diff options
author | Gerald Carter <jerry@samba.org> | 2001-02-22 13:03:24 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-02-22 13:03:24 +0000 |
commit | 63c9afc82dca7c700c2f13feecc045679fe1b547 (patch) | |
tree | 21cb87df2024a75ae75b1094a09c4d798ec7fb46 /docs | |
parent | b4096748dd5613f7c6f7d8c6d73c5ff0fba0c346 (diff) | |
download | samba-63c9afc82dca7c700c2f13feecc045679fe1b547.tar.gz samba-63c9afc82dca7c700c2f13feecc045679fe1b547.tar.bz2 samba-63c9afc82dca7c700c2f13feecc045679fe1b547.zip |
Whew! smb.conf.5.yo completely converted to DocBook (only after 2 & 1/2
days :) ). The man page generation is fine. Some anchor tags
need to be tweaked to get the HTML generation correct.
Also, I have done very little editing which means that we'll have to go
through and verify acurracy of things like default values, etc...
(This used to be commit 9fb11c5ec6d439544549060903ea0f275f5de9a9)
Diffstat (limited to 'docs')
-rw-r--r-- | docs/docbook/smb.conf.5.sgml | 3077 |
1 files changed, 3057 insertions, 20 deletions
diff --git a/docs/docbook/smb.conf.5.sgml b/docs/docbook/smb.conf.5.sgml index 16d72a01ce..6e44a7a59a 100644 --- a/docs/docbook/smb.conf.5.sgml +++ b/docs/docbook/smb.conf.5.sgml @@ -215,7 +215,7 @@ </refsect2> <refsect2> - <title id="printersect">The [printers] section</title> + <title id="printerssect">The [printers] section</title> <para>This section works like [homes], but for printers.</para> @@ -529,7 +529,7 @@ </refsect1> <refsect1> - <title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title> + <title id="validationsect">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title> <para>There are a number of ways in which a user can connect to a service. The server follows the following steps in determining @@ -670,7 +670,6 @@ <listitem><para><parameter>ole locking compatibility</parameter></para></listitem> <listitem><para><parameter>oplock break wait time</parameter> </para></listitem> <listitem><para><parameter>os level</parameter> </para></listitem> - <listitem><para><parameter>packet size</parameter> </para></listitem> <listitem><para><parameter>panic action</parameter> </para></listitem> <listitem><para><parameter>passwd chat</parameter></para></listitem> <listitem><para><parameter>passwd chat debug</parameter> </para></listitem> @@ -1596,7 +1595,7 @@ <term id="defaultcase">default case (S)</term> <listitem><para>See the section on <link linkend="namemanglingsect"> NAME MANGLING"</link>. Also note the <link linkend="shortpreservecase"> - <parameter>short preserve case"</parameter>></link> parameter.</para> + <parameter>short preserve case"</parameter></link> parameter.</para> </listitem> </varlistentry> @@ -1688,7 +1687,7 @@ UNIX users are dynamically deleted to match existing Windows NT accounts.</para> - <para>See also <link linkend="securitydomain">security=domain</link>, + <para>See also <link linkend="securityequalsdomain">security=domain</link>, <link linkend="passwordserver"><parameter>password server</parameter> </link>, <link linkend="adduserscript"><parameter>add user script</parameter> </link>.</para> @@ -2300,7 +2299,7 @@ it to 0000.</para> <para>See also the <link linkend="directorysecuritymask"><parameter> - directory security mask</parameter></link>, <link linkend="secduritymask"> + directory security mask</parameter></link>, <link linkend="securitymask"> <parameter>security mask</parameter></link>, <link linkend="forcesecuritymode"><parameter>force security mode </parameter></link> parameters.</para> @@ -3001,7 +3000,7 @@ <term id="loadprinters">load printers (G)</term> <listitem><para>A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. - See the <link linkend="printersect">printers</link> section for + See the <link linkend="printerssect">printers</link> section for more details.</para> <para>Default: <command>load printers = yes</command></para></listitem> @@ -3440,7 +3439,7 @@ <varlistentry> <term id="machinepasswordtimeout">machine password timeout (G)</term> <listitem><para>If a Samba server is a member of an Windows - NT Domain (see the <link linkend="securitydomain">security=domain</link>) + NT Domain (see the <link linkend="securityequalsdomain">security=domain</link>) parameter) then periodically a running <ulink url="smbd.8.html"> smbd(8)</ulink> process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called <filename>private/secrets.tdb @@ -3449,7 +3448,7 @@ seconds), the same as a Windows NT Domain member server.</para> <para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8) - </command></ulink>, and the <link linkend="securitydomain"> + </command></ulink>, and the <link linkend="securityequalsdomain"> security=domain</link>) parameter.</para> <para>Default: <command>machine password timeout = 604800</command></para> @@ -3509,7 +3508,7 @@ <varlistentry> <term id="manglecase">mangle case (S)</term> - <listitem><para>See the section on <link linkend="manmaglingsect"> + <listitem><para>See the section on <link linkend="namemanglingsect"> NAME MANGLING</link></para> </listitem> </varlistentry> @@ -3841,15 +3840,6 @@ <varlistentry> - <term id="maxpacket">max packet (G)</term> - <listitem><para>Synonym for <link linkend="packetsize"><parameter> - packet size</parameter></link>.</para> - </listitem> - </varlistentry> - - - - <varlistentry> <term id="maxttl">max ttl (G)</term> <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink> what the default 'time to live' of NetBIOS names should be (in seconds) @@ -3866,7 +3856,7 @@ <varlistentry> <term id="maxwinsttl">max wins ttl (G)</term> <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8) - </ulink> when acting as a WINS server (<link linkend="winsupport"> + </ulink> when acting as a WINS server (<link linkend="winssupport"> <parameter>wins support=yes</parameter></link>) what the maximum 'time to live' of NetBIOS names that <command>nmbd</command> will grant will be (in seconds). You should never need to change this @@ -4332,6 +4322,3053 @@ </varlistentry> + <varlistentry> + <term id="oslevel">os level (G)</term> + <listitem><para>This integer value controls what level Samba + advertises itself as for browse elections. The value of this + parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink> + has a chance of becoming a local master browser for the <parameter> + WORKGROUP</parameter> in the local broadcast area. The default is + zero, which means <command>nmbd</command> will lose elections to + Windows machines. See <filename>BROWSING.txt</filename> in the + Samba <filename>docs/</filename> directory for details.</para> + + <para>Default: <command>os level = 20</command></para> + <para>Example: <command>os level = 65 </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="panicaction">panic action (G)</term> + <listitem><para>This is a Samba developer option that allows a + system command to be called when either <ulink url="smbd.8.html"> + smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink> + crashes. This is usually used to draw attention to the fact that + a problem occurred.</para> + + <para>Default: <command>panic action = <empty string></command></para> + <para>Example: <command>panic action = "/bin/sleep 90000"</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="passwdchat">passwd chat (G)</term> + <listitem><para>This string controls the <emphasis>"chat"</emphasis> + conversation that takes places between <ulink + url="smbd.8.html">smbd</ulink> and the local password changing + program to change the users password. The string describes a + sequence of response-receive pairs that <ulink url="smbd.8.html"> + smbd(8)</ulink> uses to determine what to send to the + <link linkend="passwdprogram"><parameter>passwd program</parameter> + </link> and what to expect back. If the expected output is not + received then the password is not changed.</para> + + <para>This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc).</para> + + <para>The string can contain the macros <parameter>%o</parameter> + and <parameter>%n</parameter> which are substituted for the old + and new passwords respectively. It can also contain the standard + macros <constant>\n</constant>, <constant>\r</constant>, <constant> + \t</constant> and <constant>%s</constant> to give line-feed, + carriage-return, tab and space.</para> + + <para>The string can also contain a '*' which matches + any sequence of characters.</para> + + <para>Double quotes can be used to collect strings with spaces + in them into a single string.</para> + + <para>If the send string in any part of the chat sequence + is a fullstop ".", then no string is sent. Similarly, + is the expect string is a fullstop then no string is expected.</para> + + <para>Note that if the <link linkend="unixpasswordsync"><parameter>unix + password sync</parameter></link> parameter is set to true, then this + sequence is called <emphasis>AS ROOT</emphasis> when the SMB password + in the smbpasswd file is being changed, without access to the old + password cleartext. In this case the old password cleartext is set + to "" (the empty string).</para> + + <para>See also <link linkend="unixpasswordsync"><parameter>unix password + sync</parameter></link>, <link linkend="passwdprogram"><parameter> + passwd program</parameter></link> and <link linkend="passwdchatdebug"> + <parameter>passwd chat debug</parameter></link>.</para> + + <para>Default: <command>passwd chat = *old*password* %o\n *new* + password* %n\n *new*password* %n\n *changed*</command></para> + <para>Example: <command>passwd chat = "*Enter OLD password*" %o\n + "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password + changed*"</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwdchatdebug">passwd chat debug (G)</term> + <listitem><para>This boolean specifies if the passwd chat script + parameter is run in <emphasis>debug</emphasis> mode. In this mode the + strings passed to and received from the passwd chat are printed + in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a + <link linkend="debuglevel"><parameter>debug level</parameter></link> + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the <command>smbd</command> log. It is available to help + Samba admins debug their <parameter>passwd chat</parameter> scripts + when calling the <parameter>passwd program</parameter> and should + be turned off after this has been done. This parameter is off by + default.</para> + + <para>See also <<link linkend="passwdchat"><parameter>passwd chat</parameter> + </link>, <link linkend="passwdprogram"><parameter>passwd program</parameter> + </link>.</para> + + <para>Default: <command>passwd chat debug = no</command></para> + <para>Example: <command>passwd chat debug = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwdprogram">passwd program (G)</term> + <listitem><para>The name of a program that can be used to set + UNIX user passwords. Any occurrences of <parameter>%u</parameter> + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.</para> + + <para>Also note that many passwd programs insist in <emphasis>reasonable + </emphasis> passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.</para> + + <para><emphasis>Note</emphasis> that if the <parameter>unix + password sync</parameter> parameter is set to <constant>True + </constant> then this program is called <emphasis>AS ROOT</emphasis> + before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5) + </ulink> file is changed. If this UNIX password change fails, then + <command>smbd</command> will fail to change the SMB password also + (this is by design).</para> + + <para>If the <parameter>unix password sync</parameter> parameter + is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> + for <emphasis>ALL</emphasis> programs called, and must be examined + for security implications. Note that by default <parameter>unix + password sync</parameter> is set to <constant>False</constant>.</para> + + <para>See also <link linkend="unixpasswordsync"><parameter>unix + password sync</parameter></link>.</para> + + <para>Default: <command>passwd program = /bin/passwd</command></para> + <para>Example: <command>passwd program = /sbin/npasswd %u</command> + </para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwordlevel">password level (G)</term> + <listitem><para>Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS!</para> + + <para>This parameter defines the maximum number of characters + that may be upper case in passwords.