ -2527,11 +2523,6 @@ Note that you may have to replace the command names with full path names on some
.TP
-directory (S)
-Synonym for \fIpath\fR\&.
-
-
-.TP
directory mask (S)
This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories\&.
@@ -2592,6 +2583,11 @@ Example: \fBdirectory security mask = 0700\fR
.TP
+directory (S)
+Synonym for \fIpath\fR\&.
+
+
+.TP
disable netbios (G)
Enabling this parameter will disable netbios support in Samba\&. Netbios is the only available form of browsing in all windows versions except for 2000 and XP\&.
@@ -2959,11 +2955,11 @@ Synonym for \fIforce group\fR\&.
.TP
-guest account (G,S)
+guest account (G)
This is a username which will be used for access to services which are specified as \fI guest ok\fR (see below)\&. Whatever privileges this user has will be available to any client connecting to the guest service\&. Typically this user will exist in the password file, but will not have a valid login\&. The user account "ftp" is often a good choice for this parameter\&. If a username is specified in a given service, the specified username overrides this one\&.
-One some systems the default guest account "nobody" may not be able to print\&. Use another account in this case\&. You should test this by trying to log in as your guest user (perhaps by using the \fBsu -\fR command) and trying to print using the system print command such as \fBlpr(1)\fR or \fB lp(1)\fR\&.
+On some systems the default guest account "nobody" may not be able to print\&. Use another account in this case\&. You should test this by trying to log in as your guest user (perhaps by using the \fBsu -\fR command) and trying to print using the system print command such as \fBlpr(1)\fR or \fB lp(1)\fR\&.
This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation\&.
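Review bot: the heading changes from "guest account (G,S)" to "guest account (G)", and the entry is also dropped from the service parameter list earlier in this patch, yet the commit message does not mention a scope change. Since the text says whatever privileges this user has are available to any client connecting to the guest service, administrators who set a per-share guest account need to be told it is now documented as global only; state that in the description. The retained line also still has a stray space in "\fB lp(1)\fR".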
@@ -3093,7 +3089,7 @@ Example: \fBhomedir map = amd.homedir\fR
.TP
host msdfs (G)
-This boolean parameter is only available if Samba has been configured and compiled with the \fB --with-msdfs\fR option\&. If set to \fByes\fR, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server\&.
+If set to \fByes\fR, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server\&.
See also the \fI msdfs root\fR share level parameter\&. For more information on setting up a Dfs tree on Samba, refer to msdfs_setup\&.html\&.
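Review bot: dropping the "--with-msdfs" sentence also removed the words "This boolean parameter", so the host msdfs description no longer states the parameter type anywhere in the visible text. Keep the type by opening with something like "This boolean parameter controls whether Samba acts as a Dfs server"; the same applies to the matching edit under msdfs root later in the patch.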
@@ -3199,8 +3195,19 @@ Example: \fBhosts equiv = /etc/hosts.equiv\fR
.TP
+idmap backend (G)
+The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common LDAP backend\&. This way all domain members and controllers will have the same UID and GID to SID mappings\&. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (ie: NFS)\&.
+
+
+Default: \fBidmap backend = <empty string>\fR
+
+
+Example: \fBidmap backend = ldapsam://ldapslave.example.com\fR
+
+
+.TP
idmap gid (G)
-The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNX groups to NT group SIDs\&. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise\&.
+The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNIX groups to NT group SIDs\&. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise\&.
The availability of an idmap gid range is essential for correct operation of all group mapping\&.
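Review bot: the new idmap backend entry gives a single example, "ldapsam://ldapslave.example.com", without describing the accepted value syntax or how the connection to the LDAP server is authenticated and protected. Because all domain members and controllers would take their SID to UID / GID mappings from that backend, add a sentence on the expected URL form and a pointer to the parameters that secure the LDAP connection. Also "(ie: NFS)" should read "(e.g. NFS)", since NFS is given as an example.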
@@ -3576,11 +3583,6 @@ Default: \fBlocal master = yes\fR
.TP
-lock dir (G)
-Synonym for \fI lock directory\fR\&.
-
-
-.TP
lock directory (G)
This option specifies the directory where lock files will be placed\&. The lock files are used to implement the \fImax connections\fR option\&.
@@ -3592,6 +3594,11 @@ Example: \fBlock directory = /var/run/samba/locks\fR
.TP
+lock dir (G)
+Synonym for \fI lock directory\fR\&.
+
+
+.TP
locking (S)
This controls whether or not locking will be performed by the server in response to lock requests from the client\&.
@@ -3616,7 +3623,7 @@ lock spin count (G)
This parameter controls the number of times that smbd should attempt to gain a byte range lock on the behalf of a client request\&. Experiments have shown that Windows 2k servers do not reply with a failure if the lock could not be immediately granted, but try a few more times in case the lock could later be aquired\&. This behavior is used to support PC database formats such as MS Access and FoxPro\&.
-Default: \fBlock spin count = 2\fR
+Default: \fBlock spin count = 3\fR
.TP
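Review bot: the documented default changes from "lock spin count = 2" to "lock spin count = 3" in a commit whose message is only "regenerate". Confirm the new value matches the compiled-in default and mention the change explicitly; the unchanged paragraph above it also still spells "acquired" as "aquired".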
@@ -4033,6 +4040,9 @@ mangle prefix (G)
controls the number of prefix characters from the original name used when generating the mangled names\&. A larger value will give a weaker hash and therefore more name collisions\&. The minimum value is 1 and the maximum value is 6\&.
+mangle prefix is effective only when mangling method is hash2\&.
+
+
Default: \fBmangle prefix = 1\fR
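Review bot: the added sentence "mangle prefix is effective only when mangling method is hash2" names two parameters as plain text, while the rest of the page marks parameter names with \fI...\fR. Mark up both names, and do the same for the sentence added to mangling char in the next hunk so the cross-references stay consistent.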
@@ -4041,7 +4051,7 @@ Example: \fBmangle prefix = 4\fR
.TP
mangling char (S)
-This controls what character is used as the \fBmagic\fR character in name mangling\&. The default is a '~' but this may interfere with some software\&. Use this option to set it to whatever you prefer\&.
+This controls what character is used as the \fBmagic\fR character in name mangling\&. The default is a '~' but this may interfere with some software\&. Use this option to set it to whatever you prefer\&. This is effective only when mangling method is hash\&.
Default: \fBmangling char = ~\fR
@@ -4409,7 +4419,7 @@ Example: \fBmsdfs proxy = \\\\otherserver\\someshare\fR
.TP
msdfs root (S)
-This boolean parameter is only available if Samba is configured and compiled with the \fB --with-msdfs\fR option\&. If set to \fByes\fR, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory\&. Dfs links are specified in the share directory by symbolic links of the form \fImsdfs:serverA\\\\shareA,serverB\\\\shareB\fR and so on\&. For more information on setting up a Dfs tree on Samba, refer to "Hosting a Microsoft Distributed File System tree on Samba" document\&.
+If set to \fByes\fR, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory\&. Dfs links are specified in the share directory by symbolic links of the form \fImsdfs:serverA\\\\shareA,serverB\\\\shareB\fR and so on\&. For more information on setting up a Dfs tree on Samba, refer to "Hosting a Microsoft Distributed File System tree on Samba" document\&.
See also \fIhost msdfs\fR
@@ -4713,6 +4723,17 @@ Example: \fBpassdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/pass
.TP
+passwd chat debug (G)
+This boolean specifies if the passwd chat script parameter is run in \fBdebug\fR mode\&. In this mode the strings passed to and received from the passwd chat are printed in the \fBsmbd\fR(8) log with a \fIdebug level\fR of 100\&. This is a dangerous option as it will allow plaintext passwords to be seen in the \fBsmbd\fR log\&. It is available to help Samba admins debug their \fIpasswd chat\fR scripts when calling the \fIpasswd program\fR and should be turned off after this has been done\&. This option has no effect if the \fIpam password change\fR paramter is set\&. This parameter is off by default\&.
+
+
+See also \fIpasswd chat\fR , \fIpam password change\fR , \fIpasswd program\fR \&.
+
+
+Default: \fBpasswd chat debug = no\fR
+
+
+.TP
passwd chat (G)
This string controls the \fB"chat"\fR conversation that takes places between \fBsmbd\fR(8) and the local password changing program to change the user's password\&. The string describes a sequence of response-receive pairs that \fBsmbd\fR(8) uses to determine what to send to the \fIpasswd program\fR and what to expect back\&. If the expected output is not received then the password is not changed\&.
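Review bot: the passwd chat debug block is moved verbatim, so "paramter" in "the \fIpam password change\fR paramter is set" is carried over; fix the spelling in the source the page is generated from. Given that the text itself calls this a dangerous option that lets plaintext passwords be seen in the smbd log, it would also help to say that logs written while it was enabled should be handled as containing passwords.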
@@ -4742,17 +4763,6 @@ Example: \fBpasswd chat = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n
.TP
-passwd chat debug (G)
-This boolean specifies if the passwd chat script parameter is run in \fBdebug\fR mode\&. In this mode the strings passed to and received from the passwd chat are printed in the \fBsmbd\fR(8) log with a \fIdebug level\fR of 100\&. This is a dangerous option as it will allow plaintext passwords to be seen in the \fBsmbd\fR log\&. It is available to help Samba admins debug their \fIpasswd chat\fR scripts when calling the \fIpasswd program\fR and should be turned off after this has been done\&. This option has no effect if the \fIpam password change\fR paramter is set\&. This parameter is off by default\&.
-
-
-See also \fIpasswd chat\fR , \fIpam password change\fR , \fIpasswd program\fR \&.
-
-
-Default: \fBpasswd chat debug = no\fR
-
-
-.TP
passwd program (G)
The name of a program that can be used to set UNIX user passwords\&. Any occurrences of \fI%u\fR will be replaced with the user name\&. The user name is checked for existence before calling the password changing program\&.
@@ -4766,6 +4776,9 @@ Also note that many passwd programs insist in \fBreasonable \fR passwords, such
If the \fIunix password sync\fR parameter is set this parameter \fBMUST USE ABSOLUTE PATHS\fR for \fBALL\fR programs called, and must be examined for security implications\&. Note that by default \fIunix password sync\fR is set to \fBno\fR\&.
+Not that this program is only invoked when a password change is done via the smbd program, not when smbpasswd is used locally as root to change a password\&. This means that you cannot run "smbpasswd USERNAME" as root on the SMB server in order to test this parameter, but should run the command "smbpasswd -r SMBMACHINE" as a non-root user instead if you want to test the invocation of this program\&.
+
+
See also \fIunix password sync\fR\&.
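Review bot: the added paragraph opens with "Not that this program is only invoked", which should be "Note that". The content is useful, since it explains that "smbpasswd USERNAME" run as root does not exercise the passwd program while "smbpasswd -r SMBMACHINE" run as a non-root user does; consider marking the two commands with \fB...\fR as is done for commands elsewhere on the page.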
@@ -4923,6 +4936,14 @@ Example: \fBpostexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log
.TP
+preexec close (S)
+This boolean option controls whether a non-zero return code from \fIpreexec \fR should close the service being connected to\&.
+
+
+Default: \fBpreexec close = no\fR
+
+
+.TP
preexec (S)
This option specifies a command to be run whenever the service is connected to\&. It takes the usual substitutions\&.
@@ -4946,14 +4967,6 @@ Example: \fBpreexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log\fR
.TP
-preexec close (S)
-This boolean option controls whether a non-zero return code from \fIpreexec \fR should close the service being connected to\&.
-
-
-Default: \fBpreexec close = no\fR
-
-
-.TP
prefered master (G)
Synonym for \fI preferred master\fR for people who cannot spell :-)\&.
@@ -4976,31 +4989,31 @@ Default: \fBpreferred master = auto\fR
.TP
-preload (G)
-This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
+preload modules (G)
+This is a list of paths to modules that should be loaded into smbd before a client connects\&. This improves the speed of smbd when reacting to new connections somewhat\&.
-Note that if you just want all printers in your printcap file loaded then the \fIload printers\fR option is easier\&.
+It is recommended to only use this option on heavy-performance servers\&.
-Default: \fBno preloaded services\fR
+Default: \fBpreload modules = \fR
-Example: \fBpreload = fred lp colorlp\fR
+Example: \fBpreload modules = /usr/lib/samba/passdb/mysql.so+++ \fR
.TP
-preload modules (G)
-This is a list of paths to modules that should be loaded into smbd before a client connects\&. This improves the speed of smbd when reacting to new connections somewhat\&.
+preload (G)
+This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
-It is recommended to only use this option on heavy-performance servers\&.
+Note that if you just want all printers in your printcap file loaded then the \fIload printers\fR option is easier\&.
-Default: \fBpreload modules = \fR
+Default: \fBno preloaded services\fR
-Example: \fBpreload modules = /usr/lib/samba/passdb/mysql.so+++ \fR
+Example: \fBpreload = fred lp colorlp\fR
.TP
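Review bot: the example "preload modules = /usr/lib/samba/passdb/mysql.so+++ " ends in "+++ ", which does not look like part of a module path and reads like generation debris. Correct the example in the source. Because the text says these modules are loaded into smbd before a client connects, a sentence stating that the listed paths should be writable only by root would be a worthwhile addition.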
@@ -5026,11 +5039,6 @@ Default: \fBprintable = no\fR
.TP
-printcap (G)
-Synonym for \fI printcap name\fR\&.
-
-
-.TP
printcap name (S)
This parameter may be used to override the compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR)\&. See the discussion of the [printers] section above for reasons why you might want to do this\&.
@@ -5066,6 +5074,11 @@ Example: \fBprintcap name = /etc/myprintcap\fR
.TP
+printcap (G)
+Synonym for \fI printcap name\fR\&.
+
+
+.TP
print command (S)
After a print job has finished spooling to a service, this command will be used via a \fBsystem()\fR call to process the spool file\&. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case\&. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files\&.
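Review bot: the re-added synonym is headed "printcap (G)" while its target in the previous hunk is headed "printcap name (S)", so the alias and the parameter disagree on scope. Make the two tags match, and drop the stray space in "\fI printcap name\fR".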
@@ -5134,11 +5147,6 @@ Example: \fBprint command = /usr/local/samba/bin/myprintscript %p %s\fR
.TP
-printer (S)
-Synonym for \fI printer name\fR\&.
-
-
-.TP
printer admin (S)
This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation)\&. Note that the root user always has admin rights\&.
@@ -5164,6 +5172,11 @@ Example: \fBprinter name = laserwriter\fR
.TP
+printer (S)
+Synonym for \fI printer name\fR\&.
+
+
+.TP
printing (S)
This parameters controls how printer status information is interpreted on your system\&. It also affects the default values for the \fIprint command\fR, \fIlpq command\fR, \fIlppause command \fR, \fIlpresume command\fR, and \fIlprm command\fR if specified in the [global] section\&.
@@ -5401,16 +5414,6 @@ Default: \fBrestrict anonymous = 0\fR
.TP
-root (G)
-Synonym for \fIroot directory"\fR\&.
-
-
-.TP
-root dir (G)
-Synonym for \fIroot directory"\fR\&.
-
-
-.TP
root directory (G)
The server will \fBchroot()\fR (i\&.e\&. Change its root directory) to this directory on startup\&. This is not strictly necessary for secure operation\&. Even without it the server will deny access to files not in one of the service entries\&. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use "\&.\&." in file names to access other directories (depending on the setting of the \fIwide links\fR parameter)\&.
@@ -5425,6 +5428,11 @@ Example: \fBroot directory = /homes/smb\fR
.TP
+root dir (G)
+Synonym for \fIroot directory"\fR\&.
+
+
+.TP
root postexec (S)
This is the same as the \fIpostexec\fR parameter except that the command is run as root\&. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed\&.
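Review bot: "Synonym for \fIroot directory"\fR" has a stray double quote inside the italic span, and the patch re-adds it unchanged for root dir here and for root in a later hunk. Remove the quote in the source so the regenerated page renders the parameter name cleanly.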
@@ -5436,6 +5444,17 @@ Default: \fBroot postexec = <empty string>\fR
.TP
+root preexec close (S)
+This is the same as the \fIpreexec close \fR parameter except that the command is run as root\&.
+
+
+See also \fI preexec\fR and \fIpreexec close\fR\&.
+
+
+Default: \fBroot preexec close = no\fR
+
+
+.TP
root preexec (S)
This is the same as the \fIpreexec\fR parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
@@ -5447,14 +5466,31 @@ Default: \fBroot preexec = <empty string>\fR
.TP
-root preexec close (S)
-This is the same as the \fIpreexec close \fR parameter except that the command is run as root\&.
+root (G)
+Synonym for \fIroot directory"\fR\&.
-See also \fI preexec\fR and \fIpreexec close\fR\&.
+.TP
+security mask (S)
+This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
-Default: \fBroot preexec close = no\fR
+This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified\&. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change\&.
+
+
+If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file\&.
+
+
+\fBNote\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to \fB0777\fR\&.
+
+
+See also the \fIforce directory security mode\fR, \fIdirectory security mask\fR, \fIforce security mode\fR parameters\&.
+
+
+Default: \fBsecurity mask = 0777\fR
+
+
+Example: \fBsecurity mask = 0770\fR
.TP
@@ -5468,7 +5504,7 @@ The option sets the "security mode bit" in replies to protocol negotiations with
The default is \fBsecurity = user\fR, as this is the most common setting needed when talking to Windows 98 and Windows NT\&.
-The alternatives are \fBsecurity = share\fR, \fBsecurity = server\fR or \fBsecurity = domain \fR\&.
+The alternatives are \fBsecurity = share\fR, \fBsecurity = server\fR, \fBsecurity = domain \fR, or \fBsecurity = ads\fR\&.
In versions of Samba prior to 2\&.0\&.0, the default was \fBsecurity = share\fR mainly because that was the only option at one stage\&.
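Review bot: "security = ads" is added to the list of alternatives, but this hunk does not show a matching description of that mode. Confirm the regenerated page contains one or add it, and remove the stray space in "\fBsecurity = domain \fR" while touching this line.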
@@ -5602,29 +5638,6 @@ Example: \fBsecurity = DOMAIN\fR
.TP
-security mask (S)
-This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
-
-
-This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified\&. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change\&.
-
-
-If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file\&.
-
-
-\fBNote\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to \fB0777\fR\&.
-
-
-See also the \fIforce directory security mode\fR, \fIdirectory security mask\fR, \fIforce security mode\fR parameters\&.
-
-
-Default: \fBsecurity mask = 0777\fR
-
-
-Example: \fBsecurity mask = 0770\fR
-
-
-.TP
server schannel (G)
This controls whether the server offers or even demands the use of the netlogon schannel\&. \fIserver schannel = no\fR does not offer the schannel, \fIserver schannel = auto\fR offers the schannel but does not enforce it, and \fIserver schannel = yes\fR denies access if the client is not able to speak netlogon schannel\&. This is only the case for Windows NT4 before SP4\&.
@@ -5964,22 +5977,22 @@ Default: \fBsync always = no\fR
.TP
-syslog (G)
-This parameter maps how Samba debug messages are logged onto the system syslog logging levels\&. Samba debug level zero maps onto syslog \fBLOG_ERR\fR, debug level one maps onto \fBLOG_WARNING\fR, debug level two maps onto \fBLOG_NOTICE\fR, debug level three maps onto LOG_INFO\&. All higher levels are mapped to \fB LOG_DEBUG\fR\&.
+syslog only (G)
+If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&.
-This parameter sets the threshold for sending messages to syslog\&. Only messages with debug level less than this value will be sent to syslog\&.
+Default: \fBsyslog only = no\fR
-Default: \fBsyslog = 1\fR
+.TP
+syslog (G)
+This parameter maps how Samba debug messages are logged onto the system syslog logging levels\&. Samba debug level zero maps onto syslog \fBLOG_ERR\fR, debug level one maps onto \fBLOG_WARNING\fR, debug level two maps onto \fBLOG_NOTICE\fR, debug level three maps onto LOG_INFO\&. All higher levels are mapped to \fB LOG_DEBUG\fR\&.
-.TP
-syslog only (G)
-If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&.
+This parameter sets the threshold for sending messages to syslog\&. Only messages with debug level less than this value will be sent to syslog\&.
-Default: \fBsyslog only = no\fR
+Default: \fBsyslog = 1\fR
.TP
@@ -6031,17 +6044,6 @@ Synonym for \fI debug timestamp\fR\&.
.TP
-total print jobs (G)
-This parameter accepts an integer value which defines a limit on the maximum number of print jobs that will be accepted system wide at any given time\&. If a print job is submitted by a client which will exceed this number, then \fBsmbd\fR(8) will return an error indicating that no space is available on the server\&. The default value of 0 means that no such limit exists\&. This parameter can be used to prevent a server from exceeding its capacity and is designed as a printing throttle\&. See also \fImax print jobs\fR\&.
-
-
-Default: \fBtotal print jobs = 0\fR
-
-
-Example: \fBtotal print jobs = 5000\fR
-
-
-.TP
unicode (G)
Specifies whether Samba should try to use unicode on the wire by default\&. Note: This does NOT mean that samba will assume that the unix machine uses unicode!
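Review bot: the total print jobs entry is deleted outright here and from the global parameter list earlier in the patch, not moved. The removed text describes it as a printing throttle that prevents a server from exceeding its capacity, so if the parameter still exists the documentation should stay, and if it was removed the commit message should say so and point readers to \fImax print jobs\fR.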
@@ -6119,49 +6121,6 @@ Default: \fBuse mmap = yes\fR
.TP
-user (S)
-Synonym for \fIusername\fR\&.
-
-
-.TP
-username (S)
-Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&.
-
-
-The \fIusername\fR line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \\\\server\\share%user syntax instead\&.
-
-
-The \fIusername\fR line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the \fIusername\fR line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&.
-
-
-Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&.
-
-
-To restrict a service to a particular set of users you can use the \fIvalid users \fR parameter\&.
-
-
-If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&.
-
-
-If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&.
-
-
-If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&.
-
-
-Note that searching though a groups database can take quite some time, and some clients may time out during the search\&.
-
-
-See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services\&.
-
-
-Default: \fBThe guest account if a guest service, else <empty string>.\fR
-
-
-Examples:\fBusername = fred, mary, jack, jane, @users, @pcgroup\fR
-
-
-.TP
username level (G)
This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username\&. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine\&.
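Review bot: the username (S) block removed here is re-added unchanged in the next hunk, carrying over "searching though a groups database" (should be "through") and "Examples:\fBusername" with no space after the colon. Fix both in the source. The paragraph warning that the supplied password is validated against each listed username in turn should stay prominent wherever the block lands.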
@@ -6242,38 +6201,67 @@ Example: \fBusername map = /usr/local/samba/lib/users.map\fR
.TP
-users (S)
-Synonym for \fI username\fR\&.
+username (S)
+Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&.
-.TP
-use sendfile (S)
-If this parameter is \fByes\fR, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked\&. This may make more efficient use of the system CPU's and cause Samba to be faster\&. This is off by default as it's effects are unknown as yet\&.
+The \fIusername\fR line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \\\\server\\share%user syntax instead\&.
-Default: \fBuse sendfile = no\fR
+The \fIusername\fR line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the \fIusername\fR line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&.
+
+
+Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&.
+
+
+To restrict a service to a particular set of users you can use the \fIvalid users \fR parameter\&.
+
+
+If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&.
+
+
+If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&.
+
+
+If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&.
+
+
+Note that searching though a groups database can take quite some time, and some clients may time out during the search\&.
+
+
+See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services\&.
+
+
+Default: \fBThe guest account if a guest service, else <empty string>.\fR
+
+
+Examples:\fBusername = fred, mary, jack, jane, @users, @pcgroup\fR
.TP
-use spnego (G)
-This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism\&. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled\&.
+users (S)
+Synonym for \fI username\fR\&.
-Default: \fBuse spnego = yes\fR
+.TP
+user (S)
+Synonym for \fIusername\fR\&.
.TP
-utmp (G)
-This boolean parameter is only available if Samba has been configured and compiled with the option \fB --with-utmp\fR\&. If set to \fByes\fR then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
+use sendfile (S)
+If this parameter is \fByes\fR, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked\&. This may make more efficient use of the system CPU's and cause Samba to be faster\&.
-Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
+Default: \fBuse sendfile = no\fR
-See also the \fI utmp directory\fR parameter\&.
+.TP
+use spnego (G)
+This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism\&. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled\&.
-Default: \fButmp = no\fR
+Default: \fBuse spnego = yes\fR
.TP
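Review bot: the added username text has two wording slips that should be fixed in the source this page is regenerated from: "searching though a groups database" should read "searching through", and "Examples:\fBusername = fred, ..." needs a space after the colon. The re-added use spnego paragraph still reads "This variable controls controls whether". Separately, the new use sendfile text drops the sentence "This is off by default as it's effects are unknown as yet" but keeps "Default: \fBuse sendfile = no\fR", so the entry no longer says why the default is no. If the removal is intended, a short reason for the default would help.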
@@ -6288,14 +6276,17 @@ Example: \fButmp directory = /var/run/utmp\fR
.TP
--valid (S)
-This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
+utmp (G)
+This boolean parameter is only available if Samba has been configured and compiled with the option \fB --with-utmp\fR\&. If set to \fByes\fR then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
-This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
+Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
-Default: \fBTrue\fR
+See also the \fI utmp directory\fR parameter\&.
+
+
+Default: \fButmp = no\fR
.TP
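Review bot: the moved utmp entry still says "Enabling this option creates an n^2 algorithm to find this number" without saying what n counts, so an administrator cannot tell when "large installations" applies; name the quantity in the source text. The font escapes "\fB --with-utmp\fR" and "\fI utmp directory\fR" also carry a stray leading space inside the bold and italic spans.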
@@ -6319,6 +6310,17 @@ Example: \fBvalid users = greg, @pcusers\fR
.TP
+-valid (S)
+This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
+
+
+This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
+
+
+Default: \fBTrue\fR
+
+
+.TP
veto files (S)
This is a list of files and directories that are neither visible nor accessible\&. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry\&. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards\&.
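Review bot: in the re-added -valid entry, "Default: \fBTrue\fR" does not follow the "name = value" form the neighbouring entries use (for example "Default: \fButmp = no\fR"), and the text speaks of setting the parameter to "false" where other booleans on this page use yes/no. Suggest writing the default in the same form as the rest. Since the entry states that it "should not be used by regular users" and is used internally to mark shares as deleted, that warning would be better placed in the first sentence than in the second paragraph.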
@@ -6370,13 +6372,17 @@ Example: \fBveto oplock files = /*.SEM/\fR
.TP
-vfs object (S)
-Synonym for \fIvfs objects\fR \&.
+vfs objects (S)
+This parameter specifies the backend module names which are used for Samba VFS I/O operations\&. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects\&.
-.TP
-vfs objects (S)
-This parameter specifies the backend names which are used for Samba VFS I/O operations\&. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects\&.
+Options for a given VFS module are specified one per line smb\&.conf perfaced by the module name and a colon (:)\&. Such as
+
+
+foo:bar=biddle
+
+
+where 'foo' is the name of VFS module, 'bar' is a parameter supported by ;foo;, and 'biddle' is the value of the option 'bar'\&. Refer to the manpage for a given VFS modules regarding the options supported by that module\&.
Default: \fBno value\fR
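Review bot: the added paragraph on VFS module options has several errors that make the syntax hard to follow: "specified one per line smb\&.conf perfaced by the module name" should read "one per line in smb.conf, prefaced by the module name", "a parameter supported by ;foo;" should quote the module name as 'foo', and "a given VFS modules" should be singular. The sample line "foo:bar=biddle" is also set as plain text, while every other example in this file is wrapped in \fB...\fR; formatting it the same way would make it clear that it is literal smb.conf syntax.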
@@ -6386,6 +6392,11 @@ Example: \fBvfs objects = extd_audit recycle\fR
.TP
+vfs object (S)
+Synonym for \fIvfs objects\fR \&.
+
+
+.TP
volume (S)
This allows you to override the volume label returned for a share\&. Useful for CDROMs with installation programs that insist on a particular volume label\&.