Diffstat (limited to 'docs/docbook/manpages/smb.conf.5.sgml')
-rw-r--r-- docs/docbook/manpages/smb.conf.5.sgml 786
1 files changed, 275 insertions, 511 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
index 3cea2d51bc..641e36f57a 100644
--- a/docs/docbook/manpages/smb.conf.5.sgml
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -41,7 +41,7 @@
<para>Section and parameter names are not case sensitive.</para>
<para>Only the first equals sign in a parameter is significant.
- Whitespace before or after the first equals sign is discarded.
+ Whitespace before or after the first equals sign is discarded.
Leading, trailing and internal whitespace in section and parameter
names is irrelevant. Leading and trailing whitespace in a parameter
value is discarded. Internal whitespace within a parameter value
@@ -84,7 +84,7 @@
printable services (used by the client to access print services
on the host running the server).</para>
- <para>Sections may be designated <emphasis>guest</emphasis> services,
+ <para>Sections may be designated <emphasis>guest</emphasis> services,
in which case no password is required to access them. A specified
UNIX <emphasis>guest account</emphasis> is used to define access
privileges in this case.</para>
@@ -213,7 +213,7 @@
the [homes] section will hide the [homes] share but make
any auto home directories visible.</para>
</refsect2>
-
+
<refsect2>
<title id="PRINTERSSECT">The [printers] section</title>
@@ -433,7 +433,7 @@
<varlistentry>
<term>%d</term>
- <listitem><para>The process id of the current server
+ <listitem><para>The process id of the current server
process.</para></listitem>
</varlistentry>
@@ -519,7 +519,7 @@
<varlistentry>
<term>short preserve case = yes/no</term>
- <listitem><para>controls if new files which conform to 8.3 syntax,
+ <listitem><para>controls if new files which conform to 8.3 syntax,
that is all in upper case and of suitable length, are created
upper case, or if they are forced to be the "default"
case. This option can be use with "preserve case = yes"
@@ -542,8 +542,10 @@
steps fail, then the connection request is rejected. However, if one of the
steps succeeds, then the following steps are not checked.</para>
- <para>If the service is marked "guest only = yes" then
- steps 1 to 5 are skipped.</para>
+ <para>If the service is marked "guest only = yes" and the
+ server is running with share-level security ("security = share")
+ then steps 1 to 5 are skipped.</para>
+
<orderedlist numeration="Arabic">
<listitem><para>If the client has passed a username/password
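Review bot: The reworded "guest only = yes" paragraph now covers only "security = share" and leaves the behaviour under the other security levels unstated. Since this paragraph decides whether the authentication steps are skipped, add one sentence saying what "guest only = yes" does when the server is not running with share-level security.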
@@ -596,6 +598,7 @@
<listitem><para><link linkend="ADDSHARECOMMAND"><parameter>add share command</parameter></link></para></listitem>
<listitem><para><link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link></para></listitem>
<listitem><para><link linkend="ADDMACHINESCRIPT"><parameter>add machine script</parameter></link></para></listitem>
+ <listitem><para><link linkend="ALGORITHMICRIDBASE"><parameter>algorithmic rid base</parameter></link></para></listitem>
<listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem>
<listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem>
<listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem>
@@ -641,10 +644,10 @@
<listitem><para><link linkend="LDAPADMINDN"><parameter>ldap admin dn</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPFILTER"><parameter>ldap filter</parameter></link></para></listitem>
- <listitem><para><link linkend="LDAPPORT"><parameter>ldap port</parameter></link></para></listitem>
- <listitem><para><link linkend="LDAPSERVER"><parameter>ldap server</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPSSL"><parameter>ldap ssl</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPSUFFIX"><parameter>ldap suffix</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPUSERSUFFIX"><parameter>ldap suffix</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPMACHINESUFFIX"><parameter>ldap suffix</parameter></link></para></listitem>
<listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem>
<listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem>
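Review bot: Both added index entries, linkend="LDAPUSERSUFFIX" and linkend="LDAPMACHINESUFFIX", carry the link text "ldap suffix", so the parameter index ends up with three identical "ldap suffix" items. Change the two new ones to "ldap user suffix" and "ldap machine suffix" so the text matches the target.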
@@ -652,6 +655,9 @@
<listitem><para><link linkend="LOCALMASTER"><parameter>local master</parameter></link></para></listitem>
<listitem><para><link linkend="LOCKDIR"><parameter>lock dir</parameter></link></para></listitem>
<listitem><para><link linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOCKSPINCOUNT"><parameter>lock spin count</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOCKSPINTIME"><parameter>lock spin time</parameter></link></para></listitem>
+ <listitem><para><link linkend="PIDDIRECTORY"><parameter>pid directory</parameter></link></para></listitem>
<listitem><para><link linkend="LOGFILE"><parameter>log file</parameter></link></para></listitem>
<listitem><para><link linkend="LOGLEVEL"><parameter>log level</parameter></link></para></listitem>
<listitem><para><link linkend="LOGONDRIVE"><parameter>logon drive</parameter></link></para></listitem>
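Review bot: The new "pid directory" index entry is inserted between "lock spin time" and "log file", which breaks the alphabetical order the rest of this list follows. Move it down to sit with the other entries beginning with "p".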
@@ -683,6 +689,7 @@
<listitem><para><link linkend="NISHOMEDIR"><parameter>nis homedir</parameter></link></para></listitem>
<listitem><para><link linkend="NONUNIXACCOUNTRANGE"><parameter>non unix account range</parameter></link></para></listitem>
<listitem><para><link linkend="NTPIPESUPPORT"><parameter>nt pipe support</parameter></link></para></listitem>
+ <listitem><para><link linkend="NTSTATUSSUPPORT"><parameter>nt status support</parameter></link></para></listitem>
<listitem><para><link linkend="NULLPASSWORDS"><parameter>null passwords</parameter></link></para></listitem>
<listitem><para><link linkend="OBEYPAMRESTRICTIONS"><parameter>obey pam restrictions</parameter></link></para></listitem>
<listitem><para><link linkend="OPLOCKBREAKWAITTIME"><parameter>oplock break wait time</parameter></link></para></listitem>
@@ -722,24 +729,6 @@
<listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem>
<listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem>
- <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem>
-
<listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem>
<listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem>
<listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem>
@@ -796,6 +785,8 @@
<listitem><para><link linkend="COPY"><parameter>copy</parameter></link></para></listitem>
<listitem><para><link linkend="CREATEMASK"><parameter>create mask</parameter></link></para></listitem>
<listitem><para><link linkend="CREATEMODE"><parameter>create mode</parameter></link></para></listitem>
+ <listitem><para><link linkend="CSCPOLICY"><parameter>csc policy</parameter></link></para></listitem>
+
<listitem><para><link linkend="DEFAULTCASE"><parameter>default case</parameter></link></para></listitem>
<listitem><para><link linkend="DEFAULTDEVMODE"><parameter>default devmode</parameter></link></para></listitem>
<listitem><para><link linkend="DELETEREADONLY"><parameter>delete readonly</parameter></link></para></listitem>
@@ -829,6 +820,7 @@
<listitem><para><link linkend="HOSTSALLOW"><parameter>hosts allow</parameter></link></para></listitem>
<listitem><para><link linkend="HOSTSDENY"><parameter>hosts deny</parameter></link></para></listitem>
<listitem><para><link linkend="INCLUDE"><parameter>include</parameter></link></para></listitem>
+ <listitem><para><link linkend="INHERITACLS"><parameter>inherit acls</parameter></link></para></listitem>
<listitem><para><link linkend="INHERITPERMISSIONS"><parameter>inherit permissions</parameter></link></para></listitem>
<listitem><para><link linkend="INVALIDUSERS"><parameter>invalid users</parameter></link></para></listitem>
<listitem><para><link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks</parameter></link></para></listitem>
@@ -881,6 +873,7 @@
<listitem><para><link linkend="ROOTPREEXECCLOSE"><parameter>root preexec close</parameter></link></para></listitem>
<listitem><para><link linkend="SECURITYMASK"><parameter>security mask</parameter></link></para></listitem>
<listitem><para><link linkend="SETDIRECTORY"><parameter>set directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="SHAREMODES"><parameter>share modes</parameter></link></para></listitem>
<listitem><para><link linkend="SHORTPRESERVECASE"><parameter>short preserve case</parameter></link></para></listitem>
<listitem><para><link linkend="STATUS"><parameter>status</parameter></link></para></listitem>
<listitem><para><link linkend="STRICTALLOCATE"><parameter>strict allocate</parameter></link></para></listitem>
@@ -1136,8 +1129,29 @@
<parameter>hosts allow</parameter></link>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><anchor id="ALGORITHMICRIDBASE">algorithmic rid base (G)</term>
+ <listitem><para>This determines how Samba will use its
+ algorithmic mapping from uids/gid to the RIDs needed to construct
+ NT Security Identifiers.</para>
+
+ <para>Setting this option to a larger value could be useful to sites
+ transitioning from WinNT and Win2k, as existing user and
+ group rids would otherwise clash with sytem users etc.
+ </para>
+ <para>All UIDs and GIDs must be able to be resolved into SIDs for
+ the correct operation of ACLs on the server. As such the algorithmic
+ mapping can't be 'turned off', but pushing it 'out of the way' should
+ resolve the issues. Users and groups can then be assigned 'low' RIDs
+ in arbitary-rid supporting backends. </para>
+ <para>Default: <command>algorithmic rid base = 1000</command></para>
+
+ <para>Example: <command>algorithmic rid base = 100000</command></para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><anchor id="ALLOWTRUSTEDDOMAINS">allow trusted domains (G)</term>
<listitem><para>This option only takes effect when the <link
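Review bot: The first paragraph of the new "algorithmic rid base" entry says the option "determines how Samba will use its algorithmic mapping" but never says what the number itself represents or how a uid or gid is turned into a RID relative to it. Add that, since the default and example values (1000 and 100000) are otherwise unexplained. Spelling in the added text: "sytem", "arbitary", and "uids/gid" should be "system", "arbitrary" and "uids/gids".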
@@ -1570,6 +1584,24 @@
</varlistentry>
+ <varlistentry>
+ <term><anchor id="CSCPOLICY">csc policy (S)</term>
+ <listitem><para>This stands for <emphasis>client-side caching
+ policy</emphasis>, and specifies how clients capable of offline
+ caching will cache the files in the share. The valid values
+ are: manual, documents, programs, disable.</para>
+
+ <para>These values correspond to those used on Windows
+ servers.</para>
+
+ <para>For example, shares containing roaming profiles can have
+ offline caching disabled using <command>csc policy = disable
+ </command>.</para>
+
+ <para>Default: <command>csc policy = manual</command></para>
+ <para>Example: <command>csc policy = programs</command></para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><anchor id="DEADTIME">deadtime (G)</term>
@@ -1871,47 +1903,16 @@
<varlistentry>
<term><anchor id="DELETEUSERSCRIPT">delete user script (G)</term>
<listitem><para>This is the full pathname to a script that will
- be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">
- <command>smbd(8)</command></ulink> under special circumstances
- described below.</para>
+ be run by <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ when managing user's with remote RPC (NT) tools.
+ </para>
- <para>Normally, a Samba server requires that UNIX users are
- created for all users accessing files on this server. For sites
- that use Windows NT account databases as their primary user database
- creating these users and keeping the user list in sync with the
- Windows NT PDC is an onerous task. This option allows <command>
- smbd</command> to delete the required UNIX users <emphasis>ON
- DEMAND</emphasis> when a user accesses the Samba server and the
- Windows NT user no longer exists.</para>
-
- <para>In order to use this option, <command>smbd</command> must be
- set to <parameter>security = domain</parameter> or <parameter>security =
- user</parameter> and <parameter>delete user script</parameter>
- must be set to a full pathname for a script
- that will delete a UNIX user given one argument of <parameter>%u</parameter>,
- which expands into the UNIX user name to delete.</para>
+ <para>This script is called when a remote client removes a user
+ from the server, normally using 'User Manager for Domains' or
+ <command>rpcclient</command>.
- <para>When the Windows user attempts to access the Samba server,
- at <emphasis>login</emphasis> (session setup in the SMB protocol)
- time, <command>smbd</command> contacts the <link linkend="PASSWORDSERVER">
- <parameter>password server</parameter></link> and attempts to authenticate
- the given user with the given password. If the authentication fails
- with the specific Domain error code meaning that the user no longer
- exists then <command>smbd</command> attempts to find a UNIX user in
- the UNIX password database that matches the Windows user account. If
- this lookup succeeds, and <parameter>delete user script</parameter> is
- set then <command>smbd</command> will all the specified script
- <emphasis>AS ROOT</emphasis>, expanding any <parameter>%u</parameter>
- argument to be the user name to delete.</para>
-
- <para>This script should delete the given UNIX username. In this way,
- UNIX users are dynamically deleted to match existing Windows NT
- accounts.</para>
-
- <para>See also <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>,
- <link linkend="PASSWORDSERVER"><parameter>password server</parameter>
- </link>, <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter>
- </link>.</para>
+ <para>This script should delete the given UNIX username.
+ </para>
<para>Default: <command>delete user script = &lt;empty string&gt;
</command></para>
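Review bot: The paragraph opened with "<para>This script is called when a remote client removes a user" is never closed: the added lines end at "<command>rpcclient</command>." and the next added line opens a new <para>. Add the missing </para>. The rewrite also drops the statement that the script runs AS ROOT and the description of the %u argument; an administrator writing the deletion script needs to know both the privilege it runs with and what it is passed, so please keep one sentence for each. "user's" in the first added paragraph should be "users".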
@@ -3050,6 +3051,24 @@
<varlistentry>
+ <term><anchor id="INHERITACLS">inherit acls (S)</term>
+ <listitem><para>This parameter can be used to ensure
+ that if default acls exist on parent directories,
+ they are always honored when creating a subdirectory.
+ The default behavior is to use the mode specified
+ when creating the directory. Enabling this option
+ sets the mode to 0777, thus guaranteeing that
+ default directory acls are propagated.
+ </para>
+
+ <para>Default: <command>inherit acls = no</command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
<term><anchor id="INHERITPERMISSIONS">inherit permissions (S)</term>
<listitem><para>The permissions on new files and directories
are normally governed by <link linkend="CREATEMASK"><parameter>
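Review bot: The "inherit acls" text says that enabling the option "sets the mode to 0777" but does not say what permissions a new subdirectory ends up with when the parent directory has no default ACL. Please state that case explicitly, and how the option interacts with the existing create/directory mask parameters, so a reader can tell whether turning it on can produce world-writable directories. The four blank added lines before the next <varlistentry> can be reduced to one.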
@@ -3262,12 +3281,6 @@
<varlistentry>
<term><anchor id="LDAPADMINDN">ldap admin dn (G)</term>
- <listitem><para>This parameter is only available if Samba has been
- configure to include the <command>--with-ldapsam</command> option
- at compile time. This option should be considered experimental and
- under active development.
- </para>
-
<para>
The <parameter>ldap admin dn</parameter> defines the Distinguished
Name (DN) name used by Samba to contact the <link linkend="LDAPSERVER">ldap
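Review bot: Removing the "--with-ldapsam" paragraph from "ldap admin dn" also removes the <listitem> opening tag that shared its first line, so the entry now goes from <term> straight to <para>. Keep the <listitem> tag (on its own line) when deleting the paragraph.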
@@ -3288,12 +3301,6 @@
<varlistentry>
<term><anchor id="LDAPFILTER">ldap filter (G)</term>
- <listitem><para>This parameter is only available if Samba has been
- configure to include the <command>--with-ldapsam</command> option
- at compile time. This option should be considered experimental and
- under active development.
- </para>
-
<para>
This parameter specifies the RFC 2254 compliant LDAP search filter.
The default is to match the login name with the <constant>uid</constant>
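Review bot: In the "ldap filter" entry the deleted line "<listitem><para>This parameter is only available ..." carried the <listitem> opening tag, and nothing in the hunk puts it back before the remaining <para>. Re-add <listitem> after the <term> line so the entry stays well-formed.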
@@ -3307,69 +3314,15 @@
</varlistentry>
-
-
- <varlistentry>
- <term><anchor id="LDAPPORT">ldap port (G)</term>
- <listitem><para>This parameter is only available if Samba has been
- configure to include the <command>--with-ldapsam</command> option
- at compile time. This option should be considered experimental and
- under active development.
- </para>
-
- <para>
- This option is used to control the tcp port number used to contact
- the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>.
- The default is to use the stand LDAPS port 636.
- </para>
-
- <para>See Also: <link linkend="LDAPSSL">ldap ssl</link>
- </para>
-
- <para>Default : <command>ldap port = 636</command></para>
- </listitem>
- </varlistentry>
-
-
-
-
- <varlistentry>
- <term><anchor id="LDAPSERVER">ldap server (G)</term>
- <listitem><para>This parameter is only available if Samba has been
- configure to include the <command>--with-ldapsam</command> option
- at compile time. This option should be considered experimental and
- under active development.
- </para>
-
- <para>
- This parameter should contains the FQDN of the ldap directory
- server which should be queried to locate user account information.
- </para>
-
-
-
- <para>Default : <command>ldap server = localhost</command></para>
- </listitem>
- </varlistentry>
-
-
-
-
<varlistentry>
<term><anchor id="LDAPSSL">ldap ssl (G)</term>
- <listitem><para>This parameter is only available if Samba has been
- configure to include the <command>--with-ldapsam</command> option
- at compile time. This option should be considered experimental and
- under active development.
- </para>
-
<para>
This option is used to define whether or not Samba should
use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap
server</parameter></link>. This is <emphasis>NOT</emphasis> related to
- Samba SSL support which is enabled by specifying the
+ Samba's previous SSL support which was enabled by specifying the
<command>--with-ssl</command> option to the <filename>configure</filename>
- script (see <link linkend="SSL"><parameter>ssl</parameter></link>).
+ script.
</para>
<para>
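Review bot: This hunk deletes the "ldap server" entry and its LDAPSERVER anchor, but the unchanged "ldap ssl" text still contains <link linkend="LDAPSERVER">, which will no longer resolve. Replace that link with plain text or point it at whatever now configures the server; the passdb backend examples on this page carry an LDAP URL, so that entry looks like the natural target. As in the two previous LDAP hunks, the removed first paragraph of "ldap ssl" took the <listitem> opening tag with it.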
@@ -3391,10 +3344,30 @@
<varlistentry>
<term><anchor id="LDAPSUFFIX">ldap suffix (G)</term>
- <listitem><para>This parameter is only available if Samba has been
- configure to include the <command>--with-ldapsam</command> option
- at compile time. This option should be considered experimental and
- under active development.
+ <listitem>
+ <para>Default : <emphasis>none</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPUSERSUFFIX">ldap user suffix (G)</term>
+ <listitem><para>It specifies where users are added to the tree.
+ </para>
+
+
+
+ <para>Default : <emphasis>none</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPSUFFIX">ldap machine suffix (G)</term>
+ <listitem><para>It specifies where machines should be
+ added to the ldap tree.
</para>
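Review bot: The new "ldap machine suffix" entry is declared with <anchor id="LDAPSUFFIX">, which duplicates the id of the "ldap suffix" entry just above it and leaves the index link to LDAPMACHINESUFFIX without a target. Change the id to LDAPMACHINESUFFIX. The rewritten "ldap suffix" entry is also left with only "Default: none" and no description of what the parameter does; add at least one sentence, and say how it relates to the user and machine suffixes.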
@@ -3557,6 +3530,39 @@
<varlistentry>
+ <term><anchor id="LOCKSPINCOUNT">lock spin count (G)</term>
+ <listitem><para>This parameter controls the number of times
+ that smbd should attempt to gain a byte range lock on the
+ behalf of a client request. Experiments have shown that
+ Windows 2k servers do not reply with a failure if the lock
+ could not be immediately granted, but try a few more times
+ in case the lock could later be aquired. This behavior
+ is used to support PC database formats such as MS Access
+ and FoxPro.
+ </para>
+
+ <para>Default: <command>lock spin count = 2</command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCKSPINTIME">lock spin time (G)</term>
+ <listitem><para>The time in microseconds that smbd should
+ pause before attempting to gain a failed lock. See
+ <link linkend="LOCKSPINCOUNT"><parameter>lock spin
+ count</parameter></link> for more details.
+ </para>
+
+ <para>Default: <command>lock spin time = 10</command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
<term><anchor id="LOCKING">locking (S)</term>
<listitem><para>This controls whether or not locking will be
performed by the server in response to lock requests from the
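Review bot: In "lock spin time", the phrase "pause before attempting to gain a failed lock" reads as if the pause precedes the first attempt; "pause before retrying a failed lock request" says what is meant. In "lock spin count", "aquired" should be "acquired".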
@@ -3845,8 +3851,8 @@
takes a printer name as its only parameter and outputs printer
status information.</para>
- <para>Currently eight styles of printer status information
- are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
+ <para>Currently nine styles of printer status information
+ are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
This covers most UNIX systems. You control which type is expected
using the <parameter>printing =</parameter> option.</para>
@@ -3862,7 +3868,10 @@
<para>Note that it is good practice to include the absolute path
in the <parameter>lpq command</parameter> as the <envar>$PATH
- </envar> may not be available to the server.</para>
+ </envar> may not be available to the server. When compiled with
+ the CUPS libraries, no <parameter>lpq command</parameter> is
+ needed because smbd will make a library call to obtain the
+ print queue listing.</para>
<para>See also the <link linkend="PRINTING"><parameter>printing
</parameter></link> parameter.</para>
@@ -4839,6 +4848,23 @@
<varlistentry>
+ <term><anchor id="NTSTATUSSUPPORT">nt status support (G)</term>
+ <listitem><para>This boolean parameter controls whether <ulink
+ url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific status
+ support with Windows NT/2k/XP clients. This is a developer
+ debugging option and should be left alone.
+ If this option is set to <constant>no</constant> then Samba offers
+ exactly the same DOS error codes that versions prior to Samba 2.2.3
+ reported.</para>
+
+ <para>You should not need to ever disable this parameter.</para>
+
+ <para>Default: <command>nt status support = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
<term><anchor id="NULLPASSWORDS">null passwords (G)</term>
<listitem><para>Allow or disallow client access to accounts
that have null passwords. </para>
@@ -5064,10 +5090,10 @@
<varlistentry>
<term><anchor id="PASSDBBACKEND">passdb backend (G)</term>
- <listitem><para>This option allows the administrator to chose what
- backend in which to store passwords. This allows (for example) both
- smbpasswd and tdbsam to be used without a recompile. Only one can
- be used at a time however, and experimental backends must still be selected
+ <listitem><para>This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both
+ smbpasswd and tdbsam to be used without a recompile.
+ Multiple backends can be specified, seperated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.
+ Experimental backends must still be selected
(eg --with-tdbsam) at configure time.
</para>
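Review bot: The added sentence "The backends will be searched in the order they are specified" does not say what happens when the same user name exists in more than one backend. Because this decides which stored password is checked at logon, state the rule explicitly (for example, that the first backend returning the account is used, if that is the behaviour). Also "seperated" should be "separated", and the two very long added lines should be wrapped like the rest of the file.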
@@ -5115,14 +5141,27 @@
<para>Any characters after the (optional) second : are passed to the plugin
for its own processing</para>
</listitem>
-
+
+ <listitem><para><command>unixsam</command> - Allows samba to map all (other) available unix users</para>
+
+ <para>This backend uses the standard unix database for retrieving users. Users included
+ in this pdb are NOT listed in samba user listings and users included in this pdb won't be
+ able to login. The use of this backend is to always be able to display the owner of a file
+ on the samba server - even when the user doesn't have a 'real' samba account in one of the
+ other passdb backends.
+ </para>
+
+ <para>This backend should always be the last backend listed, since it contains all users in
+ the unix passdb and might 'override' mappings if specified earlier. It's meant to only return
+ accounts for users that aren't covered by the previous backends.</para>
+ </listitem>
</itemizedlist>
</para>
- <para>Default: <command>passdb backend = smbpasswd</command></para>
- <para>Example: <command>passdb backend = tdbsam:/etc/samba/private/passdb.tdb</command></para>
- <para>Example: <command>passdb backend = ldapsam_nua:ldaps://ldap.example.com</command></para>
- <para>Example: <command>passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args</command></para>
+ <para>Default: <command>passdb backend = smbpasswd unixsam</command></para>
+ <para>Example: <command>passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam</command></para>
+ <para>Example: <command>passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam</command></para>
+ <para>Example: <command>passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para>
</listitem>
</varlistentry>
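Review bot: The "unixsam" description makes backend ordering a correctness rule ("should always be the last backend listed") but the last example, "plugin:... tdbsam:...", omits unixsam altogether while the new default includes it. Say whether leaving unixsam out is supported and what is lost if it is, and describe what goes wrong when it is listed first rather than only saying it "might 'override' mappings". For consistency with the rest of the page, write "Samba" and "UNIX" rather than "samba" and "unix".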
@@ -5418,6 +5457,18 @@
<varlistentry>
+ <term><anchor id="PIDDIRECTORY">pid directory (G)</term>
+ <listitem><para>This option specifies the directory where pid
+ files will be placed. </para>
+
+ <para>Default: <command>pid directory = ${prefix}/var/locks</command></para>
+ <para>Example: <command>pid directory = /var/run/</command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
<term><anchor id="POSIXLOCKING">posix locking (S)</term>
<listitem><para>The <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
daemon maintains an database of file locks obtained by SMB clients.
@@ -5596,14 +5647,23 @@
manually remove old spool files.</para>
<para>The print command is simply a text string. It will be used
- verbatim, with two exceptions: All occurrences of <parameter>%s
- </parameter> and <parameter>%f</parameter> will be replaced by the
- appropriate spool file name, and all occurrences of <parameter>%p
- </parameter> will be replaced by the appropriate printer name. The
- spool file name is generated automatically by the server. The
- <parameter>%J</parameter> macro can be used to access the job
+ verbatim after macro substitutions have been made:</para>
+
+ <para>s, %p - the path to the spool
+ file name</para>
+
+ <para>%p - the appropriate printer
+ name</para>
+
+ <para>%J - the job
name as transmitted by the client.</para>
+ <para>%c - The number of printed pages
+ of the spooled job (if known).</para>
+
+ <para>%z - the size of the spooled
+ print job (in bytes)</para>
+
<para>The print command <emphasis>MUST</emphasis> contain at least
one occurrence of <parameter>%s</parameter> or <parameter>%f
</parameter> - the <parameter>%p</parameter> is optional. At the time
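Review bot: The first line of the new macro list, "s, %p - the path to the spool file name", has lost the leading "%" and names %p, which the very next line defines as the printer name. From the unchanged sentence below ("at least one occurrence of %s or %f") it should read "%s, %f". The macro names in the new list have also lost the <parameter> markup the old paragraph used.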
@@ -5647,6 +5707,17 @@
<para>For <command>printing = SOFTQ :</command></para>
<para><command>print command = lp -d%p -s %s; rm %s</command></para>
+ <para>For printing = CUPS : If SAMBA is compiled against
+ libcups, then <link linkend="PRINTING">printcap = cups</link>
+ uses the CUPS API to
+ submit jobs, etc. Otherwise it maps to the System V
+ commands with the -oraw option for printing, i.e. it
+ uses <command>lp -c -d%p -oraw; rm %s</command>.
+ With <command>printing = cups</command>,
+ and if SAMBA is compiled against libcups, any manually
+ set print command will be ignored.</para>
+
+
<para>Example: <command>print command = /usr/local/samba/bin/myprintscript
%p %s</command></para>
</listitem>
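Review bot: The fallback command given for CUPS, "lp -c -d%p -oraw; rm %s", never passes %s to lp, unlike the SOFTQ line just above ("lp -d%p -s %s; rm %s") and contrary to the rule earlier in this entry that the print command must contain %s or %f. Check the command and add the spool file argument if it is missing. The link text "printcap = cups" points at the PRINTING anchor and should read "printing = cups". The rest of the page writes "Samba", not "SAMBA".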
@@ -5700,6 +5771,14 @@
linkend="PRINTERSSECT">[printers]</link> section above for reasons
why you might want to do this.</para>
+ <para>To use the CUPS printing interface set <command>printcap name = cups
+ </command>. This should be supplemented by an addtional setting
+ <link linkend="PRINTING">printing = cups</link> in the [global]
+ section. <command>printcap name = cups</command> will use the
+ "dummy" printcap created by CUPS, as specified in your CUPS
+ configuration file.
+ </para>
+
<para>On System V systems that use <command>lpstat</command> to
list available printers you can use <command>printcap name = lpstat
</command> to automatically obtain lists of available printers. This
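Review bot: The added CUPS paragraph says printcap name = cups "should be supplemented by" printing = cups without saying whether the second setting is required for the first to work. State it as a requirement or explain what happens without it. "addtional" should be "additional".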
@@ -6622,6 +6701,33 @@
+ <varlistentry>
+ <term><anchor id="SHAREMODES">share modes (S)</term>
+ <listitem><para>This enables or disables the honoring of
+ the <parameter>share modes</parameter> during a file open. These
+ modes are used by clients to gain exclusive read or write access
+ to a file.</para>
+
+ <para>These open modes are not directly supported by UNIX, so
+ they are simulated using shared memory, or lock files if your
+ UNIX doesn't support shared memory (almost all do).</para>
+
+ <para>The share modes that are enabled by this option are
+ <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>,
+ <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>,
+ <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>.
+ </para>
+
+ <para>This option gives full share compatibility and enabled
+ by default.</para>
+
+ <para>You should <emphasis>NEVER</emphasis> turn this parameter
+ off as many Windows applications will break if you do so.</para>
+
+ <para>Default: <command>share modes = yes</command></para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
@@ -6855,348 +6961,6 @@
</varlistentry>
-
- <varlistentry>
- <term><anchor id="SSL">ssl (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable enables or disables the entire SSL mode. If
- it is set to <constant>no</constant>, the SSL-enabled Samba behaves
- exactly like the non-SSL Samba. If set to <constant>yes</constant>,
- it depends on the variables <link linkend="SSLHOSTS"><parameter>
- ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN">
- <parameter>ssl hosts resign</parameter></link> whether an SSL
- connection will be required.</para>
-
- <para>Default: <command>ssl = no</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable defines where to look up the Certification
- Authorities. The given directory should contain one file for
- each CA that Samba will trust. The file name must be the hash
- value over the "Distinguished Name" of the CA. How this directory
- is set up is explained later in this document. All files within the
- directory that don't fit into this naming scheme are ignored. You
- don't need this variable if you don't verify client certificates.</para>
-
- <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable is a second way to define the trusted CAs.
- The certificates of the trusted CAs are collected in one big
- file and this variable points to the file. You will probably
- only use one of the two ways to define your CAs. The first choice is
- preferable if you have many CAs or want to be flexible, the second
- is preferable if you only have one CA and want to keep things
- simple (you won't need to create the hashed file names). You
- don't need this variable if you don't verify client certificates.</para>
-
- <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable defines the ciphers that should be offered
- during SSL negotiation. You should not set this variable unless
- you know what you are doing.</para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>The certificate in this file is used by <ulink url="smbclient.1.html">
- <command>smbclient(1)</command></ulink> if it exists. It's needed
- if the server requires a client certificate.</para>
-
- <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This is the private key for <ulink url="smbclient.1.html">
- <command>smbclient(1)</command></ulink>. It's only needed if the
- client should have a certificate. </para>
-
- <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable defines whether OpenSSL should be configured
- for bug compatibility with other SSL implementations. This is
- probably not desirable because currently no clients with SSL
- implementations other than OpenSSL exist.</para>
-
- <para>Default: <command>ssl compatibility = no</command></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>
- This option is used to define the location of the communiation socket of
- an EGD or PRNGD daemon, from which entropy can be retrieved. This option
- can be used instead of or together with the <link
- linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link>
- directive. 255 bytes of entropy will be retrieved from the daemon.
- </para>
-
- <para>Default: <emphasis>none</emphasis></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>
- This parameter is used to define the number of bytes which should
- be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy
- file</parameter></link> If a -1 is specified, the entire file will
- be read.
- </para>
-
- <para>Default: <command>ssl entropy bytes = 255</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>
- This parameter is used to specify a file from which processes will
- read "random bytes" on startup. In order to seed the internal pseudo
- random number generator, entropy must be provided. On system with a
- <filename>/dev/urandom</filename> device file, the processes
- will retrieve its entropy from the kernel. On systems without kernel
- entropy support, a file can be supplied that will be read on startup
- and that will be used to seed the PRNG.
- </para>
-
- <para>Default: <emphasis>none</emphasis></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLHOSTS">ssl hosts (G)</term>
- <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter>
- ssl hosts resign</parameter></link>.</para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>These two variables define whether Samba will go
- into SSL mode or not. If none of them is defined, Samba will
- allow only SSL connections. If the <link linkend="SSLHOSTS">
- <parameter>ssl hosts</parameter></link> variable lists
- hosts (by IP-address, IP-address range, net group or name),
- only these hosts will be forced into SSL mode. If the <parameter>
- ssl hosts resign</parameter> variable lists hosts, only these
- hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two
- variables is the same as for the <link linkend="HOSTSALLOW"><parameter>
- hosts allow</parameter></link> and <link linkend="HOSTSDENY">
- <parameter>hosts deny</parameter></link> pair of variables, only
- that the subject of the decision is different: It's not the access
- right but whether SSL is used or not. </para>
-
- <para>The example below requires SSL connections from all hosts
- outside the local net (which is 192.168.*.*).</para>
-
- <para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
- <para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
-
- <para>Example: <command>ssl hosts resign = 192.168.</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>If this variable is set to <constant>yes</constant>, the
- server will not tolerate connections from clients that don't
- have a valid certificate. The directory/file given in <link
- linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter>
- </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile
- </parameter></link> will be used to look up the CAs that issued
- the client's certificate. If the certificate can't be verified
- positively, the connection will be terminated. If this variable
- is set to <constant>no</constant>, clients don't need certificates.
- Contrary to web applications you really <emphasis>should</emphasis>
- require client certificates. In the web environment the client's
- data is sensitive (credit card numbers) and the server must prove
- to be trustworthy. In a file server environment the server's data
- will be sensitive and the clients must prove to be trustworthy.</para>
-
- <para>Default: <command>ssl require clientcert = no</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>If this variable is set to <constant>yes</constant>, the
- <ulink url="smbclient.1.html"><command>smbclient(1)</command>
- </ulink> will request a certificate from the server. Same as
- <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require
- clientcert</parameter></link> for the server.</para>
-
- <para>Default: <command>ssl require servercert = no</command>
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This is the file containing the server's certificate.
- The server <emphasis>must</emphasis> have a certificate. The
- file may also contain the server's private key. See later for
- how certificates and private keys are created.</para>
-
- <para>Default: <command>ssl server cert = &lt;empty string&gt;
- </command></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLSERVERKEY">ssl server key (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This file contains the private key of the server. If
- this variable is not defined, the key is looked up in the
- certificate file (it may be appended to the certificate).
- The server <emphasis>must</emphasis> have a private key
- and the certificate <emphasis>must</emphasis>
- match this private key.</para>
-
- <para>Default: <command>ssl server key = &lt;empty string&gt;
- </command></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLVERSION">ssl version (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This enumeration variable defines the versions of the
- SSL protocol that will be used. <constant>ssl2or3</constant> allows
- dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
- in SSL v2, <constant>ssl3</constant> results in SSL v3 and
- <constant>tls1</constant> results in TLS v1. TLS (Transport Layer
- Security) is the new standard for SSL.</para>
-
- <para>Default: <command>ssl version = "ssl2or3"</command></para>
- </listitem>
- </varlistentry>
-
-
-
<varlistentry>
<term><anchor id="STATCACHE">stat cache (G)</term>
<listitem><para>This parameter determines if <ulink
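Review bot: this removal deletes every ssl anchor (SSL, SSLHOSTS, SSLHOSTSRESIGN, SSLCACERTDIR, SSLCACERTFILE, SSLENTROPYFILE, SSLREQUIRECLIENTCERT and the rest), so any linkend left elsewhere in the file that points to one of these ids will no longer resolve. Please check the rest of the file for remaining references before merging. The deleted entries for "ssl CA certDir" and "ssl server cert" also refer to setup instructions "later in this document"; that later section should go in the same change if it still exists. If the code still accepts these parameters, the defaults documented here ("ssl version = ssl2or3", "ssl require clientcert = no") would become undocumented behaviour, so the commit message should say that the options themselves are gone and not only their documentation.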
@@ -7458,9 +7222,9 @@
<varlistentry>
<term><anchor id="UNIXEXTENSIONS">unix extensions(G)</term>
<listitem><para>This boolean parameter controls whether Samba
- implments the CIFS UNIX extensions, as defined by HP. These
- extensions enable CIFS to server UNIX clients to UNIX servers
- better, and allow such things as symbolic links, hard links etc.
+ implments the CIFS UNIX extensions, as defined by HP.
+ These extensions enable Samba to better serve UNIX CIFS clients
+ by supporting features such as symbolic links, hard links, etc...
These extensions require a similarly enabled client, and are of
no current use to Windows clients.</para>
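Review bot: the rewritten first line still carries the typo "implments" (it should be "implements"), and the new third line ends in "etc...", which should be "etc." or simply dropped after "such as". Since the rest of this patch normalises the scope marker to " (G)" with a leading space, the term "unix extensions(G)" just above could be fixed in the same hunk.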
@@ -7999,7 +7763,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
<varlistentry>
- <term><anchor id="WINBINDCACHETIME">winbind cache time</term>
+ <term><anchor id="WINBINDCACHETIME">winbind cache time (G)</term>
<listitem><para>This parameter specifies the number of seconds the
<ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache
user and group information before querying a Windows NT server
@@ -8011,8 +7775,8 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
<varlistentry>
- <term><anchor id="WINBINDENUMUSERS">winbind enum
- users</term> <listitem><para>On large installations using
+ <term><anchor id="WINBINDENUMUSERS">winbind enum users (G)</term>
+ <listitem><para>On large installations using
<ulink url="winbindd.8.html">winbindd(8)</ulink> it may be
necessary to suppress the enumeration of users through the
<command> setpwent()</command>,
@@ -8033,8 +7797,8 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
</varlistentry>
<varlistentry>
- <term><anchor id="WINBINDENUMGROUPS">winbind enum
- groups</term> <listitem><para>On large installations using
+ <term><anchor id="WINBINDENUMGROUPS">winbind enum groups (G)</term>
+ <listitem><para>On large installations using
<ulink url="winbindd.8.html">winbindd(8)</ulink> it may be
necessary to suppress the enumeration of groups through the
<command> setgrent()</command>,
@@ -8054,7 +7818,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
<varlistentry>
- <term><anchor id="WINBINDGID">winbind gid</term>
+ <term><anchor id="WINBINDGID">winbind gid (G)</term>
<listitem><para>The winbind gid parameter specifies the range of group
ids that are allocated by the <ulink url="winbindd.8.html">
winbindd(8)</ulink> daemon. This range of group ids should have no
@@ -8070,7 +7834,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
<varlistentry>
- <term><anchor id="WINBINDSEPARATOR">winbind separator</term>
+ <term><anchor id="WINBINDSEPARATOR">winbind separator (G)</term>
<listitem><para>This parameter allows an admin to define the character
used when listing a username of the form of <replaceable>DOMAIN
</replaceable>\<replaceable>user</replaceable>. This parameter
@@ -8082,8 +7846,8 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
with group membership at least on glibc systems, as the character +
is used as a special character for NIS in /etc/group.</para>
- <para>Example: <command>winbind separator = \\</command></para>
- <para>Example: <command>winbind separator = /</command></para>
+ <para>Default: <command>winbind separator = '\'</command></para>
+ <para>Example: <command>winbind separator = +</command></para>
</listitem>
</varlistentry>
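Review bot: the new example "winbind separator = +" uses exactly the character that the paragraph directly above warns about ("the character + is used as a special character for NIS in /etc/group", with group membership problems on glibc systems). Either keep an example with a harmless separator such as the removed "winbind separator = /", or say next to the example that it is the case the warning applies to. The new default is written as '\' in quotes while the removed example wrote the backslash as \\; it is worth stating which spelling smb.conf actually expects so readers do not copy the quotes literally.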
@@ -8091,7 +7855,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
<varlistentry>
- <term><anchor id="WINBINDUID">winbind uid</term>
+ <term><anchor id="WINBINDUID">winbind uid (G)</term>
<listitem><para>The winbind gid parameter specifies the range of group
ids that are allocated by the <ulink url="winbindd.8.html">
winbindd(8)</ulink> daemon. This range of ids should have no
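Review bot: the description under the "winbind uid" term still opens with "The winbind gid parameter specifies the range of group ids", which looks copied from the winbind gid entry. Since this hunk already touches the entry, the sentence should be corrected to refer to winbind uid and user ids in the same change.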