</para> + + <para>For example, say the password given was "FRED". If <parameter> + password level</parameter> is set to 1, the following combinations + would be tried if "FRED" failed:</para> + + <para>"Fred", "fred", "fRed", "frEd","freD"</para> + + <para>If <parameter>password level</parameter> was set to 2, + the following combinations would also be tried: </para> + + <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para> + + <para>And so on.</para> + + <para>The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection.</para> + + <para>A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case.</para> + + <para>Default: <command>password level = 0</command></para> + <para>Example: <command>password level = 4</command</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="passwordserver">password server (G)</term> + <listitem><para>By specifying the name of another SMB server (such + as a WinNT box) with this option, and using <command>security = domain + </command> or <command>security = server</command> you can get Samba + to do all its username/password validation via a remote server.</para> + + <para>This options sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the <filename>smb.conf</filename> file.</para> + + <para>The name of the password server is looked up using the + parameter <link linkend="nameresolveorder"><parameter>name + resolve order</parameter></link> and so may resolved + by any method and order described in that parameter.</para> + + <para>The password server much be a machine capable of using + the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in + user level security mode.</para> + + <para><emphasis>NOTE:</emphasis> Using a password server + means your UNIX box (running Samba) is only as secure as your + password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT + YOU DON'T COMPLETELY TRUST</emphasis>.</para> + + <para>Never point a Samba server at itself for password + serving. This will cause a loop and could lock up your Samba + server!</para> + + <para>The name of the password server takes the standard + substitutions, but probably the only useful one is <parameter>%m + </parameter>, which means the Samba server will use the incoming + client as the passwordserver. If you use this then you better + trust your clients, and you better restrict them with hosts allow!</para> + + <para>If the <parameter>security</parameter> parameter is set to + <constant>domain</constant>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is cryptographicly + in that domain, and will use cryptographicly authenticated RPC calls + to authenticate the user logging on. The advantage of using <command> + security = domain</command> is that if you list several hosts in the + <parameter>password server</parameter> option then <command>smbd + </command> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</para> + + <para>If the <parameter>password server</parameter> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <constant>WORKGROUP<1C></constant> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </para> + + <para>If the <parameter>security</parameter> parameter is + set to <constant>server</constant>, then there are different + restrictions that <command>security = domain</command> doesn't + suffer from:</para> + + <itemizedlist> + <listitem><para>You may list several password servers in + the <parameter>password server</parameter> parameter, however if an + <command>smbd</command> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <command>smbd</command>. This is a + restriction of the SMB/CIFS protocol when in <command>security=server + </command> mode and cannot be fixed in Samba.</para></listitem> + + <listitem><para>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <command> + security=server</command> mode the network logon will appear to + come from there rather than from the users workstation.</para></listitem> + </itemizedlist> + + <para>See also the <link linkend="security"><parameter>security + </parameter></link> parameter.</para> + + <para>Default: <command>password server = <empty string></command> + </para> + <para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2 + </command></para> + <para>Example: <command>password server = *</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="path">path (S)</term> + <listitem><para>This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing.</para> + + <para>For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise.</para> + + <para>Any occurrences of <parameter>%u</parameter> in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of <parameter>%m</parameter> + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users.</para> + + <para>Note that this path will be based on <link linkend="rootdir"> + <parameter>root dir</parameter></link> if one was specified.</para> + + <para>Default: <emphasis>none</emphasis></para> + <para>Example: <command>path = /home/fred</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="postexec">postexec (S)</term> + <listitem><para>This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems.</para> + + <para>An interesting example may be do unmount server + resources:</para> + + <para><command>postexec = /etc/umount /cdrom</command></para> + + <para>See also <link linkend="preexec"><parameter>preexec</parameter> + </link>.</para> + + <para>Default: <emphasis>none (no command executed)</emphasis> + </para> + + <para>Example: <command>postexec = echo \"%u disconnected from %S + from %m (%I)\" >> /tmp/log</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="postscript">postscript (S)</term> + <listitem><para>This parameter forces a printer to interpret + the print files as postscript. This is done by adding a <constant>%! + </constant> to the start of print output.</para> + + <para>This is most useful when you have lots of PCs that persist + in putting a control-D at the start of print jobs, which then + confuses your printer.</para> + + <para>Default: <command>postscript = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preexec">preexec (S)</term> + <listitem><para>This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions.</para> + + <para>An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example:</para> + + <para><command>preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para> + + <para>Of course, this could get annoying after a while :-)</para> + + <para>See also <link linkend="preexecclose"><parameter>preexec close + </parameter</link> and <link linkend="postexec"><parameter>postexec + </parameter></link>.</para> + + <para>Default: <emphasis>none (no command executed)</emphasis></para> + <para>Example: <command>preexec = echo \"%u connected to %S from %m + (%I)\" >> /tmp/log</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preexecclose">preexec close (S)</term> + <listitem><para>This boolean option controls whether a non-zero + return code from <link linkend="preexec"><parameter>preexec + </parameter></link> should close the service being connected to.</para> + + <para>Default: <command>preexec close = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="preferredmaster">preferred master (G)</term> + <listitem><para>This boolean parameter controls if <ulink + url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser + for its workgroup.</para> + + <para>If this is set to true, on startup, <command>nmbd</command> + will force an election, and it will have a slight advantage in + winning the election. It is recommended that this parameter is + used in conjunction with <command><link linkend="domainmaster"><parameter> + domain master</parameter></link> = yes</command>, so that <command> + nmbd</command> can guarantee becoming a domain master.</para> + + <para>Use this option with caution, because if there are several + hosts (whether Samba servers, Windows 95 or NT) that are preferred + master browsers on the same subnet, they will each periodically + and continuously attempt to become the local master browser. + This will result in unnecessary broadcast traffic and reduced browsing + capabilities.</para> + + <para>See also <link linkend="oslevel"><parameter>os level</parameter> + </link>.</para> + + <para>Default: <command>preferred master = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preferedmaster">prefered master (G)</term> + <listitem><para>Synonym for <link linkend="preferredmaster"><parameter> + preferred master</parameter></link> for people who cannot spell :-).</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="preload">preload</term> + <listitem><para>Synonym for <link linkend="autoservices"><parameter> + auto services</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="preservecase">preserve case (S)</term> + <listitem><para> This controls if new filenames are created + with the case that the client passes, or if they are forced to + be the <link linkend="defaultcase"><parameter>derault case + </parameter></link>.</para> + + <para>Default: <command>preserve case = yes</command></para> + + <para>See the section on <link linkend="namemanglingsect">NAME + MANGLING"</link> for a fuller discussion.</para + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printcommand">print command (S)</term> + <listitem><para>After a print job has finished spooling to + a service, this command will be used via a <command>system()</command> + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files.</para> + + <para>The print command is simply a text string. It will be used + verbatim, with two exceptions: All occurrences of <parameter>%s + </parameter> and <parameter>%f</parameter> will be replaced by the + appropriate spool file name, and all occurrences of <parameter>%p + </parameter> will be replaced by the appropriate printer name. The + spool file name is generated automatically by the server, the printer + name is discussed below.</para> + + <para>The print command <emphasis>MUST</emphasis> contain at least + one occurrence of <parameter>%s</parameter> or <parameter>%f + </parameter> - the <parameter>%p</parameter> is optional. At the time + a job is submitted, if no printer name is supplied the <parameter>%p + </parameter> will be silently removed from the printer command.</para> + + <para>If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified.</para> + + <para>If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed.</para> + + <para>Note that printing may fail on some UNIXs from the + <constant>nobody</constant> account. If this happens then create + an alternative guest account that can print and set the <link + linkend="guestaccount"><parameter>guest account</parameter></link> + in the [global] section.</para> + + <para>You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts.</para> + + <para><command>print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s</command></para> + + <para>You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the <link linkend="printing"> + <parameter>printing</parameter></link> parameter.</para> + + <para>Default: For <command>printing= BSD, AIX, QNX, LPRNG + or PLP :</command></para> + <para><command>print command = lpr -r -P%p %s</command></para> + + <para>For <command>printing= SYS or HPUX :</command></para> + <para><command>print command = lp -c -d%p %s; rm %s</command></para> + + <para>For <command>printing=SOFTQ :</command></para> + <para><command>print command = lp -d%p -s %s; rm %s</command></para> + + <para>Example: <command>print command = /usr/local/samba/bin/myprintscript + %p %s</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printok">print ok (S)</term> + <listitem><para>Synonym for <link linkend="printable"> + <parameter>printable</parameter></link>.</para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="printable">printable (S)</term> + <listitem><para>If this parameter is <constant>yes</constant>, then + clients may open, write to and submit spool files on the directory + specified for the service. </para> + + <para>Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The <link linkend="writeable"><parameter>writeable + </parameter></link> parameter controls only non-printing access to + the resource.</para> + + <para>Default: <command>printable = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printcap">printcap (G)</term> + <listitem><para>Synonym for <link linkend="printcapname"><parameter> + printcap name</parameter></link>.</para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="printeradmin">printer admin (S)</term> + <listitem><para>This is a list of users that can do anything to + printers via the remote administration interfaces offered by MSRPC + (usually using a NT workstation). Note that the root user always + has admin rights.