diff options
-rw-r--r-- | swat/help/smb.conf.5.html | 4456 | ||||
-rw-r--r-- | swat/help/welcome.html | 64 |
2 files changed, 36 insertions, 4484 deletions
diff --git a/swat/help/smb.conf.5.html b/swat/help/smb.conf.5.html deleted file mode 100644 index a206451979..0000000000 --- a/swat/help/smb.conf.5.html +++ /dev/null @@ -1,4456 +0,0 @@ - - - - - -<html><head><title>smb.conf (5)</title> - -<link rev="made" href="mailto:samba-bugs@samba.org"> -</head> -<body> - -<hr> - -<h1>smb.conf (5)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - - -<p><br><a name="NAME"></a> -<h2>NAME</h2> - smb.conf - The configuration file for the Samba suite -<p><br><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><br><strong>smb.conf</strong> The <strong>smb.conf</strong> file is a configuration file for the -Samba suite. <strong>smb.conf</strong> contains runtime configuration information -for the Samba programs. The <strong>smb.conf</strong> file is designed to be -configured and administered by the <a href="swat.8.html"><strong>swat (8)</strong></a> -program. The complete description of the file format and possible -parameters held within are here for reference purposes. -<p><br><a name="FILEFORMAT"></a> -<h2>FILE FORMAT</h2> - -<p><br>The file consists of sections and parameters. A section begins with -the name of the section in square brackets and continues until the -next section begins. Sections contain parameters of the form -<p><br><code>'name = value'</code> -<p><br>The file is line-based - that is, each newline-terminated line -represents either a comment, a section name or a parameter. -<p><br>Section and parameter names are not case sensitive. -<p><br>Only the first equals sign in a parameter is significant. Whitespace -before or after the first equals sign is discarded. Leading, trailing -and internal whitespace in section and parameter names is -irrelevant. Leading and trailing whitespace in a parameter value is -discarded. Internal whitespace within a parameter value is retained -verbatim. -<p><br>Any line beginning with a semicolon (';') or a hash ('#') character is -ignored, as are lines containing only whitespace. -<p><br>Any line ending in a <code>'\'</code> is "continued" on the next line in the -customary UNIX fashion. -<p><br>The values following the equals sign in parameters are all either a -string (no quotes needed) or a boolean, which may be given as yes/no, -0/1 or true/false. Case is not significant in boolean values, but is -preserved in string values. Some items such as create modes are -numeric. -<p><br><a name="SECTIONDESCRIPTIONS"></a> -<h2>SECTION DESCRIPTIONS</h2> - -<p><br>Each section in the configuration file (except for the -<a href="smb.conf.5.html#global"><strong>[global]</strong></a> section) describes a shared resource (known -as a <em>"share"</em>). The section name is the name of the shared resource -and the parameters within the section define the shares attributes. -<p><br>There are three special sections, <a href="smb.conf.5.html#global"><strong>[global]</strong></a>, -<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a>, which are -described under <a href="smb.conf.5.html#SPECIALSECTIONS"><strong>'special sections'</strong></a>. The -following notes apply to ordinary section descriptions. -<p><br>A share consists of a directory to which access is being given plus -a description of the access rights which are granted to the user of -the service. Some housekeeping options are also specifiable. -<p><br>Sections are either filespace services (used by the client as an -extension of their native file systems) or printable services (used by -the client to access print services on the host running the server). -<p><br>Sections may be designated <a href="smb.conf.5.html#guestok"><strong>guest</strong></a> services, in which -case no password is required to access them. A specified UNIX -<a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a> is used to define access -privileges in this case. -<p><br>Sections other than guest services will require a password to access -them. The client provides the username. As older clients only provide -passwords and not usernames, you may specify a list of usernames to -check against the password using the <a href="smb.conf.5.html#user"><strong>"user="</strong></a> option in -the share definition. For modern clients such as Windows 95/98 and -Windows NT, this should not be necessary. -<p><br>Note that the access rights granted by the server are masked by the -access rights granted to the specified or guest UNIX user by the host -system. The server does not grant more access than the host system -grants. -<p><br>The following sample section defines a file space share. The user has -write access to the path <code>/home/bar</code>. The share is accessed via -the share name "foo": -<p><br><pre> - - - [foo] - path = /home/bar - writeable = true - - -</pre> - -<p><br>The following sample section defines a printable share. The share -is readonly, but printable. That is, the only write access permitted -is via calls to open, write to and close a spool file. The -<a href="smb.conf.5.html#guestok"><strong>'guest ok'</strong></a> parameter means access will be permitted -as the default guest user (specified elsewhere): -<p><br><pre> - - [aprinter] - path = /usr/spool/public - read only = true - printable = true - guest ok = true - -</pre> - -<p><br><a name="SPECIALSECTIONS"></a> -<h2>SPECIAL SECTIONS</h2> - -<p><br><ul> -<p><br><a name="global"></a> -<li><strong><strong>The [global] section</strong></strong> -<p><br>Parameters in this section apply to the server as a whole, or are -defaults for sections which do not specifically define certain -items. See the notes under <a href="smb.conf.5.html#PARAMETERS"><strong>'PARAMETERS'</strong></a> for more -information. -<p><br><a name="homes"></a> -<li><strong><strong>The [homes] section</strong></strong> -<p><br>If a section called <code>'homes'</code> is included in the configuration file, -services connecting clients to their home directories can be created -on the fly by the server. -<p><br>When the connection request is made, the existing sections are -scanned. If a match is found, it is used. If no match is found, the -requested section name is treated as a user name and looked up in the -local password file. If the name exists and the correct password has -been given, a share is created by cloning the [homes] section. -<p><br>Some modifications are then made to the newly created share: -<p><br><ul> -<p><br><li > The share name is changed from <code>'homes'</code> to the located -username -<p><br><li > If no path was given, the path is set to the user's home -directory. -<p><br></ul> -<p><br>If you decide to use a <a href="smb.conf.5.html#path"><strong>path=</strong></a> line in your [homes] -section then you may find it useful to use the <a href="smb.conf.5.html#percentS"><strong>%S</strong></a> -macro. For example : -<p><br><code>path=/data/pchome/%S</code> -<p><br>would be useful if you have different home directories for your PCs -than for UNIX access. -<p><br>This is a fast and simple way to give a large number of clients access -to their home directories with a minimum of fuss. -<p><br>A similar process occurs if the requested section name is <code>"homes"</code>, -except that the share name is not changed to that of the requesting -user. This method of using the [homes] section works well if different -users share a client PC. -<p><br>The [homes] section can specify all the parameters a normal service -section can specify, though some make more sense than others. The -following is a typical and suitable [homes] section: -<p><br><pre> - - [homes] - writeable = yes - -</pre> - -<p><br>An important point is that if guest access is specified in the [homes] -section, all home directories will be visible to all clients -<strong>without a password</strong>. In the very unlikely event that this is -actually desirable, it would be wise to also specify <a href="smb.conf.5.html#readonly"><strong>read only -access</strong></a>. -<p><br>Note that the <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a> flag for auto home -directories will be inherited from the global browseable flag, not the -[homes] browseable flag. This is useful as it means setting -browseable=no in the [homes] section will hide the [homes] share but -make any auto home directories visible. -<p><br><a name="printers"></a> -<li><strong><strong>The [printers] section</strong></strong> -<p><br>This section works like <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a>, but for printers. -<p><br>If a [printers] section occurs in the configuration file, users are -able to connect to any printer specified in the local host's printcap -file. -<p><br>When a connection request is made, the existing sections are -scanned. If a match is found, it is used. If no match is found, but a -<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> section exists, it is used as described -above. Otherwise, the requested section name is treated as a printer -name and the appropriate printcap file is scanned to see if the -requested section name is a valid printer share name. If a match is -found, a new printer share is created by cloning the [printers] -section. -<p><br>A few modifications are then made to the newly created share: -<p><br><ul> -<p><br><li > The share name is set to the located printer name -<p><br><li > If no printer name was given, the printer name is set to the -located printer name -<p><br><li > If the share does not permit guest access and no username was -given, the username is set to the located printer name. -<p><br></ul> -<p><br>Note that the [printers] service MUST be printable - if you specify -otherwise, the server will refuse to load the configuration file. -<p><br>Typically the path specified would be that of a world-writeable spool -directory with the sticky bit set on it. A typical [printers] entry -would look like this: -<p><br><pre> - - [printers] - path = /usr/spool/public - writeable = no - guest ok = yes - printable = yes - -</pre> - -<p><br>All aliases given for a printer in the printcap file are legitimate -printer names as far as the server is concerned. If your printing -subsystem doesn't work like that, you will have to set up a -pseudo-printcap. This is a file consisting of one or more lines like -this: -<p><br><pre> - alias|alias|alias|alias... -</pre> - -<p><br>Each alias should be an acceptable printer name for your printing -subsystem. In the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section, specify the new -file as your printcap. The server will then only recognize names -found in your pseudo-printcap, which of course can contain whatever -aliases you like. The same technique could be used simply to limit -access to a subset of your local printers. -<p><br>An alias, by the way, is defined as any component of the first entry -of a printcap record. Records are separated by newlines, components -(if there are more than one) are separated by vertical bar symbols -("|"). -<p><br>NOTE: On SYSV systems which use lpstat to determine what printers are -defined on the system you may be able to use <a href="smb.conf.5.html#printcapname"><strong>"printcap name = -lpstat"</strong></a> to automatically obtain a list of -printers. See the <a href="smb.conf.5.html#printcapname"><strong>"printcap name"</strong></a> option for -more details. -<p><br></ul> -<p><br><a name="PARAMETERS"></a> -<h2>PARAMETERS</h2> - -<p><br>Parameters define the specific attributes of sections. -<p><br>Some parameters are specific to the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section -(e.g., <a href="smb.conf.5.html#security"><strong>security</strong></a>). Some parameters are usable in -all sections (e.g., <a href="smb.conf.5.html#createmode"><strong>create mode</strong></a>). All others are -permissible only in normal sections. For the purposes of the following -descriptions the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and -<a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> sections will be considered normal. -The letter <code>'G'</code> in parentheses indicates that a parameter is -specific to the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section. The letter <code>'S'</code> -indicates that a parameter can be specified in a service specific -section. Note that all <code>'S'</code> parameters can also be specified in the -<a href="smb.conf.5.html#global"><strong>[global]</strong></a> section - in which case they will define -the default behavior for all services. -<p><br>Parameters are arranged here in alphabetical order - this may not -create best bedfellows, but at least you can find them! Where there -are synonyms, the preferred synonym is described, others refer to the -preferred synonym. -<p><br><a name="VARIABLESUBSTITUTIONS"></a> -<h2>VARIABLE SUBSTITUTIONS</h2> - -<p><br>Many of the strings that are settable in the config file can take -substitutions. For example the option <a href="smb.conf.5.html#path"><strong><code>"path = -/tmp/%u"</code></strong></a> would be interpreted as <code>"path = /tmp/john"</code> if -the user connected with the username john. -<p><br>These substitutions are mostly noted in the descriptions below, but -there are some general substitutions which apply whenever they might -be relevant. These are: -<p><br><ul> -<p><br><a name="percentS"></a> -<li > <strong>%S</strong> = the name of the current service, if any. -<p><br><a name="percentP"></a> -<li > <strong>%P</strong> = the root directory of the current service, if any. -<p><br><a name="percentu"></a> -<li > <strong>%u</strong> = user name of the current service, if any. -<p><br><a name="percentg"></a> -<li > <strong>%g</strong> = primary group name of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>. -<p><br><a name="percentU"></a> -<li > <strong>%U</strong> = session user name (the user name that -the client wanted, not necessarily the same as the one they got). -<p><br><a name="percentG"></a> -<li > <strong>%G</strong> = primary group name of <a href="smb.conf.5.html#percentU"><strong>%U</strong></a>. -<p><br><a name="percentH"></a> -<li > <strong>%H</strong> = the home directory of the user given by <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>. -<p><br><a name="percentv"></a> -<li > <strong>%v</strong> = the Samba version. -<p><br><a name="percenth"></a> -<li > <strong>%h</strong> = the internet hostname that Samba is running on. -<p><br><a name="percentm"></a> -<li > <strong>%m</strong> = the NetBIOS name of the client machine (very useful). -<p><br><a name="percentL"></a> -<li > <strong>%L</strong> = the NetBIOS name of the server. This allows you to change your -config based on what the client calls you. Your server can have a "dual -personality". -<p><br><a name="percentM"></a> -<li > <strong>%M</strong> = the internet name of the client machine. -<p><br><a name="percentN"></a> -<li > <strong>%N</strong> = the name of your NIS home directory server. This is -obtained from your NIS auto.map entry. If you have not compiled Samba -with the <strong>--with-automount</strong> option then this value will be the same -as <a href="smb.conf.5.html#percentL"><strong>%L</strong></a>. -<p><br><a name="percentp"></a> -<li > <strong>%p</strong> = the path of the service's home directory, obtained from your NIS -auto.map entry. The NIS auto.map entry is split up as "%N:%p". -<p><br><a name="percentR"></a> -<li > <strong>%R</strong> = the selected protocol level after protocol -negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. -<p><br><a name="percentd"></a> -<li > <strong>%d</strong> = The process id of the current server process. -<p><br><a name="percenta"></a> -<li > <strong>%a</strong> = the architecture of the remote -machine. Only some are recognized, and those may not be 100% -reliable. It currently recognizes Samba, WfWg, WinNT and -Win95. Anything else will be known as "UNKNOWN". If it gets it wrong -then sending a level 3 log to <a href="mailto:samba-bugs@samba.org"><em>samba-bugs@samba.org</em></a> -should allow it to be fixed. -<p><br><a name="percentI"></a> -<li > <strong>%I</strong> = The IP address of the client machine. -<p><br><a name="percentT"></a> -<li > <strong>%T</strong> = the current date and time. -<p><br></ul> -<p><br>There are some quite creative things that can be done with these -substitutions and other smb.conf options. -<p><br><a name="NAMEMANGLING"></a> -<h2>NAME MANGLING</h2> - -<p><br>Samba supports <em>"name mangling"</em> so that DOS and Windows clients can -use files that don't conform to the 8.3 format. It can also be set to -adjust the case of 8.3 format filenames. -<p><br>There are several options that control the way mangling is performed, -and they are grouped here rather than listed separately. For the -defaults look at the output of the testparm program. -<p><br>All of these options can be set separately for each service (or -globally, of course). -<p><br>The options are: -<p><br><a name="manglecaseoption"></a> -<strong>"mangle case = yes/no"</strong> controls if names that have characters that -aren't of the "default" case are mangled. For example, if this is yes -then a name like <code>"Mail"</code> would be mangled. Default <em>no</em>. -<p><br><a name="casesensitiveoption"></a> -<strong>"case sensitive = yes/no"</strong> controls whether filenames are case -sensitive. If they aren't then Samba must do a filename search and -match on passed names. Default <em>no</em>. -<p><br><a name="defaultcaseoption"></a> -<strong>"default case = upper/lower"</strong> controls what the default case is for new -filenames. Default <em>lower</em>. -<p><br><a name="preservecaseoption"></a> -<strong>"preserve case = yes/no"</strong> controls if new files are created with the -case that the client passes, or if they are forced to be the <code>"default"</code> -case. Default <em>Yes</em>. -<p><br><a name="shortpreservecaseoption"></a> -<p><br><strong>"short preserve case = yes/no"</strong> controls if new files which conform -to 8.3 syntax, that is all in upper case and of suitable length, are -created upper case, or if they are forced to be the <code>"default"</code> -case. This option can be use with <a href="smb.conf.5.html#preservecaseoption"><strong>"preserve case = -yes"</strong></a> to permit long filenames to retain their -case, while short names are lowered. Default <em>Yes</em>. -<p><br>By default, Samba 2.0 has the same semantics as a Windows NT -server, in that it is case insensitive but case preserving. -<p><br><a name="NOTEABOUTUSERNAMEPASSWORDVALIDATION"></a> -<h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2> - -<p><br>There are a number of ways in which a user can connect to a -service. The server follows the following steps in determining if it -will allow a connection to a specified service. If all the steps fail -then the connection request is rejected. If one of the steps pass then -the following steps are not checked. -<p><br>If the service is marked <a href="smb.conf.5.html#guestonly"><strong>"guest only = yes"</strong></a> then -steps 1 to 5 are skipped. -<p><br><ol> -<p><br><li> Step 1: If the client has passed a username/password pair and -that username/password pair is validated by the UNIX system's password -programs then the connection is made as that username. Note that this -includes the <code>\\server\service%username</code> method of passing a -username. -<p><br><li> Step 2: If the client has previously registered a username with -the system and now supplies a correct password for that username then -the connection is allowed. -<p><br><li> Step 3: The client's netbios name and any previously used user -names are checked against the supplied password, if they match then -the connection is allowed as the corresponding user. -<p><br><li> Step 4: If the client has previously validated a -username/password pair with the server and the client has passed the -validation token then that username is used. This step is skipped if -<a href="smb.conf.5.html#revalidate"><strong>"revalidate = yes"</strong></a> for this service. -<p><br><li> Step 5: If a <a href="smb.conf.5.html#user"><strong>"user = "</strong></a> field is given in the -smb.conf file for the service and the client has supplied a password, -and that password matches (according to the UNIX system's password -checking) with one of the usernames from the <a href="smb.conf.5.html#user"><strong>user=</strong></a> -field then the connection is made as the username in the -<a href="smb.conf.5.html#user"><strong>"user="</strong></a> line. If one of the username in the -<a href="smb.conf.5.html#user"><strong>user=</strong></a> list begins with a <code>'@'</code> then that name -expands to a list of names in the group of the same name. -<p><br><li> Step 6: If the service is a guest service then a connection is -made as the username given in the <a href="smb.conf.5.html#guestaccount"><strong>"guest account -="</strong></a> for the service, irrespective of the supplied -password. -<p><br></ol> -<p><br><a name="COMPLETELISTOFGLOBALPARAMETERS"></a> -<h2>COMPLETE LIST OF GLOBAL PARAMETERS</h2> - -<p><br>Here is a list of all global parameters. See the section of each -parameter for details. Note that some are synonyms. -<p><br><ul> -<p><br><li > <a href="smb.conf.5.html#announceas"><strong>announce as</strong></a> -<p><br><li > <a href="smb.conf.5.html#announceversion"><strong>announce version</strong></a> -<p><br><li > <a href="smb.conf.5.html#autoservices"><strong>auto services</strong></a> -<p><br><li > <a href="smb.conf.5.html#bindinterfacesonly"><strong>bind interfaces only</strong></a> -<p><br><li > <a href="smb.conf.5.html#browselist"><strong>browse list</strong></a> -<p><br><li > <a href="smb.conf.5.html#changenotifytimeout"><strong>change notify timeout</strong></a> -<p><br><li > <a href="smb.conf.5.html#characterset"><strong>character set</strong></a> -<p><br><li > <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> -<p><br><li > <a href="smb.conf.5.html#codingsystem"><strong>coding system</strong></a> -<p><br><li > <a href="smb.conf.5.html#configfile"><strong>config file</strong></a> -<p><br><li > <a href="smb.conf.5.html#deadtime"><strong>deadtime</strong></a> -<p><br><li > <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a> -<p><br><li > <a href="smb.conf.5.html#debuglevel"><strong>debuglevel</strong></a> -<p><br><li > <a href="smb.conf.5.html#default"><strong>default</strong></a> -<p><br><li > <a href="smb.conf.5.html#defaultservice"><strong>default service</strong></a> -<p><br><li > <a href="smb.conf.5.html#dfreecommand"><strong>dfree command</strong></a> -<p><br><li > <a href="smb.conf.5.html#dnsproxy"><strong>dns proxy</strong></a> -<p><br><li > <a href="smb.conf.5.html#domainadmingroup"><strong>domain admin group</strong></a> -<p><br><li > <a href="smb.conf.5.html#domainadminusers"><strong>domain admin users</strong></a> -<p><br><li > <a href="smb.conf.5.html#domaincontroller"><strong>domain controller</strong></a> -<p><br><li > <a href="smb.conf.5.html#domaingroups"><strong>domain groups</strong></a> -<p><br><li > <a href="smb.conf.5.html#domainguestgroup"><strong>domain guest group</strong></a> -<p><br><li > <a href="smb.conf.5.html#domainguestusers"><strong>domain guest users</strong></a> -<p><br><li > <a href="smb.conf.5.html#domainlogons"><strong>domain logons</strong></a> -<p><br><li > <a href="smb.conf.5.html#domainmaster"><strong>domain master</strong></a> -<p><br><li > <a href="smb.conf.5.html#encryptpasswords"><strong>encrypt passwords</strong></a> -<p><br><li > <a href="smb.conf.5.html#getwdcache"><strong>getwd cache</strong></a> -<p><br><li > <a href="smb.conf.5.html#homedirmap"><strong>homedir map</strong></a> -<p><br><li > <a href="smb.conf.5.html#hostsequiv"><strong>hosts equiv</strong></a> -<p><br><li > <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> -<p><br><li > <a href="smb.conf.5.html#keepalive"><strong>keepalive</strong></a> -<p><br><li > <a href="smb.conf.5.html#kerneloplocks"><strong>kernel oplocks</strong></a> -<p><br><li > <a href="smb.conf.5.html#ldapfilter"><strong>ldap filter</strong></a> -<p><br><li > <a href="smb.conf.5.html#ldapport"><strong>ldap port</strong></a> -<p><br><li > <a href="smb.conf.5.html#ldaproot"><strong>ldap root</strong></a> -<p><br><li > <a href="smb.conf.5.html#ldaprootpasswd"><strong>ldap root passwd</strong></a> -<p><br><li > <a href="smb.conf.5.html#ldapserver"><strong>ldap server</strong></a> -<p><br><li > <a href="smb.conf.5.html#ldapsuffix"><strong>ldap suffix</strong></a> -<p><br><li > <a href="smb.conf.5.html#lmannounce"><strong>lm announce</strong></a> -<p><br><li > <a href="smb.conf.5.html#lminterval"><strong>lm interval</strong></a> -<p><br><li > <a href="smb.conf.5.html#loadprinters"><strong>load printers</strong></a> -<p><br><li > <a href="smb.conf.5.html#localmaster"><strong>local master</strong></a> -<p><br><li > <a href="smb.conf.5.html#lockdir"><strong>lock dir</strong></a> -<p><br><li > <a href="smb.conf.5.html#lockdirectory"><strong>lock directory</strong></a> -<p><br><li > <a href="smb.conf.5.html#logfile"><strong>log file</strong></a> -<p><br><li > <a href="smb.conf.5.html#loglevel"><strong>log level</strong></a> -<p><br><li > <a href="smb.conf.5.html#logondrive"><strong>logon drive</strong></a> -<p><br><li > <a href="smb.conf.5.html#logonhome"><strong>logon home</strong></a> -<p><br><li > <a href="smb.conf.5.html#logonpath"><strong>logon path</strong></a> -<p><br><li > <a href="smb.conf.5.html#logonscript"><strong>logon script</strong></a> -<p><br><li > <a href="smb.conf.5.html#lpqcachetime"><strong>lpq cache time</strong></a> -<p><br><li > <a href="smb.conf.5.html#machinepasswordtimeout"><strong>machine password timeout</strong></a> -<p><br><li > <a href="smb.conf.5.html#mangledstack"><strong>mangled stack</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxdisksize"><strong>max disk size</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxlogsize"><strong>max log size</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxmux"><strong>max mux</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxopenfiles"><strong>max open files</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxpacket"><strong>max packet</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxttl"><strong>max ttl</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxwinsttl"><strong>max wins ttl</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxxmit"><strong>max xmit</strong></a> -<p><br><li > <a href="smb.conf.5.html#messagecommand"><strong>message command</strong></a> -<p><br><li > <a href="smb.conf.5.html#minwinsttl"><strong>min wins ttl</strong></a> -<p><br><li > <a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a> -<p><br><li > <a href="smb.conf.5.html#netbiosaliases"><strong>netbios aliases</strong></a> -<p><br><li > <a href="smb.conf.5.html#netbiosname"><strong>netbios name</strong></a> -<p><br><li > <a href="smb.conf.5.html#nishomedir"><strong>nis homedir</strong></a> -<p><br><li > <a href="smb.conf.5.html#ntpipesupport"><strong>nt pipe support</strong></a> -<p><br><li > <a href="smb.conf.5.html#ntsmbsupport"><strong>nt smb support</strong></a> -<p><br><li > <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> -<p><br><li > <a href="smb.conf.5.html#olelockingcompatibility"><strong>ole locking compatibility</strong></a> -<p><br><li > <a href="smb.conf.5.html#oslevel"><strong>os level</strong></a> -<p><br><li > <a href="smb.conf.5.html#packetsize"><strong>packet size</strong></a> -<p><br><li > <a href="smb.conf.5.html#panicaction"><strong>panic action</strong></a> -<p><br><li > <a href="smb.conf.5.html#passwdchat"><strong>passwd chat</strong></a> -<p><br><li > <a href="smb.conf.5.html#passwdchatdebug"><strong>passwd chat debug</strong></a> -<p><br><li > <a href="smb.conf.5.html#passwdprogram"><strong>passwd program</strong></a> -<p><br><li > <a href="smb.conf.5.html#passwordlevel"><strong>password level</strong></a> -<p><br><li > <a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a> -<p><br><li > <a href="smb.conf.5.html#preferedmaster"><strong>prefered master</strong></a> -<p><br><li > <a href="smb.conf.5.html#preferredmaster"><strong>preferred master</strong></a> -<p><br><li > <a href="smb.conf.5.html#preload"><strong>preload</strong></a> -<p><br><li > <a href="smb.conf.5.html#printcap"><strong>printcap</strong></a> -<p><br><li > <a href="smb.conf.5.html#printcapname"><strong>printcap name</strong></a> -<p><br><li > <a href="smb.conf.5.html#printerdriverfile"><strong>printer driver file</strong></a> -<p><br><li > <a href="smb.conf.5.html#protocol"><strong>protocol</strong></a> -<p><br><li > <a href="smb.conf.5.html#readbmpx"><strong>read bmpx</strong></a> -<p><br><li > <a href="smb.conf.5.html#readprediction"><strong>read prediction</strong></a> -<p><br><li > <a href="smb.conf.5.html#readraw"><strong>read raw</strong></a> -<p><br><li > <a href="smb.conf.5.html#readsize"><strong>read size</strong></a> -<p><br><li > <a href="smb.conf.5.html#remoteannounce"><strong>remote announce</strong></a> -<p><br><li > <a href="smb.conf.5.html#remotebrowsesync"><strong>remote browse sync</strong></a> -<p><br><li > <a href="smb.conf.5.html#root"><strong>root</strong></a> -<p><br><li > <a href="smb.conf.5.html#rootdir"><strong>root dir</strong></a> -<p><br><li > <a href="smb.conf.5.html#rootdirectory"><strong>root directory</strong></a> -<p><br><li > <a href="smb.conf.5.html#security"><strong>security</strong></a> -<p><br><li > <a href="smb.conf.5.html#serverstring"><strong>server string</strong></a> -<p><br><li > <a href="smb.conf.5.html#sharedmemsize"><strong>shared mem size</strong></a> -<p><br><li > <a href="smb.conf.5.html#smbpasswdfile"><strong>smb passwd file</strong></a> -<p><br><li > <a href="smb.conf.5.html#smbrun"><strong>smbrun</strong></a> -<p><br><li > <a href="smb.conf.5.html#socketaddress"><strong>socket address</strong></a> -<p><br><li > <a href="smb.conf.5.html#socketoptions"><strong>socket options</strong></a> -<p><br><li > <a href="smb.conf.5.html#ssl"><strong>ssl</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslCAcertDir"><strong>ssl CA certDir</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslCAcertFile"><strong>ssl CA certFile</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslciphers"><strong>ssl ciphers</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslclientcert"><strong>ssl client cert</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslclientkey"><strong>ssl client key</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslcompatibility"><strong>ssl compatibility</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslhosts"><strong>ssl hosts</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslhostsresign"><strong>ssl hosts resign</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslrequireclientcert"><strong>ssl require clientcert</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslrequireservercert"><strong>ssl require servercert</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslservercert"><strong>ssl server cert</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslserverkey"><strong>ssl server key</strong></a> -<p><br><li > <a href="smb.conf.5.html#sslversion"><strong>ssl version</strong></a> -<p><br><li > <a href="smb.conf.5.html#statcache"><strong>stat cache</strong></a> -<p><br><li > <a href="smb.conf.5.html#statcachesize"><strong>stat cache size</strong></a> -<p><br><li > <a href="smb.conf.5.html#stripdot"><strong>strip dot</strong></a> -<p><br><li > <a