-rw-r--r--docs/yodldocs/smb.conf.5.yo862
1 files changed, 627 insertions, 235 deletions
diff --git a/docs/yodldocs/smb.conf.5.yo b/docs/yodldocs/smb.conf.5.yo
index 85690560a5..e884022cee 100644
--- a/docs/yodldocs/smb.conf.5.yo
+++ b/docs/yodldocs/smb.conf.5.yo
@@ -826,6 +826,8 @@ it() link(bf(map hidden))(maphidden)
it() link(bf(map system))(mapsystem)
+it() link(bf(map to guest))(maptoguest)
+
it() link(bf(max connections))(maxconnections)
it() link(bf(min print space))(minprintspace)
@@ -935,10 +937,10 @@ will be able to do anything they like on the share, irrespective of
file permissions.
bf(Default:) nl()
- no admin users
+tt( no admin users)
bf(Example:) nl()
- admin users = jason
+tt( admin users = jason)
label(allow hosts)
dit(bf(allow hosts (S)))
@@ -996,10 +998,10 @@ See url(bf(testparm (1)))(testparm.1.html) for a way of testing your
host access to see if it does what you expect.
bf(Default:)
- none (i.e., all hosts permitted access)
+tt( none (i.e., all hosts permitted access))
bf(Example:)
- allow hosts = 150.203.5. localhost myhost.mynet.edu.au
+tt( allow hosts = 150.203.5. localhost myhost.mynet.edu.au)
label(alternatepermissions)
dit(bf(alternate permissions (S)))
@@ -1022,10 +1024,10 @@ need to stop Samba appearing as an NT server as this may prevent Samba
servers from participating as browser servers correctly.
bf(Default:)
- announce as = NT
+tt( announce as = NT)
bf(Example)
- announce as = Win95
+tt( announce as = Win95)
label(announceversion)
dit(bf(announce version (G)))
@@ -1036,10 +1038,10 @@ this parameter unless you have a specific need to set a Samba server
to be a downlevel server.
bf(Default:)
- announce version = 4.2
+tt( announce version = 4.2)
bf(Example:)
- announce version = 2.0
+tt( announce version = 2.0)
label(autoservices)
@@ -1053,10 +1055,10 @@ Note that if you just want all printers in your printcap file loaded
then the link(bf("load printers"))(loadprinters) option is easier.
bf(Default:)
- no auto services
+tt( no auto services)
bf(Example:)
- auto services = fred lp colorlp
+tt( auto services = fred lp colorlp)
label(available)
dit(bf(available (S)))
@@ -1066,10 +1068,10 @@ then em(ALL) attempts to connect to the service will fail. Such failures
are logged.
bf(Default:)
- available = yes
+tt( available = yes)
bf(Example:)
- available = no
+tt( available = no)
label(bindinterfacesonly)
dit(bf(bind interfaces only (G)))
@@ -1116,10 +1118,10 @@ bf("remote machine") set to the IP name of the primary interface
of the local host.
bf(Default:)
- bind interfaces only = False
+tt( bind interfaces only = False)
bf(Example:)
- bind interfaces only = True
+tt( bind interfaces only = True)
label(blockinglocks)
dit(bf(blocking locks (S)))
@@ -1140,10 +1142,10 @@ request immediately if the lock range cannot be obtained.
This parameter can be set per share.
bf(Default:)
- blocking locks = True
+tt( blocking locks = True)
bf(Example:)
- blocking locks = False
+tt( blocking locks = False)
label(browsable)
dit(bf(broweable (S)))
@@ -1152,10 +1154,10 @@ This controls whether this share is seen in the list of available
shares in a net view and in the browse list.
bf(Default:)
- browsable = Yes
+tt( browsable = Yes)
bf(Example:)
- browsable = No
+tt( browsable = No)
label(browselist)
dit(bf(browse list(G)))
@@ -1165,7 +1167,7 @@ list to a client doing a NetServerEnum call. Normally set to true. You
should never need to change this.
bf(Default:)
- browse list = Yes
+tt( browse list = Yes)
label(browseable)
dit(bf(browseable))
@@ -1196,10 +1198,10 @@ requested directory once every bf(change notify timeout) seconds.
bf(change notify timeout) is specified in units of seconds.
bf(Default:)
- change notify timeout = 60
+tt( change notify timeout = 60)
bf(Example:)
- change notify timeout = 300
+tt( change notify timeout = 300)
Would change the scan time to every 5 minutes.
@@ -1245,10 +1247,10 @@ See also link(bf(client code page))(clientcodepage). Normally this
parameter is not set, meaning no filename translation is done.
bf(Default:)
- character set =
+tt( character set = <empty string>)
bf(Example:)
- character set = ISO8859-1
+tt( character set = ISO8859-1)
label(clientcodepage)
dit(bf(client code page (G)))
@@ -1314,10 +1316,10 @@ If not set, bf("client code page") defaults to 850.
See also : link(bf("valid chars"))(validchars)
bf(Default:)
- client code page = 850
+tt( client code page = 850)
bf(Example:)
- client code page = 936
+tt( client code page = 936)
label(codingsystem)
dit(bf(codingsystem (G)))
@@ -1367,10 +1369,10 @@ If you want to set the string that is displayed next to the machine
name then see the server string command.
bf(Default:)
- No comment string
+tt( No comment string)
bf(Example:)
- comment = Fred's Files
+tt( comment = Fred's Files)
label(configfile)
dit(bf(config file (G)))
@@ -1404,10 +1406,10 @@ services easily. Note that the service being copied must occur earlier
in the configuration file than the service doing the copying.
bf(Default:)
- none
+tt( none)
bf(Example:)
- copy = otherservice
+tt( copy = otherservice)
label(createmode)
dit(bf(create mask (S)))
@@ -1437,10 +1439,10 @@ the link(bf("directory mode"))(directorymode) parameter for masking
mode bits on created directories.
bf(Default:)
- create mask = 0744
+tt( create mask = 0744)
bf(Example:)
- create mask = 0775
+tt( create mask = 0775)
label(createmode)
dit(bf(create mode (S)))
@@ -1468,10 +1470,10 @@ A deadtime of zero indicates that no auto-disconnection should be
performed.
bf(Default:)
- deadtime = 0
+tt( deadtime = 0)
bf(Example:)
- deadtime = 15
+tt( deadtime = 15)
label(debug timestamp (G))
@@ -1481,10 +1483,10 @@ can be distracting. This boolean parameter allows them to be turned
off.
bf(Default:)
- debug timestamp = Yes
+tt( debug timestamp = Yes)
bf(Example:)
- debug timestamp = No
+tt( debug timestamp = No)
label(debuglevel)
dit(bf(debug level (G)))
@@ -1497,7 +1499,7 @@ The default will be the debug level specified on the command line
or level zero if none was specified.
bf(Example:)
- debug level = 3
+tt( debug level = 3)
label(default)
dit(bf(default (G)))
@@ -1553,10 +1555,10 @@ UNIX file ownership prevents changing file permissions, and DOS
semantics prevent deletion of a read only file.
bf(Default:)
- delete readonly = No
+tt( delete readonly = No)
bf(Example:)
- delete readonly = Yes
+tt( delete readonly = Yes)
label(deletevetofiles)
dit(bf(delete veto files (S)))
@@ -1581,10 +1583,10 @@ as the user has permissions to do so).