</para> + + <para>Default: <command>printer admin = <empty string></command> + </para> + <para>Example: <command>printer admin = admin, @staff</command></para> + </listitem> + </varlistentry> + + + + + + + <varlistentry> + <term id="printcapname">printcap name (G)</term> + <listitem><para>This parameter may be used to override the + compiled-in default printcap name used by the server (usually <filename> + /etc/printcap</filename>). See the discussion of the <link + linkend="printerssect">[printers]</link> section above for reasons + why you might want to do this.</para> + + <para>On System V systems that use <command>lpstat</command> to + list available printers you can use <command>printcap name = lpstat + </command> to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If <parameter> + printcap name</parameter> is set to <command>lpstat</command> on + these systems then Samba will launch <command>lpstat -v</command> and + attempt to parse the output to obtain a printer list.</para> + + <para>A minimal printcap file would look something like this:</para> + + <para><programlisting> + print1|My Printer 1 + print2|My Printer 2 + print3|My Printer 3 + print4|My Printer 4 + print5|My Printer 5 + </programlisting></para> + + <para>where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment.</para> + + <para><emphasis>NOTE</emphasis>: Under AIX the default printcap + name is <filename>/etc/qconfig</filename>. Samba will assume the + file is in AIX <filename>qconfig</filename> format if the string + <filename>qconfig</filename> appears in the printcap filename.</para> + + <para>Default: <command>printcap name = /etc/printcap</command></para> + <para>Example: <command>printcap name = /etc/myprintcap</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printer">printer (S)</term> + <listitem><para>This parameter specifies the name of the printer + to which print jobs spooled through a printable service will be sent.</para> + + <para>If specified in the [global] section, the printer + name given will be used for any printable service that does + not have its own printer name specified.</para> + + <para>Default: <emphasis>none (but may be <constant>lp</constant> + on many systems)</emphasis></para> + + <para>Example: <command>printer name = laserwriter</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printerdriver">printer driver (S)</term> + <listitem><para>This option allows you to control the string + that clients receive when they ask the server for the printer driver + associated with a printer. If you are using Windows95 or WindowsNT + then you can use this to automate the setup of printers on your + system.</para> + + <para>You need to set this parameter to the exact string (case + sensitive) that describes the appropriate printer driver for your + system. If you don't know the exact string to use then you should + first try with no <link linkend="printerdriver"><parameter> + printer driver</parameter></link> option set and the client will + give you a list of printer drivers. The appropriate strings are + shown in a scrollbox after you have chosen the printer manufacturer.</para> + + <para>See also <link linkend="printerdriverfile"><parameter>printer + driver file</parameter></link>.</para> + + <para>Example: <command>printer driver = HP LaserJet 4L</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printerdriverfile">printer driver file (G)</term> + <listitem><para>This parameter tells Samba where the printer driver + definition file, used when serving drivers to Windows 95 clients, is + to be found. If this is not set, the default is :</para> + + <para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable> + /lib/printers.def</filename></para> + + <para>This file is created from Windows 95 <filename>msprint.inf + </filename> files found on the Windows 95 client system. For more + details on setting up serving of printer drivers to Windows 95 + clients, see the documentation file in the <filename>docs/</filename> + directory, <filename>PRINTER_DRIVER.txt</filename>.</para> + + <para>See also <link linkend="printerdriverlocation"><parameter> + printer driver location</parameter></link>.</para> + + <para>Default: <emphasis>None (set in compile).</emphasis></para> + + <para>Example: <command>printer driver file = + /usr/local/samba/printers/drivers.def</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="printerdriverlocation">printer driver location (S)</term> + <listitem><para>This parameter tells clients of a particular printer + share where to find the printer driver files for the automatic + installation of drivers for Windows 95 machines. If Samba is set up + to serve printer drivers to Windows 95 machines, this should be set to</para> + + <para><command>\\MACHINE\PRINTER$</command></para> + + <para>Where MACHINE is the NetBIOS name of your Samba server, + and PRINTER$ is a share you set up for serving printer driver + files. For more details on setting this up see the documentation + file in the <filename>docs/</filename> directory, <filename> + PRINTER_DRIVER.txt</filename>.</para> + + <para>See also <link linkend="printerdriverfile"><parameter> + printer driver file</parameter></link>.</para> + + <para>Default: <command>none</command></para> + <para>Example: <command>printer driver location = \\MACHINE\PRINTER$ + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printername">printer name (S)</term> + <listitem><para>Synonym for <link linkend="printer"><parameter> + printer</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="printing">printing (S)</term> + <listitem><para>This parameters controls how printer status + information is interpreted on your system. It also affects the + default values for the <parameter>print command</parameter>, + <parameter>lpq command</parameter>, <parameter>lppause command + </parameter>, <parameter>lpresume command</parameter>, and + <parameter>lprm command</parameter> if specified in the + [global]f> section.</para> + + <para>Currently eight printing styles are supported. They are + <constant>BSD</constant>, <constant>AIX</constant>, + <constant>LPRNG</constant>, <constant>PLP</constant>, + <constant>SYSV</constant>, <constant>HPUX</constant>, + <constant>QNX</constant>, <constant>SOFTQ</constant>, + and <constant>CUPS</constant>.</para> + + <para>To see what the defaults are for the other print + commands when using the various options use the <ulink + url="testparm.1.html">testparm(1)</ulink> program.</para> + + <para>This option can be set on a per printer basis</para> + + <para>See also the discussion in the <link linkend="printerssect"> + [printers]</link> section.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="privatedir">private dir(G)</term> + <listitem><para>The <parameter>private dir</parameter> parameter + allows an administator to define a directory path used to hold the + various databases Samba will use to store things like a the machine + trust account information when acting as a domain member (i.e. where + the secrets.tdb file will be located), where the passdb.tbd file + will stored in the case of using the experiemental tdbsam support, + etc...</para> + + <para>Default: <command>private dir = <compile time location + of smbpasswd></command></para> + <para>Example: <command>private dir = /etc/smbprivate</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="protocol">protocol (G)</term> + <listitem><para>The value of the parameter (a string) is the highest + protocol level that will be supported by the server.</para> + + <para>Possible values are :</para> + <itemizedlist> + <listitem><para><constant>CORE</constant>: Earliest version. No + concept of user names.</para></listitem> + + <listitem><para><constant>COREPLUS</constant>: Slight improvements on + CORE for efficiency.</para></listitem> + + <listitem><para><constant>LANMAN1</constant>: First <emphasis> + modern</emphasis> version of the protocol. Long filename + support.</para></listitem> + + <listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol. + </para></listitem> + + <listitem><para><constant>NT1</constant>: Current up to date version of + the protocol. Used by Windows NT. Known as CIFS.</para></listitem> + </itemizedlist> + + <para>Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol.</para> + + <para>Default: <command>protocol = NT1</command></para> + <para>Example: <command>protocol = LANMAN1</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="public">public (S)</term> + <listitem><para>Synonym for <link linkend="guestok"><parameter>guest + ok</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="queuepausecommand">queuepause command (S)</term> + <listitem><para>This parameter specifies the command to be + executed on the server host in order to pause the printerqueue.</para> + + <para>This command should be a program or script which takes + a printer name as its only parameter and stops the printerqueue, + such that no longer jobs are submitted to the printer.</para> + + <para>This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT.</para> + + <para>If a <parameter>%p</parameter> is given then the printername + is put in its place. Otherwise it is placed at the end of the command. + </para> + + <para>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</para> + + <para>Default: <emphasis>depends on the setting of <parameter>printing + </parameter></emphasis></para> + <para>Example: <command>queuepause command = disable %p</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="queueresumecommand">queueresume command (S)</term> + <listitem><para>This parameter specifies the command to be + executed on the server host in order to resume the printerqueue. It + is the command to undo the behavior that is caused by the + previous parameter (<link linkend="queuepausecommand"><parameter> + queuepause command</parameter></link>).</para> + + <para>This command should be a program or script which takes + a printer name as its only parameter and resumes the printerqueue, + such that queued jobs are resubmitted to the printer.</para> + + <para>This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT.</para> + + <para>If a <parameter>%p</parameter> is given then the printername + is put in its place. Otherwise it is placed at the end of the + command.</para> + + <para>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</para> + + <para>Default: <emphasis>depends on the setting of <link + linkend="printing"><parameter>printing</parameter></link></emphasis> + </para> + + <para>Example: <command>queuepause command = enable %p + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="readbmpx">read bmpx (G)</term> + <listitem><para>This boolean parameter controls whether <ulink + url="smbd.8.html">smbd(8)</ulink> will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + <constant>no</constant>. You should never need to set this + parameter.</para> + + <para>Default: <command>read bmpx = no</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="readlist">read list (S)</term> + <listitem><para>This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the <link + linkend="writeable"><parameter>writeable</parameter></link> + option is set to. The list can include group names using the + syntax described in the <link linkend="invalidusers"><parameter> + invalid users</parameter></link> parameter.</para> + + <para>See also the <link linkend="writelist"><parameter> + write list</parameter></link> parameter and the <link + linkend="invalidusers"><parameter>invalid users</parameter> + </link> parameter.</para> + + <para>Default: <command>read list = <empty string></command></para> + <para>Example: <command>read list = mary, @students</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="readonly">read only (S)</term> + <listitem><para>Note that this is an inverted synonym for <link + linkend="writeable"><parameter>writeable</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="readraw">read raw (G)</term> + <listitem><para>This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients.</para> + + <para>If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + </para> + + <para>However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads.</para> + + <para>In general this parameter should be viewed as a system tuning + tool and left severely alone. See also <link linkend="writeraw"> + <parameter>write raw</parameter></link>.