summaryrefslogtreecommitdiff
path: root/docs/htmldocs/smb.conf.5.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/smb.conf.5.html')
-rw-r--r--docs/htmldocs/smb.conf.5.html2880
1 files changed, 2878 insertions, 2 deletions
diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html
index c154347a86..9c01b5de56 100644
--- a/docs/htmldocs/smb.conf.5.html
+++ b/docs/htmldocs/smb.conf.5.html
@@ -244,8 +244,2884 @@ alias|alias|alias|alias...
connection is made as the username given in the "guest
account =" for the service, irrespective of the
supplied password.</p></li></ol></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF GLOBAL PARAMETERS</h2><p>Here is a list of all global parameters. See the section of
- each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"></ul></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF SERVICE PARAMETERS</h2><p>Here is a list of all service parameters. See the section on
- each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"></ul></div></div><div class="refsect1" lang="en"><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl></dl></div></div><div class="refsect1" lang="en"><h2>WARNINGS</h2><p>Although the configuration file permits service names
+ each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ABORTSHUTDOWNSCRIPT"><i class="parameter"><tt>abort shutdown script</tt></i></a></p></li><li><p><a href="#ADDGROUPSCRIPT"><i class="parameter"><tt>add group script</tt></i></a></p></li><li><p><a href="#ADDMACHINESCRIPT"><i class="parameter"><tt>add machine script</tt></i></a></p></li><li><p><a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter command</tt></i></a></p></li><li><p><a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share command</tt></i></a></p></li><li><p><a href="#ADDUSERSCRIPT"><i class="parameter"><tt>add user script</tt></i></a></p></li><li><p><a href="#ADDUSERTOGROUPSCRIPT"><i class="parameter"><tt>add user to group script</tt></i></a></p></li><li><p><a href="#ADSSERVER"><i class="parameter"><tt>ads server</tt></i></a></p></li><li><p><a href="#ALGORITHMICRIDBASE"><i class="parameter"><tt>algorithmic rid base</tt></i></a></p></li><li><p><a href="#ALLOWTRUSTEDDOMAINS"><i class="parameter"><tt>allow trusted domains</tt></i></a></p></li><li><p><a href="#ANNOUNCEAS"><i class="parameter"><tt>announce as</tt></i></a></p></li><li><p><a href="#ANNOUNCEVERSION"><i class="parameter"><tt>announce version</tt></i></a></p></li><li><p><a href="#AUTHMETHODS"><i class="parameter"><tt>auth methods</tt></i></a></p></li><li><p><a href="#AUTOSERVICES"><i class="parameter"><tt>auto services</tt></i></a></p></li><li><p><a href="#BINDINTERFACESONLY"><i class="parameter"><tt>bind interfaces only</tt></i></a></p></li><li><p><a href="#BROWSELIST"><i class="parameter"><tt>browse list</tt></i></a></p></li><li><p><a href="#CHANGENOTIFYTIMEOUT"><i class="parameter"><tt>change notify timeout</tt></i></a></p></li><li><p><a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change share command</tt></i></a></p></li><li><p><a href="#CONFIGFILE"><i class="parameter"><tt>config file</tt></i></a></p></li><li><p><a href="#DEADTIME"><i class="parameter"><tt>dead time</tt></i></a></p></li><li><p><a href="#DEBUGHIRESTIMESTAMP"><i class="parameter"><tt>debug hires timestamp</tt></i></a></p></li><li><p><a href="#DEBUGLEVEL"><i class="parameter"><tt>debug level</tt></i></a></p></li><li><p><a href="#DEBUGPID"><i class="parameter"><tt>debug pid</tt></i></a></p></li><li><p><a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>debug timestamp</tt></i></a></p></li><li><p><a href="#DEBUGUID"><i class="parameter"><tt>debug uid</tt></i></a></p></li><li><p><a href="#DEFAULT"><i class="parameter"><tt>default</tt></i></a></p></li><li><p><a href="#DEFAULTSERVICE"><i class="parameter"><tt>default service</tt></i></a></p></li><li><p><a href="#DELETEGROUPSCRIPT"><i class="parameter"><tt>delete group script</tt></i></a></p></li><li><p><a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>deleteprinter command</tt></i></a></p></li><li><p><a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete share command</tt></i></a></p></li><li><p><a href="#DELETEUSERFROMGROUPSCRIPT"><i class="parameter"><tt>delete user from group script</tt></i></a></p></li><li><p><a href="#DELETEUSERSCRIPT"><i class="parameter"><tt>delete user script</tt></i></a></p></li><li><p><a href="#DFREECOMMAND"><i class="parameter"><tt>dfree command</tt></i></a></p></li><li><p><a href="#DISABLENETBIOS"><i class="parameter"><tt>disable netbios</tt></i></a></p></li><li><p><a href="#DISABLESPOOLSS"><i class="parameter"><tt>disable spoolss</tt></i></a></p></li><li><p><a href="#DISPLAYCHARSET"><i class="parameter"><tt>display charset</tt></i></a></p></li><li><p><a href="#DNSPROXY"><i class="parameter"><tt>dns proxy</tt></i></a></p></li><li><p><a href="#DOMAINLOGONS"><i class="parameter"><tt>domain logons</tt></i></a></p></li><li><p><a href="#DOMAINMASTER"><i class="parameter"><tt>domain master</tt></i></a></p></li><li><p><a href="#DOSCHARSET"><i class="parameter"><tt>dos charset</tt></i></a></p></li><li><p><a href="#ENCRYPTPASSWORDS"><i class="parameter"><tt>encrypt passwords</tt></i></a></p></li><li><p><a href="#ENHANCEDBROWSING"><i class="parameter"><tt>enhanced browsing</tt></i></a></p></li><li><p><a href="#ENUMPORTSCOMMAND"><i class="parameter"><tt>enumports command</tt></i></a></p></li><li><p><a href="#GETWDCACHE"><i class="parameter"><tt>getwd cache</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#HIDELOCALUSERS"><i class="parameter"><tt>hide local users</tt></i></a></p></li><li><p><a href="#HOMEDIRMAP"><i class="parameter"><tt>homedir map</tt></i></a></p></li><li><p><a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p></li><li><p><a href="#HOSTNAMELOOKUPS"><i class="parameter"><tt>hostname lookups</tt></i></a></p></li><li><p><a href="#HOSTSEQUIV"><i class="parameter"><tt>hosts equiv</tt></i></a></p></li><li><p><a href="#INCLUDE"><i class="parameter"><tt>include</tt></i></a></p></li><li><p><a href="#INTERFACES"><i class="parameter"><tt>interfaces</tt></i></a></p></li><li><p><a href="#KEEPALIVE"><i class="parameter"><tt>keepalive</tt></i></a></p></li><li><p><a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel oplocks</tt></i></a></p></li><li><p><a href="#LANMANAUTH"><i class="parameter"><tt>lanman auth</tt></i></a></p></li><li><p><a href="#LARGEREADWRITE"><i class="parameter"><tt>large readwrite</tt></i></a></p></li><li><p><a href="#LDAPADMINDN"><i class="parameter"><tt>ldap admin dn</tt></i></a></p></li><li><p><a href="#LDAPDELETEDN"><i class="parameter"><tt>ldap delete dn</tt></i></a></p></li><li><p><a href="#LDAPFILTER"><i class="parameter"><tt>ldap filter</tt></i></a></p></li><li><p><a href="#LDAPMACHINESUFFIX"><i class="parameter"><tt>ldap machine suffix</tt></i></a></p></li><li><p><a href="#LDAPPASSWDSYNC"><i class="parameter"><tt>ldap passwd sync</tt></i></a></p></li><li><p><a href="#LDAPPORT"><i class="parameter"><tt>ldap port</tt></i></a></p></li><li><p><a href="#LDAPSERVER"><i class="parameter"><tt>ldap server</tt></i></a></p></li><li><p><a href="#LDAPSSL"><i class="parameter"><tt>ldap ssl</tt></i></a></p></li><li><p><a href="#LDAPSUFFIX"><i class="parameter"><tt>ldap suffix</tt></i></a></p></li><li><p><a href="#LDAPTRUSTIDS"><i class="parameter"><tt>ldap trust ids</tt></i></a></p></li><li><p><a href="#LDAPUSERSUFFIX"><i class="parameter"><tt>ldap user suffix</tt></i></a></p></li><li><p><a href="#LMANNOUNCE"><i class="parameter"><tt>lm announce</tt></i></a></p></li><li><p><a href="#LMINTERVAL"><i class="parameter"><tt>lm interval</tt></i></a></p></li><li><p><a href="#LOADPRINTERS"><i class="parameter"><tt>load printers</tt></i></a></p></li><li><p><a href="#LOCALMASTER"><i class="parameter"><tt>local master</tt></i></a></p></li><li><p><a href="#LOCKDIR"><i class="parameter"><tt>lock dir</tt></i></a></p></li><li><p><a href="#LOCKDIRECTORY"><i class="parameter"><tt>lock directory</tt></i></a></p></li><li><p><a href="#LOCKSPINCOUNT"><i class="parameter"><tt>lock spin count</tt></i></a></p></li><li><p><a href="#LOCKSPINTIME"><i class="parameter"><tt>lock spin time</tt></i></a></p></li><li><p><a href="#LOGFILE"><i class="parameter"><tt>log file</tt></i></a></p></li><li><p><a href="#LOGLEVEL"><i class="parameter"><tt>log level</tt></i></a></p></li><li><p><a href="#LOGONDRIVE"><i class="parameter"><tt>logon drive</tt></i></a></p></li><li><p><a href="#LOGONHOME"><i class="parameter"><tt>logon home</tt></i></a></p></li><li><p><a href="#LOGONPATH"><i class="parameter"><tt>logon path</tt></i></a></p></li><li><p><a href="#LOGONSCRIPT"><i class="parameter"><tt>logon script</tt></i></a></p></li><li><p><a href="#LPQCACHETIME"><i class="parameter"><tt>lpq cache time</tt></i></a></p></li><li><p><a href="#MACHINEPASSWORDTIMEOUT"><i class="parameter"><tt>machine password timeout</tt></i></a></p></li><li><p><a href="#MANGLINGSTACK"><i class="parameter"><tt>mangling stack</tt></i></a></p></li><li><p><a href="#MANGLINGPREFIX"><i class="parameter"><tt>mangling prefix</tt></i></a></p></li><li><p><a href="#MANGLINGMETHOD"><i class="parameter"><tt>mangling method</tt></i></a></p></li><li><p><a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i></a></p></li><li><p><a href="#MAXDISKSIZE"><i class="parameter"><tt>max disk size</tt></i></a></p></li><li><p><a href="#MAXLOGSIZE"><i class="parameter"><tt>max log size</tt></i></a></p></li><li><p><a href="#MAXMUX"><i class="parameter"><tt>max mux</tt></i></a></p></li><li><p><a href="#MAXOPENFILES"><i class="parameter"><tt>max open files</tt></i></a></p></li><li><p><a href="#MAXPROTOCOL"><i class="parameter"><tt>max protocol</tt></i></a></p></li><li><p><a href="#MAXSMBDPROCESSES"><i class="parameter"><tt>max smbd processes</tt></i></a></p></li><li><p><a href="#MAXTTL"><i class="parameter"><tt>max ttl</tt></i></a></p></li><li><p><a href="#MAXWINSTTL"><i class="parameter"><tt>max wins ttl</tt></i></a></p></li><li><p><a href="#MAXXMIT"><i class="parameter"><tt>max xmit</tt></i></a></p></li><li><p><a href="#MESSAGECOMMAND"><i class="parameter"><tt>message command</tt></i></a></p></li><li><p><a href="#MINPASSWDLENGTH"><i class="parameter"><tt>min passwd length</tt></i></a></p></li><li><p><a href="#MINPASSWORDLENGTH"><i class="parameter"><tt>min password length</tt></i></a></p></li><li><p><a href="#MINPROTOCOL"><i class="parameter"><tt>min protocol</tt></i></a></p></li><li><p><a href="#MINWINSTTL"><i class="parameter"><tt>min wins ttl</tt></i></a></p></li><li><p><a href="#NAMECACHETIMEOUT"><i class="parameter"><tt>name cache timeout</tt></i></a></p></li><li><p><a href="#NAMERESOLVEORDER"><i class="parameter"><tt>name resolve order</tt></i></a></p></li><li><p><a href="#NETBIOSALIASES"><i class="parameter"><tt>netbios aliases</tt></i></a></p></li><li><p><a href="#NETBIOSNAME"><i class="parameter"><tt>netbios name</tt></i></a></p></li><li><p><a href="#NETBIOSSCOPE"><i class="parameter"><tt>netbios scope</tt></i></a></p></li><li><p><a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir</tt></i></a></p></li><li><p><a href="#NONUNIXACCOUNTRANGE"><i class="parameter"><tt>non unix account range</tt></i></a></p></li><li><p><a href="#NTLMAUTH"><i class="parameter"><tt>ntlm auth</tt></i></a></p></li><li><p><a href="#NTPIPESUPPORT"><i class="parameter"><tt>nt pipe support</tt></i></a></p></li><li><p><a href="#NTSTATUSSUPPORT"><i class="parameter"><tt>nt status support</tt></i></a></p></li><li><p><a href="#NULLPASSWORDS"><i class="parameter"><tt>null passwords</tt></i></a></p></li><li><p><a href="#OBEYPAMRESTRICTIONS"><i class="parameter"><tt>obey pam restrictions</tt></i></a></p></li><li><p><a href="#OPLOCKBREAKWAITTIME"><i class="parameter"><tt>oplock break wait time</tt></i></a></p></li><li><p><a href="#OS2DRIVERMAP"><i class="parameter"><tt>os2 driver map</tt></i></a></p></li><li><p><a href="#OSLEVEL"><i class="parameter"><tt>os level</tt></i></a></p></li><li><p><a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i></a></p></li><li><p><a href="#PANICACTION"><i class="parameter"><tt>panic action</tt></i></a></p></li><li><p><a href="#PARANOIDSERVERSECURITY"><i class="parameter"><tt>paranoid server security</tt></i></a></p></li><li><p><a href="#PASSDBBACKEND"><i class="parameter"><tt>passdb backend</tt></i></a></p></li><li><p><a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i></a></p></li><li><p><a href="#PASSWDCHATDEBUG"><i class="parameter"><tt>passwd chat debug</tt></i></a></p></li><li><p><a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i></a></p></li><li><p><a href="#PASSWORDLEVEL"><i class="parameter"><tt>password level</tt></i></a></p></li><li><p><a href="#PASSWORDSERVER"><i class="parameter"><tt>password server</tt></i></a></p></li><li><p><a href="#PIDDIRECTORY"><i class="parameter"><tt>pid directory</tt></i></a></p></li><li><p><a href="#PREFEREDMASTER"><i class="parameter"><tt>prefered master</tt></i></a></p></li><li><p><a href="#PREFERREDMASTER"><i class="parameter"><tt>preferred master</tt></i></a></p></li><li><p><a href="#PRELOAD"><i class="parameter"><tt>preload</tt></i></a></p></li><li><p><a href="#PRELOADMODULES"><i class="parameter"><tt>preload modules</tt></i></a></p></li><li><p><a href="#PRINTCAP"><i class="parameter"><tt>printcap</tt></i></a></p></li><li><p><a href="#PRIVATEDIR"><i class="parameter"><tt>private dir</tt></i></a></p></li><li><p><a href="#PROTOCOL"><i class="parameter"><tt>protocol</tt></i></a></p></li><li><p><a href="#READBMPX"><i class="parameter"><tt>read bmpx</tt></i></a></p></li><li><p><a href="#READRAW"><i class="parameter"><tt>read raw</tt></i></a></p></li><li><p><a href="#READSIZE"><i class="parameter"><tt>read size</tt></i></a></p></li><li><p><a href="#REALM"><i class="parameter"><tt>realm</tt></i></a></p></li><li><p><a href="#REMOTEANNOUNCE"><i class="parameter"><tt>remote announce</tt></i></a></p></li><li><p><a href="#REMOTEBROWSESYNC"><i class="parameter"><tt>remote browse sync</tt></i></a></p></li><li><p><a href="#RESTRICTANONYMOUS"><i class="parameter"><tt>restrict anonymous</tt></i></a></p></li><li><p><a href="#ROOT"><i class="parameter"><tt>root</tt></i></a></p></li><li><p><a href="#ROOTDIR"><i class="parameter"><tt>root dir</tt></i></a></p></li><li><p><a href="#ROOTDIRECTORY"><i class="parameter"><tt>root directory</tt></i></a></p></li><li><p><a href="#SECURITY"><i class="parameter"><tt>security</tt></i></a></p></li><li><p><a href="#SERVERSCHANNEL"><i class="parameter"><tt>server schannel</tt></i></a></p></li><li><p><a href="#SERVERSTRING"><i class="parameter"><tt>server string</tt></i></a></p></li><li><p><a href="#SETPRIMARYGROUPSCRIPT"><i class="parameter"><tt>set primary group script</tt></i></a></p></li><li><p><a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add printer wizard</tt></i></a></p></li><li><p><a href="#SHUTDOWNSCRIPT"><i class="parameter"><tt>shutdown script</tt></i></a></p></li><li><p><a href="#SMBPASSWDFILE"><i class="parameter"><tt>smb passwd file</tt></i></a></p></li><li><p><a href="#SMBPORTS"><i class="parameter"><tt>smb ports</tt></i></a></p></li><li><p><a href="#SOCKETADDRESS"><i class="parameter"><tt>socket address</tt></i></a></p></li><li><p><a href="#SOCKETOPTIONS"><i class="parameter"><tt>socket options</tt></i></a></p></li><li><p><a href="#SOURCEENVIRONMENT"><i class="parameter"><tt>source environment</tt></i></a></p></li><li><p><a href="#STATCACHE"><i class="parameter"><tt>stat cache</tt></i></a></p></li><li><p><a href="#STATCACHESIZE"><i class="parameter"><tt>stat cache size</tt></i></a></p></li><li><p><a href="#STRIPDOT"><i class="parameter"><tt>strip dot</tt></i></a></p></li><li><p><a href="#SYSLOG"><i class="parameter"><tt>syslog</tt></i></a></p></li><li><p><a href="#SYSLOGONLY"><i class="parameter"><tt>syslog only</tt></i></a></p></li><li><p><a href="#TEMPLATEHOMEDIR"><i class="parameter"><tt>template homedir</tt></i></a></p></li><li><p><a href="#TEMPLATESHELL"><i class="parameter"><tt>template shell</tt></i></a></p></li><li><p><a href="#TIMEOFFSET"><i class="parameter"><tt>time offset</tt></i></a></p></li><li><p><a href="#TIMESERVER"><i class="parameter"><tt>time server</tt></i></a></p></li><li><p><a href="#TIMESTAMPLOGS"><i class="parameter"><tt>timestamp logs</tt></i></a></p></li><li><p><a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total print jobs</tt></i></a></p></li><li><p><a href="#UNICODE"><i class="parameter"><tt>unicode</tt></i></a></p></li><li><p><a href="#UNIXCHARSET"><i class="parameter"><tt>unix charset</tt></i></a></p></li><li><p><a href="#UNIXEXTENSIONS"><i class="parameter"><tt>unix extensions</tt></i></a></p></li><li><p><a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix password sync</tt></i></a></p></li><li><p><a href="#UPDATEENCRYPTED"><i class="parameter"><tt>update encrypted</tt></i></a></p></li><li><p><a href="#USEMMAP"><i class="parameter"><tt>use mmap</tt></i></a></p></li><li><p><a href="#USERNAMELEVEL"><i class="parameter"><tt>username level</tt></i></a></p></li><li><p><a href="#USERNAMEMAP"><i class="parameter"><tt>username map</tt></i></a></p></li><li><p><a href="#USESPNEGO"><i class="parameter"><tt>use spnego</tt></i></a></p></li><li><p><a href="#UTMP"><i class="parameter"><tt>utmp</tt></i></a></p></li><li><p><a href="#UTMPDIRECTORY"><i class="parameter"><tt>utmp directory</tt></i></a></p></li><li><p><a href="#WINBINDCACHETIME"><i class="parameter"><tt>winbind cache time</tt></i></a></p></li><li><p><a href="#WINBINDENUMGROUPS"><i class="parameter"><tt>winbind enum groups</tt></i></a></p></li><li><p><a href="#WINBINDENUMUSERS"><i class="parameter"><tt>winbind enum users</tt></i></a></p></li><li><p><a href="#WINBINDGID"><i class="parameter"><tt>winbind gid</tt></i></a></p></li><li><p><a href="#WINBINDSEPARATOR"><i class="parameter"><tt>winbind separator</tt></i></a></p></li><li><p><a href="#WINBINDUID"><i class="parameter"><tt>winbind uid</tt></i></a></p></li><li><p><a href="#WINBINDUSEDDEFAULTDOMAIN"><i class="parameter"><tt>winbind used default domain</tt></i></a></p></li><li><p><a href="#WINSHOOK"><i class="parameter"><tt>wins hook</tt></i></a></p></li><li><p><a href="#WINSPARTNER"><i class="parameter"><tt>wins partner</tt></i></a></p></li><li><p><a href="#WINSPROXY"><i class="parameter"><tt>wins proxy</tt></i></a></p></li><li><p><a href="#WINSSERVER"><i class="parameter"><tt>wins server</tt></i></a></p></li><li><p><a href="#WINSSUPPORT"><i class="parameter"><tt>wins support</tt></i></a></p></li><li><p><a href="#WORKGROUP"><i class="parameter"><tt>workgroup</tt></i></a></p></li><li><p><a href="#WRITERAW"><i class="parameter"><tt>write raw</tt></i></a></p></li><li><p><a href="#WTMPDIRECTORY"><i class="parameter"><tt>wtmp directory</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF SERVICE PARAMETERS</h2><p>Here is a list of all service parameters. See the section on
+ each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ADMINUSERS"><i class="parameter"><tt>admin users</tt></i></a></p></li><li><p><a href="#ALLOWHOSTS"><i class="parameter"><tt>allow hosts</tt></i></a></p></li><li><p><a href="#AVAILABLE"><i class="parameter"><tt>available</tt></i></a></p></li><li><p><a href="#BLOCKINGLOCKS"><i class="parameter"><tt>blocking locks</tt></i></a></p></li><li><p><a href="#BLOCKSIZE"><i class="parameter"><tt>block size</tt></i></a></p></li><li><p><a href="#BROWSABLE"><i class="parameter"><tt>browsable</tt></i></a></p></li><li><p><a href="#BROWSEABLE"><i class="parameter"><tt>browseable</tt></i></a></p></li><li><p><a href="#CASESENSITIVE"><i class="parameter"><tt>case sensitive</tt></i></a></p></li><li><p><a href="#CASESIGNAMES"><i class="parameter"><tt>casesignames</tt></i></a></p></li><li><p><a href="#COMMENT"><i class="parameter"><tt>comment</tt></i></a></p></li><li><p><a href="#COPY"><i class="parameter"><tt>copy</tt></i></a></p></li><li><p><a href="#CREATEMASK"><i class="parameter"><tt>create mask</tt></i></a></p></li><li><p><a href="#CREATEMODE"><i class="parameter"><tt>create mode</tt></i></a></p></li><li><p><a href="#CSCPOLICY"><i class="parameter"><tt>csc policy</tt></i></a></p></li><li><p><a href="#DEFAULTCASE"><i class="parameter"><tt>default case</tt></i></a></p></li><li><p><a href="#DEFAULTDEVMODE"><i class="parameter"><tt>default devmode</tt></i></a></p></li><li><p><a href="#DELETEREADONLY"><i class="parameter"><tt>delete readonly</tt></i></a></p></li><li><p><a href="#DELETEVETOFILES"><i class="parameter"><tt>delete veto files</tt></i></a></p></li><li><p><a href="#DENYHOSTS"><i class="parameter"><tt>deny hosts</tt></i></a></p></li><li><p><a href="#DIRECTORY"><i class="parameter"><tt>directory</tt></i></a></p></li><li><p><a href="#DIRECTORYMASK"><i class="parameter"><tt>directory mask</tt></i></a></p></li><li><p><a href="#DIRECTORYMODE"><i class="parameter"><tt>directory mode</tt></i></a></p></li><li><p><a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory security mask</tt></i></a></p></li><li><p><a href="#DONTDESCEND"><i class="parameter"><tt>dont descend</tt></i></a></p></li><li><p><a href="#DOSFILEMODE"><i class="parameter"><tt>dos filemode</tt></i></a></p></li><li><p><a href="#DOSFILETIMERESOLUTION"><i class="parameter"><tt>dos filetime resolution</tt></i></a></p></li><li><p><a href="#DOSFILETIMES"><i class="parameter"><tt>dos filetimes</tt></i></a></p></li><li><p><a href="#EXEC"><i class="parameter"><tt>exec</tt></i></a></p></li><li><p><a href="#FAKEDIRECTORYCREATETIMES"><i class="parameter"><tt>fake directory create times</tt></i></a></p></li><li><p><a href="#FAKEOPLOCKS"><i class="parameter"><tt>fake oplocks</tt></i></a></p></li><li><p><a href="#FOLLOWSYMLINKS"><i class="parameter"><tt>follow symlinks</tt></i></a></p></li><li><p><a href="#FORCECREATEMODE"><i class="parameter"><tt>force create mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force directory mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>force directory security mode</tt></i></a></p></li><li><p><a href="#FORCEGROUP"><i class="parameter"><tt>force group</tt></i></a></p></li><li><p><a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode</tt></i></a></p></li><li><p><a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i></a></p></li><li><p><a href="#FSTYPE"><i class="parameter"><tt>fstype</tt></i></a></p></li><li><p><a href="#GROUP"><i class="parameter"><tt>group</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#GUESTOK"><i class="parameter"><tt>guest ok</tt></i></a></p></li><li><p><a href="#GUESTONLY"><i class="parameter"><tt>guest only</tt></i></a></p></li><li><p><a href="#HIDEDOTFILES"><i class="parameter"><tt>hide dot files</tt></i></a></p></li><li><p><a href="#HIDEFILES"><i class="parameter"><tt>hide files</tt></i></a></p></li><li><p><a href="#HIDESPECIALFILES"><i class="parameter"><tt>hide special files</tt></i></a></p></li><li><p><a href="#HIDEUNREADABLE"><i class="parameter"><tt>hide unreadable</tt></i></a></p></li><li><p><a href="#HIDEUNWRITEABLEFILES"><i class="parameter"><tt>hide unwriteable files</tt></i></a></p></li><li><p><a href="#HOSTSALLOW"><i class="parameter"><tt>hosts allow</tt></i></a></p></li><li><p><a href="#HOSTSDENY"><i class="parameter"><tt>hosts deny</tt></i></a></p></li><li><p><a href="#INHERITACLS"><i class="parameter"><tt>inherit acls</tt></i></a></p></li><li><p><a href="#INHERITPERMISSIONS"><i class="parameter"><tt>inherit permissions</tt></i></a></p></li><li><p><a href="#INVALIDUSERS"><i class="parameter"><tt>invalid users</tt></i></a></p></li><li><p><a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>level2 oplocks</tt></i></a></p></li><li><p><a href="#LOCKING"><i class="parameter"><tt>locking</tt></i></a></p></li><li><p><a href="#LPPAUSECOMMAND"><i class="parameter"><tt>lppause command</tt></i></a></p></li><li><p><a href="#LPQCOMMAND"><i class="parameter"><tt>lpq command</tt></i></a></p></li><li><p><a href="#LPRESUMECOMMAND"><i class="parameter"><tt>lpresume command</tt></i></a></p></li><li><p><a href="#LPRMCOMMAND"><i class="parameter"><tt>lprm command</tt></i></a></p></li><li><p><a href="#MAGICOUTPUT"><i class="parameter"><tt>magic output</tt></i></a></p></li><li><p><a href="#MAGICSCRIPT"><i class="parameter"><tt>magic script</tt></i></a></p></li><li><p><a href="#MANGLECASE"><i class="parameter"><tt>mangle case</tt></i></a></p></li><li><p><a href="#MANGLEDMAP"><i class="parameter"><tt>mangled map</tt></i></a></p></li><li><p><a href="#MANGLEDNAMES"><i class="parameter"><tt>mangled names</tt></i></a></p></li><li><p><a href="#MANGLINGCHAR"><i class="parameter"><tt>mangling char</tt></i></a></p></li><li><p><a href="#MAPARCHIVE"><i class="parameter"><tt>map archive</tt></i></a></p></li><li><p><a href="#MAPHIDDEN"><i class="parameter"><tt>map hidden</tt></i></a></p></li><li><p><a href="#MAPSYSTEM"><i class="parameter"><tt>map system</tt></i></a></p></li><li><p><a href="#MAXCONNECTIONS"><i class="parameter"><tt>max connections</tt></i></a></p></li><li><p><a href="#MAXPRINTJOBS"><i class="parameter"><tt>max print jobs</tt></i></a></p></li><li><p><a href="#MAXREPORTEDPRINTJOBS"><i class="parameter"><tt>max reported print jobs</tt></i></a></p></li><li><p><a href="#MINPRINTSPACE"><i class="parameter"><tt>min print space</tt></i></a></p></li><li><p><a href="#MSDFSPROXY"><i class="parameter"><tt>msdfs proxy</tt></i></a></p></li><li><p><a href="#MSDFSROOT"><i class="parameter"><tt>msdfs root</tt></i></a></p></li><li><p><a href="#NTACLSUPPORT"><i class="parameter"><tt>nt acl support</tt></i></a></p></li><li><p><a href="#ONLYGUEST"><i class="parameter"><tt>only guest</tt></i></a></p></li><li><p><a href="#ONLYUSER"><i class="parameter"><tt>only user</tt></i></a></p></li><li><p><a href="#OPLOCKCONTENTIONLIMIT"><i class="parameter"><tt>oplock contention limit</tt></i></a></p></li><li><p><a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i></a></p></li><li><p><a href="#PATH"><i class="parameter"><tt>path</tt></i></a></p></li><li><p><a href="#POSIXLOCKING"><i class="parameter"><tt>posix locking</tt></i></a></p></li><li><p><a href="#POSTEXEC"><i class="parameter"><tt>postexec</tt></i></a></p></li><li><p><a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a></p></li><li><p><a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a></p></li><li><p><a href="#PRESERVECASE"><i class="parameter"><tt>preserve case</tt></i></a></p></li><li><p><a href="#PRINTABLE"><i class="parameter"><tt>printable</tt></i></a></p></li><li><p><a href="#PRINTCAPNAME"><i class="parameter"><tt>printcap name</tt></i></a></p></li><li><p><a href="#PRINTCOMMAND"><i class="parameter"><tt>print command</tt></i></a></p></li><li><p><a href="#PRINTER"><i class="parameter"><tt>printer</tt></i></a></p></li><li><p><a href="#PRINTERADMIN"><i class="parameter"><tt>printer admin</tt></i></a></p></li><li><p><a href="#PRINTERNAME"><i class="parameter"><tt>printer name</tt></i></a></p></li><li><p><a href="#PRINTING"><i class="parameter"><tt>printing</tt></i></a></p></li><li><p><a href="#PRINTOK"><i class="parameter"><tt>print ok</tt></i></a></p></li><li><p><a href="#PUBLIC"><i class="parameter"><tt>public</tt></i></a></p></li><li><p><a href="#QUEUEPAUSECOMMAND"><i class="parameter"><tt>queuepause command</tt></i></a></p></li><li><p><a href="#QUEUERESUMECOMMAND"><i class="parameter"><tt>queueresume command</tt></i></a></p></li><li><p><a href="#READLIST"><i class="parameter"><tt>read list</tt></i></a></p></li><li><p><a href="#READONLY"><i class="parameter"><tt>read only</tt></i></a></p></li><li><p><a href="#ROOTPOSTEXEC"><i class="parameter"><tt>root postexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXEC"><i class="parameter"><tt>root preexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXECCLOSE"><i class="parameter"><tt>root preexec close</tt></i></a></p></li><li><p><a href="#SECURITYMASK"><i class="parameter"><tt>security mask</tt></i></a></p></li><li><p><a href="#SETDIRECTORY"><i class="parameter"><tt>set directory</tt></i></a></p></li><li><p><a href="#SHAREMODES"><i class="parameter"><tt>share modes</tt></i></a></p></li><li><p><a href="#SHORTPRESERVECASE"><i class="parameter"><tt>short preserve case</tt></i></a></p></li><li><p><a href="#STRICTALLOCATE"><i class="parameter"><tt>strict allocate</tt></i></a></p></li><li><p><a href="#STRICTLOCKING"><i class="parameter"><tt>strict locking</tt></i></a></p></li><li><p><a href="#STRICTSYNC"><i class="parameter"><tt>strict sync</tt></i></a></p></li><li><p><a href="#SYNCALWAYS"><i class="parameter"><tt>sync always</tt></i></a></p></li><li><p><a href="#USECLIENTDRIVER"><i class="parameter"><tt>use client driver</tt></i></a></p></li><li><p><a href="#USER"><i class="parameter"><tt>user</tt></i></a></p></li><li><p><a href="#USERNAME"><i class="parameter"><tt>username</tt></i></a></p></li><li><p><a href="#USERS"><i class="parameter"><tt>users</tt></i></a></p></li><li><p><a href="#USESENDFILE"><i class="parameter"><tt>use sendfile</tt></i></a></p></li><li><p><a href="#-VALID"><i class="parameter"><tt>-valid</tt></i></a></p></li><li><p><a href="#VALIDUSERS"><i class="parameter"><tt>valid users</tt></i></a></p></li><li><p><a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a></p></li><li><p><a href="#VETOOPLOCKFILES"><i class="parameter"><tt>veto oplock files</tt></i></a></p></li><li><p><a href="#VFSOBJECT"><i class="parameter"><tt>vfs object</tt></i></a></p></li><li><p><a href="#VFSOBJECTS"><i class="parameter"><tt>vfs objects</tt></i></a></p></li><li><p><a href="#VOLUME"><i class="parameter"><tt>volume</tt></i></a></p></li><li><p><a href="#WIDELINKS"><i class="parameter"><tt>wide links</tt></i></a></p></li><li><p><a href="#WRITABLE"><i class="parameter"><tt>writable</tt></i></a></p></li><li><p><a href="#WRITEABLE"><i class="parameter"><tt>writeable</tt></i></a></p></li><li><p><a href="#WRITECACHESIZE"><i class="parameter"><tt>write cache size</tt></i></a></p></li><li><p><a href="#WRITELIST"><i class="parameter"><tt>write list</tt></i></a></p></li><li><p><a href="#WRITEOK"><i class="parameter"><tt>write ok</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span>
+ This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that
+ should stop a shutdown procedure issued by the <a href="#SHUTDOWNSCRIPT">
+ <i class="parameter"><tt>shutdown script</tt></i></a>.</p><p>This command will be run as user.</p><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">abort shutdown script = /sbin/shutdown -c</b></p></dd><dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p>This is the full pathname to a script that will be run
+ <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>
+ when a new group is requested. It will expand any <i class="parameter"><tt>%g</tt></i> to the group name passed. This
+ script is only useful for installations using the Windows NT
+ domain administration tools. The script is free to create a
+ group with an arbitrary name to circumvent unix group name
+ restrictions. In that case the script must print the numeric gid
+ of the created group on stdout.</p></dd><dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p>This is the full pathname to a script that will be run by
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is added
+ to it's domain using the administrator username and password
+ method. </p><p>This option is only required when using sam back-ends tied
+ to the Unix uid method of RID calculation such as smbpasswd.
