summaryrefslogtreecommitdiff
path: root/docs/docbook/manpages
diff options
context:
space:
mode:
Diffstat (limited to 'docs/docbook/manpages')
-rw-r--r--docs/docbook/manpages/findsmb.1.sgml131
-rw-r--r--docs/docbook/manpages/lmhosts.5.sgml114
-rw-r--r--docs/docbook/manpages/make_smbcodepage.1.sgml197
-rw-r--r--docs/docbook/manpages/make_unicodemap.1.sgml172
-rw-r--r--docs/docbook/manpages/net.8.sgml69
-rw-r--r--docs/docbook/manpages/nmbd.8.sgml356
-rw-r--r--docs/docbook/manpages/nmblookup.1.sgml249
-rw-r--r--docs/docbook/manpages/pdbedit.8.sgml290
-rw-r--r--docs/docbook/manpages/rpcclient.1.sgml421
-rw-r--r--docs/docbook/manpages/samba.7.sgml213
-rw-r--r--docs/docbook/manpages/smb.conf.5.sgml8411
-rw-r--r--docs/docbook/manpages/smbcacls.1.sgml255
-rw-r--r--docs/docbook/manpages/smbclient.1.sgml1025
-rw-r--r--docs/docbook/manpages/smbcontrol.1.sgml174
-rw-r--r--docs/docbook/manpages/smbd.8.sgml424
-rw-r--r--docs/docbook/manpages/smbgroupedit.8.sgml267
-rw-r--r--docs/docbook/manpages/smbmnt.8.sgml113
-rw-r--r--docs/docbook/manpages/smbmount.8.sgml327
-rw-r--r--docs/docbook/manpages/smbpasswd.5.sgml204
-rw-r--r--docs/docbook/manpages/smbpasswd.8.sgml389
-rw-r--r--docs/docbook/manpages/smbsh.1.sgml105
-rw-r--r--docs/docbook/manpages/smbspool.8.sgml131
-rw-r--r--docs/docbook/manpages/smbstatus.1.sgml152
-rw-r--r--docs/docbook/manpages/smbtar.1.sgml226
-rw-r--r--docs/docbook/manpages/smbumount.8.sgml73
-rw-r--r--docs/docbook/manpages/swat.8.sgml209
-rw-r--r--docs/docbook/manpages/testparm.1.sgml168
-rw-r--r--docs/docbook/manpages/testprns.1.sgml143
-rw-r--r--docs/docbook/manpages/wbinfo.1.sgml201
-rw-r--r--docs/docbook/manpages/winbindd.8.sgml514
30 files changed, 15723 insertions, 0 deletions
diff --git a/docs/docbook/manpages/findsmb.1.sgml b/docs/docbook/manpages/findsmb.1.sgml
new file mode 100644
index 0000000000..d8f436c4a1
--- /dev/null
+++ b/docs/docbook/manpages/findsmb.1.sgml
@@ -0,0 +1,131 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="findsmb">
+
+<refmeta>
+ <refentrytitle>findsmb</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>findsmb</refname>
+ <refpurpose>list info about machines that respond to SMB
+ name queries on a subnet</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>findsmb</command>
+ <arg choice="opt">subnet broadcast address</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This perl script is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>findsmb</command> is a perl script that
+ prints out several pieces of information about machines
+ on a subnet that respond to SMB name query requests.
+ It uses <ulink url="nmblookup.1.html"><command>
+ nmblookup(1)</command></ulink> and <ulink url="smbclient.1.html">
+ <command>smbclient(1)</command></ulink> to obtain this information.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>subnet broadcast address</term>
+ <listitem><para>Without this option, <command>findsmb
+ </command> will probe the subnet of the machine where
+ <command>findsmb</command> is run. This value is passed
+ to <command>nmblookup</command> as part of the
+ <constant>-B</constant> option</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>The output of <command>findsmb</command> lists the following
+ information for all machines that respond to the initial
+ <command>nmblookup</command> for any name: IP address, NetBIOS name,
+ Workgroup name, operating system, and SMB server version.</para>
+
+ <para>There will be a '+' in front of the workgroup name for
+ machines that are local master browsers for that workgroup. There
+ will be an '*' in front of the workgroup name for
+ machines that are the domain master browser for that workgroup.
+ Machines that are running Windows, Windows 95 or Windows 98 will
+ not show any information about the operating system or server
+ version.</para>
+
+ <para>The command must be run on a system without <ulink
+ url="nmbd.8.html"><command>nmbd</command></ulink> running.
+ If <command>nmbd</command> is running on the system, you will
+ only get the IP address and the DNS name of the machine. To
+ get proper responses from Windows 95 and Windows 98 machines,
+ the command must be run as root. </para>
+
+ <para>For example running <command>findsmb</command> on a machine
+ without <command>nmbd</command> running would yield output similar
+ to the following</para>
+
+ <screen><computeroutput>
+IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
+---------------------------------------------------------------------
+192.168.35.10 MINESET-TEST1 [DMVENGR]
+192.168.35.55 LINUXBOX *[MYGROUP] [Unix] [Samba 2.0.6]
+192.168.35.56 HERBNT2 [HERB-NT]
+192.168.35.63 GANDALF [MVENGR] [Unix] [Samba 2.0.5a for IRIX]
+192.168.35.65 SAUNA [WORKGROUP] [Unix] [Samba 1.9.18p10]
+192.168.35.71 FROGSTAR [ENGR] [Unix] [Samba 2.0.0 for IRIX]
+192.168.35.78 HERBDHCP1 +[HERB]
+192.168.35.88 SCNT2 +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0]
+192.168.35.93 FROGSTAR-PC [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager]
+192.168.35.97 HERBNT1 *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0]
+ </computeroutput></screen>
+
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
+ <ulink url="smbclient.1.html"><command>smbclient(1)
+ </command></ulink>, and <ulink url="nmblookup.1.html">
+ <command>nmblookup(1)</command></ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/lmhosts.5.sgml b/docs/docbook/manpages/lmhosts.5.sgml
new file mode 100644
index 0000000000..7934c18e8e
--- /dev/null
+++ b/docs/docbook/manpages/lmhosts.5.sgml
@@ -0,0 +1,114 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="lmhosts">
+
+<refmeta>
+ <refentrytitle>lmhosts</refentrytitle>
+ <manvolnum>5</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>lmhosts</refname>
+ <refpurpose>The Samba NetBIOS hosts file</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <para><filename>lmhosts</filename> is the <ulink url="samba.7.html">
+ Samba</ulink> NetBIOS name to IP address mapping file.</para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This file is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><filename>lmhosts</filename> is the <emphasis>Samba
+ </emphasis> NetBIOS name to IP address mapping file. It
+ is very similar to the <filename>/etc/hosts</filename> file
+ format, except that the hostname component must correspond
+ to the NetBIOS naming format.</para>
+</refsect1>
+
+<refsect1>
+ <title>FILE FORMAT</title>
+ <para>It is an ASCII file containing one line for NetBIOS name.
+ The two fields on each line are separated from each other by
+ white space. Any entry beginning with '#' is ignored. Each line
+ in the lmhosts file contains the following information :</para>
+
+ <itemizedlist>
+ <listitem><para>IP Address - in dotted decimal format.</para>
+ </listitem>
+
+ <listitem><para>NetBIOS Name - This name format is a
+ maximum fifteen character host name, with an optional
+ trailing '#' character followed by the NetBIOS name type
+ as two hexadecimal digits.</para>
+
+ <para>If the trailing '#' is omitted then the given IP
+ address will be returned for all names that match the given
+ name, whatever the NetBIOS name type in the lookup.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>An example follows :</para>
+
+ <para><programlisting>
+#
+# Sample Samba lmhosts file.
+#
+192.9.200.1 TESTPC
+192.9.200.20 NTSERVER#20
+192.9.200.21 SAMBASERVER
+ </programlisting></para>
+
+ <para>Contains three IP to NetBIOS name mappings. The first
+ and third will be returned for any queries for the names "TESTPC"
+ and "SAMBASERVER" respectively, whatever the type component of
+ the NetBIOS name requested.</para>
+
+ <para>The second mapping will be returned only when the "0x20" name
+ type for a name "NTSERVER" is queried. Any other name type will not
+ be resolved.</para>
+
+ <para>The default location of the <filename>lmhosts</filename> file
+ is in the same directory as the <ulink url="smb.conf.5.html">
+ smb.conf(5)></ulink> file.</para>
+
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbclient.1.html"><command>smbclient(1)
+ </command></ulink>, <ulink url="smb.conf.5.html#NAMERESOLVEORDER">
+ smb.conf(5)</ulink>, and <ulink url="smbpasswd.8.html"><command>
+ smbpasswd(8)</command></ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/make_smbcodepage.1.sgml b/docs/docbook/manpages/make_smbcodepage.1.sgml
new file mode 100644
index 0000000000..a36f9b968c
--- /dev/null
+++ b/docs/docbook/manpages/make_smbcodepage.1.sgml
@@ -0,0 +1,197 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="make-smbcodepage">
+
+<refmeta>
+ <refentrytitle>make_smbcodepage</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>make_smbcodepage</refname>
+ <refpurpose>construct a codepage file for Samba</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>make_smbcodepage</command>
+ <arg choice="req">c|d</arg>
+ <arg choice="req">codepage</arg>
+ <arg choice="req">inputfile</arg>
+ <arg choice="req">outputfile</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>make_smbcodepage</command> compiles or de-compiles
+ codepage files for use with the internationalization features
+ of Samba 2.2</para>
+</refsect1>
+
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>c|d</term>
+ <listitem><para>This tells <command>make_smbcodepage</command>
+ if it is compiling (<parameter>c</parameter>) a text format code
+ page file to binary, or (<parameter>d</parameter>) de-compiling
+ a binary codepage file to text. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>codepage</term>
+ <listitem><para>This is the codepage we are processing (a
+ number, e.g. 850). </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>inputfile</term>
+ <listitem><para>This is the input file to process. In
+ the <parameter>c</parameter> case this will be a text
+ codepage definition file such as the ones found in the Samba
+ <filename>source/codepages</filename> directory. In
+ the <parameter>d</parameter> case this will be the
+ binary format codepage definition file normally found in
+ the <filename>lib/codepages</filename> directory in the
+ Samba install directory path.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>outputfile</term>
+ <listitem><para>This is the output file to produce.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>Samba Codepage Files</title>
+
+ <para>A text Samba codepage definition file is a description
+ that tells Samba how to map from upper to lower case for
+ characters greater than ascii 127 in the specified DOS code page.
+ Note that for certain DOS codepages (437 for example) mapping
+ from lower to upper case may be non-symmetrical. For example, in
+ code page 437 lower case a acute maps to a plain upper case A
+ when going from lower to upper case, but plain upper case A maps
+ to plain lower case a when lower casing a character. </para>
+
+ <para>A binary Samba codepage definition file is a binary
+ representation of the same information, including a value that
+ specifies what codepage this file is describing. </para>
+
+ <para>As Samba does not yet use UNICODE (current for Samba version 2.2)
+ you must specify the client code page that your DOS and Windows
+ clients are using if you wish to have case insensitivity done
+ correctly for your particular language. The default codepage Samba
+ uses is 850 (Western European). Text codepage definition sample files
+ are provided in the Samba distribution for codepages 437 (USA), 737 (Greek),
+ 850 (Western European) 852 (MS-DOS Latin 2), 861 (Icelandic), 866 (Cyrillic),
+ 932 (Kanji SJIS), 936 (Simplified Chinese), 949 (Hangul) and 950 (Traditional
+ Chinese). Users are encouraged to write text codepage definition files for
+ their own code pages and donate them to samba@samba.org. All codepage files
+ in the Samba <filename>source/codepages</filename> directory are
+ compiled and installed when a <command>'make install'</command>
+ command is issued there. </para>
+
+ <para>The client codepage used by the <command>smbd</command> server
+ is configured using the <command>client code page</command> parameter
+ in the <command>smb.conf</command> file. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>Files</title>
+
+ <para><command>codepage_def.&lt;codepage&gt;</command></para>
+
+ <para>These are the input (text) codepage files provided in the
+ Samba <filename>source/codepages</filename> directory.</para>
+
+ <para>A text codepage definition file consists of multiple lines
+ containing four fields. These fields are:</para>
+
+ <itemizedlist>
+ <listitem><para><command>lower</command>: which is the
+ (hex) lower case character mapped on this line.</para>
+ </listitem>
+
+ <listitem><para><command>upper</command>: which is the (hex)
+ upper case character that the lower case character will map to.
+ </para></listitem>
+
+ <listitem><para><command>map upper to lower</command> which
+ is a boolean value (put either True or False here) which tells
+ Samba if it is to map the given upper case character to the
+ given lower case character when lower casing a filename.
+ </para></listitem>
+
+ <listitem><para><command>map lower to upper</command> which
+ is a boolean value (put either True or False here) which tells
+ Samba if it is to map the given lower case character to the
+ given upper case character when upper casing a filename.
+ </para></listitem>
+ </itemizedlist>
+
+
+ <para><command>codepage.&lt;codepage&gt;</command> - These are the
+ output (binary) codepage files produced and placed in the Samba
+ destination <filename>lib/codepage</filename> directory. </para>
+</refsect1>
+
+<refsect1>
+ <title>Installation</title>
+
+ <para>The location of the server and its support files is a
+ matter for individual system administrators. The following are
+ thus suggestions only. </para>
+
+ <para>It is recommended that the <command>make_smbcodepage
+ </command> program be installed under the <filename>/usr/local/samba
+ </filename> hierarchy, in a directory readable by all, writeable
+ only by root. The program itself should be executable by all. The
+ program should NOT be setuid or setgid! </para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/make_unicodemap.1.sgml b/docs/docbook/manpages/make_unicodemap.1.sgml
new file mode 100644
index 0000000000..5e7292341b
--- /dev/null
+++ b/docs/docbook/manpages/make_unicodemap.1.sgml
@@ -0,0 +1,172 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="make-unicodemap">
+
+<refmeta>
+ <refentrytitle>make_unicodemap</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>make_unicodemap</refname>
+ <refpurpose>construct a unicode map file for Samba</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>make_unicodemap</command>
+ <arg choice="req">codepage</arg>
+ <arg choice="req">inputfile</arg>
+ <arg choice="req">outputfile</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>
+ This tool is part of the <ulink url="samba.7.html">Samba</ulink>
+ suite.
+ </para>
+
+ <para>
+ <command>make_unicodemap</command> compiles text unicode map
+ files into binary unicode map files for use with the
+ internationalization features of Samba 2.2.
+ </para>
+</refsect1>
+
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>codepage</term>
+ <listitem><para>This is the codepage or UNIX character
+ set we are processing (a number, e.g. 850).
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>inputfile</term>
+ <listitem><para>This is the input file to process. This is a
+ text unicode map file such as the ones found in the Samba
+ <filename>source/codepages</filename> directory.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>outputfile</term>
+ <listitem><para>This is the binary output file to produce.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>Samba Unicode Map Files</title>
+
+ <para>
+ A text Samba unicode map file is a description that tells Samba
+ how to map characters from a specified DOS code page or UNIX character
+ set to 16 bit unicode.
+ </para>
+
+ <para>A binary Samba unicode map file is a binary representation
+ of the same information, including a value that specifies what
+ codepage or UNIX character set this file is describing.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>Files</title>
+
+ <para><filename>CP&lt;codepage&gt;.TXT</filename></para>
+
+ <para>
+ These are the input (text) unicode map files provided
+ in the Samba <filename>source/codepages</filename>
+ directory.
+ </para>
+
+ <para>
+ A text unicode map file consists of multiple lines
+ containing two fields. These fields are :
+ </para>
+
+ <itemizedlist>
+ <listitem><para><parameter>character</parameter> - which is
+ the (hex) character mapped on this line.
+ </para></listitem>
+
+ <listitem><para><parameter>unicode</parameter> - which
+ is the (hex) 16 bit unicode character that the character
+ will map to.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ <filename>unicode_map.&lt;codepage&gt;</filename> - These are
+ the output (binary) unicode map files produced and placed in
+ the Samba destination <filename>lib/codepage</filename>
+ directory.
+ </para>
+</refsect1>
+
+
+<refsect1>
+ <title>Installation</title>
+
+ <para>
+ The location of the server and its support files is a matter
+ for individual system administrators. The following are thus
+ suggestions only.
+ </para>
+
+ <para>
+ It is recommended that the <command>make_unicodemap</command>
+ program be installed under the
+ <filename>$prefix/samba</filename> hierarchy,
+ in a directory readable by all, writeable only by root. The
+ program itself should be executable by all. The program
+ should NOT be setuid or setgid!
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/net.8.sgml b/docs/docbook/manpages/net.8.sgml
new file mode 100644
index 0000000000..5b822ccfe6
--- /dev/null
+++ b/docs/docbook/manpages/net.8.sgml
@@ -0,0 +1,69 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="net">
+
+<refmeta>
+ <refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>net</refname>
+ <refpurpose>Tool for administration of Samba and remote
+ CIFS servers.</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>net</command>
+ <arg choice="req">&lt;ads|rap|rpc&gt;</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <para></para>
+
+</refsect1>
+
+
+<refsect1>
+ <title>COMMANDS</title>
+
+
+ <para></para>
+
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is incomplete for version 3.0 of the Samba
+ suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The current set of manpages and documentation is maintained
+ by the Samba Team in the same fashion as the Samba source code.</para>
+
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/nmbd.8.sgml b/docs/docbook/manpages/nmbd.8.sgml
new file mode 100644
index 0000000000..46f36834df
--- /dev/null
+++ b/docs/docbook/manpages/nmbd.8.sgml
@@ -0,0 +1,356 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="nmbd">
+
+<refmeta>
+ <refentrytitle>nmbd</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>nmbd</refname>
+ <refpurpose>NetBIOS name server to provide NetBIOS
+ over IP naming services to clients</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nmbd</command>
+ <arg choice="opt">-D</arg>
+ <arg choice="opt">-a</arg>
+ <arg choice="opt">-i</arg>
+ <arg choice="opt">-o</arg>
+ <arg choice="opt">-P</arg>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-V</arg>
+ <arg choice="opt">-d &lt;debug level&gt;</arg>
+ <arg choice="opt">-H &lt;lmhosts file&gt;</arg>
+ <arg choice="opt">-l &lt;log directory&gt;</arg>
+ <arg choice="opt">-n &lt;primary netbios name&gt;</arg>
+ <arg choice="opt">-p &lt;port number&gt;</arg>
+ <arg choice="opt">-s &lt;configuration file&gt;</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+ <para>This program is part of the Samba suite.</para>
+
+ <para><command>nmbd</command> is a server that understands
+ and can reply to NetBIOS over IP name service requests, like
+ those produced by SMB/CIFS clients such as Windows 95/98/ME,
+ Windows NT, Windows 2000, and LanManager clients. It also
+ participates in the browsing protocols which make up the
+ Windows "Network Neighborhood" view.</para>
+
+ <para>SMB/CIFS clients, when they start up, may wish to
+ locate an SMB/CIFS server. That is, they wish to know what
+ IP number a specified host is using.</para>
+
+ <para>Amongst other services, <command>nmbd</command> will
+ listen for such requests, and if its own NetBIOS name is
+ specified it will respond with the IP number of the host it
+ is running on. Its "own NetBIOS name" is by
+ default the primary DNS name of the host it is running on,
+ but this can be overridden with the <emphasis>-n</emphasis>
+ option (see OPTIONS below). Thus <command>nmbd</command> will
+ reply to broadcast queries for its own name(s). Additional
+ names for <command>nmbd</command> to respond on can be set
+ via parameters in the <ulink url="smb.conf.5.html"><filename>
+ smb.conf(5)</filename></ulink> configuration file.</para>
+
+ <para><command>nmbd</command> can also be used as a WINS
+ (Windows Internet Name Server) server. What this basically means
+ is that it will act as a WINS database server, creating a
+ database from name registration requests that it receives and
+ replying to queries from clients for these names.</para>
+
+ <para>In addition, <command>nmbd</command> can act as a WINS
+ proxy, relaying broadcast queries from clients that do
+ not understand how to talk the WINS protocol to a WIN
+ server.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-D</term>
+ <listitem><para>If specified, this parameter causes
+ <command>nmbd</command> to operate as a daemon. That is,
+ it detaches itself and runs in the background, fielding
+ requests on the appropriate port. By default, <command>nmbd</command>
+ will operate as a daemon if launched from a command shell.
+ nmbd can also be operated from the <command>inetd</command>
+ meta-daemon, although this is not recommended.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-a</term>
+ <listitem><para>If this parameter is specified, each new
+ connection will append log messages to the log file.
+ This is the default.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i</term>
+ <listitem><para>If this parameter is specified it causes the
+ server to run "interactively", not as a daemon, even if the
+ server is executed on the command line of a shell. Setting this
+ parameter negates the implicit deamon mode when run from the
+ command line.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-o</term>
+ <listitem><para>If this parameter is specified, the
+ log files will be overwritten when opened. By default,
+ <command>smbd</command> will append entries to the log
+ files.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem><para>Prints the help information (usage)
+ for <command>nmbd</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-H &lt;filename&gt;</term>
+ <listitem><para>NetBIOS lmhosts file. The lmhosts
+ file is a list of NetBIOS names to IP addresses that
+ is loaded by the nmbd server and used via the name
+ resolution mechanism <ulink url="smb.conf.5.html#nameresolveorder">
+ name resolve order</ulink> described in <ulink
+ url="smb.conf.5.html"> <filename>smb.conf(5)</filename></ulink>
+ to resolve any NetBIOS name queries needed by the server. Note
+ that the contents of this file are <emphasis>NOT</emphasis>
+ used by <command>nmbd</command> to answer any name queries.
+ Adding a line to this file affects name NetBIOS resolution
+ from this host <emphasis>ONLY</emphasis>.</para>
+
+ <para>The default path to this file is compiled into
+ Samba as part of the build process. Common defaults
+ are <filename>/usr/local/samba/lib/lmhosts</filename>,
+ <filename>/usr/samba/lib/lmhosts</filename> or
+ <filename>/etc/lmhosts</filename>. See the <ulink url="lmhosts.5.html">
+ <filename>lmhosts(5)</filename></ulink> man page for details on the
+ contents of this file.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-V</term>
+ <listitem><para>Prints the version number for
+ <command>nmbd</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d &lt;debug level&gt;</term>
+ <listitem><para>debuglevel is an integer
+ from 0 to 10. The default value if this parameter is
+ not specified is zero.</para>
+
+ <para>The higher this value, the more detail will
+ be logged to the log files about the activities of the
+ server. At level 0, only critical errors and serious
+ warnings will be logged. Level 1 is a reasonable level for
+ day to day running - it generates a small amount of
+ information about operations carried out.</para>
+
+ <para>Levels above 1 will generate considerable amounts
+ of log data, and should only be used when investigating
+ a problem. Levels above 3 are designed for use only by developers
+ and generate HUGE amounts of log data, most of which is extremely
+ cryptic.</para>
+
+ <para>Note that specifying this parameter here will override
+ the <ulink url="smb.conf.5.html#loglevel">log level</ulink>
+ parameter in the <ulink url="smb.conf.5.html"><filename>
+ smb.conf</filename></ulink> file.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l &lt;log directory&gt;</term>
+ <listitem><para>The -l parameter specifies a directory
+ into which the "log.nmbd" log file will be created
+ for operational data from the running
+ <command>nmbd</command> server.</para>
+
+ <para>The default log directory is compiled into Samba
+ as part of the build process. Common defaults are <filename>
+ /usr/local/samba/var/log.nmb</filename>, <filename>
+ /usr/samba/var/log.nmb</filename> or
+ <filename>/var/log/log.nmb</filename>.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-n &lt;primary NetBIOS name&gt;</term>
+ <listitem><para>This option allows you to override
+ the NetBIOS name that Samba uses for itself. This is identical
+ to setting the <ulink url="smb.conf.5.html#netbiosname">
+ NetBIOS name</ulink> parameter in the <ulink url="smb.conf.5.html">
+ <filename>smb.conf</filename></ulink> file. However, a command
+ line setting will take precedence over settings in
+ <filename>smb.conf</filename>.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-p &lt;UDP port number&gt;</term>
+ <listitem><para>UDP port number is a positive integer value.
+ This option changes the default UDP port number (normally 137)
+ that <command>nmbd</command> responds to name queries on. Don't
+ use this option unless you are an expert, in which case you
+ won't need help!</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s &lt;configuration file&gt;</term>
+ <listitem><para>The default configuration file name
+ is set at build time, typically as <filename>
+ /usr/local/samba/lib/smb.conf</filename>, but
+ this may be changed when Samba is autoconfigured.</para>
+
+ <para>The file specified contains the configuration details
+ required by the server. See <ulink url="smb.conf.5.html">
+ <filename>smb.conf(5)</filename></ulink> for more information.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/inetd.conf</filename></term>
+ <listitem><para>If the server is to be run by the
+ <command>inetd</command> meta-daemon, this file
+ must contain suitable startup information for the
+ meta-daemon. See the <ulink
+ url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink> document
+ for details.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/rc</filename></term>
+ <listitem><para>or whatever initialization script your
+ system uses).</para>
+
+ <para>If running the server as a daemon at startup,
+ this file will need to contain an appropriate startup
+ sequence for the server. See the <ulink
+ url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink> document
+ for details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/services</filename></term>
+ <listitem><para>If running the server via the
+ meta-daemon <command>inetd</command>, this file
+ must contain a mapping of service name (e.g., netbios-ssn)
+ to service port (e.g., 139) and protocol type (e.g., tcp).
+ See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
+ document for details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/usr/local/samba/lib/smb.conf</filename></term>
+ <listitem><para>This is the default location of the
+ <ulink url="smb.conf.5.html"><filename>smb.conf</filename></ulink>
+ server configuration file. Other common places that systems
+ install this file are <filename>/usr/samba/lib/smb.conf</filename>
+ and <filename>/etc/smb.conf</filename>.</para>
+
+ <para>When run as a WINS server (see the
+ <ulink url="smb.conf.5.html#WINSSUPPORT">wins support</ulink>
+ parameter in the <filename>smb.conf(5)</filename> man page),
+ <command>nmbd</command>
+ will store the WINS database in the file <filename>wins.dat</filename>
+ in the <filename>var/locks</filename> directory configured under
+ wherever Samba was configured to install itself.</para>
+
+ <para>If <command>nmbd</command> is acting as a <emphasis>
+ browse master</emphasis> (see the <ulink
+ url="smb.conf.5.html#LOCALMASTER">local master</ulink>
+ parameter in the <filename>smb.conf(5)</filename> man page,
+ <command>nmbd</command>
+ will store the browsing database in the file <filename>browse.dat
+ </filename> in the <filename>var/locks</filename> directory
+ configured under wherever Samba was configured to install itself.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>SIGNALS</title>
+
+ <para>To shut down an <command>nmbd</command> process it is recommended
+ that SIGKILL (-9) <emphasis>NOT</emphasis> be used, except as a last
+ resort, as this may leave the name database in an inconsistent state.
+ The correct way to terminate <command>nmbd</command> is to send it
+ a SIGTERM (-15) signal and wait for it to die on its own.</para>
+
+ <para><command>nmbd</command> will accept SIGHUP, which will cause
+ it to dump out its namelists into the file <filename>namelist.debug
+ </filename> in the <filename>/usr/local/samba/var/locks</filename>
+ directory (or the <filename>var/locks</filename> directory configured
+ under wherever Samba was configured to install itself). This will also
+ cause <command>nmbd</command> to dump out its server database in
+ the <filename>log.nmb</filename> file.</para>
+
+ <para>The debug log level of nmbd may be raised or lowered using
+ <ulink url="smbcontrol.1.html"><command>smbcontrol(1)</command>
+ </ulink> (SIGUSR[1|2] signals are no longer used in Samba 2.2). This is
+ to allow transient problems to be diagnosed, whilst still running
+ at a normally low log level.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><command>inetd(8)</command>, <ulink
+ url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+ </ulink>, <ulink url="smbclient.1.html"><command>smbclient(1)
+ </command></ulink>, <ulink url="testparm.1.html"><command>
+ testparm(1)</command></ulink>, <ulink url="testprns.1.html">
+ <command>testprns(1)</command></ulink>, and the Internet RFC's
+ <filename>rfc1001.txt</filename>, <filename>rfc1002.txt</filename>.
+ In addition the CIFS (formerly SMB) specification is available
+ as a link from the Web page <ulink url="http://samba.org/cifs/">
+ http://samba.org/cifs/</ulink>.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/nmblookup.1.sgml b/docs/docbook/manpages/nmblookup.1.sgml
new file mode 100644
index 0000000000..67efac5634
--- /dev/null
+++ b/docs/docbook/manpages/nmblookup.1.sgml
@@ -0,0 +1,249 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="nmblookup">
+
+<refmeta>
+ <refentrytitle>nmblookup</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>nmblookup</refname>
+ <refpurpose>NetBIOS over TCP/IP client used to lookup NetBIOS
+ names</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nmblookup</command>
+ <arg choice="opt">-M</arg>
+ <arg choice="opt">-R</arg>
+ <arg choice="opt">-S</arg>
+ <arg choice="opt">-r</arg>
+ <arg choice="opt">-A</arg>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-B &lt;broadcast address&gt;</arg>
+ <arg choice="opt">-U &lt;unicast address&gt;</arg>
+ <arg choice="opt">-d &lt;debug level&gt;</arg>
+ <arg choice="opt">-s &lt;smb config file&gt;</arg>
+ <arg choice="opt">-i &lt;NetBIOS scope&gt;</arg>
+ <arg choice="opt">-T</arg>
+ <arg choice="req">name</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>nmblookup</command> is used to query NetBIOS names
+ and map them to IP addresses in a network using NetBIOS over TCP/IP
+ queries. The options allow the name queries to be directed at a
+ particular IP broadcast area or to a particular machine. All queries
+ are done over UDP.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-M</term>
+ <listitem><para>Searches for a master browser by looking
+ up the NetBIOS name <replaceable>name</replaceable> with a
+ type of <constant>0x1d</constant>. If <replaceable>
+ name</replaceable> is "-" then it does a lookup on the special name
+ <constant>__MSBROWSE__</constant>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R</term>
+ <listitem><para>Set the recursion desired bit in the packet
+ to do a recursive lookup. This is used when sending a name
+ query to a machine running a WINS server and the user wishes
+ to query the names in the WINS server. If this bit is unset
+ the normal (broadcast responding) NetBIOS processing code
+ on a machine is used instead. See rfc1001, rfc1002 for details.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-S</term>
+ <listitem><para>Once the name query has returned an IP
+ address then do a node status query as well. A node status
+ query returns the NetBIOS names registered by a host.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem><para>Try and bind to UDP port 137 to send and receive UDP
+ datagrams. The reason for this option is a bug in Windows 95
+ where it ignores the source port of the requesting packet
+ and only replies to UDP port 137. Unfortunately, on most UNIX
+ systems root privilege is needed to bind to this port, and
+ in addition, if the <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ daemon is running on this machine it also binds to this port.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-A</term>
+ <listitem><para>Interpret <replaceable>name</replaceable> as
+ an IP Address and do a node status query on this address.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem><para>Print a help (usage) message.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-B &lt;broadcast address&gt;</term>
+ <listitem><para>Send the query to the given broadcast address. Without
+ this option the default behavior of nmblookup is to send the
+ query to the broadcast address of the network interfaces as
+ either auto-detected or defined in the <ulink
+ url="smb.conf.5.html#INTERFACES"><parameter>interfaces</parameter>
+ </ulink> parameter of the <filename>smb.conf (5)</filename> file.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-U &lt;unicast address&gt;</term>
+ <listitem><para>Do a unicast query to the specified address or
+ host <replaceable>unicast address</replaceable>. This option
+ (along with the <parameter>-R</parameter> option) is needed to
+ query a WINS server.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-d &lt;debuglevel&gt;</term>
+ <listitem><para>debuglevel is an integer from 0 to 10.</para>
+
+ <para>The default value if this parameter is not specified
+ is zero.</para>
+
+ <para>The higher this value, the more detail will be logged
+ about the activities of <command>nmblookup</command>. At level
+ 0, only critical errors and serious warnings will be logged.</para>
+
+ <para>Levels above 1 will generate considerable amounts of
+ log data, and should only be used when investigating a problem.
+ Levels above 3 are designed for use only by developers and
+ generate HUGE amounts of data, most of which is extremely cryptic.</para>
+
+ <para>Note that specifying this parameter here will override
+ the <ulink url="smb.conf.5.html#LOGLEVEL"><parameter>
+ log level</parameter></ulink> parameter in the <filename>
+ smb.conf(5)</filename> file.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s &lt;smb.conf&gt;</term>
+ <listitem><para>This parameter specifies the pathname to
+ the Samba configuration file, <ulink url="smb.conf.5.html">
+ smb.conf(5)</ulink>. This file controls all aspects of
+ the Samba setup on the machine.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i &lt;scope&gt;</term>
+ <listitem><para>This specifies a NetBIOS scope that
+ <command>nmblookup</command> will use to communicate with when
+ generating NetBIOS names. For details on the use of NetBIOS
+ scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are
+ <emphasis>very</emphasis> rarely used, only set this parameter
+ if you are the system administrator in charge of all the
+ NetBIOS systems you communicate with.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-T</term>
+ <listitem><para>This causes any IP addresses found in the
+ lookup to be looked up via a reverse DNS lookup into a
+ DNS name, and printed out before each</para>
+
+ <para><emphasis>IP address .... NetBIOS name</emphasis></para>
+
+ <para> pair that is the normal output.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>name</term>
+ <listitem><para>This is the NetBIOS name being queried. Depending
+ upon the previous options this may be a NetBIOS name or IP address.
+ If a NetBIOS name then the different name types may be specified
+ by appending '#&lt;type&gt' to the name. This name may also be
+ '*', which will return all registered names within a broadcast
+ area.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para><command>nmblookup</command> can be used to query
+ a WINS server (in the same way <command>nslookup</command> is
+ used to query DNS servers). To query a WINS server,
+ <command>nmblookup</command> must be called like this:</para>
+
+ <para><command>nmblookup -U server -R 'name'</command></para>
+
+ <para>For example, running :</para>
+
+ <para><command>nmblookup -U samba.org -R 'IRIX#1B'</command></para>
+
+ <para>would query the WINS server samba.org for the domain
+ master browser (1B name type) for the IRIX workgroup.</para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
+ <ulink url="samba.7.html">samba(7)</ulink>, and <ulink
+ url="smb.conf.5.html">smb.conf(5)</ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/pdbedit.8.sgml b/docs/docbook/manpages/pdbedit.8.sgml
new file mode 100644
index 0000000000..eeb1fb0d2c
--- /dev/null
+++ b/docs/docbook/manpages/pdbedit.8.sgml
@@ -0,0 +1,290 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="pdbedit">
+
+<refmeta>
+ <refentrytitle>pdbedit</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>pdbedit</refname>
+ <refpurpose>manage the SAM database</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>pdbedit</command>
+ <arg choice="opt">-l</arg>
+ <arg choice="opt">-v</arg>
+ <arg choice="opt">-w</arg>
+ <arg choice="opt">-u username</arg>
+ <arg choice="opt">-f fullname</arg>
+ <arg choice="opt">-h homedir</arg>
+ <arg choice="opt">-d drive</arg>
+ <arg choice="opt">-s script</arg>
+ <arg choice="opt">-p profile</arg>
+ <arg choice="opt">-a</arg>
+ <arg choice="opt">-m</arg>
+ <arg choice="opt">-x</arg>
+ <arg choice="opt">-i file</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para>The pdbedit program is used to manage the users accounts
+ stored in the sam database and can be run only by root.</para>
+
+ <para>The pdbedit tool use the passdb modular interface and is
+ independent from the kind of users database used (currently there
+ are smbpasswd, ldap, nis+ and tdb based and more can be addedd
+ without changing the tool).</para>
+
+ <para>There are five main ways to use pdbedit: adding a user account,
+ removing a user account, modifing a user account, listing user
+ accounts, importing users accounts.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-l</term>
+ <listitem><para>This option list all the user accounts
+ present in the users database.
+ This option prints a list of user/uid pairs separated by
+ the ':' character.</para>
+
+ <para>Example: <command>pdbedit -l</command></para>
+ <para><programlisting>
+ sorce:500:Simo Sorce
+ samba:45:Test User
+ </programlisting></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem><para>This option sets the verbose listing format.
+ It will make pdbedit list the users in the database printing
+ out the account fields in a descriptive format.</para>
+
+ <para>Example: <command>pdbedit -l -v</command></para>
+ <para><programlisting>
+ ---------------
+ username: sorce
+ user ID/Group: 500/500
+ user RID/GRID: 2000/2001
+ Full Name: Simo Sorce
+ Home Directory: \\BERSERKER\sorce
+ HomeDir Drive: H:
+ Logon Script: \\BERSERKER\netlogon\sorce.bat
+ Profile Path: \\BERSERKER\profile
+ ---------------
+ username: samba
+ user ID/Group: 45/45
+ user RID/GRID: 1090/1091
+ Full Name: Test User
+ Home Directory: \\BERSERKER\samba
+ HomeDir Drive:
+ Logon Script:
+ Profile Path: \\BERSERKER\profile
+ </programlisting></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-w</term>
+ <listitem><para>This option sets the "smbpasswd" listing format.
+ It will make pdbedit list the users in the database printing
+ out the account fields in a format compatible with the
+ <filename>smbpasswd</filename> file format. (see the <ulink
+ url="smbpasswd.5.html"><filename>smbpasswd(5)</filename></ulink> for details)</para>
+
+ <para>Example: <command>pdbedit -l -w</command></para>
+ <para><programlisting>
+ sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX ]:LCT-00000000:
+ samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX ]:LCT-3BFA1E8D:
+ </programlisting></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-u username</term>
+ <listitem><para>This option specifies that the username to be
+ used for the operation requested (listing, adding, removing)
+ It is <emphasis>required</emphasis> in add, remove and modify
+ operations and <emphasis>optional</emphasis> in list
+ operations.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-f fullname</term>
+ <listitem><para>This option can be used while adding or
+ modifing a user account. It will specify the user's full
+ name. </para>
+
+ <para>Example: <command>-f "Simo Sorce"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-h homedir</term>
+ <listitem><para>This option can be used while adding or
+ modifing a user account. It will specify the user's home
+ directory network path.</para>
+
+ <para>Example: <command>-h "\\\\BERSERKER\\sorce"</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-d drive</term>
+ <listitem><para>This option can be used while adding or
+ modifing a user account. It will specify the windows drive
+ letter to be used to map the home directory.</para>
+
+ <para>Example: <command>-d "H:"</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-s script</term>
+ <listitem><para>This option can be used while adding or
+ modifing a user account. It will specify the user's logon
+ script path.</para>
+
+ <para>Example: <command>-s "\\\\BERSERKER\\netlogon\\sorce.bat"</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-p profile</term>
+ <listitem><para>This option can be used while adding or
+ modifing a user account. It will specify the user's profile
+ directory.</para>
+
+ <para>Example: <command>-p "\\\\BERSERKER\\netlogon"</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-a</term>
+ <listitem><para>This option is used to add a user into the
+ database. This command need the user name be specified with
+ the -u switch. When adding a new user pdbedit will also
+ ask for the password to be used</para>
+
+ <para>Example: <command>pdbedit -a -u sorce</command>
+ <programlisting>new password:
+ retype new password</programlisting>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-m</term>
+ <listitem><para>This option may only be used in conjunction
+ with the <parameter>-a</parameter> option. It will make
+ pdbedit to add a machine trust account instead of a user
+ account (-u username will provide the machine name).</para>
+
+ <para>Example: <command>pdbedit -a -m -u w2k-wks</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-x</term>
+ <listitem><para>This option causes pdbedit to delete an account
+ from the database. It need the username be specified with the
+ -u switch.</para>
+
+ <para>Example: <command>pdbedit -x -u bob</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-i file</term>
+ <listitem><para>This command is used to import a smbpasswd
+ file into the database.</para>
+
+ <para>This option will ease migration from the plain smbpasswd
+ file database to more powerful backend databases like tdb and
+ ldap.</para>
+
+ <para>Example: <command>pdbedit -i /etc/smbpasswd.old</command>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>NOTES</title>
+
+ <para>This command may be used only by root.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbpasswd.8.html">smbpasswd(8)</ulink>,
+ <ulink url="samba.7.html">samba(7)</ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/rpcclient.1.sgml b/docs/docbook/manpages/rpcclient.1.sgml
new file mode 100644
index 0000000000..f2a44d69d9
--- /dev/null
+++ b/docs/docbook/manpages/rpcclient.1.sgml
@@ -0,0 +1,421 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="rpcclient">
+
+<refmeta>
+ <refentrytitle>rpcclient</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>rpcclient</refname>
+ <refpurpose>tool for executing client side
+ MS-RPC functions</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>rpcclient</command>
+ <arg choice="req">server</arg>
+ <arg choice="opt">-A authfile</arg>
+ <arg choice="opt">-c &lt;command string&gt;</arg>
+ <arg choice="opt">-d debuglevel</arg>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-l logfile</arg>
+ <arg choice="opt">-N</arg>
+ <arg choice="opt">-s &lt;smb config file&gt;</arg>
+ <arg choice="opt">-U username[%password]</arg>
+ <arg choice="opt">-W workgroup</arg>
+ <arg choice="opt">-N</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>rpcclient</command> is a utility initially developed
+ to test MS-RPC functionality in Samba itself. It has undergone
+ several stages of development and stability. Many system administrators
+ have now written scripts around it to manage Windows NT clients from
+ their UNIX workstation. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>server</term>
+ <listitem><para>NetBIOS name of Server to which to connect.
+ The server can be any SMB/CIFS server. The name is
+ resolved using the <ulink url="smb.conf.5.html#NAMERESOLVEORDER">
+ <parameter>name resolve order</parameter></ulink> line from
+ <filename>smb.conf(5)</filename>.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-A|--authfile=filename</term>
+ <listitem><para>This option allows
+ you to specify a file from which to read the username and
+ password used in the connection. The format of the file is
+ </para>
+
+ <para><programlisting>
+ username = &lt;value&gt;
+ password = &lt;value&gt;
+ domain = &lt;value&gt;
+ </programlisting></para>
+
+ <para>Make certain that the permissions on the file restrict
+ access from unwanted users. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-c|--command='command string'</term>
+ <listitem><para>execute semicolon separated commands (listed
+ below)) </para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term>-d|--debug=debuglevel</term>
+ <listitem><para>set the debuglevel. Debug level 0 is the lowest
+ and 100 being the highest. This should be set to 100 if you are
+ planning on submitting a bug report to the Samba team (see <filename>BUGS.txt</filename>).
+ </para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term>-h|--help</term>
+ <listitem><para>Print a summary of command line options.
+ </para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term>-l|--logfile=logbasename</term>
+ <listitem><para>File name for log/debug files. The extension
+ <constant>'.client'</constant> will be appended. The log file is never removed
+ by the client.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-N|--nopass</term>
+ <listitem><para>instruct <command>rpcclient</command> not to ask
+ for a password. By default, <command>rpcclient</command> will prompt
+ for a password. See also the <parameter>-U</parameter> option.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-s|--conf=smb.conf</term>
+ <listitem><para>Specifies the location of the all important
+ <filename>smb.conf</filename> file. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-U|--user=username[%password]</term>
+ <listitem><para>Sets the SMB username or username and password. </para>
+
+ <para>If %password is not specified, the user will be prompted. The
+ client will first check the <envar>USER</envar> environment variable, then the
+ <envar>LOGNAME</envar> variable and if either exists, the
+ string is uppercased. If these environmental variables are not
+ found, the username <constant>GUEST</constant> is used. </para>
+
+ <para>A third option is to use a credentials file which
+ contains the plaintext of the username and password. This
+ option is mainly provided for scripts where the admin doesn't
+ desire to pass the credentials on the command line or via environment
+ variables. If this method is used, make certain that the permissions
+ on the file restrict access from unwanted users. See the
+ <parameter>-A</parameter> for more details. </para>
+
+ <para>Be cautious about including passwords in scripts. Also, on
+ many systems the command line of a running process may be seen
+ via the <command>ps</command> command. To be safe always allow
+ <command>rpcclient</command> to prompt for a password and type
+ it in directly. </para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term>-W|--workgroup=domain</term>
+ <listitem><para>Set the SMB domain of the username. This
+ overrides the default domain which is the domain defined in
+ smb.conf. If the domain specified is the same as the server's NetBIOS name,
+ it causes the client to log on using the server's local SAM (as
+ opposed to the Domain SAM). </para></listitem>
+ </varlistentry>
+
+
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>COMMANDS</title>
+
+ <para><emphasis>LSARPC</emphasis></para>
+ <itemizedlist>
+ <listitem><para><command>lsaquery</command></para></listitem>
+
+ <listitem><para><command>lookupsids</command> - Resolve a list
+ of SIDs to usernames.
+ </para></listitem>
+
+ <listitem><para><command>lookupnames</command> - Resolve s list
+ of usernames to SIDs.
+ </para></listitem>
+
+ <listitem><para><command>enumtrusts</command></para></listitem>
+ </itemizedlist>
+ <para> </para>
+
+
+
+ <para><emphasis>SAMR</emphasis></para>
+ <itemizedlist>
+ <listitem><para><command>queryuser</command></para></listitem>
+ <listitem><para><command>querygroup</command></para></listitem>
+ <listitem><para><command>queryusergroups</command></para></listitem>
+ <listitem><para><command>querygroupmem</command></para></listitem>
+ <listitem><para><command>queryaliasmem</command></para></listitem>
+ <listitem><para><command>querydispinfo</command></para></listitem>
+ <listitem><para><command>querydominfo</command></para></listitem>
+ <listitem><para><command>enumdomgroups</command></para></listitem>
+ </itemizedlist>
+ <para> </para>
+
+
+
+ <para><emphasis>SPOOLSS</emphasis></para>
+
+ <itemizedlist>
+ <listitem><para><command>adddriver &lt;arch&gt &lt;config&gt;</command>
+ - Execute an AddPrinterDriver() RPC to install the printer driver
+ information on the server. Note that the driver files should
+ already exist in the directory returned by
+ <command>getdriverdir</command>. Possible values for
+ <parameter>arch</parameter> are the same as those for
+ the <command>getdriverdir</command> command.
+ The <parameter>config</parameter> parameter is defined as
+ follows: </para>
+
+ <para><programlisting>
+ Long Printer Name:\
+ Driver File Name:\
+ Data File Name:\
+ Config File Name:\
+ Help File Name:\
+ Language Monitor Name:\
+ Default Data Type:\
+ Comma Separated list of Files
+ </programlisting></para>
+
+ <para>Any empty fields should be enter as the string "NULL". </para>
+
+ <para>Samba does not need to support the concept of Print Monitors
+ since these only apply to local printers whose driver can make
+ use of a bi-directional link for communication. This field should
+ be "NULL". On a remote NT print server, the Print Monitor for a
+ driver must already be installed prior to adding the driver or
+ else the RPC will fail. </para></listitem>
+
+
+
+
+ <listitem><para><command>addprinter &lt;printername&gt;
+ &lt;sharename&gt; &lt;drivername&gt; &lt;port&gt;</command>
+ - Add a printer on the remote server. This printer
+ will be automatically shared. Be aware that the printer driver
+ must already be installed on the server (see <command>adddriver</command>)
+ and the <parameter>port</parameter>must be a valid port name (see
+ <command>enumports</command>.</para>
+ </listitem>
+
+
+ <listitem><para><command>deldriver</command> - Delete the
+ specified printer driver for all architectures. This
+ does not delete the actual driver files from the server,
+ only the entry from the server's list of drivers.
+ </para></listitem>
+
+ <listitem><para><command>enumdata</command> - Enumerate all
+ printer setting data stored on the server. On Windows NT clients,
+ these values are stored in the registry, while Samba servers
+ store them in the printers TDB. This command corresponds
+ to the MS Platform SDK GetPrinterData() function (* This
+ command is currently unimplemented).</para></listitem>
+
+
+
+ <listitem><para><command>enumjobs &lt;printer&gt;</command>
+ - List the jobs and status of a given printer.
+ This command corresponds to the MS Platform SDK EnumJobs()
+ function (* This command is currently unimplemented).</para></listitem>
+
+
+
+
+ <listitem><para><command>enumports [level]</command>
+ - Executes an EnumPorts() call using the specified
+ info level. Currently only info levels 1 and 2 are supported.
+ </para></listitem>
+
+
+
+ <listitem><para><command>enumdrivers [level]</command>
+ - Execute an EnumPrinterDrivers() call. This lists the various installed
+ printer drivers for all architectures. Refer to the MS Platform SDK
+ documentation for more details of the various flags and calling
+ options. Currently supported info levels are 1, 2, and 3.</para></listitem>
+
+
+
+ <listitem><para><command>enumprinters [level]</command>
+ - Execute an EnumPrinters() call. This lists the various installed
+ and share printers. Refer to the MS Platform SDK documentation for
+ more details of the various flags and calling options. Currently
+ supported info levels are 0, 1, and 2.</para></listitem>
+
+
+
+
+ <listitem><para><command>getdata &lt;printername&gt;</command>
+ - Retrieve the data for a given printer setting. See
+ the <command>enumdata</command> command for more information.
+ This command corresponds to the GetPrinterData() MS Platform
+ SDK function (* This command is currently unimplemented). </para></listitem>
+
+
+
+ <listitem><para><command>getdriver &lt;printername&gt;</command>
+ - Retrieve the printer driver information (such as driver file,
+ config file, dependent files, etc...) for
+ the given printer. This command corresponds to the GetPrinterDriver()
+ MS Platform SDK function. Currently info level 1, 2, and 3 are supported.
+ </para></listitem>
+
+
+ <listitem><para><command>getdriverdir &lt;arch&gt;</command>
+ - Execute a GetPrinterDriverDirectory()
+ RPC to retreive the SMB share name and subdirectory for
+ storing printer driver files for a given architecture. Possible
+ values for <parameter>arch</parameter> are "Windows 4.0"
+ (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows
+ Alpha_AXP", and "Windows NT R4000". </para></listitem>
+
+
+
+ <listitem><para><command>getprinter &lt;printername&gt;</command>
+ - Retrieve the current printer information. This command
+ corresponds to the GetPrinter() MS Platform SDK function.
+ </para></listitem>
+
+
+
+ <listitem><para><command>openprinter &lt;printername&gt;</command>
+ - Execute an OpenPrinterEx() and ClosePrinter() RPC
+ against a given printer. </para></listitem>
+
+
+ <listitem><para><command>setdriver &lt;printername&gt; &lt;drivername&gt;</command>
+ - Execute a SetPrinter() command to update the printer driver associated
+ with an installed printer. The printer driver must already be correctly
+ installed on the print server. </para>
+
+ <para>See also the <command>enumprinters</command> and
+ <command>enumdrivers</command> commands for obtaining a list of
+ of installed printers and drivers.</para></listitem>
+
+ </itemizedlist>
+
+
+ <para><emphasis>GENERAL OPTIONS</emphasis></para>
+
+ <itemizedlist>
+ <listitem><para><command>debuglevel</command> - Set the current debug level
+ used to log information.</para></listitem>
+
+ <listitem><para><command>help (?)</command> - Print a listing of all
+ known commands or extended help on a particular command.
+ </para></listitem>
+
+ <listitem><para><command>quit (exit)</command> - Exit <command>rpcclient
+ </command>.</para></listitem>
+ </itemizedlist>
+
+
+</refsect1>
+
+<refsect1>
+ <title>BUGS</title>
+
+ <para><command>rpcclient</command> is designed as a developer testing tool
+ and may not be robust in certain areas (such as command line parsing).
+ It has been known to generate a core dump upon failures when invalid
+ parameters where passed to the interpreter. </para>
+
+ <para>From Luke Leighton's original rpcclient man page:</para>
+
+ <para><emphasis>"WARNING!</emphasis> The MSRPC over SMB code has
+ been developed from examining Network traces. No documentation is
+ available from the original creators (Microsoft) on how MSRPC over
+ SMB works, or how the individual MSRPC services work. Microsoft's
+ implementation of these services has been demonstrated (and reported)
+ to be... a bit flaky in places. </para>
+
+ <para>The development of Samba's implementation is also a bit rough,
+ and as more of the services are understood, it can even result in
+ versions of <command>smbd(8)</command> and <command>rpcclient(1)</command>
+ that are incompatible for some commands or services. Additionally,
+ the developers are sending reports to Microsoft, and problems found
+ or reported to Microsoft are fixed in Service Packs, which may
+ result in incompatibilities." </para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 3.0 of the Samba
+ suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original rpcclient man page was written by Matthew
+ Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter.
+ The conversion to DocBook for Samba 2.2 was done by Gerald
+ Carter.</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/samba.7.sgml b/docs/docbook/manpages/samba.7.sgml
new file mode 100644
index 0000000000..5d81d9d446
--- /dev/null
+++ b/docs/docbook/manpages/samba.7.sgml
@@ -0,0 +1,213 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="samba">
+
+<refmeta>
+ <refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>SAMBA</refname>
+ <refpurpose>A Windows SMB/CIFS fileserver for UNIX</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis><command>Samba</command></cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>The Samba software suite is a collection of programs
+ that implements the Server Message Block (commonly abbreviated
+ as SMB) protocol for UNIX systems. This protocol is sometimes
+ also referred to as the Common Internet File System (CIFS),
+ LanManager or NetBIOS protocol.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><command>smbd</command></term>
+ <listitem><para>The <command>smbd </command>
+ daemon provides the file and print services to
+ SMB clients, such as Windows 95/98, Windows NT, Windows
+ for Workgroups or LanManager. The configuration file
+ for this daemon is described in <filename>smb.conf</filename>
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>nmbd</command></term>
+ <listitem><para>The <command>nmbd</command>
+ daemon provides NetBIOS nameserving and browsing
+ support. The configuration file for this daemon
+ is described in <filename>smb.conf</filename></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>smbclient</command></term>
+ <listitem><para>The <command>smbclient</command>
+ program implements a simple ftp-like client. This
+ is useful for accessing SMB shares on other compatible
+ servers (such as Windows NT), and can also be used
+ to allow a UNIX box to print to a printer attached to
+ any SMB server (such as a PC running Windows NT).</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>testparm</command></term>
+ <listitem><para>The <command>testparm</command>
+ utility is a simple syntax checker for Samba's
+ <filename>smb.conf</filename>configuration file.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>testprns</command></term>
+ <listitem><para>The <command>testprns</command>
+ utility supports testing printer names defined
+ in your <filename>printcap></filename> file used
+ by Samba.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>smbstatus</command></term>
+ <listitem><para>The <command>smbstatus</command>
+ tool provides access to information about the
+ current connections to <command>smbd</command>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>nmblookup</command></term>
+ <listitem><para>The <command>nmblookup</command>
+ tools allows NetBIOS name queries to be made
+ from a UNIX host.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>make_smbcodepage</command></term>
+ <listitem><para>The <command>make_smbcodepage</command>
+ utility provides a means of creating SMB code page
+ definition files for your <command>smbd</command> server.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>smbpasswd</command></term>
+ <listitem><para>The <command>smbpasswd</command>
+ command is a tool for changing LanMan and Windows NT
+ password hashes on Samba and Windows NT servers.</para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>COMPONENTS</title>
+
+ <para>The Samba suite is made up of several components. Each
+ component is described in a separate manual page. It is strongly
+ recommended that you read the documentation that comes with Samba
+ and the manual pages of those components that you use. If the
+ manual pages aren't clear enough then please send a patch or
+ bug report to <ulink url="mailto:samba@samba.org">
+ samba@samba.org</ulink></para>
+
+
+
+</refsect1>
+
+<refsect1>
+ <title>AVAILABILITY</title>
+
+ <para>The Samba software suite is licensed under the
+ GNU Public License(GPL). A copy of that license should
+ have come with the package in the file COPYING. You are
+ encouraged to distribute copies of the Samba suite, but
+ please obey the terms of this license.</para>
+
+ <para>The latest version of the Samba suite can be
+ obtained via anonymous ftp from samba.org in the
+ directory pub/samba/. It is also available on several
+ mirror sites worldwide.</para>
+
+ <para>You may also find useful information about Samba
+ on the newsgroup <ulink url="news:comp.protocols.smb">
+ comp.protocol.smb</ulink> and the Samba mailing
+ list. Details on how to join the mailing list are given in
+ the README file that comes with Samba.</para>
+
+ <para>If you have access to a WWW viewer (such as Netscape
+ or Mosaic) then you will also find lots of useful information,
+ including back issues of the Samba mailing list, at
+ <ulink url="http://lists.samba.org/">http://lists.samba.org</ulink>.</para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of the
+ Samba suite. </para>
+</refsect1>
+
+<refsect1>
+ <title>CONTRIBUTIONS</title>
+
+ <para>If you wish to contribute to the Samba project,
+ then I suggest you join the Samba mailing list at
+ <ulink url="http://lists.samba.org/">http://lists.samba.org</ulink>.