</para> + + <para>Default: <command>read raw = yes</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="readsize">read size (G)</term> + <listitem><para>The option <parameter>read size</parameter> + affects the overlap of disk reads/writes with network reads/writes. + If the amount of data being transferred in several of the SMB + commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger + than this value then the server begins writing the data before it + has received the whole packet from the network, or in the case of + SMBreadbraw, it begins writing to the network before all the data + has been read from disk.</para> + + <para>This overlapping works best when the speeds of disk and + network access are similar, having very little effect when the + speed of one is much greater than the other.</para> + + <para>The default value is 16384, but very little experimentation + has been done yet to determine the optimal value, and it is likely + that the best value will vary greatly between systems anyway. + A value over 65536 is pointless and will cause you to allocate + memory unnecessarily.</para> + + <para>Default: <command>read size = 16384</command></para> + <para>Example: <command>read size = 8192</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="remoteannounce">remote announce (G)</term> + <listitem><para>This option allows you to setup <ulink + url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name.</para> + + <para>This is useful if you want your Samba server to appear + in a remote workgroup for which the normal browse propagation + rules don't work. The remote workgroup can be anywhere that you + can send IP packets to.</para> + + <para>For example:</para> + + <para><command>remote announce = 192.168.2.255/SERVERS + 192.168.4.255/STAFF</command></para> + + <para>the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. + If you leave out the workgroup name then the one given in + the <link linkend="workgroup"><parameter>workgroup</parameter></link> + parameter is used instead.</para> + + <para>The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable.</para> + + <para>See the documentation file <filename>BROWSING.txt</filename> + in the <filename>docs/</filename> directory.</para> + + <para>Default: <command>remote announce = <empty string> + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="remotebrowsesync">remote browse sync (G)</term> + <listitem><para>This option allows you to setup <ulink + url="nmbd.8.html">nmbd(8)</ulink> to periodically request + synchronization of browse lists with the master browser of a samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-samba servers.</para> + + <para>This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to.</para> + + <para>For example:</para> + + <para><command>remote browse sync = 192.168.2.255 192.168.4.255 + </command></para> + + <para>the above line would cause <command>nmbd</command> to request + the master browser on the specified subnets or addresses to + synchronize their browse lists with the local server.</para> + + <para>The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on it's segment.</para> + + <para>Default: <command>remote browse sync = <empty string> + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="restrictanonymous">restrict anonymous (G)</term> + <listitem><para>This is a boolean parameter. If it is true, then + anonymous access to the server will be restricted, namely in the + case where the server is expecting the client to send a username, + but it doesn't. Setting it to true will force these anonymous + connections to be denied, and the client will be required to always + supply a username and password when connecting. Use of this parameter + is only recommened for homogenous NT client environments.</para> + + <para>This parameter makes the use of macro expansions that rely + on the username (%U, %G, etc) consistant. NT 4.0 + likes to use anonymous connections when refreshing the share list, + and this is a way to work around that.</para> + + <para>When restrict anonymous is true, all anonymous connections + are denied no matter what they are for. This can effect the ability + of a machine to access the samba Primary Domain Controller to revalidate + it's machine account after someone else has logged on the client + interactively. The NT client will display a message saying that + the machine's account in the domain doesn't exist or the password is + bad. The best way to deal with this is to reboot NT client machines + between interactive logons, using "Shutdown and Restart", rather + than "Close all programs and logon as a different user".</para> + + <para>Default: <command>restrict anonymous = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="root">root (G)</term> + <listitem><para>Synonym for <link linkend="rootdirectory"> + <parameter>root directory"</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="rootdir">root dir (G)</term> + <listitem><para>Synonym for <link linkend="rootdirectory"> + <parameter>root directory"</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="rootdirectory">root directory (G)</term> + <listitem><para>The server will <command>chroot()</command> (i.e. + Change it's root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the <link + linkend="widelinks"><parameter>wide links</parameter></link> + parameter).</para> + + <para>Adding a <parameter>root directory</parameter> entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the <parameter>root directory</parameter> + option, <emphasis>including</emphasis> some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the <parameter>root directory</parameter> tree. In particular + you will need to mirror <filename>/etc/passwd</filename> (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.</para> + + <para>Default: <command>root directory = /</command></para> + <para>Example: <command>root directory = /homes/smb</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="rootpostexec">root postexec (S)</term> + <listitem><para>This is the same as the <parameter>postexec</parameter> + parameter except that the command is run as root. This + is useful for unmounting filesystems + (such as cdroms) after a connection is closed.</para> + + <para>See also <link linkend="postexec"><parameter> + postexec</parameter></link>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term id="rootpreexec">root preexec (S)</term> + <listitem><para>This is the same as the <parameter>preexec</parameter> + parameter except that the command is run as root. This + is useful for mounting filesystems + (such as cdroms) after a connection is closed.</para> + + <para>See also <link linkend="preexec"><parameter> + preexec</parameter></link> and <link linkend="preexecclose"> + <parameter>preexec close</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="rootpreexecclose">root preexec close (S)</term> + <listitem><para>This is the same as the <parameter>preexec close + </parameter> parameter except that the command is run as root.</para> + + <para>See also <link linkend="preexec"><parameter> + preexec</parameter></link> and <link linkend="preexecclose"> + <parameter>preexec close</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="security">security (G)</term> + <listitem><para>This option affects how clients respond to + Samba and is one of the most important settings in the <filename> + smb.conf</filename> file.</para> + + <para>The option sets the "security mode bit" in replies to + protocol negotiations with <ulink url="smbd.8.html">smbd(8) + </ulink> to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server.</para> + + + <para>The default is <command>security = user</command>, as this is + the most common setting needed when talking to Windows 98 and + Windows NT.</para> + + <para>The alternatives are <command>security = share</command>, + <command>security = server</command> or <command>security=domain + </command>.</para> + + <para>In versions of Samba prior to 2..0, the default was + <command>security = share</command> mainly because that was + the only option at one stage.</para> + + <para>There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as.</para> + + <para>If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + <command>security = user</command>. If you mostly use usernames + that don't exist on the UNIX box then use <command>security = + share</command>.</para> + + <para>You should also use <command>security = share</command> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with <command>security = user</command>, see + the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link>parameter for details.</para> + + <para>It is possible to use <command>smbd</command> in a <emphasis> + hybrid mode</emphasis> where it is offers both user and share + level security under different <link linkend="netbiosaliases"> + <parameter>NetBIOS aliases</parameter></link>. </para> + + <para>The different settings will now be explained.</para> + + + <para><anchor id="securityequalshare"><emphasis>SECURITY = SHARE + </emphasis></para> + + <para>When clients connect to a share level security server then + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a <command>security = share + </command> server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share.</para> + + <para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis> + uses a valid UNIX user to act on behalf of the client, even in + <command>security = share</command> level security.</para> + + <para>As clients are not required to send a username to the server + in share level security, <command>smbd</command> uses several + techniques to determine the correct UNIX user to use on behalf + of the client.</para> + + <para>A list of possible UNIX usernames to match with the given + client password is constructed using the following methods :</para> + + <itemizedlist> + <listitem><para>If the <link linkend="guestonly"><parameter>guest + only</parameter></link> parameter is set, then all the other + stages are missed and only the <link linkend="guestaccount"> + <parameter>guest account</parameter></link> username is checked. + </para></listitem> + + <listitem><para>Is a username is sent with the share connection + request, then this username (after mapping - see <link + linkend="usernamemap"><parameter>username map</parameter></link>), + is added as a potential username.</para></listitem> + + <listitem><para>If the client did a previous <emphasis>logon + </emphasis> request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + </para></listitem> + + <listitem><para>The name of the service the client requested is + added as a potential username.</para></listitem> + + <listitem><para>The NetBIOS name of the client is added to + the list as a potential username.</para></listitem> + + <listitem><para>Any users on the <link linkend="user"><parameter> + user</parameter></link> list are added as potential usernames. + </para></listitem> + </itemizedlist> + + <para>If the <parameter>guest only</parameter> parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user.</para> + + <para>If the <parameter>guest only</parameter> parameter is + set, or no username can be determined then if the share is marked + as available to the <parameter>guest account</parameter>, then this + guest user will be used, otherwise access is denied.</para> + + <para>Note that it can be <emphasis>very</emphasis> confusing + in share-level security as to which UNIX username will eventually + be used in granting access.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para><anchor id="securityequaluser"><emphasis>SECURIYT = USER + </emphasis></para> + + <para>This is the default security setting in Samba 2.2. + With user-level security a client must first "log=on" with a + valid username and password (which can be mapped using the <link + linkend="usernamemap"><parameter>username map</parameter></link> + parameter). Encrypted passwords (see the <link linkend="encryptpasswords"> + <parameter>encrypted passwords</parameter></link> parameter) can also + be used in this security mode. Parameters such as <link linkend="user"> + <parameter>user</parameter></link> and <link linkend="guestonly"> + <parameter>guest only</parameter></link> if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link + linkend="guestaccount"><parameter>guest account</parameter></link>. + See the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para><anchor id="securityequalserver"><emphasis>SECURITY = SERVER + </emphasis></para> + + <para>In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to <command>security = user</command>, but note + that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid + <filename>smbpasswd</filename> file to check users against. See the + documentation file in the <filename>docs/</filename> directory + <filename>ENCRYPTION.txt</filename> for details on how to set this + up.