+ This option is only available in Samba 3.0.</p><p>Default: <b class="command">add machine script = &lt;empty string&gt;</b></p><p>Example: <b class="command">add machine script = /usr/sbin/adduser -n -g
+ machines -c Machine -d /dev/null -s /bin/false %u</b></p></dd><dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>addprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing
+ support for Windows NT/2000 clients in Samba 2.2, The MS Add
+ Printer Wizard (APW) icon is now also available in the
+ &quot;Printers...&quot; folder displayed a share listing. The APW
+ allows for printers to be add remotely to a Samba or Windows
+ NT/2000 print server.</p><p>For a Samba host this means that the printer must be
+ physically added to the underlying printing system. The <i class="parameter"><tt>add
+ printer command</tt></i> defines a script to be run which
+ will perform the necessary operations for adding the printer
+ to the print system and to add the appropriate service definition
+ to the <tt class="filename">smb.conf</tt> file in order that it can be
+ shared by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>The <i class="parameter"><tt>addprinter command</tt></i> is
+ automatically invoked with the following parameter (in
+ order):</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>printer name</tt></i></p></li><li><p><i class="parameter"><tt>share name</tt></i></p></li><li><p><i class="parameter"><tt>port name</tt></i></p></li><li><p><i class="parameter"><tt>driver name</tt></i></p></li><li><p><i class="parameter"><tt>location</tt></i></p></li><li><p><i class="parameter"><tt>Windows 9x driver location</tt></i></p></li></ul></div><p>All parameters are filled in from the PRINTER_INFO_2 structure sent
+ by the Windows NT/2000 client with one exception. The &quot;Windows 9x
+ driver location&quot; parameter is included for backwards compatibility
+ only. The remaining fields in the structure are generated from answers
+ to the APW questions.</p><p>Once the <i class="parameter"><tt>addprinter command</tt></i> has
+ been executed, <b class="command">smbd</b> will reparse the <tt class="filename">
+ smb.conf</tt> to determine if the share defined by the APW
+ exists. If the sharename is still invalid, then <b class="command">smbd
+ </b> will return an ACCESS_DENIED error to the client.</p><p>
+ The &quot;add printer command&quot; program can output a single line of text,
+ which Samba will set as the port the new printer is connected to.
+ If this line isn't output, Samba won't reload its printer shares.
+ </p><p>See also <a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>
+ deleteprinter command</tt></i></a>, <a href="#PRINTING">
+ <i class="parameter"><tt>printing</tt></i></a>,
+ <a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add
+ printer wizard</tt></i></a></p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">addprinter command = /usr/bin/addprinter</b></p></dd><dt><span class="term"><a name="ADDSHARECOMMAND"></a>add share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <i class="parameter"><tt>add share command</tt></i> is used to define an
+ external program or script which will add a new service definition
+ to <tt class="filename">smb.conf</tt>. In order to successfully
+ execute the <i class="parameter"><tt>add share command</tt></i>, <b class="command">smbd</b>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </p><p>
+ When executed, <b class="command">smbd</b> will automatically invoke the
+ <i class="parameter"><tt>add share command</tt></i> with four parameters.
+ </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>configFile</tt></i> - the location
+ of the global <tt class="filename">smb.conf</tt> file.
+ </p></li><li><p><i class="parameter"><tt>shareName</tt></i> - the name of the new
+ share.
+ </p></li><li><p><i class="parameter"><tt>pathName</tt></i> - path to an **existing**
+ directory on disk.
+ </p></li><li><p><i class="parameter"><tt>comment</tt></i> - comment string to associate
+ with the new share.
+ </p></li></ul></div><p>
+ This parameter is only used for add file shares. To add printer shares,
+ see the <a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter
+ command</tt></i></a>.
+ </p><p>
+ See also <a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change share
+ command</tt></i></a>, <a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete share
+ command</tt></i></a>.
+ </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">add share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="ADDUSERSCRIPT"></a>add user script (G)</span></dt><dd><p>This is the full pathname to a script that will
+ be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> under special circumstances described below.</p><p>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <a href="smbd.8.html" target="_top">smbd</a> to create the required UNIX users
+ <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.</p><p>In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to <i class="parameter"><tt>security = share</tt></i>
+ and <i class="parameter"><tt>add user script</tt></i>
+ must be set to a full pathname for a script that will create a UNIX
+ user given one argument of <i class="parameter"><tt>%u</tt></i>, which expands into
+ the UNIX user name to create.</p><p>When the Windows user attempts to access the Samba server,
+ at login (session setup in the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <i class="parameter"><tt>password server</tt></i> and
+ attempts to authenticate the given user with the given password. If the
+ authentication succeeds then <b class="command">smbd</b>
+ attempts to find a UNIX user in the UNIX password database to map the
+ Windows user into. If this lookup fails, and <i class="parameter"><tt>add user script
+ </tt></i> is set then <b class="command">smbd</b> will
+ call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding
+ any <i class="parameter"><tt>%u</tt></i> argument to be the user name to create.</p><p>If this script successfully creates the user then <b class="command">smbd
+ </b> will continue on as though the UNIX user
+ already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.</p><p>See also <a href="#SECURITY"><i class="parameter"><tt>
+ security</tt></i></a>, <a href="#PASSWORDSERVER">
+ <i class="parameter"><tt>password server</tt></i></a>,
+ <a href="#DELETEUSERSCRIPT"><i class="parameter"><tt>delete user
+ script</tt></i></a>.</p><p>Default: <b class="command">add user script = &lt;empty string&gt;</b></p><p>Example: <b class="command">add user script = /usr/local/samba/bin/add_user %u</b></p></dd><dt><span class="term"><a name="ADDUSERTOGROUPSCRIPT"></a>add user to group script (G)</span></dt><dd><p>Full path to the script that will be called when
+ a user is added to a group using the Windows NT domain administration
+ tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>.
+ Any <i class="parameter"><tt>%g</tt></i> will be replaced with the group name and
+ any <i class="parameter"><tt>%u</tt></i> will be replaced with the user name.
+ </p><p>Default: <b class="command">add user to group script = </b></p><p>Example: <b class="command">add user to group script = /usr/sbin/adduser %u %g</b></p></dd><dt><span class="term"><a name="ADMINUSERS"></a>admin users (S)</span></dt><dd><p>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</p><p>Default: <span class="emphasis"><em>no admin users</em></span></p><p>Example: <b class="command">admin users = jason</b></p></dd><dt><span class="term"><a name="ADSSERVER"></a>ads server (G)</span></dt><dd><p>If this option is specified, samba does not try to figure out what
+ ads server to use itself, but uses the specified ads server. Either one
+ DNS name or IP address can be used.</p><p>Default: <b class="command">ads server = </b></p><p>Example: <b class="command">ads server = 192.168.1.2</b></p></dd><dt><span class="term"><a name="ALGORITHMICRIDBASE"></a>algorithmic rid base (G)</span></dt><dd><p>This determines how Samba will use its
+ algorithmic mapping from uids/gid to the RIDs needed to construct
+ NT Security Identifiers.
+ </p><p>Setting this option to a larger value could be useful to sites
+ transitioning from WinNT and Win2k, as existing user and
+ group rids would otherwise clash with sytem users etc.
+ </p><p>All UIDs and GIDs must be able to be resolved into SIDs for
+ the correct operation of ACLs on the server. As such the algorithmic
+ mapping can't be 'turned off', but pushing it 'out of the way' should
+ resolve the issues. Users and groups can then be assigned 'low' RIDs
+ in arbitary-rid supporting backends.
+ </p><p>Default: <b class="command">algorithmic rid base = 1000</b></p><p>Example: <b class="command">algorithmic rid base = 100000</b></p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts (S)</span></dt><dd><p>Synonym for <a href="#HOSTSALLOW">
+ <i class="parameter"><tt>hosts allow</tt></i></a>.</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>This option only takes effect when the <a href="#SECURITY">
+ <i class="parameter"><tt>security</tt></i></a> option is set to
+ <tt class="constant">server</tt> or <tt class="constant">domain</tt>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which <a href="smbd.8.html" target="_top">smbd</a> is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</p><p>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</p><p>Default: <b class="command">allow trusted domains = yes</b></p></dd><dt><span class="term"><a name="ANNOUNCEAS"></a>announce as (G)</span></dt><dd><p>This specifies what type of server <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will announce itself as, to a network neighborhood browse
+ list. By default this is set to Windows NT. The valid options
+ are : &quot;NT Server&quot; (which can also be written as &quot;NT&quot;),
+ &quot;NT Workstation&quot;, &quot;Win95&quot; or &quot;WfW&quot; meaning Windows NT Server,
+ Windows NT Workstation, Windows 95 and Windows for Workgroups
+ respectively. Do not change this parameter unless you have a
+ specific need to stop Samba appearing as an NT server as this
+ may prevent Samba servers from participating as browser servers
+ correctly.</p><p>Default: <b class="command">announce as = NT Server</b></p><p>Example: <b class="command">announce as = Win95</b></p></dd><dt><span class="term"><a name="ANNOUNCEVERSION"></a>announce version (G)</span></dt><dd><p>This specifies the major and minor version numbers
+ that nmbd will use when announcing itself as a server. The default
+ is 4.9. Do not change this parameter unless you have a specific
+ need to set a Samba server to be a downlevel server.</p><p>Default: <b class="command">announce version = 4.9</b></p><p>Example: <b class="command">announce version = 2.0</b></p></dd><dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p>This option allows the administrator to chose what
+ authentication methods <b class="command">smbd</b> will use when authenticating
+ a user. This option defaults to sensible values based on <a href="#SECURITY">
+ <i class="parameter"><tt>security</tt></i></a>.</p><p>Each entry in the list attempts to authenticate the user in turn, until
+ the user authenticates. In practice only one method will ever actually
+ be able to complete the authentication.
+ </p><p>Default: <b class="command">auth methods = &lt;empty string&gt;</b></p><p>Example: <b class="command">auth methods = guest sam ntdomain</b></p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services (G)</span></dt><dd><p>This is a synonym for the <a href="#PRELOAD">
+ <i class="parameter"><tt>preload</tt></i></a>.</p></dd><dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you &quot;turn off&quot; a service. If
+ <i class="parameter"><tt>available = no</tt></i>, then <span class="emphasis"><em>ALL</em></span>
+ attempts to connect to the service will fail. Such failures are
+ logged.</p><p>Default: <b class="command">available = yes</b></p></dd><dt><span class="term"><a name="BINDINTERFACESONLY"></a>bind interfaces only (G)</span></dt><dd><p>This global parameter allows the Samba admin
+ to limit what interfaces on a machine will serve SMB requests. It
+ affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in a slightly different ways.</p><p>For name service it causes <b class="command">nmbd</b> to bind
+ to ports 137 and 138 on the interfaces listed in
+ the <a href="#INTERFACES">interfaces</a> parameter. <b class="command">nmbd</b> also
+ binds to the &quot;all addresses&quot; interface (0.0.0.0)
+ on ports 137 and 138 for the purposes of reading broadcast messages.
+ If this option is not set then <b class="command">nmbd</b> will service
+ name requests on all of these sockets. If <i class="parameter"><tt>bind interfaces
+ only</tt></i> is set then <b class="command">nmbd</b> will check the
+ source address of any packets coming in on the broadcast sockets
+ and discard any that don't match the broadcast addresses of the
+ interfaces in the <i class="parameter"><tt>interfaces</tt></i> parameter list.
+ As unicast packets are received on the other sockets it allows
+ <b class="command">nmbd</b> to refuse to serve names to machines that
+ send packets that arrive through any interfaces not listed in the
+ <i class="parameter"><tt>interfaces</tt></i> list. IP Source address spoofing
+ does defeat this simple check, however, so it must not be used
+ seriously as a security feature for <b class="command">nmbd</b>.</p><p>For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list
+ given in the <a href="#INTERFACES">interfaces</a> parameter. This
+ restricts the networks that <b class="command">smbd</b> will serve
+ to packets coming in those interfaces. Note that you should not use this parameter
+ for machines that are serving PPP or other intermittent or non-broadcast network
+ interfaces as it will not cope with non-permanent interfaces.</p><p>If <i class="parameter"><tt>bind interfaces only</tt></i> is set then
+ unless the network address <span class="emphasis"><em>127.0.0.1</em></span> is added
+ to the <i class="parameter"><tt>interfaces</tt></i> parameter
+ list <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as expected due
+ to the reasons covered below.</p><p>To change a users SMB password, the <b class="command">smbpasswd</b>
+ by default connects to the <span class="emphasis"><em>localhost - 127.0.0.1</em></span>
+ address as an SMB client to issue the password change request. If
+ <i class="parameter"><tt>bind interfaces only</tt></i> is set then unless the
+ network address <span class="emphasis"><em>127.0.0.1</em></span> is added to the
+ <i class="parameter"><tt>interfaces</tt></i> parameter list then <b class="command">
+ smbpasswd</b> will fail to connect in it's default mode.
+ <b class="command">smbpasswd</b> can be forced to use the primary IP interface
+ of the local host by using its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> <i class="parameter"><tt>-r <i class="replaceable"><tt>remote machine</tt></i></tt></i>
+ parameter, with <i class="replaceable"><tt>remote machine</tt></i> set
+ to the IP name of the primary interface of the local host.</p><p>The <b class="command">swat</b> status page tries to connect with
+ <b class="command">smbd</b> and <b class="command">nmbd</b> at the address
+ <span class="emphasis"><em>127.0.0.1</em></span> to determine if they are running.
+ Not adding <span class="emphasis"><em>127.0.0.1</em></span> will cause <b class="command">
+ smbd</b> and <b class="command">nmbd</b> to always show
+ &quot;not running&quot; even if they really are. This can prevent <b class="command">
+ swat</b> from starting/stopping/restarting <b class="command">smbd</b>
+ and <b class="command">nmbd</b>.</p><p>Default: <b class="command">bind interfaces only = no</b></p></dd><dt><span class="term"><a name="BLOCKINGLOCKS"></a>blocking locks (S)</span></dt><dd><p>This parameter controls the behavior
+ of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when given a request by a client
+ to obtain a byte range lock on a region of an open file, and the
+ request has a time limit associated with it.</p><p>If this parameter is set and the lock range requested
+ cannot be immediately satisfied, samba will internally
+ queue the lock request, and periodically attempt to obtain
+ the lock until the timeout period expires.</p><p>If this parameter is set to <tt class="constant">no</tt>, then
+ samba will behave as previous versions of Samba would and
+ will fail the lock request immediately if the lock range
+ cannot be obtained.</p><p>Default: <b class="command">blocking locks = yes</b></p></dd><dt><span class="term"><a name="BLOCKSIZE"></a>block size (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when reporting disk free
+ sizes. By default, this reports a disk block size of 1024 bytes.
+ </p><p>Changing this parameter may have some effect on the
+ efficiency of client writes, this is not yet confirmed. This
+ parameter was added to allow advanced administrators to change
+ it (usually to a higher value) and test the effect it has on
+ client write performance without re-compiling the code. As this
+ is an experimental option it may be removed in a future release.
+ </p><p>Changing this option does not change the disk free reporting
+ size, just the block size unit reported to the client.
+ </p></dd><dt><span class="term"><a name="BROWSABLE"></a>browsable (S)</span></dt><dd><p>See the <a href="#BROWSEABLE">
+ <i class="parameter"><tt>browseable</tt></i></a>.</p></dd><dt><span class="term"><a name="BROWSEABLE"></a>browseable (S)</span></dt><dd><p>This controls whether this share is seen in
+ the list of available shares in a net view and in the browse list.</p><p>Default: <b class="command">browseable = yes</b></p></dd><dt><span class="term"><a name="BROWSELIST"></a>browse list (G)</span></dt><dd><p>This controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will serve a browse list to
+ a client doing a <b class="command">NetServerEnum</b> call. Normally
+ set to <tt class="constant">yes</tt>. You should never need to change
+ this.</p><p>Default: <b class="command">browse list = yes</b></p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b class="command">case sensitive = no</b></p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames (S)</span></dt><dd><p>Synonym for <a href="#CASESENSITIVE">case sensitive</a>.</p></dd><dt><span class="term"><a name="CHANGENOTIFYTIMEOUT"></a>change notify timeout (G)</span></dt><dd><p>This SMB allows a client to tell a server to
+ &quot;watch&quot; a particular directory for any changes and only reply to
+ the SMB request when a change has occurred. Such constant scanning of
+ a directory is expensive under UNIX, hence an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> daemon only performs such a scan
+ on each requested directory once every <i class="parameter"><tt>change notify
+ timeout</tt></i> seconds.</p><p>Default: <b class="command">change notify timeout = 60</b></p><p>Example: <b class="command">change notify timeout = 300</b></p><p>Would change the scan time to every 5 minutes.</p></dd><dt><span class="term"><a name="CHANGESHARECOMMAND"></a>change share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <i class="parameter"><tt>change share command</tt></i> is used to define an
+ external program or script which will modify an existing service definition
+ in <tt class="filename">smb.conf</tt>. In order to successfully
+ execute the <i class="parameter"><tt>change share command</tt></i>, <b class="command">smbd</b>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </p><p>
+ When executed, <b class="command">smbd</b> will automatically invoke the
+ <i class="parameter"><tt>change share command</tt></i> with four parameters.
+ </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>configFile</tt></i> - the location
+ of the global <tt class="filename">smb.conf</tt> file.
+ </p></li><li><p><i class="parameter"><tt>shareName</tt></i> - the name of the new
+ share.
+ </p></li><li><p><i class="parameter"><tt>pathName</tt></i> - path to an **existing**
+ directory on disk.
+ </p></li><li><p><i class="parameter"><tt>comment</tt></i> - comment string to associate
+ with the new share.
+ </p></li></ul></div><p>
+ This parameter is only used modify existing file shares definitions. To modify
+ printer shares, use the &quot;Printers...&quot; folder as seen when browsing the Samba host.
+ </p><p>
+ See also <a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share
+ command</tt></i></a>, <a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete
+ share command</tt></i></a>.
+ </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">change share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="COMMENT"></a>comment (S)</span></dt><dd><p>This is a text field that is seen next to a share
+ when a client does a queries the server, either via the network
+ neighborhood or via <b class="command">net view</b> to list what shares
+ are available.</p><p>If you want to set the string that is displayed next to the
+ machine name then see the <a href="#SERVERSTRING"><i class="parameter"><tt>
+ server string</tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>No comment string</em></span></p><p>Example: <b class="command">comment = Fred's Files</b></p></dd><dt><span class="term"><a name="CONFIGFILE"></a>config file (G)</span></dt><dd><p>This allows you to override the config file
+ to use, instead of the default (usually <tt class="filename">smb.conf</tt>).
+ There is a chicken and egg problem here as this option is set
+ in the config file!</p><p>For this reason, if the name of the config file has changed
+ when the parameters are loaded then it will reload them from
+ the new config file.</p><p>This option takes the usual substitutions, which can
+ be very useful.</p><p>If the config file doesn't exist then it won't be loaded
+ (allowing you to special case the config files of just a few
+ clients).</p><p>Example: <b class="command">config file = /usr/local/samba/lib/smb.conf.%m</b></p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to &quot;clone&quot; service
+ entries. The specified service is simply duplicated under the
+ current service's name. Any parameters specified in the current
+ section will override those in the section being copied.</p><p>This feature lets you set up a 'template' service and
+ create similar services easily. Note that the service being
+ copied must occur earlier in the configuration file than the
+ service doing the copying.</p><p>Default: <span class="emphasis"><em>no value</em></span></p><p>Example: <b class="command">copy = otherservice</b></p></dd><dt><span class="term"><a name="CREATEMASK"></a>create mask (S)</span></dt><dd><p>A synonym for this parameter is
+ <a href="#CREATEMODE"><i class="parameter"><tt>create mode</tt></i>
+ </a>.</p><p>When a file is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX
+ permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
+ with this parameter. This parameter may be thought of as a bit-wise
+ MASK for the UNIX modes of a file. Any bit <span class="emphasis"><em>not</em></span>
+ set here will be removed from the modes set on a file when it is
+ created.</p><p>The default value of this parameter removes the
+ 'group' and 'other' write and execute bits from the UNIX modes.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode created
+ from this parameter with the value of the <a href="#FORCECREATEMODE">
+ <i class="parameter"><tt>force create mode</tt></i></a>
+ parameter which is set to 000 by default.</p><p>This parameter does not affect directory modes. See the
+ parameter <a href="#DIRECTORYMODE"><i class="parameter"><tt>directory mode
+ </tt></i></a> for details.</p><p>See also the <a href="#FORCECREATEMODE"><i class="parameter"><tt>force
+ create mode</tt></i></a> parameter for forcing particular mode
+ bits to be set on created files. See also the <a href="#DIRECTORYMODE">
+ <i class="parameter"><tt>directory mode</tt></i></a> parameter for masking
+ mode bits on created directories. See also the <a href="#INHERITPERMISSIONS">
+ <i class="parameter"><tt>inherit permissions</tt></i></a> parameter.</p><p>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <a href="#SECURITYMASK">
+ <i class="parameter"><tt>security mask</tt></i></a>.</p><p>Default: <b class="command">create mask = 0744</b></p><p>Example: <b class="command">create mask = 0775</b></p></dd><dt><span class="term"><a name="CREATEMODE"></a>create mode (S)</span></dt><dd><p>This is a synonym for <a href="#CREATEMASK"><i class="parameter"><tt>
+ create mask</tt></i></a>.</p></dd><dt><span class="term"><a name="CSCPOLICY"></a>csc policy (S)</span></dt><dd><p>This stands for <span class="emphasis"><em>client-side caching
+ policy</em></span>, and specifies how clients capable of offline
+ caching will cache the files in the share. The valid values
+ are: manual, documents, programs, disable.</p><p>These values correspond to those used on Windows servers.</p><p>For example, shares containing roaming profiles can have
+ offline caching disabled using <b class="command">csc policy = disable</b>.</p><p>Default: <b class="command">csc policy = manual</b></p><p>Example: <b class="command">csc policy = programs</b></p></dd><dt><span class="term"><a name="DEADTIME"></a>dead time (G)</span></dt><dd><p>The value of the parameter (a decimal integer)
+ represents the number of minutes of inactivity before a connection
+ is considered dead, and it is disconnected. The deadtime only takes
+ effect if the number of open files is zero.</p><p>This is useful to stop a server's resources being
+ exhausted by a large number of inactive connections.</p><p>Most clients have an auto-reconnect feature when a
+ connection is broken so in most cases this parameter should be
+ transparent to users.</p><p>Using this parameter with a timeout of a few minutes
+ is recommended for most systems.</p><p>A deadtime of zero indicates that no auto-disconnection
+ should be performed.</p><p>Default: <b class="command">deadtime = 0</b></p><p>Example: <b class="command">deadtime = 15</b></p></dd><dt><span class="term"><a name="DEBUGHIRESTIMESTAMP"></a>debug hires timestamp (G)</span></dt><dd><p>Sometimes the timestamps in the log messages
+ are needed with a resolution of higher that seconds, this
+ boolean parameter adds microsecond resolution to the timestamp
+ message header when turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
+ debug timestamp</tt></i></a> must be on for this to have an
+ effect.</p><p>Default: <b class="command">debug hires timestamp = no</b></p></dd><dt><span class="term"><a name="DEBUGLEVEL"></a>debug level (G)</span></dt><dd><p>Synonym for <a href="#LOGLEVEL"><i class="parameter"><tt>
+ log level</tt></i></a>.</p></dd><dt><span class="term"><a name="DEBUGPID"></a>debug pid (G)</span></dt><dd><p>When using only one log file for more then one forked
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>-process there may be hard to
+ follow which process outputs which message. This boolean parameter
+ is adds the process-id to the timestamp message headers in the
+ logfile when turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
+ debug timestamp</tt></i></a> must be on for this to have an
+ effect.</p><p>Default: <b class="command">debug pid = no</b></p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p>Samba debug log messages are timestamped
+ by default. If you are running at a high <a href="#DEBUGLEVEL">
+ <i class="parameter"><tt>debug level</tt></i></a> these timestamps
+ can be distracting. This boolean parameter allows timestamping
+ to be turned off.</p><p>Default: <b class="command">debug timestamp = yes</b></p></dd><dt><span class="term"><a name="DEBUGUID"></a>debug uid (G)</span></dt><dd><p>Samba is sometimes run as root and sometime
+ run as the connected user, this boolean parameter inserts the
+ current euid, egid, uid and gid to the timestamp message headers
+ in the log file if turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
+ debug timestamp</tt></i></a> must be on for this to have an
+ effect.</p><p>Default: <b class="command">debug uid = no</b></p></dd><dt><span class="term"><a name="DEFAULT"></a>default (G)</span></dt><dd><p>A synonym for <a href="#DEFAULTSERVICE"><i class="parameter"><tt>
+ default service</tt></i></a>.</p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">
+ NAME MANGLING</a>. Also note the <a href="#SHORTPRESERVECASE">
+ <i class="parameter"><tt>short preserve case</tt></i></a> parameter.</p><p>Default: <b class="command">default case = lower</b></p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a href="#PRINTOK">printable</a> services.
+ When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
+ server has a Device Mode which defines things such as paper size and
+ orientation and duplex settings. The device mode can only correctly be
+ generated by the printer driver itself (which can only be executed on a
+ Win32 platform). Because smbd is unable to execute the driver code
+ to generate the device mode, the default behavior is to set this field
+ to NULL.
+ </p><p>Most problems with serving printer drivers to Windows NT/2k/XP clients
+ can be traced to a problem with the generated device mode. Certain drivers
+ will do things such as crashing the client's Explorer.exe with a NULL devmode.
+ However, other printer drivers can cause the client's spooler service
+ (spoolsv.exe) to die if the devmode was not created by the driver itself
+ (i.e. smbd generates a default devmode).
+ </p><p>This parameter should be used with care and tested with the printer
+ driver in question. It is better to leave the device mode to NULL
+ and let the Windows client set the correct values. Because drivers do not
+ do this all the time, setting <b class="command">default devmode = yes</b>
+ will instruct smbd to generate a default one.
+ </p><p>For more information on Windows NT/2k printing and Device Modes,
+ see the <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a>.
+ </p><p>Default: <b class="command">default devmode = no</b></p></dd><dt><span class="term"><a name="DEFAULTSERVICE"></a>default service (G)</span></dt><dd><p>This parameter specifies the name of a service
+ which will be connected to if the service actually requested cannot
+ be found. Note that the square brackets are <span class="emphasis"><em>NOT</em></span>
+ given in the parameter value (see example below).</p><p>There is no default value for this parameter. If this
+ parameter is not given, attempting to connect to a nonexistent
+ service results in an error.</p><p>Typically the default service would be a <a href="#GUESTOK">
+ <i class="parameter"><tt>guest ok</tt></i></a>, <a href="#READONLY">
+ <i class="parameter"><tt>read-only</tt></i></a> service.</p><p>Also note that the apparent service name will be changed
+ to equal that of the requested service, this is very useful as it
+ allows you to use macros like <i class="parameter"><tt>%S</tt></i> to make
+ a wildcard service.</p><p>Note also that any &quot;_&quot; characters in the name of the service
+ used in the default service will get mapped to a &quot;/&quot;. This allows for
+ interesting things.</p><p>Example:</p><pre class="programlisting">
+[global]
+ default service = pub
+
+[pub]
+ path = /%S
+</pre></dd><dt><span class="term"><a name="DELETEGROUPSCRIPT"></a>delete group script (G)</span></dt><dd><p>This is the full pathname to a script that will
+ be run <span class="emphasis"><em>AS ROOT</em></span> <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a group is requested to be deleted.
+ It will expand any <i class="parameter"><tt>%g</tt></i> to the group name passed.
+ This script is only useful for installations using the Windows NT domain administration tools.
+ </p></dd><dt><span class="term"><a name="DELETEPRINTERCOMMAND"></a>deleteprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printer
+ support for Windows NT/2000 clients in Samba 2.2, it is now
+ possible to delete printer at run time by issuing the
+ DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
+ physically deleted from underlying printing system. The <i class="parameter"><tt>
+ deleteprinter command</tt></i> defines a script to be run which
+ will perform the necessary operations for removing the printer
+ from the print system and from <tt class="filename">smb.conf</tt>.