See also the link(bf(veto files))(vetofiles) parameter.
bf(Default:)
- delete veto files = False
+tt( delete veto files = False)
bf(Example:)
- delete veto files = True
+tt( delete veto files = True)
label(denyhosts)
dit(bf(deny hosts (S)))
@@ -1595,10 +1597,10 @@ services have their own lists to override this one. Where the lists
conflict, the link(bf('allow'))(allowhosts) list takes precedence.
bf(Default:)
- none (i.e., no hosts specifically excluded)
+tt( none (i.e., no hosts specifically excluded))
bf(Example:)
- deny hosts = 150.203.4. badhost.mynet.edu.au
+tt( deny hosts = 150.203.4. badhost.mynet.edu.au)
label(dfreecommand)
dit(bf(dfree command (G)))
@@ -1626,11 +1628,11 @@ Note: Your script should em(NOT) be setuid or setgid and should be
owned by (and writable only by) root!
bf(Default:)
- By default internal routines for determining the disk capacity
-and remaining space will be used.
+tt( By default internal routines for determining the disk capacity
+and remaining space will be used.)
bf(Example:)
- dfree command = /usr/local/samba/bin/dfree
+tt( dfree command = /usr/local/samba/bin/dfree)
Where the script dfree (which must be made executable) could be:
@@ -1683,10 +1685,10 @@ See also the link(bf("create mode"))(createmode) parameter for masking
mode bits on created files.
bf(Default:)
- directory mask = 0755
+tt( directory mask = 0755)
bf(Example:)
- directory mask = 0775
+tt( directory mask = 0775)
label(directorymode)
dit(bf(directory mode (S)))
@@ -1712,7 +1714,7 @@ DNS name lookup requests, as doing a name lookup is a blocking action.
See also the parameter link(bf(wins support))(winssupport).
bf(Default:)
- dns proxy = yes
+tt( dns proxy = yes)
label(domainadmingroup)
bf(domain admin group (G))
@@ -1786,7 +1788,7 @@ will be able to provide this functionality for Windows NT clients
also.
bf(Default:)
- domain logons = no
+tt( domain logons = no)
label(domainmaster)
dit(bf(domain master (G)))
@@ -1814,7 +1816,7 @@ PDC is able to do so then cross subnet browsing will behave strangely
and may fail.
bf(Default:)
- domain master = no
+tt( domain master = no)
label(dont descend)
dit(bf(dont descend (S)))
@@ -1830,10 +1832,10 @@ descend" entries. For example you may need tt("./proc") instead of
just tt("/proc"). Experimentation is the best policy :-)
bf(Default:)
- none (i.e., all directories are OK to descend)
+tt( none (i.e., all directories are OK to descend))
bf(Example:)
- dont descend = /proc,/dev
+tt( dont descend = /proc,/dev)
label(dosfiletimeresolution)
dit(bf(dos filetime resolution (S)))
@@ -1856,10 +1858,10 @@ this option causes the two timestamps to match, and Visual C++ is
happy.
bf(Default:)
- dos filetime resolution = False
+tt( dos filetime resolution = False)
bf(Example:)
- dos filetime resolution = True
+tt( dos filetime resolution = True)
label(dos filetimes)
dit(bf(dos filetimes (S)))
@@ -1873,10 +1875,10 @@ to True allows DOS semantics and smbd will change the file timstamp as
DOS requires.
bf(Default:)
- dos filetimes = False
+tt( dos filetimes = False)
bf(Example:)
- dos filetimes = True
+tt( dos filetimes = True)
label(encryptpasswords)
dit(bf(encrypt passwords (G)))
@@ -1902,7 +1904,6 @@ dit(bf(exec (S)))
This is a synonym for link(bf(preexec))(preexec).
-
label(fake directory create times)
dit(bf(fake directory create times (S)))
@@ -1931,10 +1932,10 @@ always predate their contents and an NMAKE build will proceed as
expected.
bf(Default:)
- fake directory create times = False
+tt( fake directory create times = False)
bf(Example:)
- fake directory create times = True
+tt( fake directory create times = True)
label(fakeoplocks)
dit(bf(fake oplocks (S)))
@@ -1990,10 +1991,10 @@ See also the parameter link(bf("create mask"))(createmask) for details
on masking mode bits on created files.
bf(Default:)
- force create mode = 000
+tt( force create mode = 000)
bf(Example:)
- force create mode = 0755
+tt( force create mode = 0755)
would force all created files to have read and execute permissions set
for 'group' and 'other' as well as the read/write/execute bits set for
@@ -2014,10 +2015,10 @@ See also the parameter link(bf("directory mask"))(directorymask) for
details on masking mode bits on created directories.
bf(Default:)
- force directory mode = 000
+tt( force directory mode = 000)
bf(Example:)
- force directory mode = 0755
+tt( force directory mode = 0755)
would force all created directories to have read and execute
permissions set for 'group' and 'other' as well as the
@@ -2035,10 +2036,10 @@ service the Samba administrator can restrict or allow sharing of these
files.
bf(Default:)
- no forced group
+tt( no forced group)
bf(Example:)
- force group = agroup
+tt( force group = agroup)
label(forceuser)
dit(bf(force user (S)))
@@ -2056,10 +2057,10 @@ tt("forced user"), no matter what username the client connected as.
This can be very useful.
bf(Default:)
- no forced user
+tt( no forced user)
bf(Example:)
- force user = auser
+tt( force user = auser)
label(fstype)
dit(bf(fstype (S)))
@@ -2072,10 +2073,10 @@ Windows NT but this can be changed to other strings such as "Samba" or
"FAT" if required.
bf(Default:)
- fstype = NTFS
+tt( fstype = NTFS)
bf(Example:)
- fstype = Samba
+tt( fstype = Samba)
label(getwdcache)
dit(bf(getwd cache (G)))
@@ -2086,10 +2087,10 @@ a significant impact on performance, especially when the
link(bf(widelinks))(widelinks) parameter is set to False.
bf(Default:)
- getwd cache = No
+tt( getwd cache = No)
bf(Example:)
- getwd cache = Yes
+tt( getwd cache = Yes
label(group)
dit(bf(group (S)))
@@ -2114,10 +2115,10 @@ command) and trying to print using the system print command such as
bf(lpr (1)) or bf(lp (1)).
bf(Default:)
- specified at compile time, usually "nobody"
+tt( specified at compile time, usually "nobody")
bf(Example:)
- guest account = ftp
+tt( guest account = ftp)
label(guestok)
dit(bf(guest ok (S)))
@@ -2130,10 +2131,10 @@ See the section below on link(bf(security))(security) for more
information about this option.
bf(Default:)
- guest ok = no
+tt( guest ok = no)
bf(Example:)
- guest ok = yes
+tt( guest ok = yes)
label(guestonly)
dit(bf(guest only (S)))
@@ -2147,10 +2148,10 @@ See the section below on link(bf(security))(security) for more
information about this option.
bf(Default:)
- guest only = no
+tt( guest only = no)
bf(Example:)
- guest only = yes
+tt( guest only = yes)
label(hidedotfiles)
dit(bf(hide dot files (S)))
@@ -2159,10 +2160,10 @@ This is a boolean parameter that controls whether files starting with
a dot appear as hidden files.
bf(Default:)
- hide dot files = yes
+tt( hide dot files = yes)
bf(Example:)
- hide dot files = no
+tt( hide dot files = no)
label(hidefiles)
@@ -2189,8 +2190,10 @@ See also link(bf("hide dot files"))(hidedotfiles), link(bf("veto
files"))(vetofiles) and link(bf("case sensitive"))(casesensitive).
bf(Default)
+verb(
No files or directories are hidden by this option (dot files are
hidden by default because of the "hide dot files" option).
