summaryrefslogtreecommitdiff
path: root/docs/htmldocs/smb.conf.5.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/smb.conf.5.html')
-rw-r--r--docs/htmldocs/smb.conf.5.html19015
1 files changed, 19015 insertions, 0 deletions
diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html
new file mode 100644
index 0000000000..183cefbd3b
--- /dev/null
+++ b/docs/htmldocs/smb.conf.5.html
@@ -0,0 +1,19015 @@
+<HTML
+><HEAD
+><TITLE
+>smb.conf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="SMB.CONF"
+>smb.conf</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN5"
+></A
+><H2
+>Name</H2
+>smb.conf&nbsp;--&nbsp;The configuration file for the Samba suite</DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN8"
+></A
+><H2
+>SYNOPSIS</H2
+><P
+>The <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file is a configuration
+ file for the Samba suite. <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> contains
+ runtime configuration information for the Samba programs. The
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file is designed to be configured and
+ administered by the <A
+HREF="swat.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>swat(8)</B
+>
+ </A
+> program. The complete description of the file format and
+ possible parameters held within are here for reference purposes.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN16"
+></A
+><H2
+>FILE FORMAT</H2
+><P
+>The file consists of sections and parameters. A section
+ begins with the name of the section in square brackets and continues
+ until the next section begins. Sections contain parameters of the
+ form</P
+><P
+><TT
+CLASS="REPLACEABLE"
+><I
+>name</I
+></TT
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>value
+ </I
+></TT
+></P
+><P
+>The file is line-based - that is, each newline-terminated
+ line represents either a comment, a section name or a parameter.</P
+><P
+>Section and parameter names are not case sensitive.</P
+><P
+>Only the first equals sign in a parameter is significant.
+ Whitespace before or after the first equals sign is discarded.
+ Leading, trailing and internal whitespace in section and parameter
+ names is irrelevant. Leading and trailing whitespace in a parameter
+ value is discarded. Internal whitespace within a parameter value
+ is retained verbatim.</P
+><P
+>Any line beginning with a semicolon (';') or a hash ('#')
+ character is ignored, as are lines containing only whitespace.</P
+><P
+>Any line ending in a '\' is continued
+ on the next line in the customary UNIX fashion.</P
+><P
+>The values following the equals sign in parameters are all
+ either a string (no quotes needed) or a boolean, which may be given
+ as yes/no, 0/1 or true/false. Case is not significant in boolean
+ values, but is preserved in string values. Some items such as
+ create modes are numeric.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN28"
+></A
+><H2
+>SECTION DESCRIPTIONS</H2
+><P
+>Each section in the configuration file (except for the
+ [global] section) describes a shared resource (known
+ as a "share"). The section name is the name of the
+ shared resource and the parameters within the section define
+ the shares attributes.</P
+><P
+>There are three special sections, [global],
+ [homes] and [printers], which are
+ described under <EM
+>special sections</EM
+>. The
+ following notes apply to ordinary section descriptions.</P
+><P
+>A share consists of a directory to which access is being
+ given plus a description of the access rights which are granted
+ to the user of the service. Some housekeeping options are
+ also specifiable.</P
+><P
+>Sections are either file share services (used by the
+ client as an extension of their native file systems) or
+ printable services (used by the client to access print services
+ on the host running the server).</P
+><P
+>Sections may be designated <EM
+>guest</EM
+> services,
+ in which case no password is required to access them. A specified
+ UNIX <EM
+>guest account</EM
+> is used to define access
+ privileges in this case.</P
+><P
+>Sections other than guest services will require a password
+ to access them. The client provides the username. As older clients
+ only provide passwords and not usernames, you may specify a list
+ of usernames to check against the password using the "user ="
+ option in the share definition. For modern clients such as
+ Windows 95/98/ME/NT/2000, this should not be necessary.</P
+><P
+>Note that the access rights granted by the server are
+ masked by the access rights granted to the specified or guest
+ UNIX user by the host system. The server does not grant more
+ access than the host system grants.</P
+><P
+>The following sample section defines a file space share.
+ The user has write access to the path <TT
+CLASS="FILENAME"
+>/home/bar</TT
+>.