+ </p><p>The <i class="parameter"><tt>deleteprinter command</tt></i> is
+ automatically called with only one parameter: <i class="parameter"><tt>
+ &quot;printer name&quot;</tt></i>.</p><p>Once the <i class="parameter"><tt>deleteprinter command</tt></i> has
+ been executed, <b class="command">smbd</b> will reparse the <tt class="filename">
+ smb.conf</tt> to associated printer no longer exists.
+ If the sharename is still valid, then <b class="command">smbd
+ </b> will return an ACCESS_DENIED error to the client.</p><p>See also <a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>
+ addprinter command</tt></i></a>, <a href="#PRINTING">
+ <i class="parameter"><tt>printing</tt></i></a>,
+ <a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add
+ printer wizard</tt></i></a></p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">deleteprinter command = /usr/bin/removeprinter</b></p></dd><dt><span class="term"><a name="DELETEREADONLY"></a>delete readonly (S)</span></dt><dd><p>This parameter allows readonly files to be deleted.
+ This is not normal DOS semantics, but is allowed by UNIX.</p><p>This option may be useful for running applications such
+ as rcs, where UNIX file ownership prevents changing file
+ permissions, and DOS semantics prevent deletion of a read only file.</p><p>Default: <b class="command">delete readonly = no</b></p></dd><dt><span class="term"><a name="DELETESHARECOMMAND"></a>delete share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <i class="parameter"><tt>delete share command</tt></i> is used to define an
+ external program or script which will remove an existing service
+ definition from <tt class="filename">smb.conf</tt>. In order to successfully
+ execute the <i class="parameter"><tt>delete share command</tt></i>, <b class="command">smbd</b>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </p><p>
+ When executed, <b class="command">smbd</b> will automatically invoke the
+ <i class="parameter"><tt>delete share command</tt></i> with two parameters.
+ </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>configFile</tt></i> - the location
+ of the global <tt class="filename">smb.conf</tt> file.
+ </p></li><li><p><i class="parameter"><tt>shareName</tt></i> - the name of
+ the existing service.
+ </p></li></ul></div><p>
+ This parameter is only used to remove file shares. To delete printer shares,
+ see the <a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>deleteprinter
+ command</tt></i></a>.
+ </p><p>
+ See also <a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share
+ command</tt></i></a>, <a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change
+ share command</tt></i></a>.
+ </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">delete share command = /usr/local/bin/delshare</b></p></dd><dt><span class="term"><a name="DELETEUSERFROMGROUPSCRIPT"></a>delete user from group script (G)</span></dt><dd><p>Full path to the script that will be called when
+ a user is removed from a group using the Windows NT domain administration
+ tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>.
+ Any <i class="parameter"><tt>%g</tt></i> will be replaced with the group name and
+ any <i class="parameter"><tt>%u</tt></i> will be replaced with the user name.
+ </p><p>Default: <b class="command">delete user from group script = </b></p><p>Example: <b class="command">delete user from group script = /usr/sbin/deluser %u %g</b></p></dd><dt><span class="term"><a name="DELETEUSERSCRIPT"></a>delete user script (G)</span></dt><dd><p>This is the full pathname to a script that will
+ be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when managing users
+ with remote RPC (NT) tools.
+ </p><p>This script is called when a remote client removes a user
+ from the server, normally using 'User Manager for Domains' or
+ <b class="command">rpcclient</b>.</p><p>This script should delete the given UNIX username.</p><p>Default: <b class="command">delete user script = &lt;empty string&gt;</b></p><p>Example: <b class="command">delete user script = /usr/local/samba/bin/del_user %u</b></p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to
+ delete a directory that contains one or more vetoed directories
+ (see the <a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a>
+ option). If this option is set to <tt class="constant">no</tt> (the default) then if a vetoed
+ directory contains any non-vetoed files or directories then the
+ directory delete will fail. This is usually what you want.</p><p>If this option is set to <tt class="constant">yes</tt>, then Samba
+ will attempt to recursively delete any files and directories within
+ the vetoed directory. This can be useful for integration with file
+ serving systems such as NetAtalk which create meta-files within
+ directories you might normally veto DOS/Windows users from seeing
+ (e.g. <tt class="filename">.AppleDouble</tt>)</p><p>Setting <b class="command">delete veto files = yes</b> allows these
+ directories to be transparently deleted when the parent directory
+ is deleted (so long as the user has permissions to do so).</p><p>See also the <a href="#VETOFILES"><i class="parameter"><tt>veto
+ files</tt></i></a> parameter.</p><p>Default: <b class="command">delete veto files = no</b></p></dd><dt><span class="term"><a name="DENYHOSTS"></a>deny hosts (S)</span></dt><dd><p>Synonym for <a href="#HOSTSDENY"><i class="parameter"><tt>hosts
+ deny</tt></i></a>.</p></dd><dt><span class="term"><a name="DFREECOMMAND"></a>dfree command (G)</span></dt><dd><p>The <i class="parameter"><tt>dfree command</tt></i> setting
+ should only be used on systems where a problem occurs with the
+ internal disk space calculations. This has been known to happen
+ with Ultrix, but may occur with other operating systems. The
+ symptom that was seen was an error of &quot;Abort Retry
+ Ignore&quot; at the end of each directory listing.</p><p>This setting allows the replacement of the internal routines to
+ calculate the total disk space and amount available with an external
+ routine. The example below gives a possible script that might fulfill
+ this function.</p><p>The external program will be passed a single parameter indicating
+ a directory in the filesystem being queried. This will typically consist
+ of the string <tt class="filename">./</tt>. The script should return two
+ integers in ASCII. The first should be the total disk space in blocks,
+ and the second should be the number of available blocks. An optional
+ third return value can give the block size in bytes. The default
+ blocksize is 1024 bytes.</p><p>Note: Your script should <span class="emphasis"><em>NOT</em></span> be setuid or
+ setgid and should be owned by (and writeable only by) root!</p><p>Default: <span class="emphasis"><em>By default internal routines for
+ determining the disk capacity and remaining space will be used.
+ </em></span></p><p>Example: <b class="command">dfree command = /usr/local/samba/bin/dfree</b></p><p>Where the script dfree (which must be made executable) could be:</p><pre class="programlisting">
+#!/bin/sh
+df $1 | tail -1 | awk '{print $2&quot; &quot;$4}'
+</pre><p>or perhaps (on Sys V based systems):</p><pre class="programlisting">
+#!/bin/sh
+/usr/bin/df -k $1 | tail -1 | awk '{print $3&quot; &quot;$5}'
+</pre><p>Note that you may have to replace the command names with full path names on some systems.</p></dd><dt><span class="term"><a name="DIRECTORY"></a>directory (S)</span></dt><dd><p>Synonym for <a href="#PATH"><i class="parameter"><tt>path</tt></i></a>.</p></dd><dt><span class="term"><a name="DIRECTORYMASK"></a>directory mask (S)</span></dt><dd><p>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</p><p>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <span class="emphasis"><em>not</em></span> set
+ here will be removed from the modes set on a directory when it is
+ created.</p><p>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <a href="#FORCEDIRECTORYMODE">
+ <i class="parameter"><tt>force directory mode</tt></i></a> parameter.
+ This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <a href="#DIRECTORYSECURITYMASK">
+ <i class="parameter"><tt>directory security mask</tt></i></a>.</p><p>See the <a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force
+ directory mode</tt></i></a> parameter to cause particular mode
+ bits to always be set on created directories.</p><p>See also the <a href="#CREATEMODE"><i class="parameter"><tt>create mode
+ </tt></i></a> parameter for masking mode bits on created files,
+ and the <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory
+ security mask</tt></i></a> parameter.</p><p>Also refer to the <a href="#INHERITPERMISSIONS"><i class="parameter"><tt>
+ inherit permissions</tt></i></a> parameter.</p><p>Default: <b class="command">directory mask = 0755</b></p><p>Example: <b class="command">directory mask = 0775</b></p></dd><dt><span class="term"><a name="DIRECTORYMODE"></a>directory mode (S)</span></dt><dd><p>Synonym for <a href="#DIRECTORYMASK"><i class="parameter"><tt>
+ directory mask</tt></i></a></p></dd><dt><span class="term"><a name="DIRECTORYSECURITYMASK"></a>directory security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog
+ box.</p><p>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</p><p>If not set explicitly this parameter is set to 0777
+ meaning a user is allowed to modify all the user/group/world
+ permissions on a directory.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ it as the default of <tt class="constant">0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>
+ force directory security mode</tt></i></a>, <a href="#SECURITYMASK">
+ <i class="parameter"><tt>security mask</tt></i></a>,
+ <a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode
+ </tt></i></a> parameters.</p><p>Default: <b class="command">directory security mask = 0777</b></p><p>Example: <b class="command">directory security mask = 0700</b></p></dd><dt><span class="term"><a name="DISABLENETBIOS"></a>disable netbios (G)</span></dt><dd><p>Enabling this parameter will disable netbios support
+ in Samba. Netbios is the only available form of browsing in
+ all windows versions except for 2000 and XP. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that clients that only support netbios won't be able to
+ see your samba server when netbios support is disabled.
+ </p></div><p>Default: <b class="command">disable netbios = no</b></p><p>Example: <b class="command">disable netbios = yes</b></p></dd><dt><span class="term"><a name="DISABLESPOOLSS"></a>disable spoolss (G)</span></dt><dd><p>Enabling this parameter will disable Samba's support
+ for the SPOOLSS set of MS-RPC's and will yield identical behavior
+ as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
+ Lanman style printing commands. Windows 9x/ME will be uneffected by
+ the parameter. However, this will also disable the ability to upload
+ printer drivers to a Samba server via the Windows NT Add Printer
+ Wizard or by using the NT printer properties dialog window. It will
+ also disable the capability of Windows NT/2000 clients to download
+ print drivers from the Samba host upon demand.
+ <span class="emphasis"><em>Be very careful about enabling this parameter.</em></span>
+ </p><p>See also <a href="#USECLIENTDRIVER">use client driver</a>
+ </p><p>Default : <b class="command">disable spoolss = no</b></p></dd><dt><span class="term"><a name="DISPLAYCHARSET"></a>display charset (G)</span></dt><dd><p>Specifies the charset that samba will use
+ to print messages to stdout and stderr and SWAT will use.
+ Should generally be the same as the <b class="command">unix charset</b>.
+ </p><p>Default: <b class="command">display charset = ASCII</b></p><p>Example: <b class="command">display charset = UTF8</b></p></dd><dt><span class="term"><a name="DNSPROXY"></a>dns proxy (G)</span></dt><dd><p>Specifies that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> when acting as a WINS server and
+ finding that a NetBIOS name has not been registered, should treat the
+ NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server
+ for that name on behalf of the name-querying client.</p><p>Note that the maximum length for a NetBIOS name is 15
+ characters, so the DNS name (or DNS alias) can likewise only be
+ 15 characters, maximum.</p><p><b class="command">nmbd</b> spawns a second copy of itself to do the
+ DNS name lookup requests, as doing a name lookup is a blocking
+ action.</p><p>See also the parameter <a href="#WINSSUPPORT"><i class="parameter"><tt>
+ wins support</tt></i></a>.</p><p>Default: <b class="command">dns proxy = yes</b></p></dd><dt><span class="term"><a name="DOMAINLOGONS"></a>domain logons (G)</span></dt><dd><p>If set to <tt class="constant">yes</tt>, the Samba server will serve
+ Windows 95/98 Domain logons for the <a href="#WORKGROUP">
+ <i class="parameter"><tt>workgroup</tt></i></a> it is in. Samba 2.2
+ has limited capability to act as a domain controller for Windows
+ NT 4 Domains. For more details on setting up this feature see
+ the Samba-PDC-HOWTO included in the Samba documentation.</p><p>Default: <b class="command">domain logons = no</b></p></dd><dt><span class="term"><a name="DOMAINMASTER"></a>domain master (G)</span></dt><dd><p>Tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to enable WAN-wide browse list
+ collation. Setting this option causes <b class="command">nmbd</b> to
+ claim a special domain specific NetBIOS name that identifies
+ it as a domain master browser for its given <a href="#WORKGROUP">
+ <i class="parameter"><tt>workgroup</tt></i></a>. Local master browsers
+ in the same <i class="parameter"><tt>workgroup</tt></i> on broadcast-isolated
+ subnets will give this <b class="command">nmbd</b> their local browse lists,
+ and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a complete copy of the browse
+ list for the whole wide area network. Browser clients will then contact
+ their local master browser, and will receive the domain-wide browse list,
+ instead of just the list for their broadcast-isolated subnet.</p><p>Note that Windows NT Primary Domain Controllers expect to be
+ able to claim this <i class="parameter"><tt>workgroup</tt></i> specific special
+ NetBIOS name that identifies them as domain master browsers for
+ that <i class="parameter"><tt>workgroup</tt></i> by default (i.e. there is no
+ way to prevent a Windows NT PDC from attempting to do this). This
+ means that if this parameter is set and <b class="command">nmbd</b> claims
+ the special name for a <i class="parameter"><tt>workgroup</tt></i> before a Windows
+ NT PDC is able to do so then cross subnet browsing will behave
+ strangely and may fail.</p><p>If <a href="#DOMAINLOGONS"><b class="command">domain logons = yes</b>
+ </a>, then the default behavior is to enable the <i class="parameter"><tt>domain
+ master</tt></i> parameter. If <i class="parameter"><tt>domain logons</tt></i> is
+ not enabled (the default setting), then neither will <i class="parameter"><tt>domain
+ master</tt></i> be enabled by default.</p><p>Default: <b class="command">domain master = auto</b></p></dd><dt><span class="term"><a name="DONTDESCEND"></a>dont descend (S)</span></dt><dd><p>There are certain directories on some systems
+ (e.g., the <tt class="filename">/proc</tt> tree under Linux) that are either not
+ of interest to clients or are infinitely deep (recursive). This
+ parameter allows you to specify a comma-delimited list of directories
+ that the server should always show as empty.</p><p>Note that Samba can be very fussy about the exact format
+ of the &quot;dont descend&quot; entries. For example you may need <tt class="filename">
+ ./proc</tt> instead of just <tt class="filename">/proc</tt>.
+ Experimentation is the best policy :-) </p><p>Default: <span class="emphasis"><em>none (i.e., all directories are OK
+ to descend)</em></span></p><p>Example: <b class="command">dont descend = /proc,/dev</b></p></dd><dt><span class="term"><a name="DOSCHARSET"></a>dos charset (G)</span></dt><dd><p>DOS SMB clients assume the server has
+ the same charset as they do. This option specifies which
+ charset Samba should talk to DOS clients.
+ </p><p>The default depends on which charsets you have installed.
+ Samba tries to use charset 850 but falls back to ASCII in
+ case it is not available. Run <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> to check the default on your system.</p></dd><dt><span class="term"><a name="DOSFILEMODE"></a>dos filemode (S)</span></dt><dd><p> The default behavior in Samba is to provide
+ UNIX-like behavior where only the owner of a file/directory is
+ able to change the permissions on it. However, this behavior
+ is often confusing to DOS/Windows users. Enabling this parameter
+ allows a user who has write access to the file (by whatever
+ means) to modify the permissions on it. Note that a user
+ belonging to the group owning the file will not be allowed to
+ change permissions if the group is only granted read access.
+ Ownership of the file/directory is not changed, only the permissions
+ are modified.</p><p>Default: <b class="command">dos filemode = no</b></p></dd><dt><span class="term"><a name="DOSFILETIMERESOLUTION"></a>dos filetime resolution (S)</span></dt><dd><p>Under the DOS and Windows FAT filesystem, the finest
+ granularity on time resolution is two seconds. Setting this parameter
+ for a share causes Samba to round the reported time down to the
+ nearest two second boundary when a query call that requires one second
+ resolution is made to <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This option is mainly used as a compatibility option for Visual
+ C++ when used against Samba shares. If oplocks are enabled on a
+ share, Visual C++ uses two different time reading calls to check if a
+ file has changed since it was last read. One of these calls uses a
+ one-second granularity, the other uses a two second granularity. As
+ the two second call rounds any odd second down, then if the file has a
+ timestamp of an odd number of seconds then the two timestamps will not
+ match and Visual C++ will keep reporting the file has changed. Setting
+ this option causes the two timestamps to match, and Visual C++ is
+ happy.</p><p>Default: <b class="command">dos filetime resolution = no</b></p></dd><dt><span class="term"><a name="DOSFILETIMES"></a>dos filetimes (S)</span></dt><dd><p>Under DOS and Windows, if a user can write to a
+ file they can change the timestamp on it. Under POSIX semantics,
+ only the owner of the file or root may change the timestamp. By
+ default, Samba runs with POSIX semantics and refuses to change the
+ timestamp on a file if the user <b class="command">smbd</b> is acting
+ on behalf of is not the file owner. Setting this option to <tt class="constant">
+ yes</tt> allows DOS semantics and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will change the file
+ timestamp as DOS requires.</p><p>Default: <b class="command">dos filetimes = no</b></p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords
+ will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+ above and also Windows 98 will by default expect encrypted passwords
+ unless a registry entry is changed. To use encrypted passwords in
+ Samba see the chapter &quot;User Database&quot; in the Samba HOWTO Collection. </p><p>In order for encrypted passwords to work correctly
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either
+ have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up
+ and maintain this file), or set the <a href="#SECURITY">security = [server|domain|ads]</a> parameter which
+ causes <b class="command">smbd</b> to authenticate against another
+ server.</p><p>Default: <b class="command">encrypt passwords = yes</b></p></dd><dt><span class="term"><a name="ENHANCEDBROWSING"></a>enhanced browsing (G)</span></dt><dd><p>This option enables a couple of enhancements to
+ cross-subnet browse propagation that have been added in Samba
+ but which are not standard in Microsoft implementations.
+ </p><p>The first enhancement to browse propagation consists of a regular
+ wildcard query to a Samba WINS server for all Domain Master Browsers,
+ followed by a browse synchronization with each of the returned
+ DMBs. The second enhancement consists of a regular randomised browse
+ synchronization with all currently known DMBs.</p><p>You may wish to disable this option if you have a problem with empty
+ workgroups not disappearing from browse lists. Due to the restrictions
+ of the browse protocols these enhancements can cause a empty workgroup
+ to stay around forever which can be annoying.</p><p>In general you should leave this option enabled as it makes
+ cross-subnet browse propagation much more reliable.</p><p>Default: <b class="command">enhanced browsing = yes</b></p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a &quot;port&quot; is fairly foreign
+ to UNIX hosts. Under Windows NT/2000 print servers, a port
+ is associated with a port monitor and generally takes the form of
+ a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
+ (i.e. LPD Port Monitor, etc...). By default, Samba has only one
+ port defined--<tt class="constant">&quot;Samba Printer Port&quot;</tt>. Under
+ Windows NT/2000, all printers must have a valid port name.
+ If you wish to have a list of ports displayed (<b class="command">smbd
+ </b> does not use a port name for anything) other than
+ the default <tt class="constant">&quot;Samba Printer Port&quot;</tt>, you
+ can define <i class="parameter"><tt>enumports command</tt></i> to point to
+ a program which should generate a list of ports, one per line,
+ to standard output. This listing will then be used in response
+ to the level 1 and 2 EnumPorts() RPC.</p><p>Default: <span class="emphasis"><em>no enumports command</em></span></p><p>Example: <b class="command">enumports command = /usr/bin/listports</b></p></dd><dt><span class="term"><a name="EXEC"></a>exec (S)</span></dt><dd><p>This is a synonym for <a href="#PREEXEC">
+ <i class="parameter"><tt>preexec</tt></i></a>.</p></dd><dt><span class="term"><a name="FAKEDIRECTORYCREATETIMES"></a>fake directory create times (S)</span></dt><dd><p>NTFS and Windows VFAT file systems keep a create
+ time for all files and directories. This is not the same as the
+ ctime - status change time - that Unix keeps, so Samba by default
+ reports the earliest of the various times Unix does keep. Setting
+ this parameter for a share causes Samba to always report midnight
+ 1-1-1980 as the create time for directories.</p><p>This option is mainly used as a compatibility option for
+ Visual C++ when used against Samba shares. Visual C++ generated
+ makefiles have the object directory as a dependency for each object
+ file, and a make rule to create the directory. Also, when NMAKE
+ compares timestamps it uses the creation time when examining a
+ directory. Thus the object directory will be created if it does not
+ exist, but once it does exist it will always have an earlier
+ timestamp than the object files it contains.</p><p>However, Unix time semantics mean that the create time
+ reported by Samba will be updated whenever a file is created or
+ or deleted in the directory. NMAKE finds all object files in
+ the object directory. The timestamp of the last one built is then
+ compared to the timestamp of the object directory. If the
+ directory's timestamp if newer, then all object files
+ will be rebuilt. Enabling this option
+ ensures directories always predate their contents and an NMAKE build
+ will proceed as expected.</p><p>Default: <b class="command">fake directory create times = no</b></p></dd><dt><span class="term"><a name="FAKEOPLOCKS"></a>fake oplocks (S)</span></dt><dd><p>Oplocks are the way that SMB clients get permission
+ from a server to locally cache file operations. If a server grants
+ an oplock (opportunistic lock) then the client is free to assume
+ that it is the only one accessing the file and it will aggressively
+ cache file data. With some oplock types the client may even cache
+ file open/close operations. This can give enormous performance benefits.
+ </p><p>When you set <b class="command">fake oplocks = yes</b>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will
+ always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a href="#OPLOCKS">
+ <i class="parameter"><tt>oplocks</tt></i></a> support rather
+ than this parameter.</p><p>If you enable this option on all read-only shares or
+ shares that you know will only be accessed from one client at a
+ time such as physically read-only media like CDROMs, you will see
+ a big performance improvement on many operations. If you enable
+ this option on shares where multiple clients may be accessing the
+ files read-write at the same time you can get data corruption. Use
+ this option carefully!</p><p>Default: <b class="command">fake oplocks = no</b></p></dd><dt><span class="term"><a name="FOLLOWSYMLINKS"></a>follow symlinks (S)</span></dt><dd><p>This parameter allows the Samba administrator
+ to stop <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> from following symbolic
+ links in a particular share. Setting this
+ parameter to <tt class="constant">no</tt> prevents any file or directory
+ that is a symbolic link from being followed (the user will get an
+ error). This option is very useful to stop users from adding a
+ symbolic link to <tt class="filename">/etc/passwd</tt> in their home
+ directory for instance. However it will slow filename lookups
+ down slightly.</p><p>This option is enabled (i.e. <b class="command">smbd</b> will
+ follow symbolic links) by default.</p><p>Default: <b class="command">follow symlinks = yes</b></p></dd><dt><span class="term"><a name="FORCECREATEMODE"></a>force create mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit
+ permissions that will <span class="emphasis"><em>always</em></span> be set on a
+ file created by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created or having its
+ permissions changed. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <i class="parameter"><tt>create mask</tt></i>
+ parameter is applied.</p><p>See also the parameter <a href="#CREATEMASK"><i class="parameter"><tt>create
+ mask</tt></i></a> for details on masking mode bits on files.</p><p>See also the <a href="#INHERITPERMISSIONS"><i class="parameter"><tt>inherit
+ permissions</tt></i></a> parameter.</p><p>Default: <b class="command">force create mode = 000</b></p><p>Example: <b class="command">force create mode = 0755</b></p><p>would force all created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</p></dd><dt><span class="term"><a name="FORCEDIRECTORYMODE"></a>force directory mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit
+ permissions that will <span class="emphasis"><em>always</em></span> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <i class="parameter"><tt>directory mask</tt></i> is
+ applied.</p><p>See also the parameter <a href="#DIRECTORYMASK"><i class="parameter"><tt>
+ directory mask</tt></i></a> for details on masking mode bits
+ on created directories.</p><p>See also the <a href="#INHERITPERMISSIONS"><i class="parameter"><tt>
+ inherit permissions</tt></i></a> parameter.</p><p>Default: <b class="command">force directory mode = 000</b></p><p>Example: <b class="command">force directory mode = 0755</b></p><p>would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</p></dd><dt><span class="term"><a name="FORCEDIRECTORYSECURITYMODE"></a>force directory security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog box.</p><p>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a directory, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is 000, which
+ allows a user to modify all the user/group/world permissions on a
+ directory without restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ it set as 0000.</p><p>See also the <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>
+ directory security mask</tt></i></a>, <a href="#SECURITYMASK">
+ <i class="parameter"><tt>security mask</tt></i></a>,
+ <a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode
+ </tt></i></a> parameters.</p><p>Default: <b class="command">force directory security mode = 0</b></p><p>Example: <b class="command">force directory security mode = 700</b></p></dd><dt><span class="term"><a name="FORCEGROUP"></a>force group (S)</span></dt><dd><p>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</p><p>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <tt class="filename">force group = +sys</tt> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</p><p>If the <a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i>
+ </a> parameter is also set the group specified in
+ <i class="parameter"><tt>force group</tt></i> will override the primary group
+ set in <i class="parameter"><tt>force user</tt></i>.</p><p>See also <a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i></a>.</p><p>Default: <span class="emphasis"><em>no forced group</em></span></p><p>Example: <b class="command">force group = agroup</b></p></dd><dt><span class="term"><a name="FORCESECURITYMODE"></a>force security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog
+ box.</p><p>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to 0,
+ and allows a user to modify all the user/group/world permissions on a file,
+ with no restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access
+ the Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone &quot;appliance&quot; systems.
+ Administrators of most normal systems will probably want to leave
+ this set to 0000.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>
+ force directory security mode</tt></i></a>,
+ <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory security
+ mask</tt></i></a>, <a href="#SECURITYMASK"><i class="parameter"><tt>
+ security mask</tt></i></a> parameters.</p><p>Default: <b class="command">force security mode = 0</b></p><p>Example: <b class="command">force security mode = 700</b></p></dd><dt><span class="term"><a name="FORCEUSER"></a>force user (S)</span></dt><dd><p>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</p><p>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the &quot;forced user&quot;, no matter what username the client connected
+ as. This can be very useful.</p><p>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</p><p>See also <a href="#FORCEGROUP"><i class="parameter"><tt>force group</tt></i></a></p><p>Default: <span class="emphasis"><em>no forced user</em></span></p><p>Example: <b class="command">force user = auser</b></p></dd><dt><span class="term"><a name="FSTYPE"></a>fstype (S)</span></dt><dd><p>This parameter allows the administrator to
+ configure the string that specifies the type of filesystem a share
+ is using that is reported by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a client queries the filesystem type
+ for a share. The default type is <tt class="constant">NTFS</tt> for
+ compatibility with Windows NT but this can be changed to other
+ strings such as <tt class="constant">Samba</tt> or <tt class="constant">FAT
+ </tt> if required.</p><p>Default: <b class="command">fstype = NTFS</b></p><p>Example: <b class="command">fstype = Samba</b></p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a
+ caching algorithm will be used to reduce the time taken for getwd()
+ calls. This can have a significant impact on performance, especially
+ when the <a href="#WIDELINKS"><i class="parameter"><tt>wide links</tt></i>
+ </a> parameter is set to <tt class="constant">no</tt>.</p><p>Default: <b class="command">getwd cache = yes</b></p></dd><dt><span class="term"><a name="GROUP"></a>group (S)</span></dt><dd><p>Synonym for <a href="#FORCEGROUP">
+ <i class="parameter"><tt>force group</tt></i></a>.</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G,S)</span></dt><dd><p>This is a username which will be used for access
+ to services which are specified as <a href="#GUESTOK"><i class="parameter"><tt>
+ guest ok</tt></i></a> (see below). Whatever privileges this
+ user has will be available to any client connecting to the guest service.
+ Typically this user will exist in the password file, but will not
+ have a valid login. The user account &quot;ftp&quot; is often a good choice
+ for this parameter. If a username is specified in a given service,
+ the specified username overrides this one.
+ </p><p>One some systems the default guest account &quot;nobody&quot; may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <b class="command">su -</b> command) and trying to print using the
+ system print command such as <b class="command">lpr(1)</b> or <b class="command">
+ lp(1)</b>.</p><p>This parameter does not accept % macros, because
+ many parts of the system require this value to be
+ constant for correct operation.</p><p>Default: <span class="emphasis"><em>specified at compile time, usually &quot;nobody&quot;</em></span></p><p>Example: <b class="command">guest account = ftp</b></p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt> for
+ a service, then no password is required to connect to the service.
+ Privileges will be those of the <a href="#GUESTACCOUNT"><i class="parameter"><tt>
+ guest account</tt></i></a>.</p><p>This paramater nullifies the benifits of setting
+ <a href="#RESTRICTANONYMOUS"><i class="parameter"><tt>restrict
+ anonymous</tt></i></a> = 2</p><p>See the section below on <a href="#SECURITY"><i class="parameter"><tt>
+ security</tt></i></a> for more information about this option.
+ </p><p>Default: <b class="command">guest ok = no</b></p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no effect if <a href="#GUESTOK">
+ <i class="parameter"><tt>guest ok</tt></i></a> is not set for the service.</p><p>See the section below on <a href="#SECURITY"><i class="parameter"><tt>
+ security</tt></i></a> for more information about this option.
+ </p><p>Default: <b class="command">guest only = no</b></p></dd><dt><span class="term"><a name="HIDEDOTFILES"></a>hide dot files (S)</span></dt><dd><p>This is a boolean parameter that controls whether
+ files starting with a dot appear as hidden files.</p><p>Default: <b class="command">hide dot files = yes</b></p></dd><dt><span class="term"><a name="HIDEFILES"></a>hide files (S)</span></dt><dd><p>This is a list of files or directories that are not
+ visible but are accessible. The DOS 'hidden' attribute is applied
+ to any files or directories that match.</p><p>Each entry in the list must be separated by a '/',
+ which allows spaces to be included in the entry. '*'
+ and '?' can be used to specify multiple files or directories
+ as in DOS wildcards.</p><p>Each entry must be a Unix path, not a DOS path and must
+ not include the Unix directory separator '/'.</p><p>Note that the case sensitivity option is applicable
+ in hiding files.</p><p>Setting this parameter will affect the performance of Samba,
+ as it will be forced to check all files and directories for a match
+ as they are scanned.</p><p>See also <a href="#HIDEDOTFILES"><i class="parameter"><tt>hide
+ dot files</tt></i></a>, <a href="#VETOFILES"><i class="parameter"><tt>
+ veto files</tt></i></a> and <a href="#CASESENSITIVE">
+ <i class="parameter"><tt>case sensitive</tt></i></a>.</p><p>Default: <span class="emphasis"><em>no file are hidden</em></span></p><p>Example: <b class="command">hide files =
+ /.*/DesktopFolderDB/TrashFor%m/resource.frk/</b></p><p>The above example is based on files that the Macintosh
+ SMB client (DAVE) available from <a href="http://www.thursby.com" target="_top">
+ Thursby</a> creates for internal use, and also still hides
+ all files beginning with a dot.</p></dd><dt><span class="term"><a name="HIDELOCALUSERS"></a>hide local users (G)</span></dt><dd><p>This parameter toggles the hiding of local UNIX
+ users (root, wheel, floppy, etc) from remote clients.</p><p>Default: <b class="command">hide local users = no</b></p></dd><dt><span class="term"><a name="HIDESPECIALFILES"></a>hide special files (S)</span></dt><dd><p>This parameter prevents clients from seeing
+ special files such as sockets, devices and fifo's in directory
+ listings.