</para> + + <para><emphasis>Note</emphasis> that from the clients point of + view <command>security = server</command> is the same as <command> + security = user</command>. It only affects how the server deals + with the authentication, it does not in any way affect what the + client sees.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link + linkend="guestaccount"><parameter>guest account</parameter></link>. + See the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para>See also the <link linkend="passwordserver"><parameter>password + server</parameter></link> parameter and the <link + linkend="encryptpasswords"><parameter>encrypted passwords</parameter> + </link> parameter.</para> + + <para><anchor id="securityequalsdomain"><emphasis>SECURITY = DOMAIN + </emphasis></para> + + <para>This mode will only work correctly if <ulink + url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this + machine into a Windows NT Domain. It expects the <link + linkend="encryptpasswords"><parameter>encrypted passwords</parameter> + </link> parameter to be set to <constant>true</constant>. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.</para> + + <para><emphasis>Note</emphasis> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.</para> + + <para><emphasis>Note</emphasis> that from the clients point + of view <command>security = domain</command> is the same as <command>security = user + </command>. It only affects how the server deals with the authentication, + it does not in any way affect what the client sees.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link + linkend="guestaccount"><parameter>guest account</parameter></link>. + See the <link linkend="maptoguest"><parameter>map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para><emphasis>BUG:</emphasis> There is currently a bug in the + implementation of <command>security = domain</command> with respect + to multi-byte character set usernames. The communication with a + Domain Controller must be done in UNICODE and Samba currently + does not widen multi-byte user names to UNICODE correctly, thus + a multi-byte username will not be recognized correctly at the + Domain Controller. This issue will be addressed in a future release.</para> + + <para>See also the section <link linkend="validationsect"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para>See also the <link linkend="passwordserver"><parameter>password + server</parameter></link> parameter and the <link + linkend="encryptpasswords"><parameter>encrypted passwords</parameter> + </link> parameter.</para> + + <para>Default: <command>security = USER</command></para> + <para>Example: <command>security = DOMAIN</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="securitymask">security mask (S)</term> + <listitem><para>This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box.</para> + + <para>This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.</para> + + <para>If not set explicitly this parameter is set to the same + value as the <link linkend="createmask"><parameter>create mask + </parameter></link> parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter to + 0777.</para> + + <para><emphasis>Note</emphasis> that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to set it to 0777.</para> + + <para>See also the <link linkend="forcedirectorysecuritymode"> + <parameter>force directory security mode</parameter></link>, + <link linkend="directorysecuritymask"><parameter>directory + security mask</parameter></link>, <link linkend="forcesecuritymode"> + <parameter>force security mode</parameter></link> parameters.</para> + + <para>Default: <command>security mask = <same as create mask> + </command></para> + <para>Example: <command>security mask = 0777</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="serverstring">server string (G)</term> + <listitem><para>This controls what string will show up in the + printer comment box in print manager and next to the IPC connection + in <command>net view"</command>. It can be any string that you wish + to show to your users.</para> + + <para>It also sets what will appear in browse lists next + to the machine name.</para> + + <para>A <parameter>%v</parameter> will be replaced with the Samba + version number.</para> + + <para>A <parameter>%h</parameter> will be replaced with the + hostname.</para> + + <para>Default: <command>server string = Samba %v</command></para> + + <para>Example: <command>server string = University of GNUs Samba + Server</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="setdirectory">set directory (S)</term> + <listitem><para>If <command>set directory = no</command>, then + users of the service may not use the setdir command to change + directory.</para> + + <para>The <command>setdir</command> command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details.</para> + + <para>Default: <command>set directory = no</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="sharemodes">share modes (S)</term> + <listitem><para>This enables or disables the honoring of + the <parameter>share modes</parameter> during a file open. These + modes are used by clients to gain exclusive read or write access + to a file.</para> + + <para>These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do).</para> + + <para>The share modes that are enabled by this option are + <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>, + <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>, + <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>. + </para> + + <para>This option gives full share compatibility and enabled + by default.</para> + + <para>You should <emphasis>NEVER</emphasis> turn this parameter + off as many Windows applications will break if you do so.</para> + + <para>Default: <command>share modes = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sharedmemsize">shared mem size (G)</term> + <listitem><para>It specifies the size of the shared memory (in + bytes) to use between <ulink url="smbd.8.html">smbd(8)</ulink> + processes. This parameter defaults to one megabyte of shared + memory. It is possible that if you have a large erver with many + files open simultaneously that you may need to increase this + parameter. Signs that this parameter is set too low are users + reporting strange problems trying to save files (locking errors) + and error messages in the smbd log looking like <emphasis>ERROR + smb_shm_alloc : alloc of XX bytes failed</emphasis>.</para> + + <para>If your OS refuses the size that Samba asks for then + Samba will try a smaller size, reducing by a factor of 0.8 until + the OS accepts it.</para> + + <para>Default: <command>shared mem size = 1048576</command></para> + <para>Example: <command>shared mem size = 5242880 ; Set to 5mb for a + large number of files.</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="shortpreservecase">short preserve case (S)</term> + <listitem><para>This boolean parameter controls if new files + which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced + to be the <link linkend="defaultcase"><parameter>default case + </parameter></link>. This option can be use with <link + linkend="preservecase"><command>preserve case = yes</command> + </link> to permit long filenames to retain their case, while short + names are lowered. </para> + + <para>See the section on <link linkend="namemanglingsect"> + NAME MANGLING</link>.</para> + + <para>Default: <command>short preserve case = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="smbpasswdfile">smb passwd file (G)</term> + <listitem><para>This option sets the path to the encrypted + smbpasswd file. By default the path to the smbpasswd file + is compiled into Samba.</para> + + <para>Default: <command>smb passwd file= <compiled + default></command></para> + + <para>Example: <command>smb passwd file = /usr/samba/private/smbpasswd + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="smbrun">smbrun (G)</term> + <listitem><para>This sets the full path to the <command>smbrun + </command> binary. This defaults to the value in the <filename> + Makefile</filename>.</para> + + <para>You must get this path right for many services + to work correctly.</para> + + <para>You should not need to change this parameter so + long as Samba is installed correctly.</para> + + <para>Default: <command>smbrun=<compiled default> + </command></para> + + <para>Example: <command>smbrun = /usr/local/samba/bin/smbrun + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="socketaddress">socket address (G)</term> + <listitem><para>This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration.</para> + + <para>By default samba will accept connections on any + address.</para> + + <para>Example: <command>socket address = 192.168.2.20</command> + </para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="socketoptions">socket options (G)</term> + <listitem><para>This option allows you to set socket options + to be used when talking with the client.</para> + + <para>Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned.</para> + + <para>This option will typically be used to tune your Samba + server for optimal performance for your local network. There is + no way that Samba can know what the optimal parameters are for + your net, so you must experiment and choose them yourself. We + strongly suggest you read the appropriate documentation for your + operating system first (perhaps <command>man setsockopt</command> + will help).</para> + + <para>You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to <ulink url="mailto:samba@samba.org"> + samba@samba.org</ulink>.</para> + + <para>Any of the supported socket options may be combined + in any way you like, as long as your OS allows it.</para> + + <para>This is the list of socket options currently settable + using this option:</para> + + <itemizedlist> + <listitem><para>SO_KEEPALIVE</para></listitem> + <listitem><para>SO_REUSEADDR</para></listitem> + <listitem><para>SO_BROADCAST</para></listitem> + <listitem><para>TCP_NODELAY</para></listitem> + <listitem><para>IPTOS_LOWDELAY</para></listitem> + <listitem><para>IPTOS_THROUGHPUT</para></listitem> + <listitem><para>SO_SNDBUF *</para></listitem> + <listitem><para>SO_RCVBUF *</para></listitem> + <listitem><para>SO_SNDLOWAT *</para></listitem> + <listitem><para>SO_RCVLOWAT *</para></listitem> + </itemizedlist> + + <para>Those marked with a <emphasis>'*'</emphasis> take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0.</para> + + <para>To specify an argument use the syntax SOME_OPTION=VALUE + for example <command>SO_SNDBUF=8192</command>. Note that you must + not have any spaces before or after the = sign.</para> + + <para>If you are on a local network then a sensible option + might be</para> + <para><command>socket options = IPTOS_LOWDELAY</command></para> + + <para>If you have a local network then you could try:</para> + <para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para> + + <para>If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. </para> + + <para>Note that several of the options may cause your Samba + server to fail completely. Use these options with caution!</para> + + <para>Default: <command>socket options = TCP_NODELAY</command></para> + <para>Example: <command>socket options = IPTOS_LOWDELAY</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="sourceenvironment">source environment (G)</term> + <listitem><para>This parameter causes Samba to set environment + variables as per the content of the file named.</para> + + <para>If the value of this parameter starts with a "|" character + then Samba will treat that value as a pipe command to open and + will set the environment variables from the output of the pipe.</para> + + <para>The contents of the file or the output of the pipe should + be formatted as the output of the standard Unix <command>env(1) + </command> command. This is of the form :</para> + <para>Example environment entry:</para> + <para><command>SAMBA_NETBIOS_NAME=myhostname</command></para> + + <para>Default: <emphasis>No default value</emphasis></para> + <para>Examples: <command>source environment = |/etc/smb.conf.sh + </command></para> + + <para>Example: <command>source environment = + /usr/local/smb_env_vars</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="ssl">ssl (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable enables or disables the entire SSL mode. If + it is set to <constant>no</constant>, the SSL enabled samba behaves + exactly like the non-SSL samba. If set to <constant>yes</constant>, + it depends on the variables <link linkend="sslhosts"><parameter> + ssl hosts</parameter></link> and <link linkend="sslhostsresign"> + <parameter>ssl hosts resign</parameter></link> whether an SSL + connection will be required.