+ The share is accessed via the share name "foo":</P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> [foo]
+ path = /home/bar
+ writeable = true
+ </TT
+>
+ </PRE
+></TD
+></TR
+></TABLE
+><P
+>The following sample section defines a printable share.
+ The share is readonly, but printable. That is, the only write
+ access permitted is via calls to open, write to and close a
+ spool file. The <EM
+>guest ok</EM
+> parameter means
+ access will be permitted as the default guest user (specified
+ elsewhere):</P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> [aprinter]
+ path = /usr/spool/public
+ writeable = false
+ printable = true
+ guest ok = true
+ </TT
+>
+ </PRE
+></TD
+></TR
+></TABLE
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN48"
+></A
+><H2
+>SPECIAL SECTIONS</H2
+><DIV
+CLASS="REFSECT2"
+><A
+NAME="AEN50"
+></A
+><H3
+>The [global] section</H3
+><P
+>parameters in this section apply to the server
+ as a whole, or are defaults for sections which do not
+ specifically define certain items. See the notes
+ under PARAMETERS for more information.</P
+></DIV
+><DIV
+CLASS="REFSECT2"
+><A
+NAME="AEN53"
+></A
+><H3
+>The [homes] section</H3
+><P
+>If a section called homes is included in the
+ configuration file, services connecting clients to their
+ home directories can be created on the fly by the server.</P
+><P
+>When the connection request is made, the existing
+ sections are scanned. If a match is found, it is used. If no
+ match is found, the requested section name is treated as a
+ user name and looked up in the local password file. If the
+ name exists and the correct password has been given, a share is
+ created by cloning the [homes] section.</P
+><P
+>Some modifications are then made to the newly
+ created share:</P
+><P
+></P
+><UL
+><LI
+><P
+>The share name is changed from homes to
+ the located username.</P
+></LI
+><LI
+><P
+>If no path was given, the path is set to
+ the user's home directory.</P
+></LI
+></UL
+><P
+>If you decide to use a <EM
+>path =</EM
+> line
+ in your [homes] section then you may find it useful
+ to use the %S macro. For example :</P
+><P
+><TT
+CLASS="USERINPUT"
+><B
+>path = /data/pchome/%S</B
+></TT
+></P
+><P
+>would be useful if you have different home directories
+ for your PCs than for UNIX access.</P
+><P
+>This is a fast and simple way to give a large number
+ of clients access to their home directories with a minimum
+ of fuss.</P
+><P
+>A similar process occurs if the requested section
+ name is "homes", except that the share name is not
+ changed to that of the requesting user. This method of using
+ the [homes] section works well if different users share
+ a client PC.</P
+><P
+>The [homes] section can specify all the parameters
+ a normal service section can specify, though some make more sense
+ than others. The following is a typical and suitable [homes]
+ section:</P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> [homes]
+ writeable = yes
+ </TT
+>
+ </PRE
+></TD
+></TR
+></TABLE
+><P
+>An important point is that if guest access is specified
+ in the [homes] section, all home directories will be
+ visible to all clients <EM
+>without a password</EM
+>.
+ In the very unlikely event that this is actually desirable, it
+ would be wise to also specify <EM
+>read only
+ access</EM
+>.</P
+><P
+>Note that the <EM
+>browseable</EM
+> flag for
+ auto home directories will be inherited from the global browseable
+ flag, not the [homes] browseable flag. This is useful as
+ it means setting <EM
+>browseable = no</EM
+> in
+ the [homes] section will hide the [homes] share but make
+ any auto home directories visible.</P
+></DIV
+><DIV
+CLASS="REFSECT2"
+><A
+NAME="AEN79"
+></A
+><H3
+>The [printers] section</H3
+><P
+>This section works like [homes],
+ but for printers.</P
+><P
+>If a [printers] section occurs in the
+ configuration file, users are able to connect to any printer
+ specified in the local host's printcap file.</P
+><P
+>When a connection request is made, the existing sections
+ are scanned. If a match is found, it is used. If no match is found,
+ but a [homes] section exists, it is used as described
+ above. Otherwise, the requested section name is treated as a
+ printer name and the appropriate printcap file is scanned to see
+ if the requested section name is a valid printer share name. If
+ a match is found, a new printer share is created by cloning
+ the [printers] section.</P
+><P
+>A few modifications are then made to the newly created
+ share:</P
+><P
+></P
+><UL
+><LI
+><P
+>The share name is set to the located printer
+ name</P
+></LI
+><LI
+><P
+>If no printer name was given, the printer name
+ is set to the located printer name</P
+></LI
+><LI
+><P
+>If the share does not permit guest access and
+ no username was given, the username is set to the located
+ printer name.</P
+></LI
+></UL
+><P
+>Note that the [printers] service MUST be
+ printable - if you specify otherwise, the server will refuse
+ to load the configuration file.</P
+><P
+>Typically the path specified would be that of a
+ world-writeable spool directory with the sticky bit set on
+ it. A typical [printers] entry would look like
+ this:</P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+><TT
+CLASS="COMPUTEROUTPUT"
+> [printers]
+ path = /usr/spool/public
+ guest ok = yes
+ printable = yes
+ </TT
+></PRE
+></TD
+></TR
+></TABLE
+><P
+>All aliases given for a printer in the printcap file
+ are legitimate printer names as far as the server is concerned.