href="smb.conf.5.html#syslog"><strong>syslog</strong></a> -<p><br><li > <a href="smb.conf.5.html#syslogonly"><strong>syslog only</strong></a> -<p><br><li > <a href="smb.conf.5.html#timeoffset"><strong>time offset</strong></a> -<p><br><li > <a href="smb.conf.5.html#timeserver"><strong>time server</strong></a> -<p><br><li > <a href="smb.conf.5.html#timestamplogs"><strong>timestamp logs</strong></a> -<p><br><li > <a href="smb.conf.5.html#unixpasswordsync"><strong>unix password sync</strong></a> -<p><br><li > <a href="smb.conf.5.html#unixrealname"><strong>unix realname</strong></a> -<p><br><li > <a href="smb.conf.5.html#updateencrypted"><strong>update encrypted</strong></a> -<p><br><li > <a href="smb.conf.5.html#userhosts"><strong>use rhosts</strong></a> -<p><br><li > <a href="smb.conf.5.html#usernamelevel"><strong>username level</strong></a> -<p><br><li > <a href="smb.conf.5.html#usernamemap"><strong>username map</strong></a> -<p><br><li > <a href="smb.conf.5.html#validchars"><strong>valid chars</strong></a> -<p><br><li > <a href="smb.conf.5.html#winsproxy"><strong>wins proxy</strong></a> -<p><br><li > <a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> -<p><br><li > <a href="smb.conf.5.html#winssupport"><strong>wins support</strong></a> -<p><br><li > <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> -<p><br><li > <a href="smb.conf.5.html#writeraw"><strong>write raw</strong></a> -<p><br></ul> -<p><br><a name="COMPLETELISTOFSERVICEPARAMETERS"></a> -<h2>COMPLETE LIST OF SERVICE PARAMETERS</h2> - -<p><br>Here is a list of all service parameters. See the section of each -parameter for details. Note that some are synonyms. -<p><br><ul> -<p><br><li > <a href="smb.conf.5.html#adminusers"><strong>admin users</strong></a> -<p><br><li > <a href="smb.conf.5.html#allowhosts"><strong>allow hosts</strong></a> -<p><br><li > <a href="smb.conf.5.html#alternatepermissions"><strong>alternate permissions</strong></a> -<p><br><li > <a href="smb.conf.5.html#available"><strong>available</strong></a> -<p><br><li > <a href="smb.conf.5.html#blockinglocks"><strong>blocking locks</strong></a> -<p><br><li > <a href="smb.conf.5.html#browsable"><strong>browsable</strong></a> -<p><br><li > <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a> -<p><br><li > <a href="smb.conf.5.html#casesensitive"><strong>case sensitive</strong></a> -<p><br><li > <a href="smb.conf.5.html#casesignames"><strong>casesignames</strong></a> -<p><br><li > <a href="smb.conf.5.html#comment"><strong>comment</strong></a> -<p><br><li > <a href="smb.conf.5.html#copy"><strong>copy</strong></a> -<p><br><li > <a href="smb.conf.5.html#createmask"><strong>create mask</strong></a> -<p><br><li > <a href="smb.conf.5.html#createmode"><strong>create mode</strong></a> -<p><br><li > <a href="smb.conf.5.html#defaultcase"><strong>default case</strong></a> -<p><br><li > <a href="smb.conf.5.html#deletereadonly"><strong>delete readonly</strong></a> -<p><br><li > <a href="smb.conf.5.html#deletevetofiles"><strong>delete veto files</strong></a> -<p><br><li > <a href="smb.conf.5.html#denyhosts"><strong>deny hosts</strong></a> -<p><br><li > <a href="smb.conf.5.html#directory"><strong>directory</strong></a> -<p><br><li > <a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a> -<p><br><li > <a href="smb.conf.5.html#directorymode"><strong>directory mode</strong></a> -<p><br><li > <a href="smb.conf.5.html#dontdescend"><strong>dont descend</strong></a> -<p><br><li > <a href="smb.conf.5.html#dosfiletimeresolution"><strong>dos filetime resolution</strong></a> -<p><br><li > <a href="smb.conf.5.html#dosfiletimes"><strong>dos filetimes</strong></a> -<p><br><li > <a href="smb.conf.5.html#exec"><strong>exec</strong></a> -<p><br><li > <a href="smb.conf.5.html#fakedirectorycreatetimes"><strong>fake directory create times</strong></a> -<p><br><li > <a href="smb.conf.5.html#fakeoplocks"><strong>fake oplocks</strong></a> -<p><br><li > <a href="smb.conf.5.html#followsymlinks"><strong>follow symlinks</strong></a> -<p><br><li > <a href="smb.conf.5.html#forcecreatemode"><strong>force create mode</strong></a> -<p><br><li > <a href="smb.conf.5.html#forcedirectorymode"><strong>force directory mode</strong></a> -<p><br><li > <a href="smb.conf.5.html#forcegroup"><strong>force group</strong></a> -<p><br><li > <a href="smb.conf.5.html#forceuser"><strong>force user</strong></a> -<p><br><li > <a href="smb.conf.5.html#fstype"><strong>fstype</strong></a> -<p><br><li > <a href="smb.conf.5.html#group"><strong>group</strong></a> -<p><br><li > <a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a> -<p><br><li > <a href="smb.conf.5.html#guestok"><strong>guest ok</strong></a> -<p><br><li > <a href="smb.conf.5.html#guestonly"><strong>guest only</strong></a> -<p><br><li > <a href="smb.conf.5.html#hidedotfiles"><strong>hide dot files</strong></a> -<p><br><li > <a href="smb.conf.5.html#hidefiles"><strong>hide files</strong></a> -<p><br><li > <a href="smb.conf.5.html#hostsallow"><strong>hosts allow</strong></a> -<p><br><li > <a href="smb.conf.5.html#hostsdeny"><strong>hosts deny</strong></a> -<p><br><li > <a href="smb.conf.5.html#include"><strong>include</strong></a> -<p><br><li > <a href="smb.conf.5.html#invalidusers"><strong>invalid users</strong></a> -<p><br><li > <a href="smb.conf.5.html#locking"><strong>locking</strong></a> -<p><br><li > <a href="smb.conf.5.html#lppausecommand"><strong>lppause command</strong></a> -<p><br><li > <a href="smb.conf.5.html#lpqcommand"><strong>lpq command</strong></a> -<p><br><li > <a href="smb.conf.5.html#lpresumecommand"><strong>lpresume command</strong></a> -<p><br><li > <a href="smb.conf.5.html#lprmcommand"><strong>lprm command</strong></a> -<p><br><li > <a href="smb.conf.5.html#magicoutput"><strong>magic output</strong></a> -<p><br><li > <a href="smb.conf.5.html#magicscript"><strong>magic script</strong></a> -<p><br><li > <a href="smb.conf.5.html#manglecase"><strong>mangle case</strong></a> -<p><br><li > <a href="smb.conf.5.html#mangledmap"><strong>mangled map</strong></a> -<p><br><li > <a href="smb.conf.5.html#manglednames"><strong>mangled names</strong></a> -<p><br><li > <a href="smb.conf.5.html#manglingchar"><strong>mangling char</strong></a> -<p><br><li > <a href="smb.conf.5.html#maparchive"><strong>map archive</strong></a> -<p><br><li > <a href="smb.conf.5.html#maphidden"><strong>map hidden</strong></a> -<p><br><li > <a href="smb.conf.5.html#mapsystem"><strong>map system</strong></a> -<p><br><li > <a href="smb.conf.5.html#maptoguest"><strong>map to guest</strong></a> -<p><br><li > <a href="smb.conf.5.html#maxconnections"><strong>max connections</strong></a> -<p><br><li > <a href="smb.conf.5.html#minprintspace"><strong>min print space</strong></a> -<p><br><li > <a href="smb.conf.5.html#onlyguest"><strong>only guest</strong></a> -<p><br><li > <a href="smb.conf.5.html#onlyuser"><strong>only user</strong></a> -<p><br><li > <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> -<p><br><li > <a href="smb.conf.5.html#path"><strong>path</strong></a> -<p><br><li > <a href="smb.conf.5.html#postexec"><strong>postexec</strong></a> -<p><br><li > <a href="smb.conf.5.html#postscript"><strong>postscript</strong></a> -<p><br><li > <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a> -<p><br><li > <a href="smb.conf.5.html#preservecase"><strong>preserve case</strong></a> -<p><br><li > <a href="smb.conf.5.html#printcommand"><strong>print command</strong></a> -<p><br><li > <a href="smb.conf.5.html#printok"><strong>print ok</strong></a> -<p><br><li > <a href="smb.conf.5.html#printable"><strong>printable</strong></a> -<p><br><li > <a href="smb.conf.5.html#printer"><strong>printer</strong></a> -<p><br><li > <a href="smb.conf.5.html#printerdriver"><strong>printer driver</strong></a> -<p><br><li > <a href="smb.conf.5.html#printerdriverlocation"><strong>printer driver location</strong></a> -<p><br><li > <a href="smb.conf.5.html#printername"><strong>printer name</strong></a> -<p><br><li > <a href="smb.conf.5.html#printing"><strong>printing</strong></a> -<p><br><li > <a href="smb.conf.5.html#public"><strong>public</strong></a> -<p><br><li > <a href="smb.conf.5.html#queuepausecommand"><strong>queuepause command</strong></a> -<p><br><li > <a href="smb.conf.5.html#queueresumecommand"><strong>queueresume command</strong></a> -<p><br><li > <a href="smb.conf.5.html#readlist"><strong>read list</strong></a> -<p><br><li > <a href="smb.conf.5.html#readonly"><strong>read only</strong></a> -<p><br><li > <a href="smb.conf.5.html#revalidate"><strong>revalidate</strong></a> -<p><br><li > <a href="smb.conf.5.html#rootpostexec"><strong>root postexec</strong></a> -<p><br><li > <a href="smb.conf.5.html#rootpreexec"><strong>root preexec</strong></a> -<p><br><li > <a href="smb.conf.5.html#setdirectory"><strong>set directory</strong></a> -<p><br><li > <a href="smb.conf.5.html#sharemodes"><strong>share modes</strong></a> -<p><br><li > <a href="smb.conf.5.html#shortpreservecase"><strong>short preserve case</strong></a> -<p><br><li > <a href="smb.conf.5.html#status"><strong>status</strong></a> -<p><br><li > <a href="smb.conf.5.html#strictlocking"><strong>strict locking</strong></a> -<p><br><li > <a href="smb.conf.5.html#strictsync"><strong>strict sync</strong></a> -<p><br><li > <a href="smb.conf.5.html#syncalways"><strong>sync always</strong></a> -<p><br><li > <a href="smb.conf.5.html#user"><strong>user</strong></a> -<p><br><li > <a href="smb.conf.5.html#username"><strong>username</strong></a> -<p><br><li > <a href="smb.conf.5.html#users"><strong>users</strong></a> -<p><br><li > <a href="smb.conf.5.html#validusers"><strong>valid users</strong></a> -<p><br><li > <a href="smb.conf.5.html#vetofiles"><strong>veto files</strong></a> -<p><br><li > <a href="smb.conf.5.html#vetooplockfiles"><strong>veto oplock files</strong></a> -<p><br><li > <a href="smb.conf.5.html#volume"><strong>volume</strong></a> -<p><br><li > <a href="smb.conf.5.html#widelinks"><strong>wide links</strong></a> -<p><br><li > <a href="smb.conf.5.html#writable"><strong>writable</strong></a> -<p><br><li > <a href="smb.conf.5.html#writelist"><strong>write list</strong></a> -<p><br><li > <a href="smb.conf.5.html#writeok"><strong>write ok</strong></a> -<p><br><li > <a href="smb.conf.5.html#writeable"><strong>writeable</strong></a> -<p><br></ul> -<p><br><a name="EXPLANATIONOFEACHPARAMETER"></a> -<h2>EXPLANATION OF EACH PARAMETER</h2> - -<p><br><ul> -<p><br><a name="adminusers"></a> -<li><strong><strong>admin users (S)</strong></strong> -<p><br>This is a list of users who will be granted administrative privileges -on the share. This means that they will do all file operations as the -super-user (root). -<p><br>You should use this option very carefully, as any user in this list -will be able to do anything they like on the share, irrespective of -file permissions. -<p><br><strong>Default:</strong> <br> -<code> no admin users</code> -<p><br><strong>Example:</strong> <br> -<code> admin users = jason</code> -<p><br><a name="allowhosts"></a> -<li><strong><strong>allow hosts (S)</strong></strong> -<p><br>A synonym for this parameter is <a href="smb.conf.5.html#hostsallow"><strong>'hosts allow'</strong></a> -<p><br>This parameter is a comma, space, or tab delimited set of hosts which -are permitted to access a service. -<p><br>If specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section then it will -apply to all services, regardless of whether the individual service -has a different setting. -<p><br>You can specify the hosts by name or IP number. For example, you could -restrict access to only the hosts on a Class C subnet with something -like <code>"allow hosts = 150.203.5."</code>. The full syntax of the list is -described in the man page <strong>hosts_access (5)</strong>. Note that this man -page may not be present on your system, so a brief description will -be given here also. -<p><br><em>NOTE:</em> IF you wish to allow the <a href="smbpasswd.html.8"><strong>smbpasswd -(8)</strong></a> program to be run by local users to change -their Samba passwords using the local <a href="smbd.8.html"><strong>smbd (8)</strong></a> -daemon, then you <em>MUST</em> ensure that the localhost is listed in your -<strong>allow hosts</strong> list, as <a href="smbpasswd.html.8"><strong>smbpasswd (8)</strong></a> runs -in client-server mode and is seen by the local -<a href="smbd.8.html"><strong>smbd</strong></a> process as just another client. -<p><br>You can also specify hosts by network/netmask pairs and by netgroup -names if your system supports netgroups. The <em>EXCEPT</em> keyword can also -be used to limit a wildcard list. The following examples may provide -some help: -<p><br><strong>Example 1</strong>: allow localhost and all IPs in 150.203.*.* except one -<p><br><code> hosts allow = localhost, 150.203. EXCEPT 150.203.6.66</code> -<p><br><strong>Example 2</strong>: allow localhost and hosts that match the given network/netmask -<p><br><code> hosts allow = localhost, 150.203.15.0/255.255.255.0</code> -<p><br><strong>Example 3</strong>: allow a localhost plus a couple of hosts -<p><br><code> hosts allow = localhost, lapland, arvidsjaur</code> -<p><br><strong>Example 4</strong>: allow only hosts in NIS netgroup "foonet" or localhost, but -deny access from one particular host -<p><br><code> hosts allow = @foonet, localhost</code> -<code> hosts deny = pirate</code> -<p><br>Note that access still requires suitable user-level passwords. -<p><br>See <a href="testparm.1.html"><strong>testparm (1)</strong></a> for a way of testing your -host access to see if it does what you expect. -<p><br><strong>Default:</strong> -<code> none (i.e., all hosts permitted access)</code> -<p><br><strong>Example:</strong> -<code> allow hosts = 150.203.5. localhost myhost.mynet.edu.au</code> -<p><br><a name="alternatepermissions"></a> -<li><strong><strong>alternate permissions (S)</strong></strong> -<p><br>This is a deprecated parameter. It no longer has any effect in Samba2.0. -In previous versions of Samba it affected the way the DOS "read only" -attribute was mapped for a file. In Samba2.0 a file is marked "read only" -if the UNIX file does not have the 'w' bit set for the owner of the file, -regardless if the owner of the file is the currently logged on user or not. -<p><br><a name="announceas"></a> -<li><strong><strong>announce as (G)</strong></strong> -<p><br>This specifies what type of server <a href="nmbd.8.html"><strong>nmbd</strong></a> will -announce itself as, to a network neighborhood browse list. By default -this is set to Windows NT. The valid options are : "NT", "Win95" or -"WfW" meaning Windows NT, Windows 95 and Windows for Workgroups -respectively. Do not change this parameter unless you have a specific -need to stop Samba appearing as an NT server as this may prevent Samba -servers from participating as browser servers correctly. -<p><br><strong>Default:</strong> -<code> announce as = NT</code> -<p><br><strong>Example</strong> -<code> announce as = Win95</code> -<p><br><a name="announceversion"></a> -<li><strong><strong>announce version (G)</strong></strong> -<p><br>This specifies the major and minor version numbers that nmbd will use -when announcing itself as a server. The default is 4.2. Do not change -this parameter unless you have a specific need to set a Samba server -to be a downlevel server. -<p><br><strong>Default:</strong> -<code> announce version = 4.2</code> -<p><br><strong>Example:</strong> -<code> announce version = 2.0</code> -<p><br><a name="autoservices"></a> -<li><strong><strong>auto services (G)</strong></strong> -<p><br>This is a list of services that you want to be automatically added to -the browse lists. This is most useful for homes and printers services -that would otherwise not be visible. -<p><br>Note that if you just want all printers in your printcap file loaded -then the <a href="smb.conf.5.html#loadprinters"><strong>"load printers"</strong></a> option is easier. -<p><br><strong>Default:</strong> -<code> no auto services</code> -<p><br><strong>Example:</strong> -<code> auto services = fred lp colorlp</code> -<p><br><a name="available"></a> -<li><strong><strong>available (S)</strong></strong> -<p><br>This parameter lets you <em>'turn off'</em> a service. If <code>'available = no'</code>, -then <em>ALL</em> attempts to connect to the service will fail. Such failures -are logged. -<p><br><strong>Default:</strong> -<code> available = yes</code> -<p><br><strong>Example:</strong> -<code> available = no</code> -<p><br><a name="bindinterfacesonly"></a> -<li><strong><strong>bind interfaces only (G)</strong></strong> -<p><br>This global parameter allows the Samba admin to limit what interfaces -on a machine will serve smb requests. If affects file service -<a href="smbd.8.html"><strong>smbd</strong></a> and name service <a href="nmbd.8.html"><strong>nmbd</strong></a> -in slightly different ways. -<p><br>For name service it causes <a href="nmbd.8.html"><strong>nmbd</strong></a> to bind to ports -137 and 138 on the interfaces listed in the -<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> -parameter. <a href="nmbd.8.html"><strong>nmbd</strong></a> also binds to the 'all -addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes -of reading broadcast messages. If this option is not set then -<a href="nmbd.8.html"><strong>nmbd</strong></a> will service name requests on all of these -sockets. If <strong>"bind interfaces only"</strong> is set then -<a href="nmbd.8.html"><strong>nmbd</strong></a> will check the source address of any -packets coming in on the broadcast sockets and discard any that don't -match the broadcast addresses of the interfaces in the -<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter list. As unicast packets -are received on the other sockets it allows <a href="nmbd.8.html"><strong>nmbd</strong></a> -to refuse to serve names to machines that send packets that arrive -through any interfaces not listed in the -<a href="smb.conf.5.html#interfaces"><strong>"interfaces"</strong></a> list. IP Source address spoofing -does defeat this simple check, however so it must not be used -seriously as a security feature for <a href="nmbd.8.html"><strong>nmbd</strong></a>. -<p><br>For file service it causes <a href="smbd.8.html"><strong>smbd</strong></a> to bind only to -the interface list given in the <a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> -parameter. This restricts the networks that <a href="smbd.8.html"><strong>smbd</strong></a> -will serve to packets coming in those interfaces. Note that you -should not use this parameter for machines that are serving PPP or -other intermittent or non-broadcast network interfaces as it will not -cope with non-permanent interfaces. -<p><br>In addition, to change a users SMB password, the -<a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> by default connects to the -<em>"localhost" - 127.0.0.1</em> address as an SMB client to issue the -password change request. If <strong>"bind interfaces only"</strong> is set then -unless the network address <em>127.0.0.1</em> is added to the -<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter list then -<a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> will fail to connect in it's -default mode. <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> can be forced to -use the primary IP interface of the local host by using its -<a href="smbpasswd.8.html#minusr"><strong>"-r remote machine"</strong></a> parameter, with -<strong>"remote machine"</strong> set to the IP name of the primary interface -of the local host. -<p><br><strong>Default:</strong> -<code> bind interfaces only = False</code> -<p><br><strong>Example:</strong> -<code> bind interfaces only = True</code> -<p><br><a name="blockinglocks"></a> -<li><strong><strong>blocking locks (S)</strong></strong> -<p><br>This parameter controls the behavior of <a href="smbd.8.html"><strong>smbd</strong></a> when -given a request by a client to obtain a byte range lock on a region -of an open file, and the request has a time limit associated with it. -<p><br>If this parameter is set and the lock range requested cannot be -immediately satisfied, Samba 2.0 will internally queue the lock -request, and periodically attempt to obtain the lock until the -timeout period expires. -<p><br>If this parameter is set to "False", then Samba 2.0 will behave -as previous versions of Samba would and will fail the lock -request immediately if the lock range cannot be obtained. -<p><br>This parameter can be set per share. -<p><br><strong>Default:</strong> -<code> blocking locks = True</code> -<p><br><strong>Example:</strong> -<code> blocking locks = False</code> -<p><br><a name="browsable"></a> -<li><strong><strong>browseable (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a>. -<p><br><a name="browselist"></a> -<li><strong><strong>browse list(G)</strong></strong> -<p><br>This controls whether <a href="smbd.8.html"><strong>smbd</strong></a> will serve a browse -list to a client doing a NetServerEnum call. Normally set to true. You -should never need to change this. -<p><br><strong>Default:</strong> -<code> browse list = Yes</code> -<p><br><a name="browseable"></a> -<li><strong><strong>browseable</strong></strong> -<p><br>This controls whether this share is seen in the list of available -shares in a net view and in the browse list. -<p><br><strong>Default:</strong> -<code> browseable = Yes</code> -<p><br><strong>Example:</strong> -<code> browseable = No</code> -<p><br><a name="casesensitive"></a> -<li><strong><strong>case sensitive (G)</strong></strong> -<p><br>See the discussion in the section <a href="smb.conf.5.html#NAMEMANGLING"><strong>NAME MANGLING</strong></a>. -<p><br><a name="casesignames"></a> -<li><strong><strong>casesignames (G)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a>. -<p><br><a name="changenotifytimeout"></a> -<li><strong><strong>change notify timeout (G)</strong></strong> -<p><br>One of the new NT SMB requests that Samba 2.0 supports is the -"ChangeNotify" requests. This SMB allows a client to tell a server to -<em>"watch"</em> a particular directory for any changes and only reply to -the SMB request when a change has occurred. Such constant scanning of -a directory is expensive under UNIX, hence an -<a href="smbd.8.html"><strong>smbd</strong></a> daemon only performs such a scan on each -requested directory once every <strong>change notify timeout</strong> seconds. -<p><br><strong>change notify timeout</strong> is specified in units of seconds. -<p><br><strong>Default:</strong> -<code> change notify timeout = 60</code> -<p><br><strong>Example:</strong> -<code> change notify timeout = 300</code> -<p><br>Would change the scan time to every 5 minutes. -<p><br><a name="characterset"></a> -<li><strong><strong>character set (G)</strong></strong> -<p><br>This allows a smbd to map incoming filenames from a DOS Code page (see -the <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> parameter) to several -built in UNIX character sets. The built in code page translations are: -<p><br><ul> -<p><br><li > <strong>ISO8859-1</strong> Western European UNIX character set. The parameter -<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code -page 850 if the <strong>character set</strong> parameter is set to iso8859-1 -in order for the conversion to the UNIX character set to be done -correctly. -<p><br><li > <strong>ISO8859-2</strong> Eastern European UNIX character set. The parameter -<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code -page 852 if the <strong>character set</strong> parameter is set to ISO8859-2 -in order for the conversion to the UNIX character set to be done -correctly. -<p><br><li > <strong>ISO8859-5</strong> Russian Cyrillic UNIX character set. The parameter -<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code -page 866 if the <strong>character set</strong> parameter is set to ISO8859-2 -in order for the conversion to the UNIX character set to be done -correctly. -<p><br><li > <strong>KOI8-R</strong> Alternate mapping for Russian Cyrillic UNIX -character set. The parameter <a href="smb.conf.5.html#clientcodepage"><strong>client code -page</strong></a> <em>MUST</em> be set to code page 866 if the -<strong>character set</strong> parameter is set to KOI8-R in order for the -conversion to the UNIX character set to be done correctly. -<p><br></ul> -<p><br><em>BUG</em>. These MSDOS code page to UNIX character set mappings should -be dynamic, like the loading of MS DOS code pages, not static. -<p><br>See also <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a>. Normally this -parameter is not set, meaning no filename translation is done. -<p><br><strong>Default:</strong> -<code> character set = <empty string></code> -<p><br><strong>Example:</strong> -<code> character set = ISO8859-1</code> -<p><br><a name="clientcodepage"></a> -<li><strong><strong>client code page (G)</strong></strong> -<p><br>This parameter specifies the DOS code page that the clients accessing -Samba are using. To determine what code page a Windows or DOS client -is using, open a DOS command prompt and type the command "chcp". This -will output the code page. The default for USA MS-DOS, Windows 95, and -Windows NT releases is code page 437. The default for western european -releases of the above operating systems is code page 850. -<p><br>This parameter tells <a href="smbd.8.html"><strong>smbd</strong></a> which of the -<code>codepage.XXX</code> files to dynamically load on startup. These files, -described more fully in the manual page <a href="make_smbcodepage.1.html"><strong>make_smbcodepage -(1)</strong></a>, tell <a href="smbd.8.html"><strong>smbd</strong></a> how -to map lower to upper case characters to provide the case insensitivity -of filenames that Windows clients expect. -<p><br>Samba currently ships with the following code page files : -<p><br><ul> -<p><br><li > <strong>Code Page 437 - MS-DOS Latin US</strong> -<p><br><li > <strong>Code Page 737 - Windows '95 Greek</strong> -<p><br><li > <strong>Code Page 850 - MS-DOS Latin 1</strong> -<p><br><li > <strong>Code Page 852 - MS-DOS Latin 2</strong> -<p><br><li > <strong>Code Page 861 - MS-DOS Icelandic</strong> -<p><br><li > <strong>Code Page 866 - MS-DOS Cyrillic</strong> -<p><br><li > <strong>Code Page 932 - MS-DOS Japanese SJIS</strong> -<p><br><li > <strong>Code Page 936 - MS-DOS Simplified Chinese</strong> -<p><br><li > <strong>Code Page 949 - MS-DOS Korean Hangul</strong> -<p><br><li > <strong>Code Page 950 - MS-DOS Traditional Chinese</strong> -<p><br></ul> -<p><br>Thus this parameter may have any of the values 437, 737, 850, 852, -861, 932, 936, 949, or 950. If you don't find the codepage you need, -read the comments in one of the other codepage files and the -<a href="make_smbcodepage.1.html"><strong>make_smbcodepage (1)</strong></a> man page and -write one. Please remember to donate it back to the Samba user -community. -<p><br>This parameter co-operates with the <a href="smb.conf.5.html#validchars"><strong>"valid -chars"</strong></a> parameter in determining what characters are -valid in filenames and how capitalization is done. If you set both -this parameter and the <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> parameter -the <strong>"client code page"</strong> parameter <em>MUST</em> be set before the -<a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> parameter in the <strong>smb.conf</strong> -file. The <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> string will then augment -the character settings in the "client code page" parameter. -<p><br>If not set, <strong>"client code page"</strong> defaults to 850. -<p><br>See also : <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> -<p><br><strong>Default:</strong> -<code> client code page = 850</code> -<p><br><strong>Example:</strong> -<code> client code page = 936</code> -<p><br><a name="codingsystem"></a> -<li><strong><strong>codingsystem (G)</strong></strong> -<p><br>This parameter is used to determine how incoming Shift-JIS Japanese -characters are mapped from the incoming <a href="smb.conf.5.html#clientcodepage"><strong>"client code -page"</strong></a> used by the client, into file names in the -UNIX filesystem. Only useful if <a href="smb.conf.5.html#clientcodepage"><strong>"client code -page"</strong></a> is set to 932 (Japanese Shift-JIS). -<p><br>The options are : -<p><br><ul> -<p><br><li > <strong>SJIS</strong> Shift-JIS. Does no conversion of the incoming filename. -<p><br><li > <strong>JIS8, J8BB, J8BH, J8@B, J8@J, J8@H </strong> Convert from incoming -Shift-JIS to eight bit JIS code with different shift-in, shift out -codes. -<p><br><li > <strong>JIS7, J7BB, J7BH, J7@B, J7@J, J7@H </strong> Convert from incoming -Shift-JIS to seven bit JIS code with different shift-in, shift out -codes. -<p><br><li > <strong>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </strong> Convert from incoming -Shift-JIS to JUNET code with different shift-in, shift out codes. -<p><br><li > <strong>EUC</strong> Convert an incoming Shift-JIS character to EUC code. -<p><br><li > <strong>HEX</strong> Convert an incoming Shift-JIS character to a 3 byte hex -representation, i.e. <code>:AB</code>. -<p><br><li > <strong>CAP</strong> Convert an incoming Shift-JIS character to the 3 byte hex -representation used by the Columbia AppleTalk Program (CAP), -i.e. <code>:AB</code>. This is used for compatibility between Samba and CAP. -<p><br></ul> -<p><br><a name="comment"></a> -<li><strong><strong>comment (S)</strong></strong> -<p><br>This is a text field that is seen next to a share when a client does a -queries the server, either via the network neighborhood or via "net -view" to list what shares are available. -<p><br>If you want to set the string that is displayed next to the machine -name then see the server string command. -<p><br><strong>Default:</strong> -<code> No comment string</code> -<p><br><strong>Example:</strong> -<code> comment = Fred's Files</code> -<p><br><a name="configfile"></a> -<li><strong><strong>config file (G)</strong></strong> -<p><br>This allows you to override the config file to use, instead of the -default (usually <strong>smb.conf</strong>). There is a chicken and egg problem -here as this option is set in the config file! -<p><br>For this reason, if the name of the config file has changed when the -parameters are loaded then it will reload them from the new config -file. -<p><br>This option takes the usual substitutions, which can be very useful. -<p><br>If the config file doesn't exist then it won't be loaded (allowing you -to special case the config files of just a few clients). -<p><br><strong>Example:</strong> -<code> config file = /usr/local/samba/lib/smb.conf.