</para> + + <para>Default: <command>ssl=no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslCAcertDir">ssl CA certDir (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable defines where to look up the Certification + Authorities. The given directory should contain one file for + each CA that samba will trust. The file name must be the hash + value over the "Distinguished Name" of the CA. How this directory + is set up is explained later in this document. All files within the + directory that don't fit into this naming scheme are ignored. You + don't need this variable if you don't verify client certificates.</para> + + <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslCAcertFile">ssl CA certFile (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable is a second way to define the trusted CAs. + The certificates of the trusted CAs are collected in one big + file and this variable points to the file. You will probably + only use one of the two ways to define your CAs. The first choice is + preferable if you have many CAs or want to be flexible, the second + is preferable if you only have one CA and want to keep things + simple (you won't need to create the hashed file names). You + don't need this variable if you don't verify client certificates.</para> + + <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry><term id="sslciphers">ssl ciphers (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable defines the ciphers that should be offered + during SSL negotiation. You should not set this variable unless + you know what you are doing.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslclientcert">ssl client cert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>The certificate in this file is used by <ulink url="smbclient.1.html"> + <command>smbclient(1)</command></ulink> if it exists. It's needed + if the server requires a client certificate.</para> + + <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslclientkey">ssl client key (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This is the private key for <ulink url="smbclient.1.html"> + <command>smbclient(1)</command></ulink>. It's only needed if the + client should have a certificate. </para> + + <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslcompatibility">ssl compatibility (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This variable defines whether SSLeay should be configured + for bug compatibility with other SSL implementations. This is + probably not desirable because currently no clients with SSL + implementations other than SSLeay exist.</para> + + <para>Default: <command>ssl compatibility = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry><term id="sslhosts">ssl hosts (G)</term> + <listitem><para>See <link linkend="sslhostsresign"><parameter> + ssl hosts resign</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslhostsresign">ssl hosts resign (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>These two variables define whether samba will go + into SSL mode or not. If none of them is defined, samba will + allow only SSL connections. If the <link linkend="sslhosts"> + <parameter>ssl hosts</parameter></link> variable lists + hosts (by IP-address, IP-address range, net group or name), + only these hosts will be forced into SSL mode. If the <parameter> + ssl hosts resign</parameter> variable lists hosts, only these + hosts will NOT be forced into SSL mode. The syntax for these two + variables is the same as for the <link linkend="hostsallow"><parameter> + hosts allow</parameter></link> and <link linkend="hostsdeny"> + <parameter>hosts deny</parameter></link> pair of variables, only + that the subject of the decision is different: It's not the access + right but whether SSL is used or not. </para> + + <para>The example below requires SSL connections from all hosts + outside the local net (which is 192.168.*.*).</para> + + <para>Default: <command>ssl hosts = <empty string></command></para> + <para><command>ssl hosts resign = <empty string></command></para> + + <para>Example: <command>ssl hosts resign = 192.168.</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslrequireclientcert">ssl require clientcert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>If this variable is set to <constant>yes</constant>, the + server will not tolerate connections from clients that don't + have a valid certificate. The directory/file given in <link + linkend="sslcacertdir"><parameter>ssl CA certDir</parameter> + </link> and <link linkend="sslcacertfile"><parameter>ssl CA certFile + </parameter></link> will be used to look up the CAs that issued + the client's certificate. If the certificate can't be verified + positively, the connection will be terminated. If this variable + is set to <constant>no</constant>, clients don't need certificates. + Contrary to web applications you really <emphasis>should</emphasis> + require client certificates. In the web environment the client's + data is sensitive (credit card numbers) and the server must prove + to be trustworthy. In a file server environment the server's data + will be sensitive and the clients must prove to be trustworthy.</para> + + <para>Default: <command>ssl require clientcert = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="sslrequireservercert">ssl require servercert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>If this variable is set to <constant>yes</constant>, the + <ulink url="smbclient.1.html"><command>smbclient(1)</command> + </ulink> will request a certificate from the server. Same as + <link linkend="sslrequireclientcert"><parameter>ssl require + clientcert</parameter></link> for the server.</para> + + <para>Default: <command>ssl require servercert = no</command> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term id="sslservercert">ssl server cert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This is the file containing the server's certificate. + The server <emphasis>must</emphasis> have a certificate. The + file may also contain the server's private key. See later for + how certificates and private keys are created.</para> + + <para>Default: <command>ssl server cert = <empty string> + </command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslserverkey">ssl server key (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This file contains the private key of the server. If + this variable is not defined, the key is looked up in the + certificate file (it may be appended to the certificate). + The server <emphasis>must</emphasis> have a private key + and the certificate <emphasis>must</emphasis> + match this private key.</para> + + <para>Default: <command>ssl server key = <empty string> + </command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="sslversion">ssl version (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para><emphasis>Note</emphasis> that for export control reasons + this code is <emphasis>NOT</emphasis> enabled by default in any + current binary version of Samba.</para> + + <para>This enumeration variable defines the versions of the + SSL protocol that will be used. <constant>ssl2or3</constant> allows + dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results + in SSL v2, <constant>ssl3</constant> results in SSL v3 and + <constant>tls1</constant> results in TLS v1. TLS (Transport Layer + Security) is the new standard for SSL.</para> + + <para>Default: <command>ssl version = "ssl2or3"</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="statcache">stat cache (G)</term> + <listitem><para>This parameter determines if <ulink + url="smbd.8.html">smbd(8)</ulink> will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter.</para> + + <para>Default: <command>stat cache = yes</command></para> + </listitem> + </varlistentry> + + <varlistentry> + <term id="statcachesize">stat cache size (G)</term> + <listitem><para>This parameter determines the number of + entries in the <parameter>stat cache</parameter>. You should + never need to change this parameter.</para> + + <para>Default: <command>stat cache size = 50</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="status">status (G)</term> + <listitem><para>This enables or disables logging of connections + to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink> + can read.</para> + + <para>With this disabled <command>smbstatus</command> won't be able + to tell you what connections are active. You should never need to + change this parameter.</para> + + <para>Default: <command>status = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="strictlocking">strict locking (S)</term> + <listitem><para>This is a boolean that controls the handling of + file locking in the server. When this is set to <constant>yes</constant> + the server will check every read and write access for file locks, and + deny access if locks exist. This can be slow on some systems.</para> + + <para>When strict locking is <constant>no</constant> the server does file + lock checks only when the client explicitly asks for them.</para> + + <para>Well behaved clients always ask for lock checks when it + is important, so in the vast majority of cases <command>strict + locking = no</command> is preferable.</para> + + <para>Default: <command>strict locking = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="strictsync">strict sync (S)</term> + <listitem><para>Many Windows applications (including the Windows + 98 explorer shell) seem to confuse flushing buffer contents to + disk with doing a sync to disk. Under UNIX, a sync call forces + the process to be suspended until the kernel has ensured that + all outstanding data in kernel disk buffers has been safely stored + onto stable storage. This is very slow and should only be done + rarely. Setting this parameter to <constant>no</constant> (the + default) means that smbd ignores the Windows applications requests for + a sync call. There is only a possibility of losing data if the + operating system itself that Samba is running on crashes, so there is + little danger in this default setting. In addition, this fixes many + performance problems that people have reported with the new Windows98 + explorer shell file copies.</para> + + <para>See also the <link linkend="syncalways"><parameter>sync + always></parameter></link> parameter.</para> + + <para>Default: <command>strict sync = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="stripdot">strip dot (G)</term> + <listitem><para>This is a boolean that controls whether to + strip trailing dots off UNIX filenames. This helps with some + CDROMs that have filenames ending in a single dot.</para> + + <para>Default: <command>strip dot = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="syncalways">sync always (S)</term> + <listitem><para>This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is false then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is true then every write will be followed by a <command>fsync() + </command> call to ensure the data is written to disk. Note that + the <parameter>strict sync</parameter> parameter must be set to + <constant>yes</constant> in order for this parameter to have + any affect.</para> + + <para>See also the <link linkend="strictsync"><parameter>strict + sync</parameter></link> parameter.</para> + + <para>Default: <command>sync always = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="syslog">syslog (G)</term> + <listitem><para>This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog <constant>LOG_ERR</constant>, debug + level one maps onto <constant>LOG_WARNING</constant>, debug level + two maps onto <constant>LOG_NOTICE</constant>, debug level three + maps onto LOG_INFO. All higher levels are mapped to <constant> + LOG_DEBUG</constant>.</para> + + <para>This paramter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog.</para> + + <para>Default: <command>syslog = 1</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="syslogonly">syslog only (G)</term> + <listitem><para>If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files.</para> + + <para>Default: <command>syslog only = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="templatehomedir">template homedir (G)</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is + only available in Samba 3.0.