+ If your printing subsystem doesn't work like that, you will have
+ to set up a pseudo-printcap. This is a file consisting of one or
+ more lines like this:</P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> alias|alias|alias|alias...
+ </TT
+>
+ </PRE
+></TD
+></TR
+></TABLE
+><P
+>Each alias should be an acceptable printer name for
+ your printing subsystem. In the [global] section, specify
+ the new file as your printcap. The server will then only recognize
+ names found in your pseudo-printcap, which of course can contain
+ whatever aliases you like. The same technique could be used
+ simply to limit access to a subset of your local printers.</P
+><P
+>An alias, by the way, is defined as any component of the
+ first entry of a printcap record. Records are separated by newlines,
+ components (if there are more than one) are separated by vertical
+ bar symbols ('|').</P
+><P
+>NOTE: On SYSV systems which use lpstat to determine what
+ printers are defined on the system you may be able to use
+ "printcap name = lpstat" to automatically obtain a list
+ of printers. See the "printcap name" option
+ for more details.</P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN102"
+></A
+><H2
+>PARAMETERS</H2
+><P
+>parameters define the specific attributes of sections.</P
+><P
+>Some parameters are specific to the [global] section
+ (e.g., <EM
+>security</EM
+>). Some parameters are usable
+ in all sections (e.g., <EM
+>create mode</EM
+>). All others
+ are permissible only in normal sections. For the purposes of the
+ following descriptions the [homes] and [printers]
+ sections will be considered normal. The letter <EM
+>G</EM
+>
+ in parentheses indicates that a parameter is specific to the
+ [global] section. The letter <EM
+>S</EM
+>
+ indicates that a parameter can be specified in a service specific
+ section. Note that all <EM
+>S</EM
+> parameters can also be specified in
+ the [global] section - in which case they will define
+ the default behavior for all services.</P
+><P
+>parameters are arranged here in alphabetical order - this may
+ not create best bedfellows, but at least you can find them! Where
+ there are synonyms, the preferred synonym is described, others refer
+ to the preferred synonym.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN112"
+></A
+><H2
+>VARIABLE SUBSTITUTIONS</H2
+><P
+>Many of the strings that are settable in the config file
+ can take substitutions. For example the option "path =
+ /tmp/%u" would be interpreted as "path =
+ /tmp/john" if the user connected with the username john.</P
+><P
+>These substitutions are mostly noted in the descriptions below,
+ but there are some general substitutions which apply whenever they
+ might be relevant. These are:</P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>%S</DT
+><DD
+><P
+>the name of the current service, if any.</P
+></DD
+><DT
+>%P</DT
+><DD
+><P
+>the root directory of the current service,
+ if any.</P
+></DD
+><DT
+>%u</DT
+><DD
+><P
+>user name of the current service, if any.</P
+></DD
+><DT
+>%g</DT
+><DD
+><P
+>primary group name of %u.</P
+></DD
+><DT
+>%U</DT
+><DD
+><P
+>session user name (the user name that the client
+ wanted, not necessarily the same as the one they got).</P
+></DD
+><DT
+>%G</DT
+><DD
+><P
+>primary group name of %U.</P
+></DD
+><DT
+>%H</DT
+><DD
+><P
+>the home directory of the user given
+ by %u.</P
+></DD
+><DT
+>%v</DT
+><DD
+><P
+>the Samba version.</P
+></DD
+><DT
+>%h</DT
+><DD
+><P
+>the Internet hostname that Samba is running
+ on.</P
+></DD
+><DT
+>%m</DT
+><DD
+><P
+>the NetBIOS name of the client machine
+ (very useful).</P
+></DD
+><DT
+>%L</DT
+><DD
+><P
+>the NetBIOS name of the server. This allows you
+ to change your config based on what the client calls you. Your
+ server can have a "dual personality".</P
+><P
+>Note that this paramater is not available when Samba listens
+ on port 445, as clients no longer send this information </P
+></DD
+><DT
+>%M</DT
+><DD
+><P
+>the Internet name of the client machine.