%m</code> -<p><br><a name="copy"></a> -<li><strong><strong>copy (S)</strong></strong> -<p><br>This parameter allows you to <em>'clone'</em> service entries. The specified -service is simply duplicated under the current service's name. Any -parameters specified in the current section will override those in the -section being copied. -<p><br>This feature lets you set up a 'template' service and create similar -services easily. Note that the service being copied must occur earlier -in the configuration file than the service doing the copying. -<p><br><strong>Default:</strong> -<code> none</code> -<p><br><strong>Example:</strong> -<code> copy = otherservice</code> -<p><br><a name="createmask"></a> -<li><strong><strong>create mask (S)</strong></strong> -<p><br>A synonym for this parameter is <a href="smb.conf.5.html#createmode"><strong>'create mode'</strong></a>. -<p><br>When a file is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a file. Any bit <em>*not*</em> set here will be removed from the modes set -on a file when it is created. -<p><br>The default value of this parameter removes the 'group' and 'other' -write and execute bits from the UNIX modes. -<p><br>Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force create mode" parameter -which is set to 000 by default. -<p><br>This parameter does not affect directory modes. See the parameter -<a href="smb.conf.5.html#directorymode"><strong>'directory mode'</strong></a> for details. -<p><br>See also the <a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> parameter -for forcing particular mode bits to be set on created files. See also -the <a href="smb.conf.5.html#directorymode"><strong>"directory mode"</strong></a> parameter for masking -mode bits on created directories. -<p><br><strong>Default:</strong> -<code> create mask = 0744</code> -<p><br><strong>Example:</strong> -<code> create mask = 0775</code> -<p><br><a name="createmode"></a> -<li><strong><strong>create mode (S)</strong></strong> -<p><br>This is a synonym for <a href="smb.conf.5.html#createmask"><strong>create mask</strong></a>. -<p><br><a name="deadtime"></a> -<li><strong><strong>deadtime (G)</strong></strong> -<p><br>The value of the parameter (a decimal integer) represents the number -of minutes of inactivity before a connection is considered dead, and -it is disconnected. The deadtime only takes effect if the number of -open files is zero. -<p><br>This is useful to stop a server's resources being exhausted by a large -number of inactive connections. -<p><br>Most clients have an auto-reconnect feature when a connection is -broken so in most cases this parameter should be transparent to users. -<p><br>Using this parameter with a timeout of a few minutes is recommended -for most systems. -<p><br>A deadtime of zero indicates that no auto-disconnection should be -performed. -<p><br><strong>Default:</strong> -<code> deadtime = 0</code> -<p><br><strong>Example:</strong> -<code> deadtime = 15</code> -<p><br><a name="debugtimestamp"></a> -<li><strong><strong>debug timestamp (G)</strong></strong> -<p><br>Samba2.0 debug log messages are timestamped by default. If you are -running at a high <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a> these timestamps -can be distracting. This boolean parameter allows them to be turned -off. -<p><br><strong>Default:</strong> -<code> debug timestamp = Yes</code> -<p><br><strong>Example:</strong> -<code> debug timestamp = No</code> -<p><br><a name="debuglevel"></a> -<li><strong><strong>debug level (G)</strong></strong> -<p><br>The value of the parameter (an integer) allows the debug level -(logging level) to be specified in the <strong>smb.conf</strong> file. This is to -give greater flexibility in the configuration of the system. -<p><br>The default will be the debug level specified on the command line -or level zero if none was specified. -<p><br><strong>Example:</strong> -<code> debug level = 3</code> -<p><br><a name="default"></a> -<li><strong><strong>default (G)</strong></strong> -<p><br>A synonym for <a href="smb.conf.5.html#defaultservice"><strong>default service</strong></a>. -<p><br><a name="defaultcase"></a> -<li><strong><strong>default case (S)</strong></strong> -<p><br>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a>. Also note -the <a href="smb.conf.5.html#shortpreservecase"><strong>"short preserve case"</strong></a> parameter. -<p><br><a name="defaultservice"></a> -<li><strong><strong>default service (G)</strong></strong> -<p><br>This parameter specifies the name of a service which will be connected -to if the service actually requested cannot be found. Note that the -square brackets are <em>NOT</em> given in the parameter value (see example -below). -<p><br>There is no default value for this parameter. If this parameter is not -given, attempting to connect to a nonexistent service results in an -error. -<p><br>Typically the default service would be a <a href="smb.conf.5.html#guestok"><strong>guest ok</strong></a>, -<a href="smb.conf.5.html#readonly"><strong>read-only</strong></a> service. -<p><br>Also note that the apparent service name will be changed to equal that -of the requested service, this is very useful as it allows you to use -macros like <a href="smb.conf.5.html#percentS"><strong>%S</strong></a> to make a wildcard service. -<p><br>Note also that any <code>'_'</code> characters in the name of the service used -in the default service will get mapped to a <code>'/'</code>. This allows for -interesting things. -<p><br><strong>Example:</strong> -<pre> - - default service = pub - - [pub] - path = /%S - -</pre> - -<p><br><a name="deletereadonly"></a> -<li><strong><strong>delete readonly (S)</strong></strong> -<p><br>This parameter allows readonly files to be deleted. This is not -normal DOS semantics, but is allowed by UNIX. -<p><br>This option may be useful for running applications such as rcs, where -UNIX file ownership prevents changing file permissions, and DOS -semantics prevent deletion of a read only file. -<p><br><strong>Default:</strong> -<code> delete readonly = No</code> -<p><br><strong>Example:</strong> -<code> delete readonly = Yes</code> -<p><br><a name="deletevetofiles"></a> -<li><strong><strong>delete veto files (S)</strong></strong> -<p><br>This option is used when Samba is attempting to delete a directory -that contains one or more vetoed directories (see the <a href="smb.conf.5.html#vetofiles"><strong>'veto -files'</strong></a> option). If this option is set to False (the -default) then if a vetoed directory contains any non-vetoed files or -directories then the directory delete will fail. This is usually what -you want. -<p><br>If this option is set to True, then Samba will attempt to recursively -delete any files and directories within the vetoed directory. This can -be useful for integration with file serving systems such as <strong>NetAtalk</strong>, -which create meta-files within directories you might normally veto -DOS/Windows users from seeing (e.g. <code>.AppleDouble</code>) -<p><br>Setting <code>'delete veto files = True'</code> allows these directories to be -transparently deleted when the parent directory is deleted (so long -as the user has permissions to do so). -<p><br>See also the <a href="smb.conf.5.html#vetofiles"><strong>veto files</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> delete veto files = False</code> -<p><br><strong>Example:</strong> -<code> delete veto files = True</code> -<p><br><a name="denyhosts"></a> -<li><strong><strong>deny hosts (S)</strong></strong> -<p><br>The opposite of <a href="smb.conf.5.html#allowhosts"><strong>'allow hosts'</strong></a> - hosts listed -here are <em>NOT</em> permitted access to services unless the specific -services have their own lists to override this one. Where the lists -conflict, the <a href="smb.conf.5.html#allowhosts"><strong>'allow'</strong></a> list takes precedence. -<p><br><strong>Default:</strong> -<code> none (i.e., no hosts specifically excluded)</code> -<p><br><strong>Example:</strong> -<code> deny hosts = 150.203.4. badhost.mynet.edu.au</code> -<p><br><a name="dfreecommand"></a> -<li><strong><strong>dfree command (G)</strong></strong> -<p><br>The dfree command setting should only be used on systems where a -problem occurs with the internal disk space calculations. This has -been known to happen with Ultrix, but may occur with other operating -systems. The symptom that was seen was an error of "Abort Retry -Ignore" at the end of each directory listing. -<p><br>This setting allows the replacement of the internal routines to -calculate the total disk space and amount available with an external -routine. The example below gives a possible script that might fulfill -this function. -<p><br>The external program will be passed a single parameter indicating a -directory in the filesystem being queried. This will typically consist -of the string <code>"./"</code>. The script should return two integers in -ascii. The first should be the total disk space in blocks, and the -second should be the number of available blocks. An optional third -return value can give the block size in bytes. The default blocksize -is 1024 bytes. -<p><br>Note: Your script should <em>NOT</em> be setuid or setgid and should be -owned by (and writeable only by) root! -<p><br><strong>Default:</strong> -<code> By default internal routines for determining the disk capacity -and remaining space will be used.</code> -<p><br><strong>Example:</strong> -<code> dfree command = /usr/local/samba/bin/dfree</code> -<p><br>Where the script dfree (which must be made executable) could be: -<p><br><pre> - - #!/bin/sh - df $1 | tail -1 | awk '{print $2" "$4}' - -</pre> - -<p><br>or perhaps (on Sys V based systems): -<p><br><pre> - - #!/bin/sh - /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' - -</pre> - -<p><br>Note that you may have to replace the command names with full -path names on some systems. -<p><br><a name="directory"></a> -<li><strong><strong>directory (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#path"><strong>path</strong></a>. -<p><br><a name="directorymask"></a> -<li><strong><strong>directory mask (S)</strong></strong> -<p><br>This parameter is the octal modes which are used when converting DOS -modes to UNIX modes when creating UNIX directories. -<p><br>When a directory is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a directory. Any bit <em>*not*</em> set here will be removed from the -modes set on a directory when it is created. -<p><br>The default value of this parameter removes the 'group' and 'other' -write bits from the UNIX mode, allowing only the user who owns the -directory to modify it. -<p><br>Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force directory mode" -parameter. This parameter is set to 000 by default (i.e. no extra mode -bits are added). -<p><br>See the <a href="smb.conf.5.html#forcedirectorymode"><strong>"force directory mode"</strong></a> parameter -to cause particular mode bits to always be set on created directories. -<p><br>See also the <a href="smb.conf.5.html#createmode"><strong>"create mode"</strong></a> parameter for masking -mode bits on created files. -<p><br><strong>Default:</strong> -<code> directory mask = 0755</code> -<p><br><strong>Example:</strong> -<code> directory mask = 0775</code> -<p><br><a name="directorymode"></a> -<li><strong><strong>directory mode (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a>. -<p><br><a name="dnsproxy"></a> -<li><strong><strong>dns proxy (G)</strong></strong> -<p><br>Specifies that <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS -server and finding that a NetBIOS name has not been registered, should -treat the NetBIOS name word-for-word as a DNS name and do a lookup -with the DNS server for that name on behalf of the name-querying -client. -<p><br>Note that the maximum length for a NetBIOS name is 15 characters, so -the DNS name (or DNS alias) can likewise only be 15 characters, -maximum. -<p><br><a href="nmbd.8.html"><strong>nmbd</strong></a> spawns a second copy of itself to do the -DNS name lookup requests, as doing a name lookup is a blocking action. -<p><br>See also the parameter <a href="smb.conf.5.html#winssupport"><strong>wins support</strong></a>. -<p><br><strong>Default:</strong> -<code> dns proxy = yes</code> -<p><br><a name="domainadmingroup"></a> -<strong>domain admin group (G)</strong> -<p><br>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by sending email to -<a href="mailto:listproc@samba.org"><em>listproc@samba.org</em></a> -<p><br><a name="domainadminusers"></a> -<li><strong><strong>domain admin users (G)</strong></strong> -<p><br>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by sending email to -<a href="mailto:listproc@samba.org"><em>listproc@samba.org</em></a> -<p><br><a name="domaincontroller"></a> -<li><strong><strong>domain controller (G)</strong></strong> -<p><br>This is a <strong>DEPRECATED</strong> parameter. It is currently not used within -the Samba source and should be removed from all current smb.conf -files. It is left behind for compatibility reasons. -<p><br><a name="domaingroups"></a> -<li><strong><strong>domain groups (G)</strong></strong> -<p><br>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by sending email to -<a href="mailto:listproc@samba.org"><em>listproc@samba.org</em></a> -<p><br><a name="domainguestgroup"></a> -<li><strong><strong>domain guest group (G)</strong></strong> -<p><br>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by sending email to -<a href="mailto:listproc@samba.org"><em>listproc@samba.org</em></a> -<p><br><a name="domainguestusers"></a> -<li><strong><strong>domain guest users (G)</strong></strong> -<p><br>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by sending email to -<a href="mailto:listproc@samba.org"><em>listproc@samba.org</em></a> -<p><br><a name="domainlogons"></a> -<li><strong><strong>domain logons (G)</strong></strong> -<p><br>If set to true, the Samba server will serve Windows 95/98 Domain -logons for the <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> it is in. For more -details on setting up this feature see the file DOMAINS.txt in the -Samba documentation directory <code>docs/</code> shipped with the source code. -<p><br>Note that Win95/98 Domain logons are <em>NOT</em> the same as Windows -NT Domain logons. NT Domain logons require a Primary Domain Controller -(PDC) for the Domain. It is intended that in a future release Samba -will be able to provide this functionality for Windows NT clients -also. -<p><br><strong>Default:</strong> -<code> domain logons = no</code> -<p><br><a name="domainmaster"></a> -<li><strong><strong>domain master (G)</strong></strong> -<p><br>Tell <a href="nmbd.8.html"><strong>nmbd</strong></a> to enable WAN-wide browse list -collation. Setting this option causes <a href="nmbd.8.html"><strong>nmbd</strong></a> to -claim a special domain specific NetBIOS name that identifies it as a -domain master browser for its given -<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a>. Local master browsers in the same -<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> on broadcast-isolated subnets will give -this <a href="nmbd.8.html"><strong>nmbd</strong></a> their local browse lists, and then -ask <a href="smbd.8.html"><strong>smbd</strong></a> for a complete copy of the browse list -for the whole wide area network. Browser clients will then contact -their local master browser, and will receive the domain-wide browse -list, instead of just the list for their broadcast-isolated subnet. -<p><br>Note that Windows NT Primary Domain Controllers expect to be able to -claim this <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> specific special NetBIOS -name that identifies them as domain master browsers for that -<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> by default (i.e. there is no way to -prevent a Windows NT PDC from attempting to do this). This means that -if this parameter is set and <a href="nmbd.8.html"><strong>nmbd</strong></a> claims the -special name for a <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> before a Windows NT -PDC is able to do so then cross subnet browsing will behave strangely -and may fail. -<p><br><strong>Default:</strong> -<code> domain master = no</code> -<p><br><a name="dontdescend"></a> -<li><strong><strong>dont descend (S)</strong></strong> -<p><br>There are certain directories on some systems (e.g., the <code>/proc</code> tree -under Linux) that are either not of interest to clients or are -infinitely deep (recursive). This parameter allows you to specify a -comma-delimited list of directories that the server should always show -as empty. -<p><br>Note that Samba can be very fussy about the exact format of the "dont -descend" entries. For example you may need <code>"./proc"</code> instead of -just <code>"/proc"</code>. Experimentation is the best policy :-) -<p><br><strong>Default:</strong> -<code> none (i.e., all directories are OK to descend)</code> -<p><br><strong>Example:</strong> -<code> dont descend = /proc,/dev</code> -<p><br><a name="dosfiletimeresolution"></a> -<li><strong><strong>dos filetime resolution (S)</strong></strong> -<p><br>Under the DOS and Windows FAT filesystem, the finest granularity on -time resolution is two seconds. Setting this parameter for a share -causes Samba to round the reported time down to the nearest two second -boundary when a query call that requires one second resolution is made -to <a href="smbd.8.html"><strong>smbd</strong></a>. -<p><br>This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares. If oplocks are enabled on a share, -Visual C++ uses two different time reading calls to check if a file -has changed since it was last read. One of these calls uses a -one-second granularity, the other uses a two second granularity. As -the two second call rounds any odd second down, then if the file has a -timestamp of an odd number of seconds then the two timestamps will not -match and Visual C++ will keep reporting the file has changed. Setting -this option causes the two timestamps to match, and Visual C++ is -happy. -<p><br><strong>Default:</strong> -<code> dos filetime resolution = False</code> -<p><br><strong>Example:</strong> -<code> dos filetime resolution = True</code> -<p><br><a name="dosfiletimes"></a> -<li><strong><strong>dos filetimes (S)</strong></strong> -<p><br>Under DOS and Windows, if a user can write to a file they can change -the timestamp on it. Under POSIX semantics, only the owner of the file -or root may change the timestamp. By default, Samba runs with POSIX -semantics and refuses to change the timestamp on a file if the user -smbd is acting on behalf of is not the file owner. Setting this option -to True allows DOS semantics and smbd will change the file timestamp as -DOS requires. -<p><br><strong>Default:</strong> -<code> dos filetimes = False</code> -<p><br><strong>Example:</strong> -<code> dos filetimes = True</code> -<p><br><a name="encryptpasswords"></a> -<li><strong><strong>encrypt passwords (G)</strong></strong> -<p><br>This boolean controls whether encrypted passwords will be negotiated -with the client. Note that Windows NT 4.0 SP3 and above and also -Windows 98 will by default expect encrypted passwords unless a -registry entry is changed. To use encrypted passwords in Samba see the -file ENCRYPTION.txt in the Samba documentation directory <code>docs/</code> -shipped with the source code. -<p><br>In order for encrypted passwords to work correctly -<a href="smbd.8.html"><strong>smbd</strong></a> must either have access to a local -<a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file (see the -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> program for information on -how to set up and maintain this file), or set the -<a href="smb.conf.5.html#security"><strong>security=</strong></a> parameter to either -<a href="smb.conf.5.html#securityequalserver"><strong>"server"</strong></a> or -<a href="smb.conf.5.html#securityequaldomain"><strong>"domain"</strong></a> which causes -<a href="smbd.8.html"><strong>smbd</strong></a> to authenticate against another server. -<p><br><a name="exec"></a> -<li><strong><strong>exec (S)</strong></strong> -<p><br>This is a synonym for <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a>. -<p><br><a name="fakedirectorycreatetimes"></a> -<li><strong><strong>fake directory create times (S)</strong></strong> -<p><br>NTFS and Windows VFAT file systems keep a create time for all files -and directories. This is not the same as the ctime - status change -time - that Unix keeps, so Samba by default reports the earliest of -the various times Unix does keep. Setting this parameter for a share -causes Samba to always report midnight 1-1-1980 as the create time for -directories. -<p><br>This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares. Visual C++ generated makefiles have -the object directory as a dependency for each object file, and a make -rule to create the directory. Also, when NMAKE compares timestamps it -uses the creation time when examining a directory. Thus the object -directory will be created if it does not exist, but once it does exist -it will always have an earlier timestamp than the object files it -contains. -<p><br>However, Unix time semantics mean that the create time reported by -Samba will be updated whenever a file is created or deleted in the -directory. NMAKE therefore finds all object files in the object -directory bar the last one built are out of date compared to the -directory and rebuilds them. Enabling this option ensures directories -always predate their contents and an NMAKE build will proceed as -expected. -<p><br><strong>Default:</strong> -<code> fake directory create times = False</code> -<p><br><strong>Example:</strong> -<code> fake directory create times = True</code> -<p><br><a name="fakeoplocks"></a> -<li><strong><strong>fake oplocks (S)</strong></strong> -<p><br>Oplocks are the way that SMB clients get permission from a server to -locally cache file operations. If a server grants an oplock -(opportunistic lock) then the client is free to assume that it is the -only one accessing the file and it will aggressively cache file -data. With some oplock types the client may even cache file open/close -operations. This can give enormous performance benefits. -<p><br>When you set <code>"fake oplocks = yes"</code> <a href="smbd.8.html"><strong>smbd</strong></a> will -always grant oplock requests no matter how many clients are using the -file. -<p><br>It is generally much better to use the real <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> -support rather than this parameter. -<p><br>If you enable this option on all read-only shares or shares that you -know will only be accessed from one client at a time such as -physically read-only media like CDROMs, you will see a big performance -improvement on many operations. If you enable this option on shares -where multiple clients may be accessing the files read-write at the -same time you can get data corruption. Use this option carefully! -<p><br>This option is disabled by default. -<p><br><a name="followsymlinks"></a> -<li><strong><strong>follow symlinks (S)</strong></strong> -<p><br>This parameter allows the Samba administrator to stop -<a href="smbd.8.html"><strong>smbd</strong></a> from following symbolic links in a -particular share. Setting this parameter to <em>"No"</em> prevents any file -or directory that is a symbolic link from being followed (the user -will get an error). This option is very useful to stop users from -adding a symbolic link to <code>/etc/passwd</code> in their home directory for -instance. However it will slow filename lookups down slightly. -<p><br>This option is enabled (i.e. <a href="smbd.8.html"><strong>smbd</strong></a> will follow -symbolic links) by default. -<p><br><a name="forcecreatemode"></a> -<li><strong><strong>force create mode (S)</strong></strong> -<p><br>This parameter specifies a set of UNIX mode bit permissions that will -<em>*always*</em> be set on a file created by Samba. This is done by -bitwise 'OR'ing these bits onto the mode bits of a file that is being -created. The default for this parameter is (in octal) 000. The modes -in this parameter are bitwise 'OR'ed onto the file mode after the mask -set in the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> parameter is applied. -<p><br>See also the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> for details -on masking mode bits on created files. -<p><br><strong>Default:</strong> -<code> force create mode = 000</code> -<p><br><strong>Example:</strong> -<code> force create mode = 0755</code> -<p><br>would force all created files to have read and execute permissions set -for 'group' and 'other' as well as the read/write/execute bits set for -the 'user'. -<p><br><a name="forcedirectorymode"></a> -<li><strong><strong>force directory mode (S)</strong></strong> -<p><br>This parameter specifies a set of UNIX mode bit permissions that will -<em>*always*</em> be set on a directory created by Samba. This is done by -bitwise 'OR'ing these bits onto the mode bits of a directory that is -being created. The default for this parameter is (in octal) 0000 which -will not add any extra permission bits to a created directory. This -operation is done after the mode mask in the parameter -<a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a> is applied. -<p><br>See also the parameter <a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a> for -details on masking mode bits on created directories. -<p><br><strong>Default:</strong> -<code> force directory mode = 000</code> -<p><br><strong>Example:</strong> -<code> force directory mode = 0755</code> -<p><br>would force all created directories to have read and execute -permissions set for 'group' and 'other' as well as the -read/write/execute bits set for the 'user'. -<p><br><a name="forcegroup"></a> -<li><strong><strong>force group (S)</strong></strong> -<p><br>This specifies a UNIX group name that will be assigned as the default -primary group for all users connecting to this service. This is useful -for sharing files by ensuring that all access to files on service will -use the named group for their permissions checking. Thus, by assigning -permissions for this group to the files and directories within this -service the Samba administrator can restrict or allow sharing of these -files. -<p><br><strong>Default:</strong> -<code> no forced group</code> -<p><br><strong>Example:</strong> -<code> force group = agroup</code> -<p><br><a name="forceuser"></a> -<li><strong><strong>force user (S)</strong></strong> -<p><br>This specifies a UNIX user name that will be assigned as the default -user for all users connecting to this service. This is useful for -sharing files. You should also use it carefully as using it -incorrectly can cause security problems. -<p><br>This user name only gets used once a connection is established. Thus -clients still need to connect as a valid user and supply a valid -password. Once connected, all file operations will be performed as the -<code>"forced user"</code>, no matter what username the client connected as. -<p><br>This can be very useful. -<p><br><strong>Default:</strong> -<code> no forced user</code> -<p><br><strong>Example:</strong> -<code> force user = auser</code> -<p><br><a name="fstype"></a> -<li><strong><strong>fstype (S)</strong></strong> -<p><br>This parameter allows the administrator to configure the string that -specifies the type of filesystem a share is using that is reported by -<a href="smbd.8.html"><strong>smbd</strong></a> when a client queries the filesystem type -for a share. The default type is <strong>"NTFS"</strong> for compatibility with -Windows NT but this can be changed to other strings such as "Samba" or -"FAT" if required. -<p><br><strong>Default:</strong> -<code> fstype = NTFS</code> -<p><br><strong>Example:</strong> -<code> fstype = Samba</code> -<p><br><a name="getwdcache"></a> -<li><strong><strong>getwd cache (G)</strong></strong> -<p><br>This is a tuning option. When this is enabled a caching algorithm -will be used to reduce the time taken for getwd() calls. This can have -a significant impact on performance, especially when the -<a href="smb.conf.5.html#widelinks"><strong>widelinks</strong></a> parameter is set to False. -<p><br><strong>Default:</strong> -<code> getwd cache = No</code> -<p><br><strong>Example:</strong> -<code> getwd cache = Yes</code> -<p><br><a name="group"></a> -<li><strong><strong>group (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#forcegroup"><strong>"force group"</strong></a>. -<p><br><a name="guestaccount"></a> -<li><strong><strong>guest account (S)</strong></strong> -<p><br>This is a username which will be used for access to services which are -specified as <a href="smb.conf.5.html#guestok"><strong>'guest ok'</strong></a> (see below). Whatever -privileges this user has will be available to any client connecting to -the guest service. Typically this user will exist in the password -file, but will not have a valid login. The user account <strong>"ftp"</strong> is -often a good choice for this parameter. If a username is specified in -a given service, the specified username overrides this one. -<p><br>One some systems the default guest account "nobody" may not be able to -print. Use another account in this case. You should test this by -trying to log in as your guest user (perhaps by using the <code>"su -"</code> -command) and trying to print using the system print command such as -<strong>lpr (1)</strong> or <strong>lp (1)</strong>. -<p><br><strong>Default:</strong> -<code> specified at compile time, usually "nobody"</code> -<p><br><strong>Example:</strong> -<code> guest account = ftp</code> -<p><br><a name="guestok"></a> -<li><strong><strong>guest ok (S)</strong></strong> -<p><br>If this parameter is <em>'yes'</em> for a service, then no password is -required to connect to the service. Privileges will be those of the -<a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a>. -<p><br>See the section below on <a href="smb.conf.5.html#security"><strong>security</strong></a> for more -information about this option. -<p><br><strong>Default:</strong> -<code> guest ok = no</code> -<p><br><strong>Example:</strong> -<code> guest ok = yes</code> -<p><br><a name="guestonly"></a> -<li><strong><strong>guest only (S)</strong></strong> -<p><br>If this parameter is <em>'yes'</em> for a service, then only guest -connections to the service are permitted. This parameter will have no -affect if <a href="smb.conf.5.html#guestok"><strong>"guest ok"</strong></a> or <a href="smb.conf.5.html#public"><strong>"public"</strong></a> -is not set for the service. -<p><br>See the section below on <a href="smb.conf.5.html#security"><strong>security</strong></a> for more -information about this option. -<p><br><strong>Default:</strong> -<code> guest only = no</code> -<p><br><strong>Example:</strong> -<code> guest only = yes</code> -<p><br><a name="hidedotfiles"></a> -<li><strong><strong>hide dot files (S)</strong></strong> -<p><br>This is a boolean parameter that controls whether files starting with -a dot appear as hidden files. -<p><br><strong>Default:</strong> -<code> hide dot files = yes</code> -<p><br><strong>Example:</strong> -<code> hide dot files = no</code> -<p><br><a name="hidefiles"></a> -<li><strong><strong>hide files(S)</strong></strong> -<p><br>This is a list of files or directories that are not visible but are -accessible. The DOS 'hidden' attribute is applied to any files or -directories that match. -<p><br>Each entry in the list must be separated by a <code>'/'</code>, which allows -spaces to be included in the entry. <code>'*'</code> and <code>'?'