+ </para>
+
+ <para>If you have patches to submit or bugs to report
+ then you may mail them directly to samba-patches@samba.org.
+ Note, however, that due to the enormous popularity of this
+ package the Samba Team may take some time to respond to mail. We
+ prefer patches in <command>diff -u</command> format.</para>
+</refsect1>
+
+<refsect1>
+ <title>CONTRIBUTORS</title>
+
+ <para>Contributors to the project are now too numerous
+ to mention here but all deserve the thanks of all Samba
+ users. To see a full list, look at <ulink
+ url="ftp://samba.org/pub/samba/alpha/change-log">
+ ftp://samba.org/pub/samba/alpha/change-log</ulink>
+ for the pre-CVS changes and at <ulink
+ url="ftp://samba.org/pub/samba/alpha/cvs.log">
+ ftp://samba.org/pub/samba/alpha/cvs.log</ulink>
+ for the contributors to Samba post-CVS. CVS is the Open Source
+ source code control system used by the Samba Team to develop
+ Samba. The project would have been unmanageable without it.</para>
+
+ <para>In addition, several commercial organizations now help
+ fund the Samba Team with money and equipment. For details see
+ the Samba Web pages at <ulink
+ url="http://samba.org/samba/samba-thanks.html">
+ http://samba.org/samba/samba-thanks.html</ulink>.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
new file mode 100644
index 0000000000..1567087d9e
--- /dev/null
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -0,0 +1,8411 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smb.conf">
+
+<refmeta>
+ <refentrytitle>smb.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smb.conf</refname>
+ <refpurpose>The configuration file for the Samba suite</refpurpose>
+</refnamediv>
+
+<refsect1>
+ <title>SYNOPSIS</title>
+
+ <para>The <filename>smb.conf</filename> file is a configuration
+ file for the Samba suite. <filename>smb.conf</filename> contains
+ runtime configuration information for the Samba programs. The
+ <filename>smb.conf</filename> file is designed to be configured and
+ administered by the <ulink url="swat.8.html"><command>swat(8)</command>
+ </ulink> program. The complete description of the file format and
+ possible parameters held within are here for reference purposes.</para>
+</refsect1>
+
+<refsect1>
+ <title id="FILEFORMATSECT">FILE FORMAT</title>
+
+ <para>The file consists of sections and parameters. A section
+ begins with the name of the section in square brackets and continues
+ until the next section begins. Sections contain parameters of the
+ form</para>
+
+ <para><replaceable>name</replaceable> = <replaceable>value
+ </replaceable></para>
+
+ <para>The file is line-based - that is, each newline-terminated
+ line represents either a comment, a section name or a parameter.</para>
+
+ <para>Section and parameter names are not case sensitive.</para>
+
+ <para>Only the first equals sign in a parameter is significant.
+ Whitespace before or after the first equals sign is discarded.
+ Leading, trailing and internal whitespace in section and parameter
+ names is irrelevant. Leading and trailing whitespace in a parameter
+ value is discarded. Internal whitespace within a parameter value
+ is retained verbatim.</para>
+
+ <para>Any line beginning with a semicolon (';') or a hash ('#')
+ character is ignored, as are lines containing only whitespace.</para>
+
+ <para>Any line ending in a '\' is continued
+ on the next line in the customary UNIX fashion.</para>
+
+ <para>The values following the equals sign in parameters are all
+ either a string (no quotes needed) or a boolean, which may be given
+ as yes/no, 0/1 or true/false. Case is not significant in boolean
+ values, but is preserved in string values. Some items such as
+ create modes are numeric.</para>
+</refsect1>
+
+<refsect1>
+ <title>SECTION DESCRIPTIONS</title>
+
+ <para>Each section in the configuration file (except for the
+ [global] section) describes a shared resource (known
+ as a "share"). The section name is the name of the
+ shared resource and the parameters within the section define
+ the shares attributes.</para>
+
+ <para>There are three special sections, [global],
+ [homes] and [printers], which are
+ described under <emphasis>special sections</emphasis>. The
+ following notes apply to ordinary section descriptions.</para>
+
+ <para>A share consists of a directory to which access is being
+ given plus a description of the access rights which are granted
+ to the user of the service. Some housekeeping options are
+ also specifiable.</para>
+
+ <para>Sections are either file share services (used by the
+ client as an extension of their native file systems) or
+ printable services (used by the client to access print services
+ on the host running the server).</para>
+
+ <para>Sections may be designated <emphasis>guest</emphasis> services,
+ in which case no password is required to access them. A specified
+ UNIX <emphasis>guest account</emphasis> is used to define access
+ privileges in this case.</para>
+
+ <para>Sections other than guest services will require a password
+ to access them. The client provides the username. As older clients
+ only provide passwords and not usernames, you may specify a list
+ of usernames to check against the password using the "user ="
+ option in the share definition. For modern clients such as
+ Windows 95/98/ME/NT/2000, this should not be necessary.</para>
+
+ <para>Note that the access rights granted by the server are
+ masked by the access rights granted to the specified or guest
+ UNIX user by the host system. The server does not grant more
+ access than the host system grants.</para>
+
+ <para>The following sample section defines a file space share.
+ The user has write access to the path <filename>/home/bar</filename>.
+ The share is accessed via the share name "foo":</para>
+
+ <screen>
+ <computeroutput>
+ [foo]
+ path = /home/bar
+ writeable = true
+ </computeroutput>
+ </screen>
+
+ <para>The following sample section defines a printable share.
+ The share is readonly, but printable. That is, the only write
+ access permitted is via calls to open, write to and close a
+ spool file. The <emphasis>guest ok</emphasis> parameter means
+ access will be permitted as the default guest user (specified
+ elsewhere):</para>
+
+ <screen>
+ <computeroutput>
+ [aprinter]
+ path = /usr/spool/public
+ writeable = false
+ printable = true
+ guest ok = true
+ </computeroutput>
+ </screen>
+</refsect1>
+
+<refsect1>
+ <title>SPECIAL SECTIONS</title>
+
+ <refsect2>
+ <title>The [global] section</title>
+
+ <para>parameters in this section apply to the server
+ as a whole, or are defaults for sections which do not
+ specifically define certain items. See the notes
+ under PARAMETERS for more information.</para>
+ </refsect2>
+
+ <refsect2>
+ <title id="HOMESECT">The [homes] section</title>
+
+ <para>If a section called homes is included in the
+ configuration file, services connecting clients to their
+ home directories can be created on the fly by the server.</para>
+
+ <para>When the connection request is made, the existing
+ sections are scanned. If a match is found, it is used. If no
+ match is found, the requested section name is treated as a
+ user name and looked up in the local password file. If the
+ name exists and the correct password has been given, a share is
+ created by cloning the [homes] section.</para>
+
+ <para>Some modifications are then made to the newly
+ created share:</para>
+
+ <itemizedlist>
+ <listitem><para>The share name is changed from homes to
+ the located username.</para></listitem>
+
+ <listitem><para>If no path was given, the path is set to
+ the user's home directory.</para></listitem>
+ </itemizedlist>
+
+ <para>If you decide to use a <emphasis>path =</emphasis> line
+ in your [homes] section then you may find it useful
+ to use the %S macro. For example :</para>
+
+ <para><userinput>path = /data/pchome/%S</userinput></para>
+
+ <para>would be useful if you have different home directories
+ for your PCs than for UNIX access.</para>
+
+ <para>This is a fast and simple way to give a large number
+ of clients access to their home directories with a minimum
+ of fuss.</para>
+
+ <para>A similar process occurs if the requested section
+ name is "homes", except that the share name is not
+ changed to that of the requesting user. This method of using
+ the [homes] section works well if different users share
+ a client PC.</para>
+
+ <para>The [homes] section can specify all the parameters
+ a normal service section can specify, though some make more sense
+ than others. The following is a typical and suitable [homes]
+ section:</para>
+
+ <screen>
+ <computeroutput>
+ [homes]
+ writeable = yes
+ </computeroutput>
+ </screen>
+
+ <para>An important point is that if guest access is specified
+ in the [homes] section, all home directories will be
+ visible to all clients <emphasis>without a password</emphasis>.
+ In the very unlikely event that this is actually desirable, it
+ would be wise to also specify <emphasis>read only
+ access</emphasis>.</para>
+
+ <para>Note that the <emphasis>browseable</emphasis> flag for
+ auto home directories will be inherited from the global browseable
+ flag, not the [homes] browseable flag. This is useful as
+ it means setting <emphasis>browseable = no</emphasis> in
+ the [homes] section will hide the [homes] share but make
+ any auto home directories visible.</para>
+ </refsect2>
+
+ <refsect2>
+ <title id="PRINTERSSECT">The [printers] section</title>
+
+ <para>This section works like [homes],
+ but for printers.</para>
+
+ <para>If a [printers] section occurs in the
+ configuration file, users are able to connect to any printer
+ specified in the local host's printcap file.</para>
+
+ <para>When a connection request is made, the existing sections
+ are scanned. If a match is found, it is used. If no match is found,
+ but a [homes] section exists, it is used as described
+ above. Otherwise, the requested section name is treated as a
+ printer name and the appropriate printcap file is scanned to see
+ if the requested section name is a valid printer share name. If
+ a match is found, a new printer share is created by cloning
+ the [printers] section.</para>
+
+ <para>A few modifications are then made to the newly created
+ share:</para>
+
+ <itemizedlist>
+ <listitem><para>The share name is set to the located printer
+ name</para></listitem>
+
+ <listitem><para>If no printer name was given, the printer name
+ is set to the located printer name</para></listitem>
+
+ <listitem><para>If the share does not permit guest access and
+ no username was given, the username is set to the located
+ printer name.</para></listitem>
+ </itemizedlist>
+
+ <para>Note that the [printers] service MUST be
+ printable - if you specify otherwise, the server will refuse
+ to load the configuration file.</para>
+
+ <para>Typically the path specified would be that of a
+ world-writeable spool directory with the sticky bit set on
+ it. A typical [printers] entry would look like
+ this:</para>
+
+ <screen><computeroutput>
+ [printers]
+ path = /usr/spool/public
+ guest ok = yes
+ printable = yes
+ </computeroutput></screen>
+
+ <para>All aliases given for a printer in the printcap file
+ are legitimate printer names as far as the server is concerned.
+ If your printing subsystem doesn't work like that, you will have
+ to set up a pseudo-printcap. This is a file consisting of one or
+ more lines like this:</para>
+
+ <screen>
+ <computeroutput>
+ alias|alias|alias|alias...
+ </computeroutput>
+ </screen>
+
+ <para>Each alias should be an acceptable printer name for
+ your printing subsystem. In the [global] section, specify
+ the new file as your printcap. The server will then only recognize
+ names found in your pseudo-printcap, which of course can contain
+ whatever aliases you like. The same technique could be used
+ simply to limit access to a subset of your local printers.</para>
+
+ <para>An alias, by the way, is defined as any component of the
+ first entry of a printcap record. Records are separated by newlines,
+ components (if there are more than one) are separated by vertical
+ bar symbols ('|').</para>
+
+ <para>NOTE: On SYSV systems which use lpstat to determine what
+ printers are defined on the system you may be able to use
+ "printcap name = lpstat" to automatically obtain a list
+ of printers. See the "printcap name" option
+ for more details.</para>
+ </refsect2>
+</refsect1>
+
+<refsect1>
+ <title>PARAMETERS</title>
+
+ <para>parameters define the specific attributes of sections.</para>
+
+ <para>Some parameters are specific to the [global] section
+ (e.g., <emphasis>security</emphasis>). Some parameters are usable
+ in all sections (e.g., <emphasis>create mode</emphasis>). All others
+ are permissible only in normal sections. For the purposes of the
+ following descriptions the [homes] and [printers]
+ sections will be considered normal. The letter <emphasis>G</emphasis>
+ in parentheses indicates that a parameter is specific to the
+ [global] section. The letter <emphasis>S</emphasis>
+ indicates that a parameter can be specified in a service specific
+ section. Note that all <emphasis>S</emphasis> parameters can also be specified in
+ the [global] section - in which case they will define
+ the default behavior for all services.</para>
+
+ <para>parameters are arranged here in alphabetical order - this may
+ not create best bedfellows, but at least you can find them! Where
+ there are synonyms, the preferred synonym is described, others refer
+ to the preferred synonym.</para>
+</refsect1>
+
+<refsect1>
+ <title>VARIABLE SUBSTITUTIONS</title>
+
+ <para>Many of the strings that are settable in the config file
+ can take substitutions. For example the option "path =
+ /tmp/%u" would be interpreted as "path =
+ /tmp/john" if the user connected with the username john.</para>
+
+ <para>These substitutions are mostly noted in the descriptions below,
+ but there are some general substitutions which apply whenever they
+ might be relevant. These are:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>%S</term>
+ <listitem><para>the name of the current service, if any.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%P</term>
+ <listitem><para>the root directory of the current service,
+ if any.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%u</term>
+ <listitem><para>user name of the current service, if any.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%g</term>
+ <listitem><para>primary group name of %u.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%U</term>
+ <listitem><para>session user name (the user name that the client
+ wanted, not necessarily the same as the one they got).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%G</term>
+ <listitem><para>primary group name of %U.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%H</term>
+ <listitem><para>the home directory of the user given
+ by %u.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%v</term>
+ <listitem><para>the Samba version.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%h</term>
+ <listitem><para>the Internet hostname that Samba is running
+ on.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%m</term>
+ <listitem><para>the NetBIOS name of the client machine
+ (very useful).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%L</term>
+ <listitem><para>the NetBIOS name of the server. This allows you
+ to change your config based on what the client calls you. Your
+ server can have a "dual personality".</para>
+
+ <para>Note that this paramater is not available when Samba listens
+ on port 445, as clients no longer send this information </para>
+ </listitem>
+
+ </varlistentry>
+
+ <varlistentry>
+ <term>%M</term>
+ <listitem><para>the Internet name of the client machine.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%N</term>
+ <listitem><para>the name of your NIS home directory server.
+ This is obtained from your NIS auto.map entry. If you have
+ not compiled Samba with the <emphasis>--with-automount</emphasis>
+ option then this value will be the same as %L.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%p</term>
+ <listitem><para>the path of the service's home directory,
+ obtained from your NIS auto.map entry. The NIS auto.map entry
+ is split up as "%N:%p".</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%R</term>
+ <listitem><para>the selected protocol level after
+ protocol negotiation. It can be one of CORE, COREPLUS,
+ LANMAN1, LANMAN2 or NT1.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%d</term>
+ <listitem><para>The process id of the current server
+ process.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%a</term>
+ <listitem><para>the architecture of the remote
+ machine. Only some are recognized, and those may not be
+ 100% reliable. It currently recognizes Samba, WfWg, Win95,
+ WinNT and Win2k. Anything else will be known as
+ "UNKNOWN". If it gets it wrong then sending a level
+ 3 log to <ulink url="mailto:samba@samba.org">samba@samba.org
+ </ulink> should allow it to be fixed.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%I</term>
+ <listitem><para>The IP address of the client machine.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%T</term>
+ <listitem><para>the current date and time.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>%$(<replaceable>envvar</replaceable>)</term>
+ <listitem><para>The value of the environment variable
+ <replaceable>envar</replaceable>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>There are some quite creative things that can be done
+ with these substitutions and other smb.conf options.</para
+</refsect1>
+
+<refsect1>
+ <title id="NAMEMANGLINGSECT">NAME MANGLING</title>
+
+ <para>Samba supports "name mangling" so that DOS and
+ Windows clients can use files that don't conform to the 8.3 format.
+ It can also be set to adjust the case of 8.3 format filenames.</para>
+
+ <para>There are several options that control the way mangling is
+ performed, and they are grouped here rather than listed separately.
+ For the defaults look at the output of the testparm program. </para>
+
+ <para>All of these options can be set separately for each service
+ (or globally, of course). </para>
+
+ <para>The options are: </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>mangle case = yes/no</term>
+ <listitem><para> controls if names that have characters that
+ aren't of the "default" case are mangled. For example,
+ if this is yes then a name like "Mail" would be mangled.
+ Default <emphasis>no</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>case sensitive = yes/no</term>
+ <listitem><para>controls whether filenames are case sensitive. If
+ they aren't then Samba must do a filename search and match on passed
+ names. Default <emphasis>no</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>default case = upper/lower</term>
+ <listitem><para>controls what the default case is for new
+ filenames. Default <emphasis>lower</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>preserve case = yes/no</term>
+ <listitem><para>controls if new files are created with the
+ case that the client passes, or if they are forced to be the
+ "default" case. Default <emphasis>yes</emphasis>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>short preserve case = yes/no</term>
+ <listitem><para>controls if new files which conform to 8.3 syntax,
+ that is all in upper case and of suitable length, are created
+ upper case, or if they are forced to be the "default"
+ case. This option can be use with "preserve case = yes"
+ to permit long filenames to retain their case, while short names
+ are lowercased. Default <emphasis>yes</emphasis>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>By default, Samba 2.2 has the same semantics as a Windows
+ NT server, in that it is case insensitive but case preserving.</para>
+
+</refsect1>
+
+<refsect1>
+ <title id="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
+
+ <para>There are a number of ways in which a user can connect
+ to a service. The server uses the following steps in determining
+ if it will allow a connection to a specified service. If all the
+ steps fail, then the connection request is rejected. However, if one of the
+ steps succeeds, then the following steps are not checked.</para>
+
+ <para>If the service is marked "guest only = yes" then
+ steps 1 to 5 are skipped.</para>
+
+ <orderedlist numeration="Arabic">
+ <listitem><para>If the client has passed a username/password
+ pair and that username/password pair is validated by the UNIX
+ system's password programs then the connection is made as that
+ username. Note that this includes the
+ \\server\service%<replaceable>username</replaceable> method of passing
+ a username.</para></listitem>
+
+ <listitem><para>If the client has previously registered a username
+ with the system and now supplies a correct password for that
+ username then the connection is allowed.</para></listitem>
+
+ <listitem><para>The client's NetBIOS name and any previously
+ used user names are checked against the supplied password, if
+ they match then the connection is allowed as the corresponding
+ user.</para></listitem>
+
+ <listitem><para>If the client has previously validated a
+ username/password pair with the server and the client has passed
+ the validation token then that username is used. </para></listitem>
+
+ <listitem><para>If a "user = " field is given in the
+ <filename>smb.conf</filename> file for the service and the client
+ has supplied a password, and that password matches (according to
+ the UNIX system's password checking) with one of the usernames
+ from the "user =" field then the connection is made as
+ the username in the "user =" line. If one
+ of the username in the "user =" list begins with a
+ '@' then that name expands to a list of names in
+ the group of the same name.</para></listitem>
+
+ <listitem><para>If the service is a guest service then a
+ connection is made as the username given in the "guest
+ account =" for the service, irrespective of the
+ supplied password.</para></listitem>
+ </orderedlist>
+
+</refsect1>
+
+<refsect1>
+ <title>COMPLETE LIST OF GLOBAL PARAMETERS</title>
+
+ <para>Here is a list of all global parameters. See the section of
+ each parameter for details. Note that some are synonyms.</para>
+
+ <itemizedlist>
+ <listitem><para><link linkend="ABORTSHUTDOWNSCRIPT"><parameter>abort shutdown script</parameter></link></para></listitem>
+ <listitem><para><link linkend="ADDPRINTERCOMMAND"><parameter>add printer command</parameter></link></para></listitem>
+ <listitem><para><link linkend="ADDSHARECOMMAND"><parameter>add share command</parameter></link></para></listitem>
+ <listitem><para><link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link></para></listitem>
+ <listitem><para><link linkend="ADDMACHINESCRIPT"><parameter>add machine script</parameter></link></para></listitem>
+ <listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem>
+ <listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem>
+ <listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem>
+ <listitem><para><link linkend="AUTHMETHODS"><parameter>auth methods</parameter></link></para></listitem>
+ <listitem><para><link linkend="AUTOSERVICES"><parameter>auto services</parameter></link></para></listitem>
+ <listitem><para><link linkend="BINDINTERFACESONLY"><parameter>bind interfaces only</parameter></link></para></listitem>
+ <listitem><para><link linkend="BROWSELIST"><parameter>browse list</parameter></link></para></listitem>
+ <listitem><para><link linkend="CHANGENOTIFYTIMEOUT"><parameter>change notify timeout</parameter></link></para></listitem>
+ <listitem><para><link linkend="CHANGESHARECOMMAND"><parameter>change share command</parameter></link></para></listitem>
+ <listitem><para><link linkend="CONFIGFILE"><parameter>config file</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEADTIME"><parameter>deadtime</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEBUGHIRESTIMESTAMP"><parameter>debug hires timestamp</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEBUGPID"><parameter>debug pid</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEBUGTIMESTAMP"><parameter>debug timestamp</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEBUGUID"><parameter>debug uid</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEBUGLEVEL"><parameter>debuglevel</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEFAULT"><parameter>default</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEFAULTSERVICE"><parameter>default service</parameter></link></para></listitem>
+ <listitem><para><link linkend="DELETEPRINTERCOMMAND"><parameter>delete printer command</parameter></link></para></listitem>
+ <listitem><para><link linkend="DELETESHARECOMMAND"><parameter>delete share command</parameter></link></para></listitem>
+ <listitem><para><link linkend="DELETEUSERSCRIPT"><parameter>delete user script</parameter></link></para></listitem>
+ <listitem><para><link linkend="DFREECOMMAND"><parameter>dfree command</parameter></link></para></listitem>
+ <listitem><para><link linkend="DISABLESPOOLSS"><parameter>disable spoolss</parameter></link></para></listitem>
+ <listitem><para><link linkend="DNSPROXY"><parameter>dns proxy</parameter></link></para></listitem>
+ <listitem><para><link linkend="DOMAINADMINGROUP"><parameter>domain admin group</parameter></link></para></listitem>
+ <listitem><para><link linkend="DOMAINGUESTGROUP"><parameter>domain guest group</parameter></link></para></listitem>
+ <listitem><para><link linkend="DOMAINLOGONS"><parameter>domain logons</parameter></link></para></listitem>
+ <listitem><para><link linkend="DOMAINMASTER"><parameter>domain master</parameter></link></para></listitem>
+ <listitem><para><link linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter></link></para></listitem>
+ <listitem><para><link linkend="ENHANCEDBROWSING"><parameter>enhanced browsing</parameter></link></para></listitem>
+ <listitem><para><link linkend="ENUMPORTSCOMMAND"><parameter>enumports command</parameter></link></para></listitem>
+ <listitem><para><link linkend="GETWDCACHE"><parameter>getwd cache</parameter></link></para></listitem>
+ <listitem><para><link linkend="HIDELOCALUSERS"><parameter>hide local users</parameter></link></para></listitem>
+ <listitem><para><link linkend="HIDEUNREADABLE"><parameter>hide unreadable</parameter></link></para></listitem>
+ <listitem><para><link linkend="HOMEDIRMAP"><parameter>homedir map</parameter></link></para></listitem>
+ <listitem><para><link linkend="HOSTMSDFS"><parameter>host msdfs</parameter></link></para></listitem>
+ <listitem><para><link linkend="HOSTSEQUIV"><parameter>hosts equiv</parameter></link></para></listitem>
+ <listitem><para><link linkend="INTERFACES"><parameter>interfaces</parameter></link></para></listitem>
+ <listitem><para><link linkend="KEEPALIVE"><parameter>keepalive</parameter></link></para></listitem>
+ <listitem><para><link linkend="KERNELOPLOCKS"><parameter>kernel oplocks</parameter></link></para></listitem>
+ <listitem><para><link linkend="LANMANAUTH"><parameter>lanman auth</parameter></link></para></listitem>
+ <listitem><para><link linkend="LARGEREADWRITE"><parameter>large readwrite</parameter></link></para></listitem>
+
+ <listitem><para><link linkend="LDAPADMINDN"><parameter>ldap admin dn</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPFILTER"><parameter>ldap filter</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPPORT"><parameter>ldap port</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPSERVER"><parameter>ldap server</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPSSL"><parameter>ldap ssl</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPSUFFIX"><parameter>ldap suffix</parameter></link></para></listitem>
+
+ <listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem>
+ <listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOADPRINTERS"><parameter>load printers</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOCALMASTER"><parameter>local master</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOCKDIR"><parameter>lock dir</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOGFILE"><parameter>log file</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOGLEVEL"><parameter>log level</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOGONDRIVE"><parameter>logon drive</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOGONHOME"><parameter>logon home</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOGONPATH"><parameter>logon path</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOGONSCRIPT"><parameter>logon script</parameter></link></para></listitem>
+ <listitem><para><link linkend="LPQCACHETIME"><parameter>lpq cache time</parameter></link></para></listitem>
+ <listitem><para><link linkend="MACHINEPASSWORDTIMEOUT"><parameter>machine password timeout</parameter></link></para></listitem>
+ <listitem><para><link linkend="MANGLEDSTACK"><parameter>mangled stack</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAPTOGUEST"><parameter>map to guest</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXDISKSIZE"><parameter>max disk size</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXLOGSIZE"><parameter>max log size</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXMUX"><parameter>max mux</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXOPENFILES"><parameter>max open files</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXPROTOCOL"><parameter>max protocol</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXSMBDPROCESSES"><parameter>max smbd processes</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXTTL"><parameter>max ttl</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXWINSTTL"><parameter>max wins ttl</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXXMIT"><parameter>max xmit</parameter></link></para></listitem>
+ <listitem><para><link linkend="MESSAGECOMMAND"><parameter>message command</parameter></link></para></listitem>
+ <listitem><para><link linkend="MINPASSWDLENGTH"><parameter>min passwd length</parameter></link></para></listitem>
+ <listitem><para><link linkend="MINPASSWORDLENGTH"><parameter>min password length</parameter></link></para></listitem>
+ <listitem><para><link linkend="MINPROTOCOL"><parameter>min protocol</parameter></link></para></listitem>
+ <listitem><para><link linkend="MINWINSTTL"><parameter>min wins ttl</parameter></link></para></listitem>
+ <listitem><para><link linkend="NAMERESOLVEORDER"><parameter>name resolve order</parameter></link></para></listitem>
+ <listitem><para><link linkend="NETBIOSALIASES"><parameter>netbios aliases</parameter></link></para></listitem>
+ <listitem><para><link linkend="NETBIOSNAME"><parameter>netbios name</parameter></link></para></listitem>
+ <listitem><para><link linkend="NETBIOSSCOPE"><parameter>netbios scope</parameter></link></para></listitem>
+ <listitem><para><link linkend="NISHOMEDIR"><parameter>nis homedir</parameter></link></para></listitem>
+ <listitem><para><link linkend="NONUNIXACCOUNTRANGE"><parameter>non unix account range</parameter></link></para></listitem>
+ <listitem><para><link linkend="NTPIPESUPPORT"><parameter>nt pipe support</parameter></link></para></listitem>
+ <listitem><para><link linkend="NULLPASSWORDS"><parameter>null passwords</parameter></link></para></listitem>
+ <listitem><para><link linkend="OBEYPAMRESTRICTIONS"><parameter>obey pam restrictions</parameter></link></para></listitem>
+ <listitem><para><link linkend="OPLOCKBREAKWAITTIME"><parameter>oplock break wait time</parameter></link></para></listitem>
+ <listitem><para><link linkend="OSLEVEL"><parameter>os level</parameter></link></para></listitem>
+ <listitem><para><link linkend="OS2DRIVERMAP"><parameter>os2 driver map</parameter></link></para></listitem>
+ <listitem><para><link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link></para></listitem>
+ <listitem><para><link linkend="PANICACTION"><parameter>panic action</parameter></link></para></listitem>
+ <listitem><para><link linkend="PASSDBBACKEND"><parameter>passdb backend</parameter></link></para></listitem>
+ <listitem><para><link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link></para></listitem>
+ <listitem><para><link linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter></link></para></listitem>
+ <listitem><para><link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link></para></listitem>
+ <listitem><para><link linkend="PASSWORDLEVEL"><parameter>password level</parameter></link></para></listitem>
+ <listitem><para><link linkend="PASSWORDSERVER"><parameter>password server</parameter></link></para></listitem>
+ <listitem><para><link linkend="PREFEREDMASTER"><parameter>prefered master</parameter></link></para></listitem>
+ <listitem><para><link linkend="PREFERREDMASTER"><parameter>preferred master</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRELOAD"><parameter>preload</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTCAP"><parameter>printcap</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTCAPNAME"><parameter>printcap name</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTERDRIVERFILE"><parameter>printer driver file</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRIVATEDIR"><parameter>private dir</parameter></link></para></listitem>
+ <listitem><para><link linkend="PROTOCOL"><parameter>protocol</parameter></link></para></listitem>
+ <listitem><para><link linkend="READBMPX"><parameter>read bmpx</parameter></link></para></listitem>
+ <listitem><para><link linkend="READRAW"><parameter>read raw</parameter></link></para></listitem>
+ <listitem><para><link linkend="READSIZE"><parameter>read size</parameter></link></para></listitem>
+ <listitem><para><link linkend="REMOTEANNOUNCE"><parameter>remote announce</parameter></link></para></listitem>
+ <listitem><para><link linkend="REMOTEBROWSESYNC"><parameter>remote browse sync</parameter></link></para></listitem>
+ <listitem><para><link linkend="RESTRICTANONYMOUS"><parameter>restrict anonymous</parameter></link></para></listitem>
+ <listitem><para><link linkend="ROOT"><parameter>root</parameter></link></para></listitem>
+ <listitem><para><link linkend="ROOTDIR"><parameter>root dir</parameter></link></para></listitem>
+ <listitem><para><link linkend="ROOTDIRECTORY"><parameter>root directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="SECURITY"><parameter>security</parameter></link></para></listitem>
+ <listitem><para><link linkend="SERVERSTRING"><parameter>server string</parameter></link></para></listitem>
+ <listitem><para><link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para></listitem>
+ <listitem><para><link linkend="SHUTDOWNSCRIPT"><parameter>shutdown script</parameter></link></para></listitem>
+ <listitem><para><link linkend="SMBPASSWDFILE"><parameter>smb passwd file</parameter></link></para></listitem>
+ <listitem><para><link linkend="SOCKETADDRESS"><parameter>socket address</parameter></link></para></listitem>
+ <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem>
+ <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem>
+
+ <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem>
+ <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem>
+
+ <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem>
+ <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem>
+ <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem>
+ <listitem><para><link linkend="SYSLOG"><parameter>syslog</parameter></link></para></listitem>
+ <listitem><para><link linkend="SYSLOGONLY"><parameter>syslog only</parameter></link></para></listitem>
+ <listitem><para><link linkend="TEMPLATEHOMEDIR"><parameter>template homedir</parameter></link></para></listitem>
+ <listitem><para><link linkend="TEMPLATESHELL"><parameter>template shell</parameter></link></para></listitem>
+ <listitem><para><link linkend="TIMEOFFSET"><parameter>time offset</parameter></link></para></listitem>
+ <listitem><para><link linkend="TIMESERVER"><parameter>time server</parameter></link></para></listitem>
+ <listitem><para><link linkend="TIMESTAMPLOGS"><parameter>timestamp logs</parameter></link></para></listitem>
+ <listitem><para><link linkend="TOTALPRINTJOBS"><parameter>total print jobs</parameter></link></para></listitem>
+ <listitem><para><link linkend="UNIXEXTENSIONS"><parameter>unix extensions</parameter></link></para></listitem>
+ <listitem><para><link linkend="UNIXPASSWORDSYNC"><parameter>unix password sync</parameter></link></para></listitem>
+ <listitem><para><link linkend="UPDATEENCRYPTED"><parameter>update encrypted</parameter></link></para></listitem>
+ <listitem><para><link linkend="USEMMAP"><parameter>use mmap</parameter></link></para></listitem>
+ <listitem><para><link linkend="USERHOSTS"><parameter>use rhosts</parameter></link></para></listitem>
+ <listitem><para><link linkend="USERNAMELEVEL"><parameter>username level</parameter></link></para></listitem>
+ <listitem><para><link linkend="USERNAMEMAP"><parameter>username map</parameter></link></para></listitem>
+ <listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem>
+ <listitem><para><link linkend="UTMPDIRECTORY"><parameter>utmp directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDCACHETIME"><parameter>winbind cache time</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDENUMUSERS"><parameter>winbind enum users</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDENUMGROUPS"><parameter>winbind enum groups</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDGID"><parameter>winbind gid</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDSEPARATOR"><parameter>winbind separator</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDUID"><parameter>winbind uid</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDUSEDEFAULTDOMAIN"><parameter>winbind use default domain</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINSHOOK"><parameter>wins hook</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINSPROXY"><parameter>wins proxy</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINSSERVER"><parameter>wins server</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINSSUPPORT"><parameter>wins support</parameter></link></para></listitem>
+ <listitem><para><link linkend="WORKGROUP"><parameter>workgroup</parameter></link></para></listitem>
+ <listitem><para><link linkend="WRITERAW"><parameter>write raw</parameter></link></para></listitem>
+ </itemizedlist>
+
+</refsect1>
+
+<refsect1>
+ <title>COMPLETE LIST OF SERVICE PARAMETERS</title>
+
+ <para>Here is a list of all service parameters. See the section on
+ each parameter for details. Note that some are synonyms.</para>
+
+ <itemizedlist>
+ <listitem><para><link linkend="ADMINUSERS"><parameter>admin users</parameter></link></para></listitem>
+ <listitem><para><link linkend="ALLOWHOSTS"><parameter>allow hosts</parameter></link></para></listitem>
+ <listitem><para><link linkend="AVAILABLE"><parameter>available</parameter></link></para></listitem>
+ <listitem><para><link linkend="BLOCKINGLOCKS"><parameter>blocking locks</parameter></link></para></listitem>
+ <listitem><para><link linkend="BROWSABLE"><parameter>browsable</parameter></link></para></listitem>
+ <listitem><para><link linkend="BROWSEABLE"><parameter>browseable</parameter></link></para></listitem>
+ <listitem><para><link linkend="CASESENSITIVE"><parameter>case sensitive</parameter></link></para></listitem>
+ <listitem><para><link linkend="CASESIGNAMES"><parameter>casesignames</parameter></link></para></listitem>
+ <listitem><para><link linkend="COMMENT"><parameter>comment</parameter></link></para></listitem>
+ <listitem><para><link linkend="COPY"><parameter>copy</parameter></link></para></listitem>
+ <listitem><para><link linkend="CREATEMASK"><parameter>create mask</parameter></link></para></listitem>
+ <listitem><para><link linkend="CREATEMODE"><parameter>create mode</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEFAULTCASE"><parameter>default case</parameter></link></para></listitem>
+ <listitem><para><link linkend="DEFAULTDEVMODE"><parameter>default devmode</parameter></link></para></listitem>
+ <listitem><para><link linkend="DELETEREADONLY"><parameter>delete readonly</parameter></link></para></listitem>
+ <listitem><para><link linkend="DELETEVETOFILES"><parameter>delete veto files</parameter></link></para></listitem>
+ <listitem><para><link linkend="DENYHOSTS"><parameter>deny hosts</parameter></link></para></listitem>
+ <listitem><para><link linkend="DIRECTORY"><parameter>directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="DIRECTORYMASK"><parameter>directory mask</parameter></link></para></listitem>
+ <listitem><para><link linkend="DIRECTORYMODE"><parameter>directory mode</parameter></link></para></listitem>
+ <listitem><para><link linkend="DIRECTORYSECURITYMASK"><parameter>directory security mask</parameter></link></para></listitem>
+ <listitem><para><link linkend="DONTDESCEND"><parameter>dont descend</parameter></link></para></listitem>
+ <listitem><para><link linkend="DOSFILEMODE"><parameter>dos filemode</parameter></link></para></listitem>
+ <listitem><para><link linkend="DOSFILETIMERESOLUTION"><parameter>dos filetime resolution</parameter></link></para></listitem>
+ <listitem><para><link linkend="DOSFILETIMES"><parameter>dos filetimes</parameter></link></para></listitem>
+ <listitem><para><link linkend="EXEC"><parameter>exec</parameter></link></para></listitem>
+ <listitem><para><link linkend="FAKEDIRECTORYCREATETIMES"><parameter>fake directory create times</parameter></link></para></listitem>
+ <listitem><para><link linkend="FAKEOPLOCKS"><parameter>fake oplocks</parameter></link></para></listitem>
+ <listitem><para><link linkend="FOLLOWSYMLINKS"><parameter>follow symlinks</parameter></link></para></listitem>
+ <listitem><para><link linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link></para></listitem>
+ <listitem><para><link linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter></link></para></listitem>
+ <listitem><para><link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>force directory security mode</parameter></link></para></listitem>
+ <listitem><para><link linkend="FORCEGROUP"><parameter>force group</parameter></link></para></listitem>
+ <listitem><para><link linkend="FORCESECURITYMODE"><parameter>force security mode</parameter></link></para></listitem>
+ <listitem><para><link linkend="FORCEUSER"><parameter>force user</parameter></link></para></listitem>
+ <listitem><para><link linkend="FSTYPE"><parameter>fstype</parameter></link></para></listitem>
+ <listitem><para><link linkend="GROUP"><parameter>group</parameter></link></para></listitem>
+ <listitem><para><link linkend="GUESTACCOUNT"><parameter>guest account</parameter></link></para></listitem>
+ <listitem><para><link linkend="GUESTOK"><parameter>guest ok</parameter></link></para></listitem>
+ <listitem><para><link linkend="GUESTONLY"><parameter>guest only</parameter></link></para></listitem>
+ <listitem><para><link linkend="HIDEDOTFILES"><parameter>hide dot files</parameter></link></para></listitem>
+ <listitem><para><link linkend="HIDEFILES"><parameter>hide files</parameter></link></para></listitem>
+ <listitem><para><link linkend="HOSTSALLOW"><parameter>hosts allow</parameter></link></para></listitem>
+ <listitem><para><link linkend="HOSTSDENY"><parameter>hosts deny</parameter></link></para></listitem>
+ <listitem><para><link linkend="INCLUDE"><parameter>include</parameter></link></para></listitem>
+ <listitem><para><link linkend="INHERITPERMISSIONS"><parameter>inherit permissions</parameter></link></para></listitem>
+ <listitem><para><link linkend="INVALIDUSERS"><parameter>invalid users</parameter></link></para></listitem>
+ <listitem><para><link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks</parameter></link></para></listitem>
+ <listitem><para><link linkend="LOCKING"><parameter>locking</parameter></link></para></listitem>
+ <listitem><para><link linkend="LPPAUSECOMMAND"><parameter>lppause command</parameter></link></para></listitem>
+ <listitem><para><link linkend="LPQCOMMAND"><parameter>lpq command</parameter></link></para></listitem>
+ <listitem><para><link linkend="LPRESUMECOMMAND"><parameter>lpresume command</parameter></link></para></listitem>
+ <listitem><para><link linkend="LPRMCOMMAND"><parameter>lprm command</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAGICOUTPUT"><parameter>magic output</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAGICSCRIPT"><parameter>magic script</parameter></link></para></listitem>
+ <listitem><para><link linkend="MANGLECASE"><parameter>mangle case</parameter></link></para></listitem>
+ <listitem><para><link linkend="MANGLEDMAP"><parameter>mangled map</parameter></link></para></listitem>
+ <listitem><para><link linkend="MANGLEDNAMES"><parameter>mangled names</parameter></link></para></listitem>
+ <listitem><para><link linkend="MANGLINGCHAR"><parameter>mangling char</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAPARCHIVE"><parameter>map archive</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAPHIDDEN"><parameter>map hidden</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAPSYSTEM"><parameter>map system</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXCONNECTIONS"><parameter>max connections</parameter></link></para></listitem>
+ <listitem><para><link linkend="MAXPRINTJOBS"><parameter>max print jobs</parameter></link></para></listitem>
+ <listitem><para><link linkend="MINPRINTSPACE"><parameter>min print space</parameter></link></para></listitem>
+ <listitem><para><link linkend="MSDFSROOT"><parameter>msdfs root</parameter></link></para></listitem>
+ <listitem><para><link linkend="NTACLSUPPORT"><parameter>nt acl support</parameter></link></para></listitem>
+ <listitem><para><link linkend="ONLYGUEST"><parameter>only guest</parameter></link></para></listitem>
+ <listitem><para><link linkend="ONLYUSER"><parameter>only user</parameter></link></para></listitem>
+ <listitem><para><link linkend="OPLOCKCONTENTIONLIMIT"><parameter>oplock contention limit</parameter></link></para></listitem>
+ <listitem><para><link linkend="OPLOCKS"><parameter>oplocks</parameter></link></para></listitem>
+ <listitem><para><link linkend="PATH"><parameter>path</parameter></link></para></listitem>
+ <listitem><para><link linkend="POSIXLOCKING"><parameter>posix locking</parameter></link></para></listitem>
+ <listitem><para><link linkend="POSTEXEC"><parameter>postexec</parameter></link></para></listitem>
+ <listitem><para><link linkend="POSTSCRIPT"><parameter>postscript</parameter></link></para></listitem>
+ <listitem><para><link linkend="PREEXEC"><parameter>preexec</parameter></link></para></listitem>
+ <listitem><para><link linkend="PREEXECCLOSE"><parameter>preexec close</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRESERVECASE"><parameter>preserve case</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTCOMMAND"><parameter>print command</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTOK"><parameter>print ok</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTABLE"><parameter>printable</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTER"><parameter>printer</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTERADMIN"><parameter>printer admin</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTERDRIVER"><parameter>printer driver</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTERDRIVERLOCATION"><parameter>printer driver location</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTERNAME"><parameter>printer name</parameter></link></para></listitem>
+ <listitem><para><link linkend="PRINTING"><parameter>printing</parameter></link></para></listitem>
+ <listitem><para><link linkend="PUBLIC"><parameter>public</parameter></link></para></listitem>
+ <listitem><para><link linkend="QUEUEPAUSECOMMAND"><parameter>queuepause command</parameter></link></para></listitem>
+ <listitem><para><link linkend="QUEUERESUMECOMMAND"><parameter>queueresume command</parameter></link></para></listitem>
+ <listitem><para><link linkend="READLIST"><parameter>read list</parameter></link></para></listitem>
+ <listitem><para><link linkend="READONLY"><parameter>read only</parameter></link></para></listitem>
+ <listitem><para><link linkend="ROOTPOSTEXEC"><parameter>root postexec</parameter></link></para></listitem>
+ <listitem><para><link linkend="ROOTPREEXEC"><parameter>root preexec</parameter></link></para></listitem>
+ <listitem><para><link linkend="ROOTPREEXECCLOSE"><parameter>root preexec close</parameter></link></para></listitem>
+ <listitem><para><link linkend="SECURITYMASK"><parameter>security mask</parameter></link></para></listitem>
+ <listitem><para><link linkend="SETDIRECTORY"><parameter>set directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="SHORTPRESERVECASE"><parameter>short preserve case</parameter></link></para></listitem>
+ <listitem><para><link linkend="STATUS"><parameter>status</parameter></link></para></listitem>
+ <listitem><para><link linkend="STRICTALLOCATE"><parameter>strict allocate</parameter></link></para></listitem>
+ <listitem><para><link linkend="STRICTLOCKING"><parameter>strict locking</parameter></link></para></listitem>
+ <listitem><para><link linkend="STRICTSYNC"><parameter>strict sync</parameter></link></para></listitem>
+ <listitem><para><link linkend="SYNCALWAYS"><parameter>sync always</parameter></link></para></listitem>
+ <listitem><para><link linkend="USECLIENTDRIVER"><parameter>use client driver</parameter></link></para></listitem>
+ <listitem><para><link linkend="USER"><parameter>user</parameter></link></para></listitem>
+ <listitem><para><link linkend="USERNAME"><parameter>username</parameter></link></para></listitem>
+ <listitem><para><link linkend="USERS"><parameter>users</parameter></link></para></listitem>
+ <listitem><para><link linkend="VALIDUSERS"><parameter>valid users</parameter></link></para></listitem>
+ <listitem><para><link linkend="VETOFILES"><parameter>veto files</parameter></link></para></listitem>
+ <listitem><para><link linkend="VETOOPLOCKFILES"><parameter>veto oplock files</parameter></link></para></listitem>
+ <listitem><para><link linkend="VFSOBJECT"><parameter>vfs object</parameter></link></para></listitem>
+ <listitem><para><link linkend="VFSOPTIONS"><parameter>vfs options</parameter></link></para></listitem>
+ <listitem><para><link linkend="VOLUME"><parameter>volume</parameter></link></para></listitem>
+ <listitem><para><link linkend="WIDELINKS"><parameter>wide links</parameter></link></para></listitem>
+ <listitem><para><link linkend="WRITABLE"><parameter>writable</parameter></link></para></listitem>
+ <listitem><para><link linkend="WRITECACHESIZE"><parameter>write cache size</parameter></link></para></listitem>
+ <listitem><para><link linkend="WRITELIST"><parameter>write list</parameter></link></para></listitem>
+ <listitem><para><link linkend="WRITEOK"><parameter>write ok</parameter></link></para></listitem>
+ <listitem><para><link linkend="WRITEABLE"><parameter>writeable</parameter></link></para></listitem>
+ </itemizedlist>
+
+</refsect1>
+
+<refsect1>
+ <title>EXPLANATION OF EACH PARAMETER</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><anchor id="ABORTSHUTDOWNSCRIPT">abort shutdown script (G)</term>
+ <listitem><para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis>
+ This a full path name to a script called by
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> that
+ should stop a shutdown procedure issued by the <link
+ linkend="SHUTDOWNSCRIPT"><parameter>shutdown script</parameter></link>.</para>
+
+ <para>This command will be run as user.</para>
+
+ <para>Default: <emphasis>None</emphasis>.</para>
+ <para>Example: <command>abort shutdown script = /sbin/shutdown -c</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="ADDPRINTERCOMMAND">add printer command (G)</term>
+ <listitem><para>With the introduction of MS-RPC based printing
+ support for Windows NT/2000 clients in Samba 2.2, The MS Add
+ Printer Wizard (APW) icon is now also available in the
+ "Printers..." folder displayed a share listing. The APW
+ allows for printers to be add remotely to a Samba or Windows
+ NT/2000 print server.</para>
+
+ <para>For a Samba host this means that the printer must be
+ physically added to the underlying printing system. The <parameter>add
+ printer command</parameter> defines a script to be run which
+ will perform the necessary operations for adding the printer
+ to the print system and to add the appropriate service definition
+ to the <filename>smb.conf</filename> file in order that it can be
+ shared by <ulink url="smbd.8.html"><command>smbd(8)</command>
+ </ulink>.</para>
+
+ <para>The <parameter>add printer command</parameter> is
+ automatically invoked with the following parameter (in
+ order:</para>
+
+ <itemizedlist>
+ <listitem><para><parameter>printer name</parameter></para></listitem>
+ <listitem><para><parameter>share name</parameter></para></listitem>
+ <listitem><para><parameter>port name</parameter></para></listitem>
+ <listitem><para><parameter>driver name</parameter></para></listitem>
+ <listitem><para><parameter>location</parameter></para></listitem>
+ <listitem><para><parameter>Windows 9x driver location</parameter>
+ </para></listitem>
+ </itemizedlist>
+
+ <para>All parameters are filled in from the PRINTER_INFO_2 structure sent
+ by the Windows NT/2000 client with one exception. The "Windows 9x
+ driver location" parameter is included for backwards compatibility
+ only. The remaining fields in the structure are generated from answers
+ to the APW questions.</para>
+
+ <para>Once the <parameter>add printer command</parameter> has
+ been executed, <command>smbd</command> will reparse the <filename>
+ smb.conf</filename> to determine if the share defined by the APW
+ exists. If the sharename is still invalid, then <command>smbd
+ </command> will return an ACCESS_DENIED error to the client.</para>
+
+ <para>See also <link linkend="DELETEPRINTERCOMMAND"><parameter>
+ delete printer command</parameter></link>, <link
+ linkend="printing"><parameter>printing</parameter></link>,
+ <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add
+ printer wizard</parameter></link></para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>addprinter command = /usr/bin/addprinter
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ADDSHARECOMMAND">add share command (G)</term>
+ <listitem><para>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <parameter>add share command</parameter> is used to define an
+ external program or script which will add a new service definition
+ to <filename>smb.conf</filename>. In order to successfully
+ execute the <parameter>add share command</parameter>, <command>smbd</command>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </para>
+
+ <para>
+ When executed, <command>smbd</command> will automatically invoke the
+ <parameter>add share command</parameter> with four parameters.
+ </para>
+
+ <itemizedlist>
+ <listitem><para><parameter>configFile</parameter> - the location
+ of the global <filename>smb.conf</filename> file.
+ </para></listitem>
+
+ <listitem><para><parameter>shareName</parameter> - the name of the new
+ share.
+ </para></listitem>
+
+ <listitem><para><parameter>pathName</parameter> - path to an **existing**
+ directory on disk.
+ </para></listitem>
+
+ <listitem><para><parameter>comment</parameter> - comment string to associate
+ with the new share.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ This parameter is only used for add file shares. To add printer shares,
+ see the <link linkend="ADDPRINTERCOMMAND"><parameter>add printer
+ command</parameter></link>.
+ </para>
+
+ <para>
+ See also <link linkend="CHANGESHARECOMMAND"><parameter>change share
+ command</parameter></link>, <link linkend="DELETESHARECOMMAND"><parameter>delete share
+ command</parameter></link>.
+ </para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>add share command = /usr/local/bin/addshare</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ADDMACHINESCRIPT">add machine script (G)</term>
+ <listitem><para>This is the full pathname to a script that will
+ be run by <ulink url="smbd.8.html">smbd(8)</ulink> when a machine is added
+ to it's domain using the administrator username and password method. </para>
+
+ <para>This option is only required when using sam back-ends tied to the
+ Unix uid method of RID calculation such as smbpasswd. This option is only
+ available in Samba 3.0.</para>
+
+ <para>Default: <command>add machine script = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="ADDUSERSCRIPT">add user script (G)</term>
+ <listitem><para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">smbd(8)
+ </ulink> under special circumstances described below.</para>
+
+ <para>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <ulink
+ url="smbd.8.html">smbd</ulink> to create the required UNIX users
+ <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para>
+
+ <para>In order to use this option, <ulink url="smbd.8.html">smbd</ulink>
+ must <emphasis>NOT</emphasis> be set to <parameter>security = share</parameter>
+ and <parameter>add user script</parameter>
+ must be set to a full pathname for a script that will create a UNIX
+ user given one argument of <parameter>%u</parameter>, which expands into
+ the UNIX user name to create.</para>
+
+ <para>When the Windows user attempts to access the Samba server,
+ at login (session setup in the SMB protocol) time, <ulink url="smbd.8.html">
+ smbd</ulink> contacts the <parameter>password server</parameter> and
+ attempts to authenticate the given user with the given password. If the
+ authentication succeeds then <command>smbd</command>
+ attempts to find a UNIX user in the UNIX password database to map the
+ Windows user into. If this lookup fails, and <parameter>add user script
+ </parameter> is set then <command>smbd</command> will
+ call the specified script <emphasis>AS ROOT</emphasis>, expanding
+ any <parameter>%u</parameter> argument to be the user name to create.</para>
+
+ <para>If this script successfully creates the user then <command>smbd
+ </command> will continue on as though the UNIX user
+ already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.</para>
+
+ <para>See also <link linkend="SECURITY"><parameter>
+ security</parameter></link>, <link linkend="PASSWORDSERVER">
+ <parameter>password server</parameter></link>,
+ <link linkend="DELETEUSERSCRIPT"><parameter>delete user
+ script</parameter></link>.</para>
+
+ <para>Default: <command>add user script = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>add user script = /usr/local/samba/bin/add_user
+ %u</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ADMINUSERS">admin users (S)</term>
+ <listitem><para>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</para>
+
+ <para>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</para>
+
+ <para>Default: <emphasis>no admin users</emphasis></para>
+
+ <para>Example: <command>admin users = jason</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ALLOWHOSTS">allow hosts (S)</term>
+ <listitem><para>Synonym for <link linkend="HOSTSALLOW">
+ <parameter>hosts allow</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ALLOWTRUSTEDDOMAINS">allow trusted domains (G)</term>
+ <listitem><para>This option only takes effect when the <link
+ linkend="SECURITY"><parameter>security</parameter></link> option is set to
+ <constant>server</constant> or <constant>domain</constant>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</para>
+
+ <para>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</para>
+
+ <para>Default: <command>allow trusted domains = yes</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ANNOUNCEAS">announce as (G)</term>
+ <listitem><para>This specifies what type of server
+ <ulink url="nmbd.8.html"><command>nmbd</command></ulink>
+ will announce itself as, to a network neighborhood browse
+ list. By default this is set to Windows NT. The valid options
+ are : "NT Server" (which can also be written as "NT"),
+ "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
+ Windows NT Workstation, Windows 95 and Windows for Workgroups
+ respectively. Do not change this parameter unless you have a
+ specific need to stop Samba appearing as an NT server as this
+ may prevent Samba servers from participating as browser servers
+ correctly.</para>
+
+ <para>Default: <command>announce as = NT Server</command></para>
+
+ <para>Example: <command>announce as = Win95</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ANNOUNCEVERSION">announce version (G)</term>
+ <listitem><para>This specifies the major and minor version numbers
+ that nmbd will use when announcing itself as a server. The default
+ is 4.2. Do not change this parameter unless you have a specific
+ need to set a Samba server to be a downlevel server.</para>
+
+ <para>Default: <command>announce version = 4.5</command></para>
+
+ <para>Example: <command>announce version = 2.0</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="AUTOSERVICES">auto services (G)</term>
+ <listitem><para>This is a synonym for the <link linkend="PRELOAD">
+ <parameter>preload</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="AUTHMETHODS">auth methods (G)</term>
+ <listitem><para>This option allows the administrator to chose what
+ authentication methods <command>smbd</command> will use when authenticating
+ a user. This option defaults to sensible values based on <link linkend="SECURITY"><parameter>
+ security</parameter></link>.