+ </P
+></DD
+><DT
+>%N</DT
+><DD
+><P
+>the name of your NIS home directory server.
+ This is obtained from your NIS auto.map entry. If you have
+ not compiled Samba with the <EM
+>--with-automount</EM
+>
+ option then this value will be the same as %L.</P
+></DD
+><DT
+>%p</DT
+><DD
+><P
+>the path of the service's home directory,
+ obtained from your NIS auto.map entry. The NIS auto.map entry
+ is split up as "%N:%p".</P
+></DD
+><DT
+>%R</DT
+><DD
+><P
+>the selected protocol level after
+ protocol negotiation. It can be one of CORE, COREPLUS,
+ LANMAN1, LANMAN2 or NT1.</P
+></DD
+><DT
+>%d</DT
+><DD
+><P
+>The process id of the current server
+ process.</P
+></DD
+><DT
+>%a</DT
+><DD
+><P
+>the architecture of the remote
+ machine. Only some are recognized, and those may not be
+ 100% reliable. It currently recognizes Samba, WfWg, Win95,
+ WinNT and Win2k. Anything else will be known as
+ "UNKNOWN". If it gets it wrong then sending a level
+ 3 log to <A
+HREF="mailto:samba@samba.org"
+TARGET="_top"
+>samba@samba.org
+ </A
+> should allow it to be fixed.</P
+></DD
+><DT
+>%I</DT
+><DD
+><P
+>The IP address of the client machine.</P
+></DD
+><DT
+>%T</DT
+><DD
+><P
+>the current date and time.</P
+></DD
+><DT
+>%$(<TT
+CLASS="REPLACEABLE"
+><I
+>envvar</I
+></TT
+>)</DT
+><DD
+><P
+>The value of the environment variable
+ <TT
+CLASS="REPLACEABLE"
+><I
+>envar</I
+></TT
+>.</P
+></DD
+></DL
+></DIV
+><P
+>There are some quite creative things that can be done
+ with these substitutions and other smb.conf options.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN203"
+></A
+><H2
+>NAME MANGLING</H2
+><P
+>Samba supports "name mangling" so that DOS and
+ Windows clients can use files that don't conform to the 8.3 format.
+ It can also be set to adjust the case of 8.3 format filenames.</P
+><P
+>There are several options that control the way mangling is
+ performed, and they are grouped here rather than listed separately.
+ For the defaults look at the output of the testparm program. </P
+><P
+>All of these options can be set separately for each service
+ (or globally, of course). </P
+><P
+>The options are: </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>mangle case = yes/no</DT
+><DD
+><P
+> controls if names that have characters that
+ aren't of the "default" case are mangled. For example,
+ if this is yes then a name like "Mail" would be mangled.
+ Default <EM
+>no</EM
+>.</P
+></DD
+><DT
+>case sensitive = yes/no</DT
+><DD
+><P
+>controls whether filenames are case sensitive. If
+ they aren't then Samba must do a filename search and match on passed
+ names. Default <EM
+>no</EM
+>.</P
+></DD
+><DT
+>default case = upper/lower</DT
+><DD
+><P
+>controls what the default case is for new
+ filenames. Default <EM
+>lower</EM
+>.</P
+></DD
+><DT
+>preserve case = yes/no</DT
+><DD
+><P
+>controls if new files are created with the
+ case that the client passes, or if they are forced to be the
+ "default" case. Default <EM
+>yes</EM
+>.