+)
bf(Example)
tt( hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/)
@@ -2221,10 +2224,10 @@ See also link(bf("nis homedir"))(nishomedir), link(bf(domain
logons))(domainlogons).
bf(Default:)
- homedir map = auto.home
+tt( homedir map = auto.home)
bf(Example:)
- homedir map = amd.homedir
+tt( homedir map = amd.homedir)
label(hostsallow)
dit(bf(hosts allow (S)))
@@ -2256,10 +2259,10 @@ doing, or perhaps on a home network where you trust your spouse and
kids. And only if you em(really) trust them :-).
bf(Default)
- No host equivalences
+tt( No host equivalences)
bf(Example)
- hosts equiv = /etc/hosts.equiv
+tt( hosts equiv = /etc/hosts.equiv)
label(include)
dit(bf(include (G)))
@@ -2326,7 +2329,7 @@ section.
See also link(bf("valid users"))(validusers).
bf(Default:)
- No invalid users
+tt( No invalid users)
bf(Example:)
tt( invalid users = root fred admin @wheel)
@@ -2345,10 +2348,10 @@ options"))(socketoptions)). Basically you should only use this option
if you strike difficulties.
bf(Default:)
- keep alive = 0
+tt( keep alive = 0)
bf(Example:)
- keep alive = 60
+tt( keep alive = 60)
label(kerneloplocks)
dit(bf(kernel oplocks (G)))
@@ -2381,7 +2384,7 @@ link(bf(%u))(percentU) which will be replaced with the user being
searched for.
bf(Default:)
- empty string.
+tt( empty string.)
label(ldapport)
dit(bf(ldap port (G)))
@@ -2395,7 +2398,7 @@ This parameter specifies the TCP port number to use to contact
the LDAP server on.
bf(Default:)
- ldap port = 389.
+tt( ldap port = 389.)
label(ldaproot)
dit(bf(ldap root (G)))
@@ -2412,7 +2415,7 @@ queries and modifications on the LDAP database.
See also link(bf(ldap root passwd))(ldaprootpasswd).
bf(Default:)
- empty string (no user defined)
+tt( empty string (no user defined))
label(ldaprootpasswd)
dit(bf(ldap root passwd (G)))
@@ -2433,7 +2436,7 @@ storage place is found.
See also link(bf(ldap root))(ldaproot).
bf(Default:)
- empty string.
+tt( empty string.)
label(ldapserver)
dit(bf(ldap server (G)))
@@ -2447,7 +2450,7 @@ This parameter specifies the DNS name of the LDAP server to use
for SMB/CIFS authentication purposes.
bf(Default:)
- ldap server = localhost
+tt( ldap server = localhost)
label(ldapsuffix)
dit(bf(ldap suffix (G)))
@@ -2462,7 +2465,7 @@ that tells url(bf(smbd))(smbd.8.html) to start from when searching
for an entry in the LDAP password database.
bf(Default:)
- empty string.
+tt( empty string.)
label(lmannounce)
dit(bf(lm announce (G)))
@@ -2482,10 +2485,10 @@ frequency set by the parameter link(bf("lm interval"))(lminterval).
See also link(bf("lm interval"))(lminterval).
bf(Default:)
- lm announce = auto
+tt( lm announce = auto)
bf(Example:)
- lm announce = true
+tt( lm announce = true)
label(lminterval)
dit(bf(lm interval (G)))
@@ -2500,10 +2503,10 @@ announce"))(lmannounce) parameter.
See also link(bf("lm announce"))(lmannounce).
bf(Default:)
- lm interval = 60
+tt( lm interval = 60)
bf(Example:)
- lm interval = 120
+tt( lm interval = 120)
label(loadprinters)
dit(bf(load printers (G)))
@@ -2513,10 +2516,10 @@ will be loaded for browsing by default. See the
link(bf("printers"))(printers) section for more details.
bf(Default:)
- load printers = yes
+tt( load printers = yes)
bg(Example:)
- load printers = no
+tt( load printers = no)
label(localmaster)
dit(bf(local master (G)))
@@ -2534,7 +2537,7 @@ Setting this value to False will cause url(bf(nmbd))(nmbd.8.html)
em(never) to become a local master browser.
bf(Default:)
- local master = yes
+tt( local master = yes)
label(lockdirectory)
dit(bf(lock directory (G)))
@@ -2544,10 +2547,10 @@ The lock files are used to implement the link(bf("max
connections"))(maxconnections) option.
bf(Default:)
- lock directory = /tmp/samba
+tt( lock directory = /tmp/samba)
bf(Example:)
- lock directory = /usr/local/samba/var/locks
+tt( lock directory = /usr/local/samba/var/locks)
label(locking)
dit(bf(locking (S)))
@@ -2570,10 +2573,10 @@ service, as lack of locking may result in data corruption. You should
never need to set this parameter.
bf(Default:)
- locking = yes
+tt( locking = yes)
bf(Example:)
- locking = no
+tt( locking = no)
label(logfile)
dit(bf(log file (G)))
@@ -2603,7 +2606,7 @@ Note that this option is only useful if Samba is set up as a
link(bf(logon server))(domainlogons).
bf(Example:)
- logon drive = h:
+tt( logon drive = h:)
label(logonhome)
dit(bf(logon home (G)))
@@ -2764,10 +2767,10 @@ A value of 0 will disable cacheing completely.
See also the link(bf("printing"))(printing) parameter.
bf(Default:)
- lpq cache time = 10
+tt( lpq cache time = 10)
bf(Example:)
- lpq cache time = 30
+tt( lpq cache time = 30)
label(lpqcommand)
dit(bf(lpq command (S)))
@@ -2798,7 +2801,7 @@ command) as the PATH may not be available to the server.
See also the link(bf("printing"))(printing) parameter.
bf(Default:)
- depends on the setting of link(bf("printing ="))(printing)
+tt( depends on the setting of printing =)
bf(Example:)
tt( lpq command = /usr/bin/lpq %p)
@@ -2855,8 +2858,8 @@ bf(lprm command) as the PATH may not be available to the server.
See also the link(bf("printing"))(printing) parameter.