+
+ Each entry in the list attempts to authenticate the user in turn, until
+ the user authenticates. In practice only one method will ever actually
+ be able to complete the authentication.
+ </para>
+
+ <para>Default: <command>auth methods = &lt;empty string&gt;</command></para>
+ <para>Example: <command>auth methods = guest sam ntdomain</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="AVAILABLE">available (S)</term>
+ <listitem><para>This parameter lets you "turn off" a service. If
+ <parameter>available = no</parameter>, then <emphasis>ALL</emphasis>
+ attempts to connect to the service will fail. Such failures are
+ logged.</para>
+
+ <para>Default: <command>available = yes</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BINDINTERFACESONLY">bind interfaces only (G)</term>
+ <listitem><para>This global parameter allows the Samba admin
+ to limit what interfaces on a machine will serve SMB requests. If
+ affects file service <ulink url="smbd.8.html">smbd(8)</ulink> and
+ name service <ulink url="nmbd.8.html">nmbd(8)</ulink> in slightly
+ different ways.</para>
+
+ <para>For name service it causes <command>nmbd</command> to bind
+ to ports 137 and 138 on the interfaces listed in the <link
+ linkend="INTERFACES">interfaces</link> parameter. <command>nmbd
+ </command> also binds to the "all addresses" interface (0.0.0.0)
+ on ports 137 and 138 for the purposes of reading broadcast messages.
+ If this option is not set then <command>nmbd</command> will service
+ name requests on all of these sockets. If <parameter>bind interfaces
+ only</parameter> is set then <command>nmbd</command> will check the
+ source address of any packets coming in on the broadcast sockets
+ and discard any that don't match the broadcast addresses of the
+ interfaces in the <parameter>interfaces</parameter> parameter list.
+ As unicast packets are received on the other sockets it allows
+ <command>nmbd</command> to refuse to serve names to machines that
+ send packets that arrive through any interfaces not listed in the
+ <parameter>interfaces</parameter> list. IP Source address spoofing
+ does defeat this simple check, however so it must not be used
+ seriously as a security feature for <command>nmbd</command>.</para>
+
+ <para>For file service it causes <ulink url="smbd.8.html">smbd(8)</ulink>
+ to bind only to the interface list given in the <link linkend="INTERFACES">
+ interfaces</link> parameter. This restricts the networks that
+ <command>smbd</command> will serve to packets coming in those
+ interfaces. Note that you should not use this parameter for machines
+ that are serving PPP or other intermittent or non-broadcast network
+ interfaces as it will not cope with non-permanent interfaces.</para>
+
+ <para>If <parameter>bind interfaces only</parameter> is set then
+ unless the network address <emphasis>127.0.0.1</emphasis> is added
+ to the <parameter>interfaces</parameter> parameter list <ulink
+ url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>
+ and <ulink url="swat.8.html"><command>swat(8)</command></ulink> may
+ not work as expected due to the reasons covered below.</para>
+
+ <para>To change a users SMB password, the <command>smbpasswd</command>
+ by default connects to the <emphasis>localhost - 127.0.0.1</emphasis>
+ address as an SMB client to issue the password change request. If
+ <parameter>bind interfaces only</parameter> is set then unless the
+ network address <emphasis>127.0.0.1</emphasis> is added to the
+ <parameter>interfaces</parameter> parameter list then <command>
+ smbpasswd</command> will fail to connect in it's default mode.
+ <command>smbpasswd</command> can be forced to use the primary IP interface
+ of the local host by using its <ulink url="smbpasswd.8.html#minusr">
+ <parameter>-r <replaceable>remote machine</replaceable></parameter>
+ </ulink> parameter, with <replaceable>remote machine</replaceable> set
+ to the IP name of the primary interface of the local host.</para>
+
+ <para>The <command>swat</command> status page tries to connect with
+ <command>smbd</command> and <command>nmbd</command> at the address
+ <emphasis>127.0.0.1</emphasis> to determine if they are running.
+ Not adding <emphasis>127.0.0.1</emphasis> will cause <command>
+ smbd</command> and <command>nmbd</command> to always show
+ "not running" even if they really are. This can prevent <command>
+ swat</command> from starting/stopping/restarting <command>smbd</command>
+ and <command>nmbd</command>.</para>
+
+ <para>Default: <command>bind interfaces only = no</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BLOCKINGLOCKS">blocking locks (S)</term>
+ <listitem><para>This parameter controls the behavior of <ulink
+ url="smbd.8.html">smbd(8)</ulink> when given a request by a client
+ to obtain a byte range lock on a region of an open file, and the
+ request has a time limit associated with it.</para>
+
+ <para>If this parameter is set and the lock range requested
+ cannot be immediately satisfied, Samba 2.2 will internally
+ queue the lock request, and periodically attempt to obtain
+ the lock until the timeout period expires.</para>
+
+ <para>If this parameter is set to <constant>false</constant>, then
+ Samba 2.2 will behave as previous versions of Samba would and
+ will fail the lock request immediately if the lock range
+ cannot be obtained.</para>
+
+ <para>Default: <command>blocking locks = yes</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BROWSABLE">browsable (S)</term>
+ <listitem><para>See the <link linkend="BROWSEABLE"><parameter>
+ browseable</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BROWSELIST">browse list (G)</term>
+ <listitem><para>This controls whether <ulink url="smbd.8.html">
+ <command>smbd(8)</command></ulink> will serve a browse list to
+ a client doing a <command>NetServerEnum</command> call. Normally
+ set to <constant>true</constant>. You should never need to change
+ this.</para>
+
+ <para>Default: <command>browse list = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="BROWSEABLE">browseable (S)</term>
+ <listitem><para>This controls whether this share is seen in
+ the list of available shares in a net view and in the browse list.</para>
+
+ <para>Default: <command>browseable = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CASESENSITIVE">case sensitive (S)</term>
+ <listitem><para>See the discussion in the section <link
+ linkend="NAMEMANGLINGSECT">NAME MANGLING</link>.</para>
+
+ <para>Default: <command>case sensitive = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CASESIGNAMES">casesignames (S)</term>
+ <listitem><para>Synonym for <link linkend="CASESENSITIVE">case
+ sensitive</link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CHANGENOTIFYTIMEOUT">change notify timeout (G)</term>
+ <listitem><para>This SMB allows a client to tell a server to
+ "watch" a particular directory for any changes and only reply to
+ the SMB request when a change has occurred. Such constant scanning of
+ a directory is expensive under UNIX, hence an <ulink url="smbd.8.html">
+ <command>smbd(8)</command></ulink> daemon only performs such a scan
+ on each requested directory once every <parameter>change notify
+ timeout</parameter> seconds.</para>
+
+ <para>Default: <command>change notify timeout = 60</command></para>
+ <para>Example: <command>change notify timeout = 300</command></para>
+
+ <para>Would change the scan time to every 5 minutes.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CHANGESHARECOMMAND">change share command (G)</term>
+ <listitem><para>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <parameter>change share command</parameter> is used to define an
+ external program or script which will modify an existing service definition
+ in <filename>smb.conf</filename>. In order to successfully
+ execute the <parameter>change share command</parameter>, <command>smbd</command>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </para>
+
+ <para>
+ When executed, <command>smbd</command> will automatically invoke the
+ <parameter>change share command</parameter> with four parameters.
+ </para>
+
+ <itemizedlist>
+ <listitem><para><parameter>configFile</parameter> - the location
+ of the global <filename>smb.conf</filename> file.
+ </para></listitem>
+
+ <listitem><para><parameter>shareName</parameter> - the name of the new
+ share.
+ </para></listitem>
+
+ <listitem><para><parameter>pathName</parameter> - path to an **existing**
+ directory on disk.
+ </para></listitem>
+
+ <listitem><para><parameter>comment</parameter> - comment string to associate
+ with the new share.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ This parameter is only used modify existing file shares definitions. To modify
+ printer shares, use the "Printers..." folder as seen when browsing the Samba host.
+ </para>
+
+ <para>
+ See also <link linkend="ADDSHARECOMMAND"><parameter>add share
+ command</parameter></link>, <link linkend="DELETESHARECOMMAND"><parameter>delete
+ share command</parameter></link>.
+ </para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>change share command = /usr/local/bin/addshare</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="COMMENT">comment (S)</term>
+ <listitem><para>This is a text field that is seen next to a share
+ when a client does a queries the server, either via the network
+ neighborhood or via <command>net view</command> to list what shares
+ are available.</para>
+
+ <para>If you want to set the string that is displayed next to the
+ machine name then see the <link linkend="SERVERSTRING"><parameter>
+ server string</parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>No comment string</emphasis></para>
+ <para>Example: <command>comment = Fred's Files</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CONFIGFILE">config file (G)</term>
+ <listitem><para>This allows you to override the config file
+ to use, instead of the default (usually <filename>smb.conf</filename>).
+ There is a chicken and egg problem here as this option is set
+ in the config file!</para>
+
+ <para>For this reason, if the name of the config file has changed
+ when the parameters are loaded then it will reload them from
+ the new config file.</para>
+
+ <para>This option takes the usual substitutions, which can
+ be very useful.</para>
+
+ <para>If the config file doesn't exist then it won't be loaded
+ (allowing you to special case the config files of just a few
+ clients).</para>
+
+ <para>Example: <command>config file = /usr/local/samba/lib/smb.conf.%m
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="COPY">copy (S)</term>
+ <listitem><para>This parameter allows you to "clone" service
+ entries. The specified service is simply duplicated under the
+ current service's name. Any parameters specified in the current
+ section will override those in the section being copied.</para>
+
+ <para>This feature lets you set up a 'template' service and
+ create similar services easily. Note that the service being
+ copied must occur earlier in the configuration file than the
+ service doing the copying.</para>
+
+ <para>Default: <emphasis>no value</emphasis></para>
+ <para>Example: <command>copy = otherservice</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CREATEMASK">create mask (S)</term>
+ <listitem><para>A synonym for this parameter is
+ <link linkend="CREATEMODE"><parameter>create mode</parameter>
+ </link>.</para>
+
+ <para>When a file is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX
+ permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
+ with this parameter. This parameter may be thought of as a bit-wise
+ MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
+ set here will be removed from the modes set on a file when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the
+ 'group' and 'other' write and execute bits from the UNIX modes.</para>
+
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode created
+ from this parameter with the value of the <link
+ linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link>
+ parameter which is set to 000 by default.</para>
+
+ <para>This parameter does not affect directory modes. See the
+ parameter <link linkend="DIRECTORYMODE"><parameter>directory mode
+ </parameter></link> for details.</para>
+
+ <para>See also the <link linkend="FORCECREATEMODE"><parameter>force
+ create mode</parameter></link> parameter for forcing particular mode
+ bits to be set on created files. See also the <link linkend="DIRECTORYMODE">
+ <parameter>directory mode</parameter></link> parameter for masking
+ mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS">
+ <parameter>inherit permissions</parameter></link> parameter.</para>
+
+ <para>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <link
+ linkend="SECURITYMASK"><parameter>security mask</parameter></link>.</para>
+
+ <para>Default: <command>create mask = 0744</command></para>
+ <para>Example: <command>create mask = 0775</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="CREATEMODE">create mode (S)</term>
+ <listitem><para>This is a synonym for <link linkend="CREATEMASK"><parameter>
+ create mask</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEADTIME">deadtime (G)</term>
+ <listitem><para>The value of the parameter (a decimal integer)
+ represents the number of minutes of inactivity before a connection
+ is considered dead, and it is disconnected. The deadtime only takes
+ effect if the number of open files is zero.</para>
+
+ <para>This is useful to stop a server's resources being
+ exhausted by a large number of inactive connections.</para>
+
+ <para>Most clients have an auto-reconnect feature when a
+ connection is broken so in most cases this parameter should be
+ transparent to users.</para>
+
+ <para>Using this parameter with a timeout of a few minutes
+ is recommended for most systems.</para>
+
+ <para>A deadtime of zero indicates that no auto-disconnection
+ should be performed.</para>
+
+ <para>Default: <command>deadtime = 0</command></para>
+ <para>Example: <command>deadtime = 15</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGHIRESTIMESTAMP">debug hires timestamp (G)</term>
+ <listitem><para>Sometimes the timestamps in the log messages
+ are needed with a resolution of higher that seconds, this
+ boolean parameter adds microsecond resolution to the timestamp
+ message header when turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command>debug hires timestamp = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGPID">debug pid (G)</term>
+ <listitem><para>When using only one log file for more then one
+ forked <ulink url="smbd.8.html">smbd</ulink>-process there may be hard to follow which process
+ outputs which message. This boolean parameter is adds the process-id
+ to the timestamp message headers in the logfile when turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command>debug pid = no</command></para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGTIMESTAMP">debug timestamp (G)</term>
+ <listitem><para>Samba 2.2 debug log messages are timestamped
+ by default. If you are running at a high <link linkend="DEBUGLEVEL">
+ <parameter>debug level</parameter></link> these timestamps
+ can be distracting. This boolean parameter allows timestamping
+ to be turned off.</para>
+
+ <para>Default: <command>debug timestamp = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGUID">debug uid (G)</term>
+ <listitem><para>Samba is sometimes run as root and sometime
+ run as the connected user, this boolean parameter inserts the
+ current euid, egid, uid and gid to the timestamp message headers
+ in the log file if turned on.</para>
+
+ <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link> must be on for this to have an
+ effect.</para>
+
+ <para>Default: <command>debug uid = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEBUGLEVEL">debuglevel (G)</term>
+ <listitem><para>Synonym for <link linkend="LOGLEVEL"><parameter>
+ log level</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEFAULT">default (G)</term>
+ <listitem><para>A synonym for <link linkend="DEFAULTSERVICE"><parameter>
+ default service</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEFAULTCASE">default case (S)</term>
+ <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING</link>. Also note the <link linkend="SHORTPRESERVECASE">
+ <parameter>short preserve case</parameter></link> parameter.</para>
+
+ <para>Default: <command>default case = lower</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEFAULTDEVMODE">default devmode (S)</term>
+ <listitem><para>This parameter is only applicable to <link
+ linkend="PRINTOK">printable</link> services. When smbd is serving
+ Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
+ server has a Device Mode which defines things such as paper size and
+ orientation and duplex settings. The device mode can only correctly be
+ generated by the printer driver itself (which can only be executed on a
+ Win32 platform). Because smbd is unable to execute the driver code
+ to generate the device mode, the default behavior is to set this field
+ to NULL.
+ </para>
+
+ <para>Most problems with serving printer drivers to Windows NT/2k/XP clients
+ can be traced to a problem with the generated device mode. Certain drivers
+ will do things such as crashing the client's Explorer.exe with a NULL devmode.
+ However, other printer drivers can cause the client's spooler service
+ (spoolsv.exe) to die if the devmode was not created by the driver itself
+ (i.e. smbd generates a default devmode).
+ </para>
+
+ <para>This parameter should be used with care and tested with the printer
+ driver in question. It is better to leave the device mode to NULL
+ and let the Windows client set the correct values. Because drivers do not
+ do this all the time, setting <command>default devmode = yes</command>
+ will instruct smbd to generate a default one.
+ </para>
+
+ <para>For more information on Windows NT/2k printing and Device Modes,
+ see the <ulink url="http://msdn.microsoft.com/">MSDN documentation</ulink>.
+ </para>
+
+ <para>Default: <command>default devmode = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DEFAULTSERVICE">default service (G)</term>
+ <listitem><para>This parameter specifies the name of a service
+ which will be connected to if the service actually requested cannot
+ be found. Note that the square brackets are <emphasis>NOT</emphasis>
+ given in the parameter value (see example below).</para>
+
+ <para>There is no default value for this parameter. If this
+ parameter is not given, attempting to connect to a nonexistent
+ service results in an error.</para>
+
+ <para>Typically the default service would be a <link linkend="GUESTOK">
+ <parameter>guest ok</parameter></link>, <link linkend="READONLY">
+ <parameter>read-only</parameter></link> service.</para>
+
+ <para>Also note that the apparent service name will be changed
+ to equal that of the requested service, this is very useful as it
+ allows you to use macros like <parameter>%S</parameter> to make
+ a wildcard service.</para>
+
+ <para>Note also that any "_" characters in the name of the service
+ used in the default service will get mapped to a "/". This allows for
+ interesting things.</para>
+
+
+ <para>Example:</para>
+
+ <para><programlisting>
+[global]
+ default service = pub
+
+[pub]
+ path = /%S
+ </programlisting></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETEPRINTERCOMMAND">delete printer command (G)</term>
+ <listitem><para>With the introduction of MS-RPC based printer
+ support for Windows NT/2000 clients in Samba 2.2, it is now
+ possible to delete printer at run time by issuing the
+ DeletePrinter() RPC call.</para>
+
+ <para>For a Samba host this means that the printer must be
+ physically deleted from underlying printing system. The <parameter>
+ deleteprinter command</parameter> defines a script to be run which
+ will perform the necessary operations for removing the printer
+ from the print system and from <filename>smb.conf</filename>.
+ </para>
+
+ <para>The <parameter>delete printer command</parameter> is
+ automatically called with only one parameter: <parameter>
+ "printer name"</parameter>.</para>
+
+
+ <para>Once the <parameter>delete printer command</parameter> has
+ been executed, <command>smbd</command> will reparse the <filename>
+ smb.conf</filename> to associated printer no longer exists.
+ If the sharename is still valid, then <command>smbd
+ </command> will return an ACCESS_DENIED error to the client.</para>
+
+ <para>See also <link linkend="ADDPRINTERCOMMAND"><parameter>
+ add printer command</parameter></link>, <link
+ linkend="printing"><parameter>printing</parameter></link>,
+ <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add
+ printer wizard</parameter></link></para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>deleteprinter command = /usr/bin/removeprinter
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETEREADONLY">delete readonly (S)</term>
+ <listitem><para>This parameter allows readonly files to be deleted.
+ This is not normal DOS semantics, but is allowed by UNIX.</para>
+
+ <para>This option may be useful for running applications such
+ as rcs, where UNIX file ownership prevents changing file
+ permissions, and DOS semantics prevent deletion of a read only file.</para>
+
+ <para>Default: <command>delete readonly = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETESHARECOMMAND">delete share command (G)</term>
+ <listitem><para>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <parameter>delete share command</parameter> is used to define an
+ external program or script which will remove an existing service
+ definition from <filename>smb.conf</filename>. In order to successfully
+ execute the <parameter>delete share command</parameter>, <command>smbd</command>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </para>
+
+ <para>
+ When executed, <command>smbd</command> will automatically invoke the
+ <parameter>delete share command</parameter> with two parameters.
+ </para>
+
+ <itemizedlist>
+ <listitem><para><parameter>configFile</parameter> - the location
+ of the global <filename>smb.conf</filename> file.
+ </para></listitem>
+
+ <listitem><para><parameter>shareName</parameter> - the name of
+ the existing service.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ This parameter is only used to remove file shares. To delete printer shares,
+ see the <link linkend="DELETEPRINTERCOMMAND"><parameter>delete printer
+ command</parameter></link>.
+ </para>
+
+ <para>
+ See also <link linkend="ADDSHARECOMMAND"><parameter>add share
+ command</parameter></link>, <link linkend="CHANGESHARECOMMAND"><parameter>change
+ share command</parameter></link>.
+ </para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>delete share command = /usr/local/bin/delshare</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETEUSERSCRIPT">delete user script (G)</term>
+ <listitem><para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">
+ <command>smbd(8)</command></ulink> under special circumstances
+ described below.</para>
+
+ <para>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <command>
+ smbd</command> to delete the required UNIX users <emphasis>ON
+ DEMAND</emphasis> when a user accesses the Samba server and the
+ Windows NT user no longer exists.</para>
+
+ <para>In order to use this option, <command>smbd</command> must be
+ set to <parameter>security = domain</parameter> or <parameter>security =
+ user</parameter> and <parameter>delete user script</parameter>
+ must be set to a full pathname for a script
+ that will delete a UNIX user given one argument of <parameter>%u</parameter>,
+ which expands into the UNIX user name to delete.</para>
+
+ <para>When the Windows user attempts to access the Samba server,
+ at <emphasis>login</emphasis> (session setup in the SMB protocol)
+ time, <command>smbd</command> contacts the <link linkend="PASSWORDSERVER">
+ <parameter>password server</parameter></link> and attempts to authenticate
+ the given user with the given password. If the authentication fails
+ with the specific Domain error code meaning that the user no longer
+ exists then <command>smbd</command> attempts to find a UNIX user in
+ the UNIX password database that matches the Windows user account. If
+ this lookup succeeds, and <parameter>delete user script</parameter> is
+ set then <command>smbd</command> will all the specified script
+ <emphasis>AS ROOT</emphasis>, expanding any <parameter>%u</parameter>
+ argument to be the user name to delete.</para>
+
+ <para>This script should delete the given UNIX username. In this way,
+ UNIX users are dynamically deleted to match existing Windows NT
+ accounts.</para>
+
+ <para>See also <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>,
+ <link linkend="PASSWORDSERVER"><parameter>password server</parameter>
+ </link>, <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter>
+ </link>.</para>
+
+ <para>Default: <command>delete user script = &lt;empty string&gt;
+ </command></para>
+ <para>Example: <command>delete user script = /usr/local/samba/bin/del_user
+ %u</command></para></listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DELETEVETOFILES">delete veto files (S)</term>
+ <listitem><para>This option is used when Samba is attempting to
+ delete a directory that contains one or more vetoed directories
+ (see the <link linkend="VETOFILES"><parameter>veto files</parameter></link>
+ option). If this option is set to <constant>false</constant> (the default) then if a vetoed
+ directory contains any non-vetoed files or directories then the
+ directory delete will fail. This is usually what you want.</para>
+
+ <para>If this option is set to <constant>true</constant>, then Samba
+ will attempt to recursively delete any files and directories within
+ the vetoed directory. This can be useful for integration with file
+ serving systems such as NetAtalk which create meta-files within
+ directories you might normally veto DOS/Windows users from seeing
+ (e.g. <filename>.AppleDouble</filename>)</para>
+
+ <para>Setting <command>delete veto files = yes</command> allows these
+ directories to be transparently deleted when the parent directory
+ is deleted (so long as the user has permissions to do so).</para>
+
+ <para>See also the <link linkend="VETOFILES"><parameter>veto
+ files</parameter></link> parameter.</para>
+
+ <para>Default: <command>delete veto files = no</command></para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DENYHOSTS">deny hosts (S)</term>
+ <listitem><para>Synonym for <link linkend="HOSTSDENY"><parameter>hosts
+ deny</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DFREECOMMAND">dfree command (G)</term>
+ <listitem><para>The <parameter>dfree command</parameter> setting should
+ only be used on systems where a problem occurs with the internal
+ disk space calculations. This has been known to happen with Ultrix,
+ but may occur with other operating systems. The symptom that was
+ seen was an error of "Abort Retry Ignore" at the end of each
+ directory listing.</para>
+
+ <para>This setting allows the replacement of the internal routines to
+ calculate the total disk space and amount available with an external
+ routine. The example below gives a possible script that might fulfill
+ this function.</para>
+
+ <para>The external program will be passed a single parameter indicating
+ a directory in the filesystem being queried. This will typically consist
+ of the string <filename>./</filename>. The script should return two
+ integers in ASCII. The first should be the total disk space in blocks,
+ and the second should be the number of available blocks. An optional
+ third return value can give the block size in bytes. The default
+ blocksize is 1024 bytes.</para>
+
+ <para>Note: Your script should <emphasis>NOT</emphasis> be setuid or
+ setgid and should be owned by (and writeable only by) root!</para>
+
+ <para>Default: <emphasis>By default internal routines for
+ determining the disk capacity and remaining space will be used.
+ </emphasis></para>
+
+ <para>Example: <command>dfree command = /usr/local/samba/bin/dfree
+ </command></para>
+
+ <para>Where the script dfree (which must be made executable) could be:</para>
+
+ <para><programlisting>
+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+ </programlisting></para>
+
+ <para>or perhaps (on Sys V based systems):</para>
+
+ <para><programlisting>
+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+ </programlisting></para>
+
+ <para>Note that you may have to replace the command names
+ with full path names on some systems.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORY">directory (S)</term>
+ <listitem><para>Synonym for <link linkend="PATH"><parameter>path
+ </parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORYMASK">directory mask (S)</term>
+ <listitem><para>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</para>
+
+ <para>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
+ here will be removed from the modes set on a directory when it is
+ created.</para>
+
+ <para>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</para>
+
+ <para>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <link
+ linkend="FORCEDIRECTORYMODE"><parameter>force directory mode
+ </parameter></link> parameter. This parameter is set to 000 by
+ default (i.e. no extra mode bits are added).</para>
+
+ <para>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <link
+ linkend="DIRECTORYSECURITYMASK"><parameter>directory security mask</parameter></link>.</para>
+
+ <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter>force
+ directory mode</parameter></link> parameter to cause particular mode
+ bits to always be set on created directories.</para>
+
+ <para>See also the <link linkend="CREATEMODE"><parameter>create mode
+ </parameter></link> parameter for masking mode bits on created files,
+ and the <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
+ security mask</parameter></link> parameter.</para>
+
+ <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter>
+ inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command>directory mask = 0755</command></para>
+ <para>Example: <command>directory mask = 0775</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORYMODE">directory mode (S)</term>
+ <listitem><para>Synonym for <link linkend="DIRECTORYMASK"><parameter>
+ directory mask</parameter></link></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DIRECTORYSECURITYMASK">directory security mask (S)</term>
+ <listitem><para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog
+ box.</para>
+
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
+
+ <para>If not set explicitly this parameter is set to 0777
+ meaning a user is allowed to modify all the user/group/world
+ permissions on a directory.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to leave
+ it as the default of <constant>0777</constant>.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
+ force directory security mode</parameter></link>, <link
+ linkend="SECURITYMASK"><parameter>security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter>force security mode
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command>directory security mask = 0777</command></para>
+ <para>Example: <command>directory security mask = 0700</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DISABLESPOOLSS">disable spoolss (G)</term>
+ <listitem><para>Enabling this parameter will disables Samba's support
+ for the SPOOLSS set of MS-RPC's and will yield identical behavior
+ as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
+ Lanman style printing commands. Windows 9x/ME will be uneffected by
+ the parameter. However, this will also disable the ability to upload
+ printer drivers to a Samba server via the Windows NT Add Printer
+ Wizard or by using the NT printer properties dialog window. It will
+ also disable the capability of Windows NT/2000 clients to download
+ print drivers from the Samba host upon demand.
+ <emphasis>Be very careful about enabling this parameter.</emphasis>
+ </para>
+
+ <para>See also <link linkend="USECLIENTDRIVER">use client driver</link>
+ </para>
+
+ <para>Default : <command>disable spoolss = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DNSPROXY">dns proxy (G)</term>
+ <listitem><para>Specifies that <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ when acting as a WINS server and finding that a NetBIOS name has not
+ been registered, should treat the NetBIOS name word-for-word as a DNS
+ name and do a lookup with the DNS server for that name on behalf of
+ the name-querying client.</para>
+
+ <para>Note that the maximum length for a NetBIOS name is 15
+ characters, so the DNS name (or DNS alias) can likewise only be
+ 15 characters, maximum.</para>
+
+ <para><command>nmbd</command> spawns a second copy of itself to do the
+ DNS name lookup requests, as doing a name lookup is a blocking
+ action.</para>
+
+ <para>See also the parameter <link linkend="WINSSUPPORT"><parameter>
+ wins support</parameter></link>.</para>
+
+ <para>Default: <command>dns proxy = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINADMINGROUP">domain admin group (G)</term>
+ <listitem><para>This parameter is intended as a temporary solution
+ to enable users to be a member of the "Domain Admins" group when
+ a Samba host is acting as a PDC. A complete solution will be provided
+ by a system for mapping Windows NT/2000 groups onto UNIX groups.
+ Please note that this parameter has a somewhat confusing name. It
+ accepts a list of usernames and of group names in standard
+ <filename>smb.conf</filename> notation.
+ </para>
+
+ <para>See also <link linkend="DOMAINGUESTGROUP"><parameter>domain
+ guest group</parameter></link>, <link linkend="DOMAINLOGONS"><parameter>domain
+ logons</parameter></link>
+ </para>
+
+ <para>Default: <emphasis>no domain administrators</emphasis></para>
+ <para>Example: <command>domain admin group = root @wheel</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINGUESTGROUP">domain guest group (G)</term>
+ <listitem><para>This parameter is intended as a temporary solution
+ to enable users to be a member of the "Domain Guests" group when
+ a Samba host is acting as a PDC. A complete solution will be provided
+ by a system for mapping Windows NT/2000 groups onto UNIX groups.
+ Please note that this parameter has a somewhat confusing name. It
+ accepts a list of usernames and of group names in standard
+ <filename>smb.conf</filename> notation.
+ </para>
+
+ <para>See also <link linkend="DOMAINADMINGROUP"><parameter>domain
+ admin group</parameter></link>, <link linkend="DOMAINLOGONS"><parameter>domain
+ logons</parameter></link>
+ </para>
+
+ <para>Default: <emphasis>no domain guests</emphasis></para>
+ <para>Example: <command>domain guest group = nobody @guest</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINLOGONS">domain logons (G)</term>
+ <listitem><para>If set to <constant>true</constant>, the Samba server will serve
+ Windows 95/98 Domain logons for the <link linkend="WORKGROUP">
+ <parameter>workgroup</parameter></link> it is in. Samba 2.2 also
+ has limited capability to act as a domain controller for Windows
+ NT 4 Domains. For more details on setting up this feature see
+ the Samba-PDC-HOWTO included in the <filename>htmldocs/</filename>
+ directory shipped with the source code.</para>
+
+ <para>Default: <command>domain logons = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOMAINMASTER">domain master (G)</term>
+ <listitem><para>Tell <ulink url="nmbd.8.html"><command>
+ nmbd(8)</command></ulink> to enable WAN-wide browse list
+ collation. Setting this option causes <command>nmbd</command> to
+ claim a special domain specific NetBIOS name that identifies
+ it as a domain master browser for its given <link linkend="WORKGROUP">
+ <parameter>workgroup</parameter></link>. Local master browsers
+ in the same <parameter>workgroup</parameter> on broadcast-isolated
+ subnets will give this <command>nmbd</command> their local browse lists,
+ and then ask <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ for a complete copy of the browse list for the whole wide area
+ network. Browser clients will then contact their local master browser,
+ and will receive the domain-wide browse list, instead of just the list
+ for their broadcast-isolated subnet.</para>
+
+ <para>Note that Windows NT Primary Domain Controllers expect to be
+ able to claim this <parameter>workgroup</parameter> specific special
+ NetBIOS name that identifies them as domain master browsers for
+ that <parameter>workgroup</parameter> by default (i.e. there is no
+ way to prevent a Windows NT PDC from attempting to do this). This
+ means that if this parameter is set and <command>nmbd</command> claims
+ the special name for a <parameter>workgroup</parameter> before a Windows
+ NT PDC is able to do so then cross subnet browsing will behave
+ strangely and may fail.</para>
+
+ <para>If <link linkend="DOMAINLOGONS"><command>domain logons = yes</command>
+ </link>, then the default behavior is to enable the <parameter>domain
+ master</parameter> parameter. If <parameter>domain logons</parameter> is
+ not enabled (the default setting), then neither will <parameter>domain
+ master</parameter> be enabled by default.</para>
+
+ <para>Default: <command>domain master = auto</command></para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="DONTDESCEND">dont descend (S)</term>
+ <listitem><para>There are certain directories on some systems
+ (e.g., the <filename>/proc</filename> tree under Linux) that are either not
+ of interest to clients or are infinitely deep (recursive). This
+ parameter allows you to specify a comma-delimited list of directories
+ that the server should always show as empty.</para>
+
+ <para>Note that Samba can be very fussy about the exact format
+ of the "dont descend" entries. For example you may need <filename>
+ ./proc</filename> instead of just <filename>/proc</filename>.
+ Experimentation is the best policy :-) </para>
+
+ <para>Default: <emphasis>none (i.e., all directories are OK
+ to descend)</emphasis></para>
+ <para>Example: <command>dont descend = /proc,/dev</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOSFILEMODE">dos filemode (S)</term>
+ <listitem><para> The default behavior in Samba is to provide
+ UNIX-like behavior where only the owner of a file/directory is
+ able to change the permissions on it. However, this behavior
+ is often confusing to DOS/Windows users. Enabling this parameter
+ allows a user who has write access to the file (by whatever
+ means) to modify the permissions on it. Note that a user
+ belonging to the group owning the file will not be allowed to
+ change permissions if the group is only granted read access.
+ Ownership of the file/directory is not changed, only the permissions
+ are modified.</para>
+
+ <para>Default: <command>dos filemode = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOSFILETIMERESOLUTION">dos filetime resolution (S)</term>
+ <listitem><para>Under the DOS and Windows FAT filesystem, the finest
+ granularity on time resolution is two seconds. Setting this parameter
+ for a share causes Samba to round the reported time down to the
+ nearest two second boundary when a query call that requires one second
+ resolution is made to <ulink url="smbd.8.html"><command>smbd(8)</command>
+ </ulink>.</para>
+
+ <para>This option is mainly used as a compatibility option for Visual
+ C++ when used against Samba shares. If oplocks are enabled on a
+ share, Visual C++ uses two different time reading calls to check if a
+ file has changed since it was last read. One of these calls uses a
+ one-second granularity, the other uses a two second granularity. As
+ the two second call rounds any odd second down, then if the file has a
+ timestamp of an odd number of seconds then the two timestamps will not
+ match and Visual C++ will keep reporting the file has changed. Setting
+ this option causes the two timestamps to match, and Visual C++ is
+ happy.</para>
+
+ <para>Default: <command>dos filetime resolution = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="DOSFILETIMES">dos filetimes (S)</term>
+ <listitem><para>Under DOS and Windows, if a user can write to a
+ file they can change the timestamp on it. Under POSIX semantics,
+ only the owner of the file or root may change the timestamp. By
+ default, Samba runs with POSIX semantics and refuses to change the
+ timestamp on a file if the user <command>smbd</command> is acting
+ on behalf of is not the file owner. Setting this option to <constant>
+ true</constant> allows DOS semantics and <ulink url="smbd.8.html">smbd</ulink> will change the file
+ timestamp as DOS requires.</para>
+
+ <para>Default: <command>dos filetimes = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ENCRYPTPASSWORDS">encrypt passwords (G)</term>
+ <listitem><para>This boolean controls whether encrypted passwords
+ will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+ above and also Windows 98 will by default expect encrypted passwords
+ unless a registry entry is changed. To use encrypted passwords in
+ Samba see the file ENCRYPTION.txt in the Samba documentation
+ directory <filename>docs/</filename> shipped with the source code.</para>
+
+ <para>In order for encrypted passwords to work correctly
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> must either
+ have access to a local <ulink url="smbpasswd.5.html"><filename>smbpasswd(5)
+ </filename></ulink> file (see the <ulink url="smbpasswd.8.html"><command>
+ smbpasswd(8)</command></ulink> program for information on how to set up
+ and maintain this file), or set the <link
+ linkend="SECURITY">security = [server|domain|ads]</link> parameter which
+ causes <command>smbd</command> to authenticate against another
+ server.</para>
+
+ <para>Default: <command>encrypt passwords = yes</command></para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="ENHANCEDBROWSING">enhanced browsing (G)</term>
+ <listitem><para>This option enables a couple of enhancements to
+ cross-subnet browse propagation that have been added in Samba
+ but which are not standard in Microsoft implementations.
+ </para>
+
+ <para>The first enhancement to browse propagation consists of a regular
+ wildcard query to a Samba WINS server for all Domain Master Browsers,
+ followed by a browse synchronization with each of the returned
+ DMBs. The second enhancement consists of a regular randomised browse
+ synchronization with all currently known DMBs.</para>
+
+ <para>You may wish to disable this option if you have a problem with empty
+ workgroups not disappearing from browse lists. Due to the restrictions
+ of the browse protocols these enhancements can cause a empty workgroup
+ to stay around forever which can be annoying.</para>
+
+ <para>In general you should leave this option enabled as it makes
+ cross-subnet browse propagation much more reliable.</para>
+
+ <para>Default: <command>enhanced browsing = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="ENUMPORTSCOMMAND">enumports command (G)</term>
+ <listitem><para>The concept of a "port" is fairly foreign
+ to UNIX hosts. Under Windows NT/2000 print servers, a port
+ is associated with a port monitor and generally takes the form of
+ a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
+ (i.e. LPD Port Monitor, etc...). By default, Samba has only one
+ port defined--<constant>"Samba Printer Port"</constant>. Under
+ Windows NT/2000, all printers must have a valid port name.
+ If you wish to have a list of ports displayed (<command>smbd
+ </command> does not use a port name for anything) other than
+ the default <constant>"Samba Printer Port"</constant>, you
+ can define <parameter>enumports command</parameter> to point to
+ a program which should generate a list of ports, one per line,
+ to standard output. This listing will then be used in response
+ to the level 1 and 2 EnumPorts() RPC.</para>
+
+ <para>Default: <emphasis>no enumports command</emphasis></para>
+ <para>Example: <command>enumports command = /usr/bin/listports
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="EXEC">exec (S)</term>
+ <listitem><para>This is a synonym for <link linkend="PREEXEC">
+ <parameter>preexec</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FAKEDIRECTORYCREATETIMES">fake directory create times (S)</term>
+ <listitem><para>NTFS and Windows VFAT file systems keep a create
+ time for all files and directories. This is not the same as the
+ ctime - status change time - that Unix keeps, so Samba by default
+ reports the earliest of the various times Unix does keep. Setting
+ this parameter for a share causes Samba to always report midnight
+ 1-1-1980 as the create time for directories.</para>
+
+ <para>This option is mainly used as a compatibility option for
+ Visual C++ when used against Samba shares. Visual C++ generated
+ makefiles have the object directory as a dependency for each object
+ file, and a make rule to create the directory. Also, when NMAKE
+ compares timestamps it uses the creation time when examining a
+ directory. Thus the object directory will be created if it does not
+ exist, but once it does exist it will always have an earlier
+ timestamp than the object files it contains.</para>
+
+ <para>However, Unix time semantics mean that the create time
+ reported by Samba will be updated whenever a file is created or
+ or deleted in the directory. NMAKE finds all object files in
+ the object directory. The timestamp of the last one built is then
+ compared to the timestamp of the object directory. If the
+ directory's timestamp if newer, then all object files
+ will be rebuilt. Enabling this option
+ ensures directories always predate their contents and an NMAKE build
+ will proceed as expected.</para>
+
+ <para>Default: <command>fake directory create times = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FAKEOPLOCKS">fake oplocks (S)</term>
+ <listitem><para>Oplocks are the way that SMB clients get permission
+ from a server to locally cache file operations. If a server grants
+ an oplock (opportunistic lock) then the client is free to assume
+ that it is the only one accessing the file and it will aggressively
+ cache file data. With some oplock types the client may even cache
+ file open/close operations. This can give enormous performance benefits.
+ </para>
+
+ <para>When you set <command>fake oplocks = yes</command>, <ulink
+ url="smbd.8.html"><command>smbd(8)</command></ulink> will
+ always grant oplock requests no matter how many clients are using
+ the file.</para>
+
+ <para>It is generally much better to use the real <link
+ linkend="OPLOCKS"><parameter>oplocks</parameter></link> support rather
+ than this parameter.</para>
+
+ <para>If you enable this option on all read-only shares or
+ shares that you know will only be accessed from one client at a
+ time such as physically read-only media like CDROMs, you will see
+ a big performance improvement on many operations. If you enable
+ this option on shares where multiple clients may be accessing the
+ files read-write at the same time you can get data corruption. Use
+ this option carefully!</para>
+
+ <para>Default: <command>fake oplocks = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FOLLOWSYMLINKS">follow symlinks (S)</term>
+ <listitem><para>This parameter allows the Samba administrator
+ to stop <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ from following symbolic links in a particular share. Setting this
+ parameter to <constant>no</constant> prevents any file or directory
+ that is a symbolic link from being followed (the user will get an
+ error). This option is very useful to stop users from adding a
+ symbolic link to <filename>/etc/passwd</filename> in their home
+ directory for instance. However it will slow filename lookups
+ down slightly.</para>
+
+ <para>This option is enabled (i.e. <command>smbd</command> will
+ follow symbolic links) by default.</para>
+
+ <para>Default: <command>follow symlinks = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCECREATEMODE">force create mode (S)</term>
+ <listitem><para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a
+ file created by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created or having its
+ permissions changed. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <parameter>create mask</parameter>
+ parameter is applied.</para>
+
+ <para>See also the parameter <link linkend="CREATEMASK"><parameter>create
+ mask</parameter></link> for details on masking mode bits on files.</para>
+
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>inherit
+ permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command>force create mode = 000</command></para>
+ <para>Example: <command>force create mode = 0755</command></para>
+
+ <para>would force all created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEDIRECTORYMODE">force directory mode (S)</term>
+ <listitem><para>This parameter specifies a set of UNIX mode bit
+ permissions that will <emphasis>always</emphasis> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <parameter>directory mask</parameter> is
+ applied.</para>
+
+ <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter>
+ directory mask</parameter></link> for details on masking mode bits
+ on created directories.</para>
+
+ <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>
+ inherit permissions</parameter></link> parameter.</para>
+
+ <para>Default: <command>force directory mode = 000</command></para>
+ <para>Example: <command>force directory mode = 0755</command></para>
+
+ <para>would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEDIRECTORYSECURITYMODE">force directory
+ security mode (S)</term>
+ <listitem><para>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog box.</para>
+
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a directory, the user has always set to be 'on'.</para>
+
+ <para>If not set explicitly this parameter is 000, which
+ allows a user to modify all the user/group/world permissions on a
+ directory without restrictions.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to leave
+ it set as 0000.</para>
+
+ <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter>
+ directory security mask</parameter></link>, <link linkend="SECURITYMASK">
+ <parameter>security mask</parameter></link>,
+ <link linkend="FORCESECURITYMODE"><parameter>force security mode
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command>force directory security mode = 0</command></para>
+ <para>Example: <command>force directory security mode = 700</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEGROUP">force group (S)</term>
+ <listitem><para>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</para>
+
+ <para>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <filename>force group = +sys</filename> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</para>
+
+ <para>If the <link linkend="FORCEUSER"><parameter>force user
+ </parameter></link> parameter is also set the group specified in
+ <parameter>force group</parameter> will override the primary group
+ set in <parameter>force user</parameter>.</para>
+
+ <para>See also <link linkend="FORCEUSER"><parameter>force
+ user</parameter></link>.</para>
+
+ <para>Default: <emphasis>no forced group</emphasis></para>
+ <para>Example: <command>force group = agroup</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCESECURITYMODE">force security mode (S)</term>
+ <listitem><para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog
+ box.</para>
+
+ <para>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a file, the user has always set to be 'on'.</para>
+
+ <para>If not set explicitly this parameter is set to 0,
+ and allows a user to modify all the user/group/world permissions on a file,
+ with no restrictions.</para>
+
+ <para><emphasis>Note</emphasis> that users who can access
+ the Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to leave
+ this set to 0000.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
+ force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter>directory security
+ mask</parameter></link>, <link linkend="SECURITYMASK"><parameter>
+ security mask</parameter></link> parameters.</para>
+
+ <para>Default: <command>force security mode = 0</command></para>
+ <para>Example: <command>force security mode = 700</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FORCEUSER">force user (S)</term>
+ <listitem><para>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</para>
+
+ <para>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the "forced user", no matter what username the client connected
+ as. This can be very useful.</para>
+
+ <para>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</para>
+
+ <para>See also <link linkend="FORCEGROUP"><parameter>force group
+ </parameter></link></para>
+
+ <para>Default: <emphasis>no forced user</emphasis></para>
+ <para>Example: <command>force user = auser</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="FSTYPE">fstype (S)</term>
+ <listitem><para>This parameter allows the administrator to
+ configure the string that specifies the type of filesystem a share
+ is using that is reported by <ulink url="smbd.8.html"><command>smbd(8)
+ </command></ulink> when a client queries the filesystem type
+ for a share. The default type is <constant>NTFS</constant> for
+ compatibility with Windows NT but this can be changed to other
+ strings such as <constant>Samba</constant> or <constant>FAT
+ </constant> if required.</para>
+
+ <para>Default: <command>fstype = NTFS</command></para>
+ <para>Example: <command>fstype = Samba</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GETWDCACHE">getwd cache (G)</term>
+ <listitem><para>This is a tuning option. When this is enabled a
+ caching algorithm will be used to reduce the time taken for getwd()
+ calls. This can have a significant impact on performance, especially
+ when the <link linkend="WIDELINKS"><parameter>wide links</parameter>
+ </link>parameter is set to <constant>false</constant>.</para>
+
+ <para>Default: <command>getwd cache = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GROUP">group (S)</term>
+ <listitem><para>Synonym for <link linkend="FORCEGROUP"><parameter>force
+ group</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GUESTACCOUNT">guest account (S)</term>
+ <listitem><para>This is a username which will be used for access
+ to services which are specified as <link linkend="GUESTOK"><parameter>
+ guest ok</parameter></link> (see below). Whatever privileges this
+ user has will be available to any client connecting to the guest service.
+ Typically this user will exist in the password file, but will not
+ have a valid login. The user account "ftp" is often a good choice
+ for this parameter. If a username is specified in a given service,
+ the specified username overrides this one.</para>
+
+ <para>One some systems the default guest account "nobody" may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <command>su -</command> command) and trying to print using the
+ system print command such as <command>lpr(1)</command> or <command>
+ lp(1)</command>.</para>
+
+ <para>Default: <emphasis>specified at compile time, usually
+ "nobody"</emphasis></para>
+
+ <para>Example: <command>guest account = ftp</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GUESTOK">guest ok (S)</term>
+ <listitem><para>If this parameter is <constant>yes</constant> for
+ a service, then no password is required to connect to the service.
+ Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter>
+ guest account</parameter></link>.</para>
+
+ <para>See the section below on <link linkend="SECURITY"><parameter>
+ security</parameter></link> for more information about this option.
+ </para>
+
+ <para>Default: <command>guest ok = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="GUESTONLY">guest only (S)</term>
+ <listitem><para>If this parameter is <constant>yes</constant> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no effect if <link linkend="GUESTOK">
+ <parameter>guest ok</parameter></link> is not set for the service.</para>
+
+ <para>See the section below on <link linkend="SECURITY"><parameter>
+ security</parameter></link> for more information about this option.
+ </para>
+
+ <para>Default: <command>guest only = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HIDEDOTFILES">hide dot files (S)</term>
+ <listitem><para>This is a boolean parameter that controls whether
+ files starting with a dot appear as hidden files.</para>
+
+ <para>Default: <command>hide dot files = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HIDEFILES">hide files(S)</term>
+ <listitem><para>This is a list of files or directories that are not
+ visible but are accessible. The DOS 'hidden' attribute is applied
+ to any files or directories that match.</para>
+
+ <para>Each entry in the list must be separated by a '/',
+ which allows spaces to be included in the entry. '*'
+ and '?' can be used to specify multiple files or directories
+ as in DOS wildcards.</para>
+
+ <para>Each entry must be a Unix path, not a DOS path and must
+ not include the Unix directory separator '/'.</para>
+
+ <para>Note that the case sensitivity option is applicable
+ in hiding files.</para>
+
+ <para>Setting this parameter will affect the performance of Samba,
+ as it will be forced to check all files and directories for a match
+ as they are scanned.</para>
+
+ <para>See also <link linkend="HIDEDOTFILES"><parameter>hide
+ dot files</parameter></link>, <link linkend="VETOFILES"><parameter>
+ veto files</parameter></link> and <link linkend="CASESENSITIVE">
+ <parameter>case sensitive</parameter></link>.</para>
+
+ <para>Default: <emphasis>no file are hidden</emphasis></para>
+ <para>Example: <command>hide files =
+ /.*/DesktopFolderDB/TrashFor%m/resource.frk/</command></para>
+
+ <para>The above example is based on files that the Macintosh
+ SMB client (DAVE) available from <ulink url="http://www.thursby.com">
+ Thursby</ulink> creates for internal use, and also still hides
+ all files beginning with a dot.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HIDELOCALUSERS">hide local users(G)</term>
+ <listitem><para>This parameter toggles the hiding of local UNIX
+ users (root, wheel, floppy, etc) from remote clients.</para>
+
+ <para>Default: <command>hide local users = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HIDEUNREADABLE">hide unreadable (S)</term>
+ <listitem><para>This parameter prevents clients from seeing the
+ existance of files that cannot be read. Defaults to off.</para>
+
+ <para>Default: <command>hide unreadable = no</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HOMEDIRMAP">homedir map (G)</term>
+ <listitem><para>If<link linkend="NISHOMEDIR"><parameter>nis homedir
+ </parameter></link> is <constant>true</constant>, and <ulink
+ url="smbd.8.html"><command>smbd(8)</command></ulink> is also acting
+ as a Win95/98 <parameter>logon server</parameter> then this parameter
+ specifies the NIS (or YP) map from which the server for the user's
+ home directory should be extracted. At present, only the Sun
+ auto.home map format is understood. The form of the map is:</para>
+
+ <para><command>username server:/some/file/system</command></para>
+
+ <para>and the program will extract the servername from before
+ the first ':'. There should probably be a better parsing system
+ that copes with different map formats and also Amd (another
+ automounter) maps.</para>
+
+ <para><emphasis>NOTE :</emphasis>A working NIS client is required on
+ the system for this option to work.</para>
+
+ <para>See also <link linkend="NISHOMEDIR"><parameter>nis homedir</parameter>
+ </link>, <link linkend="DOMAINLOGONS"><parameter>domain logons</parameter>
+ </link>.</para>
+
+ <para>Default: <command>homedir map = &lt;empty string&gt;</command></para>
+ <para>Example: <command>homedir map = amd.homedir</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="HOSTMSDFS">host msdfs (G)</term>
+ <listitem><para>This boolean parameter is only available
+ if Samba has been configured and compiled with the <command>
+ --with-msdfs</command> option. If set to <constant>yes</constant>,
+ Samba will act as a Dfs server, and allow Dfs-aware clients
+ to browse Dfs trees hosted on the server.</para>
+
+ <para>See also the <link linkend="MSDFSROOT"><parameter>
+ msdfs root</parameter></link> share level parameter. For
+ more information on setting up a Dfs tree on Samba,
+ refer to <ulink url="msdfs_setup.html">msdfs_setup.html</ulink>.
+ </para>
+
+ <para>Default: <command>host msdfs = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="HOSTSALLOW">hosts allow (S)</term>
+ <listitem><para>A synonym for this parameter is <parameter>allow
+ hosts</parameter>.</para>
+
+ <para>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</para>
+
+ <para>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</para>
+
+ <para>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <command>allow hosts = 150.203.5.
+ </command>. The full syntax of the list is described in the man
+ page <filename>hosts_access(5)</filename>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</para>
+
+ <para>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <link
+ linkend="HOSTSDENY"><parameter>hosts deny</parameter></link> option.</para>
+
+ <para>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</para>
+
+ <para>Example 1: allow all IPs in 150.203.*.*; except one</para>
+
+ <para><command>hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
+
+ <para>Example 2: allow hosts that match the given network/netmask</para>
+
+ <para><command>hosts allow = 150.203.15.0/255.255.255.0</command></para>
+
+ <para>Example 3: allow a couple of hosts</para>
+
+ <para><command>hosts allow = lapland, arvidsjaur</command></para>
+
+ <para>Example 4: allow only hosts in NIS netgroup "foonet", but
+ deny access from one particular host</para>
+
+ <para><command>hosts allow = @foonet</command></para>
+
+ <para><command>hosts deny = pirate</command></para>
+
+ <para>Note that access still requires suitable user-level passwords.</para>
+
+ <para>See <ulink url="testparm.1.html"><command>testparm(1)</command>
+ </ulink> for a way of testing your host access to see if it does
+ what you expect.</para>
+
+ <para>Default: <emphasis>none (i.e., all hosts permitted access)
+ </emphasis></para>
+
+ <para>Example: <command>allow hosts = 150.203.5. myhost.mynet.edu.au
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HOSTSDENY">hosts deny (S)</term>
+ <listitem><para>The opposite of <parameter>hosts allow</parameter>
+ - hosts listed here are <emphasis>NOT</emphasis> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <parameter>allow</parameter>
+ list takes precedence.</para>
+
+ <para>Default: <emphasis>none (i.e., no hosts specifically excluded)
+ </emphasis></para>
+
+ <para>Example: <command>hosts deny = 150.203.4. badhost.mynet.edu.au
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="HOSTSEQUIV">hosts equiv (G)</term>
+ <listitem><para>If this global parameter is a non-null string,
+ it specifies the name of a file to read for the names of hosts
+ and users who will be allowed access without specifying a password.
+ </para>
+
+ <para>This is not be confused with <link linkend="HOSTSALLOW">
+ <parameter>hosts allow</parameter></link> which is about hosts
+ access to services and is more useful for guest services. <parameter>
+ hosts equiv</parameter> may be useful for NT clients which will
+ not supply passwords to Samba.</para>
+
+ <para><emphasis>NOTE :</emphasis> The use of <parameter>hosts equiv
+ </parameter> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the
+ <parameter>hosts equiv</parameter> option be only used if you really
+ know what you are doing, or perhaps on a home network where you trust
+ your spouse and kids. And only if you <emphasis>really</emphasis> trust
+ them :-).</para>
+
+ <para>Default: <emphasis>no host equivalences</emphasis></para>
+ <para>Example: <command>hosts equiv = /etc/hosts.equiv</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INCLUDE">include (G)</term>
+ <listitem><para>This allows you to include one config file
+ inside another. The file is included literally, as though typed
+ in place.</para>
+
+ <para>It takes the standard substitutions, except <parameter>%u
+ </parameter>, <parameter>%P</parameter> and <parameter>%S</parameter>.
+ </para>
+
+ <para>Default: <emphasis>no file included</emphasis></para>
+ <para>Example: <command>include = /usr/local/samba/lib/admin_smb.conf
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INHERITPERMISSIONS">inherit permissions (S)</term>
+ <listitem><para>The permissions on new files and directories
+ are normally governed by <link linkend="CREATEMASK"><parameter>
+ create mask</parameter></link>, <link linkend="DIRECTORYMASK">
+ <parameter>directory mask</parameter></link>, <link
+ linkend="FORCECREATEMODE"><parameter>force create mode</parameter>
+ </link> and <link linkend="FORCEDIRECTORYMODE"><parameter>force
+ directory mode</parameter></link> but the boolean inherit
+ permissions parameter overrides this.</para>
+
+ <para>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</para>
+
+ <para>New files inherit their read/write bits from the parent
+ directory. Their execute bits continue to be determined by
+ <link linkend="MAPARCHIVE"><parameter>map archive</parameter>
+ </link>, <link linkend="MAPHIDDEN"><parameter>map hidden</parameter>
+ </link> and <link linkend="MAPSYSTEM"><parameter>map system</parameter>
+ </link> as usual.</para>
+
+ <para>Note that the setuid bit is <emphasis>never</emphasis> set via
+ inheritance (the code explicitly prohibits this).</para>
+
+ <para>This can be particularly useful on large systems with
+ many users, perhaps several thousand, to allow a single [homes]
+ share to be used flexibly by each user.</para>
+
+ <para>See also <link linkend="CREATEMASK"><parameter>create mask
+ </parameter></link>, <link linkend="DIRECTORYMASK"><parameter>
+ directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
+ <parameter>force create mode</parameter></link> and <link
+ linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter>
+ </link>.</para>
+
+ <para>Default: <command>inherit permissions = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INTERFACES">interfaces (G)</term>
+ <listitem><para>This option allows you to override the default
+ network interfaces list that Samba will use for browsing, name
+ registration and other NBT traffic. By default Samba will query
+ the kernel for the list of all active interfaces and use any
+ interfaces except 127.0.0.1 that are broadcast capable.</para>
+
+ <para>The option takes a list of interface strings. Each string
+ can be in any of the following forms:</para>
+
+ <itemizedlist>
+ <listitem><para>a network interface name (such as eth0).