</para> + + <para>When filling out the user information for a Windows NT + user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon + uses this parameter to fill in the home directory for that user. + If the string <parameter>%D</parameter> is present it is substituted + with the user's Windows NT domain name. If the string <parameter>%U + </parameter> is present it is substituted with the user's Windows + NT user name.</para> + + <para>Default: <command>template homedir = /home/%D/%U</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="templateshell">template shell (G)</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is + only available in Samba 3.0.</para> + + <para>When filling out the user information for a Windows NT + user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon + uses this parameter to fill in the login shell for that user.</para> + + <para>Default: <command>template shell = /bin/false</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="timeoffset">time offset (G)</term> + <listitem><para>This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling.</para> + + <para>Default: <command>time offset = 0</command></para> + <para>Example: <command>time offset = 60</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="timeserver">time server (G)</term> + <listitem><para>This parameter determines if <ulink url="nmbd.8.html"> + nmbd(8)</ulink> advertises itself as a time server to Windows + clients.</para> + + <para>Default: <command>time server = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="timestamplogs">timestamp logs (G)</term> + <listitem><para>Synonym for <link linkend="debugtimestamp"><parameter> + debug timestamp</parameter></link>.</para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="unixpasswordsync">unix password sync (G)</term> + <listitem><para>This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to true the program specified in the <parameter>passwd + program</parameter>parameter is called <emphasis>AS ROOT</emphasis> - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password has change code has no + access to the old password cleartext, only the new).</para> + + <para>See also <link linkend="passwdprogram"><parameter>passwd + program</parameter></link>, <link linkend="passwdchat"><parameter> + passwd chat</parameter></link>.</para> + + <para>Default: <command>unix password sync = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="unixrealname">unix realname (G)</term> + <listitem><para>This boolean parameter when set causes samba + to supply the real name field from the unix password file to + the client. This isuseful for setting up mail clients and WWW + browsers on systems used by more than one person.</para> + + <para>Default: <command>unix realname = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="updateencrypted">update encrypted (G)</term> + <listitem><para>This boolean parameter allows a user logging + on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as + they log on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing + all users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change over + to encrypted passwords to be made over a longer period. Once all users + have encrypted representations of their passwords in the smbpasswd + file this parameter should be set to <constant>no</constant>.</para> + + <para>In order for this parameter to work correctly the <link + linkend="encryptpasswords"><parameter>encrypt passwords</parameter> + </link> parameter must be set to <constant>no</constant> when + this parameter is set to <constant>yes</constant>.</para> + + <para>Note that even when this parameter is set a user + authenticating to <command>smbd</command> must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords.</para> + + <para>Default: <command>update encrypted = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="userhosts">use rhosts (G)</term> + <listitem><para>If this global parameter is a true, it specifies + that the UNIX users <filename>.rhosts</filename> file in their home directory + will be read to find the names of hosts and users who will be allowed + access without specifying a password.</para> + + <para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts + </parameter> can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the <parameter> + use rhosts</parameter> option be only used if you really know what + you are doing.</para> + + <para>Default: <command>use rhosts = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="user">user (S)</term> + <listitem><para>Synonym for <link linkend="username"><parameter> + username</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="users">users (S)</term> + <listitem><para>Synonym for <link linkend="username"><parameter> + username</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="username">username (S)</term> + <listitem><para>Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).</para> + + <para>The <parameter>username</parameter> line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.</para> + + <para>The <parameter>username</parameter> line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + <parameter>username</parameter> line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.</para> + + <para>Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.</para> + + <para>To restrict a service to a particular set of users you + can use the <link linkend="validusers"><parameter>valid users + </parameter></link> parameter.</para> + + <para>If any of the usernames begin with a '@' then the name + will be looked up first in the yp netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.</para> + + <para>If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.</para> + + <para>If any of the usernames begin with a '&'then the name + will be looked up only in the yp netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.</para> + + <para>Note that searching though a groups database can take + quite some time, snd some clients may time out during the + search.</para> + + <para>See the section <link linkend="validationsect">NOTE ABOUT + USERNAME/PASSWORD VALIDATION</link> for more information on how + this parameter determines access to the services.</para> + + <para>Default: <command>The guest account if a guest service, + else the name of the service.</command></para> + + <para>Examples:<command>username = fred, mary, jack, jane, + @users, @pcgroup</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="usernamelevel">username level (G)</term> + <listitem><para>This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.</para> + + <para>If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try whilst trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as <constant>AstrangeUser + </constant>.</para> + + <para>Default: <command>username level = 0</command></para> + <para>Example: <command>username level = 5</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="usernamemap">username map (G)</term> + <listitem><para>This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files.</para> + + <para>The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long.</para> + + <para>The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line.</para> + + <para>If any line begins with a '#' or a ';' then it is + ignored</para> + + <para>If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file.</para> + + <para>For example to map from the name <constant>admin</constant> + or <constant>administrator</constant> to the UNIX name <constant> + root</constant> you would use:</para> + + <para><command>root = admin administrator</command></para> + + <para>Or to map anyone in the UNIX group <constant>system</constant> + to the UNIX name <constant>sys</constant> you would use:</para> + + <para><command>sys = @system</command></para> + + <para>You can have as many mappings as you like in a username + map file.</para> + + + <para>If your system supports the NIS NETGROUP option then + the netgroup database is checked before the <filename>/etc/group + </filename> database for matching groups.</para> + + <para>You can map Windows usernames that have spaces in them + by using double quotes around the name. For example:</para> + + <para><command>tridge = "Andrew Tridgell"</command></para> + + <para>would map the windows username "Andrew Tridgell" to the + unix username "tridge".</para> + + <para>The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line.</para> + + <para><programlisting> + !sys = mary fred + guest = * + </programlisting></para> + + <para>Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and <constant> + fred</constant> is remapped to <constant>mary</constant> then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for <constant>mary</constant> not + <constant>fred</constant>. The only exception to this is the + username passed to the <link linkend="passwordserver"><parameter> + password server</parameter></link> (if you have one). The password + server will receive whatever username the client supplies without + modification.</para> + + <para>Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job.</para> + + <para>Default: <emphasis>no username map</emphasis></para> + <para>Example: <command>username map = /usr/local/samba/lib/users.map + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="utmp">utmp (S)</term> + <listitem><para>This boolean parameter is only available if + Samba has been configured and compiled with the option <command> + --with-utmp</command>. If set to True then Samba will attempt + to add utmp or utmpx records (depending on the UNIX system) whenever a + connection is made to a Samba server. Sites may use this to record the + user connecting to a Samba share.</para> + + <para>See also the <link linkend="utmpdirectory"><parameter> + utmp directory</parameter></link> parameter.</para> + + <para>Default: <command>utmp = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="utmpdirectory">utmp directory(G)</term> + <listitem><para>This parameter is only available if Samba has + been configured and compiled with the option <command> + --with-utmp</command>. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. See also the <link linkend="utmp"> + <parameter>utmp</parameter></link> parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + <filename>/var/run/utmp</filename> on Linux).</para> + + <para>Default: <emphasis>no utmp directory</emphasis></para> + </listitem> + </varlistentry> + + + + <varlistentry><term id="winbindcachetime">winbind cache time</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is only + available in Samba 3.0.</para> + + <para>This parameter specifies the number of seconds the + <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache + user and group information before querying a Windows NT server + again.</para> + + <para>Default: <command>winbind cache type = 15</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry><term id="winbindgid">winbind gid</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is only + available in Samba 3.0.</para> + + <para>The winbind gid parameter specifies the range of group + ids that are allocated by the <ulink url="winbindd.8.html"> + winbindd(8)</ulink> daemon. This range of group ids should have no + existing local or nis groups within it as strange conflicts can + occur otherwise.</para> + + <para>Default: <command>winbind gid = <empty string> + </command></para> + + <para>Example: <command>winbind gid = 10000-20000</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winbinduid">winbind uid</term> + <listitem><para><emphasis>NOTE:</emphasis> this parameter is only + available in Samba 3.0.</para> + + <para>The winbind gid parameter specifies the range of group + ids that are allocated by the <ulink url="winbindd.8.html"> + winbindd(8)</ulink> daemon. This range of ids should have no + existing local or nis users within it as strange conflicts can + occur otherwise.</para> + + <para>Default: <command>winbind uid = <empty string> + </command></para> + + <para>Example: <command>winbind uid = 10000-20000</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="validchars">valid chars (G)</term> + <listitem><para>The option allows you to specify additional + characters that should be considered valid by the server in + filenames. This is particularly useful for national character + sets, such as adding u-umlaut or a-ring.