+ </p><p>Default: <b class="command">hide special files = no</b></p></dd><dt><span class="term"><a name="HIDEUNREADABLE"></a>hide unreadable (S)</span></dt><dd><p>This parameter prevents clients from seeing the
+ existance of files that cannot be read. Defaults to off.</p><p>Default: <b class="command">hide unreadable = no</b></p></dd><dt><span class="term"><a name="HIDEUNWRITEABLEFILES"></a>hide unwriteable files (S)</span></dt><dd><p>This parameter prevents clients from seeing
+ the existance of files that cannot be written to. Defaults to off.
+ Note that unwriteable directories are shown as usual.
+ </p><p>Default: <b class="command">hide unwriteable = no</b></p></dd><dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p>If<a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir
+ </tt></i></a> is <tt class="constant">yes</tt>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting
+ as a Win95/98 <i class="parameter"><tt>logon server</tt></i> then this parameter
+ specifies the NIS (or YP) map from which the server for the user's
+ home directory should be extracted. At present, only the Sun
+ auto.home map format is understood. The form of the map is:</p><p><b class="command">username server:/some/file/system</b></p><p>and the program will extract the servername from before
+ the first ':'. There should probably be a better parsing system
+ that copes with different map formats and also Amd (another
+ automounter) maps.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>A working NIS client is required on
+ the system for this option to work.</p></div><p>See also <a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir</tt></i>
+ </a>, <a href="#DOMAINLOGONS"><i class="parameter"><tt>domain logons</tt></i>
+ </a>.</p><p>Default: <b class="command">homedir map = &lt;empty string&gt;</b></p><p>Example: <b class="command">homedir map = amd.homedir</b></p></dd><dt><span class="term"><a name="HOSTMSDFS"></a>host msdfs (G)</span></dt><dd><p>This boolean parameter is only available
+ if Samba has been configured and compiled with the <b class="command">
+ --with-msdfs</b> option. If set to <tt class="constant">yes</tt>,
+ Samba will act as a Dfs server, and allow Dfs-aware clients
+ to browse Dfs trees hosted on the server.</p><p>See also the <a href="#MSDFSROOT"><i class="parameter"><tt>
+ msdfs root</tt></i></a> share level parameter. For
+ more information on setting up a Dfs tree on Samba,
+ refer to <a href="msdfs_setup.html" target="_top">msdfs_setup.html</a>.
+ </p><p>Default: <b class="command">host msdfs = no</b></p></dd><dt><span class="term"><a name="HOSTNAMELOOKUPS"></a>hostname lookups (G)</span></dt><dd><p>Specifies whether samba should use (expensive)
+ hostname lookups or use the ip addresses instead. An example place
+ where hostname lookups are currently used is when checking
+ the <b class="command">hosts deny</b> and <b class="command">hosts allow</b>.
+ </p><p>Default: <b class="command">hostname lookups = yes</b></p><p>Example: <b class="command">hostname lookups = no</b></p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <i class="parameter"><tt>allow
+ hosts</tt></i>.</p><p>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</p><p>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <b class="command">allow hosts = 150.203.5.
+ </b>. The full syntax of the list is described in the man
+ page <tt class="filename">hosts_access(5)</tt>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</p><p>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <a href="#HOSTSDENY">
+ <i class="parameter"><tt>hosts deny</tt></i></a> option.</p><p>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><b class="command">hosts allow = 150.203. EXCEPT 150.203.6.66</b></p><p>Example 2: allow hosts that match the given network/netmask</p><p><b class="command">hosts allow = 150.203.15.0/255.255.255.0</b></p><p>Example 3: allow a couple of hosts</p><p><b class="command">hosts allow = lapland, arvidsjaur</b></p><p>Example 4: allow only hosts in NIS netgroup &quot;foonet&quot;, but
+ deny access from one particular host</p><p><b class="command">hosts allow = @foonet</b></p><p><b class="command">hosts deny = pirate</b></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that access still requires suitable user-level passwords.</p></div><p>See <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> for a way of testing your host access
+ to see if it does what you expect.</p><p>Default: <span class="emphasis"><em>none (i.e., all hosts permitted access)</em></span></p><p>Example: <b class="command">allow hosts = 150.203.5. myhost.mynet.edu.au</b></p></dd><dt><span class="term"><a name="HOSTSDENY"></a>hosts deny (S)</span></dt><dd><p>The opposite of <i class="parameter"><tt>hosts allow</tt></i>
+ - hosts listed here are <span class="emphasis"><em>NOT</em></span> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <i class="parameter"><tt>allow</tt></i>
+ list takes precedence.</p><p>Default: <span class="emphasis"><em>none (i.e., no hosts specifically excluded)</em></span></p><p>Example: <b class="command">hosts deny = 150.203.4. badhost.mynet.edu.au</b></p></dd><dt><span class="term"><a name="HOSTSEQUIV"></a>hosts equiv (G)</span></dt><dd><p>If this global parameter is a non-null string,
+ it specifies the name of a file to read for the names of hosts
+ and users who will be allowed access without specifying a password.
+ </p><p>This is not be confused with <a href="#HOSTSALLOW">
+ <i class="parameter"><tt>hosts allow</tt></i></a> which is about hosts
+ access to services and is more useful for guest services. <i class="parameter"><tt>
+ hosts equiv</tt></i> may be useful for NT clients which will
+ not supply passwords to Samba.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The use of <i class="parameter"><tt>hosts equiv
+ </tt></i> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the
+ <i class="parameter"><tt>hosts equiv</tt></i> option be only used if you really
+ know what you are doing, or perhaps on a home network where you trust
+ your spouse and kids. And only if you <span class="emphasis"><em>really</em></span> trust
+ them :-).</p></div><p>Default: <span class="emphasis"><em>no host equivalences</em></span></p><p>Example: <b class="command">hosts equiv = /etc/hosts.equiv</b></p></dd><dt><span class="term"><a name="INCLUDE"></a>include (G)</span></dt><dd><p>This allows you to include one config file
+ inside another. The file is included literally, as though typed
+ in place.</p><p>It takes the standard substitutions, except <i class="parameter"><tt>%u
+ </tt></i>, <i class="parameter"><tt>%P</tt></i> and <i class="parameter"><tt>%S</tt></i>.
+ </p><p>Default: <span class="emphasis"><em>no file included</em></span></p><p>Example: <b class="command">include = /usr/local/samba/lib/admin_smb.conf</b></p></dd><dt><span class="term"><a name="INHERITACLS"></a>inherit acls (S)</span></dt><dd><p>This parameter can be used to ensure that if default acls
+ exist on parent directories, they are always honored when creating a
+ subdirectory. The default behavior is to use the mode specified when
+ creating the directory. Enabling this option sets the mode to 0777,
+ thus guaranteeing that default directory acls are propagated.
+ </p><p>Default: <b class="command">inherit acls = no</b>
+</p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p>The permissions on new files and directories
+ are normally governed by <a href="#CREATEMASK"><i class="parameter"><tt>
+ create mask</tt></i></a>, <a href="#DIRECTORYMASK">
+ <i class="parameter"><tt>directory mask</tt></i></a>, <a href="#FORCECREATEMODE">
+ <i class="parameter"><tt>force create mode</tt></i>
+ </a> and <a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force
+ directory mode</tt></i></a> but the boolean inherit
+ permissions parameter overrides this.</p><p>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</p><p>New files inherit their read/write bits from the parent
+ directory. Their execute bits continue to be determined by
+ <a href="#MAPARCHIVE"><i class="parameter"><tt>map archive</tt></i>
+ </a>, <a href="#MAPHIDDEN"><i class="parameter"><tt>map hidden</tt></i>
+ </a> and <a href="#MAPSYSTEM"><i class="parameter"><tt>map system</tt></i>
+ </a> as usual.</p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via
+ inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with
+ many users, perhaps several thousand, to allow a single [homes]
+ share to be used flexibly by each user.</p><p>See also <a href="#CREATEMASK"><i class="parameter"><tt>create mask
+ </tt></i></a>, <a href="#DIRECTORYMASK"><i class="parameter"><tt>
+ directory mask</tt></i></a>, <a href="#FORCECREATEMODE">
+ <i class="parameter"><tt>force create mode</tt></i></a> and <a href="#FORCEDIRECTORYMODE">
+ <i class="parameter"><tt>force directory mode</tt></i>
+ </a>.</p><p>Default: <b class="command">inherit permissions = no</b></p></dd><dt><span class="term"><a name="INTERFACES"></a>interfaces (G)</span></dt><dd><p>This option allows you to override the default
+ network interfaces list that Samba will use for browsing, name
+ registration and other NBT traffic. By default Samba will query
+ the kernel for the list of all active interfaces and use any
+ interfaces except 127.0.0.1 that are broadcast capable.</p><p>The option takes a list of interface strings. Each string
+ can be in any of the following forms:</p><div class="itemizedlist"><ul type="disc"><li><p>a network interface name (such as eth0).
+ This may include shell-like wildcards so eth* will match
+ any interface starting with the substring &quot;eth&quot;</p></li><li><p>an IP address. In this case the netmask is
+ determined from the list of interfaces obtained from the
+ kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The &quot;mask&quot; parameters can either be a bit length (such
+ as 24 for a C class network) or a full netmask in dotted
+ decimal form.</p><p>The &quot;IP&quot; parameters above can either be a full dotted
+ decimal IP address or a hostname which will be looked up via
+ the OS's normal hostname resolution mechanisms.</p><p>For example, the following line:</p><p><b class="command">interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</b></p><p>would configure three network interfaces corresponding
+ to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
+ The netmasks of the latter two interfaces would be set to 255.255.255.0.</p><p>See also <a href="#BINDINTERFACESONLY"><i class="parameter"><tt>bind
+ interfaces only</tt></i></a>.</p><p>Default: <span class="emphasis"><em>all active interfaces except 127.0.0.1
+ that are broadcast capable</em></span></p></dd><dt><span class="term"><a name="INVALIDUSERS"></a>invalid users (S)</span></dt><dd><p>This is a list of users that should not be allowed
+ to login to this service. This is really a <span class="emphasis"><em>paranoid</em></span>
+ check to absolutely ensure an improper setting does not breach
+ your security.</p><p>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</p><p>A name starting with '+' is interpreted only
+ by looking in the UNIX group database. A name starting with
+ '&amp;' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&amp;' may be used at the start of the name in either order
+ so the value <i class="parameter"><tt>+&amp;group</tt></i> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <i class="parameter"><tt>&amp;+group</tt></i> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</p><p>The current servicename is substituted for <i class="parameter"><tt>%S</tt></i>.
+ This is useful in the [homes] section.</p><p>See also <a href="#VALIDUSERS"><i class="parameter"><tt>valid users
+ </tt></i></a>.</p><p>Default: <span class="emphasis"><em>no invalid users</em></span></p><p>Example: <b class="command">invalid users = root fred admin @wheel</b></p></dd><dt><span class="term"><a name="KEEPALIVE"></a>keepalive (G)</span></dt><dd><p>The value of the parameter (an integer) represents
+ the number of seconds between <i class="parameter"><tt>keepalive</tt></i>
+ packets. If this parameter is zero, no keepalive packets will be
+ sent. Keepalive packets, if sent, allow the server to tell whether
+ a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
+ being used has the SO_KEEPALIVE attribute set on it (see <a href="#SOCKETOPTIONS">
+ <i class="parameter"><tt>socket options</tt></i></a>).
+ Basically you should only use this option if you strike difficulties.</p><p>Default: <b class="command">keepalive = 300</b></p><p>Example: <b class="command">keepalive = 600</b></p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a href="#OPLOCKS">
+ <i class="parameter"><tt>oplocks</tt></i></a>
+ (currently only IRIX and the Linux 2.4 kernel), this parameter
+ allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <i class="parameter"><tt>oplocks
+ </tt></i> to be broken whenever a local UNIX process or NFS operation
+ accesses a file that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has oplocked. This allows complete
+ data consistency between SMB/CIFS, NFS and local file access (and is
+ a <span class="emphasis"><em>very</em></span> cool feature :-).</p><p>This parameter defaults to <tt class="constant">on</tt>, but is translated
+ to a no-op on systems that no not have the necessary kernel support.
+ You should never need to touch this parameter.</p><p>See also the <a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i>
+ </a> and <a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>level2 oplocks
+ </tt></i></a> parameters.</p><p>Default: <b class="command">kernel oplocks = yes</b></p></dd><dt><span class="term"><a name="LANMANAUTH"></a>lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to authenticate users
+ using the LANMAN password hash. If disabled, only clients which support NT
+ password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
+ Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</p><p>The LANMAN encrypted response is easily broken, due to it's
+ case-insensitive nature, and the choice of algorithm. Servers
+ without Windows 95/98 or MS DOS clients are advised to disable
+ this option. </p><p>Unlike the <b class="command">encypt
+ passwords</b> option, this parameter cannot alter client
+ behaviour, and the LANMAN response will still be sent over the
+ network. See the <b class="command">client lanman
+ auth</b> to disable this for Samba's clients (such as smbclient)</p><p>If this option, and <b class="command">ntlm
+ auth</b> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</p><p>Default : <b class="command">lanman auth = yes</b></p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> supports the new 64k
+ streaming read and write varient SMB requests introduced with
+ Windows 2000. Note that due to Windows 2000 client redirector bugs
+ this requires Samba to be running on a 64-bit capable operating
+ system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
+ performance by 10% with Windows 2000 clients. Defaults to on. Not as
+ tested as some other Samba code paths.</p><p>Default: <b class="command">large readwrite = yes</b></p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p> The <i class="parameter"><tt>ldap admin dn</tt></i>
+ defines the Distinguished Name (DN) name used by Samba to
+ contact the ldap server when retreiving user account
+ information. The <i class="parameter"><tt>ldap admin
+ dn</tt></i> is used in conjunction with the admin dn password
+ stored in the <tt class="filename">private/secrets.tdb</tt> file.
+ See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> man page for more
+ information on how to accmplish this.</p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
+ operation in the ldapsam deletes the complete entry or only the attributes
+ specific to Samba.
+ </p><p>Default: <span class="emphasis"><em>ldap delete dn = no</em></span></p></dd><dt><span class="term"><a name="LDAPFILTER"></a>ldap filter (G)</span></dt><dd><p>This parameter specifies the RFC 2254 compliant LDAP search filter.
+ The default is to match the login name with the <tt class="constant">uid</tt>
+ attribute for all entries matching the <tt class="constant">sambaAccount</tt>
+ objectclass. Note that this filter should only return one entry.
+ </p><p>Default: <b class="command">ldap filter = (&amp;(uid=%u)(objectclass=sambaAccount))</b></p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>It specifies where machines should be added to the ldap tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p>This option is used to define whether
+ or not Samba should sync the LDAP password with the NT
+ and LM hashes for normal accounts (NOT for
+ workstation, server or domain trusts) on a password
+ change via SAMBA.
+ </p><p>The <i class="parameter"><tt>ldap passwd
+ sync</tt></i> can be set to one of three values: </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>Yes</tt></i> = Try
+ to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><i class="parameter"><tt>No</tt></i> = Update NT and
+ LM passwords and update the pwdLastSet time.</p></li><li><p><i class="parameter"><tt>Only</tt></i> = Only update
+ the LDAP password and let the LDAP server do the rest.</p></li></ul></div><p>Default: <b class="command">ldap passwd sync = no</b></p></dd><dt><span class="term"><a name="LDAPPORT"></a>ldap port (G)</span></dt><dd><p>This parameter is only available if Samba has been
+ configure to include the <b class="command">--with-ldapsam</b> option
+ at compile time.</p><p>This option is used to control the tcp port number used to contact
+ the <a href="#LDAPSERVER"><i class="parameter"><tt>ldap server</tt></i></a>.
+ The default is to use the stand LDAPS port 636.</p><p>See Also: <a href="#LDAPSSL">ldap ssl</a></p><p>Default : <b class="command">ldap port = 636 ; if ldap ssl = on</b></p><p>Default : <b class="command">ldap port = 389 ; if ldap ssl = off</b></p></dd><dt><span class="term"><a name="LDAPSERVER"></a>ldap server (G)</span></dt><dd><p>This parameter is only available if Samba has been
+ configure to include the <b class="command">--with-ldapsam</b>
+ option at compile time.</p><p>This parameter should contain the FQDN of the ldap directory
+ server which should be queried to locate user account information.
+ </p><p>Default : <b class="command">ldap server = localhost</b></p></dd><dt><span class="term"><a name="LDAPSSL"></a>ldap ssl (G)</span></dt><dd><p>This option is used to define whether or not Samba should
+ use SSL when connecting to the ldap server
+ This is <span class="emphasis"><em>NOT</em></span> related to
+ Samba's previous SSL support which was enabled by specifying the
+ <b class="command">--with-ssl</b> option to the <tt class="filename">configure</tt>
+ script.</p><p>The <i class="parameter"><tt>ldap ssl</tt></i> can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>Off</tt></i> = Never
+ use SSL when querying the directory.</p></li><li><p><i class="parameter"><tt>Start_tls</tt></i> = Use
+ the LDAPv3 StartTLS extended operation (RFC2830) for
+ communicating with the directory server.</p></li><li><p><i class="parameter"><tt>On</tt></i> = Use SSL
+ on the ldaps port when contacting the <i class="parameter"><tt>ldap server</tt></i>. Only available when the
+ backwards-compatiblity <b class="command">--with-ldapsam</b> option is specified
+ to configure. See <a href="#PASSDBBACKEND"><i class="parameter"><tt>passdb backend</tt></i></a></p></li></ul></div><p>Default : <b class="command">ldap ssl = start_tls</b></p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies where user and machine accounts are added to the
+ tree. Can be overriden by <b class="command">ldap user
+ suffix</b> and <b class="command">ldap machine
+ suffix</b>. It also used as the base dn for all ldap
+ searches. </p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPTRUSTIDS"></a>ldap trust ids (G)</span></dt><dd><p>Normally, Samba validates each entry in the LDAP server
+ against getpwnam(). This allows LDAP to be used for Samba with
+ the unix system using NIS (for example) and also ensures that
+ Samba does not present accounts that do not otherwise exist.
+ </p><p>This option is used to disable this functionality, and
+ instead to rely on the presence of the appropriate attributes
+ in LDAP directly, which can result in a significant performance
+ boost in some situations. Setting this option to yes effectivly
+ assumes that the local machine is running <b class="command">nss_ldap</b> against the same LDAP
+ server.</p><p>Default: <b class="command">ldap trust ids = No</b></p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p>It specifies where users are added to the tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports
+ level2 (read-only) oplocks on a share.</p><p>Level2, or read-only oplocks allow Windows NT clients
+ that have an oplock on a file to downgrade from a read-write oplock
+ to a read-only oplock once a second client opens the file (instead
+ of releasing all oplocks on a second open, as in traditional,
+ exclusive oplocks). This allows all openers of the file that
+ support level2 oplocks to cache the file for read-ahead only (ie.
+ they may not cache writes or lock requests) and increases performance
+ for many accesses of files that are not commonly written (such as
+ application .EXE files).</p><p>Once one of the clients which have a read-only oplock
+ writes to the file all clients are notified (no reply is needed
+ or waited for) and told to break their oplocks to &quot;none&quot; and
+ delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to
+ speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p>Currently, if <a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel
+ oplocks</tt></i></a> are supported then level2 oplocks are
+ not granted (even if this parameter is set to <tt class="constant">yes</tt>).
+ Note also, the <a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i>
+ </a> parameter must be set to <tt class="constant">yes</tt> on this share in order for
+ this parameter to have any effect.</p><p>See also the <a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i>
+ </a> and <a href="#OPLOCKS"><i class="parameter"><tt>kernel oplocks</tt></i>
+ </a> parameters.</p><p>Default: <b class="command">level2 oplocks = yes</b></p></dd><dt><span class="term"><a name="LMANNOUNCE"></a>lm announce (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will produce Lanman announce
+ broadcasts that are needed by OS/2 clients in order for them to see
+ the Samba server in their browse list. This parameter can have three
+ values, <tt class="constant">yes</tt>, <tt class="constant">no</tt>, or
+ <tt class="constant">auto</tt>. The default is <tt class="constant">auto</tt>.
+ If set to <tt class="constant">no</tt> Samba will never produce these
+ broadcasts. If set to <tt class="constant">yes</tt> Samba will produce
+ Lanman announce broadcasts at a frequency set by the parameter
+ <i class="parameter"><tt>lm interval</tt></i>. If set to <tt class="constant">auto</tt>
+ Samba will not send Lanman announce broadcasts by default but will
+ listen for them. If it hears such a broadcast on the wire it will
+ then start sending them at a frequency set by the parameter
+ <i class="parameter"><tt>lm interval</tt></i>.</p><p>See also <a href="#LMINTERVAL"><i class="parameter"><tt>lm interval</tt></i></a>.</p><p>Default: <b class="command">lm announce = auto</b></p><p>Example: <b class="command">lm announce = yes</b></p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce
+ broadcasts needed by OS/2 clients (see the <a href="#LMANNOUNCE">
+ <i class="parameter"><tt>lm announce</tt></i></a> parameter) then this
+ parameter defines the frequency in seconds with which they will be
+ made. If this is set to zero then no Lanman announcements will be
+ made despite the setting of the <i class="parameter"><tt>lm announce</tt></i>
+ parameter.</p><p>See also <a href="#LMANNOUNCE"><i class="parameter"><tt>lm announce</tt></i></a>.</p><p>Default: <b class="command">lm interval = 60</b></p><p>Example: <b class="command">lm interval = 120</b></p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all
+ printers in the printcap will be loaded for browsing by default.
+ See the <a href="#PRINTERSSECT" title="The [printers] section">printers</a> section for
+ more details.</p><p>Default: <b class="command">load printers = yes</b></p></dd><dt><span class="term"><a name="LOCALMASTER"></a>local master (G)</span></dt><dd><p>This option allows <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to try and become a local master browser
+ on a subnet. If set to <tt class="constant">no</tt> then <b class="command">
+ nmbd</b> will not attempt to become a local master browser
+ on a subnet and will also lose in all browsing elections. By
+ default this value is set to <tt class="constant">yes</tt>. Setting this value to
+ <tt class="constant">yes</tt> doesn't mean that Samba will <span class="emphasis"><em>become</em></span> the
+ local master browser on a subnet, just that <b class="command">nmbd</b>
+ will <span class="emphasis"><em>participate</em></span> in elections for local master browser.</p><p>Setting this value to <tt class="constant">no</tt> will cause <b class="command">nmbd</b> <span class="emphasis"><em>never</em></span> to become a local
+ master browser.</p><p>Default: <b class="command">local master = yes</b></p></dd><dt><span class="term"><a name="LOCKDIR"></a>lock dir (G)</span></dt><dd><p>Synonym for <a href="#LOCKDIRECTORY"><i class="parameter"><tt>
+ lock directory</tt></i></a>.
+</p></dd><dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock
+ files will be placed. The lock files are used to implement the
+ <a href="#MAXCONNECTIONS"><i class="parameter"><tt>max connections</tt></i>
+ </a> option.</p><p>Default: <b class="command">lock directory = ${prefix}/var/locks</b></p><p>Example: <b class="command">lock directory = /var/run/samba/locks</b></p></dd><dt><span class="term"><a name="LOCKING"></a>locking (S)</span></dt><dd><p>This controls whether or not locking will be
+ performed by the server in response to lock requests from the
+ client.</p><p>If <b class="command">locking = no</b>, all lock and unlock
+ requests will appear to succeed and all lock queries will report
+ that the file in question is available for locking.</p><p>If <b class="command">locking = yes</b>, real locking will be performed
+ by the server.</p><p>This option <span class="emphasis"><em>may</em></span> be useful for read-only
+ filesystems which <span class="emphasis"><em>may</em></span> not need locking (such as
+ CDROM drives), although setting this parameter of <tt class="constant">no</tt>
+ is not really recommended even in this case.</p><p>Be careful about disabling locking either globally or in a
+ specific service, as lack of locking may result in data corruption.
+ You should never need to set this parameter.</p><p>Default: <b class="command">locking = yes</b></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter controls the number of times
+ that smbd should attempt to gain a byte range lock on the
+ behalf of a client request. Experiments have shown that
+ Windows 2k servers do not reply with a failure if the lock
+ could not be immediately granted, but try a few more times
+ in case the lock could later be aquired. This behavior
+ is used to support PC database formats such as MS Access
+ and FoxPro.
+ </p><p>Default: <b class="command">lock spin count = 2</b></p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should
+ pause before attempting to gain a failed lock. See
+ <a href="#LOCKSPINCOUNT"><i class="parameter"><tt>lock spin
+ count</tt></i></a> for more details.</p><p>Default: <b class="command">lock spin time = 10</b></p></dd><dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p>This option allows you to override the name
+ of the Samba log file (also known as the debug file).</p><p>This option takes the standard substitutions, allowing
+ you to have separate log files for each user or machine.</p><p>Example: <b class="command">log file = /usr/local/samba/var/log.%m</b></p></dd><dt><span class="term"><a name="LOGLEVEL"></a>log level (G)</span></dt><dd><p>The value of the parameter (a astring) allows
+ the debug level (logging level) to be specified in the
+ <tt class="filename">smb.conf</tt> file. This parameter has been
+ extended since the 2.2.x series, now it allow to specify the debug
+ level for multiple debug classes. This is to give greater
+ flexibility in the configuration of the system.</p><p>The default will be the log level specified on
+ the command line or level zero if none was specified.</p><p>Example: <b class="command">log level = 3 passdb:5 auth:10 winbind:2</b></p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>This parameter specifies the local path to
+ which the home directory will be connected (see <a href="#LOGONHOME">
+ <i class="parameter"><tt>logon home</tt></i></a>)
+ and is only used by NT Workstations. </p><p>Note that this option is only useful if Samba is set up as a
+ logon server.</p><p>Default: <b class="command">logon drive = z:</b></p><p>Example: <b class="command">logon drive = h:</b></p></dd><dt><span class="term"><a name="LOGONHOME"></a>logon home (G)</span></dt><dd><p>This parameter specifies the home directory
+ location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do </p><p><tt class="prompt">C:\&gt;</tt>
+ <b class="userinput"><tt>NET USE H: /HOME</tt></b>
+ </p><p>from a command prompt, for example.</p><p>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</p><p>This parameter can be used with Win9X workstations to ensure
+ that roaming profiles are stored in a subdirectory of the user's
+ home directory. This is done in the following way:</p><p><b class="command">logon home = \\%N\%U\profile</b></p><p>This tells Samba to return the above string, with
+ substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to
+ \\server\share when a user does <b class="command">net use /home</b>
+ but use the whole string when dealing with profiles.</p><p>Note that in prior versions of Samba, the <a href="#LOGONPATH">
+ <i class="parameter"><tt>logon path</tt></i></a> was returned rather than
+ <i class="parameter"><tt>logon home</tt></i>. This broke <b class="command">net use /home</b> but allowed profiles outside the home directory.
+ The current implementation is correct, and can be used for profiles if you use
+ the above trick.</p><p>This option is only useful if Samba is set up as a logon
+ server.</p><p>Default: <b class="command">logon home = &quot;\\%N\%U&quot;</b></p><p>Example: <b class="command">logon home = &quot;\\remote_smb_server\%U&quot;</b></p></dd><dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p>This parameter specifies the home directory
+ where roaming profiles (NTuser.dat etc files for Windows NT) are
+ stored. Contrary to previous versions of these manual pages, it has
+ nothing to do with Win 9X roaming profiles. To find out how to
+ handle roaming profiles for Win 9X system, see the <a href="#LOGONHOME">
+ <i class="parameter"><tt>logon home</tt></i></a> parameter.</p><p>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine. It also
+ specifies the directory from which the &quot;Application Data&quot;,
+ (<tt class="filename">desktop</tt>, <tt class="filename">start menu</tt>,
+ <tt class="filename">network neighborhood</tt>, <tt class="filename">programs</tt>
+ and other folders, and their contents, are loaded and displayed on
+ your Windows NT client.</p><p>The share and the path must be readable by the user for
+ the preferences and directories to be loaded onto the Windows NT
+ client. The share must be writeable when the user logs in for the first
+ time, in order that the Windows NT client can create the NTuser.dat
+ and other directories.</p><p>Thereafter, the directories and any of the contents can,
+ if required, be made read-only. It is not advisable that the
+ NTuser.dat file be made read-only - rename it to NTuser.man to
+ achieve the desired effect (a <span class="emphasis"><em>MAN</em></span>datory
+ profile). </p><p>Windows clients can sometimes maintain a connection to
+ the [homes] share, even though there is no user logged in.
+ Therefore, it is vital that the logon path does not include a
+ reference to the homes share (i.e. setting this parameter to
+ \%N\%U\profile_path will cause problems).</p><p>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</p><p>Note that this option is only useful if Samba is set up
+ as a logon server.</p><p>Default: <b class="command">logon path = \\%N\%U\profile</b></p><p>Example: <b class="command">logon path = \\PROFILESERVER\PROFILE\%U</b></p></dd><dt><span class="term"><a name="LOGONSCRIPT"></a>logon script (G)</span></dt><dd><p>This parameter specifies the batch file (.bat) or
+ NT command file (.cmd) to be downloaded and run on a machine when
+ a user successfully logs in. The file must contain the DOS
+ style CR/LF line endings. Using a DOS-style editor to create the
+ file is recommended.</p><p>The script must be a relative path to the [netlogon]
+ service. If the [netlogon] service specifies a <a href="#PATH">
+ <i class="parameter"><tt>path</tt></i></a> of <tt class="filename">/usr/local/samba/netlogon</tt>, and <b class="command">logon script = STARTUP.BAT</b>, then
+ the file that will be downloaded is:</p><p><tt class="filename">/usr/local/samba/netlogon/STARTUP.BAT</tt></p><p>The contents of the batch file are entirely your choice. A
+ suggested command would be to add <b class="command">NET TIME \\SERVER /SET
+ /YES</b>, to force every machine to synchronize clocks with
+ the same time server. Another use would be to add <b class="command">NET USE
+ U: \\SERVER\UTILS</b> for commonly used utilities, or <b class="command">
+ NET USE Q: \\SERVER\ISO9001_QA</b> for example.</p><p>Note that it is particularly important not to allow write
+ access to the [netlogon] share, or to grant users write permission
+ on the batch files in a secure environment, as this would allow
+ the batch files to be arbitrarily modified and security to be
+ breached.</p><p>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine.</p><p>This option is only useful if Samba is set up as a logon
+ server.</p><p>Default: <span class="emphasis"><em>no logon script defined</em></span></p><p>Example: <b class="command">logon script = scripts\%U.bat</b></p></dd><dt><span class="term"><a name="LPPAUSECOMMAND"></a>lppause command (S)</span></dt><dd><p>This parameter specifies the command to be
+ executed on the server host in order to stop printing or spooling
+ a specific print job.</p><p>This command should be a program or script which takes
+ a printer name and job number to pause the print job. One way
+ of implementing this is by using job priorities, where jobs
+ having a too low priority won't be sent to the printer.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
+ is put in its place. A <i class="parameter"><tt>%j</tt></i> is replaced with
+ the job number (an integer). On HPUX (see <i class="parameter"><tt>printing=hpux
+ </tt></i>), if the <i class="parameter"><tt>-p%p</tt></i> option is added
+ to the lpq command, the job will show up with the correct status, i.e.