+ This may include shell-like wildcards so eth* will match
+ any interface starting with the substring "eth"</para></listitem>
+
+ <listitem><para>an IP address. In this case the netmask is
+ determined from the list of interfaces obtained from the
+ kernel</para></listitem>
+
+ <listitem><para>an IP/mask pair. </para></listitem>
+
+ <listitem><para>a broadcast/mask pair.</para></listitem>
+ </itemizedlist>
+
+ <para>The "mask" parameters can either be a bit length (such
+ as 24 for a C class network) or a full netmask in dotted
+ decimal form.</para>
+
+ <para>The "IP" parameters above can either be a full dotted
+ decimal IP address or a hostname which will be looked up via
+ the OS's normal hostname resolution mechanisms.</para>
+
+ <para>For example, the following line:</para>
+
+ <para><command>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
+ </command></para>
+
+ <para>would configure three network interfaces corresponding
+ to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
+ The netmasks of the latter two interfaces would be set to 255.255.255.0.</para>
+
+ <para>See also <link linkend="BINDINTERFACESONLY"><parameter>bind
+ interfaces only</parameter></link>.</para>
+
+ <para>Default: <emphasis>all active interfaces except 127.0.0.1
+ that are broadcast capable</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="INVALIDUSERS">invalid users (S)</term>
+ <listitem><para>This is a list of users that should not be allowed
+ to login to this service. This is really a <emphasis>paranoid</emphasis>
+ check to absolutely ensure an improper setting does not breach
+ your security.</para>
+
+ <para>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</para>
+
+ <para>A name starting with '+' is interpreted only
+ by looking in the UNIX group database. A name starting with
+ '&' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&' may be used at the start of the name in either order
+ so the value <parameter>+&amp;group</parameter> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <parameter>&+group</parameter> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</para>
+
+ <para>The current servicename is substituted for <parameter>%S</parameter>.
+ This is useful in the [homes] section.</para>
+
+ <para>See also <link linkend="VALIDUSERS"><parameter>valid users
+ </parameter></link>.</para>
+
+ <para>Default: <emphasis>no invalid users</emphasis></para>
+ <para>Example: <command>invalid users = root fred admin @wheel
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="KEEPALIVE">keepalive (G)</term>
+ <listitem><para>The value of the parameter (an integer) represents
+ the number of seconds between <parameter>keepalive</parameter>
+ packets. If this parameter is zero, no keepalive packets will be
+ sent. Keepalive packets, if sent, allow the server to tell whether
+ a client is still present and responding.</para>
+
+ <para>Keepalives should, in general, not be needed if the socket
+ being used has the SO_KEEPALIVE attribute set on it (see <link
+ linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link>).
+ Basically you should only use this option if you strike difficulties.</para>
+
+ <para>Default: <command>keepalive = 300</command></para>
+ <para>Example: <command>keepalive = 600</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="KERNELOPLOCKS">kernel oplocks (G)</term>
+ <listitem><para>For UNIXes that support kernel based <link
+ linkend="OPLOCKS"><parameter>oplocks</parameter></link>
+ (currently only IRIX and the Linux 2.4 kernel), this parameter
+ allows the use of them to be turned on or off.</para>
+
+ <para>Kernel oplocks support allows Samba <parameter>oplocks
+ </parameter> to be broken whenever a local UNIX process or NFS operation
+ accesses a file that <ulink url="smbd.8.html"><command>smbd(8)</command>
+ </ulink> has oplocked. This allows complete data consistency between
+ SMB/CIFS, NFS and local file access (and is a <emphasis>very</emphasis>
+ cool feature :-).</para>
+
+ <para>This parameter defaults to <constant>on</constant>, but is translated
+ to a no-op on systems that no not have the necessary kernel support.
+ You should never need to touch this parameter.</para>
+
+ <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
+ </link> and <link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks
+ </parameter></link> parameters.</para>
+
+ <para>Default: <command>kernel oplocks = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LANMANAUTH">lanman auth (G)</term>
+ <listitem><para>This parameter determines whether or not <ulink url="smbd.8.html">smbd</ulink> will
+ attempt to authenticate users using the LANMAN password hash.
+ If disabled, only clients which support NT password hashes (e.g. Windows
+ NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
+ network client) will be able to connect to the Samba host.</para>
+
+ <para>Default : <command>lanman auth = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LARGEREADWRITE">large readwrite (G)</term>
+ <listitem><para>This parameter determines whether or not <ulink url="smbd.8.html">smbd</ulink>
+ supports the new 64k streaming read and write varient SMB requests introduced
+ with Windows 2000. Note that due to Windows 2000 client redirector bugs
+ this requires Samba to be running on a 64-bit capable operating system such
+ as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
+ Windows 2000 clients. Defaults to on. Not as tested as some other Samba
+ code paths.
+ </para>
+
+ <para>Default : <command>large readwrite = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPADMINDN">ldap admin dn (G)</term>
+ <listitem><para>This parameter is only available if Samba has been
+ configure to include the <command>--with-ldapsam</command> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </para>
+
+ <para>
+ The <parameter>ldap admin dn</parameter> defines the Distinguished
+ Name (DN) name used by Samba to contact the <link linkend="LDAPSERVER">ldap
+ server</link> when retreiving user account information. The <parameter>ldap
+ admin dn</parameter> is used in conjunction with the admin dn password
+ stored in the <filename>private/secrets.tdb</filename> file. See the
+ <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> man
+ page for more information on how to accmplish this.
+ </para>
+
+
+ <para>Default : <emphasis>none</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPFILTER">ldap filter (G)</term>
+ <listitem><para>This parameter is only available if Samba has been
+ configure to include the <command>--with-ldapsam</command> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </para>
+
+ <para>
+ This parameter specifies the RFC 2254 compliant LDAP search filter.
+ The default is to match the login name with the <constant>uid</constant>
+ attribute for all entries matching the <constant>sambaAccount</constant>
+ objectclass. Note that this filter should only return one entry.
+ </para>
+
+
+ <para>Default : <command>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPPORT">ldap port (G)</term>
+ <listitem><para>This parameter is only available if Samba has been
+ configure to include the <command>--with-ldapsam</command> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </para>
+
+ <para>
+ This option is used to control the tcp port number used to contact
+ the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>.
+ The default is to use the stand LDAPS port 636.
+ </para>
+
+ <para>See Also: <link linkend="LDAPSSL">ldap ssl</link>
+ </para>
+
+ <para>Default : <command>ldap port = 636</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPSERVER">ldap server (G)</term>
+ <listitem><para>This parameter is only available if Samba has been
+ configure to include the <command>--with-ldapsam</command> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </para>
+
+ <para>
+ This parameter should contains the FQDN of the ldap directory
+ server which should be queried to locate user account information.
+ </para>
+
+
+
+ <para>Default : <command>ldap server = localhost</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPSSL">ldap ssl (G)</term>
+ <listitem><para>This parameter is only available if Samba has been
+ configure to include the <command>--with-ldapsam</command> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </para>
+
+ <para>
+ This option is used to define whether or not Samba should
+ use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap
+ server</parameter></link>. This is <emphasis>NOT</emphasis> related to
+ Samba SSL support which is enabled by specifying the
+ <command>--with-ssl</command> option to the <filename>configure</filename>
+ script (see <link linkend="SSL"><parameter>ssl</parameter></link>).
+ </para>
+
+ <para>
+ The <parameter>ldap ssl</parameter> can be set to one of three values:
+ (a) <constant>on</constant> - Always use SSL when contacting the
+ <parameter>ldap server</parameter>, (b) <constant>off</constant> -
+ Never use SSL when querying the directory, or (c) <constant>start_tls</constant>
+ - Use the LDAPv3 StartTLS extended operation
+ (RFC2830) for communicating with the directory server.
+ </para>
+
+
+ <para>Default : <command>ldap ssl = on</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LDAPSUFFIX">ldap suffix (G)</term>
+ <listitem><para>This parameter is only available if Samba has been
+ configure to include the <command>--with-ldapsam</command> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </para>
+
+
+
+ <para>Default : <emphasis>none</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term>
+ <listitem><para>This parameter controls whether Samba supports
+ level2 (read-only) oplocks on a share.</para>
+
+ <para>Level2, or read-only oplocks allow Windows NT clients
+ that have an oplock on a file to downgrade from a read-write oplock
+ to a read-only oplock once a second client opens the file (instead
+ of releasing all oplocks on a second open, as in traditional,
+ exclusive oplocks). This allows all openers of the file that
+ support level2 oplocks to cache the file for read-ahead only (ie.
+ they may not cache writes or lock requests) and increases performance
+ for many accesses of files that are not commonly written (such as
+ application .EXE files).</para>
+
+ <para>Once one of the clients which have a read-only oplock
+ writes to the file all clients are notified (no reply is needed
+ or waited for) and told to break their oplocks to "none" and
+ delete any read-ahead caches.</para>
+
+ <para>It is recommended that this parameter be turned on
+ to speed access to shared executables.</para>
+
+ <para>For more discussions on level2 oplocks see the CIFS spec.</para>
+
+ <para>Currently, if <link linkend="KERNELOPLOCKS"><parameter>kernel
+ oplocks</parameter></link> are supported then level2 oplocks are
+ not granted (even if this parameter is set to <constant>yes</constant>).
+ Note also, the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
+ </link> parameter must be set to <constant>true</constant> on this share in order for
+ this parameter to have any effect.</para>
+
+ <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
+ </link> and <link linkend="OPLOCKS"><parameter>kernel oplocks</parameter>
+ </link> parameters.</para>
+
+ <para>Default: <command>level2 oplocks = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LMANNOUNCE">lm announce (G)</term>
+ <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
+ <command>nmbd(8)</command></ulink> will produce Lanman announce
+ broadcasts that are needed by OS/2 clients in order for them to see
+ the Samba server in their browse list. This parameter can have three
+ values, <constant>true</constant>, <constant>false</constant>, or
+ <constant>auto</constant>. The default is <constant>auto</constant>.
+ If set to <constant>false</constant> Samba will never produce these
+ broadcasts. If set to <constant>true</constant> Samba will produce
+ Lanman announce broadcasts at a frequency set by the parameter
+ <parameter>lm interval</parameter>. If set to <constant>auto</constant>
+ Samba will not send Lanman announce broadcasts by default but will
+ listen for them. If it hears such a broadcast on the wire it will
+ then start sending them at a frequency set by the parameter
+ <parameter>lm interval</parameter>.</para>
+
+ <para>See also <link linkend="LMINTERVAL"><parameter>lm interval
+ </parameter></link>.</para>
+
+ <para>Default: <command>lm announce = auto</command></para>
+ <para>Example: <command>lm announce = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LMINTERVAL">lm interval (G)</term>
+ <listitem><para>If Samba is set to produce Lanman announce
+ broadcasts needed by OS/2 clients (see the <link linkend="LMANNOUNCE">
+ <parameter>lm announce</parameter></link> parameter) then this
+ parameter defines the frequency in seconds with which they will be
+ made. If this is set to zero then no Lanman announcements will be
+ made despite the setting of the <parameter>lm announce</parameter>
+ parameter.</para>
+
+ <para>See also <link linkend="LMANNOUNCE"><parameter>lm
+ announce</parameter></link>.</para>
+
+ <para>Default: <command>lm interval = 60</command></para>
+ <para>Example: <command>lm interval = 120</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOADPRINTERS">load printers (G)</term>
+ <listitem><para>A boolean variable that controls whether all
+ printers in the printcap will be loaded for browsing by default.
+ See the <link linkend="PRINTERSSECT">printers</link> section for
+ more details.</para>
+
+ <para>Default: <command>load printers = yes</command></para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCALMASTER">local master (G)</term>
+ <listitem><para>This option allows <ulink url="nmbd.8.html"><command>
+ nmbd(8)</command></ulink> to try and become a local master browser
+ on a subnet. If set to <constant>false</constant> then <command>
+ nmbd</command> will not attempt to become a local master browser
+ on a subnet and will also lose in all browsing elections. By
+ default this value is set to <constant>true</constant>. Setting this value to <constant>true</constant> doesn't
+ mean that Samba will <emphasis>become</emphasis> the local master
+ browser on a subnet, just that <command>nmbd</command> will <emphasis>
+ participate</emphasis> in elections for local master browser.</para>
+
+ <para>Setting this value to <constant>false</constant> will cause <command>nmbd</command>
+ <emphasis>never</emphasis> to become a local master browser.</para>
+
+ <para>Default: <command>local master = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCKDIR">lock dir (G)</term>
+ <listitem><para>Synonym for <link linkend="LOCKDIRECTORY"><parameter>
+ lock directory</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCKDIRECTORY">lock directory (G)</term>
+ <listitem><para>This option specifies the directory where lock
+ files will be placed. The lock files are used to implement the
+ <link linkend="MAXCONNECTIONS"><parameter>max connections</parameter>
+ </link> option.</para>
+
+ <para>Default: <command>lock directory = ${prefix}/var/locks</command></para>
+ <para>Example: <command>lock directory = /var/run/samba/locks</command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOCKING">locking (S)</term>
+ <listitem><para>This controls whether or not locking will be
+ performed by the server in response to lock requests from the
+ client.</para>
+
+ <para>If <command>locking = no</command>, all lock and unlock
+ requests will appear to succeed and all lock queries will report
+ that the file in question is available for locking.</para>
+
+ <para>If <command>locking = yes</command>, real locking will be performed
+ by the server.</para>
+
+ <para>This option <emphasis>may</emphasis> be useful for read-only
+ filesystems which <emphasis>may</emphasis> not need locking (such as
+ CDROM drives), although setting this parameter of <constant>no</constant>
+ is not really recommended even in this case.</para>
+
+ <para>Be careful about disabling locking either globally or in a
+ specific service, as lack of locking may result in data corruption.
+ You should never need to set this parameter.</para>
+
+ <para>Default: <command>locking = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGFILE">log file (G)</term>
+ <listitem><para>This option allows you to override the name
+ of the Samba log file (also known as the debug file).</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate log files for each user or machine.</para>
+
+ <para>Example: <command>log file = /usr/local/samba/var/log.%m
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGLEVEL">log level (G)</term>
+ <listitem><para>The value of the parameter (an integer) allows
+ the debug level (logging level) to be specified in the
+ <filename>smb.conf</filename> file. This is to give greater
+ flexibility in the configuration of the system.</para>
+
+ <para>The default will be the log level specified on
+ the command line or level zero if none was specified.</para>
+
+ <para>Example: <command>log level = 3</command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGONDRIVE">logon drive (G)</term>
+ <listitem><para>This parameter specifies the local path to
+ which the home directory will be connected (see <link
+ linkend="LOGONHOME"><parameter>logon home</parameter></link>)
+ and is only used by NT Workstations. </para>
+
+ <para>Note that this option is only useful if Samba is set up as a
+ logon server.</para>
+
+ <para>Default: <command>logon drive = z:</command></para>
+ <para>Example: <command>logon drive = h:</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGONHOME">logon home (G)</term>
+ <listitem><para>This parameter specifies the home directory
+ location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do </para>
+
+ <para><prompt>C:\> </prompt><userinput>NET USE H: /HOME</userinput>
+ </para>
+
+ <para>from a command prompt, for example.</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</para>
+
+ <para>This parameter can be used with Win9X workstations to ensure
+ that roaming profiles are stored in a subdirectory of the user's
+ home directory. This is done in the following way:</para>
+
+ <para><command>logon home = \\%N\%U\profile</command></para>
+
+ <para>This tells Samba to return the above string, with
+ substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to
+ \\server\share when a user does <command>net use /home</command>
+ but use the whole string when dealing with profiles.</para>
+
+ <para>Note that in prior versions of Samba, the <link linkend="LOGONPATH">
+ <parameter>logon path</parameter></link> was returned rather than
+ <parameter>logon home</parameter>. This broke <command>net use
+ /home</command> but allowed profiles outside the home directory.
+ The current implementation is correct, and can be used for
+ profiles if you use the above trick.</para>
+
+ <para>This option is only useful if Samba is set up as a logon
+ server.</para>
+
+ <para>Default: <command>logon home = "\\%N\%U"</command></para>
+ <para>Example: <command>logon home = "\\remote_smb_server\%U"</command>
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="LOGONPATH">logon path (G)</term>
+ <listitem><para>This parameter specifies the home directory
+ where roaming profiles (NTuser.dat etc files for Windows NT) are
+ stored. Contrary to previous versions of these manual pages, it has
+ nothing to do with Win 9X roaming profiles. To find out how to
+ handle roaming profiles for Win 9X system, see the <link linkend="LOGONHOME">
+ <parameter>logon home</parameter></link> parameter.</para>
+
+ <para>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine. It also
+ specifies the directory from which the "Application Data",
+ (<filename>desktop</filename>, <filename>start menu</filename>,
+ <filename>network neighborhood</filename>, <filename>programs</filename>
+ and other folders, and their contents, are loaded and displayed on
+ your Windows NT client.</para>
+
+ <para>The share and the path must be readable by the user for
+ the preferences and directories to be loaded onto the Windows NT
+ client. The share must be writeable when the user logs in for the first
+ time, in order that the Windows NT client can create the NTuser.dat
+ and other directories.</para>
+
+ <para>Thereafter, the directories and any of the contents can,
+ if required, be made read-only. It is not advisable that the
+ NTuser.dat file be made read-only - rename it to NTuser.man to
+ achieve the desired effect (a <emphasis>MAN</emphasis>datory
+ profile). </para>
+
+ <para>Windows clients can sometimes maintain a connection to
+ the [homes] share, even though there is no user logged in.
+ Therefore, it is vital that the logon path does not include a
+ reference to the homes share (i.e. setting this parameter to
+ \%N\%U\profile_path will cause problems).</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</para>
+
+ <para>Note that this option is only useful if Samba is set up
+ as a logon server.</para>
+
+ <para>Default: <command>logon path = \\%N\%U\profile</command></para>
+ <para>Example: <command>logon path = \\PROFILESERVER\PROFILE\%U</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LOGONSCRIPT">logon script (G)</term>
+ <listitem><para>This parameter specifies the batch file (.bat) or
+ NT command file (.cmd) to be downloaded and run on a machine when
+ a user successfully logs in. The file must contain the DOS
+ style CR/LF line endings. Using a DOS-style editor to create the
+ file is recommended.</para>
+
+ <para>The script must be a relative path to the [netlogon]
+ service. If the [netlogon] service specifies a <link linkend="PATH">
+ <parameter>path</parameter></link> of <filename>/usr/local/samba/netlogon
+ </filename>, and <command>logon script = STARTUP.BAT</command>, then
+ the file that will be downloaded is:</para>
+
+ <para><filename>/usr/local/samba/netlogon/STARTUP.BAT</filename></para>
+
+ <para>The contents of the batch file are entirely your choice. A
+ suggested command would be to add <command>NET TIME \\SERVER /SET
+ /YES</command>, to force every machine to synchronize clocks with
+ the same time server. Another use would be to add <command>NET USE
+ U: \\SERVER\UTILS</command> for commonly used utilities, or <command>
+ NET USE Q: \\SERVER\ISO9001_QA</command> for example.</para>
+
+ <para>Note that it is particularly important not to allow write
+ access to the [netlogon] share, or to grant users write permission
+ on the batch files in a secure environment, as this would allow
+ the batch files to be arbitrarily modified and security to be
+ breached.</para>
+
+ <para>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine.</para>
+
+ <para>This option is only useful if Samba is set up as a logon
+ server.</para>
+
+ <para>Default: <emphasis>no logon script defined</emphasis></para>
+ <para>Example: <command>logon script = scripts\%U.bat</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPPAUSECOMMAND">lppause command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to stop printing or spooling
+ a specific print job.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name and job number to pause the print job. One way
+ of implementing this is by using job priorities, where jobs
+ having a too low priority won't be sent to the printer.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printer name
+ is put in its place. A <parameter>%j</parameter> is replaced with
+ the job number (an integer). On HPUX (see <parameter>printing=hpux
+ </parameter>), if the <parameter>-p%p</parameter> option is added
+ to the lpq command, the job will show up with the correct status, i.e.
+ if the job priority is lower than the set fence priority it will
+ have the PAUSED status, whereas if the priority is equal or higher it
+ will have the SPOOLED or PRINTING status.</para>
+
+ <para>Note that it is good practice to include the absolute path
+ in the lppause command as the PATH may not be available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: Currently no default value is given to
+ this string, unless the value of the <parameter>printing</parameter>
+ parameter is <constant>SYSV</constant>, in which case the default is :</para>
+
+ <para><command>lp -i %p-%j -H hold</command></para>
+
+ <para>or if the value of the <parameter>printing</parameter> parameter
+ is <constant>SOFTQ</constant>, then the default is:</para>
+
+ <para><command>qstat -s -j%j -h</command></para>
+
+ <para>Example for HPUX: <command>lppause command = /usr/bin/lpalt
+ %p-%j -p0</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPQCACHETIME">lpq cache time (G)</term>
+ <listitem><para>This controls how long lpq info will be cached
+ for to prevent the <command>lpq</command> command being called too
+ often. A separate cache is kept for each variation of the <command>
+ lpq</command> command used by the system, so if you use different
+ <command>lpq</command> commands for different users then they won't
+ share cache information.</para>
+
+ <para>The cache files are stored in <filename>/tmp/lpq.xxxx</filename>
+ where xxxx is a hash of the <command>lpq</command> command in use.</para>
+
+ <para>The default is 10 seconds, meaning that the cached results
+ of a previous identical <command>lpq</command> command will be used
+ if the cached data is less than 10 seconds old. A large value may
+ be advisable if your <command>lpq</command> command is very slow.</para>
+
+ <para>A value of 0 will disable caching completely.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command>lpq cache time = 10</command></para>
+ <para>Example: <command>lpq cache time = 30</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPQCOMMAND">lpq command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to obtain <command>lpq
+ </command>-style printer status information.</para>
+
+ <para>This command should be a program or script which
+ takes a printer name as its only parameter and outputs printer
+ status information.</para>
+
+ <para>Currently eight styles of printer status information
+ are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
+ This covers most UNIX systems. You control which type is expected
+ using the <parameter>printing =</parameter> option.</para>
+
+ <para>Some clients (notably Windows for Workgroups) may not
+ correctly send the connection number for the printer they are
+ requesting status information about. To get around this, the
+ server reports on the first printer service connected to by the
+ client. This only happens if the connection number sent is invalid.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the
+ command.</para>
+
+ <para>Note that it is good practice to include the absolute path
+ in the <parameter>lpq command</parameter> as the <envar>$PATH
+ </envar> may not be available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter>
+ printing</parameter></emphasis></para>
+
+ <para>Example: <command>lpq command = /usr/bin/lpq -P%p</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPRESUMECOMMAND">lpresume command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to restart or continue
+ printing or spooling a specific print job.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name and job number to resume the print job. See
+ also the <link linkend="LPPAUSECOMMAND"><parameter>lppause command
+ </parameter></link> parameter.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printer name
+ is put in its place. A <parameter>%j</parameter> is replaced with
+ the job number (an integer).</para>
+
+ <para>Note that it is good practice to include the absolute path
+ in the <parameter>lpresume command</parameter> as the PATH may not
+ be available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: Currently no default value is given
+ to this string, unless the value of the <parameter>printing</parameter>
+ parameter is <constant>SYSV</constant>, in which case the default is :</para>
+
+ <para><command>lp -i %p-%j -H resume</command></para>
+
+ <para>or if the value of the <parameter>printing</parameter> parameter
+ is <constant>SOFTQ</constant>, then the default is:</para>
+
+ <para><command>qstat -s -j%j -r</command></para>
+
+ <para>Example for HPUX: <command>lpresume command = /usr/bin/lpalt
+ %p-%j -p2</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="LPRMCOMMAND">lprm command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to delete a print job.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name and job number, and deletes the print job.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printer name
+ is put in its place. A <parameter>%j</parameter> is replaced with
+ the job number (an integer).</para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the <parameter>lprm command</parameter> as the PATH may not be
+ available to the server.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter>printing
+ </parameter></emphasis></para>
+
+ <para>Example 1: <command>lprm command = /usr/bin/lprm -P%p %j
+ </command></para>
+ <para>Example 2: <command>lprm command = /usr/bin/cancel %p-%j
+ </command></para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MACHINEPASSWORDTIMEOUT">machine password timeout (G)</term>
+ <listitem><para>If a Samba server is a member of a Windows
+ NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>)
+ parameter) then periodically a running <ulink url="smbd.8.html">
+ smbd(8)</ulink> process will try and change the MACHINE ACCOUNT
+ PASSWORD stored in the TDB called <filename>private/secrets.tdb
+ </filename>. This parameter specifies how often this password
+ will be changed, in seconds. The default is one week (expressed in
+ seconds), the same as a Windows NT Domain member server.</para>
+
+ <para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8)
+ </command></ulink>, and the <link linkend="SECURITYEQUALSDOMAIN">
+ security = domain</link>) parameter.</para>
+
+ <para>Default: <command>machine password timeout = 604800</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MAGICOUTPUT">magic output (S)</term>
+ <listitem><para>This parameter specifies the name of a file
+ which will contain output created by a magic script (see the
+ <link linkend="MAGICSCRIPT"><parameter>magic script</parameter></link>
+ parameter below).</para>
+
+ <para>Warning: If two clients use the same <parameter>magic script
+ </parameter> in the same directory the output file content
+ is undefined.</para>
+
+ <para>Default: <command>magic output = &lt;magic script name&gt;.out
+ </command></para>
+
+ <para>Example: <command>magic output = myfile.txt</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAGICSCRIPT">magic script (S)</term>
+ <listitem><para>This parameter specifies the name of a file which,
+ if opened, will be executed by the server when the file is closed.
+ This allows a UNIX script to be sent to the Samba host and
+ executed on behalf of the connected user.</para>
+
+ <para>Scripts executed in this way will be deleted upon
+ completion assuming that the user has the appropriate level
+ of privilege and the file permissions allow the deletion.</para>
+
+ <para>If the script generates output, output will be sent to
+ the file specified by the <link linkend="MAGICOUTPUT"><parameter>
+ magic output</parameter></link> parameter (see above).</para>
+
+ <para>Note that some shells are unable to interpret scripts
+ containing CR/LF instead of CR as
+ the end-of-line marker. Magic scripts must be executable
+ <emphasis>as is</emphasis> on the host, which for some hosts and
+ some shells will require filtering at the DOS end.</para>
+
+ <para>Magic scripts are <emphasis>EXPERIMENTAL</emphasis> and
+ should <emphasis>NOT</emphasis> be relied upon.</para>
+
+ <para>Default: <emphasis>None. Magic scripts disabled.</emphasis></para>
+ <para>Example: <command>magic script = user.csh</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MANGLECASE">mangle case (S)</term>
+ <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING</link></para>
+
+ <para>Default: <command>mangle case = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MANGLEDMAP">mangled map (S)</term>
+ <listitem><para>This is for those who want to directly map UNIX
+ file names which cannot be represented on Windows/DOS. The mangling
+ of names is not always what is needed. In particular you may have
+ documents with file extensions that differ between DOS and UNIX.
+ For example, under UNIX it is common to use <filename>.html</filename>
+ for HTML files, whereas under Windows/DOS <filename>.htm</filename>
+ is more commonly used.</para>
+
+ <para>So to map <filename>html</filename> to <filename>htm</filename>
+ you would use:</para>
+
+ <para><command>mangled map = (*.html *.htm)</command></para>
+
+ <para>One very useful case is to remove the annoying <filename>;1
+ </filename> off the ends of filenames on some CDROMs (only visible
+ under some UNIXes). To do this use a map of (*;1 *;).</para>
+
+ <para>Default: <emphasis>no mangled map</emphasis></para>
+ <para>Example: <command>mangled map = (*;1 *;)</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MANGLEDNAMES">mangled names (S)</term>
+ <listitem><para>This controls whether non-DOS names under UNIX
+ should be mapped to DOS-compatible names ("mangled") and made visible,
+ or whether non-DOS names should simply be ignored.</para>
+
+ <para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING</link> for details on how to control the mangling process.</para>
+
+ <para>If mangling is used then the mangling algorithm is as follows:</para>
+
+ <itemizedlist>
+ <listitem><para>The first (up to) five alphanumeric characters
+ before the rightmost dot of the filename are preserved, forced
+ to upper case, and appear as the first (up to) five characters
+ of the mangled name.</para></listitem>
+
+ <listitem><para>A tilde "~" is appended to the first part of the mangled
+ name, followed by a two-character unique sequence, based on the
+ original root name (i.e., the original filename minus its final
+ extension). The final extension is included in the hash calculation
+ only if it contains any upper case characters or is longer than three
+ characters.</para>
+
+ <para>Note that the character to use may be specified using
+ the <link linkend="MANGLINGCHAR"><parameter>mangling char</parameter>
+ </link> option, if you don't like '~'.</para></listitem>
+
+ <listitem><para>The first three alphanumeric characters of the final
+ extension are preserved, forced to upper case and appear as the
+ extension of the mangled name. The final extension is defined as that
+ part of the original filename after the rightmost dot. If there are no
+ dots in the filename, the mangled name will have no extension (except
+ in the case of "hidden files" - see below).</para></listitem>
+
+ <listitem><para>Files whose UNIX name begins with a dot will be
+ presented as DOS hidden files. The mangled name will be created as
+ for other filenames, but with the leading dot removed and "___" as
+ its extension regardless of actual original extension (that's three
+ underscores).</para></listitem>
+ </itemizedlist>
+
+ <para>The two-digit hash value consists of upper case
+ alphanumeric characters.</para>
+
+ <para>This algorithm can cause name collisions only if files
+ in a directory share the same first five alphanumeric characters.
+ The probability of such a clash is 1/1300.</para>
+
+ <para>The name mangling (if enabled) allows a file to be
+ copied between UNIX directories from Windows/DOS while retaining
+ the long UNIX filename. UNIX files can be renamed to a new extension
+ from Windows/DOS and will retain the same basename. Mangled names
+ do not change between sessions.</para>
+
+ <para>Default: <command>mangled names = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MANGLEDSTACK">mangled stack (G)</term>
+ <listitem><para>This parameter controls the number of mangled names
+ that should be cached in the Samba server <ulink url="smbd.8.html">
+ smbd(8)</ulink>.</para>
+
+ <para>This stack is a list of recently mangled base names
+ (extensions are only maintained if they are longer than 3 characters
+ or contains upper case characters).</para>
+
+ <para>The larger this value, the more likely it is that mangled
+ names can be successfully converted to correct long UNIX names.
+ However, large stack sizes will slow most directory accesses. Smaller
+ stacks save memory in the server (each stack element costs 256 bytes).
+ </para>
+
+ <para>It is not possible to absolutely guarantee correct long
+ filenames, so be prepared for some surprises!</para>
+
+ <para>Default: <command>mangled stack = 50</command></para>
+ <para>Example: <command>mangled stack = 100</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="MANGLINGCHAR">mangling char (S)</term>
+ <listitem><para>This controls what character is used as
+ the <emphasis>magic</emphasis> character in <link
+ linkend="NAMEMANGLINGSECT">name mangling</link>. The default is a '~'
+ but this may interfere with some software. Use this option to set
+ it to whatever you prefer.</para>
+
+ <para>Default: <command>mangling char = ~</command></para>
+ <para>Example: <command>mangling char = ^</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="MAPARCHIVE">map archive (S)</term>
+ <listitem><para>This controls whether the DOS archive attribute
+ should be mapped to the UNIX owner execute bit. The DOS archive bit
+ is set when a file has been modified since its last backup. One
+ motivation for this option it to keep Samba/your PC from making
+ any file it touches from becoming executable under UNIX. This can
+ be quite annoying for shared source code, documents, etc...</para>
+
+ <para>Note that this requires the <parameter>create mask</parameter>
+ parameter to be set such that owner execute bit is not masked out
+ (i.e. it must include 100). See the parameter <link linkend="CREATEMASK">
+ <parameter>create mask</parameter></link> for details.</para>
+
+ <para>Default: <command>map archive = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAPHIDDEN">map hidden (S)</term>
+ <listitem><para>This controls whether DOS style hidden files
+ should be mapped to the UNIX world execute bit.</para>
+
+ <para>Note that this requires the <parameter>create mask</parameter>
+ to be set such that the world execute bit is not masked out (i.e.
+ it must include 001). See the parameter <link linkend="CREATEMASK">
+ <parameter>create mask</parameter></link> for details.</para>
+
+ <para>Default: <command>map hidden = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MAPSYSTEM">map system (S)</term>
+ <listitem><para>This controls whether DOS style system files
+ should be mapped to the UNIX group execute bit.</para>
+
+ <para>Note that this requires the <parameter>create mask</parameter>
+ to be set such that the group execute bit is not masked out (i.e.
+ it must include 010). See the parameter <link linkend="CREATEMASK">
+ <parameter>create mask</parameter></link> for details.</para>
+
+ <para>Default: <command>map system = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MAPTOGUEST">map to guest (G)</term>
+ <listitem><para>This parameter is only useful in <link linkend="SECURITY">
+ security</link> modes other than <parameter>security = share</parameter>
+ - i.e. <constant>user</constant>, <constant>server</constant>,
+ and <constant>domain</constant>.</para>
+
+ <para>This parameter can take three different values, which tell
+ <ulink url="smbd.8.html">smbd(8)</ulink> what to do with user
+ login requests that don't match a valid UNIX user in some way.</para>
+
+ <para>The three settings are :</para>
+
+ <itemizedlist>
+ <listitem><para><constant>Never</constant> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</para></listitem>
+
+ <listitem><para><constant>Bad User</constant> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <link linkend="GUESTACCOUNT"><parameter>
+ guest account</parameter></link>.</para></listitem>
+
+ <listitem><para><constant>Bad Password</constant> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as "guest" - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <emphasis>hate</emphasis> you if you set the <parameter>map to
+ guest</parameter> parameter this way :-).</para></listitem>
+ </itemizedlist>
+
+ <para>Note that this parameter is needed to set up "Guest"
+ share services when using <parameter>security</parameter> modes other than
+ share. This is because in these modes the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for "Guest" shares.</para>
+
+ <para>For people familiar with the older Samba releases, this
+ parameter maps to the old compile-time setting of the <constant>
+ GUEST_SESSSETUP</constant> value in local.h.</para>
+
+ <para>Default: <command>map to guest = Never</command></para>
+ <para>Example: <command>map to guest = Bad User</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXCONNECTIONS">max connections (S)</term>
+ <listitem><para>This option allows the number of simultaneous
+ connections to a service to be limited. If <parameter>max connections
+ </parameter> is greater than 0 then connections will be refused if
+ this number of connections to the service are already open. A value
+ of zero mean an unlimited number of connections may be made.</para>
+
+ <para>Record lock files are used to implement this feature. The
+ lock files will be stored in the directory specified by the <link
+ linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link>
+ option.</para>
+
+ <para>Default: <command>max connections = 0</command></para>
+ <para>Example: <command>max connections = 10</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXDISKSIZE">max disk size (G)</term>
+ <listitem><para>This option allows you to put an upper limit
+ on the apparent size of disks. If you set this option to 100
+ then all shares will appear to be not larger than 100 MB in
+ size.</para>
+
+ <para>Note that this option does not limit the amount of
+ data you can put on the disk. In the above case you could still
+ store much more than 100 MB on the disk, but if a client ever asks
+ for the amount of free disk space or the total disk size then the
+ result will be bounded by the amount specified in <parameter>max
+ disk size</parameter>.</para>
+
+ <para>This option is primarily useful to work around bugs
+ in some pieces of software that can't handle very large disks,
+ particularly disks over 1GB in size.</para>
+
+ <para>A <parameter>max disk size</parameter> of 0 means no limit.</para>
+
+ <para>Default: <command>max disk size = 0</command></para>
+ <para>Example: <command>max disk size = 1000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXLOGSIZE">max log size (G)</term>
+ <listitem><para>This option (an integer in kilobytes) specifies
+ the max size the log file should grow to. Samba periodically checks
+ the size and if it is exceeded it will rename the file, adding
+ a <filename>.old</filename> extension.</para>
+
+ <para>A size of 0 means no limit.</para>
+
+ <para>Default: <command>max log size = 5000</command></para>
+ <para>Example: <command>max log size = 1000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXMUX">max mux (G)</term>
+ <listitem><para>This option controls the maximum number of
+ outstanding simultaneous SMB operations that Samba tells the client
+ it will allow. You should never need to set this parameter.</para>
+
+ <para>Default: <command>max mux = 50</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXOPENFILES">max open files (G)</term>
+ <listitem><para>This parameter limits the maximum number of
+ open files that one <ulink url="smbd.8.html">smbd(8)</ulink> file
+ serving process may have open for a client at any one time. The
+ default for this parameter is set very high (10,000) as Samba uses
+ only one bit per unopened file.</para>
+
+ <para>The limit of the number of open files is usually set
+ by the UNIX per-process file descriptor limit rather than
+ this parameter so you should never need to touch this parameter.</para>
+
+ <para>Default: <command>max open files = 10000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXPRINTJOBS">max print jobs (S)</term>
+ <listitem><para>This parameter limits the maximum number of
+ jobs allowable in a Samba printer queue at any given moment.
+ If this number is exceeded, <ulink url="smbd.8.html"><command>
+ smbd(8)</command></ulink> will remote "Out of Space" to the client.
+ See all <link linkend="TOTALPRINTJOBS"><parameter>total
+ print jobs</parameter></link>.
+ </para>
+
+ <para>Default: <command>max print jobs = 1000</command></para>
+ <para>Example: <command>max print jobs = 5000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="MAXPROTOCOL">max protocol (G)</term>
+ <listitem><para>The value of the parameter (a string) is the highest
+ protocol level that will be supported by the server.</para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem><para><constant>CORE</constant>: Earliest version. No
+ concept of user names.</para></listitem>
+
+ <listitem><para><constant>COREPLUS</constant>: Slight improvements on
+ CORE for efficiency.</para></listitem>
+
+ <listitem><para><constant>LANMAN1</constant>: First <emphasis>
+ modern</emphasis> version of the protocol. Long filename
+ support.</para></listitem>
+
+ <listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.
+ </para></listitem>
+
+ <listitem><para><constant>NT1</constant>: Current up to date version of
+ the protocol. Used by Windows NT. Known as CIFS.</para></listitem>
+ </itemizedlist>
+
+ <para>Normally this option should not be set as the automatic
+ negotiation phase in the SMB protocol takes care of choosing
+ the appropriate protocol.</para>
+
+ <para>See also <link linkend="MINPROTOCOL"><parameter>min
+ protocol</parameter></link></para>
+
+ <para>Default: <command>max protocol = NT1</command></para>
+ <para>Example: <command>max protocol = LANMAN1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXSMBDPROCESSES">max smbd processes (G)</term>
+ <listitem><para>This parameter limits the maximum number of
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ processes concurrently running on a system and is intended
+ as a stopgap to prevent degrading service to clients in the event
+ that the server has insufficient resources to handle more than this
+ number of connections. Remember that under normal operating
+ conditions, each user will have an <ulink url="smbd.8.html">smbd</ulink> associated with him or her
+ to handle connections to all shares from a given host.
+ </para>
+
+ <para>Default: <command>max smbd processes = 0</command> ## no limit</para>
+ <para>Example: <command>max smbd processes = 1000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXTTL">max ttl (G)</term>
+ <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ what the default 'time to live' of NetBIOS names should be (in seconds)
+ when <command>nmbd</command> is requesting a name using either a
+ broadcast packet or from a WINS server. You should never need to
+ change this parameter. The default is 3 days.</para>
+
+ <para>Default: <command>max ttl = 259200</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXWINSTTL">max wins ttl (G)</term>
+ <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)
+ </ulink> when acting as a WINS server (<link linkend="WINSSUPPORT">
+ <parameter>wins support = yes</parameter></link>) what the maximum
+ 'time to live' of NetBIOS names that <command>nmbd</command>
+ will grant will be (in seconds). You should never need to change this
+ parameter. The default is 6 days (518400 seconds).</para>
+
+ <para>See also the <link linkend="MINWINSTTL"><parameter>min
+ wins ttl</parameter></link> parameter.</para>
+
+ <para>Default: <command>max wins ttl = 518400</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MAXXMIT">max xmit (G)</term>
+ <listitem><para>This option controls the maximum packet size
+ that will be negotiated by Samba. The default is 65535, which
+ is the maximum. In some cases you may find you get better performance
+ with a smaller value. A value below 2048 is likely to cause problems.
+ </para>
+
+ <para>Default: <command>max xmit = 65535</command></para>
+ <para>Example: <command>max xmit = 8192</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MESSAGECOMMAND">message command (G)</term>
+ <listitem><para>This specifies what command to run when the
+ server receives a WinPopup style message.</para>
+
+ <para>This would normally be a command that would
+ deliver the message somehow. How this is to be done is
+ up to your imagination.</para>
+
+ <para>An example is:</para>
+
+ <para><command>message command = csh -c 'xedit %s;rm %s' &</command>
+ </para>
+
+ <para>This delivers the message using <command>xedit</command>, then
+ removes it afterwards. <emphasis>NOTE THAT IT IS VERY IMPORTANT
+ THAT THIS COMMAND RETURN IMMEDIATELY</emphasis>. That's why I
+ have the '&' on the end. If it doesn't return immediately then
+ your PCs may freeze when sending messages (they should recover
+ after 30 seconds, hopefully).</para>
+
+ <para>All messages are delivered as the global guest user.
+ The command takes the standard substitutions, although <parameter>
+ %u</parameter> won't work (<parameter>%U</parameter> may be better
+ in this case).</para>
+
+ <para>Apart from the standard substitutions, some additional
+ ones apply. In particular:</para>
+
+ <itemizedlist>
+ <listitem><para><parameter>%s</parameter> = the filename containing
+ the message.</para></listitem>
+
+ <listitem><para><parameter>%t</parameter> = the destination that
+ the message was sent to (probably the server name).</para></listitem>
+
+ <listitem><para><parameter>%f</parameter> = who the message
+ is from.</para></listitem>
+ </itemizedlist>
+
+ <para>You could make this command send mail, or whatever else
+ takes your fancy. Please let us know of any really interesting
+ ideas you have.</para>
+
+
+ <para>Here's a way of sending the messages as mail to root:</para>
+
+ <para><command>message command = /bin/mail -s 'message from %f on
+ %m' root &lt; %s; rm %s</command></para>
+
+ <para>If you don't have a message command then the message
+ won't be delivered and Samba will tell the sender there was
+ an error. Unfortunately WfWg totally ignores the error code
+ and carries on regardless, saying that the message was delivered.
+ </para>
+
+ <para>If you want to silently delete it then try:</para>
+
+ <para><command>message command = rm %s</command></para>
+
+ <para>Default: <emphasis>no message command</emphasis></para>
+ <para>Example: <command>message command = csh -c 'xedit %s;
+ rm %s' &</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="MINPASSWDLENGTH">min passwd length (G)</term>
+ <listitem><para>Synonym for <link linkend="MINPASSWORDLENGTH">
+ <parameter>min password length</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MINPASSWORDLENGTH">min password length (G)</term>
+ <listitem><para>This option sets the minimum length in characters
+ of a plaintext password that <command>smbd</command> will accept when performing
+ UNIX password changing.</para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
+ password sync</parameter></link>, <link linkend="PASSWDPROGRAM">
+ <parameter>passwd program</parameter></link> and <link
+ linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter>
+ </link>.</para>
+
+ <para>Default: <command>min password length = 5</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="MINPRINTSPACE">min print space (S)</term>
+ <listitem><para>This sets the minimum amount of free disk
+ space that must be available before a user will be able to spool
+ a print job. It is specified in kilobytes. The default is 0, which
+ means a user can always spool a print job.</para>
+
+ <para>See also the <link linkend="PRINTING"><parameter>printing
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command>min print space = 0</command></para>
+ <para>Example: <command>min print space = 2000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="MINPROTOCOL">min protocol (G)</term>
+ <listitem><para>The value of the parameter (a string) is the
+ lowest SMB protocol dialect than Samba will support. Please refer
+ to the <link linkend="MAXPROTOCOL"><parameter>max protocol</parameter></link>
+ parameter for a list of valid protocol names and a brief description
+ of each. You may also wish to refer to the C source code in
+ <filename>source/smbd/negprot.c</filename> for a listing of known protocol
+ dialects supported by clients.</para>
+
+ <para>If you are viewing this parameter as a security measure, you should
+ also refer to the <link linkend="LANMANAUTH"><parameter>lanman
+ auth</parameter></link> parameter. Otherwise, you should never need
+ to change this parameter.</para>
+
+ <para>Default : <command>min protocol = CORE</command></para>
+ <para>Example : <command>min protocol = NT1</command> # disable DOS
+ clients</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="MINWINSTTL">min wins ttl (G)</term>
+ <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ when acting as a WINS server (<link linkend="WINSSUPPORT"><parameter>
+ wins support = yes</parameter></link>) what the minimum 'time to live'
+ of NetBIOS names that <command>nmbd</command> will grant will be (in
+ seconds). You should never need to change this parameter. The default
+ is 6 hours (21600 seconds).</para>
+
+ <para>Default: <command>min wins ttl = 21600</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="MSDFSROOT">msdfs root (S)</term>
+ <listitem><para>This boolean parameter is only available if
+ Samba is configured and compiled with the <command>
+ --with-msdfs</command> option. If set to <constant>yes</constant>,
+ Samba treats the share as a Dfs root and allows clients to browse
+ the distributed file system tree rooted at the share directory.
+ Dfs links are specified in the share directory by symbolic
+ links of the form <filename>msdfs:serverA\shareA,serverB\shareB
+ </filename> and so on. For more information on setting up a Dfs tree
+ on Samba, refer to <ulink url="msdfs_setup.html">msdfs_setup.html
+ </ulink>.</para>
+
+ <para>See also <link linkend="HOSTMSDFS"><parameter>host msdfs
+ </parameter></link></para>
+
+ <para>Default: <command>msdfs root = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="NAMERESOLVEORDER">name resolve order (G)</term>
+ <listitem><para>This option is used by the programs in the Samba
+ suite to determine what naming services to use and in what order
+ to resolve host names to IP addresses. The option takes a space
+ separated string of name resolution options.</para>
+
+ <para>The options are :"lmhosts", "host", "wins" and "bcast". They
+ cause names to be resolved as follows :</para>
+
+ <itemizedlist>
+ <listitem><para><constant>lmhosts</constant> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <ulink
+ url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ any name type matches for lookup.</para></listitem>
+
+ <listitem><para><constant>host</constant> : Do a standard host
+ name to IP address resolution, using the system <filename>/etc/hosts
+ </filename>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <filename>/etc/nsswitch.conf</filename>
+ file. Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</para></listitem>
+
+ <listitem><para><constant>wins</constant> : Query a name with
+ the IP address listed in the <link linkend="WINSSERVER"><parameter>
+ wins server</parameter></link> parameter. If no WINS server has
+ been specified this method will be ignored.</para></listitem>
+
+ <listitem><para><constant>bcast</constant> : Do a broadcast on
+ each of the known local interfaces listed in the <link
+ linkend="INTERFACES"><parameter>interfaces</parameter></link>
+ parameter. This is the least reliable of the name resolution
+ methods as it depends on the target host being on a locally
+ connected subnet.</para></listitem>
+ </itemizedlist>
+
+ <para>Default: <command>name resolve order = lmhosts host wins bcast
+ </command></para>
+ <para>Example: <command>name resolve order = lmhosts bcast host
+ </command></para>
+
+ <para>This will cause the local lmhosts file to be examined
+ first, followed by a broadcast attempt, followed by a normal
+ system hostname lookup.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="NETBIOSALIASES">netbios aliases (G)</term>
+ <listitem><para>This is a list of NetBIOS names that <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> will advertise as additional
+ names by which the Samba server is known. This allows one machine
+ to appear in browse lists under multiple names. If a machine is
+ acting as a browse server or logon server none
+ of these names will be advertised as either browse server or logon
+ servers, only the primary name of the machine will be advertised
+ with these capabilities.</para>
+
+ <para>See also <link linkend="NETBIOSNAME"><parameter>netbios
+ name</parameter></link>.</para>
+
+ <para>Default: <emphasis>empty string (no additional names)</emphasis></para>
+ <para>Example: <command>netbios aliases = TEST TEST1 TEST2</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NETBIOSNAME">netbios name (G)</term>
+ <listitem><para>This sets the NetBIOS name by which a Samba
+ server is known. By default it is the same as the first component
+ of the host's DNS name. If a machine is a browse server or
+ logon server this name (or the first component
+ of the hosts DNS name) will be the name that these services are
+ advertised under.</para>
+
+ <para>See also <link linkend="NETBIOSALIASES"><parameter>netbios
+ aliases</parameter></link>.</para>
+
+ <para>Default: <emphasis>machine DNS name</emphasis></para>
+ <para>Example: <command>netbios name = MYNAME</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NETBIOSSCOPE">netbios scope (G)</term>
+ <listitem><para>This sets the NetBIOS scope that Samba will
+ operate under. This should not be set unless every machine
+ on your LAN also sets this value.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="NISHOMEDIR">nis homedir (G)</term>
+ <listitem><para>Get the home share server from a NIS map. For
+ UNIX systems that use an automounter, the user's home directory
+ will often be mounted on a workstation on demand from a remote
+ server. </para>
+
+ <para>When the Samba logon server is not the actual home directory
+ server, but is mounting the home directories via NFS then two
+ network hops would be required to access the users home directory
+ if the logon server told the client to use itself as the SMB server
+ for home directories (one over SMB and one over NFS). This can
+ be very slow.</para>
+
+ <para>This option allows Samba to return the home share as
+ being on a different server to the logon server and as
+ long as a Samba daemon is running on the home directory server,
+ it will be mounted on the Samba client directly from the directory
+ server. When Samba is returning the home share to the client, it
+ will consult the NIS map specified in <link linkend="HOMEDIRMAP">
+ <parameter>homedir map</parameter></link> and return the server
+ listed there.</para>
+
+ <para>Note that for this option to work there must be a working
+ NIS system and the Samba server with this option must also
+ be a logon server.</para>
+
+ <para>Default: <command>nis homedir = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NONUNIXACCOUNTRANGE">non unix account range (G)</term>
+ <listitem><para>The non unix account range parameter specifies
+ the range of 'user ids' that are allocated by the various 'non unix
+ account' passdb backends. These backends allow
+ the storage of passwords for users who don't exist in /etc/passwd.
+ This is most often used for machine account creation.
+ This range of ids should have no existing local or NIS users within
+ it as strange conflicts can occur otherwise.</para>
+
+ <para>NOTE: These userids never appear on the system and Samba will never
+ 'become' these users. They are used only to ensure that the algorithmic
+ RID mapping does not conflict with normal users.
+ </para>
+
+ <para>Default: <command>non unix account range = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>non unix account range = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NTACLSUPPORT">nt acl support (S)</term>
+ <listitem><para>This boolean parameter controls whether
+ <ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map
+ UNIX permissions into Windows NT access control lists.
+ This parameter was formally a global parameter in releases
+ prior to 2.2.2.</para>
+
+ <para>Default: <command>nt acl support = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NTPIPESUPPORT">nt pipe support (G)</term>
+ <listitem><para>This boolean parameter controls whether
+ <ulink url="smbd.8.html">smbd(8)</ulink> will allow Windows NT
+ clients to connect to the NT SMB specific <constant>IPC$</constant>
+ pipes. This is a developer debugging option and can be left
+ alone.</para>
+
+ <para>Default: <command>nt pipe support = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="NULLPASSWORDS">null passwords (G)</term>
+ <listitem><para>Allow or disallow client access to accounts
+ that have null passwords. </para>
+
+ <para>See also <ulink url="smbpasswd.5.html">smbpasswd (5)</ulink>.</para>
+
+ <para>Default: <command>null passwords = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="OBEYPAMRESTRICTIONS">obey pam restrictions (G)</term>
+ <listitem><para>When Samba 2.2 is configured to enable PAM support
+ (i.e. --with-pam), this parameter will control whether or not Samba
+ should obey PAM's account and session management directives. The
+ default behavior is to use PAM for clear text authentication only
+ and to ignore any account or session management. Note that Samba
+ always ignores PAM for authentication in the case of <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords = yes</parameter>
+ </link>. The reason is that PAM modules cannot support the challenge/response
+ authentication mechanism needed in the presence of SMB password encryption.