-.B Default:
- depends on the setting of "printing ="
+ bf(Default:)
+tt( depends on the setting of "printing =")
bf(Example 1:)
tt( lprm command = /usr/bin/lprm -P%p %j)
@@ -2883,7 +2886,7 @@ See also url(bf(smbpasswd (8)))(smbpasswd.8.html), and the
link(bf("security=domain"))(security)) parameter.
bf(Default:)
- machine password timeout = 604800
+tt( machine password timeout = 604800)
label(magicoutput)
dit(bf(magic output (S)))
@@ -2897,10 +2900,10 @@ script"))(magicscript) in the same directory the output file content
is undefined.
bf(Default:)
- magic output = <magic script name>.out
+tt( magic output = <magic script name>.out)
bf(Example:)
- magic output = myfile.txt
+tt( magic output = myfile.txt)
label(magicscript)
dit(bf(magic script (S)))
@@ -2926,10 +2929,10 @@ end.
Magic scripts are em(EXPERIMENTAL) and should em(NOT) be relied upon.
bf(Default:)
- None. Magic scripts disabled.
+tt( None. Magic scripts disabled.)
bf(Example:)
- magic script = user.csh
+tt( magic script = user.csh)
label(manglecase)
dit(bf(mangle case (S)))
@@ -2955,7 +2958,7 @@ of filenames on some CDROMS (only visible under some UNIXes). To do
this use a map of (*;1 *).
bf(default:)
- no mangled map
+tt( no mangled map)
bf(Example:)
tt( mangled map = (*;1 *))
@@ -3017,10 +3020,10 @@ Windows/DOS and will retain the same basename. Mangled names do not
change between sessions.
bf(Default:)
- mangled names = yes
+tt( mangled names = yes)
bf(Example:)
- mangled names = no
+tt( mangled names = no)
label(manglingchar)
dit(bf(mangling char (S)))
@@ -3031,10 +3034,10 @@ this may interfere with some software. Use this option to set it to
whatever you prefer.
bf(Default:)
- mangling char = ~
+tt( mangling char = ~)
bf(Example:)
- mangling char = ^
+tt( mangling char = ^)
label(mangledstack)
dit(bf(mangled stack (G)))
@@ -3055,10 +3058,10 @@ It is not possible to absolutely guarantee correct long file names, so
be prepared for some surprises!
bf(Default:)
- mangled stack = 50
+tt( mangled stack = 50)
bf(Example:)
- mangled stack = 100
+tt( mangled stack = 100)
label(maparchive)
dit(bf(map archive (S)))
@@ -3076,10 +3079,10 @@ parameter to be set such that owner execute bit is not masked out
mask"))(createmask) for details.
bf(Default:)
- map archive = yes
+tt( map archive = yes)
bf(Example:)
- map archive = no
+tt( map archive = no)
label(maphidden)
dit(bf(map hidden (S)))
@@ -3093,10 +3096,10 @@ include 001). See the parameter link(bf("create mask"))(createmask)
for details.
bf(Default:)
- map hidden = no
+tt( map hidden = no)
bf(Example:)
- map hidden = yes
+tt( map hidden = yes)
label(mapsystem)
dit(bf(map system (S)))
@@ -3110,10 +3113,63 @@ include 010). See the parameter link(bf("create mask"))(createmask)
for details.
bf(Default:)
- map system = no
+tt( map system = no)
bf(Example:)
- map system = yes
+tt( map system = yes)
+
+label(maptoguest)
+dit(bf(map to guest (G)))
+
+This parameter is only useful in link(bf(security))(security) modes
+other than link(bf("security=share"))(security) - ie. user, server,
+and domain.
+
+This parameter can take three different values, which tell
+url(bf(smbd))(smbd.8.html) what to do with user login requests that
+don't match a valid UNIX user in some way.
+
+The three settings are :
+
+startit()
+
+it() bf("Never") - Means user login requests with an invalid password
+are rejected. This is the default.
+
+it() bf("Bad User") - Means user logins with an invalid password are
+rejected, unless the username does not exist, in which case it is
+treated as a guest login and mapped into the link(bf("guest
+account"))(guestaccount).
+
+it() bf("Bad Password") - Means user logins with an invalid
+password are treated as a guest login and mapped into the
+link(bf("guest account"))(guestaccount). Note that this can
+cause problems as it means that any user mistyping their
+password will be silently logged on a bf("guest") - and
+will not know the reason they cannot access files they think
+they should - there will have been no message given to them
+that they got their password wrong. Helpdesk services will
+em(*hate*) you if you set the bf("map to guest") parameter
+this way :-).
+
+endit()
+
+Note that this parameter is needed to set up bf("Guest") share
+services when using link(bf(security))(security) modes other than
+share. This is because in these modes the name of the resource being
+requested is em(*not*) sent to the server until after the server has
+successfully authenticated the client so the server cannot make
+authentication decisions at the correct time (connection to the
+share) for bf("Guest") shares.
+
+For people familiar with the older Samba releases, this parameter
+maps to the old compile-time setting of the GUEST_SESSSETUP value
+in local.h.
+
+ bf(Default:)
+tt( map to guest = Never)
+ bf(Example):
+tt( map to guest = Bad User)
label(maxconnections)
dit(bf(max connections (S)))
@@ -3129,10 +3185,10 @@ will be stored in the directory specified by the link(bf("lock
directory"))(lockdirectory) option.
bf(Default:)
- max connections = 0
+tt( max connections = 0)
bf(Example:)
- max connections = 10
+tt( max connections = 10)
label(maxdisksize)
dit(bf(max disk size (G)))
@@ -3154,10 +3210,10 @@ software that can't handle very large disks, particularly disks over
A bf("max disk size") of 0 means no limit.
bf(Default:)
- max disk size = 0
+tt( max disk size = 0)
bf(Example:)
- max disk size = 1000
+tt( max disk size = 1000)
label(maxlogsize)
dit(bf(max log size (G)))
@@ -3169,10 +3225,10 @@ exceeded it will rename the file, adding a tt(".old") extension.
A size of 0 means no limit.
bf(Default:)
- max log size = 5000
+tt( max log size = 5000)
bf(Example:)
- max log size = 1000
+tt( max log size = 1000)
label(maxmux)
dit(bf(max mux (G)))
@@ -3182,7 +3238,7 @@ SMB operations that samba tells the client it will allow. You should
never need to set this parameter.
bf(Default:)
- max mux = 50
+tt( max mux = 50)
label(maxopenfiles)
dit(bf(maxopenfiles (G)))
@@ -3197,7 +3253,7 @@ UNIX per-process file descriptor limit rather than this parameter
so you should never need to touch this parameter.
bf(Default:)
- max open files = 10000
+tt( max open files = 10000)
label(maxpacket)
dit(bf(max packet (G)))
@@ -3214,7 +3270,7 @@ broadcast packet or from a WINS server. You should never need to
change this parameter. The default is 3 days.
bf(Default:)
- max ttl = 259200
+tt( max ttl = 259200)
label(maxwinsttl)
dit(bf(max wins ttl (G)))
@@ -3228,7 +3284,7 @@ parameter. The default is 6 days (518400 seconds).