+ if the job priority is lower than the set fence priority it will
+ have the PAUSED status, whereas if the priority is equal or higher it
+ will have the SPOOLED or PRINTING status.</p><p>Note that it is good practice to include the absolute path
+ in the lppause command as the PATH may not be available to the server.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
+ </tt></i></a> parameter.</p><p>Default: Currently no default value is given to
+ this string, unless the value of the <i class="parameter"><tt>printing</tt></i>
+ parameter is <tt class="constant">SYSV</tt>, in which case the default is :</p><p><b class="command">lp -i %p-%j -H hold</b></p><p>or if the value of the <i class="parameter"><tt>printing</tt></i> parameter
+ is <tt class="constant">SOFTQ</tt>, then the default is:</p><p><b class="command">qstat -s -j%j -h</b></p><p>Example for HPUX: <b class="command">lppause command = /usr/bin/lpalt %p-%j -p0</b></p></dd><dt><span class="term"><a name="LPQCACHETIME"></a>lpq cache time (G)</span></dt><dd><p>This controls how long lpq info will be cached
+ for to prevent the <b class="command">lpq</b> command being called too
+ often. A separate cache is kept for each variation of the <b class="command">
+ lpq</b> command used by the system, so if you use different
+ <b class="command">lpq</b> commands for different users then they won't
+ share cache information.</p><p>The cache files are stored in <tt class="filename">/tmp/lpq.xxxx</tt>
+ where xxxx is a hash of the <b class="command">lpq</b> command in use.</p><p>The default is 10 seconds, meaning that the cached results
+ of a previous identical <b class="command">lpq</b> command will be used
+ if the cached data is less than 10 seconds old. A large value may
+ be advisable if your <b class="command">lpq</b> command is very slow.</p><p>A value of 0 will disable caching completely.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing</tt></i></a> parameter.</p><p>Default: <b class="command">lpq cache time = 10</b></p><p>Example: <b class="command">lpq cache time = 30</b></p></dd><dt><span class="term"><a name="LPQCOMMAND"></a>lpq command (S)</span></dt><dd><p>This parameter specifies the command to be
+ executed on the server host in order to obtain <b class="command">lpq
+ </b>-style printer status information.</p><p>This command should be a program or script which
+ takes a printer name as its only parameter and outputs printer
+ status information.</p><p>Currently nine styles of printer status information
+ are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
+ This covers most UNIX systems. You control which type is expected
+ using the <i class="parameter"><tt>printing =</tt></i> option.</p><p>Some clients (notably Windows for Workgroups) may not
+ correctly send the connection number for the printer they are
+ requesting status information about. To get around this, the
+ server reports on the first printer service connected to by the
+ client. This only happens if the connection number sent is invalid.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the
+ command.</p><p>Note that it is good practice to include the absolute path
+ in the <i class="parameter"><tt>lpq command</tt></i> as the <tt class="envar">$PATH
+ </tt> may not be available to the server. When compiled with
+ the CUPS libraries, no <i class="parameter"><tt>lpq command</tt></i> is
+ needed because smbd will make a library call to obtain the
+ print queue listing.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
+ </tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i class="parameter"><tt>
+ printing</tt></i></em></span></p><p>Example: <b class="command">lpq command = /usr/bin/lpq -P%p</b></p></dd><dt><span class="term"><a name="LPRESUMECOMMAND"></a>lpresume command (S)</span></dt><dd><p>This parameter specifies the command to be
+ executed on the server host in order to restart or continue
+ printing or spooling a specific print job.</p><p>This command should be a program or script which takes
+ a printer name and job number to resume the print job. See
+ also the <a href="#LPPAUSECOMMAND"><i class="parameter"><tt>lppause command
+ </tt></i></a> parameter.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
+ is put in its place. A <i class="parameter"><tt>%j</tt></i> is replaced with
+ the job number (an integer).</p><p>Note that it is good practice to include the absolute path
+ in the <i class="parameter"><tt>lpresume command</tt></i> as the PATH may not
+ be available to the server.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
+ </tt></i></a> parameter.</p><p>Default: Currently no default value is given
+ to this string, unless the value of the <i class="parameter"><tt>printing</tt></i>
+ parameter is <tt class="constant">SYSV</tt>, in which case the default is :</p><p><b class="command">lp -i %p-%j -H resume</b></p><p>or if the value of the <i class="parameter"><tt>printing</tt></i> parameter
+ is <tt class="constant">SOFTQ</tt>, then the default is:</p><p><b class="command">qstat -s -j%j -r</b></p><p>Example for HPUX: <b class="command">lpresume command = /usr/bin/lpalt %p-%j -p2</b></p></dd><dt><span class="term"><a name="LPRMCOMMAND"></a>lprm command (S)</span></dt><dd><p>This parameter specifies the command to be
+ executed on the server host in order to delete a print job.</p><p>This command should be a program or script which takes
+ a printer name and job number, and deletes the print job.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
+ is put in its place. A <i class="parameter"><tt>%j</tt></i> is replaced with
+ the job number (an integer).</p><p>Note that it is good practice to include the absolute
+ path in the <i class="parameter"><tt>lprm command</tt></i> as the PATH may not be
+ available to the server.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
+ </tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i class="parameter"><tt>printing
+ </tt></i></em></span></p><p>Example 1: <b class="command">lprm command = /usr/bin/lprm -P%p %j</b></p><p>Example 2: <b class="command">lprm command = /usr/bin/cancel %p-%j</b></p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>If a Samba server is a member of a Windows
+ NT Domain (see the <a href="#SECURITYEQUALSDOMAIN">security = domain</a>)
+ parameter) then periodically a running <a href="smbd.8.html" target="_top">
+ smbd(8)</a> process will try and change the MACHINE ACCOUNT
+ PASSWORD stored in the TDB called <tt class="filename">private/secrets.tdb
+ </tt>. This parameter specifies how often this password
+ will be changed, in seconds. The default is one week (expressed in
+ seconds), the same as a Windows NT Domain member server.</p><p>See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, and the <a href="#SECURITYEQUALSDOMAIN">
+ security = domain</a>) parameter.</p><p>Default: <b class="command">machine password timeout = 604800</b></p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>This parameter specifies the name of a file
+ which will contain output created by a magic script (see the
+ <a href="#MAGICSCRIPT"><i class="parameter"><tt>magic script</tt></i></a>
+ parameter below).</p><p>Warning: If two clients use the same <i class="parameter"><tt>magic script
+ </tt></i> in the same directory the output file content
+ is undefined.</p><p>Default: <b class="command">magic output = &lt;magic script name&gt;.out</b></p><p>Example: <b class="command">magic output = myfile.txt</b></p></dd><dt><span class="term"><a name="MAGICSCRIPT"></a>magic script (S)</span></dt><dd><p>This parameter specifies the name of a file which,
+ if opened, will be executed by the server when the file is closed.
+ This allows a UNIX script to be sent to the Samba host and
+ executed on behalf of the connected user.</p><p>Scripts executed in this way will be deleted upon
+ completion assuming that the user has the appropriate level
+ of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to
+ the file specified by the <a href="#MAGICOUTPUT"><i class="parameter"><tt>
+ magic output</tt></i></a> parameter (see above).</p><p>Note that some shells are unable to interpret scripts
+ containing CR/LF instead of CR as
+ the end-of-line marker. Magic scripts must be executable
+ <span class="emphasis"><em>as is</em></span> on the host, which for some hosts and
+ some shells will require filtering at the DOS end.</p><p>Magic scripts are <span class="emphasis"><em>EXPERIMENTAL</em></span> and
+ should <span class="emphasis"><em>NOT</em></span> be relied upon.</p><p>Default: <span class="emphasis"><em>None. Magic scripts disabled.</em></span></p><p>Example: <b class="command">magic script = user.csh</b></p></dd><dt><span class="term"><a name="MANGLECASE"></a>mangle case (S)</span></dt><dd><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a></p><p>Default: <b class="command">mangle case = no</b></p></dd><dt><span class="term"><a name="MANGLEDMAP"></a>mangled map (S)</span></dt><dd><p>This is for those who want to directly map UNIX
+ file names which cannot be represented on Windows/DOS. The mangling
+ of names is not always what is needed. In particular you may have
+ documents with file extensions that differ between DOS and UNIX.
+ For example, under UNIX it is common to use <tt class="filename">.html</tt>
+ for HTML files, whereas under Windows/DOS <tt class="filename">.htm</tt>
+ is more commonly used.</p><p>So to map <tt class="filename">html</tt> to <tt class="filename">htm</tt>
+ you would use:</p><p><b class="command">mangled map = (*.html *.htm)</b></p><p>One very useful case is to remove the annoying <tt class="filename">;1
+ </tt> off the ends of filenames on some CDROMs (only visible
+ under some UNIXes). To do this use a map of (*;1 *;).</p><p>Default: <span class="emphasis"><em>no mangled map</em></span></p><p>Example: <b class="command">mangled map = (*;1 *;)</b></p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX
+ should be mapped to DOS-compatible names (&quot;mangled&quot;) and made visible,
+ or whether non-DOS names should simply be ignored.</p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for
+ details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters
+ before the rightmost dot of the filename are preserved, forced
+ to upper case, and appear as the first (up to) five characters
+ of the mangled name.</p></li><li><p>A tilde &quot;~&quot; is appended to the first part of the mangled
+ name, followed by a two-character unique sequence, based on the
+ original root name (i.e., the original filename minus its final
+ extension). The final extension is included in the hash calculation
+ only if it contains any upper case characters or is longer than three
+ characters.</p><p>Note that the character to use may be specified using
+ the <a href="#MANGLINGCHAR"><i class="parameter"><tt>mangling char</tt></i>
+ </a> option, if you don't like '~'.</p></li><li><p>The first three alphanumeric characters of the final
+ extension are preserved, forced to upper case and appear as the
+ extension of the mangled name. The final extension is defined as that
+ part of the original filename after the rightmost dot. If there are no
+ dots in the filename, the mangled name will have no extension (except
+ in the case of &quot;hidden files&quot; - see below).</p></li><li><p>Files whose UNIX name begins with a dot will be
+ presented as DOS hidden files. The mangled name will be created as
+ for other filenames, but with the leading dot removed and &quot;___&quot; as
+ its extension regardless of actual original extension (that's three
+ underscores).</p></li></ul></div><p>The two-digit hash value consists of upper case alphanumeric characters.</p><p>This algorithm can cause name collisions only if files
+ in a directory share the same first five alphanumeric characters.
+ The probability of such a clash is 1/1300.</p><p>The name mangling (if enabled) allows a file to be
+ copied between UNIX directories from Windows/DOS while retaining
+ the long UNIX filename. UNIX files can be renamed to a new extension
+ from Windows/DOS and will retain the same basename. Mangled names
+ do not change between sessions.</p><p>Default: <b class="command">mangled names = yes</b></p></dd><dt><span class="term"><a name="MANGLINGSTACK"></a>mangling stack (G)</span></dt><dd><p>This parameter controls the number of mangled names
+ that should be cached in the Samba server <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This stack is a list of recently mangled base names
+ (extensions are only maintained if they are longer than 3 characters
+ or contains upper case characters).</p><p>The larger this value, the more likely it is that mangled
+ names can be successfully converted to correct long UNIX names.
+ However, large stack sizes will slow most directory accesses. Smaller
+ stacks save memory in the server (each stack element costs 256 bytes).
+ </p><p>It is not possible to absolutely guarantee correct long
+ filenames, so be prepared for some surprises!</p><p>Default: <b class="command">mangled stack = 50</b></p><p>Example: <b class="command">mangled stack = 100</b></p></dd><dt><span class="term"><a name="MANGLINGPREFIX"></a>mangling prefix (G)</span></dt><dd><p> controls the number of prefix
+ characters from the original name used when generating
+ the mangled names. A larger value will give a weaker
+ hash and therefore more name collisions. The minimum
+ value is 1 and the maximum value is 6.</p><p>Default: <b class="command">mangle prefix = 1</b></p><p>Example: <b class="command">mangle prefix = 4</b></p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as
+ the <span class="emphasis"><em>magic</em></span> character in <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">name mangling</a>. The
+ default is a '~' but this may interfere with some software. Use this option to set
+ it to whatever you prefer.</p><p>Default: <b class="command">mangling char = ~</b></p><p>Example: <b class="command">mangling char = ^</b></p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p> controls the algorithm used for the generating
+ the mangled names. Can take two different values, &quot;hash&quot; and
+ &quot;hash2&quot;. &quot;hash&quot; is the default and is the algorithm that has been
+ used in Samba for many years. &quot;hash2&quot; is a newer and considered
+ a better algorithm (generates less collisions) in the names.
+ However, many Win32 applications store the mangled names and so
+ changing to the new algorithm must not be done
+ lightly as these applications may break unless reinstalled.</p><p>Default: <b class="command">mangling method = hash2</b></p><p>Example: <b class="command">mangling method = hash</b></p></dd><dt><span class="term"><a name="MAPARCHIVE"></a>map archive (S)</span></dt><dd><p>This controls whether the DOS archive attribute
+ should be mapped to the UNIX owner execute bit. The DOS archive bit
+ is set when a file has been modified since its last backup. One
+ motivation for this option it to keep Samba/your PC from making
+ any file it touches from becoming executable under UNIX. This can
+ be quite annoying for shared source code, documents, etc...</p><p>Note that this requires the <i class="parameter"><tt>create mask</tt></i>
+ parameter to be set such that owner execute bit is not masked out
+ (i.e. it must include 100). See the parameter <a href="#CREATEMASK">
+ <i class="parameter"><tt>create mask</tt></i></a> for details.</p><p>Default: <b class="command">map archive = yes</b></p></dd><dt><span class="term"><a name="MAPHIDDEN"></a>map hidden (S)</span></dt><dd><p>This controls whether DOS style hidden files
+ should be mapped to the UNIX world execute bit.</p><p>Note that this requires the <i class="parameter"><tt>create mask</tt></i>
+ to be set such that the world execute bit is not masked out (i.e.
+ it must include 001). See the parameter <a href="#CREATEMASK">
+ <i class="parameter"><tt>create mask</tt></i></a> for details.</p><p>Default: <b class="command">map hidden = no</b></p></dd><dt><span class="term"><a name="MAPSYSTEM"></a>map system (S)</span></dt><dd><p>This controls whether DOS style system files
+ should be mapped to the UNIX group execute bit.</p><p>Note that this requires the <i class="parameter"><tt>create mask</tt></i>
+ to be set such that the group execute bit is not masked out (i.e.
+ it must include 010). See the parameter <a href="#CREATEMASK">
+ <i class="parameter"><tt>create mask</tt></i></a> for details.</p><p>Default: <b class="command">map system = no</b></p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a href="#SECURITY">
+ security</a> modes other than <i class="parameter"><tt>security = share</tt></i>
+ - i.e. <tt class="constant">user</tt>, <tt class="constant">server</tt>,
+ and <tt class="constant">domain</tt>.</p><p>This parameter can take three different values, which tell
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> what to do with user
+ login requests that don't match a valid UNIX user in some way.</p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">Never</tt> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</p></li><li><p><tt class="constant">Bad User</tt> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <a href="#GUESTACCOUNT"><i class="parameter"><tt>
+ guest account</tt></i></a>.</p></li><li><p><tt class="constant">Bad Password</tt> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <a href="#GUESTACCOUNT">guest account</a>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as &quot;guest&quot; - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <span class="emphasis"><em>hate</em></span> you if you set the <i class="parameter"><tt>map to
+ guest</tt></i> parameter this way :-).</p></li></ul></div><p>Note that this parameter is needed to set up &quot;Guest&quot;
+ share services when using <i class="parameter"><tt>security</tt></i> modes other than
+ share. This is because in these modes the name of the resource being
+ requested is <span class="emphasis"><em>not</em></span> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for &quot;Guest&quot; shares.</p><p>For people familiar with the older Samba releases, this
+ parameter maps to the old compile-time setting of the <tt class="constant">
+ GUEST_SESSSETUP</tt> value in local.h.</p><p>Default: <b class="command">map to guest = Never</b></p><p>Example: <b class="command">map to guest = Bad User</b></p></dd><dt><span class="term"><a name="MAXCONNECTIONS"></a>max connections (S)</span></dt><dd><p>This option allows the number of simultaneous connections to a service to be limited.
+ If <i class="parameter"><tt>max connections</tt></i> is greater than 0 then connections
+ will be refused if this number of connections to the service are already open. A value
+ of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in
+ the directory specified by the <a href="#LOCKDIRECTORY">
+ <i class="parameter"><tt>lock directory</tt></i></a> option.</p><p>Default: <b class="command">max connections = 0</b></p><p>Example: <b class="command">max connections = 10</b></p></dd><dt><span class="term"><a name="MAXDISKSIZE"></a>max disk size (G)</span></dt><dd><p>This option allows you to put an upper limit
+ on the apparent size of disks. If you set this option to 100
+ then all shares will appear to be not larger than 100 MB in
+ size.</p><p>Note that this option does not limit the amount of
+ data you can put on the disk. In the above case you could still
+ store much more than 100 MB on the disk, but if a client ever asks
+ for the amount of free disk space or the total disk size then the
+ result will be bounded by the amount specified in <i class="parameter"><tt>max
+ disk size</tt></i>.</p><p>This option is primarily useful to work around bugs
+ in some pieces of software that can't handle very large disks,
+ particularly disks over 1GB in size.</p><p>A <i class="parameter"><tt>max disk size</tt></i> of 0 means no limit.</p><p>Default: <b class="command">max disk size = 0</b></p><p>Example: <b class="command">max disk size = 1000</b></p></dd><dt><span class="term"><a name="MAXLOGSIZE"></a>max log size (G)</span></dt><dd><p>This option (an integer in kilobytes) specifies
+ the max size the log file should grow to. Samba periodically checks
+ the size and if it is exceeded it will rename the file, adding
+ a <tt class="filename">.old</tt> extension.</p><p>A size of 0 means no limit.</p><p>Default: <b class="command">max log size = 5000</b></p><p>Example: <b class="command">max log size = 1000</b></p></dd><dt><span class="term"><a name="MAXMUX"></a>max mux (G)</span></dt><dd><p>This option controls the maximum number of
+ outstanding simultaneous SMB operations that Samba tells the client
+ it will allow. You should never need to set this parameter.</p><p>Default: <b class="command">max mux = 50</b></p></dd><dt><span class="term"><a name="MAXOPENFILES"></a>max open files (G)</span></dt><dd><p>This parameter limits the maximum number of
+ open files that one <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> file
+ serving process may have open for a client at any one time. The
+ default for this parameter is set very high (10,000) as Samba uses
+ only one bit per unopened file.</p><p>The limit of the number of open files is usually set
+ by the UNIX per-process file descriptor limit rather than
+ this parameter so you should never need to touch this parameter.</p><p>Default: <b class="command">max open files = 10000</b></p></dd><dt><span class="term"><a name="MAXPRINTJOBS"></a>max print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of
+ jobs allowable in a Samba printer queue at any given moment.
+ If this number is exceeded, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will remote &quot;Out of Space&quot; to the client.
+ See all <a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total
+ print jobs</tt></i></a>.
+ </p><p>Default: <b class="command">max print jobs = 1000</b></p><p>Example: <b class="command">max print jobs = 5000</b></p></dd><dt><span class="term"><a name="MAXPROTOCOL"></a>max protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the highest
+ protocol level that will be supported by the server.</p><p>Possible values are :</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">CORE</tt>: Earliest version. No
+ concept of user names.</p></li><li><p><tt class="constant">COREPLUS</tt>: Slight improvements on
+ CORE for efficiency.</p></li><li><p><tt class="constant">LANMAN1</tt>: First <span class="emphasis"><em>
+ modern</em></span> version of the protocol. Long filename
+ support.</p></li><li><p><tt class="constant">LANMAN2</tt>: Updates to Lanman1 protocol.</p></li><li><p><tt class="constant">NT1</tt>: Current up to date version of the protocol.
+ Used by Windows NT. Known as CIFS.</p></li></ul></div><p>Normally this option should not be set as the automatic
+ negotiation phase in the SMB protocol takes care of choosing
+ the appropriate protocol.</p><p>See also <a href="#MINPROTOCOL"><i class="parameter"><tt>min
+ protocol</tt></i></a></p><p>Default: <b class="command">max protocol = NT1</b></p><p>Example: <b class="command">max protocol = LANMAN1</b></p></dd><dt><span class="term"><a name="MAXREPORTEDPRINTJOBS"></a>max reported print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of
+ jobs displayed in a port monitor for Samba printer queue at any given
+ moment. If this number is exceeded, the excess jobs will not be shown.
+ A value of zero means there is no limit on the number of print
+ jobs reported.
+
+ See all <a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total
+ print jobs</tt></i></a> and <a href="#MAXPRINTJOBS"><i class="parameter"><tt>max print
+ jobs</tt></i></a> parameters.
+ </p><p>Default: <b class="command">max reported print jobs = 0</b></p><p>Example: <b class="command">max reported print jobs = 1000</b></p></dd><dt><span class="term"><a name="MAXSMBDPROCESSES"></a>max smbd processes (G)</span></dt><dd><p>This parameter limits the maximum number of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> processes concurrently running on a system and is intended
+ as a stopgap to prevent degrading service to clients in the event that the server has insufficient
+ resources to handle more than this number of connections. Remember that under normal operating
+ conditions, each user will have an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> associated with him or her to handle connections to all
+ shares from a given host.</p><p>Default: <b class="command">max smbd processes = 0</b> ## no limit</p><p>Example: <b class="command">max smbd processes = 1000</b></p></dd><dt><span class="term"><a name="MAXTTL"></a>max ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> what the default 'time to live'
+ of NetBIOS names should be (in seconds) when <b class="command">nmbd</b> is
+ requesting a name using either a broadcast packet or from a WINS server. You should
+ never need to change this parameter. The default is 3 days.</p><p>Default: <b class="command">max ttl = 259200</b></p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server (<a href="#WINSSUPPORT">
+ <i class="parameter"><tt>wins support = yes</tt></i></a>) what the maximum
+ 'time to live' of NetBIOS names that <b class="command">nmbd</b>
+ will grant will be (in seconds). You should never need to change this
+ parameter. The default is 6 days (518400 seconds).</p><p>See also the <a href="#MINWINSTTL"><i class="parameter"><tt>min
+ wins ttl</tt></i></a> parameter.</p><p>Default: <b class="command">max wins ttl = 518400</b></p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size
+ that will be negotiated by Samba. The default is 65535, which
+ is the maximum. In some cases you may find you get better performance
+ with a smaller value. A value below 2048 is likely to cause problems.
+ </p><p>Default: <b class="command">max xmit = 65535</b></p><p>Example: <b class="command">max xmit = 8192</b></p></dd><dt><span class="term"><a name="MESSAGECOMMAND"></a>message command (G)</span></dt><dd><p>This specifies what command to run when the
+ server receives a WinPopup style message.</p><p>This would normally be a command that would
+ deliver the message somehow. How this is to be done is
+ up to your imagination.</p><p>An example is:</p><p><b class="command">message command = csh -c 'xedit %s;rm %s' &amp;</b>
+ </p><p>This delivers the message using <b class="command">xedit</b>, then
+ removes it afterwards. <span class="emphasis"><em>NOTE THAT IT IS VERY IMPORTANT
+ THAT THIS COMMAND RETURN IMMEDIATELY</em></span>. That's why I
+ have the '&amp;' on the end. If it doesn't return immediately then
+ your PCs may freeze when sending messages (they should recover
+ after 30 seconds, hopefully).</p><p>All messages are delivered as the global guest user.
+ The command takes the standard substitutions, although <i class="parameter"><tt>
+ %u</tt></i> won't work (<i class="parameter"><tt>%U</tt></i> may be better
+ in this case).</p><p>Apart from the standard substitutions, some additional
+ ones apply. In particular:</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>%s</tt></i> = the filename containing
+ the message.</p></li><li><p><i class="parameter"><tt>%t</tt></i> = the destination that
+ the message was sent to (probably the server name).</p></li><li><p><i class="parameter"><tt>%f</tt></i> = who the message
+ is from.</p></li></ul></div><p>You could make this command send mail, or whatever else
+ takes your fancy. Please let us know of any really interesting
+ ideas you have.</p><p>Here's a way of sending the messages as mail to root:</p><p><b class="command">message command = /bin/mail -s 'message from %f on
+ %m' root &lt; %s; rm %s</b></p><p>If you don't have a message command then the message
+ won't be delivered and Samba will tell the sender there was
+ an error. Unfortunately WfWg totally ignores the error code
+ and carries on regardless, saying that the message was delivered.
+ </p><p>If you want to silently delete it then try:</p><p><b class="command">message command = rm %s</b></p><p>Default: <span class="emphasis"><em>no message command</em></span></p><p>Example: <b class="command">message command = csh -c 'xedit %s; rm %s' &amp;</b></p></dd><dt><span class="term"><a name="MINPASSWDLENGTH"></a>min passwd length (G)</span></dt><dd><p>Synonym for <a href="#MINPASSWORDLENGTH">
+ <i class="parameter"><tt>min password length</tt></i></a>.
+ </p></dd><dt><span class="term"><a name="MINPASSWORDLENGTH"></a>min password length (G)</span></dt><dd><p>This option sets the minimum length in characters of a
+ plaintext password that <b class="command">smbd</b> will
+ accept when performing UNIX password changing.</p><p>See also <a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix
+ password sync</tt></i></a>, <a href="#PASSWDPROGRAM">
+ <i class="parameter"><tt>passwd program</tt></i></a> and <a href="#PASSWDCHATDEBUG">
+ <i class="parameter"><tt>passwd chat debug</tt></i></a>.</p><p>Default: <b class="command">min password length = 5</b></p></dd><dt><span class="term"><a name="MINPRINTSPACE"></a>min print space (S)</span></dt><dd><p>This sets the minimum amount of free disk
+ space that must be available before a user will be able to spool
+ a print job. It is specified in kilobytes. The default is 0, which
+ means a user can always spool a print job.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
+ </tt></i></a> parameter.</p><p>Default: <b class="command">min print space = 0</b></p><p>Example: <b class="command">min print space = 2000</b></p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
+ lowest SMB protocol dialect than Samba will support. Please refer
+ to the <a href="#MAXPROTOCOL"><i class="parameter"><tt>max protocol</tt></i></a>
+ parameter for a list of valid protocol names and a brief description
+ of each. You may also wish to refer to the C source code in
+ <tt class="filename">source/smbd/negprot.c</tt> for a listing of known protocol
+ dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
+ also refer to the <a href="#LANMANAUTH"><i class="parameter"><tt>lanman
+ auth</tt></i></a> parameter. Otherwise, you should never need
+ to change this parameter.</p><p>Default : <b class="command">min protocol = CORE</b></p><p>Example : <b class="command">min protocol = NT1</b> # disable DOS clients</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
+ when acting as a WINS server (<a href="#WINSSUPPORT"><i class="parameter"><tt>
+ wins support = yes</tt></i></a>) what the minimum 'time to live'
+ of NetBIOS names that <b class="command">nmbd</b> will grant will be (in
+ seconds). You should never need to change this parameter. The default
+ is 6 hours (21600 seconds).</p><p>Default: <b class="command">min wins ttl = 21600</b></p></dd><dt><span class="term"><a name="MSDFSPROXY"></a>msdfs proxy (S)</span></dt><dd><p>This parameter indicates that the share is a
+ stand-in for another CIFS share whose location is specified by
+ the value of the parameter. When clients attempt to connect to
+ this share, they are redirected to the proxied share using
+ the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the
+ <a href="#MSDFSROOT"><i class="parameter"><tt>msdfs root</tt></i></a>
+ and <a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a>
+ options to find out how to set up a Dfs root share.</p><p>Example: <b class="command">msdfs proxy = \\\\otherserver\\someshare</b></p></dd><dt><span class="term"><a name="MSDFSROOT"></a>msdfs root (S)</span></dt><dd><p>This boolean parameter is only available if
+ Samba is configured and compiled with the <b class="command">
+ --with-msdfs</b> option. If set to <tt class="constant">yes</tt>,
+ Samba treats the share as a Dfs root and allows clients to browse
+ the distributed file system tree rooted at the share directory.
+ Dfs links are specified in the share directory by symbolic
+ links of the form <tt class="filename">msdfs:serverA\\shareA,serverB\\shareB</tt>
+ and so on. For more information on setting up a Dfs tree
+ on Samba, refer to <a href="msdfs.html" target="_top">&quot;Hosting a Microsoft
+ Distributed File System tree on Samba&quot;</a> document.</p><p>See also <a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p><p>Default: <b class="command">msdfs root = no</b></p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before
+ entries in samba's hostname resolve cache time out. If
+ the timeout is set to 0. the caching is disabled.
+ </p><p>Default: <b class="command">name cache timeout = 660</b></p><p>Example: <b class="command">name cache timeout = 0</b></p></dd><dt><span class="term"><a name="NAMERESOLVEORDER"></a>name resolve order (G)</span></dt><dd><p>This option is used by the programs in the Samba
+ suite to determine what naming services to use and in what order
+ to resolve host names to IP addresses. The option takes a space
+ separated string of name resolution options.</p><p>The options are: &quot;lmhosts&quot;, &quot;host&quot;,
+ &quot;wins&quot; and &quot;bcast&quot;. They cause names to be
+ resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">lmhosts</tt> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <a href="lmhosts.5.html" target="_top">lmhosts(5)</a> for details) then
+ any name type matches for lookup.</p></li><li><p><tt class="constant">host</tt> : Do a standard host
+ name to IP address resolution, using the system <tt class="filename">/etc/hosts
+ </tt>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <tt class="filename">/etc/nsswitch.conf</tt>
+ file. Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</p></li><li><p><tt class="constant">wins</tt> : Query a name with
+ the IP address listed in the <a href="#WINSSERVER"><i class="parameter"><tt>
+ wins server</tt></i></a> parameter. If no WINS server has
+ been specified this method will be ignored.</p></li><li><p><tt class="constant">bcast</tt> : Do a broadcast on
+ each of the known local interfaces listed in the <a href="#INTERFACES"><i class="parameter"><tt>interfaces</tt></i></a>
+ parameter. This is the least reliable of the name resolution
+ methods as it depends on the target host being on a locally
+ connected subnet.</p></li></ul></div><p>Default: <b class="command">name resolve order = lmhosts host wins bcast</b></p><p>Example: <b class="command">name resolve order = lmhosts bcast host</b></p><p>This will cause the local lmhosts file to be examined
+ first, followed by a broadcast attempt, followed by a normal
+ system hostname lookup.</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that <a href="nmbd.8.html" target="_top">nmbd(8)</a> will
+ advertise as additional names by which the Samba server is known. This allows one machine
+ to appear in browse lists under multiple names. If a machine is acting as a browse server
+ or logon server none of these names will be advertised as either browse server or logon
+ servers, only the primary name of the machine will be advertised with these capabilities.
+ </p><p>See also <a href="#NETBIOSNAME"><i class="parameter"><tt>netbios
+ name</tt></i></a>.</p><p>Default: <span class="emphasis"><em>empty string (no additional names)</em></span></p><p>Example: <b class="command">netbios aliases = TEST TEST1 TEST2</b></p></dd><dt><span class="term"><a name="NETBIOSNAME"></a>netbios name (G)</span></dt><dd><p>This sets the NetBIOS name by which a Samba
+ server is known. By default it is the same as the first component
+ of the host's DNS name. If a machine is a browse server or
+ logon server this name (or the first component
+ of the hosts DNS name) will be the name that these services are
+ advertised under.</p><p>See also <a href="#NETBIOSALIASES"><i class="parameter"><tt>netbios
+ aliases</tt></i></a>.</p><p>Default: <span class="emphasis"><em>machine DNS name</em></span></p><p>Example: <b class="command">netbios name = MYNAME</b></p></dd><dt><span class="term"><a name="NETBIOSSCOPE"></a>netbios scope (G)</span></dt><dd><p>This sets the NetBIOS scope that Samba will
+ operate under. This should not be set unless every machine
+ on your LAN also sets this value.</p></dd><dt><span class="term"><a name="NISHOMEDIR"></a>nis homedir (G)</span></dt><dd><p>Get the home share server from a NIS map. For
+ UNIX systems that use an automounter, the user's home directory
+ will often be mounted on a workstation on demand from a remote
+ server. </p><p>When the Samba logon server is not the actual home directory
+ server, but is mounting the home directories via NFS then two
+ network hops would be required to access the users home directory
+ if the logon server told the client to use itself as the SMB server
+ for home directories (one over SMB and one over NFS). This can
+ be very slow.</p><p>This option allows Samba to return the home share as
+ being on a different server to the logon server and as
+ long as a Samba daemon is running on the home directory server,
+ it will be mounted on the Samba client directly from the directory
+ server. When Samba is returning the home share to the client, it
+ will consult the NIS map specified in <a href="#HOMEDIRMAP">
+ <i class="parameter"><tt>homedir map</tt></i></a> and return the server
+ listed there.</p><p>Note that for this option to work there must be a working
+ NIS system and the Samba server with this option must also
+ be a logon server.</p><p>Default: <b class="command">nis homedir = no</b></p></dd><dt><span class="term"><a name="NONUNIXACCOUNTRANGE"></a>non unix account range (G)</span></dt><dd><p>The non unix account range parameter specifies
+ the range of 'user ids' that are allocated by the various 'non unix
+ account' passdb backends. These backends allow
+ the storage of passwords for users who don't exist in /etc/passwd.