+ </para>
+
+ <para>Default: <command>obey pam restrictions = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="ONLYUSER">only user (S)</term>
+ <listitem><para>This is a boolean option that controls whether
+ connections with usernames not in the <parameter>user</parameter>
+ list will be allowed. By default this option is disabled so that a
+ client can supply a username to be used by the server. Enabling
+ this parameter will force the server to only user the login
+ names from the <parameter>user</parameter> list and is only really
+ useful in <link linkend="SECURITYEQUALSSHARE">shave level</link>
+ security.</para>
+
+ <para>Note that this also means Samba won't try to deduce
+ usernames from the service name. This can be annoying for
+ the [homes] section. To get around this you could use <command>user =
+ %S</command> which means your <parameter>user</parameter> list
+ will be just the service name, which for home directories is the
+ name of the user.</para>
+
+ <para>See also the <link linkend="USER"><parameter>user</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>only user = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="ONLYGUEST">only guest (S)</term>
+ <listitem><para>A synonym for <link linkend="GUESTONLY"><parameter>
+ guest only</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="OPLOCKBREAKWAITTIME">oplock break wait time (G)</term>
+ <listitem><para>This is a tuning parameter added due to bugs in
+ both Windows 9x and WinNT. If Samba responds to a client too
+ quickly when that client issues an SMB that can cause an oplock
+ break request, then the network client can fail and not respond
+ to the break request. This tuning parameter (which is set in milliseconds)
+ is the amount of time Samba will wait before sending an oplock break
+ request to such (broken) clients.</para>
+
+ <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
+
+ <para>Default: <command>oplock break wait time = 0</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="OPLOCKCONTENTIONLIMIT">oplock contention limit (S)</term>
+ <listitem><para>This is a <emphasis>very</emphasis> advanced
+ <ulink url="smbd.8.html">smbd(8)</ulink> tuning option to
+ improve the efficiency of the granting of oplocks under multiple
+ client contention for the same file.</para>
+
+ <para>In brief it specifies a number, which causes <ulink url="smbd.8.html">smbd</ulink> not to
+ grant an oplock even when requested if the approximate number of
+ clients contending for an oplock on the same file goes over this
+ limit. This causes <command>smbd</command> to behave in a similar
+ way to Windows NT.</para>
+
+ <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
+
+ <para>Default: <command>oplock contention limit = 2</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="OPLOCKS">oplocks (S)</term>
+ <listitem><para>This boolean option tells <command>smbd</command> whether to
+ issue oplocks (opportunistic locks) to file open requests on this
+ share. The oplock code can dramatically (approx. 30% or more) improve
+ the speed of access to files on Samba servers. It allows the clients
+ to aggressively cache files locally and you may want to disable this
+ option for unreliable network environments (it is turned on by
+ default in Windows NT Servers). For more information see the file
+ <filename>Speed.txt</filename> in the Samba <filename>docs/</filename>
+ directory.</para>
+
+ <para>Oplocks may be selectively turned off on certain files with a
+ share. See the <link linkend="VETOOPLOCKFILES"><parameter>
+ veto oplock files</parameter></link> parameter. On some systems
+ oplocks are recognized by the underlying operating system. This
+ allows data synchronization between all access to oplocked files,
+ whether it be via Samba or NFS or a local UNIX process. See the
+ <parameter>kernel oplocks</parameter> parameter for details.</para>
+
+ <para>See also the <link linkend="KERNELOPLOCKS"><parameter>kernel
+ oplocks</parameter></link> and <link linkend="LEVEL2OPLOCKS"><parameter>
+ level2 oplocks</parameter></link> parameters.</para>
+
+ <para>Default: <command>oplocks = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="OSLEVEL">os level (G)</term>
+ <listitem><para>This integer value controls what level Samba
+ advertises itself as for browse elections. The value of this
+ parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ has a chance of becoming a local master browser for the <parameter>
+ WORKGROUP</parameter> in the local broadcast area.</para>
+
+ <para><emphasis>Note :</emphasis>By default, Samba will win
+ a local master browsing election over all Microsoft operating
+ systems except a Windows NT 4.0/2000 Domain Controller. This
+ means that a misconfigured Samba host can effectively isolate
+ a subnet for browsing purposes. See <filename>BROWSING.txt
+ </filename> in the Samba <filename>docs/</filename> directory
+ for details.</para>
+
+ <para>Default: <command>os level = 20</command></para>
+ <para>Example: <command>os level = 65 </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="OS2DRIVERMAP">os2 driver map (G)</term>
+ <listitem><para>The parameter is used to define the absolute
+ path to a file containing a mapping of Windows NT printer driver
+ names to OS/2 printer driver names. The format is:</para>
+
+ <para>&lt;nt driver name&gt; = &lt;os2 driver
+ name&gt;.&lt;device name&gt;</para>
+
+ <para>For example, a valid entry using the HP LaserJet 5
+ printer driver would appear as <command>HP LaserJet 5L = LASERJET.HP
+ LaserJet 5L</command>.</para>
+
+ <para>The need for the file is due to the printer driver namespace
+ problem described in the <ulink url="printer_driver2.html">Samba
+ Printing HOWTO</ulink>. For more details on OS/2 clients, please
+ refer to the <ulink url="OS2-Client-HOWTO.html">OS2-Client-HOWTO
+ </ulink> containing in the Samba documentation.</para>
+
+ <para>Default: <command>os2 driver map = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PAMPASSWORDCHANGE">pam password change (G)</term>
+ <listitem><para>With the addition of better PAM support in Samba 2.2,
+ this parameter, it is possible to use PAM's password change control
+ flag for Samba. If enabled, then PAM will be used for password
+ changes when requested by an SMB client instead of the program listed in
+ <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link>.
+ It should be possible to enable this without changing your
+ <link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link>
+ parameter for most setups.
+ </para>
+
+ <para>Default: <command>pam password change = no</command></para>
+
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PANICACTION">panic action (G)</term>
+ <listitem><para>This is a Samba developer option that allows a
+ system command to be called when either <ulink url="smbd.8.html">
+ smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink>
+ crashes. This is usually used to draw attention to the fact that
+ a problem occurred.</para>
+
+ <para>Default: <command>panic action = &lt;empty string&gt;</command></para>
+ <para>Example: <command>panic action = "/bin/sleep 90000"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PASSDBBACKEND">passdb backend (G)</term>
+ <listitem><para>This option allows the administrator to chose what
+ backend in which to store passwords. This allows (for example) both
+ smbpasswd and tdbsam to be used without a recompile. Only one can
+ be used at a time however, and experimental backends must still be selected
+ (eg --with-tdbsam) at configure time.
+ </para>
+
+ <para>This paramater is in two parts, the backend's name, and a 'location'
+ string that has meaning only to that particular backed. These are separated
+ by a : character.</para>
+
+ <para>Available backends can include:
+ <itemizedlist>
+ <listitem><para><command>smbpasswd</command> - The default smbpasswd
+ backend. Takes a path to the smbpasswd file as an optional argument.</para></listitem>
+
+ <listitem><para><command>smbpasswd_nua</command> - The smbpasswd
+ backend, but with support for 'not unix accounts'.
+ Takes a path to the smbpasswd file as an optional argument.</para>
+ <para>See also <link linkend="NONUNIXACCOUNTRANGE">
+ <parameter>non unix account range</parameter></link></para></listitem>
+
+ <listitem><para><command>tdbsam</command> - The TDB based password storage
+ backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <link linkend="PRIVATEDIR">
+ <parameter>private dir</parameter></link> directory.</para></listitem>
+
+ <listitem><para><command>tdbsam_nua</command> - The TDB based password storage
+ backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <link linkend="PRIVATEDIR">
+ <parameter>private dir</parameter></link> directory.</para>
+ <para>See also <link linkend="NONUNIXACCOUNTRANGE">
+ <parameter>non unix account range</parameter></link></para></listitem>
+
+ <listitem><para><command>ldapsam</command> - The LDAP based passdb
+ backend. Takes an LDAP URL as an optional argument (defaults to
+ <command>ldap://localhost</command>)</para></listitem>
+
+ <listitem><para><command>ldapsam_nua</command> - The LDAP based passdb
+ backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
+ <command>ldap://localhost</command>)</para>
+ <para>See also <link linkend="NONUNIXACCOUNTRANGE">
+ <parameter>non unix account range</parameter></link></para></listitem>
+
+ <listitem><para><command>plugin</command> - Allows Samba to load an
+ arbitary passdb backend from the .so specified as a compulsary argument.
+ </para>
+
+ <para>Any characters after the (optional) second : are passed to the plugin
+ for its own processing</para>
+ </listitem>
+
+ </itemizedlist>
+ </para>
+
+ <para>Default: <command>passdb backend = smbpasswd</command></para>
+ <para>Example: <command>passdb backend = tdbsam:/etc/samba/private/passdb.tdb</command></para>
+ <para>Example: <command>passdb backend = ldapsam_nua:ldaps://ldap.example.com</command></para>
+ <para>Example: <command>passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PASSWDCHAT">passwd chat (G)</term>
+ <listitem><para>This string controls the <emphasis>"chat"</emphasis>
+ conversation that takes places between <ulink
+ url="smbd.8.html">smbd</ulink> and the local password changing
+ program to change the user's password. The string describes a
+ sequence of response-receive pairs that <ulink url="smbd.8.html">
+ smbd(8)</ulink> uses to determine what to send to the
+ <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
+ </link> and what to expect back. If the expected output is not
+ received then the password is not changed.</para>
+
+ <para>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</para>
+ <para>Note that this parameter only is only used if the <link
+ linkend="UNIXPASSWORDSYNC"><parameter>unix
+ password sync</parameter></link> parameter is set to <constant>yes</constant>. This
+ sequence is then called <emphasis>AS ROOT</emphasis> when the SMB password
+ in the smbpasswd file is being changed, without access to the old
+ password cleartext. This means that root must be able to reset the user's password
+ without knowing the text of the previous password. In the presence of NIS/YP,
+ this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must be
+ executed on the NIS master.
+ </para>
+
+
+ <para>The string can contain the macro <parameter>%n</parameter> which is substituted
+ for the new password. The chat sequence can also contain the standard
+ macros <constant>\n</constant>, <constant>\r</constant>, <constant>
+ \t</constant> and <constant>\s</constant> to give line-feed,
+ carriage-return, tab and space. The chat sequence string can also contain
+ a '*' which matches any sequence of characters.
+ Double quotes can be used to collect strings with spaces
+ in them into a single string.</para>
+
+ <para>If the send string in any part of the chat sequence
+ is a full stop ".", then no string is sent. Similarly,
+ if the expect string is a full stop then no string is expected.</para>
+
+ <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter>pam
+ password change</parameter></link> parameter is set to true, the chat pairs
+ may be matched in any order, and success is determined by the PAM result,
+ not any particular output. The \n macro is ignored for PAM conversions.
+ </para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix password
+ sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter>
+ passwd program</parameter></link> ,<link linkend="PASSWDCHATDEBUG">
+ <parameter>passwd chat debug</parameter></link> and <link linkend="PAMPASSWORDCHANGE">
+ <parameter>pam password change</parameter></link>.</para>
+
+ <para>Default: <command>passwd chat = *new*password* %n\n
+ *new*password* %n\n *changed*</command></para>
+ <para>Example: <command>passwd chat = "*Enter OLD password*" %o\n
+ "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password
+ changed*"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWDCHATDEBUG">passwd chat debug (G)</term>
+ <listitem><para>This boolean specifies if the passwd chat script
+ parameter is run in <emphasis>debug</emphasis> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a
+ <link linkend="DEBUGLEVEL"><parameter>debug level</parameter></link>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <command>smbd</command> log. It is available to help
+ Samba admins debug their <parameter>passwd chat</parameter> scripts
+ when calling the <parameter>passwd program</parameter> and should
+ be turned off after this has been done. This option has no effect if the
+ <link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link>
+ paramter is set. This parameter is off by default.</para>
+
+
+ <para>See also <link linkend="PASSWDCHAT"><parameter>passwd chat</parameter>
+ </link>, <link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter>
+ </link>, <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
+ </link>.</para>
+
+ <para>Default: <command>passwd chat debug = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWDPROGRAM">passwd program (G)</term>
+ <listitem><para>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <parameter>%u</parameter>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</para>
+
+ <para>Also note that many passwd programs insist in <emphasis>reasonable
+ </emphasis> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</para>
+
+ <para><emphasis>Note</emphasis> that if the <parameter>unix
+ password sync</parameter> parameter is set to <constant>true
+ </constant> then this program is called <emphasis>AS ROOT</emphasis>
+ before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5)
+ </ulink> file is changed. If this UNIX password change fails, then
+ <command>smbd</command> will fail to change the SMB password also
+ (this is by design).</para>
+
+ <para>If the <parameter>unix password sync</parameter> parameter
+ is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
+ for <emphasis>ALL</emphasis> programs called, and must be examined
+ for security implications. Note that by default <parameter>unix
+ password sync</parameter> is set to <constant>false</constant>.</para>
+
+ <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
+ password sync</parameter></link>.</para>
+
+ <para>Default: <command>passwd program = /bin/passwd</command></para>
+ <para>Example: <command>passwd program = /sbin/npasswd %u</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWORDLEVEL">password level (G)</term>
+ <listitem><para>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS! Another problem child is the Windows 95/98
+ family of operating systems. These clients upper case clear
+ text passwords even when NT LM 0.12 selected by the protocol
+ negotiation request/response.</para>
+
+ <para>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</para>
+
+ <para>For example, say the password given was "FRED". If <parameter>
+ password level</parameter> is set to 1, the following combinations
+ would be tried if "FRED" failed:</para>
+
+ <para>"Fred", "fred", "fRed", "frEd","freD"</para>
+
+ <para>If <parameter>password level</parameter> was set to 2,
+ the following combinations would also be tried: </para>
+
+ <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
+
+ <para>And so on.</para>
+
+ <para>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</para>
+
+ <para>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</para>
+
+ <para>Default: <command>password level = 0</command></para>
+ <para>Example: <command>password level = 4</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PASSWORDSERVER">password server (G)</term>
+ <listitem><para>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <command>security = domain
+ </command> or <command>security = server</command> you can get Samba
+ to do all its username/password validation via a remote server.</para>
+
+ <para>This option sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its Internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <filename>smb.conf</filename> file.</para>
+
+ <para>The name of the password server is looked up using the
+ parameter <link linkend="NAMERESOLVEORDER"><parameter>name
+ resolve order</parameter></link> and so may resolved
+ by any method and order described in that parameter.</para>
+
+ <para>The password server much be a machine capable of using
+ the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
+ user level security mode.</para>
+
+ <para><emphasis>NOTE:</emphasis> Using a password server
+ means your UNIX box (running Samba) is only as secure as your
+ password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
+ YOU DON'T COMPLETELY TRUST</emphasis>.</para>
+
+ <para>Never point a Samba server at itself for password
+ serving. This will cause a loop and could lock up your Samba
+ server!</para>
+
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter>%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts allow!</para>
+
+ <para>If the <parameter>security</parameter> parameter is set to
+ <constant>domain</constant>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is effectively
+ in that domain, and will use cryptographically authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <command>
+ security = domain</command> is that if you list several hosts in the
+ <parameter>password server</parameter> option then <command>smbd
+ </command> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</para>
+
+ <para>If the <parameter>password server</parameter> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </para>
+
+ <para>If the <parameter>security</parameter> parameter is
+ set to <constant>server</constant>, then there are different
+ restrictions that <command>security = domain</command> doesn't
+ suffer from:</para>
+
+ <itemizedlist>
+ <listitem><para>You may list several password servers in
+ the <parameter>password server</parameter> parameter, however if an
+ <command>smbd</command> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <command>smbd</command>. This is a
+ restriction of the SMB/CIFS protocol when in <command>security = server
+ </command> mode and cannot be fixed in Samba.</para></listitem>
+
+ <listitem><para>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <command>
+ security = server</command> mode the network logon will appear to
+ come from there rather than from the users workstation.</para></listitem>
+ </itemizedlist>
+
+ <para>See also the <link linkend="SECURITY"><parameter>security
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command>password server = &lt;empty string&gt;</command>
+ </para>
+ <para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2
+ </command></para>
+ <para>Example: <command>password server = *</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PATH">path (S)</term>
+ <listitem><para>This parameter specifies a directory to which
+ the user of the service is to be given access. In the case of
+ printable services, this is where print data will spool prior to
+ being submitted to the host for printing.</para>
+
+ <para>For a printable service offering guest access, the service
+ should be readonly and the path should be world-writeable and
+ have the sticky bit set. This is not mandatory of course, but
+ you probably won't get the results you expect if you do
+ otherwise.</para>
+
+ <para>Any occurrences of <parameter>%u</parameter> in the path
+ will be replaced with the UNIX username that the client is using
+ on this connection. Any occurrences of <parameter>%m</parameter>
+ will be replaced by the NetBIOS name of the machine they are
+ connecting from. These replacements are very useful for setting
+ up pseudo home directories for users.</para>
+
+ <para>Note that this path will be based on <link linkend="ROOTDIR">
+ <parameter>root dir</parameter></link> if one was specified.</para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ <para>Example: <command>path = /home/fred</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="POSIXLOCKING">posix locking (S)</term>
+ <listitem><para>The <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ daemon maintains an database of file locks obtained by SMB clients.
+ The default behavior is to map this internal database to POSIX
+ locks. This means that file locks obtained by SMB clients are
+ consistent with those seen by POSIX compliant applications accessing
+ the files via a non-SMB method (e.g. NFS or local file access).
+ You should never need to disable this parameter.</para>
+
+ <para>Default: <command>posix locking = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="POSTEXEC">postexec (S)</term>
+ <listitem><para>This option specifies a command to be run
+ whenever the service is disconnected. It takes the usual
+ substitutions. The command may be run as the root on some
+ systems.</para>
+
+ <para>An interesting example may be to unmount server
+ resources:</para>
+
+ <para><command>postexec = /etc/umount /cdrom</command></para>
+
+ <para>See also <link linkend="PREEXEC"><parameter>preexec</parameter>
+ </link>.</para>
+
+ <para>Default: <emphasis>none (no command executed)</emphasis>
+ </para>
+
+ <para>Example: <command>postexec = echo \"%u disconnected from %S
+ from %m (%I)\" &gt;&gt; /tmp/log</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="POSTSCRIPT">postscript (S)</term>
+ <listitem><para>This parameter forces a printer to interpret
+ the print files as PostScript. This is done by adding a <constant>%!
+ </constant> to the start of print output.</para>
+
+ <para>This is most useful when you have lots of PCs that persist
+ in putting a control-D at the start of print jobs, which then
+ confuses your printer.</para>
+
+ <para>Default: <command>postscript = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PREEXEC">preexec (S)</term>
+ <listitem><para>This option specifies a command to be run whenever
+ the service is connected to. It takes the usual substitutions.</para>
+
+ <para>An interesting example is to send the users a welcome
+ message every time they log in. Maybe a message of the day? Here
+ is an example:</para>
+
+ <para><command>preexec = csh -c 'echo \"Welcome to %S!\" |
+ /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para>
+
+ <para>Of course, this could get annoying after a while :-)</para>
+
+ <para>See also <link linkend="PREEXECCLOSE"><parameter>preexec close
+ </parameter</link> and <link linkend="POSTEXEC"><parameter>postexec
+ </parameter></link>.</para>
+
+ <para>Default: <emphasis>none (no command executed)</emphasis></para>
+ <para>Example: <command>preexec = echo \"%u connected to %S from %m
+ (%I)\" &gt;&gt; /tmp/log</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PREEXECCLOSE">preexec close (S)</term>
+ <listitem><para>This boolean option controls whether a non-zero
+ return code from <link linkend="PREEXEC"><parameter>preexec
+ </parameter></link> should close the service being connected to.</para>
+
+ <para>Default: <command>preexec close = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PREFERREDMASTER">preferred master (G)</term>
+ <listitem><para>This boolean parameter controls if <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser
+ for its workgroup.</para>
+
+ <para>If this is set to <constant>true</constant>, on startup, <command>nmbd</command>
+ will force an election, and it will have a slight advantage in
+ winning the election. It is recommended that this parameter is
+ used in conjunction with <command><link linkend="DOMAINMASTER"><parameter>
+ domain master</parameter></link> = yes</command>, so that <command>
+ nmbd</command> can guarantee becoming a domain master.</para>
+
+ <para>Use this option with caution, because if there are several
+ hosts (whether Samba servers, Windows 95 or NT) that are preferred
+ master browsers on the same subnet, they will each periodically
+ and continuously attempt to become the local master browser.
+ This will result in unnecessary broadcast traffic and reduced browsing
+ capabilities.</para>
+
+ <para>See also <link linkend="OSLEVEL"><parameter>os level</parameter>
+ </link>.</para>
+
+ <para>Default: <command>preferred master = auto</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PREFEREDMASTER">prefered master (G)</term>
+ <listitem><para>Synonym for <link linkend="PREFERREDMASTER"><parameter>
+ preferred master</parameter></link> for people who cannot spell :-).</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRELOAD">preload</term>
+ <listitem><para>This is a list of services that you want to be
+ automatically added to the browse lists. This is most useful
+ for homes and printers services that would otherwise not be
+ visible.</para>
+
+ <para>Note that if you just want all printers in your
+ printcap file loaded then the <link linkend="LOADPRINTERS">
+ <parameter>load printers</parameter></link> option is easier.</para>
+
+ <para>Default: <emphasis>no preloaded services</emphasis></para>
+
+ <para>Example: <command>preload = fred lp colorlp</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PRESERVECASE">preserve case (S)</term>
+ <listitem><para> This controls if new filenames are created
+ with the case that the client passes, or if they are forced to
+ be the <link linkend="DEFAULTCASE"><parameter>default case
+ </parameter></link>.</para>
+
+ <para>Default: <command>preserve case = yes</command></para>
+
+ <para>See the section on <link linkend="NAMEMANGLINGSECT">NAME
+ MANGLING</link> for a fuller discussion.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTCOMMAND">print command (S)</term>
+ <listitem><para>After a print job has finished spooling to
+ a service, this command will be used via a <command>system()</command>
+ call to process the spool file. Typically the command specified will
+ submit the spool file to the host's printing subsystem, but there
+ is no requirement that this be the case. The server will not remove
+ the spool file, so whatever command you specify should remove the
+ spool file when it has been processed, otherwise you will need to
+ manually remove old spool files.</para>
+
+ <para>The print command is simply a text string. It will be used
+ verbatim, with two exceptions: All occurrences of <parameter>%s
+ </parameter> and <parameter>%f</parameter> will be replaced by the
+ appropriate spool file name, and all occurrences of <parameter>%p
+ </parameter> will be replaced by the appropriate printer name. The
+ spool file name is generated automatically by the server. The
+ <parameter>%J</parameter> macro can be used to access the job
+ name as transmitted by the client.</para>
+
+ <para>The print command <emphasis>MUST</emphasis> contain at least
+ one occurrence of <parameter>%s</parameter> or <parameter>%f
+ </parameter> - the <parameter>%p</parameter> is optional. At the time
+ a job is submitted, if no printer name is supplied the <parameter>%p
+ </parameter> will be silently removed from the printer command.</para>
+
+ <para>If specified in the [global] section, the print command given
+ will be used for any printable service that does not have its own
+ print command specified.</para>
+
+ <para>If there is neither a specified print command for a
+ printable service nor a global print command, spool files will
+ be created but not processed and (most importantly) not removed.</para>
+
+ <para>Note that printing may fail on some UNIXes from the
+ <constant>nobody</constant> account. If this happens then create
+ an alternative guest account that can print and set the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>
+ in the [global] section.</para>
+
+ <para>You can form quite complex print commands by realizing
+ that they are just passed to a shell. For example the following
+ will log a print job, print the file, then remove it. Note that
+ ';' is the usual separator for command in shell scripts.</para>
+
+ <para><command>print command = echo Printing %s &gt;&gt;
+ /tmp/print.log; lpr -P %p %s; rm %s</command></para>
+
+ <para>You may have to vary this command considerably depending
+ on how you normally print files on your system. The default for
+ the parameter varies depending on the setting of the <link linkend="PRINTING">
+ <parameter>printing</parameter></link> parameter.</para>
+
+ <para>Default: For <command>printing = BSD, AIX, QNX, LPRNG
+ or PLP :</command></para>
+ <para><command>print command = lpr -r -P%p %s</command></para>
+
+ <para>For <command>printing = SYSV or HPUX :</command></para>
+ <para><command>print command = lp -c -d%p %s; rm %s</command></para>
+
+ <para>For <command>printing = SOFTQ :</command></para>
+ <para><command>print command = lp -d%p -s %s; rm %s</command></para>
+
+ <para>Example: <command>print command = /usr/local/samba/bin/myprintscript
+ %p %s</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTOK">print ok (S)</term>
+ <listitem><para>Synonym for <link linkend="PRINTABLE">
+ <parameter>printable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTABLE">printable (S)</term>
+ <listitem><para>If this parameter is <constant>yes</constant>, then
+ clients may open, write to and submit spool files on the directory
+ specified for the service. </para>
+
+ <para>Note that a printable service will ALWAYS allow writing
+ to the service path (user privileges permitting) via the spooling
+ of print data. The <link linkend="WRITEABLE"><parameter>writeable
+ </parameter></link> parameter controls only non-printing access to
+ the resource.</para>
+
+ <para>Default: <command>printable = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTCAP">printcap (G)</term>
+ <listitem><para>Synonym for <link linkend="PRINTCAPNAME"><parameter>
+ printcap name</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTCAPNAME">printcap name (G)</term>
+ <listitem><para>This parameter may be used to override the
+ compiled-in default printcap name used by the server (usually <filename>
+ /etc/printcap</filename>). See the discussion of the <link
+ linkend="PRINTERSSECT">[printers]</link> section above for reasons
+ why you might want to do this.</para>
+
+ <para>On System V systems that use <command>lpstat</command> to
+ list available printers you can use <command>printcap name = lpstat
+ </command> to automatically obtain lists of available printers. This
+ is the default for systems that define SYSV at configure time in
+ Samba (this includes most System V based systems). If <parameter>
+ printcap name</parameter> is set to <command>lpstat</command> on
+ these systems then Samba will launch <command>lpstat -v</command> and
+ attempt to parse the output to obtain a printer list.</para>
+
+ <para>A minimal printcap file would look something like this:</para>
+
+ <para><programlisting>
+ print1|My Printer 1
+ print2|My Printer 2
+ print3|My Printer 3
+ print4|My Printer 4
+ print5|My Printer 5
+ </programlisting></para>
+
+ <para>where the '|' separates aliases of a printer. The fact
+ that the second alias has a space in it gives a hint to Samba
+ that it's a comment.</para>
+
+ <para><emphasis>NOTE</emphasis>: Under AIX the default printcap
+ name is <filename>/etc/qconfig</filename>. Samba will assume the
+ file is in AIX <filename>qconfig</filename> format if the string
+ <filename>qconfig</filename> appears in the printcap filename.</para>
+
+ <para>Default: <command>printcap name = /etc/printcap</command></para>
+ <para>Example: <command>printcap name = /etc/myprintcap</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERADMIN">printer admin (S)</term>
+ <listitem><para>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MS-RPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</para>
+
+ <para>Default: <command>printer admin = &lt;empty string&gt;</command>
+ </para>
+ <para>Example: <command>printer admin = admin, @staff</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERDRIVER">printer driver (S)</term>
+ <listitem><para><emphasis>Note :</emphasis>This is a deprecated
+ parameter and will be removed in the next major release
+ following version 2.2. Please see the instructions in
+ the <ulink url="printer_driver2.html">Samba 2.2. Printing
+ HOWTO</ulink> for more information
+ on the new method of loading printer drivers onto a Samba server.
+ </para>
+
+ <para>This option allows you to control the string
+ that clients receive when they ask the server for the printer driver
+ associated with a printer. If you are using Windows95 or Windows NT
+ then you can use this to automate the setup of printers on your
+ system.</para>
+
+ <para>You need to set this parameter to the exact string (case
+ sensitive) that describes the appropriate printer driver for your
+ system. If you don't know the exact string to use then you should
+ first try with no <link linkend="PRINTERDRIVER"><parameter>
+ printer driver</parameter></link> option set and the client will
+ give you a list of printer drivers. The appropriate strings are
+ shown in a scroll box after you have chosen the printer manufacturer.</para>
+
+ <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>printer
+ driver file</parameter></link>.</para>
+
+ <para>Example: <command>printer driver = HP LaserJet 4L</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERDRIVERFILE">printer driver file (G)</term>
+ <listitem><para><emphasis>Note :</emphasis>This is a deprecated
+ parameter and will be removed in the next major release
+ following version 2.2. Please see the instructions in
+ the <ulink url="printer_driver2.html">Samba 2.2. Printing
+ HOWTO</ulink> for more information
+ on the new method of loading printer drivers onto a Samba server.
+ </para>
+
+ <para>This parameter tells Samba where the printer driver
+ definition file, used when serving drivers to Windows 95 clients, is
+ to be found. If this is not set, the default is :</para>
+
+ <para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable>
+ /lib/printers.def</filename></para>
+
+ <para>This file is created from Windows 95 <filename>msprint.inf
+ </filename> files found on the Windows 95 client system. For more
+ details on setting up serving of printer drivers to Windows 95
+ clients, see the outdated documentation file in the <filename>docs/</filename>
+ directory, <filename>PRINTER_DRIVER.txt</filename>.</para>
+
+ <para>See also <link linkend="PRINTERDRIVERLOCATION"><parameter>
+ printer driver location</parameter></link>.</para>
+
+ <para>Default: <emphasis>None (set in compile).</emphasis></para>
+
+ <para>Example: <command>printer driver file =
+ /usr/local/samba/printers/drivers.def</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERDRIVERLOCATION">printer driver location (S)</term>
+ <listitem><para><emphasis>Note :</emphasis>This is a deprecated
+ parameter and will be removed in the next major release
+ following version 2.2. Please see the instructions in
+ the <ulink url="printer_driver2.html">Samba 2.2. Printing
+ HOWTO</ulink> for more information
+ on the new method of loading printer drivers onto a Samba server.
+ </para>
+
+ <para>This parameter tells clients of a particular printer
+ share where to find the printer driver files for the automatic
+ installation of drivers for Windows 95 machines. If Samba is set up
+ to serve printer drivers to Windows 95 machines, this should be set to</para>
+
+ <para><command>\\MACHINE\PRINTER$</command></para>
+
+ <para>Where MACHINE is the NetBIOS name of your Samba server,
+ and PRINTER$ is a share you set up for serving printer driver
+ files. For more details on setting this up see the outdated documentation
+ file in the <filename>docs/</filename> directory, <filename>
+ PRINTER_DRIVER.txt</filename>.</para>
+
+ <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>
+ printer driver file</parameter></link>.</para>
+
+ <para>Default: <command>none</command></para>
+ <para>Example: <command>printer driver location = \\MACHINE\PRINTER$
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTERNAME">printer name (S)</term>
+ <listitem><para>This parameter specifies the name of the printer
+ to which print jobs spooled through a printable service will be sent.</para>
+
+ <para>If specified in the [global] section, the printer
+ name given will be used for any printable service that does
+ not have its own printer name specified.</para>
+
+ <para>Default: <emphasis>none (but may be <constant>lp</constant>
+ on many systems)</emphasis></para>
+
+ <para>Example: <command>printer name = laserwriter</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="PRINTER">printer (S)</term>
+ <listitem><para>Synonym for <link linkend="PRINTERNAME"><parameter>
+ printer name</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="PRINTING">printing (S)</term>
+ <listitem><para>This parameters controls how printer status
+ information is interpreted on your system. It also affects the
+ default values for the <parameter>print command</parameter>,
+ <parameter>lpq command</parameter>, <parameter>lppause command
+ </parameter>, <parameter>lpresume command</parameter>, and
+ <parameter>lprm command</parameter> if specified in the
+ [global] section.</para>
+
+ <para>Currently nine printing styles are supported. They are
+ <constant>BSD</constant>, <constant>AIX</constant>,
+ <constant>LPRNG</constant>, <constant>PLP</constant>,
+ <constant>SYSV</constant>, <constant>HPUX</constant>,
+ <constant>QNX</constant>, <constant>SOFTQ</constant>,
+ and <constant>CUPS</constant>.</para>
+
+ <para>To see what the defaults are for the other print
+ commands when using the various options use the <ulink
+ url="testparm.1.html">testparm(1)</ulink> program.</para>
+
+ <para>This option can be set on a per printer basis</para>
+
+ <para>See also the discussion in the <link linkend="PRINTERSSECT">
+ [printers]</link> section.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PRIVATEDIR">private dir (G)</term>
+ <listitem><para>This parameters defines the directory
+ smbd will use for storing such files as <filename>smbpasswd</filename>
+ and <filename>secrets.tdb</filename>.
+ </para>
+
+ <para>Default :<command>private dir = ${prefix}/private</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PROTOCOL">protocol (G)</term>
+ <listitem><para>Synonym for <link linkend="MAXPROTOCOL">
+ <parameter>max protocol</parameter></link>.</para></listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="PUBLIC">public (S)</term>
+ <listitem><para>Synonym for <link linkend="GUESTOK"><parameter>guest
+ ok</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="QUEUEPAUSECOMMAND">queuepause command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to pause the printer queue.</para>
+
+ <para>This command should be a program or script which takes
+ a printer name as its only parameter and stops the printer queue,
+ such that no longer jobs are submitted to the printer.</para>
+
+ <para>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printers window under Windows 95
+ and NT.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the command.
+ </para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</para>
+
+ <para>Default: <emphasis>depends on the setting of <parameter>printing
+ </parameter></emphasis></para>
+ <para>Example: <command>queuepause command = disable %p</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="QUEUERESUMECOMMAND">queueresume command (S)</term>
+ <listitem><para>This parameter specifies the command to be
+ executed on the server host in order to resume the printer queue. It
+ is the command to undo the behavior that is caused by the
+ previous parameter (<link linkend="QUEUEPAUSECOMMAND"><parameter>
+ queuepause command</parameter></link>).</para>
+
+ <para>This command should be a program or script which takes
+ a printer name as its only parameter and resumes the printer queue,
+ such that queued jobs are resubmitted to the printer.</para>
+
+ <para>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printers window under Windows 95
+ and NT.</para>
+
+ <para>If a <parameter>%p</parameter> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the
+ command.</para>
+
+ <para>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</para>
+
+ <para>Default: <emphasis>depends on the setting of <link
+ linkend="PRINTING"><parameter>printing</parameter></link></emphasis>
+ </para>
+
+ <para>Example: <command>queuepause command = enable %p
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="READBMPX">read bmpx (G)</term>
+ <listitem><para>This boolean parameter controls whether <ulink
+ url="smbd.8.html">smbd(8)</ulink> will support the "Read
+ Block Multiplex" SMB. This is now rarely used and defaults to
+ <constant>no</constant>. You should never need to set this
+ parameter.</para>
+
+ <para>Default: <command>read bmpx = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="READLIST">read list (S)</term>
+ <listitem><para>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <link
+ linkend="WRITEABLE"><parameter>writeable</parameter></link>
+ option is set to. The list can include group names using the
+ syntax described in the <link linkend="INVALIDUSERS"><parameter>
+ invalid users</parameter></link> parameter.</para>
+
+ <para>See also the <link linkend="WRITELIST"><parameter>
+ write list</parameter></link> parameter and the <link
+ linkend="INVALIDUSERS"><parameter>invalid users</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>read list = &lt;empty string&gt;</command></para>
+ <para>Example: <command>read list = mary, @students</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="READONLY">read only (S)</term>
+ <listitem><para>Note that this is an inverted synonym for <link
+ linkend="WRITEABLE"><parameter>writeable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="READRAW">read raw (G)</term>
+ <listitem><para>This parameter controls whether or not the server
+ will support the raw read SMB requests when transferring data
+ to clients.</para>
+
+ <para>If enabled, raw reads allow reads of 65535 bytes in
+ one packet. This typically provides a major performance benefit.
+ </para>
+
+ <para>However, some clients either negotiate the allowable
+ block size incorrectly or are incapable of supporting larger block
+ sizes, and for these clients you may need to disable raw reads.</para>
+
+ <para>In general this parameter should be viewed as a system tuning
+ tool and left severely alone. See also <link linkend="WRITERAW">
+ <parameter>write raw</parameter></link>.</para>
+
+ <para>Default: <command>read raw = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="READSIZE">read size (G)</term>
+ <listitem><para>The option <parameter>read size</parameter>
+ affects the overlap of disk reads/writes with network reads/writes.
+ If the amount of data being transferred in several of the SMB
+ commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+ than this value then the server begins writing the data before it
+ has received the whole packet from the network, or in the case of
+ SMBreadbraw, it begins writing to the network before all the data
+ has been read from disk.</para>
+
+ <para>This overlapping works best when the speeds of disk and
+ network access are similar, having very little effect when the
+ speed of one is much greater than the other.</para>
+
+ <para>The default value is 16384, but very little experimentation
+ has been done yet to determine the optimal value, and it is likely
+ that the best value will vary greatly between systems anyway.
+ A value over 65536 is pointless and will cause you to allocate
+ memory unnecessarily.</para>
+
+ <para>Default: <command>read size = 16384</command></para>
+ <para>Example: <command>read size = 8192</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="REMOTEANNOUNCE">remote announce (G)</term>
+ <listitem><para>This option allows you to setup <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself
+ to arbitrary IP addresses with an arbitrary workgroup name.</para>
+
+ <para>This is useful if you want your Samba server to appear
+ in a remote workgroup for which the normal browse propagation
+ rules don't work. The remote workgroup can be anywhere that you
+ can send IP packets to.</para>
+
+ <para>For example:</para>
+
+ <para><command>remote announce = 192.168.2.255/SERVERS
+ 192.168.4.255/STAFF</command></para>
+
+ <para>the above line would cause <command>nmbd</command> to announce itself
+ to the two given IP addresses using the given workgroup names.
+ If you leave out the workgroup name then the one given in
+ the <link linkend="WORKGROUP"><parameter>workgroup</parameter></link>
+ parameter is used instead.</para>
+
+ <para>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable.</para>
+
+ <para>See the documentation file <filename>BROWSING.txt</filename>
+ in the <filename>docs/</filename> directory.</para>
+
+ <para>Default: <command>remote announce = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="REMOTEBROWSESYNC">remote browse sync (G)</term>
+ <listitem><para>This option allows you to setup <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> to periodically request
+ synchronization of browse lists with the master browser of a Samba
+ server that is on a remote segment. This option will allow you to
+ gain browse lists for multiple workgroups across routed networks. This
+ is done in a manner that does not work with any non-Samba servers.</para>
+
+ <para>This is useful if you want your Samba server and all local
+ clients to appear in a remote workgroup for which the normal browse
+ propagation rules don't work. The remote workgroup can be anywhere
+ that you can send IP packets to.</para>
+
+ <para>For example:</para>
+
+ <para><command>remote browse sync = 192.168.2.255 192.168.4.255
+ </command></para>
+
+ <para>the above line would cause <command>nmbd</command> to request
+ the master browser on the specified subnets or addresses to
+ synchronize their browse lists with the local server.</para>
+
+ <para>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable. If
+ a machine IP address is given Samba makes NO attempt to validate
+ that the remote machine is available, is listening, nor that it
+ is in fact the browse master on its segment.</para>
+
+ <para>Default: <command>remote browse sync = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term>
+ <listitem><para>This is a boolean parameter. If it is <constant>true</constant>, then
+ anonymous access to the server will be restricted, namely in the
+ case where the server is expecting the client to send a username,
+ but it doesn't. Setting it to <constant>true</constant> will force these anonymous
+ connections to be denied, and the client will be required to always
+ supply a username and password when connecting. Use of this parameter
+ is only recommended for homogeneous NT client environments.</para>
+
+ <para>This parameter makes the use of macro expansions that rely
+ on the username (%U, %G, etc) consistent. NT 4.0
+ likes to use anonymous connections when refreshing the share list,
+ and this is a way to work around that.</para>
+
+ <para>When restrict anonymous is <constant>true</constant>, all anonymous connections
+ are denied no matter what they are for. This can effect the ability
+ of a machine to access the Samba Primary Domain Controller to revalidate
+ its machine account after someone else has logged on the client
+ interactively. The NT client will display a message saying that
+ the machine's account in the domain doesn't exist or the password is
+ bad. The best way to deal with this is to reboot NT client machines
+ between interactive logons, using "Shutdown and Restart", rather
+ than "Close all programs and logon as a different user".</para>
+
+ <para>Default: <command>restrict anonymous = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOT">root (G)</term>
+ <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter>root directory"</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOTDIR">root dir (G)</term>
+ <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
+ <parameter>root directory"</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="ROOTDIRECTORY">root directory (G)</term>
+ <listitem><para>The server will <command>chroot()</command> (i.e.
+ Change its root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use ".." in file names
+ to access other directories (depending on the setting of the <link
+ linkend="WIDELINKS"><parameter>wide links</parameter></link>
+ parameter).</para>
+
+ <para>Adding a <parameter>root directory</parameter> entry other
+ than "/" adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <parameter>root directory</parameter>
+ option, <emphasis>including</emphasis> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <parameter>root directory</parameter> tree. In particular
+ you will need to mirror <filename>/etc/passwd</filename> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</para>
+
+ <para>Default: <command>root directory = /</command></para>
+ <para>Example: <command>root directory = /homes/smb</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOTPOSTEXEC">root postexec (S)</term>
+ <listitem><para>This is the same as the <parameter>postexec</parameter>
+ parameter except that the command is run as root. This
+ is useful for unmounting filesystems
+ (such as CDROMs) after a connection is closed.</para>
+
+ <para>See also <link linkend="POSTEXEC"><parameter>
+ postexec</parameter></link>.</para>
+
+ <para>Default: <command>root postexec = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="ROOTPREEXEC">root preexec (S)</term>
+ <listitem><para>This is the same as the <parameter>preexec</parameter>
+ parameter except that the command is run as root. This
+ is useful for mounting filesystems (such as CDROMs) when a
+ connection is opened.</para>
+
+ <para>See also <link linkend="PREEXEC"><parameter>
+ preexec</parameter></link> and <link linkend="PREEXECCLOSE">
+ <parameter>preexec close</parameter></link>.</para>
+
+ <para>Default: <command>root preexec = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="ROOTPREEXECCLOSE">root preexec close (S)</term>
+ <listitem><para>This is the same as the <parameter>preexec close
+ </parameter> parameter except that the command is run as root.</para>
+
+ <para>See also <link linkend="PREEXEC"><parameter>
+ preexec</parameter></link> and <link linkend="PREEXECCLOSE">
+ <parameter>preexec close</parameter></link>.</para>
+
+ <para>Default: <command>root preexec close = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SECURITY">security (G)</term>
+ <listitem><para>This option affects how clients respond to
+ Samba and is one of the most important settings in the <filename>
+ smb.conf</filename> file.</para>
+
+ <para>The option sets the "security mode bit" in replies to
+ protocol negotiations with <ulink url="smbd.8.html">smbd(8)
+ </ulink> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</para>
+
+
+ <para>The default is <command>security = user</command>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</para>
+
+ <para>The alternatives are <command>security = share</command>,
+ <command>security = server</command> or <command>security = domain
+ </command>.</para>
+
+ <para>In versions of Samba prior to 2.0.0, the default was
+ <command>security = share</command> mainly because that was
+ the only option at one stage.</para>
+
+ <para>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the "connect
+ drive" dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</para>
+
+ <para>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <command>security = user</command>. If you mostly use usernames
+ that don't exist on the UNIX box then use <command>security =
+ share</command>.</para>
+
+ <para>You should also use <command>security = share</command> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <command>security = user</command>, see
+ the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link>parameter for details.</para>
+
+ <para>It is possible to use <command>smbd</command> in a <emphasis>
+ hybrid mode</emphasis> where it is offers both user and share
+ level security under different <link linkend="NETBIOSALIASES">
+ <parameter>NetBIOS aliases</parameter></link>. </para>
+
+ <para>The different settings will now be explained.</para>
+
+
+ <para><anchor id="SECURITYEQUALSSHARE"><emphasis>SECURITY = SHARE
+ </emphasis></para>
+
+ <para>When clients connect to a share level security server they
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <command>security = share
+ </command> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</para>
+
+ <para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <command>security = share</command> level security.</para>
+
+ <para>As clients are not required to send a username to the server
+ in share level security, <command>smbd</command> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</para>
+
+ <para>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</para>
+
+ <itemizedlist>
+ <listitem><para>If the <link linkend="GUESTONLY"><parameter>guest
+ only</parameter></link> parameter is set, then all the other
+ stages are missed and only the <link linkend="GUESTACCOUNT">
+ <parameter>guest account</parameter></link> username is checked.
+ </para></listitem>
+
+ <listitem><para>Is a username is sent with the share connection
+ request, then this username (after mapping - see <link
+ linkend="USERNAMEMAP"><parameter>username map</parameter></link>),
+ is added as a potential username.</para></listitem>
+
+ <listitem><para>If the client did a previous <emphasis>logon
+ </emphasis> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </para></listitem>
+
+ <listitem><para>The name of the service the client requested is
+ added as a potential username.</para></listitem>
+
+ <listitem><para>The NetBIOS name of the client is added to
+ the list as a potential username.</para></listitem>
+
+ <listitem><para>Any users on the <link linkend="USER"><parameter>
+ user</parameter></link> list are added as potential usernames.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>If the <parameter>guest only</parameter> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</para>
+
+ <para>If the <parameter>guest only</parameter> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <parameter>guest account</parameter>, then this
+ guest user will be used, otherwise access is denied.</para>
+
+ <para>Note that it can be <emphasis>very</emphasis> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSUSER"><emphasis>SECURITY = USER
+ </emphasis></para>
+
+ <para>This is the default security setting in Samba 2.2.
+ With user-level security a client must first "log-on" with a
+ valid username and password (which can be mapped using the <link
+ linkend="USERNAMEMAP"><parameter>username map</parameter></link>
+ parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
+ <parameter>encrypted passwords</parameter></link> parameter) can also
+ be used in this security mode. Parameters such as <link linkend="USER">
+ <parameter>user</parameter></link> and <link linkend="GUESTONLY">
+ <parameter>guest only</parameter></link> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSSERVER"><emphasis>SECURITY = SERVER
+ </emphasis></para>
+
+ <para>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <command>security = user</command>, but note
+ that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid
+ <filename>smbpasswd</filename> file to check users against. See the
+ documentation file in the <filename>docs/</filename> directory
+ <filename>ENCRYPTION.txt</filename> for details on how to set this
+ up.</para>
+
+ <para><emphasis>Note</emphasis> that from the client's point of
+ view <command>security = server</command> is the same as <command>
+ security = user</command>. It only affects how the server deals
+ with the authentication, it does not in any way affect what the
+ client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
+ server</parameter></link> parameter and the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para><anchor id="SECURITYEQUALSDOMAIN"><emphasis>SECURITY = DOMAIN
+ </emphasis></para>
+
+ <para>This mode will only work correctly if <ulink
+ url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this
+ machine into a Windows NT Domain. It expects the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
+ </link> parameter to be set to <constant>true</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</para>
+
+ <para><emphasis>Note</emphasis> that from the client's point
+ of view <command>security = domain</command> is the same as <command>security = user
+ </command>. It only affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <link
+ linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
+ See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
+ </link> parameter for details on doing this.</para>
+
+ <para><emphasis>BUG:</emphasis> There is currently a bug in the
+ implementation of <command>security = domain</command> with respect
+ to multi-byte character set usernames. The communication with a
+ Domain Controller must be done in UNICODE and Samba currently
+ does not widen multi-byte user names to UNICODE correctly, thus
+ a multi-byte username will not be recognized correctly at the
+ Domain Controller. This issue will be addressed in a future release.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
+ server</parameter></link> parameter and the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
+ </link> parameter.</para>
+
+ <para>Default: <command>security = USER</command></para>
+ <para>Example: <command>security = DOMAIN</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SECURITYMASK">security mask (S)</term>
+ <listitem><para>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</para>
+
+ <para>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</para>
+
+ <para>If not set explicitly this parameter is 0777, allowing
+ a user to modify all the user/group/world permissions on a file.
+ </para>
+
+ <para><emphasis>Note</emphasis> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ "appliance" systems. Administrators of most normal systems will
+ probably want to leave it set to <constant>0777</constant>.</para>
+
+ <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
+ <parameter>force directory security mode</parameter></link>,
+ <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
+ security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
+ <parameter>force security mode</parameter></link> parameters.</para>
+
+ <para>Default: <command>security mask = 0777</command></para>
+ <para>Example: <command>security mask = 0770</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SERVERSTRING">server string (G)</term>
+ <listitem><para>This controls what string will show up in the
+ printer comment box in print manager and next to the IPC connection
+ in <command>net view</command>. It can be any string that you wish
+ to show to your users.</para>
+
+ <para>It also sets what will appear in browse lists next
+ to the machine name.</para>
+
+ <para>A <parameter>%v</parameter> will be replaced with the Samba
+ version number.</para>
+
+ <para>A <parameter>%h</parameter> will be replaced with the
+ hostname.</para>
+
+ <para>Default: <command>server string = Samba %v</command></para>
+
+ <para>Example: <command>server string = University of GNUs Samba
+ Server</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SETDIRECTORY">set directory (S)</term>
+ <listitem><para>If <command>set directory = no</command>, then
+ users of the service may not use the setdir command to change
+ directory.</para>
+
+ <para>The <command>setdir</command> command is only implemented
+ in the Digital Pathworks client. See the Pathworks documentation
+ for details.</para>
+
+ <para>Default: <command>set directory = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="SHORTPRESERVECASE">short preserve case (S)</term>
+ <listitem><para>This boolean parameter controls if new files
+ which conform to 8.3 syntax, that is all in upper case and of
+ suitable length, are created upper case, or if they are forced
+ to be the <link linkend="DEFAULTCASE"><parameter>default case
+ </parameter></link>. This option can be use with <link
+ linkend="PRESERVECASE"><command>preserve case = yes</command>
+ </link> to permit long filenames to retain their case, while short
+ names are lowered. </para>
+
+ <para>See the section on <link linkend="NAMEMANGLINGSECT">
+ NAME MANGLING</link>.</para>
+
+ <para>Default: <command>short preserve case = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SHOWADDPRINTERWIZARD">show add printer wizard (G)</term>
+ <listitem><para>With the introduction of MS-RPC based printing support
+ for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
+ appear on Samba hosts in the share listing. Normally this folder will
+ contain an icon for the MS Add Printer Wizard (APW). However, it is
+ possible to disable this feature regardless of the level of privilege
+ of the connected user.</para>
+
+ <para>Under normal circumstances, the Windows NT/2000 client will
+ open a handle on the printer server with OpenPrinterEx() asking for
+ Administrator privileges. If the user does not have administrative
+ access on the print server (i.e is not root or a member of the
+ <parameter>printer admin</parameter> group), the OpenPrinterEx()
+ call fails and the client makes another open call with a request for
+ a lower privilege level. This should succeed, however the APW
+ icon will not be displayed.</para>
+
+ <para>Disabling the <parameter>show add printer wizard</parameter>
+ parameter will always cause the OpenPrinterEx() on the server
+ to fail. Thus the APW icon will never be displayed. <emphasis>
+ Note :</emphasis>This does not prevent the same user from having
+ administrative privilege on an individual printer.</para>
+
+ <para>See also <link linkend="ADDPRINTERCOMMAND"><parameter>addprinter
+ command</parameter></link>, <link linkend="DELETEPRINTERCOMMAND">
+ <parameter>deleteprinter command</parameter></link>, <link
+ linkend="PRINTERADMIN"><parameter>printer admin</parameter></link></para>
+
+ <para>Default :<command>show add printer wizard = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SHUTDOWNSCRIPT">shutdown script (G)</term>
+ <listitem><para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis>
+ This a full path name to a script called by
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> that
+ should start a shutdown procedure.</para>
+
+ <para>This command will be run as the user connected to the
+ server.</para>
+
+ <para>%m %t %r %f parameters are expanded</para>
+ <para><parameter>%m</parameter> will be substituted with the
+ shutdown message sent to the server.</para>
+ <para><parameter>%t</parameter> will be substituted with the
+ number of seconds to wait before effectively starting the
+ shutdown procedure.</para>
+ <para><parameter>%r</parameter> will be substituted with the
+ switch <emphasis>-r</emphasis>. It means reboot after shutdown
+ for NT.
+ </para>
+ <para><parameter>%f</parameter> will be substituted with the
+ switch <emphasis>-f</emphasis>. It means force the shutdown
+ even if applications do not respond for NT.</para>
+
+ <para>Default: <emphasis>None</emphasis>.</para>
+ <para>Example: <command>abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</command></para>
+ <para>Shutdown script example:
+ <programlisting>
+ #!/bin/bash
+
+ $time=0
+ let "time/60"
+ let "time++"
+
+ /sbin/shutdown $3 $4 +$time $1 &
+ </programlisting>
+ Shutdown does not return so we need to launch it in background.
+ </para>
+
+ <para>See also <link linkend="ABORTSHUTDOWNSCRIPT"><parameter>abort shutdown script</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SMBPASSWDFILE">smb passwd file (G)</term>
+ <listitem><para>This option sets the path to the encrypted
+ smbpasswd file. By default the path to the smbpasswd file
+ is compiled into Samba.</para>
+
+ <para>Default: <command>smb passwd file = ${prefix}/private/smbpasswd
+ </command></para>
+
+ <para>Example: <command>smb passwd file = /etc/samba/smbpasswd
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="SOCKETADDRESS">socket address (G)</term>
+ <listitem><para>This option allows you to control what
+ address Samba will listen for connections on. This is used to
+ support multiple virtual interfaces on the one server, each
+ with a different configuration.</para>
+
+ <para>By default Samba will accept connections on any
+ address.</para>
+
+ <para>Example: <command>socket address = 192.168.2.20</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SOCKETOPTIONS">socket options (G)</term>
+ <listitem><para>This option allows you to set socket options
+ to be used when talking with the client.</para>
+
+ <para>Socket options are controls on the networking layer
+ of the operating systems which allow the connection to be
+ tuned.</para>
+
+ <para>This option will typically be used to tune your Samba
+ server for optimal performance for your local network. There is
+ no way that Samba can know what the optimal parameters are for
+ your net, so you must experiment and choose them yourself. We
+ strongly suggest you read the appropriate documentation for your
+ operating system first (perhaps <command>man setsockopt</command>
+ will help).</para>
+
+ <para>You may find that on some systems Samba will say
+ "Unknown socket option" when you supply an option. This means you
+ either incorrectly typed it or you need to add an include file
+ to includes.h for your OS. If the latter is the case please
+ send the patch to <ulink url="mailto:samba@samba.org">
+ samba@samba.org</ulink>.</para>
+
+ <para>Any of the supported socket options may be combined
+ in any way you like, as long as your OS allows it.</para>
+
+ <para>This is the list of socket options currently settable
+ using this option:</para>
+
+ <itemizedlist>
+ <listitem><para>SO_KEEPALIVE</para></listitem>
+ <listitem><para>SO_REUSEADDR</para></listitem>
+ <listitem><para>SO_BROADCAST</para></listitem>
+ <listitem><para>TCP_NODELAY</para></listitem>
+ <listitem><para>IPTOS_LOWDELAY</para></listitem>
+ <listitem><para>IPTOS_THROUGHPUT</para></listitem>
+ <listitem><para>SO_SNDBUF *</para></listitem>
+ <listitem><para>SO_RCVBUF *</para></listitem>
+ <listitem><para>SO_SNDLOWAT *</para></listitem>
+ <listitem><para>SO_RCVLOWAT *</para></listitem>
+ </itemizedlist>
+
+ <para>Those marked with a <emphasis>'*'</emphasis> take an integer
+ argument. The others can optionally take a 1 or 0 argument to enable
+ or disable the option, by default they will be enabled if you
+ don't specify 1 or 0.</para>
+
+ <para>To specify an argument use the syntax SOME_OPTION = VALUE
+ for example <command>SO_SNDBUF = 8192</command>. Note that you must
+ not have any spaces before or after the = sign.</para>
+
+ <para>If you are on a local network then a sensible option
+ might be</para>
+ <para><command>socket options = IPTOS_LOWDELAY</command></para>
+
+ <para>If you have a local network then you could try:</para>
+ <para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
+
+ <para>If you are on a wide area network then perhaps try
+ setting IPTOS_THROUGHPUT. </para>
+
+ <para>Note that several of the options may cause your Samba
+ server to fail completely. Use these options with caution!</para>
+
+ <para>Default: <command>socket options = TCP_NODELAY</command></para>
+ <para>Example: <command>socket options = IPTOS_LOWDELAY</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="SOURCEENVIRONMENT">source environment (G)</term>
+ <listitem><para>This parameter causes Samba to set environment
+ variables as per the content of the file named.</para>
+
+ <para>If the value of this parameter starts with a "|" character
+ then Samba will treat that value as a pipe command to open and
+ will set the environment variables from the output of the pipe.</para>
+
+ <para>The contents of the file or the output of the pipe should
+ be formatted as the output of the standard Unix <command>env(1)
+ </command> command. This is of the form :</para>
+ <para>Example environment entry:</para>
+ <para><command>SAMBA_NETBIOS_NAME = myhostname</command></para>
+
+ <para>Default: <emphasis>No default value</emphasis></para>
+ <para>Examples: <command>source environment = |/etc/smb.conf.sh
+ </command></para>
+
+ <para>Example: <command>source environment =
+ /usr/local/smb_env_vars</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSL">ssl (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This variable enables or disables the entire SSL mode. If
+ it is set to <constant>no</constant>, the SSL-enabled Samba behaves
+ exactly like the non-SSL Samba. If set to <constant>yes</constant>,
+ it depends on the variables <link linkend="SSLHOSTS"><parameter>
+ ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN">
+ <parameter>ssl hosts resign</parameter></link> whether an SSL
+ connection will be required.</para>
+
+ <para>Default: <command>ssl = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This variable defines where to look up the Certification
+ Authorities. The given directory should contain one file for
+ each CA that Samba will trust. The file name must be the hash
+ value over the "Distinguished Name" of the CA. How this directory
+ is set up is explained later in this document. All files within the
+ directory that don't fit into this naming scheme are ignored. You
+ don't need this variable if you don't verify client certificates.</para>
+
+ <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This variable is a second way to define the trusted CAs.
