Diffstat (limited to 'docs/htmldocs/smb.conf.5.html')
-rw-r--r-- docs/htmldocs/smb.conf.5.html 1570
1 files changed, 1060 insertions, 510 deletions
diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html
index 0f8a83a939..75e2587689 100644
--- a/docs/htmldocs/smb.conf.5.html
+++ b/docs/htmldocs/smb.conf.5.html
@@ -859,11 +859,11 @@ NAME="AEN253"
><LI
><P
><A
-HREF="#ADDUSERSCRIPT"
+HREF="#ADDPRINTERCOMMAND"
><TT
CLASS="PARAMETER"
><I
->add user script</I
+>add printer command</I
></TT
></A
></P
@@ -871,11 +871,23 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#ADDPRINTERCOMMAND"
+HREF="#ADDSHARECOMMAND"
><TT
CLASS="PARAMETER"
><I
->addprinter command</I
+>add share command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ADDUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>add user script</I
></TT
></A
></P
@@ -967,6 +979,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#CHANGESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#CHARACTERSET"
><TT
CLASS="PARAMETER"
@@ -1123,23 +1147,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#DELETEUSERSCRIPT"
-><TT
-CLASS="PARAMETER"
-><I
->delete user script</I
-></TT
-></A
-></P
-></LI
-><LI
-><P
-><A
HREF="#DELETEPRINTERCOMMAND"
><TT
CLASS="PARAMETER"
><I
->deleteprinter command</I
+>delete printer command</I
></TT
></A
></P
@@ -1147,11 +1159,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#DFREECOMMAND"
+HREF="#DELETESHARECOMMAND"
><TT
CLASS="PARAMETER"
><I
->dfree command</I
+>delete share command</I
></TT
></A
></P
@@ -1159,11 +1171,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#DNSPROXY"
+HREF="#DELETEUSERSCRIPT"
><TT
CLASS="PARAMETER"
><I
->dns proxy</I
+>delete user script</I
></TT
></A
></P
@@ -1171,11 +1183,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#DOMAINADMINGROUP"
+HREF="#DFREECOMMAND"
><TT
CLASS="PARAMETER"
><I
->domain admin group</I
+>dfree command</I
></TT
></A
></P
@@ -1183,11 +1195,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#DOMAINADMINUSERS"
+HREF="#DNSPROXY"
><TT
CLASS="PARAMETER"
><I
->domain admin users</I
+>dns proxy</I
></TT
></A
></P
@@ -1195,11 +1207,11 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#DOMAINGROUPS"
+HREF="#DOMAINADMINGROUP"
><TT
CLASS="PARAMETER"
><I
->domain groups</I
+>domain admin group</I
></TT
></A
></P
@@ -1219,18 +1231,6 @@ CLASS="PARAMETER"
><LI
><P
><A
-HREF="#DOMAINGUESTUSERS"
-><TT
-CLASS="PARAMETER"
-><I
->domain guest users</I
-></TT
-></A
-></P
-></LI
-><LI
-><P
-><A
HREF="#DOMAINLOGONS"
><TT
CLASS="PARAMETER"
@@ -1867,6 +1867,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#OBEYPAMRESTRICTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>obey pam restrictions</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#OPLOCKBREAKWAITTIME"
><TT
CLASS="PARAMETER"
@@ -1903,6 +1915,18 @@ CLASS="PARAMETER"
><LI
><P
><A
+HREF="#PAMPASSWORDCHANGE"
+><TT
+CLASS="PARAMETER"
+><I
+>pam password change</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
HREF="#PANICACTION"
><TT
CLASS="PARAMETER"
@@ -2757,7 +2781,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN889"
+NAME="AEN897"
></A
><H2
>COMPLETE LIST OF SERVICE PARAMETERS</H2
@@ -4176,7 +4200,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN1361"
+NAME="AEN1369"
></A
><H2
>EXPLANATION OF EACH PARAMETER</H2
@@ -4187,154 +4211,9 @@ CLASS="VARIABLELIST"
><DL
><DT
><A
-NAME="ADDUSERSCRIPT"
-></A
->add user script (G)</DT
-><DD
-><P
->This is the full pathname to a script that will
- be run <EM
->AS ROOT</EM
-> by <A
-HREF="smbd.8.html"
-TARGET="_top"
->smbd(8)
- </A
-> under special circumstances described below.</P
-><P
->Normally, a Samba server requires that UNIX users are
- created for all users accessing files on this server. For sites
- that use Windows NT account databases as their primary user database
- creating these users and keeping the user list in sync with the
- Windows NT PDC is an onerous task. This option allows <A
-HREF="smbd.8.html"
-TARGET="_top"
->smbd</A
-> to create the required UNIX users
- <EM
->ON DEMAND</EM
-> when a user accesses the Samba server.</P
-><P
->In order to use this option, <A
-HREF="smbd.8.html"
-TARGET="_top"
->smbd</A
->
- must be set to <TT
-CLASS="PARAMETER"
-><I
->security=server</I
-></TT
-> or <TT
-CLASS="PARAMETER"
-><I
-> security=domain</I
-></TT
-> and <TT
-CLASS="PARAMETER"
-><I
->add user script</I
-></TT
->
- must be set to a full pathname for a script that will create a UNIX
- user given one argument of <TT
-CLASS="PARAMETER"
-><I
->%u</I
-></TT
->, which expands into
- the UNIX user name to create.</P
-><P
->When the Windows user attempts to access the Samba server,
- at login (session setup in the SMB protocol) time, <A
-HREF="smbd.8.html"
-TARGET="_top"
-> smbd</A
-> contacts the <TT
-CLASS="PARAMETER"
-><I
->password server</I
-></TT
-> and
- attempts to authenticate the given user with the given password. If the
- authentication succeeds then <B
-CLASS="COMMAND"
->smbd</B
->
- attempts to find a UNIX user in the UNIX password database to map the
- Windows user into. If this lookup fails, and <TT
-CLASS="PARAMETER"
-><I
->add user script
- </I
-></TT
-> is set then <B
-CLASS="COMMAND"
->smbd</B
-> will
- call the specified script <EM
->AS ROOT</EM
->, expanding
- any <TT
-CLASS="PARAMETER"
-><I
->%u</I
-></TT
-> argument to be the user name to create.</P
-><P
->If this script successfully creates the user then <B
-CLASS="COMMAND"
->smbd
- </B
-> will continue on as though the UNIX user
- already existed. In this way, UNIX users are dynamically created to
- match existing Windows NT accounts.</P
-><P
->See also <A
-HREF="#SECURITY"
-><TT
-CLASS="PARAMETER"
-><I
-> security</I
-></TT
-></A
->, <A
-HREF="#PASSWORDSERVER"
-> <TT
-CLASS="PARAMETER"
-><I
->password server</I
-></TT
-></A
->,
- <A
-HREF="#DELETEUSERSCRIPT"
-><TT
-CLASS="PARAMETER"
-><I
->delete user
- script</I
-></TT
-></A
->.</P
-><P
->Default: <B
-CLASS="COMMAND"
->add user script = &#60;empty string&#62;
- </B
-></P
-><P
->Example: <B
-CLASS="COMMAND"
->add user script = /usr/local/samba/bin/add_user
- %u</B
-></P
-></DD
-><DT
-><A
NAME="ADDPRINTERCOMMAND"
></A
->addprinter command (G)</DT
+>add printer command (G)</DT
><DD
><P
>With the introduction of MS-RPC based printing
@@ -4348,7 +4227,8 @@ NAME="ADDPRINTERCOMMAND"
physically added to underlying printing system. The <TT
CLASS="PARAMETER"
><I
-> addprinter command</I
+>add
+ printer command</I
></TT
> defines a script to be run which
will perform the necessary operations for adding the printer
@@ -4370,7 +4250,7 @@ CLASS="COMMAND"
>The <TT
CLASS="PARAMETER"
><I
->addprinter command</I
+>add printer command</I
></TT
> is
automatically invoked with the following parameter (in
@@ -4444,7 +4324,7 @@ CLASS="PARAMETER"
>Once the <TT
CLASS="PARAMETER"
><I
->addprinter command</I
+>add printer command</I
></TT
> has
been executed, <B
@@ -4465,7 +4345,7 @@ HREF="#DELETEPRINTERCOMMAND"
><TT
CLASS="PARAMETER"
><I
-> deleteprinter command</I
+> delete printer command</I
></TT
></A
>, <A
@@ -4500,6 +4380,290 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="ADDSHARECOMMAND"
+></A
+>add share command (G)</DT
+><DD
+><P
+>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <TT
+CLASS="PARAMETER"
+><I
+>add share command</I
+></TT
+> is used to define an
+ external program or script which will add a new service definition
+ to <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. In order to successfully
+ execute the <TT
+CLASS="PARAMETER"
+><I
+>add share command</I
+></TT
+>, <B
+CLASS="COMMAND"
+>smbd</B
+>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </P
+><P
+> When executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will automatically invoke the
+ <TT
+CLASS="PARAMETER"
+><I
+>add share command</I
+></TT
+> with four parameters.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>configFile</I
+></TT
+> - the location
+ of the global <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>shareName</I
+></TT
+> - the name of the new
+ share.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>pathName</I
+></TT
+> - path to an **existing**
+ directory on disk.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>comment</I
+></TT
+> - comment string to associate
+ with the new share.
+ </P
+></LI
+></UL
+><P
+> This parameter is only used for add file shares. To add printer shares,
+ see the <A
+HREF="#ADDPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>add printer
+ command</I
+></TT
+></A
+>.
+ </P
+><P
+> See also <A
+HREF="#CHANGESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>change share
+ command</I
+></TT
+></A
+>, <A
+HREF="#DELETESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete share
+ command</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>add share command = /usr/local/bin/addshare</B
+></P
+></DD
+><DT
+><A
+NAME="ADDUSERSCRIPT"
+></A
+>add user script (G)</DT
+><DD
+><P
+>This is the full pathname to a script that will
+ be run <EM
+>AS ROOT</EM
+> by <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)
+ </A
+> under special circumstances described below.</P
+><P
+>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> to create the required UNIX users
+ <EM
+>ON DEMAND</EM
+> when a user accesses the Samba server.</P
+><P
+>In order to use this option, <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+>
+ must be set to <TT
+CLASS="PARAMETER"
+><I
+>security=server</I
+></TT
+> or <TT
+CLASS="PARAMETER"
+><I
+> security=domain</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+>
+ must be set to a full pathname for a script that will create a UNIX
+ user given one argument of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>, which expands into
+ the UNIX user name to create.</P
+><P
+>When the Windows user attempts to access the Samba server,
+ at login (session setup in the SMB protocol) time, <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd</A
+> contacts the <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> and
+ attempts to authenticate the given user with the given password. If the
+ authentication succeeds then <B
+CLASS="COMMAND"
+>smbd</B
+>
+ attempts to find a UNIX user in the UNIX password database to map the
+ Windows user into. If this lookup fails, and <TT
+CLASS="PARAMETER"
+><I
+>add user script
+ </I
+></TT
+> is set then <B
+CLASS="COMMAND"
+>smbd</B
+> will
+ call the specified script <EM
+>AS ROOT</EM
+>, expanding
+ any <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+> argument to be the user name to create.</P
+><P
+>If this script successfully creates the user then <B
+CLASS="COMMAND"
+>smbd
+ </B
+> will continue on as though the UNIX user
+ already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.</P
+><P
+>See also <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+>, <A
+HREF="#PASSWORDSERVER"
+> <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+></A
+>,
+ <A
+HREF="#DELETEUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>delete user
+ script</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>add user script = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>add user script = /usr/local/samba/bin/add_user
+ %u</B
+></P
+></DD
+><DT
+><A
NAME="ADMINUSERS"
></A
>admin users (S)</DT
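Review bot: The new add share command entry says smbd requires the administrator to be connected as uid 0, but it does not say which uid the external program itself runs as, nor that shareName, pathName and comment are supplied by the remote Server Manager client. Since the program rewrites smb.conf, state both and tell the script author to validate those arguments before writing them. In the pathName item, "**existing**" is literal asterisks in HTML; use <EM> as the add user script entry does. "This parameter is only used for add file shares" should read "only used to add file shares".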
@@ -5061,6 +5225,136 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="CHANGESHARECOMMAND"
+></A
+>change share command (G)</DT
+><DD
+><P
+>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+> is used to define an
+ external program or script which will modify an existing service definition
+ in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. In order to successfully
+ execute the <TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+>, <B
+CLASS="COMMAND"
+>smbd</B
+>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </P
+><P
+> When executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will automatically invoke the
+ <TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+> with four parameters.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>configFile</I
+></TT
+> - the location
+ of the global <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>shareName</I
+></TT
+> - the name of the new
+ share.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>pathName</I
+></TT
+> - path to an **existing**
+ directory on disk.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>comment</I
+></TT
+> - comment string to associate
+ with the new share.
+ </P
+></LI
+></UL
+><P
+> This parameter is only used modify existing file shares definitions. To modify
+ printer shares, use the "Printers..." folder as seen when browsing the Samba host.
+ </P
+><P
+> See also <A
+HREF="#ADDSHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>add share
+ command</I
+></TT
+></A
+>, <A
+HREF="#DELETESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete
+ share command</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>change share command = /usr/local/bin/addshare</B
+></P
+></DD
+><DT
+><A
NAME="CHARACTERSET"
></A
>character set (G)</DT
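Review bot: The parameter list in the change share command entry is copied from add share command without adjustment: shareName is described as "the name of the new share" and comment as the string "to associate with the new share", although this command modifies an existing definition. The Example line also points at /usr/local/bin/addshare; if one program really handles both operations, say so, otherwise use a distinct path. "This parameter is only used modify existing file shares definitions" is missing "to" and should read "file share definitions".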
@@ -5731,6 +6025,18 @@ CLASS="PARAMETER"
></A
> parameter.</P
><P
+>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <A
+HREF="#SECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+>.</P
+><P
>Default: <B
CLASS="COMMAND"
>create mask = 0744</B
@@ -5909,21 +6215,15 @@ NAME="DEBUGLEVEL"
>debuglevel (G)</DT
><DD
><P
->The value of the parameter (an integer) allows
- the debug level (logging level) to be specified in the
- <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file. This is to give greater
- flexibility in the configuration of the system.</P
-><P
->The default will be the debug level specified on
- the command line or level zero if none was specified.</P
-><P
->Example: <B
-CLASS="COMMAND"
->debug level = 3</B
-></P
+>Synonym for <A
+HREF="#LOGLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+> log level</I
+></TT
+></A
+>.</P
></DD
><DT
><A
@@ -6040,6 +6340,102 @@ CLASS="PROGRAMLISTING"
></DD
><DT
><A
+NAME="DELETEPRINTERCOMMAND"
+></A
+>delete printer command (G)</DT
+><DD
+><P
+>With the introduction of MS-RPC based printer
+ support for Windows NT/2000 clients in Samba 2.2, it is now
+ possible to delete printer at run time by issuing the
+ DeletePrinter() RPC call.</P
+><P
+>For a Samba host this means that the printer must be
+ physically deleted from underlying printing system. The <TT
+CLASS="PARAMETER"
+><I
+> deleteprinter command</I
+></TT
+> defines a script to be run which
+ will perform the necessary operations for removing the printer
+ from the print system and from <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>.
+ </P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>delete printer command</I
+></TT
+> is
+ automatically called with only one parameter: <TT
+CLASS="PARAMETER"
+><I
+> "printer name"</I
+></TT
+>.</P
+><P
+>Once the <TT
+CLASS="PARAMETER"
+><I
+>delete printer command</I
+></TT
+> has
+ been executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will reparse the <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> to associated printer no longer exists.
+ If the sharename is still valid, then <B
+CLASS="COMMAND"
+>smbd
+ </B
+> will return an ACCESS_DENIED error to the client.</P
+><P
+>See also <A
+HREF="#ADDPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+> add printer command</I
+></TT
+></A
+>, <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+>,
+ <A
+HREF="#SHOWADDPRINTERWIZARD"
+><TT
+CLASS="PARAMETER"
+><I
+>show add
+ printer wizard</I
+></TT
+></A
+></P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>deleteprinter command = /usr/bin/removeprinter
+ </B
+></P
+></DD
+><DT
+><A
NAME="DELETEREADONLY"
></A
>delete readonly (S)</DT
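Review bot: The entry is renamed to delete printer command, but the second paragraph (" deleteprinter command") and the Example line ("deleteprinter command = /usr/bin/removeprinter") keep the old one-word spelling; update both so the example matches the documented parameter name. The sentence "will reparse the smb.conf to associated printer no longer exists" is missing words (presumably "to check that the associated printer no longer exists").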
@@ -6059,6 +6455,123 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="DELETESHARECOMMAND"
+></A
+>delete share command (G)</DT
+><DD
+><P
+>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <TT
+CLASS="PARAMETER"
+><I
+>delete share command</I
+></TT
+> is used to define an
+ external program or script which will remove an existing service
+ definition from <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. In order to successfully
+ execute the <TT
+CLASS="PARAMETER"
+><I
+>delete share command</I
+></TT
+>, <B
+CLASS="COMMAND"
+>smbd</B
+>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </P
+><P
+> When executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will automatically invoke the
+ <TT
+CLASS="PARAMETER"
+><I
+>delete share command</I
+></TT
+> with two parameters.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>configFile</I
+></TT
+> - the location
+ of the global <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>shareName</I
+></TT
+> - the name of
+ the existing service.
+ </P
+></LI
+></UL
+><P
+> This parameter is only used to remove file shares. To delete printer shares,
+ see the <A
+HREF="#DELETEPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete printer
+ command</I
+></TT
+></A
+>.
+ </P
+><P
+> See also <A
+HREF="#ADDSHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete share
+ command</I
+></TT
+></A
+>, <A
+HREF="#CHANGESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>change
+ share</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>delete share command = /usr/local/bin/delshare</B
+></P
+></DD
+><DT
+><A
NAME="DELETEUSERSCRIPT"
></A
>delete user script (G)</DT
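Review bot: In the See also paragraph of the delete share command entry, the link with HREF="#ADDSHARECOMMAND" carries the text "delete share command", so the entry appears to reference itself; the text should be "add share command". The second link reads "change share" and drops the word "command". As with the add share entry, it would help to state that shareName comes from the remote client and which uid the program runs as.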
@@ -6232,102 +6745,6 @@ CLASS="COMMAND"
></DD
><DT
><A
-NAME="DELETEPRINTERCOMMAND"
-></A
->deleteprinter command (G)</DT
-><DD
-><P
->With the introduction of MS-RPC based printer
- support for Windows NT/2000 clients in Samba 2.2, it is now
- possible to delete printer at run time by issuing the
- DeletePrinter() RPC call.</P
-><P
->For a Samba host this means that the printer must be
- physically deleted from underlying printing system. The <TT
-CLASS="PARAMETER"
-><I
-> deleteprinter command</I
-></TT
-> defines a script to be run which
- will perform the necessary operations for removing the printer
- from the print system and from <TT
-CLASS="FILENAME"
->smb.conf</TT
->.
- </P
-><P
->The <TT
-CLASS="PARAMETER"
-><I
->deleteprinter command</I
-></TT
-> is
- automatically called with only one parameter: <TT
-CLASS="PARAMETER"
-><I
-> "printer name"</I
-></TT
->.</P
-><P
->Once the <TT
-CLASS="PARAMETER"
-><I
->deleteprinter command</I
-></TT
-> has
- been executed, <B
-CLASS="COMMAND"
->smbd</B
-> will reparse the <TT
-CLASS="FILENAME"
-> smb.conf</TT
-> to associated printer no longer exists.
- If the sharename is still valid, then <B
-CLASS="COMMAND"
->smbd
- </B
-> will return an ACCESS_DENIED error to the client.</P
-><P
->See also <A
-HREF="#ADDPRINTERCOMMAND"
-><TT
-CLASS="PARAMETER"
-><I
-> addprinter command</I
-></TT
-></A
->, <A
-HREF="#PRINTING"
-><TT
-CLASS="PARAMETER"
-><I
->printing</I
-></TT
-></A
->,
- <A
-HREF="#SHOWADDPRINTERWIZARD"
-><TT
-CLASS="PARAMETER"
-><I
->show add
- printer wizard</I
-></TT
-></A
-></P
-><P
->Default: <EM
->none</EM
-></P
-><P
->Example: <B
-CLASS="COMMAND"
->deleteprinter command = /usr/bin/removeprinter
- </B
-></P
-></DD
-><DT
-><A
NAME="DELETEVETOFILES"
></A
>delete veto files (S)</DT
@@ -6551,6 +6968,18 @@ CLASS="PARAMETER"
> parameter. This parameter is set to 000 by
default (i.e. no extra mode bits are added).</P
><P
+>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+></A
+>.</P
+><P
>See the <A
HREF="#FORCEDIRECTORYMODE"
><TT
@@ -6639,27 +7068,17 @@ NAME="DIRECTORYSECURITYMASK"
mask may be treated as a set of bits the user is not allowed
to change.</P
><P
->If not set explicitly this parameter is set to the same
- value as the <A
-HREF="#DIRECTORYMASK"
-><TT
-CLASS="PARAMETER"
-><I
->directory
- mask</I
-></TT
-></A
-> parameter. To allow a user to
- modify all the user/group/world permissions on a directory, set
- this parameter to 0777.</P
+>If not set explicitly this parameter is set to 0777
+ meaning a user is allowed to modify all the user/group/world
+ permissions on a directory.</P
><P
><EM
>Note</EM
> that users who can access the
Samba server through other means can easily bypass this restriction,
so it is primarily useful for standalone "appliance" systems.
- Administrators of most normal systems will probably want to set
- it to 0777.</P
+ Administrators of most normal systems will probably want to leave
+ it as the default of 0777.</P
><P
>See also the <A
HREF="#FORCEDIRECTORYSECURITYMODE"
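Review bot: The replacement paragraph changes the unset behaviour of directory security mask from following directory mask to a fixed 0777, but the new text does not tell an administrator who relied on directory mask that permission changes made through the NT ACL editor are now unrestricted unless this parameter is set. Add a sentence to that effect next to "If not set explicitly this parameter is set to 0777".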
@@ -6691,13 +7110,12 @@ CLASS="PARAMETER"
><P
>Default: <B
CLASS="COMMAND"
->directory security mask = &#60;same as
- directory mask&#62;</B
+>directory security mask = 0777</B
></P
><P
>Example: <B
CLASS="COMMAND"
->directory security mask = 0777</B
+>directory security mask = 0700</B
></P
></DD
><DT
@@ -6750,70 +7168,47 @@ NAME="DOMAINADMINGROUP"
>domain admin group (G)</DT
><DD
><P
->This is an <EM
->EXPERIMENTAL</EM
-> parameter
- that is part of the unfinished Samba NT Domain Controller Code. It may
- be removed in a later release. To work with the latest code builds
- that may have more support for Samba NT Domain Controller functionality
- please subscribe to the mailing list <A
-HREF="mailto:samba-ntdom@samba.org"
-TARGET="_top"
->samba-ntdom</A
-> available by
- visiting the web page at <A
-HREF="http://lists.samba.org/"
-TARGET="_top"
-> http://lists.samba.org/</A
->.</P
-></DD
-><DT
-><A
-NAME="DOMAINADMINUSERS"
-></A
->domain admin users (G)</DT
-><DD
+>This parameter is intended as a temporary solution
+ to enable users to be a member of the "Domain Admins" group when
+ a Samba host is acting as a PDC. A complete solution will be provided
+ by a system for mapping Windows NT/2000 groups onto UNIX groups.
+ Please note that this parameter has a somewhat confusing name. It
+ accepts a list of usernames and of group names in standard
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> notation.
+ </P
><P
->This is an <EM
->EXPERIMENTAL</EM
-> parameter
- that is part of the unfinished Samba NT Domain Controller Code. It may
- be removed in a later release. To work with the latest code builds
- that may have more support for Samba NT Domain Controller functionality
- please subscribe to the mailing list <A
-HREF="mailto:samba-ntdom@samba.org"
-TARGET="_top"
->samba-ntdom</A
-> available by
- visiting the web page at <A
-HREF="http://lists.samba.org/"
-TARGET="_top"
-> http://lists.samba.org/</A
->.</P
-></DD
-><DT
-><A
-NAME="DOMAINGROUPS"
+>See also <A
+HREF="#DOMAINGUESTGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ guest group</I
+></TT
></A
->domain groups (G)</DT
-><DD
+>, <A
+HREF="#DOMAINLOGONS"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ logons</I
+></TT
+></A
+>
+ </P
><P
->This is an <EM
->EXPERIMENTAL</EM
-> parameter
- that is part of the unfinished Samba NT Domain Controller Code. It may
- be removed in a later release. To work with the latest code builds
- that may have more support for Samba NT Domain Controller functionality
- please subscribe to the mailing list <A
-HREF="mailto:samba-ntdom@samba.org"
-TARGET="_top"
->samba-ntdom</A
-> available by
- visiting the web page at <A
-HREF="http://lists.samba.org/"
-TARGET="_top"
-> http://lists.samba.org/</A
->.</P
+>Default: <EM
+>no domain administrators</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>domain admin group = root @wheel</B
+></P
></DD
><DT
><A
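Review bot: The new domain admin group text says the parameter "accepts a list of usernames and of group names" and gives "root @wheel" as the example, but never states what membership of "Domain Admins" grants those accounts when the Samba host acts as a PDC. Add that, since the example hands it to a whole UNIX group. The See also paragraph also ends without a full stop.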
@@ -6822,46 +7217,47 @@ NAME="DOMAINGUESTGROUP"
>domain guest group (G)</DT
><DD
><P
->This is an <EM
->EXPERIMENTAL</EM
-> parameter
- that is part of the unfinished Samba NT Domain Controller Code. It may
- be removed in a later release. To work with the latest code builds
- that may have more support for Samba NT Domain Controller functionality
- please subscribe to the mailing list <A
-HREF="mailto:samba-ntdom@samba.org"
-TARGET="_top"
->samba-ntdom</A
-> available by
- visiting the web page at <A
-HREF="http://lists.samba.org/"
-TARGET="_top"
-> http://lists.samba.org/</A
->.</P
-></DD
-><DT
-><A
-NAME="DOMAINGUESTUSERS"
+>This parameter is intended as a temporary solution
+ to enable users to be a member of the "Domain Guests" group when
+ a Samba host is acting as a PDC. A complete solution will be provided
+ by a system for mapping Windows NT/2000 groups onto UNIX groups.
+ Please note that this parameter has a somewhat confusing name. It
+ accepts a list of usernames and of group names in standard
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> notation.
+ </P
+><P
+>See also <A
+HREF="#DOMAINADMINGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ admin group</I
+></TT
></A
->domain guest users (G)</DT
-><DD
+>, <A
+HREF="#DOMAINLOGONS"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ logons</I
+></TT
+></A
+>
+ </P
><P
->This is an <EM
->EXPERIMENTAL</EM
-> parameter
- that is part of the unfinished Samba NT Domain Controller Code. It may
- be removed in a later release. To work with the latest code builds
- that may have more support for Samba NT Domain Controller functionality
- please subscribe to the mailing list <A
-HREF="mailto:samba-ntdom@samba.org"
-TARGET="_top"
->samba-ntdom</A
-> available by
- visiting the web page at <A
-HREF="http://lists.samba.org/"
-TARGET="_top"
-> http://lists.samba.org/</A
->.</P
+>Default: <EM
+>no domain guests</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>domain guest group = nobody @guest</B
+></P
></DD
><DT
><A
@@ -7436,6 +7832,19 @@ CLASS="PARAMETER"
>
parameter is applied.</P
><P
+>Note that by default this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ this mask on access control lists also, they need to set the <A
+HREF="#RESTRICTACLWITHMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>restrict acl with
+ mask</I
+></TT
+></A
+> to true.</P
+><P
>See also the parameter <A
HREF="#CREATEMASK"
><TT
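Review bot: The note added here tells the administrator to set "restrict acl with mask" to true, while the matching notes added to create mask and directory mask point to security mask and directory security mask instead. Use one mechanism consistently across the four entries, or explain how the two relate, and confirm that the #RESTRICTACLWITHMASK anchor is defined in this file. The same applies to the identical note added to force directory mode.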
@@ -7495,6 +7904,19 @@ CLASS="PARAMETER"
> is
applied.</P
><P
+>Note that by default this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ this mask on access control lists also, they need to set the <A
+HREF="#RESTRICTACLWITHMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>restrict acl with
+ mask</I
+></TT
+></A
+> to true.</P
+><P
>See also the parameter <A
HREF="#DIRECTORYMASK"
><TT
@@ -7548,27 +7970,17 @@ NAME="FORCEDIRECTORYSECURITYMODE"
mask may be treated as a set of bits that, when modifying security
on a directory, the user has always set to be 'on'.</P
><P
->If not set explicitly this parameter is set to the same
- value as the <A
-HREF="#FORCEDIRECTORYMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force
- directory mode</I
-></TT
-></A
-> parameter. To allow
- a user to modify all the user/group/world permissions on a
- directory without restrictions, set this parameter to 000.</P
+>If not set explicitly this parameter is 000, which
+ allows a user to modify all the user/group/world permissions on a
+ directory without restrictions.</P
><P
><EM
>Note</EM
> that users who can access the
Samba server through other means can easily bypass this restriction,
so it is primarily useful for standalone "appliance" systems.
- Administrators of most normal systems will probably want to set
- it to 0000.</P
+ Administrators of most normal systems will probably want to leave
+ it set as 0000.</P
><P
>See also the <A
HREF="#DIRECTORYSECURITYMASK"
@@ -7600,13 +8012,12 @@ CLASS="PARAMETER"
><P
>Default: <B
CLASS="COMMAND"
->force directory security mode = &#60;same as
- force directory mode&#62;</B
+>force directory security mode = 0</B
></P
><P
>Example: <B
CLASS="COMMAND"
->force directory security mode = 0</B
+>force directory security mode = 700</B
></P
></DD
><DT
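Review bot: The octal values in this entry are written four different ways: "000" and "0000" in the text, "0" in the Default line and "700" in the Example, while the directory security mask example uses "0700". Pick one notation with the leading zero so readers do not wonder whether "700" is parsed as octal.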
@@ -7701,27 +8112,17 @@ NAME="FORCESECURITYMODE"
mask may be treated as a set of bits that, when modifying security
on a file, the user has always set to be 'on'.</P
><P
->If not set explicitly this parameter is set to the same
- value as the <A
-HREF="#FORCECREATEMODE"
-><TT
-CLASS="PARAMETER"
-><I
->force
- create mode</I
-></TT
-></A
-> parameter. To allow a user to
- modify all the user/group/world permissions on a file, with no
- restrictions set this parameter to 000.</P
+>If not set explicitly this parameter is set to 0,
+ and allows a user to modify all the user/group/world permissions on a file,
+ with no restrictions.</P
><P
><EM
>Note</EM
> that users who can access
the Samba server through other means can easily bypass this restriction,
so it is primarily useful for standalone "appliance" systems.
- Administrators of most normal systems will probably want to set
- it to 0000.</P
+ Administrators of most normal systems will probably want to leave
+ this set to 0000.</P
><P
>See also the <A
HREF="#FORCEDIRECTORYSECURITYMODE"
@@ -7753,13 +8154,12 @@ CLASS="PARAMETER"
><P
>Default: <B
CLASS="COMMAND"
->force security mode = &#60;same as force
- create mode&#62;</B
+>force security mode = 0</B
></P
><P
>Example: <B
CLASS="COMMAND"
->force security mode = 0</B
+>force security mode = 700</B
></P
></DD
><DT
@@ -9292,15 +9692,21 @@ NAME="LOGLEVEL"
>log level (G)</DT
><DD
><P
->Synonym for <A
-HREF="#DEBUGLEVEL"
-><TT
-CLASS="PARAMETER"
-><I
-> debug level</I
-></TT
-></A
->.</P
+>The value of the parameter (an integer) allows
+ the debug level (logging level) to be specified in the
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file. This is to give greater
+ flexibility in the configuration of the system.</P
+><P
+>The default will be the log level specified on
+ the command line or level zero if none was specified.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>log level = 3</B
+></P
></DD
><DT
><A
@@ -11634,6 +12040,36 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="OBEYPAMRESTRICTIONS"
+></A
+>obey pam restrictions (G)</DT
+><DD
+><P
+>When Samba 2.2 is configure to enable PAM support
+ (i.e. --with-pam), this parameter will control whether or not Samba
+ should obey PAM's account and session management directives. The
+ default behavior is to use PAM for clear text authentication only
+ and to ignore any account or session management. Note that Samba
+ always ignores PAM for authentication in the case of <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords = yes</I
+></TT
+>
+ </A
+>. The reason is that PAM modules cannot support the challenge/response
+ authentication mechanism needed in the presence of SMB password encryption.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>obey pam restrictions = no</B
+></P
+></DD
+><DT
+><A
NAME="ONLYUSER"
></A
>only user (S)</DT
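Review bot: The obey pam restrictions entry states that PAM is always ignored for authentication when encrypt passwords = yes, but leaves open whether account and session management directives are still honoured in that case when this parameter is set to yes. Say so explicitly, because that is the configuration most readers will be running. "When Samba 2.2 is configure to enable PAM support" should read "configured".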
@@ -11694,30 +12130,6 @@ CLASS="COMMAND"
></DD
><DT
><A
-NAME="OLELOCKINGCOMPATIBILITY"
-></A
->ole locking compatibility (G)</DT
-><DD
-><P
->This parameter allows an administrator to turn
- off the byte range lock manipulation that is done within Samba to
- give compatibility for OLE applications. Windows OLE applications
- use byte range locking as a form of inter-process communication, by
- locking ranges of bytes around the 2^32 region of a file range. This
- can cause certain UNIX lock managers to crash or otherwise cause
- problems. Setting this parameter to <TT
-CLASS="CONSTANT"
->no</TT
-> means you
- trust your UNIX lock manager to handle such cases correctly.</P
-><P
->Default: <B
-CLASS="COMMAND"
->ole locking compatibility = yes</B
-></P
-></DD
-><DT
-><A
NAME="ONLYGUEST"
></A
>only guest (S)</DT
@@ -11952,6 +12364,33 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="PAMPASSWORDCHANGE"
+></A
+>pam password change (G)</DT
+><DD
+><P
+>With the addition of better PAM support in Samba 2.2,
+ this parameter, it is possible to use PAM's password change control
+ flag for Samba. If enabled, then PAM will be used for password
+ changes when requested by an SMB client, and the <A
+HREF="#PASSWDCHAT"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+></A
+> must be
+ be changed to work with the pam prompts.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>pam password change = no</B
+></P
+></DD
+><DT
+><A
NAME="PANICACTION"
></A
>panic action (G)</DT
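Review bot: The opening sentence of the "pam password change" entry does not parse ("With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use ...") and the second sentence has a doubled word ("must be be changed"). Suggest something like "With the better PAM support in Samba 2.2, this parameter makes it possible to use PAM's password change control flag" and "must be changed to work with the PAM prompts". "pam prompts" should also be capitalised as "PAM" to match the rest of the entry.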
@@ -12072,6 +12511,24 @@ CLASS="PARAMETER"
password cleartext. In this case the old password cleartext is set
to "" (the empty string).</P
><P
+>Also, if the <A
+HREF="#PAMPASSWORDCHANGE"
+><TT
+CLASS="PARAMETER"
+><I
+>pam
+ password change</I
+></TT
+></A
+> parameter is set to true, then the
+ chat sequence should consist of three elements. The first element should
+ match the pam prompt for the old password, the second element should match
+ the pam prompt for the first request for the new password, and the final
+ element should match the pam prompt for the second request for the new password.
+ These matches are done case insentively. Under most conditions this change
+ is done as root so the prompt for the old password will never be matched.
+ </P
+><P
>See also <A
HREF="#UNIXPASSWORDSYNC"
><TT
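Review bot: "case insentively" in the added paragraph should be "case insensitively". The paragraph says the parameter is "set to true" while its own entry documents the values as yes/no ("pam password change = no"); use one form. The last sentence says the old-password prompt will never be matched when the change runs as root, yet the chat sequence is still required to have three elements, so state what the first element should contain in that case, and write "PAM" in capitals throughout.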
@@ -12089,7 +12546,7 @@ CLASS="PARAMETER"
> passwd program</I
></TT
></A
-> and <A
+> ,<A
HREF="#PASSWDCHATDEBUG"
> <TT
CLASS="PARAMETER"
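Review bot: The replacement line "> ,<A" puts a space before the comma in the rendered "See also" list. Suggest ">, <A" so the punctuation matches the other comma-separated parameter lists in this file.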
@@ -12097,6 +12554,14 @@ CLASS="PARAMETER"
>passwd chat debug</I
></TT
></A
+> and <A
+HREF="#PAMPASSWORDCHANGE"
+> <TT
+CLASS="PARAMETER"
+><I
+>pam password change</I
+></TT
+></A
>.</P
><P
>Default: <B
@@ -13990,6 +14455,102 @@ CLASS="COMMAND"
></DD
><DT
><A
+NAME="RESTRICTACLWITHMASK"
+></A
+>restrict acl with mask (S)</DT
+><DD
+><P
+>This is a boolean parameter. If set to false (default), then
+ Creation of files with access control lists (ACLS) and modification of ACLs
+ using the Windows NT/2000 ACL editor will be applied directly to the file
+ or directory.</P
+><P
+>If set to True, then all requests to set an ACL on a file will have the
+ parameters <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+>,
+ <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></A
+>
+ applied before setting the ACL, and all requests to set an ACL on a directory will
+ have the parameters <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory
+ mask</I
+></TT
+></A
+>, <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ directory mode</I
+></TT
+></A
+> applied before setting the ACL.
+ </P
+><P
+>See also <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+>,
+ <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></A
+>,
+ <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+></A
+>,
+ <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+></A
+>
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>restrict acl with mask = no</B
+></P
+></DD
+><DT
+><A
NAME="RESTRICTANONYMOUS"
></A
>restrict anonymous (G)</DT
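Review bot: The new "restrict acl with mask" entry names its values three different ways: "false (default)", "True", and "restrict acl with mask = no" in the Default line; pick yes/no and use it throughout. In the first paragraph "Creation" is capitalised mid-sentence and "ACLS" should be "ACLs". The second paragraph says the mask and force-mode parameters are "applied before setting the ACL" without saying how; one sentence on how they are combined with the requested permissions would let an administrator predict the resulting ACL. The "See also" paragraph ends without a full stop.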
@@ -14819,19 +15380,9 @@ NAME="SECURITYMASK"
mask may be treated as a set of bits the user is not allowed
to change.</P
><P
->If not set explicitly this parameter is set to the same
- value as the <A
-HREF="#CREATEMASK"
-><TT
-CLASS="PARAMETER"
-><I
->create mask
- </I
-></TT
-></A
-> parameter. To allow a user to modify all the
- user/group/world permissions on a file, set this parameter to
- 0777.</P
+>If not set explicitly this parameter is 0777, allowing
+ a user to modify all the user/group/world permissions on a file.
+ </P
><P
><EM
>Note</EM
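Review bot: This paragraph changes the documented default of "security mask" from the value of "create mask" to 0777, which is a more permissive default for any share that set "create mask" and relied on the security mask following it. The entry should say that the default changed and that administrators who want the old behaviour must now set "security mask" explicitly, rather than only restating the new value.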
@@ -14839,7 +15390,7 @@ CLASS="PARAMETER"
Samba server through other means can easily bypass this
restriction, so it is primarily useful for standalone
"appliance" systems. Administrators of most normal systems will
- probably want to set it to 0777.</P
+ probably want to leave it set to 0777.</P
><P
>See also the <A
HREF="#FORCEDIRECTORYSECURITYMODE"
@@ -14871,13 +15422,12 @@ CLASS="PARAMETER"
><P
>Default: <B
CLASS="COMMAND"
->security mask = &#60;same as create mask&#62;
- </B
+>security mask = 0777</B
></P
><P
>Example: <B
CLASS="COMMAND"
->security mask = 0777</B
+>security mask = 0770</B
></P
></DD
><DT
@@ -17781,7 +18331,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5643"
+NAME="AEN5791"
></A
><H2
>WARNINGS</H2
@@ -17811,7 +18361,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5649"
+NAME="AEN5797"
></A
><H2
>VERSION</H2
@@ -17822,7 +18372,7 @@ NAME="AEN5649"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5652"
+NAME="AEN5800"
></A
><H2
>SEE ALSO</H2
@@ -17901,7 +18451,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN5672"
+NAME="AEN5820"
></A
><H2
>AUTHOR</H2