+ </P
+></DD
+><DT
+>short preserve case = yes/no</DT
+><DD
+><P
+>controls if new files which conform to 8.3 syntax,
+ that is all in upper case and of suitable length, are created
+ upper case, or if they are forced to be the "default"
+ case. This option can be use with "preserve case = yes"
+ to permit long filenames to retain their case, while short names
+ are lowercased. Default <EM
+>yes</EM
+>.</P
+></DD
+></DL
+></DIV
+><P
+>By default, Samba 2.2 has the same semantics as a Windows
+ NT server, in that it is case insensitive but case preserving.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN236"
+></A
+><H2
+>NOTE ABOUT USERNAME/PASSWORD VALIDATION</H2
+><P
+>There are a number of ways in which a user can connect
+ to a service. The server uses the following steps in determining
+ if it will allow a connection to a specified service. If all the
+ steps fail, then the connection request is rejected. However, if one of the
+ steps succeeds, then the following steps are not checked.</P
+><P
+>If the service is marked "guest only = yes" then
+ steps 1 to 5 are skipped.</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>If the client has passed a username/password
+ pair and that username/password pair is validated by the UNIX
+ system's password programs then the connection is made as that
+ username. Note that this includes the
+ \\server\service%<TT
+CLASS="REPLACEABLE"
+><I
+>username</I
+></TT
+> method of passing
+ a username.</P
+></LI
+><LI
+><P
+>If the client has previously registered a username
+ with the system and now supplies a correct password for that
+ username then the connection is allowed.</P
+></LI
+><LI
+><P
+>The client's NetBIOS name and any previously
+ used user names are checked against the supplied password, if
+ they match then the connection is allowed as the corresponding
+ user.</P
+></LI
+><LI
+><P
+>If the client has previously validated a
+ username/password pair with the server and the client has passed
+ the validation token then that username is used. </P
+></LI
+><LI
+><P
+>If a "user = " field is given in the
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file for the service and the client
+ has supplied a password, and that password matches (according to
+ the UNIX system's password checking) with one of the usernames
+ from the "user =" field then the connection is made as
+ the username in the "user =" line. If one
+ of the username in the "user =" list begins with a
+ '@' then that name expands to a list of names in
+ the group of the same name.</P
+></LI
+><LI
+><P
+>If the service is a guest service then a
+ connection is made as the username given in the "guest
+ account =" for the service, irrespective of the
+ supplied password.</P
+></LI
+></OL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN255"
+></A
+><H2
+>COMPLETE LIST OF GLOBAL PARAMETERS</H2
+><P
+>Here is a list of all global parameters. See the section of
+ each parameter for details. Note that some are synonyms.</P
+><P
+></P
+><UL
+><LI
+><P
+><A
+HREF="#ABORTSHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>abort shutdown script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ADDPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>add printer command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ADDSHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>add share command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ADDUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ADDMACHINESCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>add machine script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ALLOWTRUSTEDDOMAINS"
+><TT
+CLASS="PARAMETER"
+><I
+>allow trusted domains</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ANNOUNCEAS"
+><TT
+CLASS="PARAMETER"
+><I
+>announce as</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ANNOUNCEVERSION"
+><TT
+CLASS="PARAMETER"
+><I
+>announce version</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#AUTHMETHODS"
+><TT
+CLASS="PARAMETER"
+><I
+>auth methods</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#AUTOSERVICES"
+><TT
+CLASS="PARAMETER"
+><I
+>auto services</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#BINDINTERFACESONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>bind interfaces only</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#BROWSELIST"
+><TT
+CLASS="PARAMETER"
+><I
+>browse list</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#CHANGENOTIFYTIMEOUT"
+><TT
+CLASS="PARAMETER"
+><I
+>change notify timeout</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#CHANGESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#CONFIGFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>config file</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEADTIME"
+><TT
+CLASS="PARAMETER"
+><I
+>deadtime</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEBUGHIRESTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+>debug hires timestamp</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEBUGPID"
+><TT
+CLASS="PARAMETER"
+><I
+>debug pid</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+>debug timestamp</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEBUGUID"
+><TT
+CLASS="PARAMETER"
+><I
+>debug uid</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEBUGLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>debuglevel</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEFAULT"
+><TT
+CLASS="PARAMETER"
+><I
+>default</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEFAULTSERVICE"
+><TT
+CLASS="PARAMETER"
+><I
+>default service</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DELETEPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete printer command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DELETESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete share command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DELETEUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>delete user script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DFREECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>dfree command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DISABLESPOOLSS"
+><TT
+CLASS="PARAMETER"
+><I
+>disable spoolss</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DNSPROXY"
+><TT
+CLASS="PARAMETER"
+><I