+ The certificates of the trusted CAs are collected in one big
+ file and this variable points to the file. You will probably
+ only use one of the two ways to define your CAs. The first choice is
+ preferable if you have many CAs or want to be flexible, the second
+ is preferable if you only have one CA and want to keep things
+ simple (you won't need to create the hashed file names). You
+ don't need this variable if you don't verify client certificates.</para>
+
+ <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This variable defines the ciphers that should be offered
+ during SSL negotiation. You should not set this variable unless
+ you know what you are doing.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>The certificate in this file is used by <ulink url="smbclient.1.html">
+ <command>smbclient(1)</command></ulink> if it exists. It's needed
+ if the server requires a client certificate.</para>
+
+ <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This is the private key for <ulink url="smbclient.1.html">
+ <command>smbclient(1)</command></ulink>. It's only needed if the
+ client should have a certificate. </para>
+
+ <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This variable defines whether OpenSSL should be configured
+ for bug compatibility with other SSL implementations. This is
+ probably not desirable because currently no clients with SSL
+ implementations other than OpenSSL exist.</para>
+
+ <para>Default: <command>ssl compatibility = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>
+ This option is used to define the location of the communiation socket of
+ an EGD or PRNGD daemon, from which entropy can be retrieved. This option
+ can be used instead of or together with the <link
+ linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link>
+ directive. 255 bytes of entropy will be retrieved from the daemon.
+ </para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>
+ This parameter is used to define the number of bytes which should
+ be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy
+ file</parameter></link> If a -1 is specified, the entire file will
+ be read.
+ </para>
+
+ <para>Default: <command>ssl entropy bytes = 255</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>
+ This parameter is used to specify a file from which processes will
+ read "random bytes" on startup. In order to seed the internal pseudo
+ random number generator, entropy must be provided. On system with a
+ <filename>/dev/urandom</filename> device file, the processes
+ will retrieve its entropy from the kernel. On systems without kernel
+ entropy support, a file can be supplied that will be read on startup
+ and that will be used to seed the PRNG.
+ </para>
+
+ <para>Default: <emphasis>none</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLHOSTS">ssl hosts (G)</term>
+ <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter>
+ ssl hosts resign</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>These two variables define whether Samba will go
+ into SSL mode or not. If none of them is defined, Samba will
+ allow only SSL connections. If the <link linkend="SSLHOSTS">
+ <parameter>ssl hosts</parameter></link> variable lists
+ hosts (by IP-address, IP-address range, net group or name),
+ only these hosts will be forced into SSL mode. If the <parameter>
+ ssl hosts resign</parameter> variable lists hosts, only these
+ hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two
+ variables is the same as for the <link linkend="HOSTSALLOW"><parameter>
+ hosts allow</parameter></link> and <link linkend="HOSTSDENY">
+ <parameter>hosts deny</parameter></link> pair of variables, only
+ that the subject of the decision is different: It's not the access
+ right but whether SSL is used or not. </para>
+
+ <para>The example below requires SSL connections from all hosts
+ outside the local net (which is 192.168.*.*).</para>
+
+ <para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
+ <para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command>ssl hosts resign = 192.168.</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>If this variable is set to <constant>yes</constant>, the
+ server will not tolerate connections from clients that don't
+ have a valid certificate. The directory/file given in <link
+ linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter>
+ </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile
+ </parameter></link> will be used to look up the CAs that issued
+ the client's certificate. If the certificate can't be verified
+ positively, the connection will be terminated. If this variable
+ is set to <constant>no</constant>, clients don't need certificates.
+ Contrary to web applications you really <emphasis>should</emphasis>
+ require client certificates. In the web environment the client's
+ data is sensitive (credit card numbers) and the server must prove
+ to be trustworthy. In a file server environment the server's data
+ will be sensitive and the clients must prove to be trustworthy.</para>
+
+ <para>Default: <command>ssl require clientcert = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>If this variable is set to <constant>yes</constant>, the
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command>
+ </ulink> will request a certificate from the server. Same as
+ <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require
+ clientcert</parameter></link> for the server.</para>
+
+ <para>Default: <command>ssl require servercert = no</command>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This is the file containing the server's certificate.
+ The server <emphasis>must</emphasis> have a certificate. The
+ file may also contain the server's private key. See later for
+ how certificates and private keys are created.</para>
+
+ <para>Default: <command>ssl server cert = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLSERVERKEY">ssl server key (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This file contains the private key of the server. If
+ this variable is not defined, the key is looked up in the
+ certificate file (it may be appended to the certificate).
+ The server <emphasis>must</emphasis> have a private key
+ and the certificate <emphasis>must</emphasis>
+ match this private key.</para>
+
+ <para>Default: <command>ssl server key = &lt;empty string&gt;
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="SSLVERSION">ssl version (G)</term>
+ <listitem><para>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <command>--with-ssl</command> was
+ given at configure time.</para>
+
+ <para>This enumeration variable defines the versions of the
+ SSL protocol that will be used. <constant>ssl2or3</constant> allows
+ dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
+ in SSL v2, <constant>ssl3</constant> results in SSL v3 and
+ <constant>tls1</constant> results in TLS v1. TLS (Transport Layer
+ Security) is the new standard for SSL.</para>
+
+ <para>Default: <command>ssl version = "ssl2or3"</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STATCACHE">stat cache (G)</term>
+ <listitem><para>This parameter determines if <ulink
+ url="smbd.8.html">smbd(8)</ulink> will use a cache in order to
+ speed up case insensitive name mappings. You should never need
+ to change this parameter.</para>
+
+ <para>Default: <command>stat cache = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="STATCACHESIZE">stat cache size (G)</term>
+ <listitem><para>This parameter determines the number of
+ entries in the <parameter>stat cache</parameter>. You should
+ never need to change this parameter.</para>
+
+ <para>Default: <command>stat cache size = 50</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STATUS">status (G)</term>
+ <listitem><para>This enables or disables logging of connections
+ to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink>
+ can read.</para>
+
+ <para>With this disabled <command>smbstatus</command> won't be able
+ to tell you what connections are active. You should never need to
+ change this parameter.</para>
+
+ <para>Default: <command>status = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STRICTALLOCATE">strict allocate (S)</term>
+ <listitem><para>This is a boolean that controls the handling of
+ disk space allocation in the server. When this is set to <constant>yes</constant>
+ the server will change from UNIX behaviour of not committing real
+ disk storage blocks when a file is extended to the Windows behaviour
+ of actually forcing the disk system to allocate real storage blocks
+ when a file is created or extended to be a given size. In UNIX
+ terminology this means that Samba will stop creating sparse files.
+ This can be slow on some systems.</para>
+
+ <para>When strict allocate is <constant>no</constant> the server does sparse
+ disk block allocation when a file is extended.</para>
+
+ <para>Setting this to <constant>yes</constant> can help Samba return
+ out of quota messages on systems that are restricting the disk quota
+ of users.</para>
+
+ <para>Default: <command>strict allocate = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STRICTLOCKING">strict locking (S)</term>
+ <listitem><para>This is a boolean that controls the handling of
+ file locking in the server. When this is set to <constant>yes</constant>
+ the server will check every read and write access for file locks, and
+ deny access if locks exist. This can be slow on some systems.</para>
+
+ <para>When strict locking is <constant>no</constant> the server does file
+ lock checks only when the client explicitly asks for them.</para>
+
+ <para>Well-behaved clients always ask for lock checks when it
+ is important, so in the vast majority of cases <command>strict
+ locking = no</command> is preferable.</para>
+
+ <para>Default: <command>strict locking = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="STRICTSYNC">strict sync (S)</term>
+ <listitem><para>Many Windows applications (including the Windows
+ 98 explorer shell) seem to confuse flushing buffer contents to
+ disk with doing a sync to disk. Under UNIX, a sync call forces
+ the process to be suspended until the kernel has ensured that
+ all outstanding data in kernel disk buffers has been safely stored
+ onto stable storage. This is very slow and should only be done
+ rarely. Setting this parameter to <constant>no</constant> (the
+ default) means that <ulink url="smbd.8.html">smbd</ulink> ignores the Windows applications requests for
+ a sync call. There is only a possibility of losing data if the
+ operating system itself that Samba is running on crashes, so there is
+ little danger in this default setting. In addition, this fixes many
+ performance problems that people have reported with the new Windows98
+ explorer shell file copies.</para>
+
+ <para>See also the <link linkend="SYNCALWAYS"><parameter>sync
+ always></parameter></link> parameter.</para>
+
+ <para>Default: <command>strict sync = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="STRIPDOT">strip dot (G)</term>
+ <listitem><para>This is a boolean that controls whether to
+ strip trailing dots off UNIX filenames. This helps with some
+ CDROMs that have filenames ending in a single dot.</para>
+
+ <para>Default: <command>strip dot = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SYNCALWAYS">sync always (S)</term>
+ <listitem><para>This is a boolean parameter that controls
+ whether writes will always be written to stable storage before
+ the write call returns. If this is <constant>false</constant> then the server will be
+ guided by the client's request in each write call (clients can
+ set a bit indicating that a particular write should be synchronous).
+ If this is <constant>true</constant> then every write will be followed by a <command>fsync()
+ </command> call to ensure the data is written to disk. Note that
+ the <parameter>strict sync</parameter> parameter must be set to
+ <constant>yes</constant> in order for this parameter to have
+ any affect.</para>
+
+ <para>See also the <link linkend="STRICTSYNC"><parameter>strict
+ sync</parameter></link> parameter.</para>
+
+ <para>Default: <command>sync always = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SYSLOG">syslog (G)</term>
+ <listitem><para>This parameter maps how Samba debug messages
+ are logged onto the system syslog logging levels. Samba debug
+ level zero maps onto syslog <constant>LOG_ERR</constant>, debug
+ level one maps onto <constant>LOG_WARNING</constant>, debug level
+ two maps onto <constant>LOG_NOTICE</constant>, debug level three
+ maps onto LOG_INFO. All higher levels are mapped to <constant>
+ LOG_DEBUG</constant>.</para>
+
+ <para>This parameter sets the threshold for sending messages
+ to syslog. Only messages with debug level less than this value
+ will be sent to syslog.</para>
+
+ <para>Default: <command>syslog = 1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="SYSLOGONLY">syslog only (G)</term>
+ <listitem><para>If this parameter is set then Samba debug
+ messages are logged into the system syslog only, and not to
+ the debug log files.</para>
+
+ <para>Default: <command>syslog only = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TEMPLATEHOMEDIR">template homedir (G)</term>
+ <listitem><para>When filling out the user information for a Windows NT
+ user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <parameter>%D</parameter> is present it is substituted
+ with the user's Windows NT domain name. If the string <parameter>%U
+ </parameter> is present it is substituted with the user's Windows
+ NT user name.</para>
+
+ <para>Default: <command>template homedir = /home/%D/%U</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TEMPLATESHELL">template shell (G)</term>
+ <listitem><para>When filling out the user information for a Windows NT
+ user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
+ uses this parameter to fill in the login shell for that user.</para>
+
+ <para>Default: <command>template shell = /bin/false</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TIMEOFFSET">time offset (G)</term>
+ <listitem><para>This parameter is a setting in minutes to add
+ to the normal GMT to local time conversion. This is useful if
+ you are serving a lot of PCs that have incorrect daylight
+ saving time handling.</para>
+
+ <para>Default: <command>time offset = 0</command></para>
+ <para>Example: <command>time offset = 60</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="TIMESERVER">time server (G)</term>
+ <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> advertises itself as a time server to Windows
+ clients.</para>
+
+ <para>Default: <command>time server = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="TIMESTAMPLOGS">timestamp logs (G)</term>
+ <listitem><para>Synonym for <link linkend="DEBUGTIMESTAMP"><parameter>
+ debug timestamp</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="TOTALPRINTJOBS">total print jobs (G)</term>
+ <listitem><para>This parameter accepts an integer value which defines
+ a limit on the maximum number of print jobs that will be accepted
+ system wide at any given time. If a print job is submitted
+ by a client which will exceed this number, then <ulink url="smbd.8.html">smbd</ulink> will return an
+ error indicating that no space is available on the server. The
+ default value of 0 means that no such limit exists. This parameter
+ can be used to prevent a server from exceeding its capacity and is
+ designed as a printing throttle. See also
+ <link linkend="MAXPRINTJOBS"><parameter>max print jobs</parameter</link>.
+ </para>
+
+ <para>Default: <command>total print jobs = 0</command></para>
+ <para>Example: <command>total print jobs = 5000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="UNIXEXTENSIONS">unix extensions(G)</term>
+ <listitem><para>This boolean parameter controls whether Samba
+ implments the CIFS UNIX extensions, as defined by HP. These
+ extensions enable CIFS to server UNIX clients to UNIX servers
+ better, and allow such things as symbolic links, hard links etc.
+ These extensions require a similarly enabled client, and are of
+ no current use to Windows clients.</para>
+
+ <para>Default: <command>unix extensions = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="UNIXPASSWORDSYNC">unix password sync (G)</term>
+ <listitem><para>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to <constant>true</constant> the program specified in the <parameter>passwd
+ program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password change code has no
+ access to the old password cleartext, only the new).</para>
+
+ <para>See also <link linkend="PASSWDPROGRAM"><parameter>passwd
+ program</parameter></link>, <link linkend="PASSWDCHAT"><parameter>
+ passwd chat</parameter></link>.</para>
+
+ <para>Default: <command>unix password sync = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="UPDATEENCRYPTED">update encrypted (G)</term>
+ <listitem><para>This boolean parameter allows a user logging
+ on with a plaintext password to have their encrypted (hashed)
+ password in the smbpasswd file to be updated automatically as
+ they log on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing
+ all users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change over
+ to encrypted passwords to be made over a longer period. Once all users
+ have encrypted representations of their passwords in the smbpasswd
+ file this parameter should be set to <constant>no</constant>.</para>
+
+ <para>In order for this parameter to work correctly the <link
+ linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter>
+ </link> parameter must be set to <constant>no</constant> when
+ this parameter is set to <constant>yes</constant>.</para>
+
+ <para>Note that even when this parameter is set a user
+ authenticating to <command>smbd</command> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</para>
+
+ <para>Default: <command>update encrypted = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="USECLIENTDRIVER">use client driver (S)</term>
+ <listitem><para>This parameter applies only to Windows NT/2000
+ clients. It has no affect on Windows 95/98/ME clients. When
+ serving a printer to Windows NT/2000 clients without first installing
+ a valid printer driver on the Samba host, the client will be required
+ to install a local printer driver. From this point on, the client
+ will treat the print as a local printer and not a network printer
+ connection. This is much the same behavior that will occur
+ when <command>disable spoolss = yes</command>. </para>
+
+ <para>The differentiating
+ factor is that under normal circumstances, the NT/2000 client will
+ attempt to open the network printer using MS-RPC. The problem is that
+ because the client considers the printer to be local, it will attempt
+ to issue the OpenPrinterEx() call requesting access rights associated
+ with the logged on user. If the user possesses local administator rights
+ but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
+ call will fail. The result is that the client will now display an "Access
+ Denied; Unable to connect" message in the printer queue window (even though
+ jobs may successfully be printed). </para>
+
+ <para>If this parameter is enabled for a printer, then any attempt
+ to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
+ to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
+ call to succeed. <emphasis>This parameter MUST not be able enabled
+ on a print share which has valid print driver installed on the Samba
+ server.</emphasis></para>
+
+ <para>See also <link linkend="DISABLESPOOLSS">disable spoolss</link>
+ </para>
+
+ <para>Default: <command>use client driver = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USEMMAP">use mmap (G)</term>
+ <listitem><para>This global parameter determines if the tdb internals of Samba can
+ depend on mmap working correctly on the running system. Samba requires a coherent
+ mmap/read-write system memory cache. Currently only HPUX does not have such a
+ coherent cache, and so this parameter is set to <constant>false</constant> by
+ default on HPUX. On all other systems this parameter should be left alone. This
+ parameter is provided to help the Samba developers track down problems with
+ the tdb internal code.
+ </para>
+
+ <para>Default: <command>use mmap = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="USERHOSTS">use rhosts (G)</term>
+ <listitem><para>If this global parameter is <constant>true</constant>, it specifies
+ that the UNIX user's <filename>.rhosts</filename> file in their home directory
+ will be read to find the names of hosts and users who will be allowed
+ access without specifying a password.</para>
+
+ <para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts
+ </parameter> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the <parameter>
+ use rhosts</parameter> option be only used if you really know what
+ you are doing.</para>
+
+ <para>Default: <command>use rhosts = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USER">user (S)</term>
+ <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
+ username</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USERS">users (S)</term>
+ <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
+ username</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="USERNAME">username (S)</term>
+ <listitem><para>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</para>
+
+ <para>The <parameter>username</parameter> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</para>
+
+ <para>The <parameter>username</parameter> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <parameter>username</parameter> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</para>
+
+ <para>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</para>
+
+ <para>To restrict a service to a particular set of users you
+ can use the <link linkend="VALIDUSERS"><parameter>valid users
+ </parameter></link> parameter.</para>
+
+ <para>If any of the usernames begin with a '@' then the name
+ will be looked up first in the NIS netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</para>
+
+ <para>If any of the usernames begin with a '&'then the name
+ will be looked up only in the NIS netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</para>
+
+ <para>Note that searching though a groups database can take
+ quite some time, and some clients may time out during the
+ search.</para>
+
+ <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</link> for more information on how
+ this parameter determines access to the services.</para>
+
+ <para>Default: <command>The guest account if a guest service,
+ else &lt;empty string&gt;.</command></para>
+
+ <para>Examples:<command>username = fred, mary, jack, jane,
+ @users, @pcgroup</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USERNAMELEVEL">username level (G)</term>
+ <listitem><para>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</para>
+
+ <para>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try while trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <constant>AstrangeUser
+ </constant>.</para>
+
+ <para>Default: <command>username level = 0</command></para>
+ <para>Example: <command>username level = 5</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="USERNAMEMAP">username map (G)</term>
+ <listitem><para>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</para>
+
+ <para>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</para>
+
+ <para>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</para>
+
+ <para>If any line begins with a '#' or a ';' then it is
+ ignored</para>
+
+ <para>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</para>
+
+ <para>For example to map from the name <constant>admin</constant>
+ or <constant>administrator</constant> to the UNIX name <constant>
+ root</constant> you would use:</para>
+
+ <para><command>root = admin administrator</command></para>
+
+ <para>Or to map anyone in the UNIX group <constant>system</constant>
+ to the UNIX name <constant>sys</constant> you would use:</para>
+
+ <para><command>sys = @system</command></para>
+
+ <para>You can have as many mappings as you like in a username
+ map file.</para>
+
+
+ <para>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <filename>/etc/group
+ </filename> database for matching groups.</para>
+
+ <para>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</para>
+
+ <para><command>tridge = "Andrew Tridgell"</command></para>
+
+ <para>would map the windows username "Andrew Tridgell" to the
+ unix username "tridge".</para>
+
+ <para>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</para>
+
+ <para><programlisting>
+ !sys = mary fred
+ guest = *
+ </programlisting></para>
+
+ <para>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <constant>
+ fred</constant> is remapped to <constant>mary</constant> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <constant>mary</constant> not
+ <constant>fred</constant>. The only exception to this is the
+ username passed to the <link linkend="PASSWORDSERVER"><parameter>
+ password server</parameter></link> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</para>
+
+ <para>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</para>
+
+ <para>Default: <emphasis>no username map</emphasis></para>
+ <para>Example: <command>username map = /usr/local/samba/lib/users.map
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="UTMP">utmp (G)</term>
+ <listitem><para>This boolean parameter is only available if
+ Samba has been configured and compiled with the option <command>
+ --with-utmp</command>. If set to <constant>true</constant> then Samba will attempt
+ to add utmp or utmpx records (depending on the UNIX system) whenever a
+ connection is made to a Samba server. Sites may use this to record the
+ user connecting to a Samba share.</para>
+
+ <para>See also the <link linkend="UTMPDIRECTORY"><parameter>
+ utmp directory</parameter></link> parameter.</para>
+
+ <para>Default: <command>utmp = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="UTMPDIRECTORY">utmp directory(G)</term>
+ <listitem><para>This parameter is only available if Samba has
+ been configured and compiled with the option <command>
+ --with-utmp</command>. It specifies a directory pathname that is
+ used to store the utmp or utmpx files (depending on the UNIX system) that
+ record user connections to a Samba server. See also the <link linkend="UTMP">
+ <parameter>utmp</parameter></link> parameter. By default this is
+ not set, meaning the system will use whatever utmp file the
+ native system is set to use (usually
+ <filename>/var/run/utmp</filename> on Linux).</para>
+
+ <para>Default: <emphasis>no utmp directory</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="VALIDUSERS">valid users (S)</term>
+ <listitem><para>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&'
+ are interpreted using the same rules as described in the
+ <parameter>invalid users</parameter> parameter.</para>
+
+ <para>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <parameter>invalid
+ users</parameter> list then access is denied for that user.</para>
+
+ <para>The current servicename is substituted for <parameter>%S
+ </parameter>. This is useful in the [homes] section.</para>
+
+ <para>See also <link linkend="INVALIDUSERS"><parameter>invalid users
+ </parameter></link></para>
+
+ <para>Default: <emphasis>No valid users list (anyone can login)
+ </emphasis></para>
+
+ <para>Example: <command>valid users = greg, @pcusers</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="VETOFILES">veto files(S)</term>
+ <listitem><para>This is a list of files and directories that
+ are neither visible nor accessible. Each entry in the list must
+ be separated by a '/', which allows spaces to be included
+ in the entry. '*' and '?' can be used to specify multiple files
+ or directories as in DOS wildcards.</para>
+
+ <para>Each entry must be a unix path, not a DOS path and
+ must <emphasis>not</emphasis> include the unix directory
+ separator '/'.</para>
+
+ <para>Note that the <parameter>case sensitive</parameter> option
+ is applicable in vetoing files.</para>
+
+ <para>One feature of the veto files parameter that it
+ is important to be aware of is Samba's behaviour when
+ trying to delete a directory. If a directory that is
+ to be deleted contains nothing but veto files this
+ deletion will <emphasis>fail</emphasis> unless you also set
+ the <parameter>delete veto files</parameter> parameter to
+ <parameter>yes</parameter>.</para>
+
+ <para>Setting this parameter will affect the performance
+ of Samba, as it will be forced to check all files and directories
+ for a match as they are scanned.</para>
+
+ <para>See also <link linkend="HIDEFILES"><parameter>hide files
+ </parameter></link> and <link linkend="CASESENSITIVE"><parameter>
+ case sensitive</parameter></link>.</para>
+
+ <para>Default: <emphasis>No files or directories are vetoed.
+ </emphasis></para>
+
+<para>Examples:<programlisting>
+; Veto any files containing the word Security,
+; any ending in .tmp, and any directory containing the
+; word root.
+veto files = /*Security*/*.tmp/*root*/
+
+; Veto the Apple specific files that a NetAtalk server
+; creates.
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+</programlisting></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="VETOOPLOCKFILES">veto oplock files (S)</term>
+ <listitem><para>This parameter is only valid when the <link
+ linkend="OPLOCKS"><parameter>oplocks</parameter></link>
+ parameter is turned on for a share. It allows the Samba administrator
+ to selectively turn off the granting of oplocks on selected files that
+ match a wildcarded list, similar to the wildcarded list used in the
+ <link linkend="VETOFILES"><parameter>veto files</parameter></link>
+ parameter.</para>
+
+ <para>Default: <emphasis>No files are vetoed for oplock
+ grants</emphasis></para>
+
+ <para>You might want to do this on files that you know will
+ be heavily contended for by clients. A good example of this
+ is in the NetBench SMB benchmark program, which causes heavy
+ client contention for files ending in <filename>.SEM</filename>.
+ To cause Samba not to grant oplocks on these files you would use
+ the line (either in the [global] section or in the section for
+ the particular NetBench share :</para>
+
+ <para>Example: <command>veto oplock files = /*.SEM/
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="VFSOBJECT">vfs object (S)</term>
+ <listitem><para>This parameter specifies a shared object file that
+ is used for Samba VFS I/O operations. By default, normal
+ disk I/O operations are used but these can be overloaded
+ with a VFS object. The Samba VFS layer is new to Samba 2.2 and
+ must be enabled at compile time with --with-vfs.</para>
+
+ <para>Default : <emphasis>no value</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="VFSOPTIONS">vfs options (S)</term>
+ <listitem><para>This parameter allows parameters to be passed
+ to the vfs layer at initialization time. The Samba VFS layer
+ is new to Samba 2.2 and must be enabled at compile time
+ with --with-vfs. See also <link linkend="VFSOBJECT"><parameter>
+ vfs object</parameter></link>.</para>
+
+ <para>Default : <emphasis>no value</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="VOLUME">volume (S)</term>
+ <listitem><para> This allows you to override the volume label
+ returned for a share. Useful for CDROMs with installation programs
+ that insist on a particular volume label.</para>
+
+ <para>Default: <emphasis>the name of the share</emphasis></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WIDELINKS">wide links (S)</term>
+ <listitem><para>This parameter controls whether or not links
+ in the UNIX file system may be followed by the server. Links
+ that point to areas within the directory tree exported by the
+ server are always allowed; this parameter controls access only
+ to areas that are outside the directory tree being exported.</para>
+
+ <para>Note that setting this parameter can have a negative
+ effect on your server performance due to the extra system calls
+ that Samba has to do in order to perform the link checks.</para>
+
+ <para>Default: <command>wide links = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDCACHETIME">winbind cache time</term>
+ <listitem><para>This parameter specifies the number of seconds the
+ <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</para>
+
+ <para>Default: <command>winbind cache type = 15</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDENUMUSERS">winbind enum
+ users</term> <listitem><para>On large installations using
+ <ulink url="winbindd.8.html">winbindd(8)</ulink> it may be
+ necessary to suppress the enumeration of users through the
+ <command> setpwent()</command>,
+ <command>getpwent()</command> and
+ <command>endpwent()</command> group of system calls. If
+ the <parameter>winbind enum users</parameter> parameter is
+ false, calls to the <command>getpwent</command> system call
+ will not return any data. </para>
+
+ <para><emphasis>Warning:</emphasis> Turning off user
+ enumeration may cause some programs to behave oddly. For
+ example, the finger program relies on having access to the
+ full user list when searching for matching
+ usernames. </para>
+
+ <para>Default: <command>winbind enum users = yes </command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><anchor id="WINBINDENUMGROUPS">winbind enum
+ groups</term> <listitem><para>On large installations using
+ <ulink url="winbindd.8.html">winbindd(8)</ulink> it may be
+ necessary to suppress the enumeration of groups through the
+ <command> setgrent()</command>,
+ <command>getgrent()</command> and
+ <command>endgrent()</command> group of system calls. If
+ the <parameter>winbind enum groups</parameter> parameter is
+ false, calls to the <command>getgrent()</command> system
+ call will not return any data. </para>
+
+ <para><emphasis>Warning:</emphasis> Turning off group
+ enumeration may cause some programs to behave oddly.
+ </para>
+
+ <para>Default: <command>winbind enum groups = yes </command>
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDGID">winbind gid</term>
+ <listitem><para>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <ulink url="winbindd.8.html">
+ winbindd(8)</ulink> daemon. This range of group ids should have no
+ existing local or NIS groups within it as strange conflicts can
+ occur otherwise.</para>
+
+ <para>Default: <command>winbind gid = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>winbind gid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDSEPARATOR">winbind separator</term>
+ <listitem><para>This parameter allows an admin to define the character
+ used when listing a username of the form of <replaceable>DOMAIN
+ </replaceable>\<replaceable>user</replaceable>. This parameter
+ is only applicable when using the <filename>pam_winbind.so</filename>
+ and <filename>nss_winbind.so</filename> modules for UNIX services.
+ </para>
+
+ <para>Example: <command>winbind separator = \</command></para>
+ <para>Example: <command>winbind separator = +</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WINBINDUID">winbind uid</term>
+ <listitem><para>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <ulink url="winbindd.8.html">
+ winbindd(8)</ulink> daemon. This range of ids should have no
+ existing local or NIS users within it as strange conflicts can
+ occur otherwise.</para>
+
+ <para>Default: <command>winbind uid = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>winbind uid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>winbind use default domain</term>
+
+ <term><anchor id="WINBINDUSEDEFAULTDOMAIN">winbind use default domain</term>
+ <listitem><para>This parameter specifies whether the <ulink url="winbindd.8.html">
+ winbindd(8)</ulink>
+ daemon should operate on users without domain component in their username.
+ Users without a domain component are treated as is part of the winbindd server's
+ own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
+ function in a way much closer to the way they would in a native unix system.</para>
+
+ <para>Default: <command>winbind use default domain = &lt;falseg&gt;
+ </command></para>
+ <para>Example: <command>winbind use default domain = true</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><anchor id="WINSHOOK">wins hook (G)</term>
+ <listitem><para>When Samba is running as a WINS server this
+ allows you to call an external program for all changes to the
+ WINS database. The primary use for this option is to allow the
+ dynamic update of external name resolution databases such as
+ dynamic DNS.</para>
+
+ <para>The wins hook parameter specifies the name of a script
+ or executable that will be called as follows:</para>
+
+ <para><command>wins_hook operation name nametype ttl IP_list
+ </command></para>
+
+ <itemizedlist>
+ <listitem><para>The first argument is the operation and is one
+ of "add", "delete", or "refresh". In most cases the operation can
+ be ignored as the rest of the parameters provide sufficient
+ information. Note that "refresh" may sometimes be called when the
+ name has not previously been added, in that case it should be treated
+ as an add.</para></listitem>
+
+ <listitem><para>The second argument is the NetBIOS name. If the
+ name is not a legal name then the wins hook is not called.
+ Legal names contain only letters, digits, hyphens, underscores
+ and periods.</para></listitem>
+
+ <listitem><para>The third argument is the NetBIOS name
+ type as a 2 digit hexadecimal number. </para></listitem>
+
+ <listitem><para>The fourth argument is the TTL (time to live)
+ for the name in seconds.</para></listitem>
+
+ <listitem><para>The fifth and subsequent arguments are the IP
+ addresses currently registered for that name. If this list is
+ empty then the name should be deleted.</para></listitem>
+ </itemizedlist>
+
+ <para>An example script that calls the BIND dynamic DNS update
+ program <command>nsupdate</command> is provided in the examples
+ directory of the Samba source code. </para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WINSPROXY">wins proxy (G)</term>
+ <listitem><para>This is a boolean that controls if <ulink
+ url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name
+ queries on behalf of other hosts. You may need to set this
+ to <constant>yes</constant> for some older clients.</para>
+
+ <para>Default: <command>wins proxy = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WINSSERVER">wins server (G)</term>
+ <listitem><para>This specifies the IP address (or DNS name: IP
+ address for preference) of the WINS server that <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> should register with. If you have a WINS server on
+ your network then you should set this to the WINS server's IP.</para>
+
+ <para>You should point this at your WINS server if you have a
+ multi-subnetted network.</para>
+
+ <para><emphasis>NOTE</emphasis>. You need to set up Samba to point
+ to a WINS server if you have multiple subnets and wish cross-subnet
+ browsing to work correctly.</para>
+
+ <para>See the documentation file <filename>BROWSING.txt</filename>
+ in the docs/ directory of your Samba source distribution.</para>
+
+ <para>Default: <emphasis>not enabled</emphasis></para>
+ <para>Example: <command>wins server = 192.9.200.1</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WINSSUPPORT">wins support (G)</term>
+ <listitem><para>This boolean controls if the <ulink url="nmbd.8.html">
+ nmbd(8)</ulink> process in Samba will act as a WINS server. You should
+ not set this to <constant>true</constant> unless you have a multi-subnetted network and
+ you wish a particular <command>nmbd</command> to be your WINS server.
+ Note that you should <emphasis>NEVER</emphasis> set this to <constant>true</constant>
+ on more than one machine in your network.</para>
+
+ <para>Default: <command>wins support = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WORKGROUP">workgroup (G)</term>
+ <listitem><para>This controls what workgroup your server will
+ appear to be in when queried by clients. Note that this parameter
+ also controls the Domain name used with the <link
+ linkend="SECURITYEQUALSDOMAIN"><command>security = domain</command></link>
+ setting.</para>
+
+ <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para>
+ <para>Example: <command>workgroup = MYGROUP</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITABLE">writable (S)</term>
+ <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
+ writeable</parameter></link> for people who can't spell :-).</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITECACHESIZE">write cache size (S)</term>
+ <listitem><para>If this integer parameter is set to non-zero value,
+ Samba will create an in-memory cache for each oplocked file
+ (it does <emphasis>not</emphasis> do this for
+ non-oplocked files). All writes that the client does not request
+ to be flushed directly to disk will be stored in this cache if possible.
+ The cache is flushed onto disk when a write comes in whose offset
+ would not fit into the cache or when the file is closed by the client.
+ Reads for the file are also served from this cache if the data is stored
+ within it.</para>
+
+ <para>This cache allows Samba to batch client writes into a more
+ efficient write size for RAID disks (i.e. writes may be tuned to
+ be the RAID stripe size) and can improve performance on systems
+ where the disk subsystem is a bottleneck but there is free
+ memory for userspace programs.</para>
+
+ <para>The integer parameter specifies the size of this cache
+ (per oplocked file) in bytes.</para>
+
+ <para>Default: <command>write cache size = 0</command></para>
+ <para>Example: <command>write cache size = 262144</command></para>
+
+ <para>for a 256k cache size per file.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITELIST">write list (S)</term>
+ <listitem><para>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <link
+ linkend="WRITEABLE"><parameter>writeable</parameter></link>
+ option is set to. The list can include group names using the
+ @group syntax.</para>
+
+ <para>Note that if a user is in both the read list and the
+ write list then they will be given write access.</para>
+
+ <para>See also the <link linkend="READLIST"><parameter>read list
+ </parameter></link> option.</para>
+
+ <para>Default: <command>write list = &lt;empty string&gt;
+ </command></para>
+
+ <para>Example: <command>write list = admin, root, @staff
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITEOK">write ok (S)</term>
+ <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
+ writeable</parameter></link>.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITERAW">write raw (G)</term>
+ <listitem><para>This parameter controls whether or not the server
+ will support raw write SMB's when transferring data from clients.
+ You should never need to change this parameter.</para>
+
+ <para>Default: <command>write raw = yes</command></para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term><anchor id="WRITEABLE">writeable (S)</term>
+ <listitem><para>An inverted synonym is <link linkend="READONLY">
+ <parameter>read only</parameter></link>.</para>
+
+ <para>If this parameter is <constant>no</constant>, then users
+ of a service may not create or modify files in the service's
+ directory.</para>
+
+ <para>Note that a printable service (<command>printable = yes</command>)
+ will <emphasis>ALWAYS</emphasis> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</para>
+
+ <para>Default: <command>writeable = no</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ </variablelist>
+
+</refsect1>
+
+<refsect1>
+ <title>WARNINGS</title>
+
+ <para>Although the configuration file permits service names
+ to contain spaces, your client software may not. Spaces will
+ be ignored in comparisons anyway, so it shouldn't be a
+ problem - but be aware of the possibility.</para>
+
+ <para>On a similar note, many clients - especially DOS clients -
+ limit service names to eight characters. <ulink url="smbd.8.html">smbd(8)
+ </ulink> has no such limitation, but attempts to connect from such
+ clients will fail if they truncate the service names. For this reason
+ you should probably keep your service names down to eight characters
+ in length.</para>
+
+ <para>Use of the [homes] and [printers] special sections make life
+ for an administrator easy, but the various combinations of default
+ attributes can be tricky. Take extreme care when designing these
+ sections. In particular, ensure that the permissions on spool
+ directories are correct.</para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="samba.7.html">samba(7)</ulink>,
+ <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>,
+ <ulink url="swat.8.html"><command>swat(8)</command></ulink>,
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>,
+ <ulink url="nmblookup.1.html"><command>nmblookup(1)</command></ulink>,
+ <ulink url="testparm.1.html"><command>testparm(1)</command></ulink>,
+ <ulink url="testprns.1.html"><command>testprns(1)</command></ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbcacls.1.sgml b/docs/docbook/manpages/smbcacls.1.sgml
new file mode 100644
index 0000000000..69aa967492
--- /dev/null
+++ b/docs/docbook/manpages/smbcacls.1.sgml
@@ -0,0 +1,255 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbcacls">
+
+<refmeta>
+ <refentrytitle>smbcacls</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbcacls</refname>
+ <refpurpose>Set or get ACLs on an NT file or directory names</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbcacls</command>
+ <arg choice="req">//server/share</arg>
+ <arg choice="req">filename</arg>
+ <arg choice="opt">-U username</arg>
+ <arg choice="opt">-A acls</arg>
+ <arg choice="opt">-M acls</arg>
+ <arg choice="opt">-D acls</arg>
+ <arg choice="opt">-S acls</arg>
+ <arg choice="opt">-C name</arg>
+ <arg choice="opt">-G name</arg>
+ <arg choice="opt">-n</arg>
+ <arg choice="opt">-h</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para>The <command>smbcacls</command> program manipulates NT Access Control Lists
+ (ACLs) on SMB file shares. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <para>The following options are available to the <command>smbcacls</command> program.
+ The format of ACLs is described in the section ACL FORMAT </para>
+
+
+ <variablelist>
+ <varlistentry>
+ <term>-A acls</term>
+ <listitem><para>Add the ACLs specified to the ACL list. Existing
+ access control entries are unchanged. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-M acls</term>
+ <listitem><para>Modify the mask value (permissions) for the ACLs
+ specified on the command line. An error will be printed for each
+ ACL specified that was not already present in the ACL list
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-D acls</term>
+ <listitem><para>Delete any ACLs specified on the command line.
+ An error will be printed for each ACL specified that was not
+ already present in the ACL list. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-S acls</term>
+ <listitem><para>This command sets the ACLs on the file with
+ only the ones specified on the command line. All other ACLs are
+ erased. Note that the ACL specified must contain at least a revision,
+ type, owner and group for the call to succeed. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-U username</term>
+ <listitem><para>Specifies a username used to connect to the
+ specified service. The username may be of the form "username" in
+ which case the user is prompted to enter in a password and the
+ workgroup specified in the <filename>smb.conf</filename> file is
+ used, or "username%password" or "DOMAIN\username%password" and the
+ password and workgroup names are used as provided. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-C name</term>
+ <listitem><para>The owner of a file or directory can be changed
+ to the name given using the <parameter>-C</parameter> option.
+ The name can be a sid in the form S-1-x-y-z or a name resolved
+ against the server specified in the first argument. </para>
+
+ <para>This command is a shortcut for -M OWNER:name.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-G name</term>
+ <listitem><para>The group owner of a file or directory can
+ be changed to the name given using the <parameter>-G</parameter>
+ option. The name can be a sid in the form S-1-x-y-z or a name
+ resolved against the server specified n the first argument.
+ </para>
+
+ <para>This command is a shortcut for -M GROUP:name.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-n</term>
+ <listitem><para>This option displays all ACL information in numeric
+ format. The default is to convert SIDs to names and ACE types
+ and masks to a readable string format. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem><para>Print usage information on the <command>smbcacls
+ </command> program.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>ACL FORMAT</title>
+
+ <para>The format of an ACL is one or more ACL entries separated by
+ either commas or newlines. An ACL entry is one of the following: </para>
+
+ <para><programlisting>
+REVISION:&lt;revision number&gt;
+OWNER:&lt;sid or name&gt;
+GROUP:&lt;sid or name&gt;
+ACL:&lt;sid or name&gt;:&lt;type&gt;/&lt;flags&gt;/&lt;mask&gt;
+ </programlisting></para>
+
+
+ <para>The revision of the ACL specifies the internal Windows
+ NT ACL revision for the security descriptor.
+ If not specified it defaults to 1. Using values other than 1 may
+ cause strange behaviour. </para>
+
+ <para>The owner and group specify the owner and group sids for the
+ object. If a SID in the format CWS-1-x-y-z is specified this is used,
+ otherwise the name specified is resolved using the server on which
+ the file or directory resides. </para>
+
+ <para>ACLs specify permissions granted to the SID. This SID again
+ can be specified in CWS-1-x-y-z format or as a name in which case
+ it is resolved against the server on which the file or directory
+ resides. The type, flags and mask values determine the type of
+ access granted to the SID. </para>
+
+ <para>The type can be either 0 or 1 corresponding to ALLOWED or
+ DENIED access to the SID. The flags values are generally
+ zero for file ACLs and either 9 or 2 for directory ACLs. Some
+ common flags are: </para>
+
+ <itemizedlist>
+ <listitem><para>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</para></listitem>
+ <listitem><para>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</para></listitem>
+ <listitem><para>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+ </para></listitem>
+ <listitem><para>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>At present flags can only be specified as decimal or
+ hexadecimal values.</para>
+
+ <para>The mask is a value which expresses the access right
+ granted to the SID. It can be given as a decimal or hexadecimal value,
+ or by using one of the following text strings which map to the NT
+ file permissions of the same name. </para>
+
+ <itemizedlist>
+ <listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem>
+ <listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem>
+ <listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem>
+ <listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem>
+ <listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem>
+ <listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem>
+ </itemizedlist>
+
+
+ <para>The following combined permissions can be specified:</para>
+
+
+ <itemizedlist>
+ <listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX'
+ permissions</para></listitem>
+ <listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions
+ </para></listitem>
+ <listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO'
+ permissions</para></listitem>
+ </itemizedlist>
+ </refsect1>
+
+<refsect1>
+ <title>EXIT STATUS</title>
+
+ <para>The <command>smbcacls</command> program sets the exit status
+ depending on the success or otherwise of the operations performed.
+ The exit status may be one of the following values. </para>
+
+ <para>If the operation succeeded, smbcacls returns and exit
+ status of 0. If <command>smbcacls</command> couldn't connect to the specified server,
+ or there was an error getting or setting the ACLs, an exit status
+ of 1 is returned. If there was an error parsing any command line
+ arguments, an exit status of 2 is returned. </para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para><command>smbcacls</command> was written by Andrew Tridgell
+ and Tim Potter.</para>
+
+ <para>The conversion to DocBook for Samba 2.2 was done
+ by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbclient.1.sgml b/docs/docbook/manpages/smbclient.1.sgml
new file mode 100644
index 0000000000..4f36de1576
--- /dev/null
+++ b/docs/docbook/manpages/smbclient.1.sgml
@@ -0,0 +1,1025 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbclient">
+
+<refmeta>
+ <refentrytitle>smbclient</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbclient</refname>
+ <refpurpose>ftp-like client to access SMB/CIFS resources
+ on servers</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbclient</command>
+ <arg choice="req">servicename</arg>
+ <arg choice="opt">password</arg>
+ <arg choice="opt">-b &lt;buffer size&gt;</arg>
+ <arg choice="opt">-d debuglevel</arg>
+ <arg choice="opt">-D Directory</arg>
+ <arg choice="opt">-U username</arg>
+ <arg choice="opt">-W workgroup</arg>
+ <arg choice="opt">-M &lt;netbios name&gt;</arg>
+ <arg choice="opt">-m maxprotocol</arg>
+ <arg choice="opt">-A authfile</arg>
+ <arg choice="opt">-N</arg>
+ <arg choice="opt">-l logfile</arg>
+ <arg choice="opt">-L &lt;netbios name&gt;</arg>
+ <arg choice="opt">-I destinationIP</arg>
+ <arg choice="opt">-E &lt;terminal code&gt;</arg>
+ <arg choice="opt">-c &lt;command string&gt;</arg>
+ <arg choice="opt">-i scope</arg>
+ <arg choice="opt">-O &lt;socket options&gt;</arg>
+ <arg choice="opt">-p port</arg>
+ <arg choice="opt">-R &lt;name resolve order&gt;</arg>
+ <arg choice="opt">-s &lt;smb config file&gt;</arg>
+ <arg choice="opt">-T&lt;c|x&gt;IXFqgbNan</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>smbclient</command> is a client that can
+ 'talk' to an SMB/CIFS server. It offers an interface
+ similar to that of the ftp program (see <command>ftp(1)</command>).
+ Operations include things like getting files from the server
+ to the local machine, putting files from the local machine to
+ the server, retrieving directory information from the server
+ and so on. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>servicename</term>
+ <listitem><para>servicename is the name of the service
+ you want to use on the server. A service name takes the form
+ <filename>//server/service</filename> where <parameter>server
+ </parameter> is the NetBIOS name of the SMB/CIFS server
+ offering the desired service and <parameter>service</parameter>
+ is the name of the service offered. Thus to connect to
+ the service "printer" on the SMB/CIFS server "smbserver",
+ you would use the servicename <filename>//smbserver/printer
+ </filename></para>
+
+ <para>Note that the server name required is NOT necessarily
+ the IP (DNS) host name of the server ! The name required is
+ a NetBIOS server name, which may or may not be the
+ same as the IP hostname of the machine running the server.
+ </para>
+
+ <para>The server name is looked up according to either
+ the <parameter>-R</parameter> parameter to <command>smbclient</command> or
+ using the name resolve order parameter in the <filename>smb.conf</filename> file,
+ allowing an administrator to change the order and methods
+ by which server names are looked up. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>password</term>
+ <listitem><para>The password required to access the specified
+ service on the specified server. If this parameter is
+ supplied, the <parameter>-N</parameter> option (suppress
+ password prompt) is assumed. </para>
+
+ <para>There is no default password. If no password is supplied
+ on the command line (either by using this parameter or adding
+ a password to the <parameter>-U</parameter> option (see
+ below)) and the <parameter>-N</parameter> option is not
+ specified, the client will prompt for a password, even if
+ the desired service does not require one. (If no password is
+ required, simply press ENTER to provide a null password.)
+ </para>
+
+ <para>Note: Some servers (including OS/2 and Windows for
+ Workgroups) insist on an uppercase password. Lowercase
+ or mixed case passwords may be rejected by these servers.
+ </para>
+
+ <para>Be cautious about including passwords in scripts.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s smb.conf</term>
+ <listitem><para>Specifies the location of the all important
+ <filename>smb.conf</filename> file. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-O socket options</term>
+ <listitem><para>TCP socket options to set on the client
+ socket. See the socket options parameter in the <filename>
+ smb.conf (5)</filename> manpage for the list of valid
+ options. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-R &lt;name resolve order&gt;</term>
+ <listitem><para>This option is used by the programs in the Samba
+ suite to determine what naming services and in what order to resolve
+ host names to IP addresses. The option takes a space-separated
+ string of different name resolution options.</para>
+
+ <para>The options are :"lmhosts", "host", "wins" and "bcast". They
+ cause names to be resolved as follows :</para>
+
+ <itemizedlist>
+ <listitem><para><constant>lmhosts</constant> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <ulink
+ url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ any name type matches for lookup.</para></listitem>
+
+ <listitem><para><constant>host</constant> : Do a standard host
+ name to IP address resolution, using the system <filename>/etc/hosts
+ </filename>, NIS, or DNS lookups. This method of name resolution
+ is operating system dependent, for instance on IRIX or Solaris this
+ may be controlled by the <filename>/etc/nsswitch.conf</filename>
+ file). Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</para></listitem>
+
+ <listitem><para><constant>wins</constant> : Query a name with
+ the IP address listed in the <parameter>wins server</parameter>
+ parameter. If no WINS server has
+ been specified this method will be ignored.</para></listitem>
+
+ <listitem><para><constant>bcast</constant> : Do a broadcast on
+ each of the known local interfaces listed in the
+ <parameter>interfaces</parameter>
+ parameter. This is the least reliable of the name resolution
+ methods as it depends on the target host being on a locally
+ connected subnet.</para></listitem>
+ </itemizedlist>
+
+ <para>If this parameter is not set then the name resolve order
+ defined in the <filename>smb.conf</filename> file parameter
+ (name resolve order) will be used. </para>
+
+ <para>The default order is lmhosts, host, wins, bcast and without
+ this parameter or any entry in the <parameter>name resolve order
+ </parameter> parameter of the <filename>smb.conf</filename> file the name resolution
+ methods will be attempted in this order. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-M NetBIOS name</term>
+ <listitem><para>This options allows you to send messages, using
+ the "WinPopup" protocol, to another computer. Once a connection is
+ established you then type your message, pressing ^D (control-D) to
+ end. </para>
+
+ <para>If the receiving computer is running WinPopup the user will
+ receive the message and probably a beep. If they are not running
+ WinPopup the message will be lost, and no error message will
+ occur. </para>
+
+ <para>The message is also automatically truncated if the message
+ is over 1600 bytes, as this is the limit of the protocol.
+ </para>
+
+ <para>One useful trick is to cat the message through
+ <command>smbclient</command>. For example: <command>
+ cat mymessage.txt | smbclient -M FRED </command> will
+ send the message in the file <filename>mymessage.txt</filename>
+ to the machine FRED. </para>
+
+ <para>You may also find the <parameter>-U</parameter> and
+ <parameter>-I</parameter> options useful, as they allow you to
+ control the FROM and TO parts of the message. </para>
+
+ <para>See the message command parameter in the <filename>
+ smb.conf(5)</filename> for a description of how to handle incoming
+ WinPopup messages in Samba. </para>
+
+ <para><emphasis>Note</emphasis>: Copy WinPopup into the startup group
+ on your WfWg PCs if you want them to always be able to receive
+ messages. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i scope</term>
+ <listitem><para>This specifies a NetBIOS scope that smbclient will
+ use to communicate with when generating NetBIOS names. For details
+ on the use of NetBIOS scopes, see <filename>rfc1001.txt</filename>
+ and <filename>rfc1002.txt</filename>.
+ NetBIOS scopes are <emphasis>very</emphasis> rarely used, only set
+ this parameter if you are the system administrator in charge of all
+ the NetBIOS systems you communicate with. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-N</term>
+ <listitem><para>If specified, this parameter suppresses the normal
+ password prompt from the client to the user. This is useful when
+ accessing a service that does not require a password. </para>
+
+ <para>Unless a password is specified on the command line or
+ this parameter is specified, the client will request a
+ password.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-n NetBIOS name</term>
+ <listitem><para>By default, the client will use the local
+ machine's hostname (in uppercase) as its NetBIOS name. This parameter
+ allows you to override the host name and use whatever NetBIOS
+ name you wish. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-d debuglevel</term>
+ <listitem><para><replaceable>debuglevel</replaceable> is an integer from 0 to 10, or
+ the letter 'A'. </para>
+
+ <para>The default value if this parameter is not specified
+ is zero. </para>
+
+ <para>The higher this value, the more detail will be logged to
+ the log files about the activities of the
+ client. At level 0, only critical errors and serious warnings will
+ be logged. Level 1 is a reasonable level for day to day running -
+ it generates a small amount of information about operations
+ carried out. </para>
+
+ <para>Levels above 1 will generate considerable amounts of log
+ data, and should only be used when investigating a problem.
+ Levels above 3 are designed for use only by developers and
+ generate HUGE amounts of log data, most of which is extremely
+ cryptic. If <replaceable>debuglevel</replaceable> is set to the letter 'A', then <emphasis>all
+ </emphasis> debug messages will be printed. This setting
+ is for developers only (and people who <emphasis>really</emphasis> want
+ to know how the code works internally). </para>
+
+ <para>Note that specifying this parameter here will override
+ the log level parameter in the <filename>smb.conf (5)</filename>
+ file. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-p port</term>
+ <listitem><para>This number is the TCP port number that will be used
+ when making connections to the server. The standard (well-known)
+ TCP port number for an SMB/CIFS server is 139, which is the
+ default. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-l logfilename</term>
+ <listitem><para>If specified, <replaceable>logfilename</replaceable> specifies a base filename
+ into which operational data from the running client will be
+ logged. </para>
+
+ <para>The default base name is specified at compile time.</para>
+
+ <para>The base name is used to generate actual log file names.
+ For example, if the name specified was "log", the debug file
+ would be <filename>log.client</filename>.</para>
+
+ <para>The log file generated is never removed by the client.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-h</term><listitem>
+ <para>Print the usage message for the client. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-I IP-address</term>
+ <listitem><para><replaceable>IP address</replaceable> is the address of the server to connect to.
+ It should be specified in standard "a.b.c.d" notation. </para>
+
+ <para>Normally the client would attempt to locate a named
+ SMB/CIFS server by looking it up via the NetBIOS name resolution
+ mechanism described above in the <parameter>name resolve order</parameter>
+ parameter above. Using this parameter will force the client
+ to assume that the server is on the machine with the specified IP
+ address and the NetBIOS name component of the resource being
+ connected to will be ignored. </para>
+
+ <para>There is no default for this parameter. If not supplied,
+ it will be determined automatically by the client as described
+ above. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-E</term>
+ <listitem><para>This parameter causes the client to write messages
+ to the standard error stream (stderr) rather than to the standard
+ output stream. </para>
+
+ <para>By default, the client writes messages to standard output
+ - typically the user's tty. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-U username[%pass]</term>
+ <listitem><para>Sets the SMB username or username and password.
+ If %pass is not specified, The user will be prompted. The client
+ will first check the <envar>USER</envar> environment variable, then the
+ <envar>LOGNAME</envar> variable and if either exists, the
+ string is uppercased. Anything in these variables following a '%'
+ sign will be treated as the password. If these environment
+ variables are not found, the username <constant>GUEST</constant>
+ is used. </para>
+
+ <para>If the password is not included in these environment
+ variables (using the %pass syntax), <command>smbclient</command> will look for
+ a <envar>PASSWD</envar> environment variable from which
+ to read the password. </para>
+
+ <para>A third option is to use a credentials file which
+ contains the plaintext of the domain name, username and password. This
+ option is mainly provided for scripts where the admin doesn't
+ wish to pass the credentials on the command line or via environment
+ variables. If this method is used, make certain that the permissions
+ on the file restrict access from unwanted users. See the
+ <parameter>-A</parameter> for more details. </para>
+
+ <para>Be cautious about including passwords in scripts or in
+ the <envar>PASSWD</envar> environment variable. Also, on
+ many systems the command line of a running process may be seen
+ via the <command>ps</command> command to be safe always allow
+ <command>smbclient</command> to prompt for a password and type
+ it in directly. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-A filename</term><listitem><para>This option allows
+ you to specify a file from which to read the username, domain name, and
+ password used in the connection. The format of the file is
+ </para>
+
+ <para><programlisting>
+username = &lt;value&gt;
+password = &lt;value&gt;
+domain = &lt;value&gt;
+ </programlisting></para>
+
+
+ <para>If the domain parameter is missing the current workgroup name
+ is used instead. Make certain that the permissions on the file restrict
+ access from unwanted users. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-L</term>
+ <listitem><para>This option allows you to look at what services
+ are available on a server. You use it as <command>smbclient -L
+ host</command> and a list should appear. The <parameter>-I
+ </parameter> option may be useful if your NetBIOS names don't
+ match your TCP/IP DNS host names or if you are trying to reach a
+ host on another network. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-t terminal code</term>
+ <listitem><para>This option tells <command>smbclient</command> how to interpret
+ filenames coming from the remote server. Usually Asian language
+ multibyte UNIX implementations use different character sets than
+ SMB/CIFS servers (<emphasis>EUC</emphasis> instead of <emphasis>
+ SJIS</emphasis> for example). Setting this parameter will let
+ <command>smbclient</command> convert between the UNIX filenames and
+ the SMB filenames correctly. This option has not been seriously tested
+ and may have some problems. </para>
+
+ <para>The terminal codes include CWsjis, CWeuc, CWjis7, CWjis8,
+ CWjunet, CWhex, CWcap. This is not a complete list, check the Samba
+ source code for the complete list. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-b buffersize</term>
+ <listitem><para>This option changes the transmit/send buffer
+ size when getting or putting a file from/to the server. The default
+ is 65520 bytes. Setting this value smaller (to 1200 bytes) has been
+ observed to speed up file transfers to and from a Win9x server.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-W WORKGROUP</term>
+ <listitem><para>Override the default workgroup specified in the
+ workgroup parameter of the <filename>smb.conf</filename> file
+ for this connection. This may be needed to connect to some
+ servers. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-T tar options</term>
+ <listitem><para>smbclient may be used to create <command>tar(1)
+ </command> compatible backups of all the files on an SMB/CIFS
+ share. The secondary tar flags that can be given to this option
+ are : </para>
+
+ <itemizedlist>
+ <listitem><para><parameter>c</parameter> - Create a tar file on UNIX.