</code> can be used -to specify multiple files or directories as in DOS wildcards. -<p><br>Each entry must be a Unix path, not a DOS path and must not include the -Unix directory separator <code>'/'</code>. -<p><br>Note that the case sensitivity option is applicable in hiding files. -<p><br>Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned. -<p><br>See also <a href="smb.conf.5.html#hidedotfiles"><strong>"hide dot files"</strong></a>, <a href="smb.conf.5.html#vetofiles"><strong>"veto -files"</strong></a> and <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a>. -<p><br><strong>Default</strong> -<pre> - - No files or directories are hidden by this option (dot files are - hidden by default because of the "hide dot files" option). - -</pre> - -<p><br><strong>Example</strong> -<code> hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/</code> -<p><br>The above example is based on files that the Macintosh SMB client -(DAVE) available from <a href="www.thursby.com"><strong>Thursby</strong></a> creates for -internal use, and also still hides all files beginning with a dot. -<p><br><a name="homedirmap"></a> -<li><strong><strong>homedir map (G)</strong></strong> -<p><br>If <a href="smb.conf.5.html#nishomedir"><strong>"nis homedir"</strong></a> is true, and -<a href="smbd.8.html"><strong>smbd</strong></a> is also acting as a Win95/98 <a href="smb.conf.5.html#domainlogons"><strong>logon -server</strong></a> then this parameter specifies the NIS (or YP) -map from which the server for the user's home directory should be -extracted. At present, only the Sun auto.home map format is -understood. The form of the map is: -<p><br><code>username server:/some/file/system</code> -<p><br>and the program will extract the servername from before the first -<code>':'</code>. There should probably be a better parsing system that copes -with different map formats and also Amd (another automounter) maps. -<p><br>NB: A working NIS is required on the system for this option to work. -<p><br>See also <a href="smb.conf.5.html#nishomedir"><strong>"nis homedir"</strong></a>, <a href="smb.conf.5.html#domainlogons"><strong>domain -logons</strong></a>. -<p><br><strong>Default:</strong> -<code> homedir map = auto.home</code> -<p><br><strong>Example:</strong> -<code> homedir map = amd.homedir</code> -<p><br><a name="hostsallow"></a> -<li><strong><strong>hosts allow (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#allowhosts"><strong>allow hosts</strong></a>. -<p><br><a name="hostsdeny"></a> -<li><strong><strong>hosts deny (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#denyhosts"><strong>denyhosts</strong></a>. -<p><br><a name="hostsequiv"></a> -<li><strong><strong>hosts equiv (G)</strong></strong> -<p><br>If this global parameter is a non-null string, it specifies the name -of a file to read for the names of hosts and users who will be allowed -access without specifying a password. -<p><br>This is not be confused with <a href="smb.conf.5.html#allowhosts"><strong>allow hosts</strong></a> which -is about hosts access to services and is more useful for guest -services. <strong>hosts equiv</strong> may be useful for NT clients which will not -supply passwords to samba. -<p><br>NOTE: The use of <strong>hosts equiv</strong> can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -<strong>hosts equiv</strong> option be only used if you really know what you are -doing, or perhaps on a home network where you trust your spouse and -kids. And only if you <em>really</em> trust them :-). -<p><br><strong>Default</strong> -<code> No host equivalences</code> -<p><br><strong>Example</strong> -<code> hosts equiv = /etc/hosts.equiv</code> -<p><br><a name="include"></a> -<li><strong><strong>include (G)</strong></strong> -<p><br>This allows you to include one config file inside another. The file -is included literally, as though typed in place. -<p><br>It takes the standard substitutions, except <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>, -<a href="smb.conf.5.html#percentP"><strong>%P</strong></a> and <a href="smb.conf.5.html#percentS"><strong>%S</strong></a>. -<p><br><a name="interfaces"></a> -<li><strong><strong>interfaces (G)</strong></strong> -<p><br>This option allows you to setup multiple network interfaces, so that -Samba can properly handle browsing on all interfaces. -<p><br>The option takes a list of ip/netmask pairs. The netmask may either be -a bitmask, or a bitlength. -<p><br>For example, the following line: -<p><br><code>interfaces = 192.168.2.10/24 192.168.3.10/24</code> -<p><br>would configure two network interfaces with IP addresses 192.168.2.10 -and 192.168.3.10. The netmasks of both interfaces would be set to -255.255.255.0. -<p><br>You could produce an equivalent result by using: -<p><br><code>interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0</code> -<p><br>if you prefer that format. -<p><br>If this option is not set then Samba will attempt to find a primary -interface, but won't attempt to configure more than one interface. -<p><br>See also <a href="smb.conf.5.html#bindinterfacesonly"><strong>"bind interfaces only"</strong></a>. -<p><br><a name="invalidusers"></a> -<li><strong><strong>invalid users (S)</strong></strong> -<p><br>This is a list of users that should not be allowed to login to this -service. This is really a <em>"paranoid"</em> check to absolutely ensure an -improper setting does not breach your security. -<p><br>A name starting with a <code>'@'</code> is interpreted as an NIS netgroup first -(if your system supports NIS), and then as a UNIX group if the name -was not found in the NIS netgroup database. -<p><br>A name starting with <code>'+'</code> is interpreted only by looking in the -UNIX group database. A name starting with <code>'&'</code> is interpreted only -by looking in the NIS netgroup database (this requires NIS to be -working on your system). The characters <code>'+'</code> and <code>'&'</code> may be -used at the start of the name in either order so the value -<code>"+&group"</code> means check the UNIX group database, followed by the NIS -netgroup database, and the value <code>"&+group"</code> means check the NIS -netgroup database, followed by the UNIX group database (the same as -the <code>'@'</code> prefix). -<p><br>The current servicename is substituted for -<a href="smb.conf.5.html#percentS"><strong>%S</strong></a>. This is useful in the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> -section. -<p><br>See also <a href="smb.conf.5.html#validusers"><strong>"valid users"</strong></a>. -<p><br><strong>Default:</strong> -<code> No invalid users</code> -<p><br><strong>Example:</strong> -<code> invalid users = root fred admin @wheel</code> -<p><br><a name="keepalive"></a> -<li><strong><strong>keepalive (G)</strong></strong> -<p><br>The value of the parameter (an integer) represents the number of -seconds between <strong>'keepalive'</strong> packets. If this parameter is zero, no -keepalive packets will be sent. Keepalive packets, if sent, allow the -server to tell whether a client is still present and responding. -<p><br>Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see <a href="smb.conf.5.html#socketoptions"><strong>"socket -options"</strong></a>). Basically you should only use this option -if you strike difficulties. -<p><br><strong>Default:</strong> -<code> keep alive = 0</code> -<p><br><strong>Example:</strong> -<code> keep alive = 60</code> -<p><br><a name="kerneloplocks"></a> -<li><strong><strong>kernel oplocks (G)</strong></strong> -<p><br>For UNIXs that support kernel based <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> -(currently only IRIX but hopefully also Linux and FreeBSD soon) this -parameter allows the use of them to be turned on or off. -<p><br>Kernel oplocks support allows Samba <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> to be -broken whenever a local UNIX process or NFS operation accesses a file -that <a href="smbd.8.html"><strong>smbd</strong></a> has oplocked. This allows complete -data consistency between SMB/CIFS, NFS and local file access (and is a -<em>very</em> cool feature :-). -<p><br>This parameter defaults to <em>"On"</em> on systems that have the support, -and <em>"off"</em> on systems that don't. You should never need to touch -this parameter. -<p><br><a name="ldapfilter"></a> -<li><strong><strong>ldap filter (G)</strong></strong> -<p><br>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p><br>This parameter specifies an LDAP search filter used to search for a -user name in the LDAP database. It must contain the string -<a href="smb.conf.5.html#percentU"><strong>%u</strong></a> which will be replaced with the user being -searched for. -<p><br><strong>Default:</strong> -<code> empty string.</code> -<p><br><a name="ldapport"></a> -<li><strong><strong>ldap port (G)</strong></strong> -<p><br>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p><br>This parameter specifies the TCP port number to use to contact -the LDAP server on. -<p><br><strong>Default:</strong> -<code> ldap port = 389.</code> -<p><br><a name="ldaproot"></a> -<li><strong><strong>ldap root (G)</strong></strong> -<p><br>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p><br>This parameter specifies the entity to bind to the LDAP server -as (essentially the LDAP username) in order to be able to perform -queries and modifications on the LDAP database. -<p><br>See also <a href="smb.conf.5.html#ldaprootpasswd"><strong>ldap root passwd</strong></a>. -<p><br><strong>Default:</strong> -<code> empty string (no user defined)</code> -<p><br><a name="ldaprootpasswd"></a> -<li><strong><strong>ldap root passwd (G)</strong></strong> -<p><br>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p><br>This parameter specifies the password for the entity to bind to the -LDAP server as (the password for this LDAP username) in order to be -able to perform queries and modifications on the LDAP database. -<p><br><em>BUGS:</em> This parameter should <em>NOT</em> be a readable parameter -in the <strong>smb.conf</strong> file and will be removed once a correct -storage place is found. -<p><br>See also <a href="smb.conf.5.html#ldaproot"><strong>ldap root</strong></a>. -<p><br><strong>Default:</strong> -<code> empty string.</code> -<p><br><a name="ldapserver"></a> -<li><strong><strong>ldap server (G)</strong></strong> -<p><br>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p><br>This parameter specifies the DNS name of the LDAP server to use -for SMB/CIFS authentication purposes. -<p><br><strong>Default:</strong> -<code> ldap server = localhost</code> -<p><br><a name="ldapsuffix"></a> -<li><strong><strong>ldap suffix (G)</strong></strong> -<p><br>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p><br>This parameter specifies the <code>"dn"</code> or LDAP <em>"distinguished name"</em> -that tells <a href="smbd.8.html"><strong>smbd</strong></a> to start from when searching -for an entry in the LDAP password database. -<p><br><strong>Default:</strong> -<code> empty string.</code> -<p><br><a name="lmannounce"></a> -<li><strong><strong>lm announce (G)</strong></strong> -<p><br>This parameter determines if <a href="nmbd.8.html"><strong>nmbd</strong></a> will produce -Lanman announce broadcasts that are needed by <strong>OS/2</strong> clients in order -for them to see the Samba server in their browse list. This parameter -can have three values, <code>"true"</code>, <code>"false"</code>, or <code>"auto"</code>. The -default is <code>"auto"</code>. If set to <code>"false"</code> Samba will never produce -these broadcasts. If set to <code>"true"</code> Samba will produce Lanman -announce broadcasts at a frequency set by the parameter <a href="smb.conf.5.html#lminterval"><strong>"lm -interval"</strong></a>. If set to <code>"auto"</code> Samba will not send Lanman -announce broadcasts by default but will listen for them. If it hears -such a broadcast on the wire it will then start sending them at a -frequency set by the parameter <a href="smb.conf.5.html#lminterval"><strong>"lm interval"</strong></a>. -<p><br>See also <a href="smb.conf.5.html#lminterval"><strong>"lm interval"</strong></a>. -<p><br><strong>Default:</strong> -<code> lm announce = auto</code> -<p><br><strong>Example:</strong> -<code> lm announce = true</code> -<p><br><a name="lminterval"></a> -<li><strong><strong>lm interval (G)</strong></strong> -<p><br>If Samba is set to produce Lanman announce broadcasts needed by -<strong>OS/2</strong> clients (see the <a href="smb.conf.5.html#lmannounce"><strong>"lm announce"</strong></a> -parameter) then this parameter defines the frequency in seconds with -which they will be made. If this is set to zero then no Lanman -announcements will be made despite the setting of the <a href="smb.conf.5.html#lmannounce"><strong>"lm -announce"</strong></a> parameter. -<p><br>See also <a href="smb.conf.5.html#lmannounce"><strong>"lm announce"</strong></a>. -<p><br><strong>Default:</strong> -<code> lm interval = 60</code> -<p><br><strong>Example:</strong> -<code> lm interval = 120</code> -<p><br><a name="loadprinters"></a> -<li><strong><strong>load printers (G)</strong></strong> -<p><br>A boolean variable that controls whether all printers in the printcap -will be loaded for browsing by default. See the -<a href="smb.conf.5.html#printers"><strong>"printers"</strong></a> section for more details. -<p><br><strong>Default:</strong> -<code> load printers = yes</code> -<p><br><strong>Example:</strong> -<code> load printers = no</code> -<p><br><a name="localmaster"></a> -<li><strong><strong>local master (G)</strong></strong> -<p><br>This option allows <a href="nmbd.8.html"><strong>nmbd</strong></a> to try and become a -local master browser on a subnet. If set to False then -<a href="nmbd.8.html"><strong>nmbd</strong></a> will not attempt to become a local master -browser on a subnet and will also lose in all browsing elections. By -default this value is set to true. Setting this value to true doesn't -mean that Samba will <em>become</em> the local master browser on a subnet, -just that <a href="nmbd.8.html"><strong>nmbd</strong></a> will <em>participate</em> in -elections for local master browser. -<p><br>Setting this value to False will cause <a href="nmbd.8.html"><strong>nmbd</strong></a> -<em>never</em> to become a local master browser. -<p><br><strong>Default:</strong> -<code> local master = yes</code> -<p><br><a name="lockdir"></a> -<li><strong><strong>lock dir (G)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#lockdirectory"><strong>"lock directory"</strong></a>. -<p><br><a name="lockdirectory"></a> -<li><strong><strong>lock directory (G)</strong></strong> -<p><br>This option specifies the directory where lock files will be placed. -The lock files are used to implement the <a href="smb.conf.5.html#maxconnections"><strong>"max -connections"</strong></a> option. -<p><br><strong>Default:</strong> -<code> lock directory = /tmp/samba</code> -<p><br><strong>Example:</strong> -<code> lock directory = /usr/local/samba/var/locks</code> -<p><br><a name="locking"></a> -<li><strong><strong>locking (S)</strong></strong> -<p><br>This controls whether or not locking will be performed by the server -in response to lock requests from the client. -<p><br>If <code>"locking = no"</code>, all lock and unlock requests will appear to -succeed and all lock queries will indicate that the queried lock is -clear. -<p><br>If <code>"locking = yes"</code>, real locking will be performed by the server. -<p><br>This option <em>may</em> be useful for read-only filesystems which <em>may</em> -not need locking (such as cdrom drives), although setting this -parameter of <code>"no"</code> is not really recommended even in this case. -<p><br>Be careful about disabling locking either globally or in a specific -service, as lack of locking may result in data corruption. You should -never need to set this parameter. -<p><br><strong>Default:</strong> -<code> locking = yes</code> -<p><br><strong>Example:</strong> -<code> locking = no</code> -<p><br><a name="logfile"></a> -<li><strong><strong>log file (G)</strong></strong> -<p><br>This options allows you to override the name of the Samba log file -(also known as the debug file). -<p><br>This option takes the standard substitutions, allowing you to have -separate log files for each user or machine. -<p><br><strong>Example:</strong> -<code> log file = /usr/local/samba/var/log.%m</code> -<p><br><a name="loglevel"></a> -<li><strong><strong>log level (G)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a>. -<p><br><a name="logondrive"></a> -<li><strong><strong>logon drive (G)</strong></strong> -<p><br>This parameter specifies the local path to which the home directory -will be connected (see <a href="smb.conf.5.html#logonhome"><strong>"logon home"</strong></a>) and is only -used by NT Workstations. -<p><br>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><br><strong>Example:</strong> -<code> logon drive = h:</code> -<p><br><a name="logonhome"></a> -<li><strong><strong>logon home (G)</strong></strong> -<p><br>This parameter specifies the home directory location when a Win95/98 or -NT Workstation logs into a Samba PDC. It allows you to do -<p><br><code>"NET USE H: /HOME"</code> -<p><br>from a command prompt, for example. -<p><br>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. -<p><br>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><br><strong>Example:</strong> -<code> logon home = "\\remote_smb_server\%U"</code> -<p><br><strong>Default:</strong> -<code> logon home = "\\%N\%U"</code> -<p><br><a name="logonpath"></a> -<li><strong><strong>logon path (G)</strong></strong> -<p><br>This parameter specifies the home directory where roaming profiles -(USER.DAT / USER.MAN files for Windows 95/98) are stored. -<p><br>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. It also specifies -the directory from which the <code>"desktop"</code>, <code>"start menu"</code>, -<code>"network neighborhood"</code> and <code>"programs"</code> folders, and their -contents, are loaded and displayed on your Windows 95/98 client. -<p><br>The share and the path must be readable by the user for the -preferences and directories to be loaded onto the Windows 95/98 -client. The share must be writeable when the logs in for the first -time, in order that the Windows 95/98 client can create the user.dat -and other directories. -<p><br>Thereafter, the directories and any of the contents can, if required, be -made read-only. It is not advisable that the USER.DAT file be made -read-only - rename it to USER.MAN to achieve the desired effect (a -<em>MAN</em>datory profile). -<p><br>Windows clients can sometimes maintain a connection to the [homes] -share, even though there is no user logged in. Therefore, it is vital -that the logon path does not include a reference to the homes share -(i.e. setting this parameter to <code>\\%N\HOMES\profile_path</code> will cause -problems). -<p><br>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. -<p><br>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><br><strong>Default:</strong> -<code> logon path = \\%N\%U\profile</code> -<p><br><strong>Example:</strong> -<code> logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE</code> -<p><br><a name="logonscript"></a> -<li><strong><strong>logon script (G)</strong></strong> -<p><br>This parameter specifies the batch file (.bat) or NT command file -(.cmd) to be downloaded and run on a machine when a user successfully -logs in. The file must contain the DOS style cr/lf line endings. -Using a DOS-style editor to create the file is recommended. -<p><br>The script must be a relative path to the <code>[netlogon]</code> service. If -the <code>[netlogon]</code> service specifies a <a href="smb.conf.5.html#path"><strong>path</strong></a> of -/usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the -file that will be downloaded is: -<p><br><code>/usr/local/samba/netlogon/STARTUP.BAT</code> -<p><br>The contents of the batch file is entirely your choice. A suggested -command would be to add <code>NET TIME \\SERVER /SET /YES</code>, to force every -machine to synchronize clocks with the same time server. Another use -would be to add <code>NET USE U: \\SERVER\UTILS</code> for commonly used -utilities, or <code>NET USE Q: \\SERVER\ISO9001_QA</code> for example. -<p><br>Note that it is particularly important not to allow write access to -the <code>[netlogon]</code> share, or to grant users write permission on the -batch files in a secure environment, as this would allow the batch -files to be arbitrarily modified and security to be breached. -<p><br>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. -<p><br>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><br><strong>Example:</strong> -<code> logon script = scripts\%U.bat</code> -<p><br><a name="lppausecommand"></a> -<li><strong><strong>lppause command (S)</strong></strong> -<p><br>This parameter specifies the command to be executed on the server host -in order to stop printing or spooling a specific print job. -<p><br>This command should be a program or script which takes a printer name -and job number to pause the print job. One way of implementing this is -by using job priorities, where jobs having a too low priority won't be -sent to the printer. -<p><br>If a <code>"%p"</code> is given then the printername is put in its place. A -<code>"%j"</code> is replaced with the job number (an integer). On HPUX (see -<a href="smb.conf.5.html#printing"><strong>printing=hpux</strong></a>), if the <code>"-p%p"</code> option is added -to the lpq command, the job will show up with the correct status, -i.e. if the job priority is lower than the set fence priority it will -have the PAUSED status, whereas if the priority is equal or higher it -will have the SPOOLED or PRINTING status. -<p><br>Note that it is good practice to include the absolute path in the -lppause command as the PATH may not be available to the server. -<p><br>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><br><strong>Default:</strong> - Currently no default value is given to this string, unless the -value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>SYSV</code>, in -which case the default is : -<p><br><code> lp -i %p-%j -H hold</code> -<p><br>or if the value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>softq</code>, -then the default is: -<p><br><code> qstat -s -j%j -h</code> -<p><br><strong>Example for HPUX:</strong> - lppause command = /usr/bin/lpalt %p-%j -p0 -<p><br><a name="lpqcachetime"></a> -<li><strong><strong>lpq cache time (G)</strong></strong> -<p><br>This controls how long lpq info will be cached for to prevent the -<strong>lpq</strong> command being called too often. A separate cache is kept for -each variation of the <strong>lpq</strong> command used by the system, so if you -use different <strong>lpq</strong> commands for different users then they won't -share cache information. -<p><br>The cache files are stored in <code>/tmp/lpq.xxxx</code> where xxxx is a hash of -the <strong>lpq</strong> command in use. -<p><br>The default is 10 seconds, meaning that the cached results of a -previous identical <strong>lpq</strong> command will be used if the cached data is -less than 10 seconds old. A large value may be advisable if your -<strong>lpq</strong> command is very slow. -<p><br>A value of 0 will disable caching completely. -<p><br>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> lpq cache time = 10</code> -<p><br><strong>Example:</strong> -<code> lpq cache time = 30</code> -<p><br><a name="lpqcommand"></a> -<li><strong><strong>lpq command (S)</strong></strong> -<p><br>This parameter specifies the command to be executed on the server host -in order to obtain <code>"lpq"</code>-style printer status information. -<p><br>This command should be a program or script which takes a printer name -as its only parameter and outputs printer status information. -<p><br>Currently eight styles of printer status information are supported; -BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX -systems. You control which type is expected using the -<a href="smb.conf.5.html#printing"><strong>"printing ="</strong></a> option. -<p><br>Some clients (notably Windows for Workgroups) may not correctly send -the connection number for the printer they are requesting status -information about. To get around this, the server reports on the first -printer service connected to by the client. This only happens if the -connection number sent is invalid. -<p><br>If a <code>%p</code> is given then the printername is put in its place. Otherwise -it is placed at the end of the command. -<p><br>Note that it is good practice to include the absolute path in the <strong>lpq -command</strong> as the PATH may not be available to the server. -<p><br>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> depends on the setting of printing =</code> -<p><br><strong>Example:</strong> -<code> lpq command = /usr/bin/lpq %p</code> -<p><br><a name="lpresumecommand"></a> -<li><strong><strong>lpresume command (S)</strong></strong> -<p><br>This parameter specifies the command to be executed on the server host -in order to restart or continue printing or spooling a specific print -job. -<p><br>This command should be a program or script which takes a printer name -and job number to resume the print job. See also the <a href="smb.conf.5.html#lppausecommand"><strong>"lppause -command"</strong></a> parameter. -<p><br>If a <code>%p</code> is given then the printername is put in its place. A -<code>%j</code> is replaced with the job number (an integer). -<p><br>Note that it is good practice to include the absolute path in the <strong>lpresume -command</strong> as the PATH may not be available to the server. -<p><br>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><br><strong>Default:</strong> -<p><br>Currently no default value is given to this string, unless the -value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>SYSV</code>, in -which case the default is : -<p><br><code> lp -i %p-%j -H resume</code> -<p><br>or if the value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>softq</code>, -then the default is: -<p><br><code> qstat -s -j%j -r</code> -<p><br><strong>Example for HPUX:</strong> -<code> lpresume command = /usr/bin/lpalt %p-%j -p2</code> -<p><br><a name="lprmcommand"></a> -<li><strong><strong>lprm command (S)</strong></strong> -<p><br>This parameter specifies the command to be executed on the server host -in order to delete a print job. -<p><br>This command should be a program or script which takes a printer name -and job number, and deletes the print job. -<p><br>If a <code>%p</code> is given then the printername is put in its place. A -<code>%j</code> is replaced with the job number (an integer). -<p><br>Note that it is good practice to include the absolute path in the -<strong>lprm command</strong> as the PATH may not be available to the server. -<p><br>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> depends on the setting of "printing ="</code> -<p><br><strong>Example 1:</strong> -<code> lprm command = /usr/bin/lprm -P%p %j</code> -<p><br><strong>Example 2:</strong> -<code> lprm command = /usr/bin/cancel %p-%j</code> -<p><br><a name="machinepasswordtimeout"></a> -<li><strong><strong>machine password timeout (G)</strong></strong> -<p><br>If a Samba server is a member of an Windows NT Domain (see the -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>) parameter) then -periodically a running <a href="smbd.8.html"><strong>smbd</strong></a> process will try and -change the <strong>MACHINE ACCOUNT PASWORD</strong> stored in the file called -<code><Domain>.<Machine>.mac</code> where <code><Domain></code> is the name of the -Domain we are a member of and <code><Machine></code> is the primary -<a href="smb.conf.5.html#netbiosname"><strong>"NetBIOS name"</strong></a> of the machine -<a href="smbd.8.html"><strong>smbd</strong></a> is running on. This parameter specifies how -often this password will be changed, in seconds. The default is one -week (expressed in seconds), the same as a Windows NT Domain member -server. -<p><br>See also <a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, and the -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>) parameter. -<p><br><strong>Default:</strong> -<code> machine password timeout = 604800</code> -<p><br><a name="magicoutput"></a> -<li><strong><strong>magic output (S)</strong></strong> -<p><br>This parameter specifies the name of a file which will contain output -created by a magic script (see the <a href="smb.conf.5.html#magicscript"><strong>"magic -script"</strong></a> parameter below). -<p><br>Warning: If two clients use the same <a href="smb.conf.5.html#magicscript"><strong>"magic -script"</strong></a> in the same directory the output file content -is undefined. -<p><br><strong>Default:</strong> -<code> magic output = <magic script name>.out</code> -<p><br><strong>Example:</strong> -<code> magic output = myfile.txt</code> -<p><br><a name="magicscript"></a> -<li><strong><strong>magic script (S)</strong></strong> -<p><br>This parameter specifies the name of a file which, if opened, will be -executed by the server when the file is closed. This allows a UNIX -script to be sent to the Samba host and executed on behalf of the -connected user. -<p><br>Scripts executed in this way will be deleted upon completion, -permissions permitting. -<p><br>If the script generates output, output will be sent to the file -specified by the <a href="smb.conf.5.html#magicoutput"><strong>"magic output"</strong></a> parameter (see -above). -<p><br>Note that some shells are unable to interpret scripts containing -carriage-return-linefeed instead of linefeed as the end-of-line -marker. Magic scripts must be executable <em>"as is"</em> on the host, -which for some hosts and some shells will require filtering at the DOS -end. -<p><br>Magic scripts are <em>EXPERIMENTAL</em> and should <em>NOT</em> be relied upon. -<p><br><strong>Default:</strong> -<code> None. Magic scripts disabled.