+>dns proxy</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DOMAINADMINGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>domain admin group</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DOMAINGUESTGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>domain guest group</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DOMAINLOGONS"
+><TT
+CLASS="PARAMETER"
+><I
+>domain logons</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DOMAINMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+>domain master</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ENHANCEDBROWSING"
+><TT
+CLASS="PARAMETER"
+><I
+>enhanced browsing</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ENUMPORTSCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>enumports command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#GETWDCACHE"
+><TT
+CLASS="PARAMETER"
+><I
+>getwd cache</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HIDELOCALUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>hide local users</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HIDEUNREADABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>hide unreadable</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HOMEDIRMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>homedir map</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HOSTMSDFS"
+><TT
+CLASS="PARAMETER"
+><I
+>host msdfs</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HOSTSEQUIV"
+><TT
+CLASS="PARAMETER"
+><I
+>hosts equiv</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#INTERFACES"
+><TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#KEEPALIVE"
+><TT
+CLASS="PARAMETER"
+><I
+>keepalive</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#KERNELOPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>kernel oplocks</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LANMANAUTH"
+><TT
+CLASS="PARAMETER"
+><I
+>lanman auth</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LARGEREADWRITE"
+><TT
+CLASS="PARAMETER"
+><I
+>large readwrite</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPADMINDN"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap admin dn</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPFILTER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap filter</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap port</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSSL"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap ssl</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LDAPSUFFIX"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap suffix</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LMANNOUNCE"
+><TT
+CLASS="PARAMETER"
+><I
+>lm announce</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LMINTERVAL"
+><TT
+CLASS="PARAMETER"
+><I
+>lm interval</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOADPRINTERS"
+><TT
+CLASS="PARAMETER"
+><I
+>load printers</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOCALMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+>local master</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOCKDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>lock dir</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOCKDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+>lock directory</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOGFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>log file</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOGLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>log level</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOGONDRIVE"
+><TT
+CLASS="PARAMETER"
+><I
+>logon drive</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOGONHOME"
+><TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOGONPATH"
+><TT
+CLASS="PARAMETER"
+><I
+>logon path</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOGONSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>logon script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LPQCACHETIME"
+><TT
+CLASS="PARAMETER"
+><I
+>lpq cache time</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MACHINEPASSWORDTIMEOUT"
+><TT
+CLASS="PARAMETER"
+><I
+>machine password timeout</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MANGLEDSTACK"
+><TT
+CLASS="PARAMETER"
+><I
+>mangled stack</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXDISKSIZE"
+><TT
+CLASS="PARAMETER"
+><I
+>max disk size</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXLOGSIZE"
+><TT
+CLASS="PARAMETER"
+><I
+>max log size</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXMUX"
+><TT
+CLASS="PARAMETER"
+><I
+>max mux</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXOPENFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>max open files</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXPROTOCOL"
+><TT
+CLASS="PARAMETER"
+><I
+>max protocol</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXSMBDPROCESSES"
+><TT
+CLASS="PARAMETER"
+><I
+>max smbd processes</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXTTL"
+><TT
+CLASS="PARAMETER"
+><I
+>max ttl</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXWINSTTL"
+><TT
+CLASS="PARAMETER"
+><I
+>max wins ttl</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXXMIT"
+><TT
+CLASS="PARAMETER"
+><I
+>max xmit</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MESSAGECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>message command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MINPASSWDLENGTH"
+><TT
+CLASS="PARAMETER"
+><I
+>min passwd length</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MINPASSWORDLENGTH"
+><TT
+CLASS="PARAMETER"
+><I
+>min password length</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MINPROTOCOL"
+><TT
+CLASS="PARAMETER"
+><I
+>min protocol</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MINWINSTTL"
+><TT
+CLASS="PARAMETER"
+><I
+>min wins ttl</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NAMERESOLVEORDER"
+><TT
+CLASS="PARAMETER"
+><I
+>name resolve order</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NETBIOSALIASES"
+><TT
+CLASS="PARAMETER"
+><I
+>netbios aliases</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NETBIOSNAME"
+><TT
+CLASS="PARAMETER"
+><I
+>netbios name</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NETBIOSSCOPE"
+><TT
+CLASS="PARAMETER"
+><I
+>netbios scope</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NISHOMEDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>nis homedir</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NONUNIXACCOUNTRANGE"
+><TT
+CLASS="PARAMETER"
+><I