+ Must be followed by the name of a tar file, tape device
+ or "-" for standard output. If using standard output you must
+ turn the log level to its lowest value -d0 to avoid corrupting
+ your tar file. This flag is mutually exclusive with the
+ <parameter>x</parameter> flag. </para></listitem>
+
+ <listitem><para><parameter>x</parameter> - Extract (restore) a local
+ tar file back to a share. Unless the -D option is given, the tar
+ files will be restored from the top level of the share. Must be
+ followed by the name of the tar file, device or "-" for standard
+ input. Mutually exclusive with the <parameter>c</parameter> flag.
+ Restored files have their creation times (mtime) set to the
+ date saved in the tar file. Directories currently do not get
+ their creation dates restored properly. </para></listitem>
+
+ <listitem><para><parameter>I</parameter> - Include files and directories.
+ Is the default behavior when filenames are specified above. Causes
+ tar files to be included in an extract or create (and therefore
+ everything else to be excluded). See example below. Filename globbing
+ works in one of two ways. See r below. </para></listitem>
+
+ <listitem><para><parameter>X</parameter> - Exclude files and directories.
+ Causes tar files to be excluded from an extract or create. See
+ example below. Filename globbing works in one of two ways now.
+ See <parameter>r</parameter> below. </para></listitem>
+
+ <listitem><para><parameter>b</parameter> - Blocksize. Must be followed
+ by a valid (greater than zero) blocksize. Causes tar file to be
+ written out in blocksize*TBLOCK (usually 512 byte) blocks.
+ </para></listitem>
+
+ <listitem><para><parameter>g</parameter> - Incremental. Only back up
+ files that have the archive bit set. Useful only with the
+ <parameter>c</parameter> flag. </para></listitem>
+
+ <listitem><para><parameter>q</parameter> - Quiet. Keeps tar from printing
+ diagnostics as it works. This is the same as tarmode quiet.
+ </para></listitem>
+
+ <listitem><para><parameter>r</parameter> - Regular expression include
+ or exclude. Uses regular expression matching for
+ excluding or excluding files if compiled with HAVE_REGEX_H.
+ However this mode can be very slow. If not compiled with
+ HAVE_REGEX_H, does a limited wildcard match on '*' and '?'.
+ </para></listitem>
+
+ <listitem><para><parameter>N</parameter> - Newer than. Must be followed
+ by the name of a file whose date is compared against files found
+ on the share during a create. Only files newer than the file
+ specified are backed up to the tar file. Useful only with the
+ <parameter>c</parameter> flag. </para></listitem>
+
+ <listitem><para><parameter>a</parameter> - Set archive bit. Causes the
+ archive bit to be reset when a file is backed up. Useful with the
+ <parameter>g</parameter> and <parameter>c</parameter> flags.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><emphasis>Tar Long File Names</emphasis></para>
+
+ <para><command>smbclient</command>'s tar option now supports long
+ file names both on backup and restore. However, the full path
+ name of the file must be less than 1024 bytes. Also, when
+ a tar archive is created, <command>smbclient</command>'s tar option places all
+ files in the archive with relative names, not absolute names.
+ </para>
+
+ <para><emphasis>Tar Filenames</emphasis></para>
+
+ <para>All file names can be given as DOS path names (with '\'
+ as the component separator) or as UNIX path names (with '/' as
+ the component separator). </para>
+
+ <para><emphasis>Examples</emphasis></para>
+
+ <para>Restore from tar file <filename>backup.tar</filename> into myshare on mypc
+ (no password on share). </para>
+
+ <para><command>smbclient //mypc/yshare "" -N -Tx backup.tar
+ </command></para>
+
+ <para>Restore everything except <filename>users/docs</filename>
+ </para>
+
+ <para><command>smbclient //mypc/myshare "" -N -TXx backup.tar
+ users/docs</command></para>
+
+ <para>Create a tar file of the files beneath <filename>
+ users/docs</filename>. </para>
+
+ <para><command>smbclient //mypc/myshare "" -N -Tc
+ backup.tar users/docs </command></para>
+
+ <para>Create the same tar file as above, but now use
+ a DOS path name. </para>
+
+ <para><command>smbclient //mypc/myshare "" -N -tc backup.tar
+ users\edocs </command></para>
+
+ <para>Create a tar file of all the files and directories in
+ the share. </para>
+
+ <para><command>smbclient //mypc/myshare "" -N -Tc backup.tar *
+ </command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-D initial directory</term>
+ <listitem><para>Change to initial directory before starting. Probably
+ only of any use with the tar -T option. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-c command string</term>
+ <listitem><para>command string is a semicolon-separated list of
+ commands to be executed instead of prompting from stdin. <parameter>
+ -N</parameter> is implied by <parameter>-c</parameter>.</para>
+
+ <para>This is particularly useful in scripts and for printing stdin
+ to the server, e.g. <command>-c 'print -'</command>. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>OPERATIONS</title>
+
+ <para>Once the client is running, the user is presented with
+ a prompt : </para>
+
+ <para><prompt>smb:\&gt; </prompt></para>
+
+ <para>The backslash ("\") indicates the current working directory
+ on the server, and will change if the current working directory
+ is changed. </para>
+
+ <para>The prompt indicates that the client is ready and waiting to
+ carry out a user command. Each command is a single word, optionally
+ followed by parameters specific to that command. Command and parameters
+ are space-delimited unless these notes specifically
+ state otherwise. All commands are case-insensitive. Parameters to
+ commands may or may not be case sensitive, depending on the command.
+ </para>
+
+ <para>You can specify file names which have spaces in them by quoting
+ the name with double quotes, for example "a long file name". </para>
+
+ <para>Parameters shown in square brackets (e.g., "[parameter]") are
+ optional. If not given, the command will use suitable defaults. Parameters
+ shown in angle brackets (e.g., "&lt;parameter&gt;") are required.
+ </para>
+
+
+ <para>Note that all commands operating on the server are actually
+ performed by issuing a request to the server. Thus the behavior may
+ vary from server to server, depending on how the server was implemented.
+ </para>
+
+ <para>The commands available are given here in alphabetical order. </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>? [command]</term>
+ <listitem><para>If <replaceable>command</replaceable> is specified, the ? command will display
+ a brief informative message about the specified command. If no
+ command is specified, a list of available commands will
+ be displayed. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>! [shell command]</term>
+ <listitem><para>If <replaceable>shell command</replaceable> is specified, the !
+ command will execute a shell locally and run the specified shell
+ command. If no command is specified, a local shell will be run.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>cd [directory name]</term>
+ <listitem><para>If "directory name" is specified, the current
+ working directory on the server will be changed to the directory
+ specified. This operation will fail if for any reason the specified
+ directory is inaccessible. </para>
+
+ <para>If no directory name is specified, the current working
+ directory on the server will be reported. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>del &lt;mask&gt;</term>
+ <listitem><para>The client will request that the server attempt
+ to delete all files matching <replaceable>mask</replaceable> from the current working
+ directory on the server. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>dir &lt;mask&gt;</term>
+ <listitem><para>A list of the files matching <replaceable>mask</replaceable> in the current
+ working directory on the server will be retrieved from the server
+ and displayed. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>exit</term>
+ <listitem><para>Terminate the connection with the server and exit
+ from the program. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>get &lt;remote file name&gt; [local file name]</term>
+ <listitem><para>Copy the file called <filename>remote file name</filename> from
+ the server to the machine running the client. If specified, name
+ the local copy <filename>local file name</filename>. Note that all transfers in
+ <command>smbclient</command> are binary. See also the
+ lowercase command. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>help [command]</term>
+ <listitem><para>See the ? command above. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>lcd [directory name]</term>
+ <listitem><para>If <replaceable>directory name</replaceable> is specified, the current
+ working directory on the local machine will be changed to
+ the directory specified. This operation will fail if for any
+ reason the specified directory is inaccessible. </para>
+
+ <para>If no directory name is specified, the name of the
+ current working directory on the local machine will be reported.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>lowercase</term>
+ <listitem><para>Toggle lowercasing of filenames for the get and
+ mget commands. </para>
+
+ <para>When lowercasing is toggled ON, local filenames are converted
+ to lowercase when using the get and mget commands. This is
+ often useful when copying (say) MSDOS files from a server, because
+ lowercase filenames are the norm on UNIX systems. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>ls &lt;mask&gt;</term>
+ <listitem><para>See the dir command above. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>mask &lt;mask&gt;</term>
+ <listitem><para>This command allows the user to set up a mask
+ which will be used during recursive operation of the mget and
+ mput commands. </para>
+
+ <para>The masks specified to the mget and mput commands act as
+ filters for directories rather than files when recursion is
+ toggled ON. </para>
+
+ <para>The mask specified with the mask command is necessary
+ to filter files within those directories. For example, if the
+ mask specified in an mget command is "source*" and the mask
+ specified with the mask command is "*.c" and recursion is
+ toggled ON, the mget command will retrieve all files matching
+ "*.c" in all directories below and including all directories
+ matching "source*" in the current working directory. </para>
+
+ <para>Note that the value for mask defaults to blank (equivalent
+ to "*") and remains so until the mask command is used to change it.
+ It retains the most recently specified value indefinitely. To
+ avoid unexpected results it would be wise to change the value of
+ mask back to "*" after using the mget or mput commands. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>md &lt;directory name&gt;</term>
+ <listitem><para>See the mkdir command. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>mget &lt;mask&gt;</term>
+ <listitem><para>Copy all files matching <replaceable>mask</replaceable> from the server to
+ the machine running the client. </para>
+
+ <para>Note that <replaceable>mask</replaceable> is interpreted differently during recursive
+ operation and non-recursive operation - refer to the recurse and
+ mask commands for more information. Note that all transfers in
+ <command>smbclient</command> are binary. See also the lowercase command. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>mkdir &lt;directory name&gt;</term>
+ <listitem><para>Create a new directory on the server (user access
+ privileges permitting) with the specified name. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>mput &lt;mask&gt;</term>
+ <listitem><para>Copy all files matching <replaceable>mask</replaceable> in the current working
+ directory on the local machine to the current working directory on
+ the server. </para>
+
+ <para>Note that <replaceable>mask</replaceable> is interpreted differently during recursive
+ operation and non-recursive operation - refer to the recurse and mask
+ commands for more information. Note that all transfers in <command>smbclient</command>
+ are binary. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>print &lt;file name&gt;</term>
+ <listitem><para>Print the specified file from the local machine
+ through a printable service on the server. </para>
+
+ <para>See also the printmode command.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>printmode &lt;graphics or text&gt;</term>
+ <listitem><para>Set the print mode to suit either binary data
+ (such as graphical information) or text. Subsequent print
+ commands will use the currently set print mode. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>prompt</term>
+ <listitem><para>Toggle prompting for filenames during operation
+ of the mget and mput commands. </para>
+
+ <para>When toggled ON, the user will be prompted to confirm
+ the transfer of each file during these commands. When toggled
+ OFF, all specified files will be transferred without prompting.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>put &lt;local file name&gt; [remote file name]</term>
+ <listitem><para>Copy the file called <filename>local file name</filename> from the
+ machine running the client to the server. If specified,
+ name the remote copy <filename>remote file name</filename>. Note that all transfers
+ in <command>smbclient</command> are binary. See also the lowercase command.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>queue</term>
+ <listitem><para>Displays the print queue, showing the job id,
+ name, size and current status. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>quit</term>
+ <listitem><para>See the exit command. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>rd &lt;directory name&gt;</term>
+ <listitem><para>See the rmdir command. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>recurse</term>
+ <listitem><para>Toggle directory recursion for the commands mget
+ and mput. </para>
+
+ <para>When toggled ON, these commands will process all directories
+ in the source directory (i.e., the directory they are copying
+ from ) and will recurse into any that match the mask specified
+ to the command. Only files that match the mask specified using
+ the mask command will be retrieved. See also the mask command.
+ </para>
+
+ <para>When recursion is toggled OFF, only files from the current
+ working directory on the source machine that match the mask specified
+ to the mget or mput commands will be copied, and any mask specified
+ using the mask command will be ignored. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>rm &lt;mask&gt;</term>
+ <listitem><para>Remove all files matching <replaceable>mask</replaceable> from the current
+ working directory on the server. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>rmdir &lt;directory name&gt;</term>
+ <listitem><para>Remove the specified directory (user access
+ privileges permitting) from the server. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>tar &lt;c|x&gt;[IXbgNa]</term>
+ <listitem><para>Performs a tar operation - see the <parameter>-T
+ </parameter> command line option above. Behavior may be affected
+ by the tarmode command (see below). Using g (incremental) and N
+ (newer) will affect tarmode settings. Note that using the "-" option
+ with tar x may not work - use the command line option instead.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>blocksize &lt;blocksize&gt;</term>
+ <listitem><para>Blocksize. Must be followed by a valid (greater
+ than zero) blocksize. Causes tar file to be written out in
+ <replaceable>blocksize</replaceable>*TBLOCK (usually 512 byte) blocks. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>tarmode &lt;full|inc|reset|noreset&gt;</term>
+ <listitem><para>Changes tar's behavior with regard to archive
+ bits. In full mode, tar will back up everything regardless of the
+ archive bit setting (this is the default mode). In incremental mode,
+ tar will only back up files with the archive bit set. In reset mode,
+ tar will reset the archive bit on all files it backs up (implies
+ read/write share). </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>setmode &lt;filename&gt; &lt;perm=[+|\-]rsha&gt;</term>
+ <listitem><para>A version of the DOS attrib command to set
+ file permissions. For example: </para>
+
+ <para><command>setmode myfile +r </command></para>
+
+ <para>would make myfile read only. </para></listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>NOTES</title>
+
+ <para>Some servers are fussy about the case of supplied usernames,
+ passwords, share names (AKA service names) and machine names.
+ If you fail to connect try giving all parameters in uppercase.
+ </para>
+
+ <para>It is often necessary to use the -n option when connecting
+ to some types of servers. For example OS/2 LanManager insists
+ on a valid NetBIOS name being used, so you need to supply a valid
+ name that would be known to the server.</para>
+
+ <para>smbclient supports long file names where the server
+ supports the LANMAN2 protocol or above. </para>
+</refsect1>
+
+<refsect1>
+ <title>ENVIRONMENT VARIABLES</title>
+
+ <para>The variable <envar>USER</envar> may contain the
+ username of the person using the client. This information is
+ used only if the protocol level is high enough to support
+ session-level passwords.</para>
+
+
+ <para>The variable <envar>PASSWD</envar> may contain
+ the password of the person using the client. This information is
+ used only if the protocol level is high enough to support
+ session-level passwords. </para>
+
+ <para>The variable <envar>LIBSMB_PROG</envar> may contain
+ the path, executed with system(), which the client should connect
+ to instead of connecting to a server. This functionality is primarily
+ intended as a development aid, and works best when using a LMHOSTS
+ file</para>
+</refsect1>
+
+
+<refsect1>
+ <title>INSTALLATION</title>
+
+ <para>The location of the client program is a matter for
+ individual system administrators. The following are thus
+ suggestions only. </para>
+
+ <para>It is recommended that the smbclient software be installed
+ in the <filename>/usr/local/samba/bin/</filename> or <filename>
+ /usr/samba/bin/</filename> directory, this directory readable
+ by all, writeable only by root. The client program itself should
+ be executable by all. The client should <emphasis>NOT</emphasis> be
+ setuid or setgid! </para>
+
+ <para>The client log files should be put in a directory readable
+ and writeable only by the user. </para>
+
+ <para>To test the client, you will need to know the name of a
+ running SMB/CIFS server. It is possible to run <command>smbd(8)
+ </command> as an ordinary user - running that server as a daemon
+ on a user-accessible port (typically any port number over 1024)
+ would provide a suitable test server. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>DIAGNOSTICS</title>
+
+ <para>Most diagnostics issued by the client are logged in a
+ specified log file. The log file name is specified at compile time,
+ but may be overridden on the command line. </para>
+
+ <para>The number and nature of diagnostics available depends
+ on the debug level used by the client. If you have problems,
+ set the debug level to 3 and peruse the log files. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbcontrol.1.sgml b/docs/docbook/manpages/smbcontrol.1.sgml
new file mode 100644
index 0000000000..05e05f4a6a
--- /dev/null
+++ b/docs/docbook/manpages/smbcontrol.1.sgml
@@ -0,0 +1,174 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbcontrol">
+
+<refmeta>
+ <refentrytitle>smbcontrol</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbcontrol</refname>
+ <refpurpose>send messages to smbd or nmbd processes</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbcontrol</command>
+ <arg>-i</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>smbcontrol</command>
+ <arg>destination</arg>
+ <arg>message-type</arg>
+ <arg>parameter</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>smbcontrol</command> is a very small program, which
+ sends messages to an <ulink url="smbd.8.html">smbd(8)</ulink> or
+ an <ulink url="nmbd.8.html">nmbd(8)</ulink> daemon running on the
+ system.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-i</term>
+ <listitem><para>Run interactively. Individual commands
+ of the form destination message-type parameters can be entered
+ on STDIN. An empty command line or a "q" will quit the
+ program.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>destination</term>
+ <listitem><para>One of <parameter>nmbd</parameter>
+ <parameter>smbd</parameter> or a process ID.</para>
+
+ <para>The <parameter>smbd</parameter> destination causes the
+ message to "broadcast" to all smbd daemons.</para>
+
+ <para>The <parameter>nmbd</parameter> destination causes the
+ message to be sent to the nmbd daemon specified in the
+ <filename>nmbd.pid</filename> file.</para>
+
+ <para>If a single process ID is given, the message is sent
+ to only that process.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>message-type</term>
+ <listitem><para>One of: <constant>close-share</constant>,
+ <constant>debug</constant>,
+ <constant>force-election</constant>, <constant>ping
+ </constant>, <constant>profile</constant>, <constant>
+ debuglevel</constant>, <constant>profilelevel</constant>,
+ or <constant>printer-notify</constant>.</para>
+
+ <para>The <constant>close-share</constant> message-type sends a
+ message to smbd which will then close the client connections to
+ the named share. Note that this doesn't affect client connections
+ to any other shares. This message-type takes an argument of the
+ share name for which client connections will be close, or the
+ "*" character which will close all currently open shares.
+ This message can only be sent to <constant>smbd</constant>.</para>
+
+ <para>The <constant>debug</constant> message-type allows
+ the debug level to be set to the value specified by the
+ parameter. This can be sent to any of the destinations.</para>
+
+ <para>The <constant>force-election</constant> message-type can only be
+ sent to the <constant>nmbd</constant> destination. This message
+ causes the <command>nmbd</command> daemon to force a new browse
+ master election.</para>
+
+ <para>The <constant>ping</constant> message-type sends the
+ number of "ping" messages specified by the parameter and waits
+ for the same number of reply "pong" messages. This can be sent to
+ any of the destinations.</para>
+
+ <para>The <constant>profile</constant> message-type sends a
+ message to an smbd to change the profile settings based on the
+ parameter. The parameter can be "on" to turn on profile stats
+ collection, "off" to turn off profile stats collection, "count"
+ to enable only collection of count stats (time stats are
+ disabled), and "flush" to zero the current profile stats. This can
+ be sent to any of the destinations.</para>
+
+ <para>The <constant>debuglevel</constant> message-type sends
+ a "request debug level" message. The current debug level setting
+ is returned by a "debuglevel" message. This can be
+ sent to any of the destinations.</para>
+
+ <para>The <constant>profilelevel</constant> message-type sends
+ a "request profile level" message. The current profile level
+ setting is returned by a "profilelevel" message. This can be sent
+ to any of the destinations.</para>
+
+ <para>The <constant>printer-notify</constant> message-type sends a
+ message to smbd which in turn sends a printer notify message to
+ any Windows NT clients connected to a printer. This message-type
+ takes an argument of the printer name to send notify messages to.
+ This message can only be sent to <constant>smbd</constant>.</para>
+
+ <para>The <constant>close-share</constant> message-type sends a
+ message to smbd which forces smbd to close the share that was
+ specified as an argument. This may be useful if you made changes
+ to the access controls on the share. </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>parameters</term>
+ <listitem><para>any parameters required for the message-type</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
+ and <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbd.8.sgml b/docs/docbook/manpages/smbd.8.sgml
new file mode 100644
index 0000000000..824ae20241
--- /dev/null
+++ b/docs/docbook/manpages/smbd.8.sgml
@@ -0,0 +1,424 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbd">
+
+<refmeta>
+ <refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbd</refname>
+ <refpurpose>server to provide SMB/CIFS services to clients</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbd</command>
+ <arg choice="opt">-D</arg>
+ <arg choice="opt">-a</arg>
+ <arg choice="opt">-i</arg>
+ <arg choice="opt">-o</arg>
+ <arg choice="opt">-P</arg>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-V</arg>
+ <arg choice="opt">-b</arg>
+ <arg choice="opt">-d &lt;debug level&gt;</arg>
+ <arg choice="opt">-l &lt;log directory&gt;</arg>
+ <arg choice="opt">-p &lt;port number&gt;</arg>
+ <arg choice="opt">-O &lt;socket option&gt;</arg>
+ <arg choice="opt">-s &lt;configuration file&gt;</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+ <para>This program is part of the Samba suite.</para>
+
+ <para><command>smbd</command> is the server daemon that
+ provides filesharing and printing services to Windows clients.
+ The server provides filespace and printer services to
+ clients using the SMB (or CIFS) protocol. This is compatible
+ with the LanManager protocol, and can service LanManager
+ clients. These include MSCLIENT 3.0 for DOS, Windows for
+ Workgroups, Windows 95/98/ME, Windows NT, Windows 2000,
+ OS/2, DAVE for Macintosh, and smbfs for Linux.</para>
+
+ <para>An extensive description of the services that the
+ server can provide is given in the man page for the
+ configuration file controlling the attributes of those
+ services (see <ulink url="smb.conf.5.html"><filename>smb.conf(5)
+ </filename></ulink>. This man page will not describe the
+ services, but will concentrate on the administrative aspects
+ of running the server.</para>
+
+ <para>Please note that there are significant security
+ implications to running this server, and the <ulink
+ url="smb.conf.5.html"><filename>smb.conf(5)</filename></ulink>
+ manpage should be regarded as mandatory reading before
+ proceeding with installation.</para>
+
+ <para>A session is created whenever a client requests one.
+ Each client gets a copy of the server for each session. This
+ copy then services all connections made by the client during
+ that session. When all connections from its client are closed,
+ the copy of the server for that client terminates.</para>
+
+ <para>The configuration file, and any files that it includes,
+ are automatically reloaded every minute, if they change. You
+ can force a reload by sending a SIGHUP to the server. Reloading
+ the configuration file will not affect connections to any service
+ that is already established. Either the user will have to
+ disconnect from the service, or <command>smbd</command> killed and restarted.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-D</term>
+ <listitem><para>If specified, this parameter causes
+ the server to operate as a daemon. That is, it detaches
+ itself and runs in the background, fielding requests
+ on the appropriate port. Operating the server as a
+ daemon is the recommended way of running <command>smbd</command> for
+ servers that provide more than casual use file and
+ print services. This switch is assumed if <command>smbd
+ </command> is executed on the command line of a shell.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-a</term>
+ <listitem><para>If this parameter is specified, each new
+ connection will append log messages to the log file.
+ This is the default.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i</term>
+ <listitem><para>If this parameter is specified it causes the
+ server to run "interactively", not as a daemon, even if the
+ server is executed on the command line of a shell. Setting this
+ parameter negates the implicit deamon mode when run from the
+ command line.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-o</term>
+ <listitem><para>If this parameter is specified, the
+ log files will be overwritten when opened. By default,
+ <command>smbd</command> will append entries to the log
+ files.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-P</term>
+ <listitem><para>Passive option. Causes <command>smbd</command> not to
+ send any network traffic out. Used for debugging by
+ the developers only.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem><para>Prints the help information (usage)
+ for <command>smbd</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem><para>Prints the version number for
+ <command>smbd</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b</term>
+ <listitem><para>Prints information about how
+ Samba was built.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d &lt;debug level&gt;</term>
+ <listitem><para><replaceable>debuglevel</replaceable> is an integer
+ from 0 to 10. The default value if this parameter is
+ not specified is zero.</para>
+
+ <para>The higher this value, the more detail will be
+ logged to the log files about the activities of the
+ server. At level 0, only critical errors and serious
+ warnings will be logged. Level 1 is a reasonable level for
+ day to day running - it generates a small amount of
+ information about operations carried out.</para>
+
+ <para>Levels above 1 will generate considerable
+ amounts of log data, and should only be used when
+ investigating a problem. Levels above 3 are designed for
+ use only by developers and generate HUGE amounts of log
+ data, most of which is extremely cryptic.</para>
+
+ <para>Note that specifying this parameter here will
+ override the <ulink url="smb.conf.5.html#loglevel">log
+ level</ulink> parameter in the <ulink url="smb.conf.5.html">
+ <filename>smb.conf(5)</filename></ulink> file.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l &lt;log directory&gt;</term>
+ <listitem><para>If specified,
+ <replaceable>log directory</replaceable>
+ specifies a log directory into which the "log.smbd" log
+ file will be created for informational and debug
+ messages from the running server. The log
+ file generated is never removed by the server although
+ its size may be controlled by the <ulink
+ url="smb.conf.5.html#maxlogsize">max log size</ulink>
+ option in the <ulink url="smb.conf.5.html"><filename>
+ smb.conf(5)</filename></ulink> file.
+ </para>
+
+ <para>The default log directory is specified at
+ compile time.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-O &lt;socket options&gt;</term>
+ <listitem><para>See the <ulink
+ url="smb.conf.5.html#socketoptions">socket options</ulink>
+ parameter in the <ulink url="smb.conf.5.html"><filename>smb.conf(5)
+ </filename></ulink> file for details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p &lt;port number&gt;</term>
+ <listitem><para><replaceable>port number</replaceable> is a positive integer
+ value. The default value if this parameter is not
+ specified is 139.</para>
+
+ <para>This number is the port number that will be
+ used when making connections to the server from client
+ software. The standard (well-known) port number for the
+ SMB over TCP is 139, hence the default. If you wish to
+ run the server as an ordinary user rather than
+ as root, most systems will require you to use a port
+ number greater than 1024 - ask your system administrator
+ for help if you are in this situation.</para>
+
+ <para>In order for the server to be useful by most
+ clients, should you configure it on a port other
+ than 139, you will require port redirection services
+ on port 139, details of which are outlined in rfc1002.txt
+ section 4.3.5.</para>
+
+ <para>This parameter is not normally specified except
+ in the above situation.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s &lt;configuration file&gt;</term>
+ <listitem><para>The file specified contains the
+ configuration details required by the server. The
+ information in this file includes server-specific
+ information such as what printcap file to use, as well
+ as descriptions of all the services that the server is
+ to provide. See <ulink url="smb.conf.5.html"><filename>
+ smb.conf(5)</filename></ulink> for more information.
+ The default configuration file name is determined at
+ compile time.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/inetd.conf</filename></term>
+ <listitem><para>If the server is to be run by the
+ <command>inetd</command> meta-daemon, this file
+ must contain suitable startup information for the
+ meta-daemon. See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
+ document for details.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/rc</filename></term>
+ <listitem><para>or whatever initialization script your
+ system uses).</para>
+
+ <para>If running the server as a daemon at startup,
+ this file will need to contain an appropriate startup
+ sequence for the server. See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
+ document for details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/services</filename></term>
+ <listitem><para>If running the server via the
+ meta-daemon <command>inetd</command>, this file
+ must contain a mapping of service name (e.g., netbios-ssn)
+ to service port (e.g., 139) and protocol type (e.g., tcp).
+ See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
+ document for details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/usr/local/samba/lib/smb.conf</filename></term>
+ <listitem><para>This is the default location of the
+ <ulink url="smb.conf.5.html"><filename>smb.conf</filename></ulink>
+ server configuration file. Other common places that systems
+ install this file are <filename>/usr/samba/lib/smb.conf</filename>
+ and <filename>/etc/smb.conf</filename>.</para>
+
+ <para>This file describes all the services the server
+ is to make available to clients. See <ulink url="smb.conf.5.html">
+ <filename>smb.conf(5)</filename></ulink> for more information.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>LIMITATIONS</title>
+ <para>On some systems <command>smbd</command> cannot change uid back
+ to root after a setuid() call. Such systems are called
+ trapdoor uid systems. If you have such a system,
+ you will be unable to connect from a client (such as a PC) as
+ two different users at once. Attempts to connect the
+ second user will result in access denied or
+ similar.</para>
+</refsect1>
+
+<refsect1>
+ <title>ENVIRONMENT VARIABLES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><envar>PRINTER</envar></term>
+ <listitem><para>If no printer name is specified to
+ printable services, most systems will use the value of
+ this variable (or <constant>lp</constant> if this variable is
+ not defined) as the name of the printer to use. This
+ is not specific to the server, however.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>PAM INTERACTION</title>
+ <para>Samba uses PAM for authentication (when presented with a plaintext
+ password), for account checking (is this account disabled?) and for
+ session management. The degree too which samba supports PAM is restricted
+ by the limitations of the SMB protocol and the
+ <ulink url="smb.conf.5.html#OBEYPAMRESRICTIONS">obey pam restricions</ulink>
+ smb.conf paramater. When this is set, the following restrictions apply:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><emphasis>Account Validation</emphasis>: All acccesses to a
+ samba server are checked
+ against PAM to see if the account is vaild, not disabled and is permitted to
+ login at this time. This also applies to encrypted logins.
+ </para></listitem>
+
+ <listitem><para><emphasis>Session Management</emphasis>: When not using share
+ level secuirty, users must pass PAM's session checks before access
+ is granted. Note however, that this is bypassed in share level secuirty.
+ Note also that some older pam configuration files may need a line
+ added for session support.
+ </para></listitem>
+ </itemizedlist>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>DIAGNOSTICS</title>
+
+ <para>Most diagnostics issued by the server are logged
+ in a specified log file. The log file name is specified
+ at compile time, but may be overridden on the command line.</para>
+
+ <para>The number and nature of diagnostics available depends
+ on the debug level used by the server. If you have problems, set
+ the debug level to 3 and peruse the log files.</para>
+
+ <para>Most messages are reasonably self-explanatory. Unfortunately,
+ at the time this man page was created, there are too many diagnostics
+ available in the source code to warrant describing each and every
+ diagnostic. At this stage your best bet is still to grep the
+ source code and inspect the conditions that gave rise to the
+ diagnostics you are seeing.</para>
+</refsect1>
+
+<refsect1>
+ <title>SIGNALS</title>
+
+ <para>Sending the <command>smbd</command> a SIGHUP will cause it to
+ reload its <filename>smb.conf</filename> configuration
+ file within a short period of time.</para>
+
+ <para>To shut down a user's <command>smbd</command> process it is recommended
+ that <command>SIGKILL (-9)</command> <emphasis>NOT</emphasis>
+ be used, except as a last resort, as this may leave the shared
+ memory area in an inconsistent state. The safe way to terminate
+ an <command>smbd</command> is to send it a SIGTERM (-15) signal and wait for
+ it to die on its own.</para>
+
+ <para>The debug log level of <command>smbd</command> may be raised
+ or lowered using <ulink url="smbcontrol.1.html"><command>smbcontrol(1)
+ </command></ulink> program (SIGUSR[1|2] signals are no longer used in
+ Samba 2.2). This is to allow transient problems to be diagnosed,
+ whilst still running at a normally low log level.</para>
+
+ <para>Note that as the signal handlers send a debug write,
+ they are not re-entrant in <command>smbd</command>. This you should wait until
+ <command>smbd</command> is in a state of waiting for an incoming SMB before
+ issuing them. It is possible to make the signal handlers safe
+ by un-blocking the signals before the select call and re-blocking
+ them after, however this would affect performance.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para>hosts_access(5), <command>inetd(8)</command>,
+ <ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
+ <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+ </ulink>, <ulink url="smbclient.1.html"><command>smbclient(1)
+ </command></ulink>, <ulink url="testparm.1.html"><command>
+ testparm(1)</command></ulink>, <ulink url="testprns.1.html">
+ <command>testprns(1)</command></ulink>, and the Internet RFC's
+ <filename>rfc1001.txt</filename>, <filename>rfc1002.txt</filename>.
+ In addition the CIFS (formerly SMB) specification is available
+ as a link from the Web page <ulink url="http://samba.org/cifs/">
+ http://samba.org/cifs/</ulink>.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbgroupedit.8.sgml b/docs/docbook/manpages/smbgroupedit.8.sgml
new file mode 100644
index 0000000000..b9607312ff
--- /dev/null
+++ b/docs/docbook/manpages/smbgroupedit.8.sgml
@@ -0,0 +1,267 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbgroupedit">
+
+<refmeta>
+ <refentrytitle>smbgroupedit</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<!-- ****************************************************
+** Name and Options **
+**************************************************** -->
+<refnamediv>
+ <refname>smbgroupedit</refname>
+ <refpurpose>Query/set/change UNIX - Windows NT group mapping</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbroupedit</command>
+ <arg choice="opt">-v [l|s]</arg>
+ <arg choice="opt">-a UNIX-groupname [-d NT-groupname|-p prividge|</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+
+
+<!-- ****************************************************
+** Description **
+**************************************************** -->
+<refsect1>
+
+<title>DESCRIPTION</title>
+
+<para>
+This program is part of the <ulink url="samba.7.html">Samba</ulink>
+suite.
+</para>
+
+<para>
+The smbgroupedit command allows for mapping unix groups
+to NT Builtin, Domain, or Local groups. Also
+allows setting privileges for that group, such as saAddUser,
+etc.
+</para>
+
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-v[l|s]</term>
+ <listitem><para>This option will list all groups available
+ in the Windows NT domain in which samba is operating.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-l</term>
+ <listitem><para>give a long listing, of the format:</para>
+
+<para><programlisting>
+"NT Group Name"
+ SID :
+ Unix group :
+ Group type :
+ Comment :
+ Privilege :
+</programlisting></para>
+
+<para>For examples,</para>
+<para><programlisting>
+Users
+ SID : S-1-5-32-545
+ Unix group: -1
+ Group type: Local group
+ Comment :
+ Privilege : No privilege
+</programlisting></para>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s</term>
+ <listitem><para>display a short listing of the format:</para>
+
+<para><programlisting>
+NTGroupName(SID) -> UnixGroupName
+</programlisting></para>
+
+<para>For example,</para>
+
+<para><programlisting>
+Users (S-1-5-32-545) -> -1
+</programlisting></para>
+
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+
+
+<!-- ****************************************************
+**************************************************** -->
+<refsect1>
+<title>FILES</title>
+
+<para></para>
+
+</refsect1>
+
+
+
+<!-- ****************************************************
+**************************************************** -->
+<refsect1>
+
+<title>EXIT STATUS</title>
+
+<para>
+<command>smbgroupedit</command> returns a status of 0 if the
+operation completed successfully, and a value of 1 in the event
+of a failure.
+</para>
+
+</refsect1>
+
+
+
+
+<!-- ****************************************************
+**************************************************** -->
+<refsect1>
+
+<title>EXAMPLES</title>
+
+
+<para>
+To make a subset of your samba PDC users members of
+the 'Domain Admins' Global group:
+</para>
+
+<orderedlist>
+
+ <listitem><para>create a unix group (usually in
+ <filename>/etc/group</filename>), let's call it <constant>domadm</constant>.
+ </para></listitem>
+
+ <listitem><para>add to this group the users that you want to be
+ domain administrators. For example if you want joe, john and mary,
+ your entry in <filename>/etc/group</filename> will look like:
+ </para>
+
+ <para>domadm:x:502:joe,john,mary</para>
+ </listitem>
+
+ <listitem><para>map this domadm group to the 'domain admins' group:
+ </para>
+ <orderedlist>
+ <listitem><para>Get the SID for the Windows NT "Domain Admins"
+ group:</para>
+
+<para><programlisting>
+<prompt>root# </prompt><command>smbgroupedit -vs | grep "Domain Admins"</command>
+Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1
+</programlisting></para>
+</listitem>
+
+ <listitem><para>map the unix domadm group to the Windows NT
+ "Domain Admins" group, by running the command:
+ </para>
+
+<para><programlisting>
+<prompt>root# </prompt><command>smbgroupedit \
+-c S-1-5-21-1108995562-3116817432-1375597819-512 \
+-u domadm</command>
+</programlisting></para>
+
+ <para>
+ <emphasis>warning:</emphasis> don't copy and paste this sample, the
+ Domain Admins SID (the S-1-5-21-...-512) is different for every PDC.
+ </para>
+ </listitem>
+ </orderedlist>
+ </listitem>
+</orderedlist>
+
+<para>
+To verify that you mapping has taken effect:
+</para>
+
+<para><programlisting>
+<prompt>root# </prompt><command>smbgroupedit -vs|grep "Domain Admins"</command>
+Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm
+</programlisting></para>
+
+<para>
+To give access to a certain directory on a domain member machine (an
+NT/W2K or a samba server running winbind) to some users who are member
+of a group on your samba PDC, flag that group as a domain group:
+</para>
+
+<para><programlisting>
+<prompt>root# </prompt><command>smbgroupedit -a unixgroup -td</command>
+</programlisting></para>
+
+
+
+</refsect1>
+
+
+
+
+<!-- ****************************************************
+**************************************************** -->
+<refsect1>
+
+<title>VERSION</title>
+
+<para>
+This man page is correct for the 3.0alpha releases of
+the Samba suite.
+</para>
+</refsect1>
+
+<!-- ****************************************************
+**************************************************** -->
+
+<refsect1>
+<title>SEE ALSO</title>
+
+<para>
+<ulink url="smb.conf.5.html">smb.conf(5)</ulink>
+</para>
+
+</refsect1>
+
+
+<!-- ****************************************************
+**************************************************** -->
+
+<refsect1>
+<title>AUTHOR</title>
+
+<para>
+The original Samba software and related utilities
+were created by Andrew Tridgell. Samba is now developed
+by the Samba Team as an Open Source project similar
+to the way the Linux kernel is developed.
+</para>
+
+<para>
+<command>smbgroupedit</command> was written by Jean Francois Micouleau.
+The current set of manpages and documentation is maintained
+by the Samba Team in the same fashion as the Samba source code.</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbmnt.8.sgml b/docs/docbook/manpages/smbmnt.8.sgml
new file mode 100644
index 0000000000..55b66d5d25
--- /dev/null
+++ b/docs/docbook/manpages/smbmnt.8.sgml
@@ -0,0 +1,113 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbmnt">
+
+<refmeta>
+ <refentrytitle>smbmnt</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbmnt</refname>
+ <refpurpose>helper utility for mounting SMB filesystems</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbmnt</command>
+ <arg choice="req">mount-point</arg>
+ <arg choice="opt">-s &lt;share&gt;</arg>
+ <arg choice="opt">-r</arg>
+ <arg choice="opt">-u &lt;uid&gt;</arg>
+ <arg choice="opt">-g &lt;gid&gt;</arg>
+ <arg choice="opt">-f &lt;mask&gt;</arg>
+ <arg choice="opt">-d &lt;mask&gt;</arg>
+ <arg choice="opt">-o &lt;options&gt;</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para><command>smbmnt</command> is a helper application used
+ by the smbmount program to do the actual mounting of SMB shares.
+ <command>smbmnt</command> can be installed setuid root if you want
+ normal users to be able to mount their SMB shares.</para>
+
+ <para>A setuid smbmnt will only allow mounts on directories owned
+ by the user, and that the user has write permission on.</para>
+
+ <para>The <command>smbmnt</command> program is normally invoked
+ by <ulink url="smbmount.8.html"><command>smbmount(8)</command>
+ </ulink>. It should not be invoked directly by users. </para>
+
+ <para>smbmount searches the normal PATH for smbmnt. You must ensure
+ that the smbmnt version in your path matches the smbmount used.</para>
+
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-r</term>
+ <listitem><para>mount the filesystem read-only
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-u uid</term>
+ <listitem><para>specify the uid that the files will
+ be owned by </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g gid</term>
+ <listitem><para>specify the gid that the files will be
+ owned by </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f mask</term>
+ <listitem><para>specify the octal file mask applied
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d mask</term>
+ <listitem><para>specify the octal directory mask
+ applied </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-o options</term>
+ <listitem><para>
+ list of options that are passed as-is to smbfs, if this
+ command is run on a 2.4 or higher Linux kernel.
+ </para></listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>Volker Lendecke, Andrew Tridgell, Michael H. Warfield
+ and others.</para>
+
+ <para>The current maintainer of smbfs and the userspace
+ tools <command>smbmount</command>, <command>smbumount</command>,
+ and <command>smbmnt</command> is <ulink
+ url="mailto:urban@teststation.com">Urban Widmark</ulink>.
+ The <ulink url="mailto:samba@samba.org">SAMBA Mailing list</ulink>
+ is the preferred place to ask questions regarding these programs.
+ </para>
+
+ <para>The conversion of this manpage for Samba 2.2 was performed
+ by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbmount.8.sgml b/docs/docbook/manpages/smbmount.8.sgml
new file mode 100644
index 0000000000..b4a77e51c9
--- /dev/null
+++ b/docs/docbook/manpages/smbmount.8.sgml
@@ -0,0 +1,327 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbmount">
+
+<refmeta>
+ <refentrytitle>smbmount</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbmount</refname>
+ <refpurpose>mount an smbfs filesystem</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbumount</command>
+ <arg choice="req">service</arg>
+ <arg choice="req">mount-point</arg>
+ <arg choice="opt">-o options</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para><command>smbmount</command> mounts a Linux SMB filesystem. It
+ is usually invoked as <command>mount.smbfs</command> by
+ the <command>mount(8)</command> command when using the
+ "-t smbfs" option. This command only works in Linux, and the kernel must
+ support the smbfs filesystem. </para>
+
+ <para>Options to <command>smbmount</command> are specified as a comma-separated
+ list of key=value pairs. It is possible to send options other
+ than those listed here, assuming that smbfs supports them. If
+ you get mount failures, check your kernel log for errors on
+ unknown options.</para>
+
+ <para><command>smbmount</command> is a daemon. After mounting it keeps running until
+ the mounted smbfs is umounted. It will log things that happen
+ when in daemon mode using the "machine name" smbmount, so
+ typically this output will end up in <filename>log.smbmount</filename>. The
+ <command>smbmount</command> process may also be called mount.smbfs.</para>
+
+ <para><emphasis>NOTE:</emphasis> <command>smbmount</command>
+ calls <command>smbmnt(8)</command> to do the actual mount. You
+ must make sure that <command>smbmnt</command> is in the path so
+ that it can be found. </para>
+
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>username=&lt;arg&gt;</term>
+ <listitem><para>specifies the username to connect as. If
+ this is not given, then the environment variable <envar>
+ USER</envar> is used. This option can also take the
+ form "user%password" or "user/workgroup" or
+ "user/workgroup%password" to allow the password and workgroup
+ to be specified as part of the username.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>password=&lt;arg&gt;</term>
+ <listitem><para>specifies the SMB password. If this
+ option is not given then the environment variable
+ <envar>PASSWD</envar> is used. If it can find
+ no password <command>smbmount</command> will prompt
+ for a passeword, unless the guest option is
+ given. </para>
+
+ <para>
+ Note that password which contain the arguement delimiter
+ character (i.e. a comma ',') will failed to be parsed correctly
+ on the command line. However, the same password defined
+ in the PASSWD environment variable or a credentials file (see
+ below) will be read correctly.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>credentials=&lt;filename&gt;</term>
+ <listitem><para>specifies a file that contains a username
+ and/or password. The format of the file is:</para>
+
+ <para>
+ <programlisting>
+ username = &lt;value&gt;
+ password = &lt;value&gt;
+ </programlisting>
+ </para>
+
+ <para>This is preferred over having passwords in plaintext in a
+ shared file, such as <filename>/etc/fstab</filename>. Be sure to protect any
+ credentials file properly.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>netbiosname=&lt;arg&gt;</term>
+ <listitem><para>sets the source NetBIOS name. It defaults
+ to the local hostname. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>uid=&lt;arg&gt;</term>
+ <listitem><para>sets the uid that will own all files on
+ the mounted filesystem.
+ It may be specified as either a username or a numeric uid.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>gid=&lt;arg&gt;</term>
+ <listitem><para>sets the gid that will own all files on
+ the mounted filesystem.
+ It may be specified as either a groupname or a numeric
+ gid. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>port=&lt;arg&gt;</term>
+ <listitem><para>sets the remote SMB port number. The default
+ is 139. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>fmask=&lt;arg&gt;</term>
+ <listitem><para>sets the file mask. This determines the
+ permissions that remote files have in the local filesystem.
+ The default is based on the current umask. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>dmask=&lt;arg&gt;</term>
+ <listitem><para>sets the directory mask. This determines the
+ permissions that remote directories have in the local filesystem.
+ The default is based on the current umask. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>debug=&lt;arg&gt;</term>
+ <listitem><para>sets the debug level. This is useful for
+ tracking down SMB connection problems. A suggested value to
+ start with is 4. If set too high there will be a lot of
+ output, possibly hiding the useful output.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>ip=&lt;arg&gt;</term>
+ <listitem><para>sets the destination host or IP address.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>workgroup=&lt;arg&gt;</term>
+ <listitem><para>sets the workgroup on the destination </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>sockopt=&lt;arg&gt;</term>
+ <listitem><para>sets the TCP socket options. See the <ulink
+ url="smb.conf.5.html#SOCKETOPTIONS"><filename>smb.conf
+ </filename></ulink> <parameter>socket options</parameter> option.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>scope=&lt;arg&gt;</term>
+ <listitem><para>sets the NetBIOS scope </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>guest</term>
+ <listitem><para>don't prompt for a password </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>ro</term>
+ <listitem><para>mount read-only </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>rw</term><listitem><para>mount read-write </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>iocharset=&lt;arg&gt;</term>
+ <listitem><para>
+ sets the charset used by the Linux side for codepage
+ to charset translations (NLS). Argument should be the
+ name of a charset, like iso8859-1. (Note: only kernel
+ 2.4.0 or later)
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>codepage=&lt;arg&gt;</term>
+ <listitem><para>
+ sets the codepage the server uses. See the iocharset
+ option. Example value cp850. (Note: only kernel 2.4.0
+ or later)
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ttl=&lt;arg&gt;</term>
+ <listitem><para>
+ how long a directory listing is cached in milliseconds
+ (also affects visibility of file size and date
+ changes). A higher value means that changes on the
+ server take longer to be noticed but it can give
+ better performance on large directories, especially
+ over long distances. Default is 1000ms but something
+ like 10000ms (10 seconds) is probably more reasonable
+ in many cases.
+ (Note: only kernel 2.4.2 or later)
+ </para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+
+</refsect1>
+
+<refsect1>
+ <title>ENVIRONMENT VARIABLES</title>
+
+ <para>The variable <envar>USER</envar> may contain the username of the
+ person using the client. This information is used only if the
+ protocol level is high enough to support session-level
+ passwords. The variable can be used to set both username and
+ password by using the format username%password.</para>
+
+ <para>The variable <envar>PASSWD</envar> may contain the password of the
+ person using the client. This information is used only if the
+ protocol level is high enough to support session-level
+ passwords.</para>
+
+ <para>The variable <envar>PASSWD_FILE</envar> may contain the pathname
+ of a file to read the password from. A single line of input is
+ read and used as the password.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>BUGS</title>
+
+ <para>Passwords and other options containing , can not be handled.
+ For passwords an alternative way of passing them is in a credentials
+ file or in the PASSWD environment.</para>
+
+ <para>The credentials file does not handle usernames or passwords with
+ leading space.</para>
+
+ <para>One smbfs bug is important enough to mention here, even if it
+ is a bit misplaced:</para>
+
+ <itemizedlist>
+
+ <listitem><para>Mounts sometimes stop working. This is usually
+ caused by smbmount terminating. Since smbfs needs smbmount to
+ reconnect when the server disconnects, the mount will eventually go
+ dead. An umount/mount normally fixes this. At least 2 ways to
+ trigger this bug are known.</para></listitem>
+
+ </itemizedlist>
+
+ <para>Note that the typical response to a bug report is suggestion
+ to try the latest version first. So please try doing that first,
+ and always include which versions you use of relevant software
+ when reporting bugs (minimum: samba, kernel, distribution)</para>
+
+</refsect1>
+
+
+<refsect1>
+ <title>SEE ALSO</title>
+
+ <para>Documentation/filesystems/smbfs.txt in the linux kernel
+ source tree may contain additional options and information.</para>
+
+ <para>FreeBSD also has a smbfs, but it is not related to smbmount</para>
+
+ <para>For Solaris, HP-UX and others you may want to look at
+ <ulink url="smbsh.1.html"><command>smbsh(1)</command></ulink> or at other
+ solutions, such as sharity or perhaps replacing the SMB server with
+ a NFS server.</para>
+
+</refsect1>
+
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>Volker Lendecke, Andrew Tridgell, Michael H. Warfield
+ and others.</para>
+
+ <para>The current maintainer of smbfs and the userspace
+ tools <command>smbmount</command>, <command>smbumount</command>,
+ and <command>smbmnt</command> is <ulink
+ url="mailto:urban@teststation.com">Urban Widmark</ulink>.
+ The <ulink url="mailto:samba@samba.org">SAMBA Mailing list</ulink>
+ is the preferred place to ask questions regarding these programs.
+ </para>
+
+ <para>The conversion of this manpage for Samba 2.2 was performed
+ by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbpasswd.5.sgml b/docs/docbook/manpages/smbpasswd.5.sgml
new file mode 100644
index 0000000000..be75107819
--- /dev/null
+++ b/docs/docbook/manpages/smbpasswd.5.sgml
@@ -0,0 +1,204 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbpasswd">
+
+<refmeta>
+ <refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>5</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbpasswd</refname>
+ <refpurpose>The Samba encrypted password file</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <para><filename>smbpasswd</filename></para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para>smbpasswd is the Samba encrypted password file. It contains
+ the username, Unix user id and the SMB hashed passwords of the
+ user, as well as account flag information and the time the
+ password was last changed. This file format has been evolving with
+ Samba and has had several different formats in the past. </para>
+</refsect1>
+
+<refsect1>
+ <title>FILE FORMAT</title>
+
+ <para>The format of the smbpasswd file used by Samba 2.2
+ is very similar to the familiar Unix <filename>passwd(5)</filename>
+ file. It is an ASCII file containing one line for each user. Each field
+ ithin each line is separated from the next by a colon. Any entry
+ beginning with '#' is ignored. The smbpasswd file contains the
+ following information for each user: </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>name</term>
+ <listitem><para> This is the user name. It must be a name that
+ already exists in the standard UNIX passwd file. </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>uid</term>
+ <listitem><para>This is the UNIX uid. It must match the uid
+ field for the same user entry in the standard UNIX passwd file.
+ If this does not match then Samba will refuse to recognize
+ this smbpasswd file entry as being valid for a user.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>Lanman Password Hash</term>
+ <listitem><para>This is the LANMAN hash of the user's password,
+ encoded as 32 hex digits. The LANMAN hash is created by DES
+ encrypting a well known string with the user's password as the
+ DES key. This is the same password used by Windows 95/98 machines.
+ Note that this password hash is regarded as weak as it is
+ vulnerable to dictionary attacks and if two users choose the
+ same password this entry will be identical (i.e. the password
+ is not "salted" as the UNIX password is). If the user has a
+ null password this field will contain the characters "NO PASSWORD"
+ as the start of the hex string. If the hex string is equal to
+ 32 'X' characters then the user's account is marked as
+ <constant>disabled</constant> and the user will not be able to
+ log onto the Samba server. </para>
+
+ <para><emphasis>WARNING !!</emphasis> Note that, due to
+ the challenge-response nature of the SMB/CIFS authentication
+ protocol, anyone with a knowledge of this password hash will
+ be able to impersonate the user on the network. For this
+ reason these hashes are known as <emphasis>plain text
+ equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
+ available to anyone but the root user. To protect these passwords
+ the smbpasswd file is placed in a directory with read and
+ traverse access only to the root user and the smbpasswd file
+ itself must be set to be read/write only by root, with no
+ other access. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>NT Password Hash</term>
+ <listitem><para>This is the Windows NT hash of the user's
+ password, encoded as 32 hex digits. The Windows NT hash is
+ created by taking the user's password as represented in
+ 16-bit, little-endian UNICODE and then applying the MD4
+ (internet rfc1321) hashing algorithm to it. </para>
+
+ <para>This password hash is considered more secure than
+ the LANMAN Password Hash as it preserves the case of the
+ password and uses a much higher quality hashing algorithm.
+ However, it is still the case that if two users choose the same
+ password this entry will be identical (i.e. the password is
+ not "salted" as the UNIX password is). </para>
+
+ <para><emphasis>WARNING !!</emphasis>. Note that, due to
+ the challenge-response nature of the SMB/CIFS authentication
+ protocol, anyone with a knowledge of this password hash will
+ be able to impersonate the user on the network. For this
+ reason these hashes are known as <emphasis>plain text
+ equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
+ available to anyone but the root user. To protect these passwords
+ the smbpasswd file is placed in a directory with read and
+ traverse access only to the root user and the smbpasswd file
+ itself must be set to be read/write only by root, with no
+ other access. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>Account Flags</term>
+ <listitem><para>This section contains flags that describe
+ the attributes of the users account. In the Samba 2.2 release
+ this field is bracketed by '[' and ']' characters and is always
+ 13 characters in length (including the '[' and ']' characters).
+ The contents of this field may be any of the characters.