See also the link(bf("min wins ttl"))(minwinsttl) parameter.
bf(Default:)
- max wins ttl = 518400
+tt( max wins ttl = 518400)
label(maxxmit)
dit(bf(max xmit (G)))
@@ -3239,10 +3295,10 @@ you may find you get better performance with a smaller value. A value
below 2048 is likely to cause problems.
bf(Default:)
- max xmit = 65535
+tt( max xmit = 65535)
bf(Example:)
- max xmit = 8192
+tt( max xmit = 8192)
label(messagecommand)
dit(bf(message command (G)))
@@ -3253,7 +3309,7 @@ style message.
This would normally be a command that would deliver the message
somehow. How this is to be done is up to your imagination.
-What I use is:
+An example is:
tt( message command = csh -c 'xedit %s;rm %s' &)
@@ -3272,12 +3328,12 @@ particular:
startit()
-it() %s = the filename containing the message
+it() tt("%s") = the filename containing the message.
-it() %t = the destination that the message was sent to (probably the server
-name)
+it() tt("%t") = the destination that the message was sent to (probably the server
+name).
-it() %f = who the message is from
+it() tt("%f") = who the message is from.
endit()
@@ -3295,7 +3351,7 @@ on regardless, saying that the message was delivered.
If you want to silently delete it then try:
- tt("message command = rm %s").
+tt("message command = rm %s").
For the really adventurous, try something like this:
@@ -3307,7 +3363,7 @@ loop if you send a message from the server using smbclient! You better
wrap the above in a script that checks for this :-)
bf(Default:)
- no message command
+tt( no message command)
bf(Example:)
tt( message command = csh -c 'xedit %s;rm %s' &)
@@ -3323,10 +3379,10 @@ job.
See also the link(bf(printing))(printing) parameter.
bf(Default:)
- min print space = 0
+tt( min print space = 0)
bf(Example:)
- min print space = 2000
+tt( min print space = 2000)
label(minwinsttl)
dit(bf(min wins ttl (G)))
@@ -3338,7 +3394,7 @@ grant will be (in seconds). You should never need to change this
parameter. The default is 6 hours (21600 seconds).
bf(Default:)
- min wins ttl = 21600
+tt( min wins ttl = 21600)
label(nameresolveorder)
@@ -3373,10 +3429,10 @@ target host being on a locally connected subnet.
endit()
bf(Default:)
- name resolve order = lmhosts host wins bcast
+tt( name resolve order = lmhosts host wins bcast)
bf(Example:)
- name resolve order = lmhosts bcast host
+tt( name resolve order = lmhosts bcast host)
This will cause the local lmhosts file to be examined first, followed
by a broadcast attempt, followed by a normal system hostname lookup.
@@ -3395,10 +3451,10 @@ name of the machine will be advertised with these capabilities.
See also link(bf("netbios name"))(netbiosname).
bf(Default:)
- empty string (no additional names)
+tt( empty string (no additional names))
bf(Example:)
- netbios aliases = TEST TEST1 TEST2
+tt( netbios aliases = TEST TEST1 TEST2)
label(netbiosname)
dit(bf(netbios name (G)))
@@ -3413,10 +3469,10 @@ advertised under.
See also link(bf("netbios aliases"))(netbiosaliases).
bf(Default:)
- Machine DNS name.
+tt( Machine DNS name.)
bf(Example:)
- netbios name = MYNAME
+tt( netbios name = MYNAME)
label(nishomedir)
dit(bf(nis homedir (G)))
@@ -3445,10 +3501,10 @@ system and the Samba server with this option must also be a
link(bf(logon server))(domainlogons).
bf(Default:)
- nis homedir = false
+tt( nis homedir = false)
bf(Example:)
- nis homedir = true
+tt( nis homedir = true)
label(ntpipesupport)
dit(bf(nt pipe support (G)))
@@ -3459,7 +3515,7 @@ tt(IPC$) pipes. This is a developer debugging option and can be left
alone.
bf(Default:)
- nt pipe support = yes
+tt( nt pipe support = yes)
label(ntsmbsupport)
dit(bf(nt smb support (G)))
@@ -3475,7 +3531,7 @@ offered. This information may be of use if any users are having
problems with NT SMB support.
bf(Default:)
- nt support = yes
+tt( nt support = yes)
label(nullpasswords)
dit(bf(null passwords (G)))
@@ -3485,10 +3541,10 @@ Allow or disallow client access to accounts that have null passwords.
See also url(bf(smbpasswd (5)))(smbpasswd.5.html).
bf(Default:)
- null passwords = no
+tt( null passwords = no)
bf(Example:)
- null passwords = yes
+tt( null passwords = yes)
label(olelockingcompatibility)
dit(bf(ole locking compatibility (G)))
@@ -3503,10 +3559,10 @@ to tt("no") means you trust your UNIX lock manager to handle such cases
correctly.
bf(Default:)
- ole locking compatibility = yes
+tt( ole locking compatibility = yes)
bf(Example:)
- ole locking compatibility = no
+tt( ole locking compatibility = no)
label(onlyguest)
dit(bf(only guest (S)))
@@ -3531,10 +3587,10 @@ of the user.
See also the link(bf(user))(user) parameter.
bf(Default:)
- only user = False
+tt( only user = False)
bf(Example:)
- only user = True
+tt( only user = True)
label(oplocks)
dit(bf(oplocks (S)))
@@ -3555,10 +3611,10 @@ UNIX process. See the link(bf(kernel oplocks))(kerneloplocks) parameter
for details.
bf(Default:)
- oplocks = True
+tt( oplocks = True)
bf(Example:)
- oplocks = False
+tt( oplocks = False)
label(oslevel)
dit(bf(os level (G)))
@@ -3572,7 +3628,7 @@ lose elections to Windows machines. See BROWSING.txt in the Samba
docs/ directory for details.
bf(Default:)
- os level = 0
+tt( os level = 0)
bf(Example:)
tt( os level = 65 ; This will win against any NT Server)
@@ -3593,7 +3649,7 @@ url(bf(nmbd))(nmbd.8.html) crashes. This is usually used to draw
attention to the fact that a problem occured.
bf(Default:)
- panic action = <empty string>
+tt( panic action = <empty string>)
label(passwdchat)
dit(bf(passwd chat (G)))
@@ -3659,10 +3715,10 @@ See also link(bf("passwd chat"))(passwdchat"), link(bf("passwd
program"))(passwdprogram).
bf(Example:)
- passwd chat debug = True
+tt( passwd chat debug = True)
bf(Default:)
- passwd chat debug = False
+tt( passwd chat debug = False)
label(passwdprogram)
dit(bf(passwd program (G)))
@@ -3733,10 +3789,10 @@ A value of zero will cause only two attempts to be made - the password
as is and the password in all-lower case.
bf(Default:)
- password level = 0
+tt( password level = 0)
bf(Example:)
- password level = 4
+tt( password level = 4)
label(passwordserver)
dit(bf(password server (G)))
@@ -3808,10 +3864,10 @@ endit()
See also the link(bf("security") parameter.