</para> + + <para>The option takes a list of characters in either integer + or character form with spaces between them. If you give two + characters with a colon between them then it will be taken as + an lowercase:uppercase pair.</para> + + <para>If you have an editor capable of entering the characters + into the config file then it is probably easiest to use this + method. Otherwise you can specify the characters in octal, + decimal or hexadecimal form using the usual C notation.</para> + + <para>For example to add the single character 'Z' to the charset + (which is a pointless thing to do as it's already there) you could + do one of the following</para> + + <para><programlisting> + valid chars = Z + valid chars = z:Z + valid chars = 0132:0172 + </programlisting></para> + + <para>The last two examples above actually add two characters, + and alter the uppercase and lowercase mappings appropriately.</para> + + <para>Note that you <emphasis>MUST</emphasis> specify this parameter + after the <parameter>client code page</parameter> parameter if you + have both set. If <parameter>client code page</parameter> is set after + the <parameter>valid chars</parameter> parameter the <parameter>valid + chars</parameter> settings will be overwritten.</para> + + <para>See also the <link linkend="clientcodepage"><parameter>client + code page</parameter></link> parameter.</para> + + <para>Default: <emphasis>Samba defaults to using a reasonable set + of valid characters for English systems</emphasis></para> + + <para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304 + </command></para> + + <para>The above example allows filenames to have the Swedish + characters in them.</para> + + <para><emphasis>NOTE:</emphasis> It is actually quite difficult to + correctly produce a <parameter>valid chars</parameter> line for + a particular system. To automate the process <ulink + url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written + a package called <command>validchars</command> which will automatically + produce a complete <parameter>valid chars</parameter> line for + a given client system. Look in the <filename>examples/validchars/ + </filename> subdirectory of your Samba source code distribution + for this package.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="validusers">valid users (S)</term> + <listitem><para>This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + <parameter>invalid users</parameter> parameter.</para> + + <para>If this is empty (the default) then any user can login. + If a username is in both this list and the <parameter>invalid + users</parameter> list then access is denied for that user.</para> + + <para>The current servicename is substituted for <parameter>%S + </parameter>. This is useful in the [homes] section.</para> + + <para>See also <link linkend="invalidusers"><parameter>invalid users + </parameter></link></para> + + <para>Default: <emphasis>No valid users list (anyone can login) + </emphasis></para> + + <para>Example: <command>valid users = greg, @pcusers</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="vetofiles">veto files(S)</term> + <listitem><para>This is a list of files and directories that + are neither visible nor accessible. Each entry in the list must + be separated by a '/', which allows spaces to be included + in the entry. '*' and '?' can be used to specify multiple files + or directories as in DOS wildcards.</para> + + <para>Each entry must be a unix path, not a DOS path and + must <emphasis>not</emphasis> include the unix directory + separator '/'.</para> + + <para>Note that the <parameter>case sensitive</parameter> option + is applicable in vetoing files.</para> + + <para>One feature of the veto files parameter that it is important + to be aware of, is that if a directory contains nothing but files + that match the veto files parameter (which means that Windows/DOS + clients cannot ever see them) is deleted, the veto files within + that directory <emphasis>are automatically deleted</emphasis> along + with it, if the user has UNIX permissions to do so.</para> + + <para>Setting this parameter will affect the performance + of Samba, as it will be forced to check all files and directories + for a match as they are scanned.</para> + + <para>See also <link linkend="hidefiles"><parameter>hide files + </parameter></link> and <link linkend="casesensitive"><parameter> + case sensitive</parameter></link>.</para> + + <para>Default: <emphasis>No files or directories are vetoed. + </emphasis></para> + + <para>Examples:<programlisting> + ; Veto any files containing the word Security, + ; any ending in .tmp, and any directory containing the + ; word root. + veto files = /*Security*/*.tmp/*root*/ + + ; Veto the Apple specific files that a NetAtalk server + ; creates. + veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + </programlisting></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term id="vetooplockfiles">veto oplock files (S)</term> + <listitem><para>This parameter is only valid when the <link + linkend="oplocks"><parameter>oplocks</parameter></link> + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + <link linkend="vetofiles"><parameter>veto files</parameter></link> + parameter.</para> + + <para>Default: <emphasis>No files are vetoed for oplock + grants</emphasis></para> + + <para>You might want to do this on files that you know will + be heavily contended for by clients. A good example of this + is in the NetBench SMB benchmark program, which causes heavy + client contention for files ending in <filename>.SEM</filename>. + To cause Samba not to grant oplocks on these files you would use + the line (either in the [global] section or in the section for + the particular NetBench share :</para> + + <para>Example: <command>veto oplock files = /*;.SEM/ + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="volume">volume (S)</term> + <listitem><para> This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label.</para> + + <para>Default: <emphasis>the name of the share</emphasis></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="widelinks">wide links (S)</term> + <listitem><para>This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported.</para> + + <para>Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks.</para> + + <para>Default: <command>wide links = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winsproxy">wins proxy (G)</term> + <listitem><para>This is a boolean that controls if <ulink + url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to <constant>yes</constant> for some older clients.</para> + + <para>Default: <command>wins proxy = no</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="winsserver">wins server (G)</term> + <listitem><para>This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that <ulink url="nmbd.8.html"> + nmbd(8)</ulink> should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP.</para> + + <para>You should point this at your WINS server if you have a + multi-subnetted network.</para> + + <para><emphasis>NOTE</emphasis>. You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly.</para> + + <para>See the documentation file <filename>BROWSING.txt</filename> + in the docs/ directory of your Samba source distribution.</para> + + <para>Default: <emphasis>not enabled</emphasis></para> + <para>Example: <command>wins server = 192.9.200.1</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winshook">wins hook (G)</term> + <listitem><para>When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS.</para> + + <para>The wins hook parameter specifies the name of a script + or executable that will be called as follows:</para> + + <para><command>wins_hook operation name nametype ttl IP_list + </command></para> + + <itemizedlist> + <listitem><para>The first argument is the operation and is one + of "add", "delete", or "refresh". In most cases the operation can + be ignored as the rest of the parameters provide sufficient + information. Note that "refresh" may sometimes be called when the + name has not previously been added, in that case it should be treated + as an add.</para></listitem> + + <listitem><para>The second argument is the netbios name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods.</para></listitem> + + <listitem><para>The third argument is the netbios name + type as a 2 digit hexadecimal number. </para></listitem> + + <listitem><para>The fourth argument is the TTL (time to live) + for the name in seconds.</para></listitem> + + <listitem><para>The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted.</para></listitem> + </itemizedlist> + + <para>An example script that calls the BIND dynamic DNS update + program <command>nsupdate</command> is provided in the examples + directory of the Samba source code. </para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="winssupport">wins support (G)</term> + <listitem><para>This boolean controls if the <ulink url="nmbd.8.html"> + nmbd(8)</ulink> process in Samba will act as a WINS server. You should + not set this to true unless you have a multi-subnetted network and + you wish a particular <command>nmbd</command> to be your WINS server. + Note that you should <emphasis>NEVER</emphasis> set this to true + on more than one machine in your network.</para> + + <para>Default: <command>wins support = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry><term id="workgroup">workgroup (G)</term> + <listitem><para>This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with the <link + linkend="workgroup"><command>security=domain</command></link> + setting.</para> + + <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para> + <para>Example: <command>workgroup = MYGROUP</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term id="writable">writable (S)</term> + <listitem><para>Synonym for <link linkend="writeable"><parameter> + writeable</parameter></link> for people who can't spell :-).</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writelist">write list (S)</term> + <listitem><para>This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the <link + linkend="writeable"><parameter>writeable</parameter></link> + option is set to. The list can include group names using the + @group syntax.</para> + + <para>Note that if a user is in both the read list and the + write list then they will be given write access.</para> + + <para>See also the <link linkend="readlist"><parameter>read list + </parameter></link> option.</para> + + <para>Default: <command>write list = <empty string> + </command></para> + + <para>Example: <command>write list = admin, root, @staff + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writecachesize">write cache size (S)</term> + <listitem><para>This integer parameter (new with Samba 2.0.7) + if set to non-zero causes Samba to create an in-memory cache for + each oplocked file (it does <emphasis>not</emphasis> do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it.</para> + + <para>This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (ie. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs.</para> + + <para>The integer parameter specifies the size of this cache + (per oplocked file) in bytes.</para> + + <para>Default: <command>write cache size = 0</command></para> + <para>Example: <command>write cache size = 262144</command></para> + + <para>for a 256k cache size per file.</para> + </listitem> + </varlistentry> + + + + + + + <varlistentry> + <term id="writeok">write ok (S)</term> + <listitem><para>Synonym for <link linkend="writeable"><parameter> + writeable</parameter></link>.</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writeraw">write raw (G)</term> + <listitem><para>This parameter controls whether or not the server + will support raw writes SMB's when transferring data from clients. + You should never need to change this parameter.</para> + + <para>Default: <command>write raw = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term id="writeable">writeable (S)</term> + <listitem><para>An inverted synonym is <link linkend="readonly"> + <parameter>read only</parameter></link>.</para> + + <para>If this parameter is <constant>no</constant>, then users + of a service may not create or modify files in the service's + directory.</para> + + <para>Note that a printable service (<command>printable = yes</command>) + will <emphasis>ALWAYS</emphasis> allow writing to the directory + (user privileges permitting), but only via spooling operations.</para> + + <para>Default: <command>writeable = no</command></para> + </listitem> + </varlistentry> + + </variablelist> </refsect1> |