</code> -<p><br><strong>Example:</strong> -<code> magic script = user.csh</code> -<p><br><a name="manglecase"></a> -<li><strong><strong>mangle case (S)</strong></strong> -<p><br>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a>. -<p><br><a name="mangledmap"></a> -<li><strong><strong>mangled map (S)</strong></strong> -<p><br>This is for those who want to directly map UNIX file names which can -not be represented on Windows/DOS. The mangling of names is not always -what is needed. In particular you may have documents with file -extensions that differ between DOS and UNIX. For example, under UNIX -it is common to use <code>".html"</code> for HTML files, whereas under -Windows/DOS <code>".htm"</code> is more commonly used. -<p><br>So to map <code>"html"</code> to <code>"htm"</code> you would use: -<p><br><code> mangled map = (*.html *.htm)</code> -<p><br>One very useful case is to remove the annoying <code>";1"</code> off the ends -of filenames on some CDROMS (only visible under some UNIXs). To do -this use a map of (*;1 *). -<p><br><strong>default:</strong> -<code> no mangled map</code> -<p><br><strong>Example:</strong> -<code> mangled map = (*;1 *)</code> -<p><br><a name="manglednames"></a> -<li><strong><strong>mangled names (S)</strong></strong> -<p><br>This controls whether non-DOS names under UNIX should be mapped to -DOS-compatible names ("mangled") and made visible, or whether non-DOS -names should simply be ignored. -<p><br>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a> for details -on how to control the mangling process. -<p><br>If mangling is used then the mangling algorithm is as follows: -<p><br><ul> -<p><br><li > The first (up to) five alphanumeric characters before the -rightmost dot of the filename are preserved, forced to upper case, and -appear as the first (up to) five characters of the mangled name. -<p><br><li > A tilde <code>"~"</code> is appended to the first part of the mangled -name, followed by a two-character unique sequence, based on the -original root name (i.e., the original filename minus its final -extension). The final extension is included in the hash calculation -only if it contains any upper case characters or is longer than three -characters. -<p><br>Note that the character to use may be specified using the -<a href="smb.conf.5.html#manglingchar"><strong>"mangling char"</strong></a> option, if you don't like -<code>'~'</code>. -<p><br><li > The first three alphanumeric characters of the final extension -are preserved, forced to upper case and appear as the extension of the -mangled name. The final extension is defined as that part of the -original filename after the rightmost dot. If there are no dots in the -filename, the mangled name will have no extension (except in the case -of <a href="smb.conf.5.html#hidefiles"><strong>"hidden files"</strong></a> - see below). -<p><br><li > Files whose UNIX name begins with a dot will be presented as DOS -hidden files. The mangled name will be created as for other filenames, -but with the leading dot removed and <code>"___"</code> as its extension regardless -of actual original extension (that's three underscores). -<p><br></ul> -<p><br>The two-digit hash value consists of upper case alphanumeric -characters. -<p><br>This algorithm can cause name collisions only if files in a directory -share the same first five alphanumeric characters. The probability of -such a clash is 1/1300. -<p><br>The name mangling (if enabled) allows a file to be copied between UNIX -directories from Windows/DOS while retaining the long UNIX -filename. UNIX files can be renamed to a new extension from -Windows/DOS and will retain the same basename. Mangled names do not -change between sessions. -<p><br><strong>Default:</strong> -<code> mangled names = yes</code> -<p><br><strong>Example:</strong> -<code> mangled names = no</code> -<p><br><a name="manglingchar"></a> -<li><strong><strong>mangling char (S)</strong></strong> -<p><br>This controls what character is used as the <em>"magic"</em> character in -<a href="smb.conf.5.html#manglednames"><strong>name mangling</strong></a>. The default is a <code>'~'</code> but -this may interfere with some software. Use this option to set it to -whatever you prefer. -<p><br><strong>Default:</strong> -<code> mangling char = ~</code> -<p><br><strong>Example:</strong> -<code> mangling char = ^</code> -<p><br><a name="mangledstack"></a> -<li><strong><strong>mangled stack (G)</strong></strong> -<p><br>This parameter controls the number of mangled names that should be -cached in the Samba server <a href="smbd.8.html"><strong>smbd</strong></a>. -<p><br>This stack is a list of recently mangled base names (extensions are -only maintained if they are longer than 3 characters or contains upper -case characters). -<p><br>The larger this value, the more likely it is that mangled names can be -successfully converted to correct long UNIX names. However, large -stack sizes will slow most directory access. Smaller stacks save -memory in the server (each stack element costs 256 bytes). -<p><br>It is not possible to absolutely guarantee correct long file names, so -be prepared for some surprises! -<p><br><strong>Default:</strong> -<code> mangled stack = 50</code> -<p><br><strong>Example:</strong> -<code> mangled stack = 100</code> -<p><br><a name="maparchive"></a> -<li><strong><strong>map archive (S)</strong></strong> -<p><br>This controls whether the DOS archive attribute should be mapped to -the UNIX owner execute bit. The DOS archive bit is set when a file -has been modified since its last backup. One motivation for this -option it to keep Samba/your PC from making any file it touches from -becoming executable under UNIX. This can be quite annoying for shared -source code, documents, etc... -<p><br>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> -parameter to be set such that owner execute bit is not masked out -(i.e. it must include 100). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create -mask"</strong></a> for details. -<p><br><strong>Default:</strong> -<code> map archive = yes</code> -<p><br><strong>Example:</strong> -<code> map archive = no</code> -<p><br><a name="maphidden"></a> -<li><strong><strong>map hidden (S)</strong></strong> -<p><br>This controls whether DOS style hidden files should be mapped to the -UNIX world execute bit. -<p><br>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> to be -set such that the world execute bit is not masked out (i.e. it must -include 001). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> -for details. -<p><br><strong>Default:</strong> -<code> map hidden = no</code> -<p><br><strong>Example:</strong> -<code> map hidden = yes</code> -<p><br><a name="mapsystem"></a> -<li><strong><strong>map system (S)</strong></strong> -<p><br>This controls whether DOS style system files should be mapped to the -UNIX group execute bit. -<p><br>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> to be -set such that the group execute bit is not masked out (i.e. it must -include 010). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> -for details. -<p><br><strong>Default:</strong> -<code> map system = no</code> -<p><br><strong>Example:</strong> -<code> map system = yes</code> -<p><br><a name="maptoguest"></a> -<li><strong><strong>map to guest (G)</strong></strong> -<p><br>This parameter is only useful in <a href="smb.conf.5.html#security"><strong>security</strong></a> modes -other than <a href="smb.conf.5.html#securityequalshare"><strong>"security=share"</strong></a> - i.e. user, -server, and domain. -<p><br>This parameter can take three different values, which tell -<a href="smbd.8.html"><strong>smbd</strong></a> what to do with user login requests that -don't match a valid UNIX user in some way. -<p><br>The three settings are : -<p><br><ul> -<p><br><li > <strong>"Never"</strong> - Means user login requests with an invalid password -are rejected. This is the default. -<p><br><li > <strong>"Bad User"</strong> - Means user logins with an invalid password are -rejected, unless the username does not exist, in which case it is -treated as a guest login and mapped into the <a href="smb.conf.5.html#guestaccount"><strong>"guest -account"</strong></a>. -<p><br><li > <strong>"Bad Password"</strong> - Means user logins with an invalid -password are treated as a guest login and mapped into the -<a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. Note that this can -cause problems as it means that any user incorrectly typing their -password will be silently logged on a <strong>"guest"</strong> - and -will not know the reason they cannot access files they think -they should - there will have been no message given to them -that they got their password wrong. Helpdesk services will -<em>*hate*</em> you if you set the <strong>"map to guest"</strong> parameter -this way :-). -<p><br></ul> -<p><br>Note that this parameter is needed to set up <strong>"Guest"</strong> share -services when using <a href="smb.conf.5.html#security"><strong>security</strong></a> modes other than -share. This is because in these modes the name of the resource being -requested is <em>*not*</em> sent to the server until after the server has -successfully authenticated the client so the server cannot make -authentication decisions at the correct time (connection to the -share) for <strong>"Guest"</strong> shares. -<p><br>For people familiar with the older Samba releases, this parameter -maps to the old compile-time setting of the GUEST_SESSSETUP value -in local.h. -<p><br><strong>Default:</strong> -<code> map to guest = Never</code> - <strong>Example</strong>: -<code> map to guest = Bad User</code> -<p><br><a name="maxconnections"></a> -<li><strong><strong>max connections (S)</strong></strong> -<p><br>This option allows the number of simultaneous connections to a service -to be limited. If <strong>"max connections"</strong> is greater than 0 then -connections will be refused if this number of connections to the -service are already open. A value of zero mean an unlimited number of -connections may be made. -<p><br>Record lock files are used to implement this feature. The lock files -will be stored in the directory specified by the <a href="smb.conf.5.html#lockdirectory"><strong>"lock -directory"</strong></a> option. -<p><br><strong>Default:</strong> -<code> max connections = 0</code> -<p><br><strong>Example:</strong> -<code> max connections = 10</code> -<p><br><a name="maxdisksize"></a> -<li><strong><strong>max disk size (G)</strong></strong> -<p><br>This option allows you to put an upper limit on the apparent size of -disks. If you set this option to 100 then all shares will appear to be -not larger than 100 MB in size. -<p><br>Note that this option does not limit the amount of data you can put on -the disk. In the above case you could still store much more than 100 -MB on the disk, but if a client ever asks for the amount of free disk -space or the total disk size then the result will be bounded by the -amount specified in <strong>"max disk size"</strong>. -<p><br>This option is primarily useful to work around bugs in some pieces of -software that can't handle very large disks, particularly disks over -1GB in size. -<p><br>A <strong>"max disk size"</strong> of 0 means no limit. -<p><br><strong>Default:</strong> -<code> max disk size = 0</code> -<p><br><strong>Example:</strong> -<code> max disk size = 1000</code> -<p><br><a name="maxlogsize"></a> -<li><strong><strong>max log size (G)</strong></strong> -<p><br>This option (an integer in kilobytes) specifies the max size the log -file should grow to. Samba periodically checks the size and if it is -exceeded it will rename the file, adding a <code>".old"</code> extension. -<p><br>A size of 0 means no limit. -<p><br><strong>Default:</strong> -<code> max log size = 5000</code> -<p><br><strong>Example:</strong> -<code> max log size = 1000</code> -<p><br><a name="maxmux"></a> -<li><strong><strong>max mux (G)</strong></strong> -<p><br>This option controls the maximum number of outstanding simultaneous -SMB operations that samba tells the client it will allow. You should -never need to set this parameter. -<p><br><strong>Default:</strong> -<code> max mux = 50</code> -<p><br><a name="maxopenfiles"></a> -<li><strong><strong>maxopenfiles (G)</strong></strong> -<p><br>This parameter limits the maximum number of open files that one -<a href="smbd.8.html"><strong>smbd</strong></a> file serving process may have open for -a client at any one time. The default for this parameter is set -very high (10,000) as Samba uses only one bit per unopened file. -<p><br>The limit of the number of open files is usually set by the -UNIX per-process file descriptor limit rather than this parameter -so you should never need to touch this parameter. -<p><br><strong>Default:</strong> -<code> max open files = 10000</code> -<p><br><a name="maxpacket"></a> -<li><strong><strong>max packet (G)</strong></strong> -<p><br>Synonym for <a name="<strong>"packetsize"</strong>"></a>(packetsize). -<p><br><a name="maxttl"></a> -<li><strong><strong>max ttl (G)</strong></strong> -<p><br>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> what the default 'time -to live' of NetBIOS names should be (in seconds) when -<a href="nmbd.8.html"><strong>nmbd</strong></a> is requesting a name using either a -broadcast packet or from a WINS server. You should never need to -change this parameter. The default is 3 days. -<p><br><strong>Default:</strong> -<code> max ttl = 259200</code> -<p><br><a name="maxwinsttl"></a> -<li><strong><strong>max wins ttl (G)</strong></strong> -<p><br>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS -server <a href="smb.conf.5.html#winssupport"><strong>(wins support =true)</strong></a> what the maximum -'time to live' of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will -grant will be (in seconds). You should never need to change this -parameter. The default is 6 days (518400 seconds). -<p><br>See also the <a href="smb.conf.5.html#minwinsttl"><strong>"min wins ttl"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> max wins ttl = 518400</code> -<p><br><a name="maxxmit"></a> -<li><strong><strong>max xmit (G)</strong></strong> -<p><br>This option controls the maximum packet size that will be negotiated -by Samba. The default is 65535, which is the maximum. In some cases -you may find you get better performance with a smaller value. A value -below 2048 is likely to cause problems. -<p><br><strong>Default:</strong> -<code> max xmit = 65535</code> -<p><br><strong>Example:</strong> -<code> max xmit = 8192</code> -<p><br><a name="messagecommand"></a> -<li><strong><strong>message command (G)</strong></strong> -<p><br>This specifies what command to run when the server receives a WinPopup -style message. -<p><br>This would normally be a command that would deliver the message -somehow. How this is to be done is up to your imagination. -<p><br>An example is: -<p><br><code> message command = csh -c 'xedit %s;rm %s' &</code> -<p><br>This delivers the message using <strong>xedit</strong>, then removes it -afterwards. <em>NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN -IMMEDIATELY</em>. That's why I have the <code>'&'</code> on the end. If it doesn't -return immediately then your PCs may freeze when sending messages -(they should recover after 30secs, hopefully). -<p><br>All messages are delivered as the global guest user. The command takes -the standard substitutions, although <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> won't work -(<a href="smb.conf.5.html#percentU"><strong>%U</strong></a> may be better in this case). -<p><br>Apart from the standard substitutions, some additional ones apply. In -particular: -<p><br><ul> -<p><br><li > <code>"%s"</code> = the filename containing the message. -<p><br><li > <code>"%t"</code> = the destination that the message was sent to (probably the server -name). -<p><br><li > <code>"%f"</code> = who the message is from. -<p><br></ul> -<p><br>You could make this command send mail, or whatever else takes your -fancy. Please let us know of any really interesting ideas you have. -<p><br>Here's a way of sending the messages as mail to root: -<p><br><code>message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s</code> -<p><br>If you don't have a message command then the message won't be -delivered and Samba will tell the sender there was an -error. Unfortunately WfWg totally ignores the error code and carries -on regardless, saying that the message was delivered. -<p><br>If you want to silently delete it then try: -<p><br><code>"message command = rm %s"</code>. -<p><br>For the really adventurous, try something like this: -<p><br><code>message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient -M %m; rm %s' &</code> -<p><br>this would execute the command as a script on the server, then give -them the result in a WinPopup message. Note that this could cause a -loop if you send a message from the server using smbclient! You better -wrap the above in a script that checks for this :-) -<p><br><strong>Default:</strong> -<code> no message command</code> -<p><br><strong>Example:</strong> -<code> message command = csh -c 'xedit %s;rm %s' &</code> -<p><br><a name="minprintspace"></a> -<li><strong><strong>min print space (S)</strong></strong> -<p><br>This sets the minimum amount of free disk space that must be available -before a user will be able to spool a print job. It is specified in -kilobytes. The default is 0, which means a user can always spool a print -job. -<p><br>See also the <a href="smb.conf.5.html#printing"><strong>printing</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> min print space = 0</code> -<p><br><strong>Example:</strong> -<code> min print space = 2000</code> -<p><br><a name="minwinsttl"></a> -<li><strong><strong>min wins ttl (G)</strong></strong> -<p><br>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS -server <a href="smb.conf.5.html#winssupport"><strong>(wins support = true)</strong></a> what the minimum -'time to live' of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will -grant will be (in seconds). You should never need to change this -parameter. The default is 6 hours (21600 seconds). -<p><br><strong>Default:</strong> -<code> min wins ttl = 21600</code> -<p><br><a name="nameresolveorder"></a> -<li><strong><strong>name resolve order (G)</strong></strong> -<p><br>This option is used by the programs in the Samba suite to determine -what naming services and in what order to resolve host names to IP -addresses. The option takes a space separated string of different name -resolution options. -<p><br>The options are :"lmhosts", "host", "wins" and "bcast". They cause -names to be resolved as follows : -<p><br><ul> -<p><br><li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file. -<p><br><li > <strong>host</strong> : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system depended for instance on IRIX or -Solaris this may be controlled by the <em>/etc/nsswitch.conf</em> file). -<p><br><li > <strong>wins</strong> : Query a name with the IP address listed in the -<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter. If no WINS server has -been specified this method will be ignored. -<p><br><li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces -listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter. This is the -least reliable of the name resolution methods as it depends on the -target host being on a locally connected subnet. -<p><br></ul> -<p><br><strong>Default:</strong> -<code> name resolve order = lmhosts host wins bcast</code> -<p><br><strong>Example:</strong> -<code> name resolve order = lmhosts bcast host</code> -<p><br>This will cause the local lmhosts file to be examined first, followed -by a broadcast attempt, followed by a normal system hostname lookup. -<p><br><a name="netbiosaliases"></a> -<li><strong><strong>netbios aliases (G)</strong></strong> -<p><br>This is a list of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will -advertise as additional names by which the Samba server is known. This -allows one machine to appear in browse lists under multiple names. If -a machine is acting as a <a href="smb.conf.5.html#localmaster"><strong>browse server</strong></a> or -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a> none of these names will be -advertised as either browse server or logon servers, only the primary -name of the machine will be advertised with these capabilities. -<p><br>See also <a href="smb.conf.5.html#netbiosname"><strong>"netbios name"</strong></a>. -<p><br><strong>Default:</strong> -<code> empty string (no additional names)</code> -<p><br><strong>Example:</strong> -<code> netbios aliases = TEST TEST1 TEST2</code> -<p><br><a name="netbiosname"></a> -<li><strong><strong>netbios name (G)</strong></strong> -<p><br>This sets the NetBIOS name by which a Samba server is known. By -default it is the same as the first component of the host's DNS name. -If a machine is a <a href="smb.conf.5.html#localmaster"><strong>browse server</strong></a> or -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a> this name (or the first component -of the hosts DNS name) will be the name that these services are -advertised under. -<p><br>See also <a href="smb.conf.5.html#netbiosaliases"><strong>"netbios aliases"</strong></a>. -<p><br><strong>Default:</strong> -<code> Machine DNS name.</code> -<p><br><strong>Example:</strong> -<code> netbios name = MYNAME</code> -<p><br><a name="nishomedir"></a> -<li><strong><strong>nis homedir (G)</strong></strong> -<p><br>Get the home share server from a NIS map. For UNIX systems that use an -automounter, the user's home directory will often be mounted on a -workstation on demand from a remote server. -<p><br>When the Samba logon server is not the actual home directory server, -but is mounting the home directories via NFS then two network hops -would be required to access the users home directory if the logon -server told the client to use itself as the SMB server for home -directories (one over SMB and one over NFS). This can be very -slow. -<p><br>This option allows Samba to return the home share as being on a -different server to the logon server and as long as a Samba daemon is -running on the home directory server, it will be mounted on the Samba -client directly from the directory server. When Samba is returning the -home share to the client, it will consult the NIS map specified in -<a href="smb.conf.5.html#homedirmap"><strong>"homedir map"</strong></a> and return the server listed -there. -<p><br>Note that for this option to work there must be a working NIS -system and the Samba server with this option must also be a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><br><strong>Default:</strong> -<code> nis homedir = false</code> -<p><br><strong>Example:</strong> -<code> nis homedir = true</code> -<p><br><a name="ntpipesupport"></a> -<li><strong><strong>nt pipe support (G)</strong></strong> -<p><br>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a> -will allow Windows NT clients to connect to the NT SMB specific -<code>IPC$</code> pipes. This is a developer debugging option and can be left -alone. -<p><br><strong>Default:</strong> -<code> nt pipe support = yes</code> -<p><br><a name="ntsmbsupport"></a> -<li><strong><strong>nt smb support (G)</strong></strong> -<p><br>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a> -will negotiate NT specific SMB support with Windows NT -clients. Although this is a developer debugging option and should be -left alone, benchmarking has discovered that Windows NT clients give -faster performance with this option set to <code>"no"</code>. This is still -being investigated. If this option is set to <code>"no"</code> then Samba -offers exactly the same SMB calls that versions prior to Samba2.0 -offered. This information may be of use if any users are having -problems with NT SMB support. -<p><br><strong>Default:</strong> -<code> nt support = yes</code> -<p><br><a name="nullpasswords"></a> -<li><strong><strong>null passwords (G)</strong></strong> -<p><br>Allow or disallow client access to accounts that have null passwords. -<p><br>See also <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a>. -<p><br><strong>Default:</strong> -<code> null passwords = no</code> -<p><br><strong>Example:</strong> -<code> null passwords = yes</code> -<p><br><a name="olelockingcompatibility"></a> -<li><strong><strong>ole locking compatibility (G)</strong></strong> -<p><br>This parameter allows an administrator to turn off the byte range lock -manipulation that is done within Samba to give compatibility for OLE -applications. Windows OLE applications use byte range locking as a -form of inter-process communication, by locking ranges of bytes around -the 2^32 region of a file range. This can cause certain UNIX lock -managers to crash or otherwise cause problems. Setting this parameter -to <code>"no"</code> means you trust your UNIX lock manager to handle such cases -correctly. -<p><br><strong>Default:</strong> -<code> ole locking compatibility = yes</code> -<p><br><strong>Example:</strong> -<code> ole locking compatibility = no</code> -<p><br><a name="onlyguest"></a> -<li><strong><strong>only guest (S)</strong></strong> -<p><br>A synonym for <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a>. -<p><br><a name="onlyuser"></a> -<li><strong><strong>only user (S)</strong></strong> -<p><br>This is a boolean option that controls whether connections with -usernames not in the <a href="smb.conf.5.html#user"><strong>user=</strong></a> list will be allowed. By -default this option is disabled so a client can supply a username to -be used by the server. -<p><br>Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> -section. To get around this you could use "<a href="smb.conf.5.html#user"><strong>user</strong></a> = -<a href="smb.conf.5.html#percentS"><strong>%S</strong></a>" which means your <a href="smb.conf.5.html#user"><strong>"user"</strong></a> list -will be just the service name, which for home directories is the name -of the user. -<p><br>See also the <a href="smb.conf.5.html#user"><strong>user</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> only user = False</code> -<p><br><strong>Example:</strong> -<code> only user = True</code> -<p><br><a name="oplocks"></a> -<li><strong><strong>oplocks (S)</strong></strong> -<p><br>This boolean option tells smbd whether to issue oplocks (opportunistic -locks) to file open requests on this share. The oplock code can -dramatically (approx. 30% or more) improve the speed of access to files -on Samba servers. It allows the clients to aggressively cache files -locally and you may want to disable this option for unreliable network -environments (it is turned on by default in Windows NT Servers). For -more information see the file Speed.txt in the Samba docs/ directory. -<p><br>Oplocks may be selectively turned off on certain files on a per share basis. -See the 'veto oplock files' parameter. On some systems oplocks are recognized -by the underlying operating system. This allows data synchronization between -all access to oplocked files, whether it be via Samba or NFS or a local -UNIX process. See the <a href="smb.conf.5.html#kerneloplocks"><strong>kernel oplocks</strong></a> parameter -for details. -<p><br><strong>Default:</strong> -<code> oplocks = True</code> -<p><br><strong>Example:</strong> -<code> oplocks = False</code> -<p><br><a name="oslevel"></a> -<li><strong><strong>os level (G)</strong></strong> -<p><br>This integer value controls what level Samba advertises itself as for -browse elections. The value of this parameter determines whether -<a href="nmbd.8.html"><strong>nmbd</strong></a> has a chance of becoming a local master -browser for the <a href="smb.conf.5.html#workgroup"><strong>WORKGROUP</strong></a> in the local broadcast -area. The default is zero, which means <a href="nmbd.8.html"><strong>nmbd</strong></a> will -lose elections to Windows machines. See BROWSING.txt in the Samba -docs/ directory for details. -<p><br><strong>Default:</strong> -<code> os level = 0</code> -<p><br><strong>Example:</strong> -<code> os level = 65 ; This will win against any NT Server</code> -<p><br><a name="packetsize"></a> -<li><strong><strong>packet size (G)</strong></strong> -<p><br>This is a deprecated parameter that how no effect on the current -Samba code. It is left in the parameter list to prevent breaking -old <strong>smb.conf</strong> files. -<p><br><a name="panicaction"></a> -<li><strong><strong>panic action (G)</strong></strong> -<p><br>This is a Samba developer option that allows a system command to be -called when either <a href="smbd.8.html"><strong>smbd</strong></a> or -<a href="nmbd.8.html"><strong>nmbd</strong></a> crashes. This is usually used to draw -attention to the fact that a problem occurred. -<p><br><strong>Default:</strong> -<code> panic action = <empty string></code> -<p><br><a name="passwdchat"></a> -<li><strong><strong>passwd chat (G)</strong></strong> -<p><br>This string controls the <em>"chat"</em> conversation that takes places -between <a href="smbd.8.html"><strong>smbd</strong></a> and the local password changing -program to change the users password. The string describes a sequence -of response-receive pairs that <a href="smbd.8.html"><strong>smbd</strong></a> uses to -determine what to send to the <a href="smb.conf.5.html#passwdprogram"><strong>passwd</strong></a> program -and what to expect back. If the expected output is not received then -the password is not changed. -<p><br>This chat sequence is often quite site specific, depending on what -local methods are used for password control (such as NIS etc). -<p><br>The string can contain the macros <code>"%o"</code> and <code>"%n"</code> which are -substituted for the old and new passwords respectively. It can also -contain the standard macros <code>"\n"</code>, <code>"\r"</code>, <code>"\t"</code> and <code>"\s"</code> -to give line-feed, carriage-return, tab and space. -<p><br>The string can also contain a <code>'*'</code> which matches any sequence of -characters. -<p><br>Double quotes can be used to collect strings with spaces in them into -a single string. -<p><br>If the send string in any part of the chat sequence is a fullstop -<code>"."</code> then no string is sent. Similarly, is the expect string is a -fullstop then no string is expected. -<p><br>Note that if the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> -parameter is set to true, then this sequence is called <em>*AS ROOT*</em> -when the SMB password in the smbpasswd file is being changed, without -access to the old password cleartext. In this case the old password -cleartext is set to <code>""</code> (the empty string). -<p><br>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>, -<a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and <a href="smb.conf.5.html#passwdchatdebug"><strong>"passwd chat -debug"</strong></a>. -<p><br><strong>Example:</strong> -<pre> - passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" - -</pre> - -<p><br><strong>Default:</strong> -<pre> - passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed* -</pre> - -<p><br><a name="passwdchatdebug"></a> -<li><strong><strong>passwd chat debug (G)</strong></strong> -<p><br>This boolean specifies if the passwd chat script parameter is run in -<code>"debug"</code> mode. In this mode the strings passed to and received from -the passwd chat are printed in the <a href="smbd.8.html"><strong>smbd</strong></a> log with -a <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a> of 100. This is a dangerous -option as it will allow plaintext passwords to be seen in the -<a href="smbd.8.html"><strong>smbd</strong></a> log. It is available to help Samba admins -debug their <a href="smb.conf.5.html#passwdchat"><strong>"passwd chat"</strong></a> scripts when calling -the <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and should be turned off -after this has been done. This parameter is off by default. -<p><br>See also <a href="smb.conf.5.html#passwdchat"><strong>"passwd chat"</strong></a>, <a href="smb.conf.5.html#passwdprogram"><strong>"passwd -program"</strong></a>. -<p><br><strong>Example:</strong> -<code> passwd chat debug = True</code> -<p><br><strong>Default:</strong> -<code> passwd chat debug = False</code> -<p><br><a name="passwdprogram"></a> -<li><strong><strong>passwd program (G)</strong></strong> -<p><br>The name of a program that can be used to set UNIX user passwords. -Any occurrences of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> will be replaced with the -user name. The user name is checked for existence before calling the -password changing program. -<p><br>Also note that many passwd programs insist in <em>"reasonable"</em> -passwords, such as a minimum length, or the inclusion of mixed case -chars and digits. This can pose a problem as some clients (such as -Windows for Workgroups) uppercase the password before sending it. -<p><br><em>Note</em> that if the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> -parameter is set to <code>"True"</code> then this program is called <em>*AS -ROOT*</em> before the SMB password in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is changed. If this UNIX -password change fails, then <a href="smbd.8.html"><strong>smbd</strong></a> will fail to -change the SMB password also (this is by design). -<p><br>If the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> parameter is -set this parameter <em>MUST USE ABSOLUTE PATHS</em> for <em>ALL</em> programs -called, and must be examined for security implications. Note that by -default <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> is set to -<code>"False"</code>. -<p><br>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>. -<p><br><strong>Default:</strong> -<code> passwd program = /bin/passwd</code> -<p><br><strong>Example:</strong> -<code> passwd program = /sbin/passwd %u</code> -<p><br><a name="passwordlevel"></a> -<li><strong><strong>password level (G)</strong></strong> -<p><br>Some client/server combinations have difficulty with mixed-case -passwords. One offending client is Windows for Workgroups, which for -some reason forces passwords to upper case when using the LANMAN1 -protocol, but leaves them alone when using COREPLUS! -<p><br>This parameter defines the maximum number of characters that may be -upper case in passwords. -<p><br>For example, say the password given was <code>"FRED"</code>. If <strong>password -level</strong> is set to 1, the following combinations would be tried if -<code>"FRED"</code> failed: -<p><br><code>"Fred"</code>, <code>"fred"</code>, <code>"fRed"</code>, <code>"frEd"</code>, <code>"freD"</code> -<p><br>If <strong>password level</strong> was set to 2, the following combinations would -also be tried: -<p><br><code>"FRed"</code>, <code>"FrEd"</code>, <code>"FreD"</code>, <code>"fREd"</code>, <code>"fReD"</code>, -<code>"frED"</code>, <code>..