+ This is most often used for machine account creation.
+ This range of ids should have no existing local or NIS users within
+ it as strange conflicts can occur otherwise.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>These userids never appear on the system and Samba will never
+ 'become' these users. They are used only to ensure that the algorithmic
+ RID mapping does not conflict with normal users.
+ </p></div><p>Default: <b class="command">non unix account range = &lt;empty string&gt;</b></p><p>Example: <b class="command">non unix account range = 10000-20000</b></p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map
+ UNIX permissions into Windows NT access control lists.
+ This parameter was formally a global parameter in releases
+ prior to 2.2.2.</p><p>Default: <b class="command">nt acl support = yes</b></p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to
+ authenticate users using the NTLM encrypted password response.
+ If disabled, either the lanman password hash or an NTLMv2 response
+ will need to be sent by the client.</p><p>If this option, and <b class="command">lanman
+ auth</b> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</p><p>Default : <b class="command">ntlm auth = yes</b></p></dd><dt><span class="term"><a name="NTPIPESUPPORT"></a>nt pipe support (G)</span></dt><dd><p>This boolean parameter controls whether
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow Windows NT
+ clients to connect to the NT SMB specific <tt class="constant">IPC$</tt>
+ pipes. This is a developer debugging option and can be left
+ alone.</p><p>Default: <b class="command">nt pipe support = yes</b></p></dd><dt><span class="term"><a name="NTSTATUSSUPPORT"></a>nt status support (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will negotiate NT specific status
+ support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone.
+ If this option is set to <tt class="constant">no</tt> then Samba offers
+ exactly the same DOS error codes that versions prior to Samba 2.2.3
+ reported.</p><p>You should not need to ever disable this parameter.</p><p>Default: <b class="command">nt status support = yes</b></p></dd><dt><span class="term"><a name="NULLPASSWORDS"></a>null passwords (G)</span></dt><dd><p>Allow or disallow client access to accounts that have null passwords. </p><p>See also <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>.</p><p>Default: <b class="command">null passwords = no</b></p></dd><dt><span class="term"><a name="OBEYPAMRESTRICTIONS"></a>obey pam restrictions (G)</span></dt><dd><p>When Samba 3.0 is configured to enable PAM support
+ (i.e. --with-pam), this parameter will control whether or not Samba
+ should obey PAM's account and session management directives. The
+ default behavior is to use PAM for clear text authentication only
+ and to ignore any account or session management. Note that Samba
+ always ignores PAM for authentication in the case of <a href="#ENCRYPTPASSWORDS">
+ <i class="parameter"><tt>encrypt passwords = yes</tt></i></a>. The reason
+ is that PAM modules cannot support the challenge/response
+ authentication mechanism needed in the presence of SMB password encryption.
+ </p><p>Default: <b class="command">obey pam restrictions = no</b></p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest (S)</span></dt><dd><p>A synonym for <a href="#GUESTONLY"><i class="parameter"><tt>
+ guest only</tt></i></a>.</p></dd><dt><span class="term"><a name="ONLYUSER"></a>only user (S)</span></dt><dd><p>This is a boolean option that controls whether
+ connections with usernames not in the <i class="parameter"><tt>user</tt></i>
+ list will be allowed. By default this option is disabled so that a
+ client can supply a username to be used by the server. Enabling
+ this parameter will force the server to only use the login
+ names from the <i class="parameter"><tt>user</tt></i> list and is only really
+ useful in <a href="#SECURITYEQUALSSHARE">share level</a>
+ security.</p><p>Note that this also means Samba won't try to deduce
+ usernames from the service name. This can be annoying for
+ the [homes] section. To get around this you could use <b class="command">user =
+ %S</b> which means your <i class="parameter"><tt>user</tt></i> list
+ will be just the service name, which for home directories is the
+ name of the user.</p><p>See also the <a href="#USER"><i class="parameter"><tt>user</tt></i>
+ </a> parameter.</p><p>Default: <b class="command">only user = no</b></p></dd><dt><span class="term"><a name="OPLOCKBREAKWAITTIME"></a>oplock break wait time (G)</span></dt><dd><p>This is a tuning parameter added due to bugs in
+ both Windows 9x and WinNT. If Samba responds to a client too
+ quickly when that client issues an SMB that can cause an oplock
+ break request, then the network client can fail and not respond
+ to the break request. This tuning parameter (which is set in milliseconds)
+ is the amount of time Samba will wait before sending an oplock break
+ request to such (broken) clients.</p><p><span class="emphasis"><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
+ UNDERSTOOD THE SAMBA OPLOCK CODE</em></span>.</p><p>Default: <b class="command">oplock break wait time = 0</b></p></dd><dt><span class="term"><a name="OPLOCKCONTENTIONLIMIT"></a>oplock contention limit (S)</span></dt><dd><p>This is a <span class="emphasis"><em>very</em></span> advanced
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> tuning option to
+ improve the efficiency of the granting of oplocks under multiple
+ client contention for the same file.</p><p>In brief it specifies a number, which causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>not to grant an oplock even when requested
+ if the approximate number of clients contending for an oplock on the same file goes over this
+ limit. This causes <b class="command">smbd</b> to behave in a similar
+ way to Windows NT.</p><p><span class="emphasis"><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</em></span>.</p><p>Default: <b class="command">oplock contention limit = 2</b></p></dd><dt><span class="term"><a name="OPLOCKS"></a>oplocks (S)</span></dt><dd><p>This boolean option tells <b class="command">smbd</b> whether to
+ issue oplocks (opportunistic locks) to file open requests on this
+ share. The oplock code can dramatically (approx. 30% or more) improve
+ the speed of access to files on Samba servers. It allows the clients
+ to aggressively cache files locally and you may want to disable this
+ option for unreliable network environments (it is turned on by
+ default in Windows NT Servers). For more information see the file
+ <tt class="filename">Speed.txt</tt> in the Samba <tt class="filename">docs/</tt>
+ directory.</p><p>Oplocks may be selectively turned off on certain files with a
+ share. See the <a href="#VETOOPLOCKFILES"><i class="parameter"><tt>
+ veto oplock files</tt></i></a> parameter. On some systems
+ oplocks are recognized by the underlying operating system. This
+ allows data synchronization between all access to oplocked files,
+ whether it be via Samba or NFS or a local UNIX process. See the
+ <i class="parameter"><tt>kernel oplocks</tt></i> parameter for details.</p><p>See also the <a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel
+ oplocks</tt></i></a> and <a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>
+ level2 oplocks</tt></i></a> parameters.</p><p>Default: <b class="command">oplocks = yes</b></p></dd><dt><span class="term"><a name="OS2DRIVERMAP"></a>os2 driver map (G)</span></dt><dd><p>The parameter is used to define the absolute
+ path to a file containing a mapping of Windows NT printer driver
+ names to OS/2 printer driver names. The format is:</p><p>&lt;nt driver name&gt; = &lt;os2 driver name&gt;.&lt;device name&gt;</p><p>For example, a valid entry using the HP LaserJet 5
+ printer driver would appear as <b class="command">HP LaserJet 5L = LASERJET.HP
+ LaserJet 5L</b>.</p><p>The need for the file is due to the printer driver namespace
+ problem described in the <a href="printing.html" target="_top">Samba
+ Printing HOWTO</a>. For more details on OS/2 clients, please
+ refer to the OS2-Client-HOWTO containing in the Samba documentation.</p><p>Default: <b class="command">os2 driver map = &lt;empty string&gt;</b></p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>This integer value controls what level Samba
+ advertises itself as for browse elections. The value of this
+ parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
+ has a chance of becoming a local master browser for the <i class="parameter"><tt>
+ WORKGROUP</tt></i> in the local broadcast area.</p><p><span class="emphasis"><em>Note :</em></span>By default, Samba will win
+ a local master browsing election over all Microsoft operating
+ systems except a Windows NT 4.0/2000 Domain Controller. This
+ means that a misconfigured Samba host can effectively isolate
+ a subnet for browsing purposes. See <tt class="filename">BROWSING.txt
+ </tt> in the Samba <tt class="filename">docs/</tt> directory
+ for details.</p><p>Default: <b class="command">os level = 20</b></p><p>Example: <b class="command">os level = 65 </b></p></dd><dt><span class="term"><a name="PAMPASSWORDCHANGE"></a>pam password change (G)</span></dt><dd><p>With the addition of better PAM support in Samba 2.2,
+ this parameter, it is possible to use PAM's password change control
+ flag for Samba. If enabled, then PAM will be used for password
+ changes when requested by an SMB client instead of the program listed in
+ <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i></a>.
+ It should be possible to enable this without changing your
+ <a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i></a>
+ parameter for most setups.</p><p>Default: <b class="command">pam password change = no</b></p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a
+ system command to be called when either <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> or <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> crashes. This is usually used to
+ draw attention to the fact that a problem occurred.</p><p>Default: <b class="command">panic action = &lt;empty string&gt;</b></p><p>Example: <b class="command">panic action = &quot;/bin/sleep 90000&quot;</b></p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some version of NT 4.x allow non-guest
+ users with a bad passowrd. When this option is enabled, samba will not
+ use a broken NT 4.x server as password server, but instead complain
+ to the logs and exit.
+ </p><p>Disabling this option prevents Samba from making
+ this check, which involves deliberatly attempting a
+ bad logon to the remote server.</p><p>Default: <b class="command">paranoid server security = yes</b></p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd xmlns:ns1=""><p>This option allows the administrator to chose which backends
+ to retrieve and store passwords with. This allows (for example) both
+ smbpasswd and tdbsam to be used without a recompile. Multiple
+ backends can be specified, separated by spaces. The backends will be
+ searched in the order they are specified. New users are always added
+ to the first backend specified. </p><p>This parameter is in two parts, the backend's name, and a 'location'
+ string that has meaning only to that particular backed. These are separated
+ by a : character.</p><ns1:p>Available backends can include:
+ </ns1:p><div class="itemizedlist"><ul type="disc"><li><p><b class="command">smbpasswd</b> - The default smbpasswd
+ backend. Takes a path to the smbpasswd file as an optional argument.
+ </p></li><li><p><b class="command">tdbsam</b> - The TDB based password storage
+ backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <a href="#PRIVATEDIR">
+ <i class="parameter"><tt>private dir</tt></i></a> directory.</p></li><li><p><b class="command">ldapsam</b> - The LDAP based passdb
+ backend. Takes an LDAP URL as an optional argument (defaults to
+ <b class="command">ldap://localhost</b>)</p><p>LDAP connections should be secured where possible. This may be done using either
+ Start-TLS (see <a href="#LDAPSSL"><i class="parameter"><tt>ldap ssl</tt></i></a>) or by
+ specifying <i class="parameter"><tt>ldaps://</tt></i> in
+ the URL argument. </p></li><li><p><b class="command">nisplussam</b> -
+ The NIS+ based passdb backend. Takes name NIS domain as
+ an optional argument. Only works with sun NIS+ servers.
+ </p></li><li><p><b class="command">mysql</b> -
+ The MySQL based passdb backend. Takes an identifier as
+ argument. Read the Samba HOWTO Collection for configuration
+ details.
+ </p></li><li><p><b class="command">guest</b> -
+ Very simple backend that only provides one user: the guest user.
+ Only maps the NT guest user to the <i class="parameter"><tt>guest account</tt></i>.
+ Required in pretty much all situations.
+ </p></li></ul></div><ns1:p>
+ </ns1:p><p>Default: <b class="command">passdb backend = smbpasswd guest</b></p><p>Example: <b class="command">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</b></p><p>Example: <b class="command">passdb backend = ldapsam:ldaps://ldap.example.com guest</b></p><p>Example: <b class="command">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</b></p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>&quot;chat&quot;</em></span>
+ conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing
+ program to change the user's password. The string describes a
+ sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the
+ <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i>
+ </a> and what to expect back. If the expected output is not
+ received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</p><p>Note that this parameter only is only used if the <a href="#UNIXPASSWORDSYNC"> <i class="parameter"><tt>unix password sync</tt></i>
+ </a> parameter is set to <tt class="constant">yes</tt>. This sequence is
+ then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password in the
+ smbpasswd file is being changed, without access to the old password
+ cleartext. This means that root must be able to reset the user's password without
+ knowing the text of the previous password. In the presence of
+ NIS/YP, this means that the <a href="#PASSWDPROGRAM">passwd program</a> must
+ be executed on the NIS master.
+ </p><p>The string can contain the macro <i class="parameter"><tt>%n</tt></i> which is substituted
+ for the new password. The chat sequence can also contain the standard
+ macros <tt class="constant">\\n</tt>, <tt class="constant">\\r</tt>, <tt class="constant">\\t</tt> and <tt class="constant">\\s</tt> to
+ give line-feed, carriage-return, tab and space. The chat sequence string can also contain
+ a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
+ in them into a single string.</p><p>If the send string in any part of the chat sequence is a full
+ stop &quot;.&quot;, then no string is sent. Similarly, if the
+ expect string is a full stop then no string is expected.</p><p>If the <a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam
+ password change</tt></i></a> parameter is set to <tt class="constant">yes</tt>, the chat pairs
+ may be matched in any order, and success is determined by the PAM result,
+ not any particular output. The \n macro is ignored for PAM conversions.
+ </p><p>See also <a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix password
+ sync</tt></i></a>, <a href="#PASSWDPROGRAM"><i class="parameter"><tt>
+ passwd program</tt></i></a> ,<a href="#PASSWDCHATDEBUG">
+ <i class="parameter"><tt>passwd chat debug</tt></i></a> and <a href="#PAMPASSWORDCHANGE">
+ <i class="parameter"><tt>pam password change</tt></i></a>.</p><p>Default: <b class="command">passwd chat = *new*password* %n\\n
+ *new*password* %n\\n *changed*</b></p><p>Example: <b class="command">passwd chat = &quot;*Enter OLD password*&quot; %o\\n
+ &quot;*Enter NEW password*&quot; %n\\n &quot;*Reenter NEW password*&quot; %n\\n
+ &quot;*Password changed*&quot;</b></p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
+ parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
+ <a href="#DEBUGLEVEL"><i class="parameter"><tt>debug level</tt></i></a>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <b class="command">smbd</b> log. It is available to help
+ Samba admins debug their <i class="parameter"><tt>passwd chat</tt></i> scripts
+ when calling the <i class="parameter"><tt>passwd program</tt></i> and should
+ be turned off after this has been done. This option has no effect if the
+ <a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i></a>
+ paramter is set. This parameter is off by default.</p><p>See also <a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i>
+ </a>, <a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i>
+ </a>, <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i>
+ </a>.</p><p>Default: <b class="command">passwd chat debug = no</b></p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <i class="parameter"><tt>%u</tt></i>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</p><p>Also note that many passwd programs insist in <span class="emphasis"><em>reasonable
+ </em></span> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</p><p><span class="emphasis"><em>Note</em></span> that if the <i class="parameter"><tt>unix
+ password sync</tt></i> parameter is set to <tt class="constant">yes
+ </tt> then this program is called <span class="emphasis"><em>AS ROOT</em></span>
+ before the SMB password in the <a href="smbpasswd.5.html" target="_top"><a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>
+ </a> file is changed. If this UNIX password change fails, then
+ <b class="command">smbd</b> will fail to change the SMB password also
+ (this is by design).</p><p>If the <i class="parameter"><tt>unix password sync</tt></i> parameter
+ is set this parameter <span class="emphasis"><em>MUST USE ABSOLUTE PATHS</em></span>
+ for <span class="emphasis"><em>ALL</em></span> programs called, and must be examined
+ for security implications. Note that by default <i class="parameter"><tt>unix
+ password sync</tt></i> is set to <tt class="constant">no</tt>.</p><p>See also <a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix
+ password sync</tt></i></a>.</p><p>Default: <b class="command">passwd program = /bin/passwd</b></p><p>Example: <b class="command">passwd program = /sbin/npasswd %u</b></p></dd><dt><span class="term"><a name="PASSWORDLEVEL"></a>password level (G)</span></dt><dd><p>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS! Another problem child is the Windows 95/98
+ family of operating systems. These clients upper case clear
+ text passwords even when NT LM 0.12 selected by the protocol
+ negotiation request/response.</p><p>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</p><p>For example, say the password given was &quot;FRED&quot;. If <i class="parameter"><tt>
+ password level</tt></i> is set to 1, the following combinations
+ would be tried if &quot;FRED&quot; failed:</p><p>&quot;Fred&quot;, &quot;fred&quot;, &quot;fRed&quot;, &quot;frEd&quot;,&quot;freD&quot;</p><p>If <i class="parameter"><tt>password level</tt></i> was set to 2,
+ the following combinations would also be tried: </p><p>&quot;FRed&quot;, &quot;FrEd&quot;, &quot;FreD&quot;, &quot;fREd&quot;, &quot;fReD&quot;, &quot;frED&quot;, ..</p><p>And so on.</p><p>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</p><p>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</p><p>Default: <b class="command">password level = 0</b></p><p>Example: <b class="command">password level = 4</b></p></dd><dt><span class="term"><a name="PASSWORDSERVER"></a>password server (G)</span></dt><dd><p>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <b class="command">security = domain
+ </b> or <b class="command">security = server</b> you can get Samba
+ to do all its username/password validation via a remote server.</p><p>This option sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its Internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <tt class="filename">smb.conf</tt> file.</p><p>The name of the password server is looked up using the
+ parameter <a href="#NAMERESOLVEORDER"><i class="parameter"><tt>name
+ resolve order</tt></i></a> and so may resolved
+ by any method and order described in that parameter.</p><p>The password server must be a machine capable of using
+ the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
+ user level security mode.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Using a password server means your UNIX box (running
+ Samba) is only as secure as your password server. <span class="emphasis"><em>DO NOT
+ CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</em></span>.
+ </p></div><p>Never point a Samba server at itself for password serving.
+ This will cause a loop and could lock up your Samba server!</p><p>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <i class="parameter"><tt>%m
+ </tt></i>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts allow!</p><p>If the <i class="parameter"><tt>security</tt></i> parameter is set to
+ <tt class="constant">domain</tt>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is effectively
+ in that domain, and will use cryptographically authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <b class="command">
+ security = domain</b> is that if you list several hosts in the
+ <i class="parameter"><tt>password server</tt></i> option then <b class="command">smbd
+ </b> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</p><p>If the <i class="parameter"><tt>password server</tt></i> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <tt class="constant">WORKGROUP&lt;1C&gt;</tt>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </p><p>If the list of servers contains both names and the '*'
+ character, the list is treated as a list of preferred
+ domain controllers, but an auto lookup of all remaining DC's
+ will be added to the list as well. Samba will not attempt to optimize
+ this list by locating the closest DC.</p><p>If the <i class="parameter"><tt>security</tt></i> parameter is
+ set to <tt class="constant">server</tt>, then there are different
+ restrictions that <b class="command">security = domain</b> doesn't
+ suffer from:</p><div class="itemizedlist"><ul type="disc"><li><p>You may list several password servers in
+ the <i class="parameter"><tt>password server</tt></i> parameter, however if an
+ <b class="command">smbd</b> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <b class="command">smbd</b>. This is a
+ restriction of the SMB/CIFS protocol when in <b class="command">security = server
+ </b> mode and cannot be fixed in Samba.</p></li><li><p>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <b class="command">
+ security = server</b> mode the network logon will appear to
+ come from there rather than from the users workstation.</p></li></ul></div><p>See also the <a href="#SECURITY"><i class="parameter"><tt>security
+ </tt></i></a> parameter.</p><p>Default: <b class="command">password server = &lt;empty string&gt;</b></p><p>Example: <b class="command">password server = NT-PDC, NT-BDC1, NT-BDC2, *</b></p><p>Example: <b class="command">password server = *</b></p></dd><dt><span class="term"><a name="PATH"></a>path (S)</span></dt><dd><p>This parameter specifies a directory to which
+ the user of the service is to be given access. In the case of
+ printable services, this is where print data will spool prior to
+ being submitted to the host for printing.</p><p>For a printable service offering guest access, the service
+ should be readonly and the path should be world-writeable and
+ have the sticky bit set. This is not mandatory of course, but
+ you probably won't get the results you expect if you do
+ otherwise.</p><p>Any occurrences of <i class="parameter"><tt>%u</tt></i> in the path
+ will be replaced with the UNIX username that the client is using
+ on this connection. Any occurrences of <i class="parameter"><tt>%m</tt></i>
+ will be replaced by the NetBIOS name of the machine they are
+ connecting from. These replacements are very useful for setting
+ up pseudo home directories for users.</p><p>Note that this path will be based on <a href="#ROOTDIR">
+ <i class="parameter"><tt>root dir</tt></i></a> if one was specified.</p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">path = /home/fred</b></p></dd><dt><span class="term"><a name="PIDDIRECTORY"></a>pid directory (G)</span></dt><dd><p>This option specifies the directory where pid
+ files will be placed. </p><p>Default: <b class="command">pid directory = ${prefix}/var/locks</b></p><p>Example: <b class="command">pid directory = /var/run/</b></p></dd><dt><span class="term"><a name="POSIXLOCKING"></a>posix locking (S)</span></dt><dd><p>The <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>
+ daemon maintains an database of file locks obtained by SMB clients.
+ The default behavior is to map this internal database to POSIX
+ locks. This means that file locks obtained by SMB clients are
+ consistent with those seen by POSIX compliant applications accessing
+ the files via a non-SMB method (e.g. NFS or local file access).
+ You should never need to disable this parameter.</p><p>Default: <b class="command">posix locking = yes</b></p></dd><dt><span class="term"><a name="POSTEXEC"></a>postexec (S)</span></dt><dd><p>This option specifies a command to be run
+ whenever the service is disconnected. It takes the usual
+ substitutions. The command may be run as the root on some
+ systems.</p><p>An interesting example may be to unmount server
+ resources:</p><p><b class="command">postexec = /etc/umount /cdrom</b></p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">postexec = echo \&quot;%u disconnected from %S from %m (%I)\&quot; &gt;&gt; /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever
+ the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome
+ message every time they log in. Maybe a message of the day? Here
+ is an example:</p><p><b class="command">preexec = csh -c 'echo \&quot;Welcome to %S!\&quot; | /usr/local/samba/bin/smbclient -M %m -I %I' &amp; </b></p><p>Of course, this could get annoying after a while :-)</p><p>See also <a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a> and <a href="#POSTEXEC"><i class="parameter"><tt>postexec
+ </tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">preexec = echo \&quot;%u connected to %S from %m (%I)\&quot; &gt;&gt; /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>This boolean option controls whether a non-zero
+ return code from <a href="#PREEXEC"><i class="parameter"><tt>preexec
+ </tt></i></a> should close the service being connected to.</p><p>Default: <b class="command">preexec close = no</b></p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master (G)</span></dt><dd><p>Synonym for <a href="#PREFERREDMASTER"><i class="parameter"><tt>
+ preferred master</tt></i></a> for people who cannot spell :-).</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>This boolean parameter controls if
+ <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> is a preferred master
+ browser for its workgroup.</p><p>If this is set to <tt class="constant">yes</tt>, on startup, <b class="command">nmbd</b>
+ will force an election, and it will have a slight advantage in
+ winning the election. It is recommended that this parameter is
+ used in conjunction with <b class="command"><a href="#DOMAINMASTER">
+ <i class="parameter"><tt>domain master</tt></i></a> = yes</b>, so
+ that <b class="command">nmbd</b> can guarantee becoming a domain master.</p><p>Use this option with caution, because if there are several
+ hosts (whether Samba servers, Windows 95 or NT) that are
+ preferred master browsers on the same subnet, they will each
+ periodically and continuously attempt to become the local
+ master browser. This will result in unnecessary broadcast
+ traffic and reduced browsing capabilities.</p><p>See also <a href="#OSLEVEL"><i class="parameter"><tt>os level</tt></i></a>.</p><p>Default: <b class="command">preferred master = auto</b></p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be
+ automatically added to the browse lists. This is most useful
+ for homes and printers services that would otherwise not be
+ visible.</p><p>Note that if you just want all printers in your
+ printcap file loaded then the <a href="#LOADPRINTERS">
+ <i class="parameter"><tt>load printers</tt></i></a> option is easier.</p><p>Default: <span class="emphasis"><em>no preloaded services</em></span></p><p>Example: <b class="command">preload = fred lp colorlp</b></p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
+ be loaded into smbd before a client connects. This improves
+ the speed of smbd when reacting to new connections somewhat. </p><p>It is recommended to only use this option on heavy-performance
+ servers.</p><p>Default: <b class="command">preload modules = </b></p><p>Example: <b class="command">preload modules = /usr/lib/samba/passdb/mysql.so+++ </b></p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p> This controls if new filenames are created
+ with the case that the client passes, or if they are forced to
+ be the <a href="#DEFAULTCASE"><i class="parameter"><tt>default case
+ </tt></i></a>.</p><p>Default: <b class="command">preserve case = yes</b></p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.</p></dd><dt><span class="term"><a name="PRINTABLE"></a>printable (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt>, then
+ clients may open, write to and submit spool files on the directory
+ specified for the service. </p><p>Note that a printable service will ALWAYS allow writing
+ to the service path (user privileges permitting) via the spooling
+ of print data. The <a href="#READONLY"><i class="parameter"><tt>read only
+ </tt></i></a> parameter controls only non-printing access to
+ the resource.</p><p>Default: <b class="command">printable = no</b></p></dd><dt><span class="term"><a name="PRINTCAP"></a>printcap (G)</span></dt><dd><p>Synonym for <a href="#PRINTCAPNAME"><i class="parameter"><tt>
+ printcap name</tt></i></a>.</p></dd><dt><span class="term"><a name="PRINTCAPNAME"></a>printcap name (S)</span></dt><dd><p>This parameter may be used to override the
+ compiled-in default printcap name used by the server (usually <tt class="filename">
+ /etc/printcap</tt>). See the discussion of the <a href="#PRINTERSSECT" title="The [printers] section">[printers]</a> section above for reasons
+ why you might want to do this.</p><p>To use the CUPS printing interface set <b class="command">printcap name = cups
+ </b>. This should be supplemented by an addtional setting
+ <a href="#PRINTING">printing = cups</a> in the [global]
+ section. <b class="command">printcap name = cups</b> will use the
+ &quot;dummy&quot; printcap created by CUPS, as specified in your CUPS
+ configuration file.
+ </p><p>On System V systems that use <b class="command">lpstat</b> to
+ list available printers you can use <b class="command">printcap name = lpstat
+ </b> to automatically obtain lists of available printers. This
+ is the default for systems that define SYSV at configure time in
+ Samba (this includes most System V based systems). If <i class="parameter"><tt>
+ printcap name</tt></i> is set to <b class="command">lpstat</b> on
+ these systems then Samba will launch <b class="command">lpstat -v</b> and
+ attempt to parse the output to obtain a printer list.</p><p>A minimal printcap file would look something like this:</p><pre class="programlisting">
+print1|My Printer 1
+print2|My Printer 2
+print3|My Printer 3
+print4|My Printer 4
+print5|My Printer 5
+</pre><p>where the '|' separates aliases of a printer. The fact
+ that the second alias has a space in it gives a hint to Samba
+ that it's a comment.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Under AIX the default printcap
+ name is <tt class="filename">/etc/qconfig</tt>. Samba will assume the
+ file is in AIX <tt class="filename">qconfig</tt> format if the string
+ <tt class="filename">qconfig</tt> appears in the printcap filename.</p></div><p>Default: <b class="command">printcap name = /etc/printcap</b></p><p>Example: <b class="command">printcap name = /etc/myprintcap</b></p></dd><dt><span class="term"><a name="PRINTCOMMAND"></a>print command (S)</span></dt><dd><p>After a print job has finished spooling to
+ a service, this command will be used via a <b class="command">system()</b>
+ call to process the spool file. Typically the command specified will
+ submit the spool file to the host's printing subsystem, but there
+ is no requirement that this be the case. The server will not remove
+ the spool file, so whatever command you specify should remove the
+ spool file when it has been processed, otherwise you will need to
+ manually remove old spool files.</p><p>The print command is simply a text string. It will be used
+ verbatim after macro substitutions have been made:</p><p>%s, %f - the path to the spool
+ file name</p><p>%p - the appropriate printer
+ name</p><p>%J - the job
+ name as transmitted by the client.</p><p>%c - The number of printed pages
+ of the spooled job (if known).</p><p>%z - the size of the spooled
+ print job (in bytes)</p><p>The print command <span class="emphasis"><em>MUST</em></span> contain at least
+ one occurrence of <i class="parameter"><tt>%s</tt></i> or <i class="parameter"><tt>%f
+ </tt></i> - the <i class="parameter"><tt>%p</tt></i> is optional. At the time
+ a job is submitted, if no printer name is supplied the <i class="parameter"><tt>%p
+ </tt></i> will be silently removed from the printer command.</p><p>If specified in the [global] section, the print command given
+ will be used for any printable service that does not have its own
+ print command specified.</p><p>If there is neither a specified print command for a
+ printable service nor a global print command, spool files will
+ be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
+ <tt class="constant">nobody</tt> account. If this happens then create
+ an alternative guest account that can print and set the <a href="#GUESTACCOUNT">
+ <i class="parameter"><tt>guest account</tt></i></a>
+ in the [global] section.</p><p>You can form quite complex print commands by realizing
+ that they are just passed to a shell. For example the following
+ will log a print job, print the file, then remove it. Note that
+ ';' is the usual separator for command in shell scripts.</p><p><b class="command">print command = echo Printing %s &gt;&gt;
+ /tmp/print.log; lpr -P %p %s; rm %s</b></p><p>You may have to vary this command considerably depending
+ on how you normally print files on your system. The default for
+ the parameter varies depending on the setting of the <a href="#PRINTING">
+ <i class="parameter"><tt>printing</tt></i></a> parameter.</p><p>Default: For <b class="command">printing = BSD, AIX, QNX, LPRNG
+ or PLP :</b></p><p><b class="command">print command = lpr -r -P%p %s</b></p><p>For <b class="command">printing = SYSV or HPUX :</b></p><p><b class="command">print command = lp -c -d%p %s; rm %s</b></p><p>For <b class="command">printing = SOFTQ :</b></p><p><b class="command">print command = lp -d%p -s %s; rm %s</b></p><p>For printing = CUPS : If SAMBA is compiled against
+ libcups, then <a href="#PRINTING">printcap = cups</a>
+ uses the CUPS API to
+ submit jobs, etc. Otherwise it maps to the System V
+ commands with the -oraw option for printing, i.e. it
+ uses <b class="command">lp -c -d%p -oraw; rm %s</b>.