+ </para>
+
+ <itemizedlist>
+ <listitem><para><emphasis>U</emphasis> - This means
+ this is a "User" account, i.e. an ordinary user. Only User
+ and Workstation Trust accounts are currently supported
+ in the smbpasswd file. </para></listitem>
+
+ <listitem><para><emphasis>N</emphasis> - This means the
+ account has no password (the passwords in the fields LANMAN
+ Password Hash and NT Password Hash are ignored). Note that this
+ will only allow users to log on with no password if the <parameter>
+ null passwords</parameter> parameter is set in the <ulink
+ url="smb.conf.5.html#NULLPASSWORDS"><filename>smb.conf(5)
+ </filename></ulink> config file. </para></listitem>
+
+ <listitem><para><emphasis>D</emphasis> - This means the account
+ is disabled and no SMB/CIFS logins will be allowed for
+ this user. </para></listitem>
+
+ <listitem><para><emphasis>W</emphasis> - This means this account
+ is a "Workstation Trust" account. This kind of account is used
+ in the Samba PDC code stream to allow Windows NT Workstations
+ and Servers to join a Domain hosted by a Samba PDC. </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Other flags may be added as the code is extended in future.
+ The rest of this field space is filled in with spaces. </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>Last Change Time</term>
+ <listitem><para>This field consists of the time the account was
+ last modified. It consists of the characters 'LCT-' (standing for
+ "Last Change Time") followed by a numeric encoding of the UNIX time
+ in seconds since the epoch (1970) that the last change was made.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>All other colon separated fields are ignored at this time.</para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>,
+ <ulink url="samba.7.html">samba(7)</ulink>, and
+ the Internet RFC1321 for details on the MD4 algorithm.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml
new file mode 100644
index 0000000000..3c7a6a5150
--- /dev/null
+++ b/docs/docbook/manpages/smbpasswd.8.sgml
@@ -0,0 +1,389 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbpasswd">
+
+<refmeta>
+ <refentrytitle>smbpasswd</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbpasswd</refname>
+ <refpurpose>change a user's SMB password</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbpasswd</command>
+ <arg choice="opt">-a</arg>
+ <arg choice="opt">-x</arg>
+ <arg choice="opt">-d</arg>
+ <arg choice="opt">-e</arg>
+ <arg choice="opt">-D debuglevel</arg>
+ <arg choice="opt">-n</arg>
+ <arg choice="opt">-r &lt;remote machine&gt;</arg>
+ <arg choice="opt">-R &lt;name resolve order&gt;</arg>
+ <arg choice="opt">-m</arg>
+ <arg choice="opt">-j DOMAIN</arg>
+ <arg choice="opt">-U username[%password]</arg>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-s</arg>
+ <arg choice="opt">-w pass</arg>
+ <arg choice="opt">username</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para>The smbpasswd program has several different
+ functions, depending on whether it is run by the <emphasis>root</emphasis>
+ user or not. When run as a normal user it allows the user to change
+ the password used for their SMB sessions on any machines that store
+ SMB passwords. </para>
+
+ <para>By default (when run with no arguments) it will attempt to
+ change the current user's SMB password on the local machine. This is
+ similar to the way the <command>passwd(1)</command> program works.
+ <command>smbpasswd</command> differs from how the passwd program works
+ however in that it is not <emphasis>setuid root</emphasis> but works in
+ a client-server mode and communicates with a locally running
+ <command>smbd(8)</command>. As a consequence in order for this to
+ succeed the smbd daemon must be running on the local machine. On a
+ UNIX machine the encrypted SMB passwords are usually stored in
+ the <filename>smbpasswd(5)</filename> file. </para>
+
+ <para>When run by an ordinary user with no options. smbpasswd
+ will prompt them for their old SMB password and then ask them
+ for their new password twice, to ensure that the new password
+ was typed correctly. No passwords will be echoed on the screen
+ whilst being typed. If you have a blank SMB password (specified by
+ the string "NO PASSWORD" in the smbpasswd file) then just press
+ the &lt;Enter&gt; key when asked for your old password. </para>
+
+ <para>smbpasswd can also be used by a normal user to change their
+ SMB password on remote machines, such as Windows NT Primary Domain
+ Controllers. See the (-r) and -U options below. </para>
+
+ <para>When run by root, smbpasswd allows new users to be added
+ and deleted in the smbpasswd file, as well as allows changes to
+ the attributes of the user in this file to be made. When run by root,
+ <command>smbpasswd</command> accesses the local smbpasswd file
+ directly, thus enabling changes to be made even if smbd is not
+ running. </para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem><para>This option specifies that the username
+ following should be added to the local smbpasswd file, with the
+ new password typed (type &lt;Enter&gt; for the old password). This
+ option is ignored if the username following already exists in
+ the smbpasswd file and it is treated like a regular change
+ password command. Note that the default passdb backends require
+ the user to already exist in the system password file (usually
+ <filename>/etc/passwd</filename>), else the request to add the
+ user will fail. </para>
+
+ <para>This option is only available when running smbpasswd
+ as root. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-x</term>
+ <listitem><para>This option specifies that the username
+ following should be deleted from the local smbpasswd file.
+ </para>
+
+ <para>This option is only available when running smbpasswd as
+ root.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-d</term>
+ <listitem><para>This option specifies that the username following
+ should be <constant>disabled</constant> in the local smbpasswd
+ file. This is done by writing a <constant>'D'</constant> flag
+ into the account control space in the smbpasswd file. Once this
+ is done all attempts to authenticate via SMB using this username
+ will fail. </para>
+
+ <para>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
+ format) there is no space in the user's password entry to write
+ this information and the command will FAIL. See <command>smbpasswd(5)
+ </command> for details on the 'old' and new password file formats.
+ </para>
+
+ <para>This option is only available when running smbpasswd as
+ root.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-e</term>
+ <listitem><para>This option specifies that the username following
+ should be <constant>enabled</constant> in the local smbpasswd file,
+ if the account was previously disabled. If the account was not
+ disabled this option has no effect. Once the account is enabled then
+ the user will be able to authenticate via SMB once again. </para>
+
+ <para>If the smbpasswd file is in the 'old' format, then <command>
+ smbpasswd</command> will FAIL to enable the account.
+ See <command>smbpasswd (5)</command> for
+ details on the 'old' and new password file formats. </para>
+
+ <para>This option is only available when running smbpasswd as root.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-D debuglevel</term>
+ <listitem><para><replaceable>debuglevel</replaceable> is an integer
+ from 0 to 10. The default value if this parameter is not specified
+ is zero. </para>
+
+ <para>The higher this value, the more detail will be logged to the
+ log files about the activities of smbpasswd. At level 0, only
+ critical errors and serious warnings will be logged. </para>
+
+ <para>Levels above 1 will generate considerable amounts of log
+ data, and should only be used when investigating a problem. Levels
+ above 3 are designed for use only by developers and generate
+ HUGE amounts of log data, most of which is extremely cryptic.
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-n</term>
+ <listitem><para>This option specifies that the username following
+ should have their password set to null (i.e. a blank password) in
+ the local smbpasswd file. This is done by writing the string "NO
+ PASSWORD" as the first part of the first password stored in the
+ smbpasswd file. </para>
+
+ <para>Note that to allow users to logon to a Samba server once
+ the password has been set to "NO PASSWORD" in the smbpasswd
+ file the administrator must set the following parameter in the [global]
+ section of the <filename>smb.conf</filename> file : </para>
+
+ <para><command>null passwords = yes</command></para>
+
+ <para>This option is only available when running smbpasswd as
+ root.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-r remote machine name</term>
+ <listitem><para>This option allows a user to specify what machine
+ they wish to change their password on. Without this parameter
+ smbpasswd defaults to the local host. The <replaceable>remote
+ machine name</replaceable> is the NetBIOS name of the SMB/CIFS
+ server to contact to attempt the password change. This name is
+ resolved into an IP address using the standard name resolution
+ mechanism in all programs of the Samba suite. See the <parameter>-R
+ name resolve order</parameter> parameter for details on changing
+ this resolving mechanism. </para>
+
+ <para>The username whose password is changed is that of the
+ current UNIX logged on user. See the <parameter>-U username</parameter>
+ parameter for details on changing the password for a different
+ username. </para>
+
+ <para>Note that if changing a Windows NT Domain password the
+ remote machine specified must be the Primary Domain Controller for
+ the domain (Backup Domain Controllers only have a read-only
+ copy of the user account database and will not allow the password
+ change).</para>
+
+ <para><emphasis>Note</emphasis> that Windows 95/98 do not have
+ a real password database so it is not possible to change passwords
+ specifying a Win95/98 machine as remote machine target. </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-R name resolve order</term>
+ <listitem><para>This option allows the user of smbpasswd to determine
+ what name resolution services to use when looking up the NetBIOS
+ name of the host being connected to. </para>
+
+ <para>The options are :"lmhosts", "host", "wins" and "bcast". They cause
+ names to be resolved as follows : </para>
+ <itemizedlist>
+ <listitem><para><constant>lmhosts</constant> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <ulink
+ url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ any name type matches for lookup.</para></listitem>
+
+ <listitem><para><constant>host</constant> : Do a standard host
+ name to IP address resolution, using the system <filename>/etc/hosts
+ </filename>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <filename>/etc/nsswitch.conf</filename>
+ file). Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</para></listitem>
+
+ <listitem><para><constant>wins</constant> : Query a name with
+ the IP address listed in the <parameter>wins server</parameter>
+ parameter. If no WINS server has been specified this method
+ will be ignored.</para></listitem>
+
+ <listitem><para><constant>bcast</constant> : Do a broadcast on
+ each of the known local interfaces listed in the
+ <parameter>interfaces</parameter> parameter. This is the least
+ reliable of the name resolution methods as it depends on the
+ target host being on a locally connected subnet.</para></listitem>
+ </itemizedlist>
+
+ <para>The default order is <command>lmhosts, host, wins, bcast</command>
+ and without this parameter or any entry in the
+ <filename>smb.conf</filename> file the name resolution methods will
+ be attempted in this order. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-m</term>
+ <listitem><para>This option tells smbpasswd that the account
+ being changed is a MACHINE account. Currently this is used
+ when Samba is being used as an NT Primary Domain Controller.</para>
+
+ <para>This option is only available when running smbpasswd as root.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-U username</term>
+ <listitem><para>This option may only be used in conjunction
+ with the <parameter>-r</parameter> option. When changing
+ a password on a remote machine it allows the user to specify
+ the user name on that machine whose password will be changed. It
+ is present to allow users who have different user names on
+ different systems to change these passwords. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem><para>This option prints the help string for <command>
+ smbpasswd</command>, selecting the correct one for running as root
+ or as an ordinary user. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-s</term>
+ <listitem><para>This option causes smbpasswd to be silent (i.e.
+ not issue prompts) and to read its old and new passwords from
+ standard input, rather than from <filename>/dev/tty</filename>
+ (like the <command>passwd(1)</command> program does). This option
+ is to aid people writing scripts to drive smbpasswd</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-w password</term>
+ <listitem><para>This parameter is only available is Samba
+ has been configured to use the experiemental
+ <command>--with-ldapsam</command> option. The <parameter>-w</parameter>
+ switch is used to specify the password to be used with the
+ <ulink url="smb.conf.5.html#LDAPADMINDN"><parameter>ldap admin
+ dn</parameter></ulink>. Note that the password is stored in
+ the <filename>private/secrets.tdb</filename> and is keyed off
+ of the admin's DN. This means that if the value of <parameter>ldap
+ admin dn</parameter> ever changes, the password will beed to be
+ manually updated as well.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>username</term>
+ <listitem><para>This specifies the username for all of the
+ <emphasis>root only</emphasis> options to operate on. Only root
+ can specify this parameter as only root has the permission needed
+ to modify attributes directly in the local smbpasswd file.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>NOTES</title>
+
+ <para>Since <command>smbpasswd</command> works in client-server
+ mode communicating with a local smbd for a non-root user then
+ the smbd daemon must be running for this to work. A common problem
+ is to add a restriction to the hosts that may access the <command>
+ smbd</command> running on the local machine by specifying a
+ <parameter>allow hosts</parameter> or <parameter>deny hosts</parameter>
+ entry in the <filename>smb.conf</filename> file and neglecting to
+ allow "localhost" access to the smbd. </para>
+
+ <para>In addition, the smbpasswd command is only useful if Samba
+ has been set up to use encrypted passwords. See the file
+ <filename>ENCRYPTION.txt</filename> in the docs directory for details
+ on how to do this. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 3.0 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbpasswd.5.html"><filename>smbpasswd(5)</filename></ulink>,
+ <ulink url="samba.7.html">samba(7)</ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
+
+
+
+
diff --git a/docs/docbook/manpages/smbsh.1.sgml b/docs/docbook/manpages/smbsh.1.sgml
new file mode 100644
index 0000000000..46adac6b79
--- /dev/null
+++ b/docs/docbook/manpages/smbsh.1.sgml
@@ -0,0 +1,105 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbsh">
+
+<refmeta>
+ <refentrytitle>smbsh</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbsh</refname>
+ <refpurpose>Allows access to Windows NT filesystem
+ using UNIX commands</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbsh</command>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>smbsh</command> allows you to access an NT filesystem
+ using UNIX commands such as <command>ls</command>, <command>
+ egrep</command>, and <command>rcp</command>. You must use a
+ shell that is dynamically linked in order for <command>smbsh</command>
+ to work correctly.</para>
+
+ <para>To use the <command>smbsh</command> command, execute <command>
+ smbsh</command> from the prompt and enter the username and password
+ that authenticates you to the machine running the Windows NT
+ operating system.</para>
+
+ <para><programlisting>
+ <prompt>system% </prompt><userinput>smbsh</userinput>
+ <prompt>Username: </prompt><userinput>user</userinput>
+ <prompt>Password: </prompt><userinput>XXXXXXX</userinput>
+ </programlisting></para>
+
+
+ <para>Any dynamically linked command you execute from
+ this shell will access the <filename>/smb</filename> directory
+ using the smb protocol. For example, the command <command>ls /smb
+ </command> will show a list of workgroups. The command
+ <command>ls /smb/MYGROUP </command> will show all the machines in
+ the workgroup MYGROUP. The command
+ <command>ls /smb/MYGROUP/&lt;machine-name&gt;</command> will show the share
+ names for that machine. You could then, for example, use the <command>
+ cd</command> command to change directories, <command>vi</command> to
+ edit files, and <command>rcp</command> to copy files.</para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>BUGS</title>
+
+ <para><command>smbsh</command> works by intercepting the standard
+ libc calls with the dynamically loaded versions in <filename>
+ smbwrapper.o</filename>. Not all calls have been "wrapped", so
+ some programs may not function correctly under <command>smbsh
+ </command>.</para>
+
+ <para>Programs which are not dynamically linked cannot make
+ use of <command>smbsh</command>'s functionality. Most versions
+ of UNIX have a <command>file</command> command that will
+ describe how a program was linked.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbspool.8.sgml b/docs/docbook/manpages/smbspool.8.sgml
new file mode 100644
index 0000000000..d5c9c0a114
--- /dev/null
+++ b/docs/docbook/manpages/smbspool.8.sgml
@@ -0,0 +1,131 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbspool">
+
+<refmeta>
+ <refentrytitle>smbspool</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbspool</refname>
+ <refpurpose>send print file to an SMB printer</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbspool</command>
+ <arg>job</arg>
+ <arg>user</arg>
+ <arg>title</arg>
+ <arg>copies</arg>
+ <arg>options</arg>
+ <arg>filename</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para>smbspool is a very small print spooling program that
+ sends a print file to an SMB printer. The command-line arguments
+ are position-dependent for compatibility with the Common UNIX
+ Printing System, but you can use smbspool with any printing system
+ or from a program or script.</para>
+
+ <para><emphasis>DEVICE URI</emphasis></para>
+
+ <para>smbspool specifies the destination using a Uniform Resource
+ Identifier ("URI") with a method of "smb". This string can take
+ a number of forms:</para>
+
+ <itemizedlist>
+ <listitem><para>smb://server/printer</para></listitem>
+ <listitem><para>smb://workgroup/server/printer</para></listitem>
+ <listitem><para>smb://username:password@server/printer</para>
+ </listitem>
+ <listitem><para>smb://username:password@workgroup/server/printer
+ </para></listitem>
+ </itemizedlist>
+
+ <para>smbspool tries to get the URI from argv[0]. If argv[0]
+ contains the name of the program then it looks in the <envar>
+ DEVICE_URI</envar> environment variable.</para>
+
+ <para>Programs using the <command>exec(2)</command> functions can
+ pass the URI in argv[0], while shell scripts must set the
+ <envar>DEVICE_URI</envar> environment variable prior to
+ running smbspool.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <itemizedlist>
+ <listitem><para>The job argument (argv[1]) contains the
+ job ID number and is presently not used by smbspool.
+ </para></listitem>
+
+ <listitem><para>The user argument (argv[2]) contains the
+ print user's name and is presently not used by smbspool.
+ </para></listitem>
+
+ <listitem><para>The title argument (argv[3]) contains the
+ job title string and is passed as the remote file name
+ when sending the print job.</para></listitem>
+
+ <listitem><para>The copies argument (argv[4]) contains
+ the number of copies to be printed of the named file. If
+ no filename is provided than this argument is not used by
+ smbspool.</para></listitem>
+
+ <listitem><para>The options argument (argv[5]) contains
+ the print options in a single string and is presently
+ not used by smbspool.</para></listitem>
+
+ <listitem><para>The filename argument (argv[6]) contains the
+ name of the file to print. If this argument is not specified
+ then the print file is read from the standard input.</para>
+ </listitem>
+ </itemizedlist>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ and <ulink url="samba.7.html">samba(7)</ulink>.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para><command>smbspool</command> was written by Michael Sweet
+ at Easy Software Products.</para>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbstatus.1.sgml b/docs/docbook/manpages/smbstatus.1.sgml
new file mode 100644
index 0000000000..99963a4bec
--- /dev/null
+++ b/docs/docbook/manpages/smbstatus.1.sgml
@@ -0,0 +1,152 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbstatus">
+
+<refmeta>
+ <refentrytitle>smbstatus</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbstatus</refname>
+ <refpurpose>report on current Samba connections</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbstatus</command>
+ <arg choice="opt">-P</arg>
+ <arg choice="opt">-b</arg>
+ <arg choice="opt">-d &lt;debug level&gt;</arg>
+ <arg choice="opt">-v</arg>
+ <arg choice="opt">-L</arg>
+ <arg choice="opt">-B</arg>
+ <arg choice="opt">-p</arg>
+ <arg choice="opt">-S</arg>
+ <arg choice="opt">-s &lt;configuration file&gt;</arg>
+ <arg choice="opt">-u &lt;username&gt;</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>smbstatus</command> is a very simple program to
+ list the current Samba connections.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-P|--profile</term>
+ <listitem><para>If samba has been compiled with the
+ profiling option, print only the contents of the profiling
+ shared memory area.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b|--brief</term>
+ <listitem><para>gives brief output.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-d|--debug=&lt;debuglevel&gt;</term>
+ <listitem><para>sets debugging to specified level</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-v|--verbose</term>
+ <listitem><para>gives verbose output.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-L|--locks</term>
+ <listitem><para>causes smbstatus to only list locks.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-B|--byterange</term>
+ <listitem><para>causes smbstatus to include byte range locks.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-p|--processes</term>
+ <listitem><para>print a list of <ulink url="smbd.8.html">
+ <command>smbd(8)</command></ulink> processes and exit.
+ Useful for scripting.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-S|--shares</term>
+ <listitem><para>causes smbstatus to only list shares.</para>
+ </listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-s|--conf=&lt;configuration file&gt;</term>
+ <listitem><para>The default configuration file name is
+ determined at compile time. The file specified contains the
+ configuration details required by the server. See <ulink
+ url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+ </ulink> for more information.</para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-u|--user=&lt;username&gt;</term>
+ <listitem><para>selects information relevant to
+ <parameter>username</parameter> only.</para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 3.0 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbd.8.html"><command>smbd(8)</command></ulink> and
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink>.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbtar.1.sgml b/docs/docbook/manpages/smbtar.1.sgml
new file mode 100644
index 0000000000..4e2ee5fff0
--- /dev/null
+++ b/docs/docbook/manpages/smbtar.1.sgml
@@ -0,0 +1,226 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbtar">
+
+<refmeta>
+ <refentrytitle>smbtar</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbtar</refname>
+ <refpurpose>shell script for backing up SMB/CIFS shares
+ directly to UNIX tape drives</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbtar</command>
+ <arg choice="req">-s server</arg>
+ <arg choice="opt">-p password</arg>
+ <arg choice="opt">-x services</arg>
+ <arg choice="opt">-X</arg>
+ <arg choice="opt">-d directory</arg>
+ <arg choice="opt">-u user</arg>
+ <arg choice="opt">-t tape</arg>
+ <arg choice="opt">-t tape</arg>
+ <arg choice="opt">-b blocksize</arg>
+ <arg choice="opt">-N filename</arg>
+ <arg choice="opt">-i</arg>
+ <arg choice="opt">-r</arg>
+ <arg choice="opt">-l loglevel</arg>
+ <arg choice="opt">-v</arg>
+ <arg choice="req">filenames</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>smbtar</command> is a very small shell script on top
+ of <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>
+ which dumps SMB shares directly to tape. </para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-s server</term>
+ <listitem><para>The SMB/CIFS server that the share resides
+ upon.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-x service</term>
+ <listitem><para>The share name on the server to connect to.
+ The default is "backup".</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-X</term>
+ <listitem><para>Exclude mode. Exclude filenames... from tar
+ create or restore. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-d directory</term>
+ <listitem><para>Change to initial <parameter>directory
+ </parameter> before restoring / backing up files. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem><para>Verbose mode.</para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-p password</term>
+ <listitem><para>The password to use to access a share.
+ Default: none </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-u user</term>
+ <listitem><para>The user id to connect as. Default:
+ UNIX login name. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-t tape</term>
+ <listitem><para>Tape device. May be regular file or tape
+ device. Default: <parameter>$TAPE</parameter> environmental
+ variable; if not set, a file called <filename>tar.out
+ </filename>. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-b blocksize</term>
+ <listitem><para>Blocking factor. Defaults to 20. See
+ <command>tar(1)</command> for a fuller explanation. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-N filename</term>
+ <listitem><para>Backup only files newer than filename. Could
+ be used (for example) on a log file to implement incremental
+ backups. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-i</term>
+ <listitem><para>Incremental mode; tar files are only backed
+ up if they have the archive bit set. The archive bit is reset
+ after each file is read. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem><para>Restore. Files are restored to the share
+ from the tar file. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-l log level</term>
+ <listitem><para>Log (debug) level. Corresponds to the
+ <parameter>-d</parameter> flag of <command>smbclient(1)
+ </command>. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>ENVIRONMENT VARIABLES</title>
+
+ <para>The <parameter>$TAPE</parameter> variable specifies the
+ default tape device to write to. May be overridden
+ with the -t option. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>BUGS</title>
+
+ <para>The <command>smbtar</command> script has different
+ options from ordinary tar and tar called from smbclient. </para>
+
+</refsect1>
+
+<refsect1>
+ <title>CAVEATS</title>
+
+ <para>Sites that are more careful about security may not like
+ the way the script handles PC passwords. Backup and restore work
+ on entire shares, should work on file lists. smbtar works best
+ with GNU tar and may not work well with other versions. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>DIAGNOSTICS</title>
+
+ <para>See the <emphasis>DIAGNOSTICS</emphasis> section for the
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command>
+ </ulink> command.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink>,
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para><ulink url="mailto:poultenr@logica.co.uk">Ricky Poulten</ulink>
+ wrote the tar extension and this man page. The <command>smbtar</command>
+ script was heavily rewritten and improved by <ulink
+ url="mailto:Martin.Kraemer@mch.sni.de">Martin Kraemer</ulink>. Many
+ thanks to everyone who suggested extensions, improvements, bug
+ fixes, etc. The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter.</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/smbumount.8.sgml b/docs/docbook/manpages/smbumount.8.sgml
new file mode 100644
index 0000000000..d6a1b65b57
--- /dev/null
+++ b/docs/docbook/manpages/smbumount.8.sgml
@@ -0,0 +1,73 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="smbumount">
+
+<refmeta>
+ <refentrytitle>smbumount</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>smbumount</refname>
+ <refpurpose>smbfs umount for normal users</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>smbumount</command>
+ <arg choice="req">mount-point</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>With this program, normal users can unmount smb-filesystems,
+ provided that it is suid root. <command>smbumount</command> has
+ been written to give normal Linux users more control over their
+ resources. It is safe to install this program suid root, because only
+ the user who has mounted a filesystem is allowed to unmount it again.
+ For root it is not necessary to use smbumount. The normal umount
+ program works perfectly well, but it would certainly be problematic
+ to make umount setuid root.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>mount-point</term>
+ <listitem><para>The directory to unmount.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>SEE ALSO</title>
+
+ <para><ulink url="smbmount.8.html"><command>smbmount(8)</command>
+ </ulink></para>
+</refsect1>
+
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>Volker Lendecke, Andrew Tridgell, Michael H. Warfield
+ and others.</para>
+
+ <para>The current maintainer of smbfs and the userspace
+ tools <command>smbmount</command>, <command>smbumount</command>,
+ and <command>smbmnt</command> is <ulink
+ url="mailto:urban@teststation.com">Urban Widmark</ulink>.
+ The <ulink url="mailto:samba@samba.org">SAMBA Mailing list</ulink>
+ is the preferred place to ask questions regarding these programs.
+ </para>
+
+ <para>The conversion of this manpage for Samba 2.2 was performed
+ by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/swat.8.sgml b/docs/docbook/manpages/swat.8.sgml
new file mode 100644
index 0000000000..dc6989d566
--- /dev/null
+++ b/docs/docbook/manpages/swat.8.sgml
@@ -0,0 +1,209 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="swat">
+
+<refmeta>
+ <refentrytitle>swat</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>swat</refname>
+ <refpurpose>Samba Web Administration Tool</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>swat</command>
+ <arg choice="opt">-s &lt;smb config file&gt;</arg>
+ <arg choice="opt">-a</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+
+ <para><command>swat</command> allows a Samba administrator to
+ configure the complex <ulink url="smb.conf.5.html"><filename>
+ smb.conf(5)</filename></ulink> file via a Web browser. In addition,
+ a <command>swat</command> configuration page has help links
+ to all the configurable options in the <filename>smb.conf</filename> file allowing an
+ administrator to easily look up the effects of any change. </para>
+
+ <para><command>swat</command> is run from <command>inetd</command> </para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-s smb configuration file</term>
+ <listitem><para>The default configuration file path is
+ determined at compile time. The file specified contains
+ the configuration details required by the <command>smbd
+ </command> server. This is the file that <command>swat</command> will modify.
+ The information in this file includes server-specific
+ information such as what printcap file to use, as well as
+ descriptions of all the services that the server is to provide.
+ See <filename>smb.conf</filename> for more information.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-a</term>
+ <listitem><para>This option disables authentication and puts
+ <command>swat</command> in demo mode. In that mode anyone will be able to modify
+ the <filename>smb.conf</filename> file. </para>
+
+ <para><emphasis>Do NOT enable this option on a production
+ server. </emphasis></para></listitem>
+ </varlistentry>
+ </variablelist>
+
+</refsect1>
+
+<refsect1>
+
+ <title>INSTALLATION</title>
+
+ <para>After you compile SWAT you need to run <command>make install
+ </command> to install the <command>swat</command> binary
+ and the various help files and images. A default install would put
+ these in: </para>
+
+ <itemizedlist>
+ <listitem><para>/usr/local/samba/bin/swat</para></listitem>
+ <listitem><para>/usr/local/samba/swat/images/*</para></listitem>
+ <listitem><para>/usr/local/samba/swat/help/*</para></listitem>
+ </itemizedlist>
+
+ <refsect2>
+ <title>Inetd Installation</title>
+
+ <para>You need to edit your <filename>/etc/inetd.conf
+ </filename> and <filename>/etc/services</filename>
+ to enable SWAT to be launched via <command>inetd</command>.</para>
+
+ <para>In <filename>/etc/services</filename> you need to
+ add a line like this: </para>
+
+ <para><command>swat 901/tcp</command></para>
+
+ <para>Note for NIS/YP users - you may need to rebuild the
+ NIS service maps rather than alter your local <filename>
+ /etc/services</filename> file. </para>
+
+ <para>the choice of port number isn't really important
+ except that it should be less than 1024 and not currently
+ used (using a number above 1024 presents an obscure security
+ hole depending on the implementation details of your
+ <command>inetd</command> daemon). </para>
+
+ <para>In <filename>/etc/inetd.conf</filename> you should
+ add a line like this: </para>
+
+ <para><command>swat stream tcp nowait.400 root
+ /usr/local/samba/bin/swat swat</command></para>
+
+ <para>One you have edited <filename>/etc/services</filename>
+ and <filename>/etc/inetd.conf</filename> you need to send a
+ HUP signal to inetd. To do this use <command>kill -1 PID
+ </command> where PID is the process ID of the inetd daemon. </para>
+
+ </refsect2>
+
+
+ <refsect2>
+ <title>Launching</title>
+
+ <para>To launch SWAT just run your favorite web browser and
+ point it at "http://localhost:901/".</para>
+
+ <para>Note that you can attach to SWAT from any IP connected
+ machine but connecting from a remote machine leaves your
+ connection open to password sniffing as passwords will be sent
+ in the clear over the wire. </para>
+ </refsect2>
+</refsect1>
+
+<refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/inetd.conf</filename></term>
+ <listitem><para>This file must contain suitable startup
+ information for the meta-daemon.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/services</filename></term>
+ <listitem><para>This file must contain a mapping of service name
+ (e.g., swat) to service port (e.g., 901) and protocol type
+ (e.g., tcp). </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/usr/local/samba/lib/smb.conf</filename></term>
+ <listitem><para>This is the default location of the <filename>smb.conf(5)
+ </filename> server configuration file that swat edits. Other
+ common places that systems install this file are <filename>
+ /usr/samba/lib/smb.conf</filename> and <filename>/etc/smb.conf
+ </filename>. This file describes all the services the server
+ is to make available to clients. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>WARNINGS</title>
+
+ <para><command>swat</command> will rewrite your <filename>smb.conf
+ </filename> file. It will rearrange the entries and delete all
+ comments, <parameter>include=</parameter> and <parameter>copy="
+ </parameter> options. If you have a carefully crafted <filename>
+ smb.conf</filename> then back it up or don't use swat! </para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><command>inetd(5)</command>,
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/testparm.1.sgml b/docs/docbook/manpages/testparm.1.sgml
new file mode 100644
index 0000000000..320e39e6f5
--- /dev/null
+++ b/docs/docbook/manpages/testparm.1.sgml
@@ -0,0 +1,168 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="testparm">
+
+<refmeta>
+ <refentrytitle>testparm</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>testparm</refname>
+ <refpurpose>check an smb.conf configuration file for
+ internal correctness</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>testparm</command>
+ <arg choice="opt">-s</arg>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-L &lt;servername&gt;</arg>
+ <arg choice="req">config filename</arg>
+ <arg choice="opt">hostname hostIP</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>testparm</command> is a very simple test program
+ to check an <command>smbd</command> configuration file for
+ internal correctness. If this program reports no problems, you
+ can use the configuration file with confidence that <command>smbd
+ </command> will successfully load the configuration file.</para>
+
+
+ <para>Note that this is <emphasis>NOT</emphasis> a guarantee that
+ the services specified in the configuration file will be
+ available or will operate as expected. </para>
+
+ <para>If the optional host name and host IP address are
+ specified on the command line, this test program will run through
+ the service entries reporting whether the specified host
+ has access to each service. </para>
+
+ <para>If <command>testparm</command> finds an error in the <filename>
+ smb.conf</filename> file it returns an exit code of 1 to the calling
+ program, else it returns an exit code of 0. This allows shell scripts
+ to test the output from <command>testparm</command>.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-s</term>
+ <listitem><para>Without this option, <command>testparm</command>
+ will prompt for a carriage return after printing the service
+ names and before dumping the service definitions.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem><para>Print usage message </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-L servername</term>
+ <listitem><para>Sets the value of the %L macro to <replaceable>servername</replaceable>.
+ This is useful for testing include files specified with the
+ %L macro. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>configfilename</term>
+ <listitem><para>This is the name of the configuration file
+ to check. If this parameter is not present then the
+ default <filename>smb.conf</filename> file will be checked.
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>hostname</term>
+ <listitem><para>If this parameter and the following are
+ specified, then <command>testparm</command> will examine the <parameter>hosts
+ allow</parameter> and <parameter>hosts deny</parameter>
+ parameters in the <filename>smb.conf</filename> file to
+ determine if the hostname with this IP address would be
+ allowed access to the <command>smbd</command> server. If
+ this parameter is supplied, the hostIP parameter must also
+ be supplied.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>hostIP</term>
+ <listitem><para>This is the IP address of the host specified
+ in the previous parameter. This address must be supplied
+ if the hostname parameter is supplied. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>smb.conf</filename></term>
+ <listitem><para>This is usually the name of the configuration
+ file used by <command>smbd</command>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>DIAGNOSTICS</title>
+
+ <para>The program will issue a message saying whether the
+ configuration file loaded OK or not. This message may be preceded by
+ errors and warnings if the file did not load. If the file was
+ loaded OK, the program then dumps all known service details
+ to stdout. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename></ulink>,
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
+
diff --git a/docs/docbook/manpages/testprns.1.sgml b/docs/docbook/manpages/testprns.1.sgml
new file mode 100644
index 0000000000..cd99494a9a
--- /dev/null
+++ b/docs/docbook/manpages/testprns.1.sgml
@@ -0,0 +1,143 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="testprns">
+
+<refmeta>
+ <refentrytitle>testprns</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>testprns</refname>
+ <refpurpose>check printer name for validity with smbd</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>testprns</command>
+ <arg choice="req">printername</arg>
+ <arg choice="opt">printcapname</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>testprns</command> is a very simple test program
+ to determine whether a given printer name is valid for use in
+ a service to be provided by <ulink url="smbd.8.html"><command>
+ smbd(8)</command></ulink>. </para>
+
+ <para>"Valid" in this context means "can be found in the
+ printcap specified". This program is very stupid - so stupid in
+ fact that it would be wisest to always specify the printcap file
+ to use. </para>
+
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>printername</term>
+ <listitem><para>The printer name to validate.</para>
+
+ <para>Printer names are taken from the first field in each
+ record in the printcap file, single printer names and sets
+ of aliases separated by vertical bars ("|") are recognized.
+ Note that no validation or checking of the printcap syntax is
+ done beyond that required to extract the printer name. It may
+ be that the print spooling system is more forgiving or less
+ forgiving than <command>testprns</command>. However, if
+ <command>testprns</command> finds the printer then
+ <command>smbd</command> should do so as well. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>printcapname</term>
+ <listitem><para>This is the name of the printcap file within
+ which to search for the given printer name. </para>
+
+ <para>If no printcap name is specified <command>testprns
+ </command> will attempt to scan the printcap file name
+ specified at compile time. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/printcap</filename></term>
+ <listitem><para>This is usually the default printcap
+ file to scan. See <filename>printcap (5)</filename>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>DIAGNOSTICS</title>
+
+ <para>If a printer is found to be valid, the message
+ "Printer name &lt;printername&gt; is valid" will be
+ displayed. </para>
+
+ <para>If a printer is found to be invalid, the message
+ "Printer name &lt;printername&gt; is not valid" will be
+ displayed. </para>
+
+ <para>All messages that would normally be logged during
+ operation of the Samba daemons are logged by this program to the
+ file <filename>test.log</filename> in the current directory. The
+ program runs at debuglevel 3, so quite extensive logging
+ information is written. The log should be checked carefully
+ for errors and warnings. </para>
+
+ <para>Other messages are self-explanatory. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><filename>printcap(5)</filename>,
+ <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
+ <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
+ ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</para>
+</refsect1>
+
+</refentry>
+
diff --git a/docs/docbook/manpages/wbinfo.1.sgml b/docs/docbook/manpages/wbinfo.1.sgml
new file mode 100644
index 0000000000..7f2c4624a9
--- /dev/null
+++ b/docs/docbook/manpages/wbinfo.1.sgml
@@ -0,0 +1,201 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="wbinfo">
+
+<refmeta>
+ <refentrytitle>wbinfo</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>wbinfo</refname>
+ <refpurpose>Query information from winbind daemon</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>wbinfo</command>
+ <arg choice="opt">-u</arg>
+ <arg choice="opt">-g</arg>
+ <arg choice="opt">-n name</arg>
+ <arg choice="opt">-s sid</arg>
+ <arg choice="opt">-U uid</arg>
+ <arg choice="opt">-G gid</arg>
+ <arg choice="opt">-S sid</arg>
+ <arg choice="opt">-Y sid</arg>
+ <arg choice="opt">-t</arg>
+ <arg choice="opt">-m</arg>
+ <arg choice="opt">-a user%password</arg>
+ <arg choice="opt">-p</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para>The <command>wbinfo</command> program queries and returns information
+ created and used by the <ulink url="winbindd.8.html"><command>
+ winbindd(8)</command></ulink> daemon. </para>
+
+ <para>The <command>winbindd(8)</command> daemon must be configured
+ and running for the <command>wbinfo</command> program to be able
+ to return information.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-u</term>
+ <listitem><para>This option will list all users available
+ in the Windows NT domain for which the <command>winbindd(8)
+ </command> daemon is operating in. Users in all trusted domains
+ will also be listed. Note that this operation does not assign
+ user ids to any users that have not already been seen by
+ <command>winbindd(8)</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g</term>
+ <listitem><para>This option will list all groups available
+ in the Windows NT domain for which the <command>winbindd(8)
+ </command> daemon is operating in. Groups in all trusted domains
+ will also be listed. Note that this operation does not assign
+ group ids to any groups that have not already been seen by
+ <command>winbindd(8)</command>. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-n name</term>
+ <listitem><para>The <parameter>-n</parameter> option
+ queries <command>winbindd(8)</command> for the SID
+ associated with the name specified. Domain names can be specified
+ before the user name by using the winbind separator character.
+ For example CWDOM1/Administrator refers to the Administrator
+ user in the domain CWDOM1. If no domain is specified then the
+ domain used is the one specified in the <filename>smb.conf</filename>
+ <parameter>workgroup</parameter> parameter. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-s sid</term>
+ <listitem><para>Use <parameter>-s</parameter> to resolve
+ a SID to a name. This is the inverse of the <parameter>-n
+ </parameter> option above. SIDs must be specified as ASCII strings
+ in the traditional Microsoft format. For example,
+ S-1-5-21-1455342024-3071081365-2475485837-500. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-U uid</term>
+ <listitem><para>Try to convert a UNIX user id to a Windows NT
+ SID. If the uid specified does not refer to one within
+ the winbind uid range then the operation will fail. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-G gid</term>
+ <listitem><para>Try to convert a UNIX group id to a Windows
+ NT SID. If the gid specified does not refer to one within
+ the winbind gid range then the operation will fail. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-S sid</term>
+ <listitem><para>Convert a SID to a UNIX user id. If the SID
+ does not correspond to a UNIX user mapped by <command>
+ winbindd(8)</command> then the operation will fail. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-Y sid</term>
+ <listitem><para>Convert a SID to a UNIX group id. If the SID
+ does not correspond to a UNIX group mapped by <command>
+ winbindd(8)</command> then the operation will fail. </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>-t</term>
+ <listitem><para>Verify that the workstation trust account
+ created when the Samba server is added to the Windows NT
+ domain is working. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-m</term>
+ <listitem><para>Produce a list of domains trusted by the
+ Windows NT server <command>winbindd(8)</command> contacts
+ when resolving names. This list does not include the Windows
+ NT domain the server is a Primary Domain Controller for.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-a username%password</term>
+ <listitem><para>Attempt to authenticate a user via winbindd.
+ This checks both authenticaion methods and reports its results.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+ <listitem><para>Attempt a simple 'ping' check that the winbindd
+ is indeed alive.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>EXIT STATUS</title>
+
+ <para>The wbinfo program returns 0 if the operation
+ succeeded, or 1 if the operation failed. If the <command>winbindd(8)
+ </command> daemon is not working <command>wbinfo</command> will always return
+ failure. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+ <para><ulink url="winbindd.8.html"><command>winbindd(8)</command>
+ </ulink></para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para><command>wbinfo</command> and <command>winbindd</command>
+ were written by Tim Potter.</para>
+
+ <para>The conversion to DocBook for Samba 2.2 was done
+ by Gerald Carter</para>
+</refsect1>
+
+</refentry>
diff --git a/docs/docbook/manpages/winbindd.8.sgml b/docs/docbook/manpages/winbindd.8.sgml
new file mode 100644
index 0000000000..bd1dafa07e
--- /dev/null
+++ b/docs/docbook/manpages/winbindd.8.sgml
@@ -0,0 +1,514 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<refentry id="winbindd">
+
+<refmeta>
+ <refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>winbindd</refname>
+ <refpurpose>Name Service Switch daemon for resolving names
+ from NT servers</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>winbindd</command>
+ <arg choice="opt">-i</arg>
+ <arg choice="opt">-d &lt;debug level&gt;</arg>
+ <arg choice="opt">-s &lt;smb config file&gt;</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This program is part of the <ulink url="samba.7.html">
+ Samba</ulink> suite.</para>
+
+ <para><command>winbindd</command> is a daemon that provides
+ a service for the Name Service Switch capability that is present
+ in most modern C libraries. The Name Service Switch allows user
+ and system information to be obtained from different databases
+ services such as NIS or DNS. The exact behaviour can be configured
+ throught the <filename>/etc/nsswitch.conf</filename> file.
+ Users and groups are allocated as they are resolved to a range
+ of user and group ids specified by the administrator of the
+ Samba system.</para>
+
+ <para>The service provided by <command>winbindd</command> is called `winbind' and
+ can be used to resolve user and group information from a
+ Windows NT server. The service can also provide authentication
+ services via an associated PAM module. </para>
+
+ <para>
+ The <filename>pam_winbind</filename> module in the 2.2.2 release only
+ supports the <parameter>auth</parameter> and <parameter>account</parameter>
+ module-types. The latter is simply
+ performs a getpwnam() to verify that the system can obtain a uid for the
+ user. If the <filename>libnss_winbind</filename> library has been correctly
+ installed, this should always suceed.
+ </para>
+
+ <para>The following nsswitch databases are implemented by
+ the winbindd service: </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>passwd</term>
+ <listitem><para>User information traditionally stored in
+ the <filename>passwd(5)</filename> file and used by
+ <command>getpwent(3)</command> functions. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>group</term>
+ <listitem><para>Group information traditionally stored in
+ the <filename>group(5)</filename> file and used by
+ <command>getgrent(3)</command> functions. </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>For example, the following simple configuration in the
+ <filename>/etc/nsswitch.conf</filename> file can be used to initially
+ resolve user and group information from <filename>/etc/passwd
+ </filename> and <filename>/etc/group</filename> and then from the
+ Windows NT server. </para>
+
+ <para><programlisting>
+passwd: files winbind
+group: files winbind
+ </programlisting></para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-d debuglevel</term>
+ <listitem><para>Sets the debuglevel to an integer between
+ 0 and 100. 0 is for no debugging and 100 is for reams and
+ reams. To submit a bug report to the Samba Team, use debug
+ level 100 (see BUGS.txt). </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i</term>
+ <listitem><para>Tells <command>winbindd</command> to not
+ become a daemon and detach from the current terminal. This
+ option is used by developers when interactive debugging
+ of <command>winbindd</command> is required. </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>NAME AND ID RESOLUTION</title>
+
+ <para>Users and groups on a Windows NT server are assigned
+ a relative id (rid) which is unique for the domain when the
+ user or group is created. To convert the Windows NT user or group
+ into a unix user or group, a mapping between rids and unix user
+ and group ids is required. This is one of the jobs that <command>
+ winbindd</command> performs. </para>
+
+ <para>As winbindd users and groups are resolved from a server, user
+ and group ids are allocated from a specified range. This
+ is done on a first come, first served basis, although all existing
+ users and groups will be mapped as soon as a client performs a user
+ or group enumeration command. The allocated unix ids are stored
+ in a database file under the Samba lock directory and will be
+ remembered. </para>
+
+ <para>WARNING: The rid to unix id database is the only location
+ where the user and group mappings are stored by winbindd. If this
+ file is deleted or corrupted, there is no way for winbindd to
+ determine which user and group ids correspond to Windows NT user
+ and group rids. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>CONFIGURATION</title>
+
+ <para>Configuration of the <command>winbindd</command> daemon
+ is done through configuration parameters in the <filename>smb.conf(5)
+ </filename> file. All parameters should be specified in the
+ [global] section of smb.conf. </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>winbind separator</term>
+ <listitem><para>The winbind separator option allows you
+ to specify how NT domain names and user names are combined
+ into unix user names when presented to users. By default,
+ <command>winbindd</command> will use the traditional '\'
+ separator so that the unix user names look like
+ DOMAIN\username. In some cases this separator character may
+ cause problems as the '\' character has special meaning in
+ unix shells. In that case you can use the winbind separator
+ option to specify an alternative separator character. Good
+ alternatives may be '/' (although that conflicts
+ with the unix directory separator) or a '+ 'character.
+ The '+' character appears to be the best choice for 100%
+ compatibility with existing unix utilities, but may be an
+ aesthetically bad choice depending on your taste. </para>
+
+ <para>Default: <command>winbind separator = \ </command>
+ </para>
+ <para>Example: <command>winbind separator = + </command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>winbind uid</term>
+ <listitem><para>The winbind uid parameter specifies the
+ range of user ids that are allocated by the winbindd daemon.
+ This range of ids should have no existing local or NIS users
+ within it as strange conflicts can occur otherwise. </para>
+
+ <para>Default: <command>winbind uid = &lt;empty string&gt;
+ </command></para>
+ <para>Example: <command>winbind uid = 10000-20000</command></para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>winbind gid</term>
+ <listitem><para>The winbind gid parameter specifies the
+ range of group ids that are allocated by the winbindd daemon.
+ This range of group ids should have no existing local or NIS
+ groups within it as strange conflicts can occur otherwise.</para>
+
+ <para>Default: <command>winbind gid = &lt;empty string&gt;
+ </command></para>
+ <para>Example: <command>winbind gid = 10000-20000
+ </command> </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>winbind cache time</term>
+ <listitem><para>This parameter specifies the number of
+ seconds the winbindd daemon will cache user and group information
+ before querying a Windows NT server again. When a item in the
+ cache is older than this time winbindd will ask the domain
+ controller for the sequence number of the server's account database.
+ If the sequence number has not changed then the cached item is
+ marked as valid for a further <parameter>winbind cache time
+ </parameter> seconds. Otherwise the item is fetched from the
+ server. This means that as long as the account database is not
+ actively changing winbindd will only have to send one sequence
+ number query packet every <parameter>winbind cache time
+ </parameter> seconds. </para>
+
+ <para>Default: <command>winbind cache time = 15</command>
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>winbind enum users</term>
+ <listitem><para>On large installations it may be necessary
+ to suppress the enumeration of users through the <command>
+ setpwent()</command>, <command>getpwent()</command> and
+ <command>endpwent()</command> group of system calls. If
+ the <parameter>winbind enum users</parameter> parameter is false,
+ calls to the <command>getpwent</command> system call will not
+ return any data. </para>
+
+ <para><emphasis>Warning:</emphasis> Turning off user enumeration
+ may cause some programs to behave oddly. For example, the <command>finger</command>
+ program relies on having access to the full user list when
+ searching for matching usernames. </para>
+
+ <para>Default: <command>winbind enum users = yes </command></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>winbind enum groups</term>
+ <listitem><para>On large installations it may be necessary
+ to suppress the enumeration of groups through the <command>
+ setgrent()</command>, <command>getgrent()</command> and
+ <command>endgrent()</command> group of system calls. If
+ the <parameter>winbind enum groups</parameter> parameter is
+ false, calls to the <command>getgrent()</command> system
+ call will not return any data. </para>
+
+ <para><emphasis>Warning:</emphasis> Turning off group
+ enumeration may cause some programs to behave oddly.
+ </para>
+
+ <para>Default: <command>winbind enum groups = no </command>
+ </para></listitem>
+ </varlistentry>
+
+
+
+ <varlistentry>
+ <term>template homedir</term>
+ <listitem><para>When filling out the user information
+ for a Windows NT user, the <command>winbindd</command> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <parameter>%D</parameter> is present it is
+ substituted with the user's Windows NT domain name. If the
+ string <parameter>%U</parameter> is present it is substituted
+ with the user's Windows NT user name. </para>
+
+ <para>Default: <command>template homedir = /home/%D/%U </command>
+ </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>template shell</term>
+ <listitem><para>When filling out the user information for
+ a Windows NT user, the <command>winbindd</command> daemon
+ uses this parameter to fill in the shell for that user.
+ </para>
+
+ <para>Default: <command>template shell = /bin/false </command>
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>winbind use default domain</term>
+ <listitem><para>This parameter specifies whether the <command>winbindd</command>
+ daemon should operate on users without domain component in their username.
+ Users without a domain component are treated as is part of the winbindd server's
+ own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
+ function in a way much closer to the way they would in a native unix system.</para>
+
+ <para>Default: <command>winbind use default domain = &lt;falseg&gt;
+ </command></para>
+ <para>Example: <command>winbind use default domain = true</command></para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>EXAMPLE SETUP</title>
+
+ <para>To setup winbindd for user and group lookups plus
+ authentication from a domain controller use something like the
+ following setup. This was tested on a RedHat 6.2 Linux box. </para>
+
+ <para>In <filename>/etc/nsswitch.conf</filename> put the
+ following:</para>
+
+ <para><programlisting>
+passwd: files winbind
+group: files winbind
+ </programlisting></para>
+
+ <para>In <filename>/etc/pam.d/*</filename> replace the
+ <parameter>auth</parameter> lines with something like this: </para>
+
+
+ <para><programlisting>
+auth required /lib/security/pam_securetty.so
+auth required /lib/security/pam_nologin.so
+auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
+ </programlisting></para>
+
+
+ <para>Note in particular the use of the <parameter>sufficient</parameter>
+ keyword and the <parameter>use_first_pass</parameter> keyword. </para>
+
+ <para>Now replace the account lines with this: </para>
+
+ <para><command>account required /lib/security/pam_winbind.so
+ </command></para>
+
+ <para>The next step is to join the domain. To do that use the
+ <command>smbpasswd</command> program like this: </para>
+
+ <para><command>smbpasswd -j DOMAIN -r PDC -U
+ Administrator</command></para>
+
+ <para>The username after the <parameter>-U</parameter> can be any
+ Domain user that has administrator privileges on the machine.
+ Substitute your domain name for "DOMAIN" and the name of your PDC
+ for "PDC".</para>
+
+ <para>Next copy <filename>libnss_winbind.so</filename> to
+ <filename>/lib</filename> and <filename>pam_winbind.so</filename>
+ to <filename>/lib/security</filename>. A symbolic link needs to be
+ made from <filename>/lib/libnss_winbind.so</filename> to
+ <filename>/lib/libnss_winbind.so.2</filename>. If you are using an
+ older version of glibc then the target of the link should be
+ <filename>/lib/libnss_winbind.so.1</filename>.</para>
+
+ <para>Finally, setup a <filename>smb.conf</filename> containing directives like the
+ following: </para>
+
+ <para><programlisting>
+[global]
+ winbind separator = +
+ winbind cache time = 10
+ template shell = /bin/bash
+ template homedir = /home/%D/%U
+ winbind uid = 10000-20000
+ winbind gid = 10000-20000
+ workgroup = DOMAIN
+ security = domain
+ password server = *
+ </programlisting></para>
+
+
+ <para>Now start winbindd and you should find that your user and
+ group database is expanded to include your NT users and groups,
+ and that you can login to your unix box as a domain user, using
+ the DOMAIN+user syntax for the username. You may wish to use the
+ commands <command>getent passwd</command> and <command>getent group
+ </command> to confirm the correct operation of winbindd.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>NOTES</title>
+
+ <para>The following notes are useful when configuring and
+ running <command>winbindd</command>: </para>
+
+ <para><command>nmbd</command> must be running on the local machine
+ for <command>winbindd</command> to work. <command>winbindd</command>
+ queries the list of trusted domains for the Windows NT server
+ on startup and when a SIGHUP is received. Thus, for a running <command>
+ winbindd</command> to become aware of new trust relationships between
+ servers, it must be sent a SIGHUP signal. </para>
+
+ <para>Client processes resolving names through the <command>winbindd</command>
+ nsswitch module read an environment variable named <envar>
+ $WINBINDD_DOMAIN</envar>. If this variable contains a comma separated
+ list of Windows NT domain names, then winbindd will only resolve users
+ and groups within those Windows NT domains. </para>
+
+ <para>PAM is really easy to misconfigure. Make sure you know what
+ you are doing when modifying PAM configuration files. It is possible
+ to set up PAM such that you can no longer log into your system. </para>
+
+ <para>If more than one UNIX machine is running <command>winbindd</command>,
+ then in general the user and groups ids allocated by winbindd will not
+ be the same. The user and group ids will only be valid for the local
+ machine.</para>
+
+ <para>If the the Windows NT RID to UNIX user and group id mapping
+ file is damaged or destroyed then the mappings will be lost. </para>
+</refsect1>
+
+
+<refsect1>
+ <title>SIGNALS</title>
+
+ <para>The following signals can be used to manipulate the
+ <command>winbindd</command> daemon. </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>SIGHUP</term>
+ <listitem><para>Reload the <filename>smb.conf(5)</filename>
+ file and apply any parameter changes to the running
+ version of winbindd. This signal also clears any cached
+ user and group information. The list of other domains trusted
+ by winbindd is also reloaded. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>SIGUSR1</term>
+ <listitem><para>The SIGUSR1 signal will cause <command>
+ winbindd</command> to write status information to the winbind
+ log file including information about the number of user and
+ group ids allocated by <command>winbindd</command>.</para>
+
+ <para>Log files are stored in the filename specified by the
+ log file parameter.</para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/nsswitch.conf(5)</filename></term>
+ <listitem><para>Name service switch configuration file.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>/tmp/.winbindd/pipe</term>
+ <listitem><para>The UNIX pipe over which clients communicate with
+ the <command>winbindd</command> program. For security reasons, the
+ winbind client will only attempt to connect to the winbindd daemon
+ if both the <filename>/tmp/.winbindd</filename> directory
+ and <filename>/tmp/.winbindd/pipe</filename> file are owned by
+ root. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>/lib/libnss_winbind.so.X</term>
+ <listitem><para>Implementation of name service switch library.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>$LOCKDIR/winbindd_idmap.tdb</term>
+ <listitem><para>Storage for the Windows NT rid to UNIX user/group
+ id mapping. The lock directory is specified when Samba is initially
+ compiled using the <parameter>--with-lockdir</parameter> option.
+ This directory is by default <filename>/usr/local/samba/var/locks
+ </filename>. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>$LOCKDIR/winbindd_cache.tdb</term>
+ <listitem><para>Storage for cached user and group information.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 2.2 of
+ the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>SEE ALSO</title>
+
+ <para><filename>nsswitch.conf(5)</filename>,
+ <ulink url="samba.7.html">samba(7)</ulink>,
+ <ulink url="wbinfo.1.html">wbinfo(1)</ulink>,
+ <ulink url="smb.conf.5.html">smb.conf(5)</ulink></para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para><command>wbinfo</command> and <command>winbindd</command>
+ were written by Tim Potter.</para>
+
+ <para>The conversion to DocBook for Samba 2.2 was done
+ by Gerald Carter</para>
+</refsect1>
+
+</refentry>