</code> -<p><br>And so on. -<p><br>The higher value this parameter is set to the more likely it is that a -mixed case password will be matched against a single case -password. However, you should be aware that use of this parameter -reduces security and increases the time taken to process a new -connection. -<p><br>A value of zero will cause only two attempts to be made - the password -as is and the password in all-lower case. -<p><br><strong>Default:</strong> -<code> password level = 0</code> -<p><br><strong>Example:</strong> -<code> password level = 4</code> -<p><br><a name="passwordserver"></a> -<li><strong><strong>password server (G)</strong></strong> -<p><br>By specifying the name of another SMB server (such as a WinNT box) -with this option, and using <a href="smb.conf.5.html#security"><strong>"security = domain"</strong></a> or -<a href="smb.conf.5.html#security"><strong>"security = server"</strong></a> you can get Samba to do all -its username/password validation via a remote server. -<p><br>This options sets the name of the password server to use. It must be a -NetBIOS name, so if the machine's NetBIOS name is different from its -internet name then you may have to add its NetBIOS name to the lmhosts -file which is stored in the same directory as the <strong>smb.conf</strong> file. -<p><br>The name of the password server is looked up using the parameter -<a href="smb.conf.5.html#nameresolveorder"><strong>"name resolve order="</strong></a> and so may resolved -by any method and order described in that parameter. -<p><br>The password server much be a machine capable of using the "LM1.2X002" -or the "LM NT 0.12" protocol, and it must be in user level security -mode. -<p><br>NOTE: Using a password server means your UNIX box (running Samba) is -only as secure as your password server. <em>DO NOT CHOOSE A PASSWORD -SERVER THAT YOU DON'T COMPLETELY TRUST</em>. -<p><br>Never point a Samba server at itself for password serving. This will -cause a loop and could lock up your Samba server! -<p><br>The name of the password server takes the standard substitutions, but -probably the only useful one is <a href="smb.conf.5.html#percentm"><strong>%m</strong></a>, which means -the Samba server will use the incoming client as the password -server. If you use this then you better trust your clients, and you -better restrict them with hosts allow! -<p><br>If the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter is set to -<strong>"domain"</strong>, then the list of machines in this option must be a list -of Primary or Backup Domain controllers for the -<a href="smb.conf.5.html#workgroup"><strong>Domain</strong></a>, as the Samba server is cryptographicly -in that domain, and will use cryptographicly authenticated RPC calls -to authenticate the user logging on. The advantage of using -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a> is that if you list -several hosts in the <strong>"password server"</strong> option then -<a href="smbd.8.html"><strong>smbd</strong></a> will try each in turn till it finds one -that responds. This is useful in case your primary server goes down. -<p><br>If the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter is set to -<a href="smb.conf.5.html#securityequalserver"><strong>"server"</strong></a>, then there are different -restrictions that <a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a> -doesn't suffer from: -<p><br><ul> -<p><br><li > You may list several password servers in the <strong>"password server"</strong> -parameter, however if an <a href="smbd.8.html"><strong>smbd</strong></a> makes a connection -to a password server, and then the password server fails, no more -users will be able to be authenticated from this -<a href="smbd.8.html"><strong>smbd</strong></a>. This is a restriction of the SMB/CIFS -protocol when in <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> mode -and cannot be fixed in Samba. -<p><br><li > If you are using a Windows NT server as your password server then -you will have to ensure that your users are able to login from the -Samba server, as when in -<a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> mode the network -logon will appear to come from there rather than from the users -workstation. -<p><br></ul> -<p><br>See also the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> password server = <empty string></code> -<p><br><strong>Example:</strong> -<code> password server = NT-PDC, NT-BDC1, NT-BDC2</code> -<p><br><a name="path"></a> -<li><strong><strong>path (S)</strong></strong> -<p><br>This parameter specifies a directory to which the user of the service -is to be given access. In the case of printable services, this is -where print data will spool prior to being submitted to the host for -printing. -<p><br>For a printable service offering guest access, the service should be -readonly and the path should be world-writeable and have the sticky bit -set. This is not mandatory of course, but you probably won't get the -results you expect if you do otherwise. -<p><br>Any occurrences of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> in the path will be replaced -with the UNIX username that the client is using on this -connection. Any occurrences of <a href="smb.conf.5.html#percentm"><strong>%m</strong></a> will be replaced -by the NetBIOS name of the machine they are connecting from. These -replacements are very useful for setting up pseudo home directories -for users. -<p><br>Note that this path will be based on <a href="smb.conf.5.html#rootdir"><strong>"root dir"</strong></a> if -one was specified. -<p><br><strong>Default:</strong> -<code> none</code> -<p><br><strong>Example:</strong> -<code> path = /home/fred</code> -<p><br><a name="postexec"></a> -<li><strong><strong>postexec (S)</strong></strong> -<p><br>This option specifies a command to be run whenever the service is -disconnected. It takes the usual substitutions. The command may be run -as the root on some systems. -<p><br>An interesting example may be do unmount server resources: -<p><br><code>postexec = /etc/umount /cdrom</code> -<p><br>See also <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a>. -<p><br><strong>Default:</strong> -<code> none (no command executed)</code> -<p><br><strong>Example:</strong> -<code> postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log</code> -<p><br><a name="postscript"></a> -<li><strong><strong>postscript (S)</strong></strong> -<p><br>This parameter forces a printer to interpret the print files as -postscript. This is done by adding a <code>%!</code> to the start of print output. -<p><br>This is most useful when you have lots of PCs that persist in putting -a control-D at the start of print jobs, which then confuses your -printer. -<p><br><strong>Default:</strong> -<code> postscript = False</code> -<p><br><strong>Example:</strong> -<code> postscript = True</code> -<p><br><a name="preexec"></a> -<li><strong><strong>preexec (S)</strong></strong> -<p><br>This option specifies a command to be run whenever the service is -connected to. It takes the usual substitutions. -<p><br>An interesting example is to send the users a welcome message every -time they log in. Maybe a message of the day? Here is an example: -<p><br><pre> - - preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & - -</pre> - -<p><br>Of course, this could get annoying after a while :-) -<p><br>See also <a href="smb.conf.5.html#postexec"><strong>postexec</strong></a>. -<p><br><strong>Default:</strong> -<code> none (no command executed)</code> -<p><br><strong>Example:</strong> -<code> preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log</code> -<p><br><a name="preferredmaster"></a> -<li><strong><strong>preferred master (G)</strong></strong> -<p><br>This boolean parameter controls if <a href="nmbd.8.html"><strong>nmbd</strong></a> is a -preferred master browser for its workgroup. -<p><br>If this is set to true, on startup, <a href="nmbd.8.html"><strong>nmbd</strong></a> will -force an election, and it will have a slight advantage in winning the -election. It is recommended that this parameter is used in -conjunction with <a href="smb.conf.5.html#domainmaster"><strong>"domain master = yes"</strong></a>, so -that <a href="nmbd.8.html"><strong>nmbd</strong></a> can guarantee becoming a domain -master. -<p><br>Use this option with caution, because if there are several hosts -(whether Samba servers, Windows 95 or NT) that are preferred master -browsers on the same subnet, they will each periodically and -continuously attempt to become the local master browser. This will -result in unnecessary broadcast traffic and reduced browsing -capabilities. -<p><br>See also <a href="smb.conf.5.html#oslevel"><strong>os level</strong></a>. -<p><br><strong>Default:</strong> -<code> preferred master = no</code> -<p><br><strong>Example:</strong> -<code> preferred master = yes</code> -<p><br><a name="preferedmaster"></a> -<li><strong><strong>prefered master (G)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#preferredmaster"><strong>"preferred master"</strong></a> for people -who cannot spell :-). -<p><br><a name="preload"></a> -<li><strong><strong>preload</strong></strong> -Synonym for <a href="smb.conf.5.html#autoservices"><strong>"auto services"</strong></a>. -<p><br><a name="preservecase"></a> -<li><strong><strong>preserve case (S)</strong></strong> -<p><br>This controls if new filenames are created with the case that the -client passes, or if they are forced to be the <code>"default"</code> case. -<p><br><strong>Default:</strong> -<code> preserve case = yes</code> -<p><br>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a> for a -fuller discussion. -<p><br><a name="printcommand"></a> -<li><strong><strong>print command (S)</strong></strong> -<p><br>After a print job has finished spooling to a service, this command -will be used via a <code>system()</code> call to process the spool -file. Typically the command specified will submit the spool file to -the host's printing subsystem, but there is no requirement that this -be the case. The server will not remove the spool file, so whatever -command you specify should remove the spool file when it has been -processed, otherwise you will need to manually remove old spool files. -<p><br>The print command is simply a text string. It will be used verbatim, -with two exceptions: All occurrences of <code>"%s"</code> will be replaced by -the appropriate spool file name, and all occurrences of <code>"%p"</code> will -be replaced by the appropriate printer name. The spool file name is -generated automatically by the server, the printer name is discussed -below. -<p><br>The full path name will be used for the filename if <code>"%s"</code> is not -preceded by a <code>'/'</code>. If you don't like this (it can stuff up some -lpq output) then use <code>"%f"</code> instead. Any occurrences of <code>"%f"</code> get -replaced by the spool filename without the full path at the front. -<p><br>The print command <em>MUST</em> contain at least one occurrence of <code>"%s"</code> -or <code>"%f"</code> - the <code>"%p"</code> is optional. At the time a job is -submitted, if no printer name is supplied the <code>"%p"</code> will be -silently removed from the printer command. -<p><br>If specified in the <a href="smb.conf.5.html#global"><strong>"[global]"</strong></a> section, the print -command given will be used for any printable service that does not -have its own print command specified. -<p><br>If there is neither a specified print command for a printable service -nor a global print command, spool files will be created but not -processed and (most importantly) not removed. -<p><br>Note that printing may fail on some UNIXs from the <code>"nobody"</code> -account. If this happens then create an alternative guest account that -can print and set the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a> in the -<a href="smb.conf.5.html#global"><strong>"[global]"</strong></a> section. -<p><br>You can form quite complex print commands by realizing that they are -just passed to a shell. For example the following will log a print -job, print the file, then remove it. Note that <code>';'</code> is the usual -separator for command in shell scripts. -<p><br><code>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s</code> -<p><br>You may have to vary this command considerably depending on how you -normally print files on your system. The default for the parameter -varies depending on the setting of the <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> -parameter. -<p><br><strong>Default:</strong> - For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> BSD, AIX, QNX, LPRNG or PLP : -<code> print command = lpr -r -P%p %s</code> -<p><br>For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> SYS or HPUX : -<code> print command = lp -c -d%p %s; rm %s</code> -<p><br>For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> SOFTQ : -<code> print command = lp -d%p -s %s; rm %s</code> -<p><br><strong>Example:</strong> -<code> print command = /usr/local/samba/bin/myprintscript %p %s</code> -<p><br><a name="printok"></a> -<li><strong><strong>print ok (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#printable"><strong>printable</strong></a>. -<p><br><a name="printable"></a> -<li><strong><strong>printable (S)</strong></strong> -<p><br>If this parameter is <code>"yes"</code>, then clients may open, write to and -submit spool files on the directory specified for the service. -<p><br>Note that a printable service will ALWAYS allow writing to the service -path (user privileges permitting) via the spooling of print data. The -<a href="smb.conf.5.html#readonly"><strong>"read only"</strong></a> parameter controls only non-printing -access to the resource. -<p><br><strong>Default:</strong> -<code> printable = no</code> -<p><br><strong>Example:</strong> -<code> printable = yes</code> -<p><br><a name="printcap"></a> -<li><strong><strong>printcap (G)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#printcapname"><strong>printcapname</strong></a>. -<p><br><a name="printcapname"></a> -<li><strong><strong>printcap name (G)</strong></strong> -<p><br>This parameter may be used to override the compiled-in default -printcap name used by the server (usually /etc/printcap). See the -discussion of the <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> section above for -reasons why you might want to do this. -<p><br>On System V systems that use <strong>lpstat</strong> to list available printers you -can use <code>"printcap name = lpstat"</code> to automatically obtain lists of -available printers. This is the default for systems that define SYSV -at configure time in Samba (this includes most System V based -systems). If <strong>"printcap name"</strong> is set to <strong>lpstat</strong> on these systems -then Samba will launch <code>"lpstat -v"</code> and attempt to parse the output -to obtain a printer list. -<p><br>A minimal printcap file would look something like this: -<p><br><pre> - - print1|My Printer 1 - print2|My Printer 2 - print3|My Printer 3 - print4|My Printer 4 - print5|My Printer 5 - -</pre> - -<p><br>where the <code>'|'</code> separates aliases of a printer. The fact that the -second alias has a space in it gives a hint to Samba that it's a -comment. -<p><br><em>NOTE</em>: Under AIX the default printcap name is -<code>"/etc/qconfig"</code>. Samba will assume the file is in AIX <code>"qconfig"</code> -format if the string <code>"/qconfig"</code> appears in the printcap filename. -<p><br><strong>Default:</strong> -<code> printcap name = /etc/printcap</code> -<p><br><strong>Example:</strong> -<code> printcap name = /etc/myprintcap</code> -<p><br><a name="printer"></a> -<li><strong><strong>printer (S)</strong></strong> -<p><br>This parameter specifies the name of the printer to which print jobs -spooled through a printable service will be sent. -<p><br>If specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section, the printer -name given will be used for any printable service that does not have -its own printer name specified. -<p><br><strong>Default:</strong> - none (but may be <code>"lp"</code> on many systems) -<p><br><strong>Example:</strong> - printer name = laserwriter -<p><br><a name="printerdriver"></a> -<li><strong><strong>printer driver (S)</strong></strong> -<p><br>This option allows you to control the string that clients receive when -they ask the server for the printer driver associated with a -printer. If you are using Windows95 or WindowsNT then you can use this -to automate the setup of printers on your system. -<p><br>You need to set this parameter to the exact string (case sensitive) -that describes the appropriate printer driver for your system. If you -don't know the exact string to use then you should first try with no -<strong>"printer driver"</strong> option set and the client will give you a list of -printer drivers. The appropriate strings are shown in a scrollbox -after you have chosen the printer manufacturer. -<p><br>See also <a href="smb.conf.5.html#printerdriverfile"><strong>"printer driver file"</strong></a>. -<p><br><strong>Example:</strong> - printer driver = HP LaserJet 4L -<p><br><a name="printerdriverfile"></a> -<li><strong><strong>printer driver file (G)</strong></strong> -<p><br>This parameter tells Samba where the printer driver definition file, -used when serving drivers to Windows 95 clients, is to be found. If -this is not set, the default is : -<p><br><code>SAMBA_INSTALL_DIRECTORY/lib/printers.def</code> -<p><br>This file is created from Windows 95 <code>"msprint.def"</code> files found on -the Windows 95 client system. For more details on setting up serving -of printer drivers to Windows 95 clients, see the documentation file -in the docs/ directory, PRINTER_DRIVER.txt. -<p><br><strong>Default:</strong> -<code> None (set in compile).</code> -<p><br><strong>Example:</strong> -<code> printer driver file = /usr/local/samba/printers/drivers.def</code> -<p><br>See also <a href="smb.conf.5.html#printerdriverlocation"><strong>"printer driver location"</strong></a>. -<p><br><a name="printerdriverlocation"></a> -<li><strong><strong>printer driver location (S)</strong></strong> -<p><br>This parameter tells clients of a particular printer share where to -find the printer driver files for the automatic installation of -drivers for Windows 95 machines. If Samba is set up to serve printer -drivers to Windows 95 machines, this should be set to -<p><br><code>\\MACHINE\aPRINTER$</code> -<p><br>Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ -is a share you set up for serving printer driver files. For more -details on setting this up see the documentation file in the docs/ -directory, PRINTER_DRIVER.txt. -<p><br><strong>Default:</strong> -<code> None</code> -<p><br><strong>Example:</strong> -<code> printer driver location = \\MACHINE\PRINTER$</code> -<p><br>See also <a href="smb.conf.5.html#printerdriverfile"><strong>"printer driver file"</strong></a>. -<p><br><a name="printername"></a> -<li><strong><strong>printer name (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#printer"><strong>printer</strong></a>. -<p><br><a name="printing"></a> -<li><strong><strong>printing (S)</strong></strong> -<p><br>This parameters controls how printer status information is interpreted -on your system, and also affects the default values for the -<a href="smb.conf.5.html#printcommand"><strong>"print command"</strong></a>, <a href="smb.conf.5.html#lpqcommand"><strong>"lpq -command"</strong></a> <a href="smb.conf.5.html#lppausecommand"><strong>"lppause command"</strong></a>, -<a href="smb.conf.5.html#lpresumecommand"><strong>"lpresume command"</strong></a>, and <a href="smb.conf.5.html#lprmcommand"><strong>"lprm -command"</strong></a>. -<p><br>Currently eight printing styles are supported. They are -<strong>"printing=BSD"</strong>, <strong>"printing=AIX"</strong>, <strong>"printing=LPRNG"</strong>, -<strong>"printing=PLP"</strong>, -<strong>"printing=SYSV"</strong>,<strong>"printing="HPUX"</strong>,<strong>"printing=QNX"</strong> and -<strong>"printing=SOFTQ"</strong>. -<p><br>To see what the defaults are for the other print commands when using -these three options use the <a href="testparm"><strong>"testparm"</strong></a> program. -<p><br>This option can be set on a per printer basis -<p><br>See also the discussion in the <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> section. -<p><br><a name="protocol"></a> -<li><strong><strong>protocol (G)</strong></strong> -<p><br>The value of the parameter (a string) is the highest protocol level -that will be supported by the server. -<p><br>Possible values are : -<p><br><ul> -<p><br><li > CORE: Earliest version. No concept of user names. -<p><br><li > COREPLUS: Slight improvements on CORE for efficiency. -<p><br><li > LANMAN1: First <em>"modern"</em> version of the protocol. Long -filename support. -<p><br><li > LANMAN2: Updates to Lanman1 protocol. -<p><br><li > NT1: Current up to date version of the protocol. Used by Windows -NT. Known as CIFS. -<p><br></ul> -<p><br>Normally this option should not be set as the automatic negotiation -phase in the SMB protocol takes care of choosing the appropriate -protocol. -<p><br><strong>Default:</strong> -<code> protocol = NT1</code> -<p><br><strong>Example:</strong> -<code> protocol = LANMAN1</code> -<p><br><a name="public"></a> -<li><strong><strong>public (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#guestok"><strong>"guest ok"</strong></a>. -<p><br><a name="queuepausecommand"></a> -<li><strong><strong>queuepause command (S)</strong></strong> -<p><br>This parameter specifies the command to be executed on the server host -in order to pause the printerqueue. -<p><br>This command should be a program or script which takes a printer name -as its only parameter and stops the printerqueue, such that no longer -jobs are submitted to the printer. -<p><br>This command is not supported by Windows for Workgroups, but can be -issued from the Printer's window under Windows 95 & NT. -<p><br>If a <code>"%p"</code> is given then the printername is put in its -place. Otherwise it is placed at the end of the command. -<p><br>Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server. -<p><br><strong>Default:</strong> -<code> depends on the setting of "printing ="</code> -<p><br><strong>Example:</strong> -<code> queuepause command = disable %p</code> -<p><br><a name="queueresumecommand"></a> -<li><strong><strong>queueresume command (S)</strong></strong> -<p><br>This parameter specifies the command to be executed on the server host -in order to resume the printerqueue. It is the command to undo the -behavior that is caused by the previous parameter -(<a href="smb.conf.5.html#queuepausecommand"><strong>"queuepause command</strong></a>). -<p><br>This command should be a program or script which takes a printer name -as its only parameter and resumes the printerqueue, such that queued -jobs are resubmitted to the printer. -<p><br>This command is not supported by Windows for Workgroups, but can be -issued from the Printer's window under Windows 95 & NT. -<p><br>If a <code>"%p"</code> is given then the printername is put in its -place. Otherwise it is placed at the end of the command. -<p><br>Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server. -<p><br><strong>Default:</strong> -<code> depends on the setting of "printing ="</code> -<p><br><strong>Example:</strong> -<code> queuepause command = enable %p</code> -<p><br><a name="readbmpx"></a> -<li><strong><strong>read bmpx (G)</strong></strong> -<p><br>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a> -will support the "Read Block Multiplex" SMB. This is now rarely used -and defaults to off. You should never need to set this parameter. -<p><br><strong>Default:</strong> - read bmpx = No -<p><br><a name="readlist"></a> -<li><strong><strong>read list (S)</strong></strong> -<p><br>This is a list of users that are given read-only access to a -service. If the connecting user is in this list then they will not be -given write access, no matter what the <a href="smb.conf.5.html#readonly"><strong>"read only"</strong></a> -option is set to. The list can include group names using the syntax -described in the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> parameter. -<p><br>See also the <a href="smb.conf.5.html#writelist"><strong>"write list"</strong></a> parameter and -the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> read list = <empty string></code> -<p><br><strong>Example:</strong> -<code> read list = mary, @students</code> -<p><br><a name="readonly"></a> -<li><strong><strong>read only (S)</strong></strong> -<p><br>Note that this is an inverted synonym for -<a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> and <a href="smb.conf.5.html#writeok"><strong>"write ok"</strong></a>. -<p><br>See also <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> and <a href="smb.conf.5.html#writeok"><strong>"write -ok"</strong></a>. -<p><br><a name="readprediction"></a> -<li><strong><strong>read prediction (G)</strong></strong> -<p><br><em>NOTE</em>: This code is currently disabled in Samba2.0 and -may be removed at a later date. Hence this parameter has -no effect. -<p><br>This options enables or disables the read prediction code used to -speed up reads from the server. When enabled the server will try to -pre-read data from the last accessed file that was opened read-only -while waiting for packets. -<p><br><strong>Default:</strong> -<code> read prediction = False</code> -<p><br><a name="readraw"></a> -<li><strong><strong>read raw (G)</strong></strong> -<p><br>This parameter controls whether or not the server will support the raw -read SMB requests when transferring data to clients. -<p><br>If enabled, raw reads allow reads of 65535 bytes in one packet. This -typically provides a major performance benefit. -<p><br>However, some clients either negotiate the allowable block size -incorrectly or are incapable of supporting larger block sizes, and for -these clients you may need to disable raw reads. -<p><br>In general this parameter should be viewed as a system tuning tool and left -severely alone. See also <a href="smb.conf.5.html#writeraw"><strong>"write raw"</strong></a>. -<p><br><strong>Default:</strong> -<code> read raw = yes</code> -<p><br><a name="readsize"></a> -<li><strong><strong>read size (G)</strong></strong> -<p><br>The option <strong>"read size"</strong> affects the overlap of disk reads/writes -with network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk. -<p><br>This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other. -<p><br>The default value is 2048, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the -best value will vary greatly between systems anyway. A value over -65536 is pointless and will cause you to allocate memory -unnecessarily. -<p><br><strong>Default:</strong> -<code> read size = 2048</code> -<p><br><strong>Example:</strong> -<code> read size = 8192</code> -<p><br><a name="remoteannounce"></a> -<li><strong><strong>remote announce (G)</strong></strong> -<p><br>This option allows you to setup <a href="nmbd.8.html"><strong>nmbd</strong></a> to -periodically announce itself to arbitrary IP addresses with an -arbitrary workgroup name. -<p><br>This is useful if you want your Samba server to appear in a remote -workgroup for which the normal browse propagation rules don't -work. The remote workgroup can be anywhere that you can send IP -packets to. -<p><br>For example: -<p><br><code> remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code> -<p><br>the above line would cause nmbd to announce itself to the two given IP -addresses using the given workgroup names. If you leave out the -workgroup name then the one given in the -<a href="smb.conf.5.html#workgroup"><strong>"workgroup"</strong></a> parameter is used instead. -<p><br>The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable. -<p><br>See the documentation file BROWSING.txt in the docs/ directory. -<p><br><strong>Default:</strong> -<code> remote announce = <empty string></code> -<p><br><strong>Example:</strong> -<code> remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code> -<p><br><a name="remotebrowsesync"></a> -<li><strong><strong>remote browse sync (G)</strong></strong> -<p><br>This option allows you to setup <a href="nmbd.8.html"><strong>nmbd</strong></a> to -periodically request synchronization of browse lists with the master -browser of a samba server that is on a remote segment. This option -will allow you to gain browse lists for multiple workgroups across -routed networks. This is done in a manner that does not work with any -non-samba servers. -<p><br>This is useful if you want your Samba server and all local clients to -appear in a remote workgroup for which the normal browse propagation -rules don't work. The remote workgroup can be anywhere that you can -send IP packets to. -<p><br>For example: -<p><br><code> remote browse sync = 192.168.2.255 192.168.4.255</code> -<p><br>the above line would cause <a href="nmbd.8.html"><strong>nmbd</strong></a> to request the -master browser on the specified subnets or addresses to synchronize -their browse lists with the local server. -<p><br>The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable. If a machine IP -address is given Samba makes NO attempt to validate that the remote -machine is available, is listening, nor that it is in fact the browse -master on it's segment. -<p><br><strong>Default:</strong> -<code> remote browse sync = <empty string></code> -<p><br><strong>Example:</strong> -<code> remote browse sync = 192.168.2.255 192.168.4.255</code> -<p><br><a name="revalidate"></a> -<li><strong><strong>revalidate (S)</strong></strong> -<p><br>Note that this option only works with -<a href="smb.conf.5.html#securityequalshare"><strong>"security=share"</strong></a> and will be ignored if -this is not the case. -<p><br>This option controls whether Samba will allow a previously validated -username/password pair to be used to attach to a share. Thus if you -connect to <code>\\server\share1</code> then to <code>\\server\share2</code> it won't -automatically allow the client to request connection to the second -share as the same username as the first without a password. -<p><br>If <strong>"revalidate"</strong> is <code>"True"</code> then the client will be denied -automatic access as the same username. -<p><br><strong>Default:</strong> -<code> revalidate = False</code> -<p><br><strong>Example:</strong> -<code> revalidate = True</code> -<p><br><a name="root"></a> -<li><strong><strong>root (G)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#rootdirectory"><strong>"root directory"</strong></a>. -<p><br><a name="rootdir"></a> -<li><strong><strong>root dir (G)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#rootdirectory"><strong>"root directory"</strong></a>. -<p><br><a name="rootdirectory"></a> -<li><strong><strong>root directory (G)</strong></strong> -<p><br>The server will <code>"chroot()"</code> (i.e. Change it's root directory) to -this directory on startup. This is not strictly necessary for secure -operation. Even without it the server will deny access to files not in -one of the service entries. It may also check for, and deny access to, -soft links to other parts of the filesystem, or attempts to use -<code>".."