bf(Default:)
- password server = <empty string>
+tt( password server = <empty string>)
bf(Example:)
- password server = NT-PDC, NT-BDC1, NT-BDC2
+tt( password server = NT-PDC, NT-BDC1, NT-BDC2)
label(path)
dit(bf(path (S)))
@@ -3837,10 +3893,10 @@ Note that this path will be based on link(bf("root dir"))(rootdir) if
one was specified.
bf(Default:)
- none
+tt( none)
bf(Example:)
- path = /home/fred
+tt( path = /home/fred)
label(postexec)
dit(bf(postexec (S)))
@@ -3856,7 +3912,7 @@ tt(postexec = /etc/umount /cdrom)
See also link(bf(preexec))(preexec).
bf(Default:)
- none (no command executed)
+tt( none (no command executed))
bf(Example:)
tt( postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log)
@@ -3872,10 +3928,10 @@ a control-D at the start of print jobs, which then confuses your
printer.
bf(Default:)
- postscript = False
+tt( postscript = False)
bf(Example:)
- postscript = True
+tt( postscript = True)
label(preexec)
dit(bf(preexec (S)))
@@ -3896,7 +3952,7 @@ Of course, this could get annoying after a while :-)
See also link(bf(postexec))(postexec).
bf(Default:)
- none (no command executed)
+tt( none (no command executed))
bf(Example:)
tt( preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log)
@@ -3924,7 +3980,10 @@ capabilities.
See also link(bf(os level))(oslevel).
bf(Default:)
- preferred master = no
+tt( preferred master = no)
+
+ bf(Example:)
+tt( preferred master = yes)
label(preferedmaster)
dit(bf(prefered master (G)))
@@ -3943,7 +4002,7 @@ This controls if new filenames are created with the case that the
client passes, or if they are forced to be the tt("default") case.
bf(Default:)
- preserve case = yes
+tt( preserve case = yes)
See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for a
fuller discussion.
@@ -4031,10 +4090,10 @@ link(bf("read only"))(readonly) parameter controls only non-printing
access to the resource.
bf(Default:)
- printable = no
+tt( printable = no)
bf(Example:)
- printable = yes
+tt( printable = yes)
label(printcap)
dit(bf(printcap (G)))
@@ -4132,7 +4191,7 @@ of printer drivers to Windows 95 clients, see the documentation file
in the docs/ directory, PRINTER_DRIVER.txt.
bf(Default:)
- None (set in compile).
+tt( None (set in compile).)
bf(Example:)
tt( printer driver file = /usr/local/samba/printers/drivers.def)
@@ -4155,7 +4214,7 @@ details on setting this up see the documentation file in the docs/
directory, PRINTER_DRIVER.txt.
bf(Default:)
- None
+tt( None)
bf(Example:)
tt( printer driver location = \\MACHINE\PRINTER$)
@@ -4219,10 +4278,10 @@ phase in the SMB protocol takes care of choosing the appropriate
protocol.
bf(Default:)
- protocol = NT1
+tt( protocol = NT1)
bf(Example:)
- protocol = LANMAN1
+tt( protocol = LANMAN1)
label(public)
dit(bf(public (S)))
@@ -4249,7 +4308,7 @@ Note that it is good practice to include the absolute path in the
command as the PATH may not be available to the server.
bf(Default:)
- depends on the setting of "printing ="
+tt( depends on the setting of "printing =")
bf(Example:)
tt( queuepause command = disable %p)
@@ -4276,7 +4335,7 @@ Note that it is good practice to include the absolute path in the
command as the PATH may not be available to the server.
bf(Default:)
- depends on the setting of "printing ="
+tt( depends on the setting of "printing =")
bf(Example:)
tt( queuepause command = enable %p)
@@ -4331,7 +4390,7 @@ pre-read data from the last accessed file that was opened read-only
while waiting for packets.
bf(Default:)
- read prediction = False
+tt( read prediction = False)
label(readraw)
dit(bf(read raw (G)))
@@ -4350,7 +4409,7 @@ In general this parameter should be viewed as a system tuning tool and left
severely alone. See also link(bf("write raw"))(writeraw).
bf(Default:)
- read raw = yes
+tt( read raw = yes)
label(readsize)
dit(bf(read size (G)))
@@ -4374,10 +4433,10 @@ best value will vary greatly between systems anyway. A value over
unnecessarily.
bf(Default:)
- read size = 2048
+tt( read size = 2048)
bf(Example:)
- read size = 8192
+tt( read size = 8192)
label(remoteannounce)
dit(bf(remote announce (G)))
@@ -4407,7 +4466,7 @@ browse masters if your network config is that stable.
See the documentation file BROWSING.txt in the docs/ directory.
bf(Default:)
- remote announce = <empty string>
+tt( remote announce = <empty string>)
bf(Example:)
tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF)
@@ -4443,7 +4502,7 @@ machine is available, is listening, nor that it is in fact the browse
master on it's segment.
bf(Default:)
- remote browse sync = <empty string>
+tt( remote browse sync = <empty string>)
bf(Example:)
tt( remote browse sync = 192.168.2.255 192.168.4.255)
@@ -4465,10 +4524,10 @@ If bf("revalidate") is tt("True") then the client will be denied
automatic access as the same username.
bf(Default:)
- revalidate = False
+tt( revalidate = False)
bf(Example:)
- revalidate = True
+tt( revalidate = True)
label(root)
dit(bf(root (G)))
@@ -4538,7 +4597,7 @@ security on or off. Clients decide based on this bit whether (and how)
to transfer user and password information to the server.
The default is bf("security=user"), as this is the most common setting
-needed when talking to Windows 98 and Windows NT4.0 SP3.
+needed when talking to Windows 98 and Windows NT.
The alternatives are bf("security = share") or bf("security = server") or
bf("security=domain").
@@ -4560,6 +4619,18 @@ UNIX machine then you will want to use bf("security = user"). If you
mostly use usernames that don't exist on the UNIX box then use
bf("security = share").
+You should also use bf(security=share) if you want to be able to
+access any shares without a password (guest shares). This is commonly
+used for a shared printer server. It is more difficult to setup guest
+shares with bf(security=user), see the link(bf("map to
+guest"))(maptoguest)parameter for details.
+
+It is possible to use url(bf(smbd))(smbd.8.html) in a em("hybred
+mode") where it is offers both user and share level security under
+different link(bf(NetBIOS aliases))(netbiosaliases). See the
+link(bf(NetBIOS aliases))(netbiosaliases) and the
+link(bf(include))(include) parameters for more information.
+
The different settings will now be explained.
startdit()
@@ -4567,43 +4638,60 @@ startdit()
dit(bf("security=share")) When clients connect to a share level
security server then need not log onto the server with a valid
username and password before attempting to connect to a shared
-resource. Instead, the clients send authentication information on a
-per-share basis, at the time they attempt to connect to that
-share.
+resource (although modern clients such as Windows 95/98 and Windows NT
+will send a logon request with a username but no password when talking
+to a bf(security=share) server). Instead, the clients send
+authentication information (passwords) on a per-share basis, at the
+time they attempt to connect to that share.
Note that url(bf(smbd))(smbd.8.html) em(*ALWAYS*) uses a valid UNIX
user to act on behalf of the client, even in bf("security=share")
-level security. There are no tt("anonymous") users.
+level security.