+ With <b class="command">printing = cups</b>,
+ and if SAMBA is compiled against libcups, any manually
+ set print command will be ignored.</p><p>Example: <b class="command">print command = /usr/local/samba/bin/myprintscript %p %s</b></p></dd><dt><span class="term"><a name="PRINTER"></a>printer (S)</span></dt><dd><p>Synonym for <a href="#PRINTERNAME"><i class="parameter"><tt>
+ printer name</tt></i></a>.</p></dd><dt><span class="term"><a name="PRINTERADMIN"></a>printer admin (S)</span></dt><dd><p>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MS-RPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</p><p>Default: <b class="command">printer admin = &lt;empty string&gt;</b></p><p>Example: <b class="command">printer admin = admin, @staff</b></p></dd><dt><span class="term"><a name="PRINTERNAME"></a>printer name (S)</span></dt><dd><p>This parameter specifies the name of the printer
+ to which print jobs spooled through a printable service will be sent.</p><p>If specified in the [global] section, the printer
+ name given will be used for any printable service that does
+ not have its own printer name specified.</p><p>Default: <span class="emphasis"><em>none (but may be <tt class="constant">lp</tt>
+ on many systems)</em></span></p><p>Example: <b class="command">printer name = laserwriter</b></p></dd><dt><span class="term"><a name="PRINTING"></a>printing (S)</span></dt><dd><p>This parameters controls how printer status information is
+ interpreted on your system. It also affects the default values for
+ the <i class="parameter"><tt>print command</tt></i>, <i class="parameter"><tt>lpq command</tt></i>, <i class="parameter"><tt>lppause command </tt></i>, <i class="parameter"><tt>lpresume command</tt></i>, and <i class="parameter"><tt>lprm command</tt></i> if specified in the
+ [global] section.</p><p>Currently nine printing styles are supported. They are
+ <tt class="constant">BSD</tt>, <tt class="constant">AIX</tt>,
+ <tt class="constant">LPRNG</tt>, <tt class="constant">PLP</tt>,
+ <tt class="constant">SYSV</tt>, <tt class="constant">HPUX</tt>,
+ <tt class="constant">QNX</tt>, <tt class="constant">SOFTQ</tt>,
+ and <tt class="constant">CUPS</tt>.</p><p>To see what the defaults are for the other print
+ commands when using the various options use the <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> program.</p><p>This option can be set on a per printer basis</p><p>See also the discussion in the <a href="#PRINTERSSECT" title="The [printers] section">
+ [printers]</a> section.</p></dd><dt><span class="term"><a name="PRINTOK"></a>print ok (S)</span></dt><dd><p>Synonym for <a href="#PRINTABLE">
+ <i class="parameter"><tt>printable</tt></i></a>.</p></dd><dt><span class="term"><a name="PRIVATEDIR"></a>private dir (G)</span></dt><dd><p>This parameters defines the directory
+ smbd will use for storing such files as <tt class="filename">smbpasswd</tt>
+ and <tt class="filename">secrets.tdb</tt>.
+ </p><p>Default :<b class="command">private dir = ${prefix}/private</b></p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol (G)</span></dt><dd><p>Synonym for <a href="#MAXPROTOCOL">
+ <i class="parameter"><tt>max protocol</tt></i></a>.</p></dd><dt><span class="term"><a name="PUBLIC"></a>public (S)</span></dt><dd><p>Synonym for <a href="#GUESTOK"><i class="parameter"><tt>guest
+ ok</tt></i></a>.</p></dd><dt><span class="term"><a name="QUEUEPAUSECOMMAND"></a>queuepause command (S)</span></dt><dd><p>This parameter specifies the command to be
+ executed on the server host in order to pause the printer queue.</p><p>This command should be a program or script which takes
+ a printer name as its only parameter and stops the printer queue,
+ such that no longer jobs are submitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printers window under Windows 95
+ and NT.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the command.
+ </p><p>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i class="parameter"><tt>printing</tt></i></em></span></p><p>Example: <b class="command">queuepause command = disable %p</b></p></dd><dt><span class="term"><a name="QUEUERESUMECOMMAND"></a>queueresume command (S)</span></dt><dd><p>This parameter specifies the command to be
+ executed on the server host in order to resume the printer queue. It
+ is the command to undo the behavior that is caused by the
+ previous parameter (<a href="#QUEUEPAUSECOMMAND"><i class="parameter"><tt>
+ queuepause command</tt></i></a>).</p><p>This command should be a program or script which takes
+ a printer name as its only parameter and resumes the printer queue,
+ such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printers window under Windows 95
+ and NT.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the
+ command.</p><p>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</p><p>Default: <span class="emphasis"><em>depends on the setting of <a href="#PRINTING">
+ <i class="parameter"><tt>printing</tt></i></a></em></span></p><p>Example: <b class="command">queuepause command = enable %p</b></p></dd><dt><span class="term"><a name="READBMPX"></a>read bmpx (G)</span></dt><dd><p>This boolean parameter controls whether
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will support the &quot;Read
+ Block Multiplex&quot; SMB. This is now rarely used and defaults to
+ <tt class="constant">no</tt>. You should never need to set this
+ parameter.</p><p>Default: <b class="command">read bmpx = no</b></p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <a href="#READONLY">
+ <i class="parameter"><tt>read only</tt></i></a>
+ option is set to. The list can include group names using the
+ syntax described in the <a href="#INVALIDUSERS"><i class="parameter"><tt>
+ invalid users</tt></i></a> parameter.</p><p>See also the <a href="#WRITELIST"><i class="parameter"><tt>
+ write list</tt></i></a> parameter and the <a href="#INVALIDUSERS">
+ <i class="parameter"><tt>invalid users</tt></i>
+ </a> parameter.</p><p>Default: <b class="command">read list = &lt;empty string&gt;</b></p><p>Example: <b class="command">read list = mary, @students</b></p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a href="#WRITEABLE">
+ <i class="parameter"><tt>writeable</tt></i></a>.</p><p>If this parameter is <tt class="constant">yes</tt>, then users
+ of a service may not create or modify files in the service's
+ directory.</p><p>Note that a printable service (<b class="command">printable = yes</b>)
+ will <span class="emphasis"><em>ALWAYS</em></span> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</p><p>Default: <b class="command">read only = yes</b></p></dd><dt><span class="term"><a name="READRAW"></a>read raw (G)</span></dt><dd><p>This parameter controls whether or not the server
+ will support the raw read SMB requests when transferring data
+ to clients.</p><p>If enabled, raw reads allow reads of 65535 bytes in
+ one packet. This typically provides a major performance benefit.
+ </p><p>However, some clients either negotiate the allowable
+ block size incorrectly or are incapable of supporting larger block
+ sizes, and for these clients you may need to disable raw reads.</p><p>In general this parameter should be viewed as a system tuning
+ tool and left severely alone. See also <a href="#WRITERAW">
+ <i class="parameter"><tt>write raw</tt></i></a>.</p><p>Default: <b class="command">read raw = yes</b></p></dd><dt><span class="term"><a name="READSIZE"></a>read size (G)</span></dt><dd><p>The option <i class="parameter"><tt>read size</tt></i>
+ affects the overlap of disk reads/writes with network reads/writes.
+ If the amount of data being transferred in several of the SMB
+ commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+ than this value then the server begins writing the data before it
+ has received the whole packet from the network, or in the case of
+ SMBreadbraw, it begins writing to the network before all the data
+ has been read from disk.</p><p>This overlapping works best when the speeds of disk and
+ network access are similar, having very little effect when the
+ speed of one is much greater than the other.</p><p>The default value is 16384, but very little experimentation
+ has been done yet to determine the optimal value, and it is likely
+ that the best value will vary greatly between systems anyway.
+ A value over 65536 is pointless and will cause you to allocate
+ memory unnecessarily.</p><p>Default: <b class="command">read size = 16384</b></p><p>Example: <b class="command">read size = 8192</b></p></dd><dt><span class="term"><a name="REALM"></a>realm (G)</span></dt><dd><p>This option specifies the kerberos realm to use. The realm is
+ used as the ADS equivalent of the NT4 <b class="command">domain</b>. It
+ is usually set to the DNS name of the kerberos server.
+ </p><p>Default: <b class="command">realm = </b></p><p>Example: <b class="command">realm = mysambabox.mycompany.com</b></p></dd><dt><span class="term"><a name="REMOTEANNOUNCE"></a>remote announce (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>to periodically announce itself
+ to arbitrary IP addresses with an arbitrary workgroup name.</p><p>This is useful if you want your Samba server to appear
+ in a remote workgroup for which the normal browse propagation
+ rules don't work. The remote workgroup can be anywhere that you
+ can send IP packets to.</p><p>For example:</p><p><b class="command">remote announce = 192.168.2.255/SERVERS
+ 192.168.4.255/STAFF</b></p><p>the above line would cause <b class="command">nmbd</b> to announce itself
+ to the two given IP addresses using the given workgroup names.
+ If you leave out the workgroup name then the one given in
+ the <a href="#WORKGROUP"><i class="parameter"><tt>workgroup</tt></i></a>
+ parameter is used instead.</p><p>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable.</p><p>See the documentation file <a href="improved-browsing.html" target="_top">BROWSING</a>
+ in the <tt class="filename">docs/</tt> directory.</p><p>Default: <b class="command">remote announce = &lt;empty string&gt;</b></p></dd><dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically request
+ synchronization of browse lists with the master browser of a Samba
+ server that is on a remote segment. This option will allow you to
+ gain browse lists for multiple workgroups across routed networks. This
+ is done in a manner that does not work with any non-Samba servers.</p><p>This is useful if you want your Samba server and all local
+ clients to appear in a remote workgroup for which the normal browse
+ propagation rules don't work. The remote workgroup can be anywhere
+ that you can send IP packets to.</p><p>For example:</p><p><b class="command">remote browse sync = 192.168.2.255 192.168.4.255</b></p><p>the above line would cause <b class="command">nmbd</b> to request
+ the master browser on the specified subnets or addresses to
+ synchronize their browse lists with the local server.</p><p>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable. If
+ a machine IP address is given Samba makes NO attempt to validate
+ that the remote machine is available, is listening, nor that it
+ is in fact the browse master on its segment.</p><p>Default: <b class="command">remote browse sync = &lt;empty string&gt;</b></p></dd><dt><span class="term"><a name="RESTRICTANONYMOUS"></a>restrict anonymous (G)</span></dt><dd><p>The setting of this parameter determines whether user and
+ group list information is returned for an anonymous connection.
+ and mirrors the effects of the
+ <tt class="constant">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous</tt> registry key in Windows
+ 2000 and Windows NT. When set to 0, user and group list
+ information is returned to anyone who asks. When set
+ to 1, only an authenticated user can retrive user and
+ group list information. For the value 2, supported by
+ Windows 2000/XP and Samba, no anonymous connections are allowed at
+ all. This can break third party and Microsoft
+ applications which expect to be allowed to perform
+ operations anonymously.</p><p>
+ The security advantage of using restrict anonymous = 1 is dubious,
+ as user and group list information can be obtained using other
+ means.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The security advantage of using restrict anonymous = 2 is removed
+ by setting <a href="#GUESTOK"><i class="parameter"><tt>guest
+ ok</tt></i> = yes</a> on any share.
+ </p></div><p>Default: <b class="command">restrict anonymous = 0</b></p></dd><dt><span class="term"><a name="ROOT"></a>root (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY">
+ <i class="parameter"><tt>root directory&quot;</tt></i></a>.
+ </p></dd><dt><span class="term"><a name="ROOTDIR"></a>root dir (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY">
+ <i class="parameter"><tt>root directory&quot;</tt></i></a>.
+ </p></dd><dt><span class="term"><a name="ROOTDIRECTORY"></a>root directory (G)</span></dt><dd><p>The server will <b class="command">chroot()</b> (i.e.
+ Change its root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use &quot;..&quot; in file names
+ to access other directories (depending on the setting of the <a href="#WIDELINKS">
+ <i class="parameter"><tt>wide links</tt></i></a>
+ parameter).
+ </p><p>Adding a <i class="parameter"><tt>root directory</tt></i> entry other
+ than &quot;/&quot; adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <i class="parameter"><tt>root directory</tt></i>
+ option, <span class="emphasis"><em>including</em></span> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <i class="parameter"><tt>root directory</tt></i> tree. In particular
+ you will need to mirror <tt class="filename">/etc/passwd</tt> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</p><p>Default: <b class="command">root directory = /</b></p><p>Example: <b class="command">root directory = /homes/smb</b></p></dd><dt><span class="term"><a name="ROOTPOSTEXEC"></a>root postexec (S)</span></dt><dd><p>This is the same as the <i class="parameter"><tt>postexec</tt></i>
+ parameter except that the command is run as root. This
+ is useful for unmounting filesystems
+ (such as CDROMs) after a connection is closed.</p><p>See also <a href="#POSTEXEC"><i class="parameter"><tt>
+ postexec</tt></i></a>.</p><p>Default: <b class="command">root postexec = &lt;empty string&gt;</b></p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p>This is the same as the <i class="parameter"><tt>preexec</tt></i>
+ parameter except that the command is run as root. This
+ is useful for mounting filesystems (such as CDROMs) when a
+ connection is opened.</p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>
+ preexec</tt></i></a> and <a href="#PREEXECCLOSE">
+ <i class="parameter"><tt>preexec close</tt></i></a>.</p><p>Default: <b class="command">root preexec = &lt;empty string&gt;</b></p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <i class="parameter"><tt>preexec close
+ </tt></i> parameter except that the command is run as root.</p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>
+ preexec</tt></i></a> and <a href="#PREEXECCLOSE">
+ <i class="parameter"><tt>preexec close</tt></i></a>.</p><p>Default: <b class="command">root preexec close = no</b></p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to
+ Samba and is one of the most important settings in the <tt class="filename">
+ smb.conf</tt> file.</p><p>The option sets the &quot;security mode bit&quot; in replies to
+ protocol negotiations with <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</p><p>The default is <b class="command">security = user</b>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</p><p>The alternatives are <b class="command">security = share</b>,
+ <b class="command">security = server</b> or <b class="command">security = domain
+ </b>.</p><p>In versions of Samba prior to 2.0.0, the default was
+ <b class="command">security = share</b> mainly because that was
+ the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the &quot;connect
+ drive&quot; dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</p><p>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <b class="command">security = user</b>. If you mostly use usernames
+ that don't exist on the UNIX box then use <b class="command">security =
+ share</b>.</p><p>You should also use <b class="command">security = share</b> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <b class="command">security = user</b>, see
+ the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
+ </a>parameter for details.</p><p>It is possible to use <b class="command">smbd</b> in a <span class="emphasis"><em>
+ hybrid mode</em></span> where it is offers both user and share
+ level security under different <a href="#NETBIOSALIASES">
+ <i class="parameter"><tt>NetBIOS aliases</tt></i></a>. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <b class="command">security = share
+ </b> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</p><p>Note that <b class="command">smbd</b> <span class="emphasis"><em>ALWAYS</em></span>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <b class="command">security = share</b> level security.</p><p>As clients are not required to send a username to the server
+ in share level security, <b class="command">smbd</b> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</p><p>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a href="#GUESTONLY"><i class="parameter"><tt>guest
+ only</tt></i></a> parameter is set, then all the other
+ stages are missed and only the <a href="#GUESTACCOUNT">
+ <i class="parameter"><tt>guest account</tt></i></a> username is checked.
+ </p></li><li><p>Is a username is sent with the share connection
+ request, then this username (after mapping - see <a href="#USERNAMEMAP">
+ <i class="parameter"><tt>username map</tt></i></a>),
+ is added as a potential username.
+ </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
+ </em></span> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </p></li><li><p>The name of the service the client requested is
+ added as a potential username.
+ </p></li><li><p>The NetBIOS name of the client is added to
+ the list as a potential username.
+ </p></li><li><p>Any users on the <a href="#USER"><i class="parameter"><tt>
+ user</tt></i></a> list are added as potential usernames.
+ </p></li></ul></div><p>If the <i class="parameter"><tt>guest only</tt></i> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</p><p>If the <i class="parameter"><tt>guest only</tt></i> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <i class="parameter"><tt>guest account</tt></i>, then this
+ guest user will be used, otherwise access is denied.</p><p>Note that it can be <span class="emphasis"><em>very</em></span> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
+ With user-level security a client must first &quot;log-on&quot; with a
+ valid username and password (which can be mapped using the <a href="#USERNAMEMAP">
+ <i class="parameter"><tt>username map</tt></i></a>
+ parameter). Encrypted passwords (see the <a href="#ENCRYPTPASSWORDS">
+ <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter) can also
+ be used in this security mode. Parameters such as <a href="#USER">
+ <i class="parameter"><tt>user</tt></i></a> and <a href="#GUESTONLY">
+ <i class="parameter"><tt>guest only</tt></i></a> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
+ requested is <span class="emphasis"><em>not</em></span> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
+ <i class="parameter"><tt>guest account</tt></i></a>.
+ See the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
+ </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
+ machine into a Windows NT Domain. It expects the <a href="#ENCRYPTPASSWORDS">
+ <i class="parameter"><tt>encrypted passwords</tt></i>
+ </a> parameter to be set to <tt class="constant">yes</tt>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</p><p><span class="emphasis"><em>Note</em></span> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</p><p><span class="emphasis"><em>Note</em></span> that from the client's point
+ of view <b class="command">security = domain</b> is the same
+ as <b class="command">security = user</b>. It only
+ affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
+ requested is <span class="emphasis"><em>not</em></span> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
+ <i class="parameter"><tt>guest account</tt></i></a>.
+ See the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
+ </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a href="#PASSWORDSERVER"><i class="parameter"><tt>password
+ server</tt></i></a> parameter and the <a href="#ENCRYPTPASSWORDS">
+ <i class="parameter"><tt>encrypted passwords</tt></i>
+ </a> parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <b class="command">security =
+ user</b>. It expects the <a href="#ENCRYPTPASSWORDS">
+ <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter
+ to be set to <tt class="constant">yes</tt>, unless the remote server
+ does not support them. However note that if encrypted passwords have been
+ negotiated then Samba cannot revert back to checking the UNIX password file,
+ it must have a valid <tt class="filename">smbpasswd</tt> file to check
+ users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</p><p><span class="emphasis"><em>Note</em></span> this mode of operation has
+ significant pitfalls, due to the fact that is activly initiates a
+ man-in-the-middle attack on the remote SMB server. In particular,
+ this mode of operation can cause significant resource consuption on
+ the PDC, as it must maintain an active connection for the duration
+ of the user's session. Furthermore, if this connection is lost,
+ there is no way to reestablish it, and futher authenticaions to the
+ Samba server may fail. (From a single client, till it disconnects).
+ </p><p><span class="emphasis"><em>Note</em></span> that from the client's point of
+ view <b class="command">security = server</b> is the
+ same as <b class="command">security = user</b>. It
+ only affects how the server deals with the authentication, it does
+ not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
+ requested is <span class="emphasis"><em>not</em></span> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
+ <i class="parameter"><tt>guest account</tt></i></a>.
+ See the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
+ </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a href="#PASSWORDSERVER"><i class="parameter"><tt>password
+ server</tt></i></a> parameter and the <a href="#ENCRYPTPASSWORDS">
+ <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter.</p><p>Default: <b class="command">security = USER</b></p><p>Example: <b class="command">security = DOMAIN</b></p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</p><p>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</p><p>If not set explicitly this parameter is 0777, allowing
+ a user to modify all the user/group/world permissions on a file.
+ </p><p><span class="emphasis"><em>Note</em></span> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ &quot;appliance&quot; systems. Administrators of most normal systems will
+ probably want to leave it set to <tt class="constant">0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE">
+ <i class="parameter"><tt>force directory security mode</tt></i></a>,
+ <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory
+ security mask</tt></i></a>, <a href="#FORCESECURITYMODE">
+ <i class="parameter"><tt>force security mode</tt></i></a> parameters.</p><p>Default: <b class="command">security mask = 0777</b></p><p>Example: <b class="command">security mask = 0770</b></p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>This controls whether the server offers or even
+ demands the use of the netlogon schannel.
+ <i class="parameter"><tt>server schannel = no</tt></i> does not
+ offer the schannel, <i class="parameter"><tt>server schannel =
+ auto</tt></i> offers the schannel but does not
+ enforce it, and <i class="parameter"><tt>server schannel =
+ yes</tt></i> denies access if the client is not
+ able to speak netlogon schannel. This is only the case
+ for Windows NT4 before SP4.</p><p>Please note that with this set to
+ <i class="parameter"><tt>no</tt></i> you will have to apply the
+ WindowsXP requireSignOrSeal-Registry patch found in
+ the docs/Registry subdirectory.</p><p>Default: <b class="command">server schannel = auto</b></p><p>Example: <b class="command">server schannel = yes</b></p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print
+ manager and next to the IPC connection in <b class="command">net view</b>. It
+ can be any string that you wish to show to your users.</p><p>It also sets what will appear in browse lists next
+ to the machine name.</p><p>A <i class="parameter"><tt>%v</tt></i> will be replaced with the Samba
+ version number.</p><p>A <i class="parameter"><tt>%h</tt></i> will be replaced with the
+ hostname.</p><p>Default: <b class="command">server string = Samba %v</b></p><p>Example: <b class="command">server string = University of GNUs Samba
+ Server</b></p></dd><dt><span class="term"><a name="SETDIRECTORY"></a>set directory (S)</span></dt><dd><p>If <b class="command">set directory = no</b>, then
+ users of the service may not use the setdir command to change
+ directory.</p><p>The <b class="command">setdir</b> command is only implemented
+ in the Digital Pathworks client. See the Pathworks documentation
+ for details.</p><p>Default: <b class="command">set directory = no</b></p></dd><dt><span class="term"><a name="SETPRIMARYGROUPSCRIPT"></a>set primary group script (G)</span></dt><dd><p>Thanks to the Posix subsystem in NT a Windows User has a
+ primary group in addition to the auxiliary groups. This script
+ sets the primary group in the unix userdatase when an
+ administrator sets the primary group from the windows user
+ manager or when fetching a SAM with <b class="command">net rpc
+ vampire</b>. <i class="parameter"><tt>%u</tt></i> will be replaced
+ with the user whose primary group is to be set.
+ <i class="parameter"><tt>%g</tt></i> will be replaced with the group to
+ set.</p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Example: <b class="command">set primary group script = /usr/sbin/usermod -g '%g' '%u'</b></p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of
+ the <i class="parameter"><tt>share modes</tt></i> during a file open. These
+ modes are used by clients to gain exclusive read or write access
+ to a file.</p><p>These open modes are not directly supported by UNIX, so
+ they are simulated using shared memory, or lock files if your
+ UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are
+ <tt class="constant">DENY_DOS</tt>, <tt class="constant">DENY_ALL</tt>,
+ <tt class="constant">DENY_READ</tt>, <tt class="constant">DENY_WRITE</tt>,
+ <tt class="constant">DENY_NONE</tt> and <tt class="constant">DENY_FCB</tt>.
+ </p><p>This option gives full share compatibility and enabled
+ by default.</p><p>You should <span class="emphasis"><em>NEVER</em></span> turn this parameter
+ off as many Windows applications will break if you do so.</p><p>Default: <b class="command">share modes = yes</b></p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>This boolean parameter controls if new files
+ which conform to 8.3 syntax, that is all in upper case and of
+ suitable length, are created upper case, or if they are forced
+ to be the <a href="#DEFAULTCASE"><i class="parameter"><tt>default case
+ </tt></i></a>. This option can be use with <a href="#PRESERVECASE"><b class="command">preserve case = yes</b>
+ </a> to permit long filenames to retain their case, while short
+ names are lowered. </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b class="command">short preserve case = yes</b></p></dd><dt><span class="term"><a name="SHOWADDPRINTERWIZARD"></a>show add printer wizard (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support
+ for Windows NT/2000 client in Samba 2.2, a &quot;Printers...&quot; folder will
+ appear on Samba hosts in the share listing. Normally this folder will
+ contain an icon for the MS Add Printer Wizard (APW). However, it is
+ possible to disable this feature regardless of the level of privilege
+ of the connected user.</p><p>Under normal circumstances, the Windows NT/2000 client will
+ open a handle on the printer server with OpenPrinterEx() asking for
+ Administrator privileges. If the user does not have administrative
+ access on the print server (i.e is not root or a member of the
+ <i class="parameter"><tt>printer admin</tt></i> group), the OpenPrinterEx()
+ call fails and the client makes another open call with a request for
+ a lower privilege level. This should succeed, however the APW
+ icon will not be displayed.</p><p>Disabling the <i class="parameter"><tt>show add printer wizard</tt></i>
+ parameter will always cause the OpenPrinterEx() on the server
+ to fail. Thus the APW icon will never be displayed. <span class="emphasis"><em>
+ Note :</em></span>This does not prevent the same user from having
+ administrative privilege on an individual printer.</p><p>See also <a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter
+ command</tt></i></a>, <a href="#DELETEPRINTERCOMMAND">
+ <i class="parameter"><tt>deleteprinter command</tt></i></a>, <a href="#PRINTERADMIN">
+ <i class="parameter"><tt>printer admin</tt></i></a></p><p>Default :<b class="command">show add printer wizard = yes</b></p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd xmlns:ns2=""><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span>
+ This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should start a shutdown procedure.</p><p>This command will be run as the user connected to the server.</p><p>%m %t %r %f parameters are expanded:</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>%m</tt></i> will be substituted with the
+ shutdown message sent to the server.</p></li><li><p><i class="parameter"><tt>%t</tt></i> will be substituted with the
+ number of seconds to wait before effectively starting the
+ shutdown procedure.</p></li><li><p><i class="parameter"><tt>%r</tt></i> will be substituted with the
+ switch <span class="emphasis"><em>-r</em></span>. It means reboot after shutdown
+ for NT.</p></li><li><p><i class="parameter"><tt>%f</tt></i> will be substituted with the
+ switch <span class="emphasis"><em>-f</em></span>. It means force the shutdown
+ even if applications do not respond for NT.</p></li></ul></div><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</b></p><ns2:p>Shutdown script example:
+</ns2:p><pre class="programlisting">
+#!/bin/bash
+
+$time=0
+let &quot;time/60&quot;
+let &quot;time++&quot;
+
+/sbin/shutdown $3 $4 +$time $1 &amp;
+</pre><ns2:p>
+Shutdown does not return so we need to launch it in background.
+</ns2:p><p>See also <a href="#ABORTSHUTDOWNSCRIPT">
+ <i class="parameter"><tt>abort shutdown script</tt></i></a>.</p></dd><dt><span class="term"><a name="SMBPASSWDFILE"></a>smb passwd file (G)</span></dt><dd><p>This option sets the path to the encrypted smbpasswd file. By
+ default the path to the smbpasswd file is compiled into Samba.</p><p>Default: <b class="command">smb passwd file = ${prefix}/private/smbpasswd</b></p><p>Example: <b class="command">smb passwd file = /etc/samba/smbpasswd</b></p></dd><dt><span class="term"><a name="SMBPORTS"></a>smb ports (G)</span></dt><dd><p>Specifies which ports the server should listen on for SMB traffic.</p><p>Default: <b class="command">smb ports = 445 139</b></p></dd><dt><span class="term"><a name="SOCKETADDRESS"></a>socket address (G)</span></dt><dd><p>This option allows you to control what
+ address Samba will listen for connections on. This is used to
+ support multiple virtual interfaces on the one server, each
+ with a different configuration.</p><p>By default Samba will accept connections on any
+ address.</p><p>Example: <b class="command">socket address = 192.168.2.20</b></p></dd><dt><span class="term"><a name="SOCKETOPTIONS"></a>socket options (G)</span></dt><dd><p>This option allows you to set socket options
+ to be used when talking with the client.</p><p>Socket options are controls on the networking layer
+ of the operating systems which allow the connection to be
+ tuned.</p><p>This option will typically be used to tune your Samba server
+ for optimal performance for your local network. There is no way
+ that Samba can know what the optimal parameters are for your net,
+ so you must experiment and choose them yourself. We strongly
+ suggest you read the appropriate documentation for your operating
+ system first (perhaps <b class="command">man
+ setsockopt</b> will help).</p><p>You may find that on some systems Samba will say
+ &quot;Unknown socket option&quot; when you supply an option. This means you
+ either incorrectly typed it or you need to add an include file
+ to includes.h for your OS. If the latter is the case please
+ send the patch to <a href="mailto:samba-technical@samba.org" target="_top">
+ samba-technical@samba.org</a>.</p><p>Any of the supported socket options may be combined
+ in any way you like, as long as your OS allows it.</p><p>This is the list of socket options currently settable
+ using this option:</p><div class="itemizedlist"><ul type="disc"><li><p>SO_KEEPALIVE</p></li><li><p>SO_REUSEADDR</p></li><li><p>SO_BROADCAST</p></li><li><p>TCP_NODELAY</p></li><li><p>IPTOS_LOWDELAY</p></li><li><p>IPTOS_THROUGHPUT</p></li><li><p>SO_SNDBUF *</p></li><li><p>SO_RCVBUF *</p></li><li><p>SO_SNDLOWAT *</p></li><li><p>SO_RCVLOWAT *</p></li></ul></div><p>Those marked with a <span class="emphasis"><em>'*'</em></span> take an integer
+ argument. The others can optionally take a 1 or 0 argument to enable
+ or disable the option, by default they will be enabled if you
+ don't specify 1 or 0.</p><p>To specify an argument use the syntax SOME_OPTION = VALUE
+ for example <b class="command">SO_SNDBUF = 8192</b>. Note that you must
+ not have any spaces before or after the = sign.</p><p>If you are on a local network then a sensible option
+ might be:</p><p><b class="command">socket options = IPTOS_LOWDELAY</b></p><p>If you have a local network then you could try:</p><p><b class="command">socket options = IPTOS_LOWDELAY TCP_NODELAY</b></p><p>If you are on a wide area network then perhaps try
+ setting IPTOS_THROUGHPUT. </p><p>Note that several of the options may cause your Samba
+ server to fail completely. Use these options with caution!</p><p>Default: <b class="command">socket options = TCP_NODELAY</b></p><p>Example: <b class="command">socket options = IPTOS_LOWDELAY</b></p></dd><dt><span class="term"><a name="SOURCEENVIRONMENT"></a>source environment (G)</span></dt><dd><p>This parameter causes Samba to set environment
+ variables as per the content of the file named.</p><p>If the value of this parameter starts with a &quot;|&quot; character
+ then Samba will treat that value as a pipe command to open and
+ will set the environment variables from the output of the pipe.</p><p>The contents of the file or the output of the pipe should
+ be formatted as the output of the standard Unix <b class="command">env(1)</b> command. This is of the form:</p><p>Example environment entry:</p><p><b class="command">SAMBA_NETBIOS_NAME = myhostname</b></p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Examples: <b class="command">source environment = |/etc/smb.conf.sh</b></p><p>Example: <b class="command">source environment =
+ /usr/local/smb_env_vars</b></p></dd><dt><span class="term"><a name="STATCACHE"></a>stat cache (G)</span></dt><dd><p>This parameter determines if <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will use a cache in order to
+ speed up case insensitive name mappings. You should never need
+ to change this parameter.</p><p>Default: <b class="command">stat cache = yes</b></p></dd><dt><span class="term"><a name="STATCACHESIZE"></a>stat cache size (G)</span></dt><dd><p>This parameter determines the number of
+ entries in the <i class="parameter"><tt>stat cache</tt></i>. You should
+ never need to change this parameter.</p><p>Default: <b class="command">stat cache size = 50</b></p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of
+ disk space allocation in the server. When this is set to <tt class="constant">yes</tt>
+ the server will change from UNIX behaviour of not committing real
+ disk storage blocks when a file is extended to the Windows behaviour
+ of actually forcing the disk system to allocate real storage blocks
+ when a file is created or extended to be a given size. In UNIX
+ terminology this means that Samba will stop creating sparse files.