</code> in file names to access other directories (depending on the -setting of the <a href="smb.conf.5.html#widelinks"><strong>"wide links"</strong></a> parameter). -<p><br>Adding a <strong>"root directory"</strong> entry other than <code>"/"</code> adds an extra -level of security, but at a price. It absolutely ensures that no -access is given to files not in the sub-tree specified in the <strong>"root -directory"</strong> option, <em>*including*</em> some files needed for complete -operation of the server. To maintain full operability of the server -you will need to mirror some system files into the <strong>"root -directory"</strong> tree. In particular you will need to mirror /etc/passwd -(or a subset of it), and any binaries or configuration files needed -for printing (if required). The set of files that must be mirrored is -operating system dependent. -<p><br><strong>Default:</strong> -<code> root directory = /</code> -<p><br><strong>Example:</strong> -<code> root directory = /homes/smb</code> -<p><br><a name="rootpostexec"></a> -<li><strong><strong>root postexec (S)</strong></strong> -<p><br>This is the same as the <a href="smb.conf.5.html#postexec"><strong>"postexec"</strong></a> parameter -except that the command is run as root. This is useful for unmounting -filesystems (such as cdroms) after a connection is closed. -<p><br>See also <a href="smb.conf.5.html#postexec"><strong>"postexec"</strong></a>. -<p><br><a name="rootpreexec"></a> -<li><strong><strong>root preexec (S)</strong></strong> -<p><br>This is the same as the <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a> parameter except -that the command is run as root. This is useful for mounting -filesystems (such as cdroms) before a connection is finalized. -<p><br>See also <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a>. -<p><br><a name="security"></a> -<li><strong><strong>security (G)</strong></strong> -<p><br>This option affects how clients respond to Samba and is one of the most -important settings in the <strong>smb.conf</strong> file. -<p><br>The option sets the <code>"security mode bit"</code> in replies to protocol -negotiations with <a href="smbd.8.html"><strong>smbd</strong></a> to turn share level -security on or off. Clients decide based on this bit whether (and how) -to transfer user and password information to the server. -<p><br>The default is <a href="smb.conf.5.html#securityequaluser">"security=user"</a>, as this is -the most common setting needed when talking to Windows 98 and Windows -NT. -<p><br>The alternatives are <a href="smb.conf.5.html#securityequalshare"><strong>"security = share"</strong></a>, -<a href="smb.conf.5.html#securityequalserver"><strong>"security = server"</strong></a> or -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>. -<p><br><em>*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR -PREVIOUS VERSIONS OF SAMBA *******</em>. -<p><br>In previous versions of Samba the default was -<a href="smb.conf.5.html#securityequalshare"><strong>"security=share"</strong></a> mainly because that was -the only option at one stage. -<p><br>There is a bug in WfWg that has relevance to this setting. When in -user or server level security a WfWg client will totally ignore the -password you type in the "connect drive" dialog box. This makes it -very difficult (if not impossible) to connect to a Samba service as -anyone except the user that you are logged into WfWg as. -<p><br>If your PCs use usernames that are the same as their usernames on the -UNIX machine then you will want to use <strong>"security = user"</strong>. If you -mostly use usernames that don't exist on the UNIX box then use -<strong>"security = share"</strong>. -<p><br>You should also use <a href="smb.conf.5.html#securityequalshare"><strong>security=share</strong></a> if -you want to mainly setup shares without a password (guest -shares). This is commonly used for a shared printer server. It is more -difficult to setup guest shares with -<a href="smb.conf.5.html#securityequaluser"><strong>security=user</strong></a>, see the <a href="smb.conf.5.html#maptoguest"><strong>"map to -guest"</strong></a>parameter for details. -<p><br>It is possible to use <a href="smbd.8.html"><strong>smbd</strong></a> in a <em>"hybrid -mode"</em> where it is offers both user and share level security under -different <a href="smb.conf.5.html#netbiosaliases"><strong>NetBIOS aliases</strong></a>. See the -<a href="smb.conf.5.html#netbiosaliases"><strong>NetBIOS aliases</strong></a> and the -<a href="smb.conf.5.html#include"><strong>include</strong></a> parameters for more information. -<p><br>The different settings will now be explained. -<p><br><ul> -<p><br><a name="securityequalshare"></a> -<li><strong><strong>"security=share"</strong></strong> When clients connect to a share level -security server then need not log onto the server with a valid -username and password before attempting to connect to a shared -resource (although modern clients such as Windows 95/98 and Windows NT -will send a logon request with a username but no password when talking -to a <strong>security=share</strong> server). Instead, the clients send -authentication information (passwords) on a per-share basis, at the -time they attempt to connect to that share. -<p><br>Note that <a href="smbd.8.html"><strong>smbd</strong></a> <em>*ALWAYS*</em> uses a valid UNIX -user to act on behalf of the client, even in <strong>"security=share"</strong> -level security. -<p><br>As clients are not required to send a username to the server -in share level security, <a href="smbd.8.html"><strong>smbd</strong></a> uses several -techniques to determine the correct UNIX user to use on behalf -of the client. -<p><br>A list of possible UNIX usernames to match with the given -client password is constructed using the following methods : -<p><br><ul> -<p><br><li > If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is set, then -all the other stages are missed and only the <a href="smb.conf.5.html#guestaccount"><strong>"guest -account"</strong></a> username is checked. -<p><br><li > Is a username is sent with the share connection request, then -this username (after mapping - see <a href="smb.conf.5.html#usernamemap"><strong>"username -map"</strong></a>), is added as a potential username. -<p><br><li > If the client did a previous <em>"logon"</em> request (the -SessionSetup SMB call) then the username sent in this SMB -will be added as a potential username. -<p><br><li > The name of the service the client requested is added -as a potential username. -<p><br><li > The NetBIOS name of the client is added to the list as a -potential username. -<p><br><li > Any users on the <a href="smb.conf.5.html#user"><strong>"user"</strong></a> list are added -as potential usernames. -<p><br></ul> -<p><br>If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is not set, then -this list is then tried with the supplied password. The first user for -whom the password matches will be used as the UNIX user. -<p><br>If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is set, or no -username can be determined then if the share is marked as available to -the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>, then this guest user will -be used, otherwise access is denied. -<p><br>Note that it can be <em>*very*</em> confusing in share-level security as to -which UNIX username will eventually be used in granting access. -<p><br>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p><br><a name="securityequaluser"></a> -<li><strong><strong>"security=user"</strong></strong> -<p><br>This is the default security setting in Samba2.0. With user-level -security a client must first <code>"log-on"</code> with a valid username and -password (which can be mapped using the <a href="smb.conf.5.html#usernamemap"><strong>"username -map"</strong></a> parameter). Encrypted passwords (see the -<a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter) can also -be used in this security mode. Parameters such as -<a href="smb.conf.5.html#user"><strong>"user"</strong></a> and <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a>, if set -are then applied and may change the UNIX user to use on this -connection, but only after the user has been successfully -authenticated. -<p><br><em>Note</em> that the name of the resource being requested is -<em>*not*</em> sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in user -level security without allowing the server to automatically map unknown -users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the -<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on -doing this. -<p><br>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p><br><a name="securityequalserver"></a> -<li><strong><strong>"security=server"</strong></strong> -<p><br>In this mode Samba will try to validate the username/password by -passing it to another SMB server, such as an NT box. If this fails it -will revert to <strong>"security = user"</strong>, but note that if encrypted -passwords have been negotiated then Samba cannot revert back to -checking the UNIX password file, it must have a valid smbpasswd file -to check users against. See the documentation file in the docs/ -directory ENCRYPTION.txt for details on how to set this up. -<p><br><em>Note</em> that from the clients point of view <strong>"security=server"</strong> is -the same as <a href="smb.conf.5.html#securityequaluser"><strong>"security=user"</strong></a>. It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees. -<p><br><em>Note</em> that the name of the resource being requested is -<em>*not*</em> sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in server -level security without allowing the server to automatically map unknown -users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the -<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on -doing this. -<p><br>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p><br>See also the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> parameter. -and the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter. -<p><br><a name="securityequaldomain"></a> -<li><strong><strong>"security=domain"</strong></strong> -<p><br>This mode will only work correctly if -<a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> has been used to add this machine -into a Windows NT Domain. It expects the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted -passwords"</strong></a> parameter to be set to <code>"true"</code>. In -this mode Samba will try to validate the username/password by passing -it to a Windows NT Primary or Backup Domain Controller, in exactly the -same way that a Windows NT Server would do. -<p><br><em>Note</em> that a valid UNIX user must still exist as well as the -account on the Domain Controller to allow Samba to have a valid -UNIX account to map file access to. -<p><br><em>Note</em> that from the clients point of view <strong>"security=domain"</strong> is -the same as <a href="smb.conf.5.html#securityequaluser"><strong>"security=user"</strong></a>. It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees. -<p><br><em>Note</em> that the name of the resource being requested is -<em>*not*</em> sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in domain -level security without allowing the server to automatically map unknown -users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the -<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on -doing this. -<p><br>e,(BUG:) There is currently a bug in the implementation of -<strong>"security=domain</strong> with respect to multi-byte character -set usernames. The communication with a Domain Controller -must be done in UNICODE and Samba currently does not widen -multi-byte user names to UNICODE correctly, thus a multi-byte -username will not be recognized correctly at the Domain Controller. -This issue will be addressed in a future release. -<p><br>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p><br>See also the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> parameter. -and the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter. -<p><br></ul> -<p><br><strong>Default:</strong> -<code> security = USER</code> -<p><br><strong>Example:</strong> -<code> security = DOMAIN</code> -<p><br><a name="serverstring"></a> -<li><strong><strong>server string (G)</strong></strong> -<p><br>This controls what string will show up in the printer comment box in -print manager and next to the IPC connection in <code>"net view"</code>. It can be -any string that you wish to show to your users. -<p><br>It also sets what will appear in browse lists next to the machine -name. -<p><br>A <code>"%v"</code> will be replaced with the Samba version number. -<p><br>A <code>"%h"</code> will be replaced with the hostname. -<p><br><strong>Default:</strong> -<code> server string = Samba %v</code> -<p><br><strong>Example:</strong> -<code> server string = University of GNUs Samba Server</code> -<p><br><a name="setdirectory"></a> -<li><strong><strong>set directory (S)</strong></strong> -<p><br>If <code>"set directory = no"</code>, then users of the service may not use the -setdir command to change directory. -<p><br>The setdir command is only implemented in the Digital Pathworks -client. See the Pathworks documentation for details. -<p><br><strong>Default:</strong> -<code> set directory = no</code> -<p><br><strong>Example:</strong> -<code> set directory = yes</code> -<p><br><a name="sharemodes"></a> -<li><strong><strong>share modes (S)</strong></strong> -<p><br>This enables or disables the honoring of the <code>"share modes"</code> during a -file open. These modes are used by clients to gain exclusive read or -write access to a file. -<p><br>These open modes are not directly supported by UNIX, so they are -simulated using shared memory, or lock files if your UNIX doesn't -support shared memory (almost all do). -<p><br>The share modes that are enabled by this option are DENY_DOS, -DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. -<p><br>This option gives full share compatibility and enabled by default. -<p><br>You should <em>*NEVER*</em> turn this parameter off as many Windows -applications will break if you do so. -<p><br><strong>Default:</strong> -<code> share modes = yes</code> -<p><br><a name="sharedmemsize"></a> -<li><strong><strong>shared mem size (G)</strong></strong> -<p><br>It specifies the size of the shared memory (in bytes) to use between -<a href="smbd.8.html"><strong>smbd</strong></a> processes. This parameter defaults to one -megabyte of shared memory. It is possible that if you have a large -server with many files open simultaneously that you may need to -increase this parameter. Signs that this parameter is set too low are -users reporting strange problems trying to save files (locking errors) -and error messages in the smbd log looking like <code>"ERROR -smb_shm_alloc : alloc of XX bytes failed"</code>. -<p><br><strong>Default:</strong> -<code> shared mem size = 1048576</code> -<p><br><strong>Example:</strong> -<code> shared mem size = 5242880 ; Set to 5mb for a large number of files.</code> -<p><br><a name="shortpreservecase"></a> -<li><strong><strong>short preserve case (G)</strong></strong> -<p><br>This boolean parameter controls if new files which conform to 8.3 -syntax, that is all in upper case and of suitable length, are created -upper case, or if they are forced to be the <code>"default"</code> case. This -option can be use with <a href="smb.conf.5.html#preservecaseoption"><strong>"preserve case -=yes"</strong></a> to permit long filenames to retain their -case, while short names are lowered. Default <em>Yes</em>. -<p><br>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>NAME MANGLING</strong></a>. -<p><br><strong>Default:</strong> -<code> short preserve case = yes</code> -<p><br><a name="smbpasswdfile"></a> -<li><strong><strong>smb passwd file (G)</strong></strong> -<p><br>This option sets the path to the encrypted smbpasswd file. By default -the path to the smbpasswd file is compiled into Samba. -<p><br><strong>Default:</strong> -<code> smb passwd file= <compiled default></code> -<p><br><strong>Example:</strong> -<code> smb passwd file = /usr/samba/private/smbpasswd</code> -<p><br><a name="smbrun"></a> -<li><strong><strong>smbrun (G)</strong></strong> -<p><br>This sets the full path to the <strong>smbrun</strong> binary. This defaults to the -value in the Makefile. -<p><br>You must get this path right for many services to work correctly. -<p><br>You should not need to change this parameter so long as Samba -is installed correctly. -<p><br><strong>Default:</strong> -<code> smbrun=<compiled default></code> -<p><br><strong>Example:</strong> -<code> smbrun = /usr/local/samba/bin/smbrun</code> -<p><br><a name="socketaddress"></a> -<li><strong><strong>socket address (G)</strong></strong> -<p><br>This option allows you to control what address Samba will listen for -connections on. This is used to support multiple virtual interfaces on -the one server, each with a different configuration. -<p><br>By default samba will accept connections on any address. -<p><br><strong>Example:</strong> -<code> socket address = 192.168.2.20</code> -<p><br><a name="socketoptions"></a> -<li><strong><strong>socket options (G)</strong></strong> -<p><br>This option allows you to set socket options to be used when talking -with the client. -<p><br>Socket options are controls on the networking layer of the operating -systems which allow the connection to be tuned. -<p><br>This option will typically be used to tune your Samba server for -optimal performance for your local network. There is no way that Samba -can know what the optimal parameters are for your net, so you must -experiment and choose them yourself. We strongly suggest you read the -appropriate documentation for your operating system first (perhaps -<strong>"man setsockopt"</strong> will help). -<p><br>You may find that on some systems Samba will say "Unknown socket -option" when you supply an option. This means you either incorrectly -typed it or you need to add an include file to includes.h for your OS. -If the latter is the case please send the patch to -<a href="mailto:samba-bugs@samba.org"><em>samba-bugs@samba.org</em></a>. -<p><br>Any of the supported socket options may be combined in any way you -like, as long as your OS allows it. -<p><br>This is the list of socket options currently settable using this -option: -<p><br><ul> -<p><br><li > SO_KEEPALIVE -<p><br><li > SO_REUSEADDR -<p><br><li > SO_BROADCAST -<p><br><li > TCP_NODELAY -<p><br><li > IPTOS_LOWDELAY -<p><br><li > IPTOS_THROUGHPUT -<p><br><li > SO_SNDBUF * -<p><br><li > SO_RCVBUF * -<p><br><li > SO_SNDLOWAT * -<p><br><li > SO_RCVLOWAT * -<p><br></ul> -<p><br>Those marked with a <code>*</code> take an integer argument. The others can -optionally take a 1 or 0 argument to enable or disable the option, by -default they will be enabled if you don't specify 1 or 0. -<p><br>To specify an argument use the syntax SOME_OPTION=VALUE for example -<code>SO_SNDBUF=8192</code>. Note that you must not have any spaces before or after -the = sign. -<p><br>If you are on a local network then a sensible option might be -<p><br><code>socket options = IPTOS_LOWDELAY</code> -<p><br>If you have a local network then you could try: -<p><br><code>socket options = IPTOS_LOWDELAY TCP_NODELAY</code> -<p><br>If you are on a wide area network then perhaps try setting -IPTOS_THROUGHPUT. -<p><br>Note that several of the options may cause your Samba server to fail -completely. Use these options with caution! -<p><br><strong>Default:</strong> -<code> socket options = TCP_NODELAY</code> -<p><br><strong>Example:</strong> -<code> socket options = IPTOS_LOWDELAY</code> -<p><br><a name="ssl"></a> -<li><strong><strong>ssl (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This variable enables or disables the entire SSL mode. If it is set to -"no", the SSL enabled samba behaves exactly like the non-SSL samba. If -set to "yes", it depends on the variables <a href="smb.conf.5.html#sslhosts"><strong>"ssl -hosts"</strong></a> and <a href="smb.conf.5.html#sslhostsresign"><strong>"ssl hosts resign"</strong></a> -whether an SSL connection will be required. -<p><br><strong>Default:</strong> -<code> ssl=no</code> - <strong>Example:</strong> -<code> ssl=yes</code> -<p><br><a name="sslCAcertDir"></a> -<li><strong><strong>ssl CA certDir (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This variable defines where to look up the Certification -Authorities. The given directory should contain one file for each CA -that samba will trust. The file name must be the hash value over the -"Distinguished Name" of the CA. How this directory is set up is -explained later in this document. All files within the directory that -don't fit into this naming scheme are ignored. You don't need this -variable if you don't verify client certificates. -<p><br><strong>Default:</strong> -<code> ssl CA certDir = /usr/local/ssl/certs</code> -<p><br><a name="sslCAcertFile"></a> -<li><strong><strong>ssl CA certFile (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This variable is a second way to define the trusted CAs. The -certificates of the trusted CAs are collected in one big file and this -variable points to the file. You will probably only use one of the two -ways to define your CAs. The first choice is preferable if you have -many CAs or want to be flexible, the second is preferable if you only -have one CA and want to keep things simple (you won't need to create -the hashed file names). You don't need this variable if you don't -verify client certificates. -<p><br><strong>Default:</strong> -<code> ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem</code> -<p><br><a name="sslciphers"></a> -<li><strong><strong>ssl ciphers (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This variable defines the ciphers that should be offered during SSL -negotiation. You should not set this variable unless you know what you -are doing. -<p><br><a name="sslclientcert"></a> -<li><strong><strong>ssl client cert (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>The certificate in this file is used by -<a href="smbclient.1.html"><strong>smbclient</strong></a> if it exists. It's needed if the -server requires a client certificate. -<p><br><strong>Default:</strong> -<code> ssl client cert = /usr/local/ssl/certs/smbclient.pem</code> -<p><br><a name="sslclientkey"></a> -<li><strong><strong>ssl client key (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This is the private key for <a href="smbclient.1.html"><strong>smbclient</strong></a>. It's -only needed if the client should have a certificate. -<p><br><strong>Default:</strong> -<code> ssl client key = /usr/local/ssl/private/smbclient.pem</code> -<p><br><a name="sslcompatibility"></a> -<li><strong><strong>ssl compatibility (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This variable defines whether SSLeay should be configured for bug -compatibility with other SSL implementations. This is probably not -desirable because currently no clients with SSL implementations other -than SSLeay exist. -<p><br><strong>Default:</strong> -<code> ssl compatibility = no</code> -<p><br><a name="sslhosts"></a> -<li><strong><strong>ssl hosts (G)</strong></strong> -<p><br>See <a href="smb.conf.5.html#sslhostsresign"><strong>"ssl hosts resign"</strong></a>. -<p><br><a name="sslhostsresign"></a> -<li><strong><strong>ssl hosts resign (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>These two variables define whether samba will go into SSL mode or -not. If none of them is defined, samba will allow only SSL -connections. If the <a href="smb.conf.5.html#sslhosts"><strong>"ssl hosts"</strong></a> variable lists -hosts (by IP-address, IP-address range, net group or name), only these -hosts will be forced into SSL mode. If the <strong>"ssl hosts resign"</strong> -variable lists hosts, only these hosts will NOT be forced into SSL -mode. The syntax for these two variables is the same as for the -<a href="smb.conf.5.html#hostsallow"><strong>"hosts allow"</strong></a> and <a href="smb.conf.5.html#hostsdeny"><strong>"hosts -deny"</strong></a> pair of variables, only that the subject of the -decision is different: It's not the access right but whether SSL is -used or not. See the <a href="smb.conf.5.html#allowhosts"><strong>"allow hosts"</strong></a> parameter for -details. The example below requires SSL connections from all hosts -outside the local net (which is 192.168.*.*). -<p><br><strong>Default:</strong> -<code> ssl hosts = <empty string></code> -<code> ssl hosts resign = <empty string></code> -<p><br><strong>Example:</strong> -<code> ssl hosts resign = 192.168.</code> -<p><br><a name="sslrequireclientcert"></a> -<li><strong><strong>ssl require clientcert (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>If this variable is set to <code>"yes"</code>, the server will not tolerate -connections from clients that don't have a valid certificate. The -directory/file given in <a href="smb.conf.5.html#sslCAcertDir"><strong>"ssl CA certDir"</strong></a> and -<a href="smb.conf.5.html#sslCAcertFile"><strong>"ssl CA certFile"</strong></a> will be used to look up the -CAs that issued the client's certificate. If the certificate can't be -verified positively, the connection will be terminated. If this -variable is set to <code>"no"</code>, clients don't need certificates. Contrary -to web applications you really <em>*should*</em> require client -certificates. In the web environment the client's data is sensitive -(credit card numbers) and the server must prove to be trustworthy. In -a file server environment the server's data will be sensitive and the -clients must prove to be trustworthy. -<p><br><strong>Default:</strong> -<code> ssl require clientcert = no</code> -<p><br><a name="sslrequireservercert"></a> -<li><strong><strong>ssl require servercert (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>If this variable is set to <code>"yes"</code>, the -<a href="smbclient.1.html"><strong>smbclient</strong></a> will request a certificate from -the server. Same as <a href="smb.conf.5.html#sslrequireclientcert"><strong>"ssl require -clientcert"</strong></a> for the server. -<p><br><strong>Default:</strong> -<code> ssl require servercert = no</code> -<p><br><a name="sslservercert"></a> -<li><strong><strong>ssl server cert (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This is the file containing the server's certificate. The server _must_ -have a certificate. The file may also contain the server's private key. -See later for how certificates and private keys are created. -<p><br><strong>Default:</strong> -<code> ssl server cert = <empty string></code> -<p><br><a name="sslserverkey"></a> -<li><strong><strong>ssl server key (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This file contains the private key of the server. If this variable is -not defined, the key is looked up in the certificate file (it may be -appended to the certificate). The server <em>*must*</em> have a private key -and the certificate <em>*must*</em> match this private key. -<p><br><strong>Default:</strong> -<code> ssl server key = <empty string></code> -<p><br><a name="sslversion"></a> -<li><strong><strong>ssl version (G)</strong></strong> -<p><br>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><br><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p><br>This enumeration variable defines the versions of the SSL protocol -that will be used. <code>"ssl2or3"</code> allows dynamic negotiation of SSL v2 -or v3, <code>"ssl2"</code> results in SSL v2, <code>"ssl3"</code> results in SSL v3 and -"tls1" results in TLS v1. TLS (Transport Layer Security) is the -(proposed?) new standard for SSL. -<p><br><strong>Default:</strong> -<code> ssl version = "ssl2or3"</code> -<p><br><a name="statcache"></a> -<li><strong><strong>stat cache (G)</strong></strong> -<p><br>This parameter determines if <a href="smbd.8.html"><strong>smbd</strong></a> will use a -cache in order to speed up case insensitive name mappings. You should -never need to change this parameter. -<p><br><strong>Default:</strong> -<code> stat cache = yes</code> -<p><br><a name="statcachesize"></a> -<li><strong><strong>stat cache size (G)</strong></strong> -<p><br>This parameter determines the number of entries in the <a href="smb.conf.5.html#statcache"><strong>stat -cache</strong></a>. You should never need to change this parameter. -<p><br><strong>Default:</strong> -<code> stat cache size = 50</code> -<p><br><a name="status"></a> -<li><strong><strong>status (G)</strong></strong> -<p><br>This enables or disables logging of connections to a status file that -<a href="smbstatus.1.html"><strong>smbstatus</strong></a> can read. -<p><br>With this disabled <a href="smbstatus.1.html"><strong>smbstatus</strong></a> won't be able -to tell you what connections are active. You should never need to -change this parameter. -<p><br><strong>Default:</strong> - status = yes -<p><br><a name="strictlocking"></a> -<li><strong><strong>strict locking (S)</strong></strong> -<p><br>This is a boolean that controls the handling of file locking in the -server. When this is set to <code>"yes"</code> the server will check every read and -write access for file locks, and deny access if locks exist. This can -be slow on some systems. -<p><br>When strict locking is <code>"no"</code> the server does file lock checks only -when the client explicitly asks for them. -<p><br>Well behaved clients always ask for lock checks when it is important, -so in the vast majority of cases <strong>"strict locking = no"</strong> is -preferable. -<p><br><strong>Default:</strong> -<code> strict locking = no</code> -<p><br><strong>Example:</strong> -<code> strict locking = yes</code> -<p><br><a name="strictsync"></a> -<li><strong><strong>strict sync (S)</strong></strong> -<p><br>Many Windows applications (including the Windows 98 explorer shell) -seem to confuse flushing buffer contents to disk with doing a sync to -disk. Under UNIX, a sync call forces the process to be suspended until -the kernel has ensured that all outstanding data in kernel disk -buffers has been safely stored onto stable storage. This is very slow -and should only be done rarely. Setting this parameter to "no" (the -default) means that smbd ignores the Windows applications requests for -a sync call. There is only a possibility of losing data if the -operating system itself that Samba is running on crashes, so there is -little danger in this default setting. In addition, this fixes many -performance problems that people have reported with the new Windows98 -explorer shell file copies. -<p><br>See also the <a href="smb.conf.5.html#syncalways"><strong>"sync always"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> strict