As clients are not required to send a username to the server
in share level security, url(bf(smbd))(smbd.8.html) uses several
techniques to determine the correct UNIX user to use on behalf
-of the client.
+of the client.
+
+A list of possible UNIX usernames to match with the given
+client password is constructed using the following methods :
startit()
-it() Parameters such as link(bf("user"))(user) and link(bf("guest
-only"))(guestonly), if set, will determine the UNIX user to use.
+it() If the link(bf("guest only"))(guestonly) parameter is set, then
+all the other stages are missed and only the link(bf("guest
+account"))(guestaccount) username is checked.
it() Is a username is sent with the share connection request, then
-this is used as the UNIX username (see also link(bf("username
-map"))(usernamemap).
+this username (after mapping - see link(bf("username
+map"))(usernamemap)), is added as a potential username.
+
+it() If the client did a previous em("logon") request (the
+SessionSetup SMB call) then the username sent in this SMB
+will be added as a potential username.
-it() If a username is not sent to the server, then
-url(bf(smbd))(smbd.8.html) will try the NetBIOS name of the client as
-a potential UNIX username.
+it() The name of the service the client requested is added
+as a potential username.
-it() If no username can be determined then if the share is marked as
-available to the link(bf("guest account"))(guestaccount), then this
-guest user will be used.
+it() The NetBIOS name of the client is added to the list as a
+potential username.
+
+it() Ant users on the link(bf("user"))(user) list are added
+as potential usernames.
endit()
-Note that it can be confusing in share-level security as to which UNIX
-username will eventually be used in granting access.
+If the link(bf("guest only"))(guestonly) parameter is not set, then
+this list is then tried with the supplied password. The first user for
+whom the password matches will be used as the UNIX user.
+
+If the link(bf("guest only"))(guestonly) parameter is set, or no
+username can be determined then if the share is marked as available to
+the link(bf("guest account"))(guestaccount), then this guest user will
+be used, otherwise access is denied.
-Note also that share-level security cannot support link(bf("encrypted
-passwords"))(encryptpasswords).
+Note that it can be em(*very*) confusing in share-level security as to
+which UNIX username will eventually be used in granting access.
dit(bf("security=user"))
@@ -4618,6 +4706,14 @@ are then applied and may change the UNIX user to use on this
connection, but only after the user has been successfully
authenticated.
+em(Note) that the the name of the resource being requested is
+em(*not*) sent to the server until after the server has successfully
+authenticated the client. This is why guest shares don't work in user
+level security without allowing the server to automatically map unknown
+users into the link(bf("guest account"))(guestaccount). See the
+link(bf("map to guest"))(maptoguest) parameter for details on
+doing this.
+
dit(bf("security=server"))
In this mode Samba will try to validate the username/password by
@@ -4628,6 +4724,19 @@ checking the UNIX password file, it must have a valid smbpasswd file
to check users against. See the documentation file in the docs/
directory ENCRYPTION.txt for details on how to set this up.
+em(Note) that from the clients point of view bf("security=server")
+is the same as bf("security=user"). It only affects how the server
+deals with the authentication, it does not in any way affect what the
+client sees.
+
+em(Note) that the the name of the resource being requested is
+em(*not*) sent to the server until after the server has successfully
+authenticated the client. This is why guest shares don't work in server
+level security without allowing the server to automatically map unknown
+users into the link(bf("guest account"))(guestaccount). See the
+link(bf("map to guest"))(maptoguest) parameter for details on
+doing this.
+
See also the link(bf("password server"))(passwordserver) parameter.
and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
@@ -4645,16 +4754,37 @@ em(Note) that a valid UNIX user must still exist as well as the
account on the Domain Controller to allow Samba to have a valid
UNIX account to map file access to.
+em(Note) that from the clients point of view bf("security=domain")
+is the same as bf("security=user"). It only affects how the server
+deals with the authentication, it does not in any way affect what the
+client sees.
+
+em(Note) that the the name of the resource being requested is
+em(*not*) sent to the server until after the server has successfully
+authenticated the client. This is why guest shares don't work in domain
+level security without allowing the server to automatically map unknown
+users into the link(bf("guest account"))(guestaccount). See the
+link(bf("map to guest"))(maptoguest) parameter for details on
+doing this.
+
+e,(BUG:) There is currently a bug in the implementation of
+bf("security=domain) with respect to multi-byte character
+set usernames. The communication with a Domain Controller
+must be done in UNICODE and Samba currently does not widen
+multi-byte user names to UNICODE correctly, thus a multi-byte
+username will not be recognised correctly at the Domain Controller.
+This issue will be addressed in a future release.
+
See also the link(bf("password server"))(passwordserver) parameter.
and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
enddit()
bf(Default:)
- security = USER
+tt( security = USER)
bf(Example:)
- security = DOMAIN
+tt( security = DOMAIN)
label(serverstring)
dit(bf(server string (G)))
@@ -4686,10 +4816,10 @@ The setdir command is only implemented in the Digital Pathworks
client. See the Pathworks documentation for details.
bf(Default:)
- set directory = no
+tt( set directory = no)
bf(Example:)
- set directory = yes
+tt( set directory = yes)
label(sharemodes)
dit(bf(share modes (S)))
@@ -4711,7 +4841,7 @@ You should em(*NEVER*) turn this parameter off as many Windows
applications will break if you do so.
bf(Default:)
- share modes = yes
+tt( share modes = yes)
label(sharedmemsize)
dit(bf(shared mem size (G)))
@@ -4744,7 +4874,7 @@ case, while short names are lowered. Default em(Yes).
See the section on link(bf(NAME MANGLING))(NAMEMANGLING).
bf(Default:)
- short preserve case = yes
+tt( short preserve case = yes)
label(smbpasswdfile)
dit(bf(smb passwd file (G)))
@@ -4753,10 +4883,10 @@ This option sets the path to the encrypted smbpasswd file. By default
the path to the smbpasswd file is compiled into Samba.
bf(Default:)
- smb passwd file= <compiled default>
+tt( smb passwd file= <compiled default>)
bf(Example:)
- smb passwd file = /usr/samba/private/smbpasswd
+tt( smb passwd file = /usr/samba/private/smbpasswd)
label(smbrun)
dit(bf(smbrun (G)))
@@ -4770,10 +4900,10 @@ You should not need to change this parameter so long as Samba
is installed correctly.
bf(Default:)
- smbrun=<compiled default>
+tt( smbrun=<compiled default>)
bf(Example:)
- smbrun = /usr/local/samba/bin/smbrun
+tt( smbrun = /usr/local/samba/bin/smbrun)
label(socketaddress)
dit(bf(socket address (G)))
@@ -4785,7 +4915,7 @@ the one server, each with a different configuration.
By default samba will accept connections on any address.
bf(Example:)
- socket address = 192.168.2.20
+tt( socket address = 192.168.2.20)
label(socketoptions)
dit(bf(socket options (G)))
@@ -4844,16 +4974,16 @@ optionally take a 1 or 0 argument to enable or disable the option, by
default they will be enabled if you don't specify 1 or 0.