+ This can be slow on some systems.</p><p>When strict allocate is <tt class="constant">no</tt> the server does sparse
+ disk block allocation when a file is extended.</p><p>Setting this to <tt class="constant">yes</tt> can help Samba return
+ out of quota messages on systems that are restricting the disk quota
+ of users.</p><p>Default: <b class="command">strict allocate = no</b></p></dd><dt><span class="term"><a name="STRICTLOCKING"></a>strict locking (S)</span></dt><dd><p>This is a boolean that controls the handling of
+ file locking in the server. When this is set to <tt class="constant">yes</tt>
+ the server will check every read and write access for file locks, and
+ deny access if locks exist. This can be slow on some systems.</p><p>When strict locking is <tt class="constant">no</tt> the server does file
+ lock checks only when the client explicitly asks for them.</p><p>Well-behaved clients always ask for lock checks when it
+ is important, so in the vast majority of cases <b class="command">strict
+ locking = no</b> is preferable.</p><p>Default: <b class="command">strict locking = no</b></p></dd><dt><span class="term"><a name="STRICTSYNC"></a>strict sync (S)</span></dt><dd><p>Many Windows applications (including the Windows 98 explorer
+ shell) seem to confuse flushing buffer contents to disk with doing
+ a sync to disk. Under UNIX, a sync call forces the process to be
+ suspended until the kernel has ensured that all outstanding data in
+ kernel disk buffers has been safely stored onto stable storage.
+ This is very slow and should only be done rarely. Setting this
+ parameter to <tt class="constant">no</tt> (the default) means that
+ <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> ignores the Windows
+ applications requests for a sync call. There is only a possibility
+ of losing data if the operating system itself that Samba is running
+ on crashes, so there is little danger in this default setting. In
+ addition, this fixes many performance problems that people have
+ reported with the new Windows98 explorer shell file copies.</p><p>See also the <a href="#SYNCALWAYS"><i class="parameter"><tt>sync
+ always</tt></i></a> parameter.</p><p>Default: <b class="command">strict sync = no</b></p></dd><dt><span class="term"><a name="STRIPDOT"></a>strip dot (G)</span></dt><dd><p>This is a boolean that controls whether to
+ strip trailing dots off UNIX filenames. This helps with some
+ CDROMs that have filenames ending in a single dot.</p><p>Default: <b class="command">strip dot = no</b></p></dd><dt><span class="term"><a name="SYNCALWAYS"></a>sync always (S)</span></dt><dd><p>This is a boolean parameter that controls
+ whether writes will always be written to stable storage before
+ the write call returns. If this is <tt class="constant">no</tt> then the server will be
+ guided by the client's request in each write call (clients can
+ set a bit indicating that a particular write should be synchronous).
+ If this is <tt class="constant">yes</tt> then every write will be followed by a <b class="command">fsync()
+ </b> call to ensure the data is written to disk. Note that
+ the <i class="parameter"><tt>strict sync</tt></i> parameter must be set to
+ <tt class="constant">yes</tt> in order for this parameter to have
+ any affect.</p><p>See also the <a href="#STRICTSYNC"><i class="parameter"><tt>strict
+ sync</tt></i></a> parameter.</p><p>Default: <b class="command">sync always = no</b></p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p>This parameter maps how Samba debug messages
+ are logged onto the system syslog logging levels. Samba debug
+ level zero maps onto syslog <tt class="constant">LOG_ERR</tt>, debug
+ level one maps onto <tt class="constant">LOG_WARNING</tt>, debug level
+ two maps onto <tt class="constant">LOG_NOTICE</tt>, debug level three
+ maps onto LOG_INFO. All higher levels are mapped to <tt class="constant">
+ LOG_DEBUG</tt>.</p><p>This parameter sets the threshold for sending messages
+ to syslog. Only messages with debug level less than this value
+ will be sent to syslog.</p><p>Default: <b class="command">syslog = 1</b></p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>If this parameter is set then Samba debug
+ messages are logged into the system syslog only, and not to
+ the debug log files.</p><p>Default: <b class="command">syslog only = no</b></p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT
+ user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this
+ parameter to fill in the home directory for that user. If the
+ string <i class="parameter"><tt>%D</tt></i> is present it
+ is substituted with the user's Windows NT domain name. If the
+ string <i class="parameter"><tt>%U</tt></i> is present it
+ is substituted with the user's Windows NT user name.</p><p>Default: <b class="command">template homedir = /home/%D/%U</b></p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT
+ user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this
+ parameter to fill in the login shell for that user.</p><p>Default: <b class="command">template shell = /bin/false</b></p></dd><dt><span class="term"><a name="TIMEOFFSET"></a>time offset (G)</span></dt><dd><p>This parameter is a setting in minutes to add
+ to the normal GMT to local time conversion. This is useful if
+ you are serving a lot of PCs that have incorrect daylight
+ saving time handling.</p><p>Default: <b class="command">time offset = 0</b></p><p>Example: <b class="command">time offset = 60</b></p></dd><dt><span class="term"><a name="TIMESERVER"></a>time server (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> advertises itself as a time server to Windows
+ clients.</p><p>Default: <b class="command">time server = no</b></p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs (G)</span></dt><dd><p>Synonym for <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
+ debug timestamp</tt></i></a>.</p></dd><dt><span class="term"><a name="TOTALPRINTJOBS"></a>total print jobs (G)</span></dt><dd><p>This parameter accepts an integer value which defines
+ a limit on the maximum number of print jobs that will be accepted
+ system wide at any given time. If a print job is submitted
+ by a client which will exceed this number, then <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will return an
+ error indicating that no space is available on the server. The
+ default value of 0 means that no such limit exists. This parameter
+ can be used to prevent a server from exceeding its capacity and is
+ designed as a printing throttle. See also <a href="#MAXPRINTJOBS">
+ <i class="parameter"><tt>max print jobs</tt></i></a>.
+ </p><p>Default: <b class="command">total print jobs = 0</b></p><p>Example: <b class="command">total print jobs = 5000</b></p></dd><dt><span class="term"><a name="UNICODE"></a>unicode (G)</span></dt><dd><p>Specifies whether Samba should try
+ to use unicode on the wire by default. Note: This does NOT
+ mean that samba will assume that the unix machine uses unicode!
+ </p><p>Default: <b class="command">unicode = yes</b></p></dd><dt><span class="term"><a name="UNIXCHARSET"></a>unix charset (G)</span></dt><dd><p>Specifies the charset the unix machine
+ Samba runs on uses. Samba needs to know this in order to be able to
+ convert text to the charsets other SMB clients use.
+ </p><p>Default: <b class="command">unix charset = UTF8</b></p><p>Example: <b class="command">unix charset = ASCII</b></p></dd><dt><span class="term"><a name="UNIXEXTENSIONS"></a>unix extensions (G)</span></dt><dd><p>This boolean parameter controls whether Samba
+ implments the CIFS UNIX extensions, as defined by HP.
+ These extensions enable Samba to better serve UNIX CIFS clients
+ by supporting features such as symbolic links, hard links, etc...
+ These extensions require a similarly enabled client, and are of
+ no current use to Windows clients.</p><p>Default: <b class="command">unix extensions = no</b></p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to <tt class="constant">yes</tt> the program specified in the <i class="parameter"><tt>passwd
+ program</tt></i>parameter is called <span class="emphasis"><em>AS ROOT</em></span> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password change code has no
+ access to the old password cleartext, only the new).</p><p>See also <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd
+ program</tt></i></a>, <a href="#PASSWDCHAT"><i class="parameter"><tt>
+ passwd chat</tt></i></a>.
+ </p><p>Default: <b class="command">unix password sync = no</b></p></dd><dt><span class="term"><a name="UPDATEENCRYPTED"></a>update encrypted (G)</span></dt><dd><p>This boolean parameter allows a user logging on with
+ a plaintext password to have their encrypted (hashed) password in
+ the smbpasswd file to be updated automatically as they log
+ on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing all
+ users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change
+ over to encrypted passwords to be made over a longer period.
+ Once all users have encrypted representations of their passwords
+ in the smbpasswd file this parameter should be set to
+ <tt class="constant">no</tt>.</p><p>In order for this parameter to work correctly the <a href="#ENCRYPTPASSWORDS">
+ <i class="parameter"><tt>encrypt passwords</tt></i></a> parameter must
+ be set to <tt class="constant">no</tt> when this parameter is set to <tt class="constant">yes</tt>.</p><p>Note that even when this parameter is set a user
+ authenticating to <b class="command">smbd</b> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</p><p>Default: <b class="command">update encrypted = no</b></p></dd><dt><span class="term"><a name="USECLIENTDRIVER"></a>use client driver (S)</span></dt><dd><p>This parameter applies only to Windows NT/2000
+ clients. It has no effect on Windows 95/98/ME clients. When
+ serving a printer to Windows NT/2000 clients without first installing
+ a valid printer driver on the Samba host, the client will be required
+ to install a local printer driver. From this point on, the client
+ will treat the print as a local printer and not a network printer
+ connection. This is much the same behavior that will occur
+ when <b class="command">disable spoolss = yes</b>.
+ </p><p>The differentiating factor is that under normal
+ circumstances, the NT/2000 client will attempt to open the network
+ printer using MS-RPC. The problem is that because the client
+ considers the printer to be local, it will attempt to issue the
+ OpenPrinterEx() call requesting access rights associated with the
+ logged on user. If the user possesses local administator rights but
+ not root privilegde on the Samba host (often the case), the
+ OpenPrinterEx() call will fail. The result is that the client will
+ now display an &quot;Access Denied; Unable to connect&quot; message
+ in the printer queue window (even though jobs may successfully be
+ printed). </p><p>If this parameter is enabled for a printer, then any attempt
+ to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
+ to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
+ call to succeed. <span class="emphasis"><em>This parameter MUST not be able enabled
+ on a print share which has valid print driver installed on the Samba
+ server.</em></span></p><p>See also <a href="#DISABLESPOOLSS"><i class="parameter"><tt>disable spoolss</tt></i></a></p><p>Default: <b class="command">use client driver = no</b></p></dd><dt><span class="term"><a name="USEMMAP"></a>use mmap (G)</span></dt><dd><p>This global parameter determines if the tdb internals of Samba can
+ depend on mmap working correctly on the running system. Samba requires a coherent
+ mmap/read-write system memory cache. Currently only HPUX does not have such a
+ coherent cache, and so this parameter is set to <tt class="constant">no</tt> by
+ default on HPUX. On all other systems this parameter should be left alone. This
+ parameter is provided to help the Samba developers track down problems with
+ the tdb internal code.
+ </p><p>Default: <b class="command">use mmap = yes</b></p></dd><dt><span class="term"><a name="USER"></a>user (S)</span></dt><dd><p>Synonym for <a href="#USERNAME"><i class="parameter"><tt>username</tt></i></a>.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</p><p>The <i class="parameter"><tt>username</tt></i> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</p><p>The <i class="parameter"><tt>username</tt></i> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <i class="parameter"><tt>username</tt></i> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</p><p>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
+ can use the <a href="#VALIDUSERS"><i class="parameter"><tt>valid users
+ </tt></i></a> parameter.</p><p>If any of the usernames begin with a '@' then the name
+ will be looked up first in the NIS netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</p><p>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&amp;' then the name
+ will be looked up only in the NIS netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take
+ quite some time, and some clients may time out during the
+ search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</a> for more information on how
+ this parameter determines access to the services.</p><p>Default: <b class="command">The guest account if a guest service,
+ else &lt;empty string&gt;.</b></p><p>Examples:<b class="command">username = fred, mary, jack, jane,
+ @users, @pcgroup</b></p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try while trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <tt class="constant">AstrangeUser
+ </tt>.</p><p>Default: <b class="command">username level = 0</b></p><p>Example: <b class="command">username level = 5</b></p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</p><p>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</p><p>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</p><p>If any line begins with a '#' or a ';' then it is ignored</p><p>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</p><p>For example to map from the name <tt class="constant">admin</tt>
+ or <tt class="constant">administrator</tt> to the UNIX name <tt class="constant">
+ root</tt> you would use:</p><p><b class="command">root = admin administrator</b></p><p>Or to map anyone in the UNIX group <tt class="constant">system</tt>
+ to the UNIX name <tt class="constant">sys</tt> you would use:</p><p><b class="command">sys = @system</b></p><p>You can have as many mappings as you like in a username map file.</p><p>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <tt class="filename">/etc/group
+ </tt> database for matching groups.</p><p>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</p><p><b class="command">tridge = &quot;Andrew Tridgell&quot;</b></p><p>would map the windows username &quot;Andrew Tridgell&quot; to the
+ unix username &quot;tridge&quot;.</p><p>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</p><pre class="programlisting">
+!sys = mary fred
+guest = *
+</pre><p>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <tt class="constant">
+ fred</tt> is remapped to <tt class="constant">mary</tt> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <tt class="constant">mary</tt> not
+ <tt class="constant">fred</tt>. The only exception to this is the
+ username passed to the <a href="#PASSWORDSERVER"><i class="parameter"><tt>
+ password server</tt></i></a> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</p><p>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</p><p>Default: <span class="emphasis"><em>no username map</em></span></p><p>Example: <b class="command">username map = /usr/local/samba/lib/users.map</b></p></dd><dt><span class="term"><a name="USERS"></a>users (S)</span></dt><dd><p>Synonym for <a href="#USERNAME"><i class="parameter"><tt>
+ username</tt></i></a>.</p></dd><dt><span class="term"><a name="USESENDFILE"></a>use sendfile (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt>, and Samba
+ was built with the --with-sendfile-support option, and the underlying operating
+ system supports sendfile system call, then some SMB read calls (mainly ReadAndX
+ and ReadRaw) will use the more efficient sendfile system call for files that
+ are exclusively oplocked. This may make more efficient use of the system CPU's
+ and cause Samba to be faster. This is off by default as it's effects are unknown
+ as yet.</p><p>Default: <b class="command">use sendfile = no</b></p></dd><dt><span class="term"><a name="USESPNEGO"></a>use spnego (G)</span></dt><dd><p> This variable controls controls whether samba will try
+ to use Simple and Protected NEGOciation (as specified by rfc2478) with
+ WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
+ Unless further issues are discovered with our SPNEGO
+ implementation, there is no reason this should ever be
+ disabled.</p><p>Default: <span class="emphasis"><em>use spnego = yes</em></span></p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>This boolean parameter is only available if
+ Samba has been configured and compiled with the option <b class="command">
+ --with-utmp</b>. If set to <tt class="constant">yes</tt> then Samba will attempt
+ to add utmp or utmpx records (depending on the UNIX system) whenever a
+ connection is made to a Samba server. Sites may use this to record the
+ user connecting to a Samba share.</p><p>Due to the requirements of the utmp record, we
+ are required to create a unique identifier for the
+ incoming user. Enabling this option creates an n^2
+ algorithm to find this number. This may impede
+ performance on large installations. </p><p>See also the <a href="#UTMPDIRECTORY"><i class="parameter"><tt>
+ utmp directory</tt></i></a> parameter.</p><p>Default: <b class="command">utmp = no</b></p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
+ been configured and compiled with the option <b class="command">
+ --with-utmp</b>. It specifies a directory pathname that is
+ used to store the utmp or utmpx files (depending on the UNIX system) that
+ record user connections to a Samba server. See also the <a href="#UTMP">
+ <i class="parameter"><tt>utmp</tt></i></a> parameter. By default this is
+ not set, meaning the system will use whatever utmp file the
+ native system is set to use (usually
+ <tt class="filename">/var/run/utmp</tt> on Linux).</p><p>Default: <span class="emphasis"><em>no utmp directory</em></span></p><p>Example: <b class="command">utmp directory = /var/run/utmp</b></p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
+ valid and thus can be used. When this parameter is set to false,
+ the share will be in no way visible nor accessible.
+ </p><p>
+ This option should not be
+ used by regular users but might be of help to developers.
+ Samba uses this option internally to mark shares as deleted.
+ </p><p>Default: <span class="emphasis"><em>True</em></span></p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&amp;'
+ are interpreted using the same rules as described in the
+ <i class="parameter"><tt>invalid users</tt></i> parameter.</p><p>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <i class="parameter"><tt>invalid
+ users</tt></i> list then access is denied for that user.</p><p>The current servicename is substituted for <i class="parameter"><tt>%S
+ </tt></i>. This is useful in the [homes] section.</p><p>See also <a href="#INVALIDUSERS"><i class="parameter"><tt>invalid users
+ </tt></i></a></p><p>Default: <span class="emphasis"><em>No valid users list (anyone can login)
+ </em></span></p><p>Example: <b class="command">valid users = greg, @pcusers</b></p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd xmlns:ns3=""><p>This is a list of files and directories that
+ are neither visible nor accessible. Each entry in the list must
+ be separated by a '/', which allows spaces to be included
+ in the entry. '*' and '?' can be used to specify multiple files
+ or directories as in DOS wildcards.</p><p>Each entry must be a unix path, not a DOS path and
+ must <span class="emphasis"><em>not</em></span> include the unix directory
+ separator '/'.</p><p>Note that the <i class="parameter"><tt>case sensitive</tt></i> option
+ is applicable in vetoing files.</p><p>One feature of the veto files parameter that it
+ is important to be aware of is Samba's behaviour when
+ trying to delete a directory. If a directory that is
+ to be deleted contains nothing but veto files this
+ deletion will <span class="emphasis"><em>fail</em></span> unless you also set
+ the <i class="parameter"><tt>delete veto files</tt></i> parameter to
+ <i class="parameter"><tt>yes</tt></i>.</p><p>Setting this parameter will affect the performance
+ of Samba, as it will be forced to check all files and directories
+ for a match as they are scanned.</p><p>See also <a href="#HIDEFILES"><i class="parameter"><tt>hide files
+ </tt></i></a> and <a href="#CASESENSITIVE"><i class="parameter"><tt>
+ case sensitive</tt></i></a>.</p><p>Default: <span class="emphasis"><em>No files or directories are vetoed.
+ </em></span></p><ns3:p>Examples:
+</ns3:p><pre class="programlisting">
+; Veto any files containing the word Security,
+; any ending in .tmp, and any directory containing the
+; word root.
+veto files = /*Security*/*.tmp/*root*/
+
+; Veto the Apple specific files that a NetAtalk server
+; creates.
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+</pre></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>This parameter is only valid when the <a href="#OPLOCKS">
+ <i class="parameter"><tt>oplocks</tt></i></a>
+ parameter is turned on for a share. It allows the Samba administrator
+ to selectively turn off the granting of oplocks on selected files that
+ match a wildcarded list, similar to the wildcarded list used in the
+ <a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a>
+ parameter.</p><p>Default: <span class="emphasis"><em>No files are vetoed for oplock grants</em></span></p><p>You might want to do this on files that you know will
+ be heavily contended for by clients. A good example of this
+ is in the NetBench SMB benchmark program, which causes heavy
+ client contention for files ending in <tt class="filename">.SEM</tt>.
+ To cause Samba not to grant oplocks on these files you would use
+ the line (either in the [global] section or in the section for
+ the particular NetBench share :</p><p>Example: <b class="command">veto oplock files = /*.SEM/</b></p></dd><dt><span class="term"><a name="VFSOBJECT"></a>vfs object (S)</span></dt><dd><p>Synonym for
+ <a href="#VFSOBJECTS">
+ <i class="parameter"><tt>vfs objects</tt></i>
+ </a>.
+ </p></dd><dt><span class="term"><a name="VFSOBJECTS"></a>vfs objects (S)</span></dt><dd><p>This parameter specifies the backend names which
+ are used for Samba VFS I/O operations. By default, normal
+ disk I/O operations are used but these can be overloaded
+ with one or more VFS objects. </p><p>Default: <span class="emphasis"><em>no value</em></span></p><p>Example: <b class="command">vfs objects = extd_audit recycle</b></p></dd><dt><span class="term"><a name="VOLUME"></a>volume (S)</span></dt><dd><p> This allows you to override the volume label
+ returned for a share. Useful for CDROMs with installation programs
+ that insist on a particular volume label.</p><p>Default: <span class="emphasis"><em>the name of the share</em></span></p></dd><dt><span class="term"><a name="WIDELINKS"></a>wide links (S)</span></dt><dd><p>This parameter controls whether or not links
+ in the UNIX file system may be followed by the server. Links
+ that point to areas within the directory tree exported by the
+ server are always allowed; this parameter controls access only
+ to areas that are outside the directory tree being exported.</p><p>Note that setting this parameter can have a negative
+ effect on your server performance due to the extra system calls
+ that Samba has to do in order to perform the link checks.</p><p>Default: <b class="command">wide links = yes</b></p></dd><dt><span class="term"><a name="WINBINDCACHETIME"></a>winbind cache time (G)</span></dt><dd><p>This parameter specifies the number of
+ seconds the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</p><p>Default: <b class="command">winbind cache type = 15</b></p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be necessary to suppress
+ the enumeration of groups through the <b class="command">setgrent()</b>,
+ <b class="command">getgrent()</b> and
+ <b class="command">endgrent()</b> group of system calls. If
+ the <i class="parameter"><tt>winbind enum groups</tt></i> parameter is
+ <tt class="constant">no</tt>, calls to the <b class="command">getgrent()</b> system
+ call will not return any data. </p><p><span class="emphasis"><em>Warning:</em></span> Turning off group
+ enumeration may cause some programs to behave oddly.
+ </p><p>Default: <b class="command">winbind enum groups = yes </b></p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be
+ necessary to suppress the enumeration of users through the <b class="command">setpwent()</b>,
+ <b class="command">getpwent()</b> and
+ <b class="command">endpwent()</b> group of system calls. If
+ the <i class="parameter"><tt>winbind enum users</tt></i> parameter is
+ <tt class="constant">no</tt>, calls to the <b class="command">getpwent</b> system call
+ will not return any data. </p><p><span class="emphasis"><em>Warning:</em></span> Turning off user
+ enumeration may cause some programs to behave oddly. For
+ example, the finger program relies on having access to the
+ full user list when searching for matching
+ usernames. </p><p>Default: <b class="command">winbind enum users = yes </b></p></dd><dt><span class="term"><a name="WINBINDGID"></a>winbind gid (G)</span></dt><dd><p>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon. This range of group ids should have no
+ existing local or NIS groups within it as strange conflicts can
+ occur otherwise.</p><p>Default: <b class="command">winbind gid = &lt;empty string&gt;</b></p><p>Example: <b class="command">winbind gid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDSEPARATOR"></a>winbind separator (G)</span></dt><dd><p>This parameter allows an admin to define the character
+ used when listing a username of the form of <i class="replaceable"><tt>DOMAIN
+ </tt></i>\<i class="replaceable"><tt>user</tt></i>. This parameter
+ is only applicable when using the <tt class="filename">pam_winbind.so</tt>
+ and <tt class="filename">nss_winbind.so</tt> modules for UNIX services.
+ </p><p>Please note that setting this parameter to + causes problems
+ with group membership at least on glibc systems, as the character +
+ is used as a special character for NIS in /etc/group.</p><p>Default: <b class="command">winbind separator = '\'</b></p><p>Example: <b class="command">winbind separator = +</b></p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid (G)</span></dt><dd><p>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon. This range of ids should have no
+ existing local or NIS users within it as strange conflicts can
+ occur otherwise.</p><p>Default: <b class="command">winbind uid = &lt;empty string&gt;</b></p><p>Example: <b class="command">winbind uid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDUSEDDEFAULTDOMAIN"></a>winbind used default domain (G)</span></dt><dd><p>This parameter specifies whether the
+ <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users
+ without domain component in their username. Users without a domain
+ component are treated as is part of the winbindd server's own
+ domain. While this does not benifit Windows users, it makes SSH, FTP and
+ e-mail function in a way much closer to the way they
+ would in a native unix system.</p><p>Default: <b class="command">winbind use default domain = &lt;no&gt;</b></p><p>Example: <b class="command">winbind use default domain = yes</b></p></dd><dt><span class="term"><a name="WINSHOOK"></a>wins hook (G)</span></dt><dd><p>When Samba is running as a WINS server this
+ allows you to call an external program for all changes to the
+ WINS database. The primary use for this option is to allow the
+ dynamic update of external name resolution databases such as
+ dynamic DNS.</p><p>The wins hook parameter specifies the name of a script
+ or executable that will be called as follows:</p><p><b class="command">wins_hook operation name nametype ttl IP_list</b></p><div class="itemizedlist"><ul type="disc"><li><p>The first argument is the operation and is
+ one of &quot;add&quot;, &quot;delete&quot;, or
+ &quot;refresh&quot;. In most cases the operation
+ can be ignored as the rest of the parameters
+ provide sufficient information. Note that
+ &quot;refresh&quot; may sometimes be called when
+ the name has not previously been added, in that
+ case it should be treated as an add.</p></li><li><p>The second argument is the NetBIOS name. If the
+ name is not a legal name then the wins hook is not called.
+ Legal names contain only letters, digits, hyphens, underscores
+ and periods.</p></li><li><p>The third argument is the NetBIOS name
+ type as a 2 digit hexadecimal number. </p></li><li><p>The fourth argument is the TTL (time to live)
+ for the name in seconds.</p></li><li><p>The fifth and subsequent arguments are the IP
+ addresses currently registered for that name. If this list is
+ empty then the name should be deleted.</p></li></ul></div><p>An example script that calls the BIND dynamic DNS update
+ program <b class="command">nsupdate</b> is provided in the examples
+ directory of the Samba source code. </p></dd><dt><span class="term"><a name="WINSPARTNER"></a>wins partner (G)</span></dt><dd><p>A space separated list of partners' IP addresses for
+ WINS replication. WINS partners are always defined as push/pull
+ partners as defining only one way WINS replication is unreliable.
+ WINS replication is currently experimental and unreliable between
+ samba servers.
+ </p><p>Default: <b class="command">wins partners = </b></p><p>Example: <b class="command">wins partners = 192.168.0.1 172.16.1.2</b></p></dd><dt><span class="term"><a name="WINSPROXY"></a>wins proxy (G)</span></dt><dd><p>This is a boolean that controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will respond to broadcast name
+ queries on behalf of other hosts. You may need to set this
+ to <tt class="constant">yes</tt> for some older clients.</p><p>Default: <b class="command">wins proxy = no</b></p></dd><dt><span class="term"><a name="WINSSERVER"></a>wins server (G)</span></dt><dd><p>This specifies the IP address (or DNS name: IP
+ address for preference) of the WINS server that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> should register with. If you have a WINS server on
+ your network then you should set this to the WINS server's IP.</p><p>You should point this at your WINS server if you have a
+ multi-subnetted network.</p><p>If you want to work in multiple namespaces, you can
+ give every wins server a 'tag'. For each tag, only one
+ (working) server will be queried for a name. The tag should be
+ seperated from the ip address by a colon.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You need to set up Samba to point
+ to a WINS server if you have multiple subnets and wish cross-subnet
+ browsing to work correctly.</p></div><p>See the documentation file <a href="improved-browsing.html" target="_top">Browsing</a> in the samba howto collection.</p><p>Default: <span class="emphasis"><em>not enabled</em></span></p><p>Example: <b class="command">wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61</b></p><p>For this example when querying a certain name, 192.19.200.1 will
+ be asked first and if that doesn't respond 192.168.2.61. If either
+ of those doesn't know the name 192.168.3.199 will be queried.
+ </p><p>Example: <b class="command">wins server = 192.9.200.1 192.168.2.61</b></p></dd><dt><span class="term"><a name="WINSSUPPORT"></a>wins support (G)</span></dt><dd><p>This boolean controls if the <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> process in Samba will act as a WINS server. You should
+ not set this to <tt class="constant">yes</tt> unless you have a multi-subnetted network and
+ you wish a particular <b class="command">nmbd</b> to be your WINS server.
+ Note that you should <span class="emphasis"><em>NEVER</em></span> set this to <tt class="constant">yes</tt>
+ on more than one machine in your network.</p><p>Default: <b class="command">wins support = no</b></p></dd><dt><span class="term"><a name="WORKGROUP"></a>workgroup (G)</span></dt><dd><p>This controls what workgroup your server will
+ appear to be in when queried by clients. Note that this parameter
+ also controls the Domain name used with
+ the <a href="#SECURITYEQUALSDOMAIN"><b class="command">security = domain</b></a>
+ setting.</p><p>Default: <span class="emphasis"><em>set at compile time to WORKGROUP</em></span></p><p>Example: <b class="command">workgroup = MYGROUP</b></p></dd><dt><span class="term"><a name="WRITABLE"></a>writable (S)</span></dt><dd><p>Synonym for <a href="#WRITEABLE"><i class="parameter"><tt>
+ writeable</tt></i></a> for people who can't spell :-).</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a href="#READONLY">
+ <i class="parameter"><tt>read only</tt></i></a>.</p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
+ Samba will create an in-memory cache for each oplocked file
+ (it does <span class="emphasis"><em>not</em></span> do this for
+ non-oplocked files). All writes that the client does not request
+ to be flushed directly to disk will be stored in this cache if possible.
+ The cache is flushed onto disk when a write comes in whose offset
+ would not fit into the cache or when the file is closed by the client.
+ Reads for the file are also served from this cache if the data is stored
+ within it.</p><p>This cache allows Samba to batch client writes into a more
+ efficient write size for RAID disks (i.e. writes may be tuned to
+ be the RAID stripe size) and can improve performance on systems
+ where the disk subsystem is a bottleneck but there is free
+ memory for userspace programs.</p><p>The integer parameter specifies the size of this cache
+ (per oplocked file) in bytes.</p><p>Default: <b class="command">write cache size = 0</b></p><p>Example: <b class="command">write cache size = 262144</b></p><p>for a 256k cache size per file.</p></dd><dt><span class="term"><a name="WRITELIST"></a>write list (S)</span></dt><dd><p>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <a href="#READONLY">
+ <i class="parameter"><tt>read only</tt></i></a>
+ option is set to. The list can include group names using the
+ @group syntax.</p><p>Note that if a user is in both the read list and the
+ write list then they will be given write access.</p><p>See also the <a href="#READLIST"><i class="parameter"><tt>read list
+ </tt></i></a> option.</p><p>Default: <b class="command">write list = &lt;empty string&gt;</b></p><p>Example: <b class="command">write list = admin, root, @staff</b></p></dd><dt><span class="term"><a name="WRITEOK"></a>write ok (S)</span></dt><dd><p>Inverted synonym for <a href="#READONLY">
+ <i class="parameter"><tt>read only</tt></i></a>.</p></dd><dt><span class="term"><a name="WRITERAW"></a>write raw (G)</span></dt><dd><p>This parameter controls whether or not the server
+ will support raw write SMB's when transferring data from clients.
+ You should never need to change this parameter.</p><p>Default: <b class="command">write raw = yes</b></p></dd><dt><span class="term"><a name="WTMPDIRECTORY"></a>wtmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
+ been configured and compiled with the option <b class="command">
+ --with-utmp</b>. It specifies a directory pathname that is
+ used to store the wtmp or wtmpx files (depending on the UNIX system) that
+ record user connections to a Samba server. The difference with
+ the utmp directory is the fact that user info is kept after a user
+ has logged out.</p><p>See also the <a href="#UTMP">
+ <i class="parameter"><tt>utmp</tt></i></a> parameter. By default this is
+ not set, meaning the system will use whatever utmp file the
+ native system is set to use (usually
+ <tt class="filename">/var/run/wtmp</tt> on Linux).</p><p>Default: <span class="emphasis"><em>no wtmp directory</em></span></p><p>Example: <b class="command">wtmp directory = /var/log/wtmp</b></p></dd></dl></div></div><div class="refsect1" lang="en"><h2>WARNINGS</h2><p>Although the configuration file permits service names
to contain spaces, your client software may not. Spaces will
be ignored in comparisons anyway, so it shouldn't be a
problem - but be aware of the possibility.</p><p>On a similar note, many clients - especially DOS clients -