sync = no</code> -<p><br><strong>Example:</strong> -<code> strict sync = yes</code> -<p><br><a name="stripdot"></a> -<li><strong><strong>strip dot (G)</strong></strong> -<p><br>This is a boolean that controls whether to strip trailing dots off -UNIX filenames. This helps with some CDROMs that have filenames ending -in a single dot. -<p><br><strong>Default:</strong> -<code> strip dot = no</code> -<p><br><strong>Example:</strong> -<code> strip dot = yes</code> -<p><br><a name="syncalways"></a> -<li><strong><strong>sync always (S)</strong></strong> -<p><br>This is a boolean parameter that controls whether writes will always -be written to stable storage before the write call returns. If this is -false then the server will be guided by the client's request in each -write call (clients can set a bit indicating that a particular write -should be synchronous). If this is true then every write will be -followed by a fsync() call to ensure the data is written to disk. -Note that the <a href="smb.conf.5.html#strictsync"><strong>"strict sync"</strong></a> parameter must be -set to <code>"yes"</code> in order for this parameter to have any affect. -<p><br>See also the <a href="smb.conf.5.html#strictsync"><strong>"strict sync"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> sync always = no</code> -<p><br><strong>Example:</strong> -<code> sync always = yes</code> -<p><br><a name="syslog"></a> -<li><strong><strong>syslog (G)</strong></strong> -<p><br>This parameter maps how Samba debug messages are logged onto the -system syslog logging levels. Samba debug level zero maps onto syslog -LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps -to LOG_NOTICE, debug level three maps onto LOG_INFO. The parameter -sets the threshold for doing the mapping, all Samba debug messages -above this threshold are mapped to syslog LOG_DEBUG messages. -<p><br><strong>Default:</strong> -<code> syslog = 1</code> -<p><br><a name="syslogonly"></a> -<li><strong><strong>syslog only (G)</strong></strong> -<p><br>If this parameter is set then Samba debug messages are logged into the -system syslog only, and not to the debug log files. -<p><br><strong>Default:</strong> -<code> syslog only = no</code> -<p><br><a name="timeoffset"></a> -<li><strong><strong>time offset (G)</strong></strong> -<p><br>This parameter is a setting in minutes to add to the normal GMT to -local time conversion. This is useful if you are serving a lot of PCs -that have incorrect daylight saving time handling. -<p><br><strong>Default:</strong> -<code> time offset = 0</code> -<p><br><strong>Example:</strong> -<code> time offset = 60</code> -<p><br><a name="timeserver"></a> -<p><br><li><strong><strong>time server (G)</strong></strong> -<p><br>This parameter determines if <a href="nmbd.8.html"><strong>nmbd</strong></a> advertises -itself as a time server to Windows clients. The default is False. -<p><br><strong>Default:</strong> -<code> time server = False</code> -<p><br><strong>Example:</strong> -<code> time server = True</code> -<p><br><a name="timestamplogs"></a> -<li><strong><strong>timestamp logs (G)</strong></strong> -<p><br>Samba2.0 will a timestamps to all log entries by default. This -can be distracting if you are attempting to debug a problem. This -parameter allows the timestamping to be turned off. -<p><br><strong>Default:</strong> -<code> timestamp logs = True</code> -<p><br><strong>Example:</strong> -<code> timestamp logs = False</code> -<p><br><a name="unixpasswordsync"></a> -<li><strong><strong>unix password sync (G)</strong></strong> -<p><br>This boolean parameter controls whether Samba attempts to synchronize -the UNIX password with the SMB password when the encrypted SMB -password in the smbpasswd file is changed. If this is set to true the -program specified in the <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> -parameter is called <em>*AS ROOT*</em> - to allow the new UNIX password to be -set without access to the old UNIX password (as the SMB password has -change code has no access to the old password cleartext, only the -new). By default this is set to <code>"false"</code>. -<p><br>See also <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a>, <a href="smb.conf.5.html#passwdchat"><strong>"passwd -chat"</strong></a>. -<p><br><strong>Default:</strong> -<code> unix password sync = False</code> -<p><br><strong>Example:</strong> -<code> unix password sync = True</code> -<p><br><a name="unixrealname"></a> -<li><strong><strong>unix realname (G)</strong></strong> -<p><br>This boolean parameter when set causes samba to supply the real name -field from the unix password file to the client. This is useful for -setting up mail clients and WWW browsers on systems used by more than -one person. -<p><br><strong>Default:</strong> -<code> unix realname = no</code> -<p><br><strong>Example:</strong> -<code> unix realname = yes</code> -<p><br><a name="updateencrypted"></a> -<li><strong><strong>update encrypted (G)</strong></strong> -<p><br>This boolean parameter allows a user logging on with a plaintext -password to have their encrypted (hashed) password in the smbpasswd -file to be updated automatically as they log on. This option allows a -site to migrate from plaintext password authentication (users -authenticate with plaintext password over the wire, and are checked -against a UNIX account database) to encrypted password authentication -(the SMB challenge/response authentication mechanism) without forcing -all users to re-enter their passwords via smbpasswd at the time the -change is made. This is a convenience option to allow the change over -to encrypted passwords to be made over a longer period. Once all users -have encrypted representations of their passwords in the smbpasswd -file this parameter should be set to <code>"off"</code>. -<p><br>In order for this parameter to work correctly the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypt -passwords"</strong></a> parameter must be set to <code>"no"</code> when -this parameter is set to <code>"yes"</code>. -<p><br>Note that even when this parameter is set a user authenticating to -smbd must still enter a valid password in order to connect correctly, -and to update their hashed (smbpasswd) passwords. -<p><br><strong>Default:</strong> -<code> update encrypted = no</code> -<p><br><strong>Example:</strong> -<code> update encrypted = yes</code> -<p><br><a name="userhosts"></a> -<li><strong><strong>use rhosts (G)</strong></strong> -<p><br>If this global parameter is a true, it specifies that the UNIX users -<code>".rhosts"</code> file in their home directory will be read to find the -names of hosts and users who will be allowed access without specifying -a password. -<p><br>NOTE: The use of <strong>use rhosts</strong> can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -<strong>use rhosts</strong> option be only used if you really know what you are -doing. -<p><br><strong>Default:</strong> -<code> use rhosts = no</code> -<p><br><strong>Example:</strong> -<code> use rhosts = yes</code> -<p><br><a name="user"></a> -<li><strong><strong>user (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#username"><strong>"username"</strong></a>. -<p><br><a name="users"></a> -<li><strong><strong>users (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#username"><strong>"username"</strong></a>. -<p><br><a name="username"></a> -<li><strong><strong>username (S)</strong></strong> -<p><br>Multiple users may be specified in a comma-delimited list, in which -case the supplied password will be tested against each username in -turn (left to right). -<p><br>The <strong>username=</strong> line is needed only when the PC is unable to supply -its own username. This is the case for the COREPLUS protocol or where -your users have different WfWg usernames to UNIX usernames. In both -these cases you may also be better using the <code>\\server\share%user</code> -syntax instead. -<p><br>The <strong>username=</strong> line is not a great solution in many cases as it -means Samba will try to validate the supplied password against each of -the usernames in the username= line in turn. This is slow and a bad -idea for lots of users in case of duplicate passwords. You may get -timeouts or security breaches using this parameter unwisely. -<p><br>Samba relies on the underlying UNIX security. This parameter does not -restrict who can login, it just offers hints to the Samba server as to -what usernames might correspond to the supplied password. Users can -login as whoever they please and they will be able to do no more -damage than if they started a telnet session. The daemon runs as the -user that they log in as, so they cannot do anything that user cannot -do. -<p><br>To restrict a service to a particular set of users you can use the -<a href="smb.conf.5.html#validusers"><strong>"valid users="</strong></a> parameter. -<p><br>If any of the usernames begin with a <code>'@'</code> then the name will be -looked up first in the yp netgroups list (if Samba is compiled with -netgroup support), followed by a lookup in the UNIX groups database -and will expand to a list of all users in the group of that name. -<p><br>If any of the usernames begin with a <code>'+'</code> then the name will be -looked up only in the UNIX groups database and will expand to a list -of all users in the group of that name. -<p><br>If any of the usernames begin with a <code>'&'</code> then the name will be -looked up only in the yp netgroups database (if Samba is compiled with -netgroup support) and will expand to a list of all users in the -netgroup group of that name. -<p><br>Note that searching though a groups database can take quite some time, -and some clients may time out during the search. -<p><br>See the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a> for more -information on how this parameter determines access to the services. -<p><br><strong>Default:</strong> -<code> The guest account if a guest service, else the name of the service.</code> -<p><br><strong>Examples:</strong> -<pre> - - username = fred - username = fred, mary, jack, jane, @users, @pcgroup - -</pre> - -<p><br><a name="usernamelevel"></a> -<li><strong><strong>username level (G)</strong></strong> -<p><br>This option helps Samba to try and 'guess' at the real UNIX username, -as many DOS clients send an all-uppercase username. By default Samba -tries all lowercase, followed by the username with the first letter -capitalized, and fails if the username is not found on the UNIX -machine. -<p><br>If this parameter is set to non-zero the behavior changes. This -parameter is a number that specifies the number of uppercase -combinations to try whilst trying to determine the UNIX user name. The -higher the number the more combinations will be tried, but the slower -the discovery of usernames will be. Use this parameter when you have -strange usernames on your UNIX machine, such as <code>"AstrangeUser"</code>. -<p><br><strong>Default:</strong> -<code> username level = 0</code> -<p><br><strong>Example:</strong> -<code> username level = 5</code> -<p><br><a name="usernamemap"></a> -<li><strong><strong>username map (G)</strong></strong> -<p><br>This option allows you to specify a file containing a mapping of -usernames from the clients to the server. This can be used for several -purposes. The most common is to map usernames that users use on DOS or -Windows machines to those that the UNIX box uses. The other is to map -multiple users to a single username so that they can more easily share -files. -<p><br>The map file is parsed line by line. Each line should contain a single -UNIX username on the left then a <code>'='</code> followed by a list of -usernames on the right. The list of usernames on the right may contain -names of the form @group in which case they will match any UNIX -username in that group. The special client name <code>'*'</code> is a wildcard -and matches any name. Each line of the map file may be up to 1023 -characters long. -<p><br>The file is processed on each line by taking the supplied username and -comparing it with each username on the right hand side of the <code>'='</code> -signs. If the supplied name matches any of the names on the right hand -side then it is replaced with the name on the left. Processing then -continues with the next line. -<p><br>If any line begins with a <code>'#'</code> or a <code>';'</code> then it is ignored -<p><br>If any line begins with an <code>'!'</code> then the processing will stop after -that line if a mapping was done by the line. Otherwise mapping -continues with every line being processed. Using <code>'!'</code> is most -useful when you have a wildcard mapping line later in the file. -<p><br>For example to map from the name <code>"admin"</code> or <code>"administrator"</code> to -the UNIX name <code>"root"</code> you would use: -<p><br><code> root = admin administrator</code> -<p><br>Or to map anyone in the UNIX group <code>"system"</code> to the UNIX name -<code>"sys"</code> you would use: -<p><br><code> sys = @system</code> -<p><br>You can have as many mappings as you like in a username map file. -<p><br>If your system supports the NIS NETGROUP option then the netgroup -database is checked before the <code>/etc/group</code> database for matching -groups. -<p><br>You can map Windows usernames that have spaces in them by using double -quotes around the name. For example: -<p><br><code> tridge = "Andrew Tridgell"</code> -<p><br>would map the windows username <code>"Andrew Tridgell"</code> to the unix -username tridge. -<p><br>The following example would map mary and fred to the unix user sys, -and map the rest to guest. Note the use of the <code>'!'</code> to tell Samba -to stop processing if it gets a match on that line. -<p><br><pre> - - !sys = mary fred - guest = * - -</pre> - -<p><br>Note that the remapping is applied to all occurrences of -usernames. Thus if you connect to <code>"\\server\fred"</code> and <code>"fred"</code> -is remapped to <code>"mary"</code> then you will actually be connecting to -<code>"\\server\mary"</code> and will need to supply a password suitable for -<code>"mary"</code> not <code>"fred"</code>. The only exception to this is the username -passed to the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> (if you have -one). The password server will receive whatever username the client -supplies without modification. -<p><br>Also note that no reverse mapping is done. The main effect this has is -with printing. Users who have been mapped may have trouble deleting -print jobs as PrintManager under WfWg will think they don't own the -print job. -<p><br><strong>Default:</strong> -<code> no username map</code> -<p><br><strong>Example:</strong> -<code> username map = /usr/local/samba/lib/users.map</code> -<p><br><a name="validchars"></a> -<li><strong><strong>valid chars (S)</strong></strong> -<p><br>The option allows you to specify additional characters that should be -considered valid by the server in filenames. This is particularly -useful for national character sets, such as adding u-umlaut or a-ring. -<p><br>The option takes a list of characters in either integer or character -form with spaces between them. If you give two characters with a colon -between them then it will be taken as an lowercase:uppercase pair. -<p><br>If you have an editor capable of entering the characters into the -config file then it is probably easiest to use this method. Otherwise -you can specify the characters in octal, decimal or hexadecimal form -using the usual C notation. -<p><br>For example to add the single character <code>'Z'</code> to the charset (which -is a pointless thing to do as it's already there) you could do one of -the following -<p><br><pre> - - valid chars = Z - valid chars = z:Z - valid chars = 0132:0172 - -</pre> - -<p><br>The last two examples above actually add two characters, and alter the -uppercase and lowercase mappings appropriately. -<p><br>Note that you MUST specify this parameter after the <a href="smb.conf.5.html#clientcodepage"><strong>"client -code page"</strong></a> parameter if you have both set. If -<a href="smb.conf.5.html#clientcodepage"><strong>"client code page"</strong></a> is set after the -<strong>"valid chars"</strong> parameter the <strong>"valid chars"</strong> settings will be -overwritten. -<p><br>See also the <a href="smb.conf.5.html#clientcodepage"><strong>"client code page"</strong></a> parameter. -<p><br><strong>Default:</strong> -<pre> - - Samba defaults to using a reasonable set of valid characters - for English systems - -</pre> - -<p><br><strong>Example</strong> -<code> valid chars = 0345:0305 0366:0326 0344:0304</code> -<p><br>The above example allows filenames to have the Swedish characters in -them. -<p><br>NOTE: It is actually quite difficult to correctly produce a <strong>"valid -chars"</strong> line for a particular system. To automate the process -<a href="mailto:tino@augsburg.net"><em>tino@augsburg.net</em></a> has written a package called <strong>"validchars"</strong> -which will automatically produce a complete <strong>"valid chars"</strong> line for -a given client system. Look in the examples/validchars/ subdirectory -of your Samba source code distribution for this package. -<p><br><a name="validusers"></a> -<li><strong><strong>valid users (S)</strong></strong> -<p><br>This is a list of users that should be allowed to login to this -service. Names starting with <code>'@'</code>, <code>'+'</code> and <code>'&'</code> are -interpreted using the same rules as described in the <a href="smb.conf.5.html#invalidusers"><strong>"invalid -users"</strong></a> parameter. -<p><br>If this is empty (the default) then any user can login. If a username -is in both this list and the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> -list then access is denied for that user. -<p><br>The current servicename is substituted for -<a href="smb.conf.5.html#percentS"><strong>"%S"</strong></a>. This is useful in the -<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> section. -<p><br>See also <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a>. -<p><br><strong>Default:</strong> -<code> No valid users list. (anyone can login)</code> -<p><br><strong>Example:</strong> -<code> valid users = greg, @pcusers</code> -<p><br><a name="vetofiles"></a> -<li><strong><strong>veto files(S)</strong></strong> -<p><br>This is a list of files and directories that are neither visible nor -accessible. Each entry in the list must be separated by a <code>'/'</code>, -which allows spaces to be included in the entry. <code>'*'</code> and <code>'?'</code> -can be used to specify multiple files or directories as in DOS -wildcards. -<p><br>Each entry must be a unix path, not a DOS path and must <em>*not*</em> include the -unix directory separator <code>'/'</code>. -<p><br>Note that the <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a> option is -applicable in vetoing files. -<p><br>One feature of the veto files parameter that it is important to be -aware of, is that if a directory contains nothing but files that match -the veto files parameter (which means that Windows/DOS clients cannot -ever see them) is deleted, the veto files within that directory *are -automatically deleted* along with it, if the user has UNIX permissions -to do so. -<p><br>Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned. -<p><br>See also <a href="smb.conf.5.html#hidefiles"><strong>"hide files"</strong></a> and <a href="smb.conf.5.html#casesensitive"><strong>"case -sensitive"</strong></a>. -<p><br><strong>Default:</strong> -<code> No files or directories are vetoed.</code> -<p><br><strong>Examples:</strong> -<p><br>Example 1. -<p><br><pre> - - - Veto any files containing the word Security, - any ending in .tmp, and any directory containing the - word root. - - veto files = /*Security*/*.tmp/*root*/ - -</pre> - -<p><br>Example 2. -<p><br><pre> - - Veto the Apple specific files that a NetAtalk server - creates. - - veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ - -</pre> - -<p><br><a name="vetooplockfiles"></a> -<li><strong><strong>veto oplock files (S)</strong></strong> -<p><br>This parameter is only valid when the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> -parameter is turned on for a share. It allows the Samba administrator -to selectively turn off the granting of oplocks on selected files that -match a wildcarded list, similar to the wildcarded list used in the -<a href="smb.conf.5.html#vetofiles"><strong>"veto files"</strong></a> parameter. -<p><br><strong>Default:</strong> -<code> No files are vetoed for oplock grants.</code> -<p><br><strong>Examples:</strong> -<p><br>You might want to do this on files that you know will be heavily -contended for by clients. A good example of this is in the NetBench -SMB benchmark program, which causes heavy client contention for files -ending in <code>".SEM"</code>. To cause Samba not to grant oplocks on these -files you would use the line (either in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> -section or in the section for the particular NetBench share : -<p><br><code> veto oplock files = /*.SEM/</code> -<p><br><a name="volume"></a> -<li><strong><strong>volume (S)</strong></strong> -<p><br>This allows you to override the volume label returned for a -share. Useful for CDROMs with installation programs that insist on a -particular volume label. -<p><br>The default is the name of the share. -<p><br><a name="widelinks"></a> -<li><strong><strong>wide links (S)</strong></strong> -<p><br>This parameter controls whether or not links in the UNIX file system -may be followed by the server. Links that point to areas within the -directory tree exported by the server are always allowed; this -parameter controls access only to areas that are outside the directory -tree being exported. -<p><br><strong>Default:</strong> -<code> wide links = yes</code> -<p><br><strong>Example:</strong> -<code> wide links = no</code> -<p><br><a name="winsproxy"></a> -<li><strong><strong>wins proxy (G)</strong></strong> -<p><br>This is a boolean that controls if <a href="nmbd.8.html"><strong>nmbd</strong></a> will -respond to broadcast name queries on behalf of other hosts. You may -need to set this to <code>"yes"</code> for some older clients. -<p><br><strong>Default:</strong> -<code> wins proxy = no</code> -<p><br><a name="winsserver"></a> -<li><strong><strong>wins server (G)</strong></strong> -<p><br>This specifies the DNS name (or IP address) of the WINS server that -<a href="nmbd.8.html"><strong>nmbd</strong></a> should register with. If you have a WINS -server on your network then you should set this to the WINS servers -name. -<p><br>You should point this at your WINS server if you have a -multi-subnetted network. -<p><br><em>NOTE</em>. You need to set up Samba to point to a WINS server if you -have multiple subnets and wish cross-subnet browsing to work correctly. -<p><br>See the documentation file BROWSING.txt in the docs/ directory of your -Samba source distribution. -<p><br><strong>Default:</strong> -<code> wins server = </code> -<p><br><strong>Example:</strong> -<code> wins server = 192.9.200.1</code> -<p><br><a name="winssupport"></a> -<li><strong><strong>wins support (G)</strong></strong> -<p><br>This boolean controls if the <a href="nmbd.8.html"><strong>nmbd</strong></a> process in -Samba will act as a WINS server. You should not set this to true -unless you have a multi-subnetted network and you wish a particular -<a href="nmbd.8.html"><strong>nmbd</strong></a> to be your WINS server. Note that you -should <em>*NEVER*</em> set this to true on more than one machine in your -network. -<p><br><strong>Default:</strong> -<code> wins support = no</code> -<p><br><a name="workgroup"></a> -<li><strong><strong>workgroup (G)</strong></strong> -<p><br>This controls what workgroup your server will appear to be in when -queried by clients. Note that this parameter also controls the Domain -name used with the <a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a> -setting. -<p><br><strong>Default:</strong> -<code> set at compile time to WORKGROUP</code> -<p><br><strong>Example:</strong> - workgroup = MYGROUP -<p><br><a name="writable"></a> -<li><strong><strong>writable (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> for people who can't spell :-). -<p><br><a name="writelist"></a> -<li><strong><strong>write list (S)</strong></strong> -<p><br>This is a list of users that are given read-write access to a -service. If the connecting user is in this list then they will be -given write access, no matter what the <a href="smb.conf.5.html#readonly"><strong>"read only"</strong></a> -option is set to. The list can include group names using the @group -syntax. -<p><br>Note that if a user is in both the read list and the write list then -they will be given write access. -<p><br>See also the <a href="smb.conf.5.html#readlist"><strong>"read list"</strong></a> option. -<p><br><strong>Default:</strong> -<code> write list = <empty string></code> -<p><br><strong>Example:</strong> -<code> write list = admin, root, @staff</code> -<p><br><a name="writeok"></a> -<li><strong><strong>write ok (S)</strong></strong> -<p><br>Synonym for <a href="smb.conf.5.html#writeable"><strong>writeable</strong></a>. -<p><br><a name="writeraw"></a> -<li><strong><strong>write raw (G)</strong></strong> -<p><br>This parameter controls whether or not the server will support raw -writes SMB's when transferring data from clients. You should never -need to change this parameter. -<p><br><strong>Default:</strong> -<code> write raw = yes</code> -<p><br><a name="writeable"></a> -<li><strong><strong>writeable</strong></strong> -<p><br>An inverted synonym is <a href="smb.conf.5.html#readonly"><strong>"read only"</strong></a>. -<p><br>If this parameter is <code>"no"</code>, then users of a service may not create -or modify files in the service's directory. -<p><br>Note that a printable service <a href="smb.conf.5.html#printable"><strong>("printable = yes")</strong></a> -will <em>*ALWAYS*</em> allow writing to the directory (user privileges -permitting), but only via spooling operations. -<p><br><strong>Default:</strong> -<code> writeable = no</code> -<p><br><strong>Examples:</strong> -<pre> - - read only = no - writeable = yes - write ok = yes - -</pre> - -<p><br><a name="WARNINGS"></a> -<h2>WARNINGS</h2> - -<p><br>Although the configuration file permits service names to contain -spaces, your client software may not. Spaces will be ignored in -comparisons anyway, so it shouldn't be a problem - but be aware of the -possibility. -<p><br>On a similar note, many clients - especially DOS clients - limit -service names to eight characters. <a href="smbd.8.html"><strong>Smbd</strong></a> has no -such limitation, but attempts to connect from such clients will fail -if they truncate the service names. For this reason you should -probably keep your service names down to eight characters in length. -<p><br>Use of the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> -special sections make life for an administrator easy, but the various -combinations of default attributes can be tricky. Take extreme care -when designing these sections. In particular, ensure that the -permissions on spool directories are correct. -<p><br><a name="VERSION"></a> -<h2>VERSION</h2> - -<p><br>This man page is correct for version 2.0 of the Samba suite. -<p><br><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><br><a href="smbd.8.html"><strong>smbd (8)</strong></a>, <a href="smbclient.1.html"><strong>smbclient (1)</strong></a>, -<a href="nmbd.8.html"><strong>nmbd (8)</strong></a>, <a href="testparm.1.html"><strong>testparm (1)</strong></a>, -<a href="testprns.1.html"><strong>testprns (1)</strong></a>, <a href="samba.7.html"><strong>Samba</strong></a>, -<a href="nmblookup.1.html"><strong>nmblookup (1)</strong></a>, <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a>, -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>. -<p><br><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p><br>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba-bugs@samba.org"><em>samba-bugs@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p><br>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba-bugs@samba.org"><em>samba-bugs@samba.org</em></a>. -<p><br>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> diff --git a/swat/help/welcome.html b/swat/help/welcome.html index 0df7991cd7..bbde61e549 100644 --- a/swat/help/welcome.html +++ b/swat/help/welcome.html @@ -1,37 +1,45 @@ -Welcome to SWAT!<p> +<h3>Welcome to SWAT!</h3> -This is the first release of the Samba Web Administration Tool. This tool -is being improved so you may find some things look rough at this stage.<p> +Please choose a configuration action using one of the above buttons -SWAT demands authentication before showing you this page, so that only -authenticated users can modify your smb.conf!<p> - -Here are some features of SWAT: - -<ul> -<li> Built in mini web server so you don't need a web server installed to -manage a Samba server, you just need a browser. -<li> Linked into the master source code so it automatically makes available new -parameters as they are added to Samba. -<li> Direct links to the html version of the smb.conf man page for help -on parameters. -<li> Layout and dialog building is done automatically based on the type -of the smb.conf parameter being changed. -<li> Password and account management built in. -</ul> - - -<H2>Features</H2> - -Here are some of the features we want to eventually incorporate.<p> +<h3>Documentation</h3> <ul> -<li> Secure authentication. -<li> Running the disgnosis steps from DIAGNOSIS.txt. -<li> GUI wizard style config building. + <li><b>Daemons</b> + <ul> + <li><a href="/swat/help/smbd.8.html" target="docs">smbd</a> - the SMB daemon + <li><a href="/swat/help/nmbd.8.html" target="docs">nmbd</a> - the NetBIOS nameserver + </ul> + <li><b>Administrative Utilities</b> + <ul> + <li><a href="/swat/help/smbstatus.1.html" target="docs">smbstatus</a> - monitoring Samba + <li><a href="/swat/help/swat.8.html" target="docs">SWAT</a> - web configuration tool + <li><a href="/swat/help/smbpasswd.8.html" target="docs">smbpasswd</a> - managing SMB passwords + <li><a href="/swat/help/make_smbcodepage.1.html" target="docs">make_smbcodepage</a> - codepage creation + <li><a href="/swat/help/testparm.1.html" target="docs">testparm</a> - validating your config file + <li><a href="/swat/help/testprns.1.html" target="docs">testprns</a> - testing printer configuration + </ul> + <li><b>General Utilities</b> + <ul> + <li><a href="/swat/help/nmblookup.1.html" target="docs">nmblookup</a> - NetBIOS name query tool + <li><a href="/swat/help/smbtar.1.html" target="docs">smbtar</a> - SMB backup tool + <li><a href="/swat/help/smbclient.1.html" target="docs">smbclient</a> - command line SMB client + </ul> + <li><b>Configuration Files</b> + <ul> + <li><a href="/swat/help/smb.conf.5.html" target="docs">smb.conf</a> - the main Samba configuration file + <li><a href="/swat/help/lmhosts.5.html" target="docs">lmhosts</a> - NetBIOS hosts file + <li><a href="/swat/help/smbpasswd.5.html" target="docs">smbpasswd</a> - SMB password file + </ul> + <li><b>Miscellaneous</b> + <ul> + <li><a href="/swat/help/samba.7.html" target="docs">Samba introduction</a> + <li><a href="/swat/help/DOMAIN_MEMBER.html" target="docs">Joining a NT Domain</a> + <li><a href="/swat/help/smbrun.1.html" target="docs">smbrun</a> - internal smbd utility + </ul> </ul> -<H2>Feedback</H2> +<h3>Feedback</h3> Please join the <A HREF="http://samba.org/listproc/">samba</A> mailing |