To specify an argument use the syntax SOME_OPTION=VALUE for example
-SO_SNDBUF=8192. Note that you must not have any spaces before or after
+tt(SO_SNDBUF=8192). Note that you must not have any spaces before or after
the = sign.
If you are on a local network then a sensible option might be
-socket options = IPTOS_LOWDELAY
+tt(socket options = IPTOS_LOWDELAY)
If you have a local network then you could try:
-socket options = IPTOS_LOWDELAY TCP_NODELAY
+tt(socket options = IPTOS_LOWDELAY TCP_NODELAY)
If you are on a wide area network then perhaps try setting
IPTOS_THROUGHPUT.
@@ -4862,13 +4992,275 @@ Note that several of the options may cause your Samba server to fail
completely. Use these options with caution!
bf(Default:)
- socket options = TCP_NODELAY
+tt( socket options = TCP_NODELAY)
+
+ bf(Example:)
+tt( socket options = IPTOS_LOWDELAY)
+
+label(ssl)
+dit(bf(ssl (G))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable enables or disables the entire SSL mode. If it is set to
+"no", the SSL enabled samba behaves exactly like the non-SSL samba. If
+set to "yes", it depends on the variables link(bf("ssl
+hosts"))(sslhosts) and link(bf("ssl hosts resign"))(sslhostsresign)
+whether an SSL connection will be required.
+
+ bf(Default:)
+tt( ssl=no)
+ bf(Example:)
+tt( ssl=yes)
+
+label(sslCAcertDir)
+dit(bf(ssl CA certDir (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable defines where to look up the Certification
+Autorities. The given directory should contain one file for each CA
+that samba will trust. The file name must be the hash value over the
+"Distinguished Name" of the CA. How this directory is set up is
+explained later in this document. All files within the directory that
+don't fit into this naming scheme are ignored. You don't need this
+variable if you don't verify client certificates.
+
+ bf(Default:)
+tt( ssl CA certDir = /usr/local/ssl/certs)
+
+label(CA certFile)
+dit(bf(ssl CA certFile (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable is a second way to define the trusted CAs. The
+certificates of the trusted CAs are collected in one big file and this
+variable points to the file. You will probably only use one of the two
+ways to define your CAs. The first choice is preferable if you have
+many CAs or want to be flexible, the second is perferable if you only
+have one CA and want to keep things simple (you won't need to create
+the hashed file names). You don't need this variable if you don't
+verify client certificates.
+
+ bf(Default:)
+tt( ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem)
+
+label(sslciphers)
+dit(bf(ssl ciphers (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable defines the ciphers that should be offered during SSL
+negotiation. You should not set this variable unless you know what you
+are doing.
+
+label(sslclientcert)
+dit(bf(ssl client cert (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+The certificate in this file is used by
+url(bf(smbclient))(smbclient.1.html) if it exists. It's needed if the
+server requires a client certificate.
+
+ bf(Default:)
+tt( ssl client cert = /usr/local/ssl/certs/smbclient.pem)
+
+label(sslclientkey)
+dit(bf(ssl client key (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This is the private key for url(bf(smbclient))(smbclient.1.html). It's
+only needed if the client should have a certificate.
+
+ bf(Default:)
+tt( ssl client key = /usr/local/ssl/private/smbclient.pem)
+
+label(sslcompatibility)
+dit(bf(ssl compatibility (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable defines whether SSLeay should be configured for bug
+compatibility with other SSL implementations. This is probably not
+desirable because currently no clients with SSL implementations other
+than SSLeay exist.
+
+ bf(Default:)
+tt( ssl compatibility = no)
+
+label(sslhosts)
+dit(bf(ssl hosts (G)))
+
+See link(bf("ssl hosts resign"))(sslhostsresign).
+
+label(sslhostsresign)
+dit(bf(ssl hosts resign (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+These two variables define whether samba will go into SSL mode or
+not. If none of them is defined, samba will allow only SSL
+connections. If the link(bf("ssl hosts"))(sslhosts) variable lists
+hosts (by IP-address, IP-address range, net group or name), only these
+hosts will be forced into SSL mode. If the bf("ssl hosts resign")
+variable lists hosts, only these hosts will NOT be forced into SSL
+mode. The syntax for these two variables is the same as for the
+link(bf("hosts allow"))(hostsallow) and link(bf("hosts
+deny"))(hostsdeny) pair of variables, only that the subject of the
+decision is different: It's not the access right but whether SSL is
+used or not. See the link(bf("allow hosts"))(allowhosts) parameter for
+details. The example below requires SSL connections from all hosts
+outside the local net (which is 192.168.*.*).
+
+ bf(Default:)
+tt( ssl hosts = <empty string>)
+tt( ssl hosts resign = <empty string>)
bf(Example:)
- socket options = IPTOS_LOWDELAY
+tt( ssl hosts resign = 192.168.)
+
+label(sslrequireclientcert)
+dit(bf(ssl require clientcert (G)))
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+If this variable is set to tt("yes"), the server will not tolerate
+connections from clients that don't have a valid certificate. The
+directory/file given in link(bf("ssl CA certDir"))(sslCAcertDir) and
+link(bf("ssl CA certFile"))(sslCAcertFile) will be used to look up the
+CAs that issued the client's certificate. If the certificate can't be
+verified positively, the connection will be terminated. If this
+variable is set to tt("no"), clients don't need certificates. Contrary
+to web applications you really em(*should*) require client
+certificates. In the web environment the client's data is sensitive
+(credit card numbers) and the server must prove to be trustworthy. In
+a file server environment the server's data will be sensitive and the
+clients must prove to be trustworthy.
+
+ bf(Default:)
+tt( ssl require clientcert = no)
+
+label(sslrequireservercert)
+dit(bf(ssl require servercert (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+If this variable is set to tt("yes"), the
+url(bf(smbclient))(smbclient.1.html) will request a certificate from
+the server. Same as link(bf("ssl require
+clientcert"))(sslrequireclientcert) for the server.
+
+ bf(Default:)
+tt( ssl require servercert = no)
+
+label(sslservercert)
+dit(bf(ssl server cert (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This is the file containing the server's certificate. The server _must_
+have a certificate. The file may also contain the server's private key.
+See later for how certificates and private keys are created.
+
+ bf(Default:)
+tt( ssl server cert = <empty string>)
+
+ssl server key G
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This file contains the private key of the server. If this variable is
+not defined, the key is looked up in the certificate file (it may be
+appended to the certificate). The server em(*must*) have a private key
+and the certificate em(*must*) match this private key.
+
+ bf(Default:)
+tt( ssl server key = <empty string>)
+
+label(sslversion)
+dit(bf(ssl version (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This enumeration variable defines the versions of the SSL protocol
+that will be used. tt("ssl2or3") allows dynamic negotiation of SSL v2
+or v3, tt("ssl2") results in SSL v2, tt("ssl3") results in SSL v3 and
+"tls1" results in TLS v1. TLS (Transport Layer Security) is the
+(proposed?) new standard for SSL.
+
+ bf(Default:)
+tt( ssl version = "ssl2or3")
+stat cache G
+stat cache size G
.SS status (G)
This enables or disables logging of connections to a status file that