+>non unix account range</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NTPIPESUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+>nt pipe support</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NULLPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>null passwords</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#OBEYPAMRESTRICTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>obey pam restrictions</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#OPLOCKBREAKWAITTIME"
+><TT
+CLASS="PARAMETER"
+><I
+>oplock break wait time</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#OSLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>os level</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#OS2DRIVERMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>os2 driver map</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PAMPASSWORDCHANGE"
+><TT
+CLASS="PARAMETER"
+><I
+>pam password change</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PANICACTION"
+><TT
+CLASS="PARAMETER"
+><I
+>panic action</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PASSDBBACKEND"
+><TT
+CLASS="PARAMETER"
+><I
+>passdb backend</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PASSWDCHAT"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PASSWDCHATDEBUG"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat debug</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PASSWORDLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>password level</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PREFEREDMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+>prefered master</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PREFERREDMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+>preferred master</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRELOAD"
+><TT
+CLASS="PARAMETER"
+><I
+>preload</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTCAP"
+><TT
+CLASS="PARAMETER"
+><I
+>printcap</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTCAPNAME"
+><TT
+CLASS="PARAMETER"
+><I
+>printcap name</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTERDRIVERFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver file</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRIVATEDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>private dir</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PROTOCOL"
+><TT
+CLASS="PARAMETER"
+><I
+>protocol</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#READBMPX"
+><TT
+CLASS="PARAMETER"
+><I
+>read bmpx</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#READRAW"
+><TT
+CLASS="PARAMETER"
+><I
+>read raw</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#READSIZE"
+><TT
+CLASS="PARAMETER"
+><I
+>read size</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#REMOTEANNOUNCE"
+><TT
+CLASS="PARAMETER"
+><I
+>remote announce</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#REMOTEBROWSESYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>remote browse sync</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#RESTRICTANONYMOUS"
+><TT
+CLASS="PARAMETER"
+><I
+>restrict anonymous</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ROOT"
+><TT
+CLASS="PARAMETER"
+><I
+>root</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ROOTDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>root dir</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ROOTDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SERVERSTRING"
+><TT
+CLASS="PARAMETER"
+><I
+>server string</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SHOWADDPRINTERWIZARD"
+><TT
+CLASS="PARAMETER"
+><I
+>show add printer wizard</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>shutdown script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SMBPASSWDFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>smb passwd file</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SOCKETADDRESS"
+><TT
+CLASS="PARAMETER"
+><I
+>socket address</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SOCKETOPTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>socket options</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SOURCEENVIRONMENT"
+><TT
+CLASS="PARAMETER"
+><I
+>source environment</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSL"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLCACERTDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certDir</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLCACERTFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certFile</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLCIPHERS"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl ciphers</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLCLIENTCERT"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl client cert</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLCLIENTKEY"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl client key</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLCOMPATIBILITY"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl compatibility</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLEGDSOCKET"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl egd socket</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLENTROPYBYTES"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy bytes</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy file</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLHOSTS"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl hosts</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLHOSTSRESIGN"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl hosts resign</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLREQUIRECLIENTCERT"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl require clientcert</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLREQUIRESERVERCERT"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl require servercert</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLSERVERCERT"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl server cert</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLSERVERKEY"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl server key</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SSLVERSION"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl version</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#STATCACHE"
+><TT
+CLASS="PARAMETER"
+><I
+>stat cache</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#STATCACHESIZE"
+><TT
+CLASS="PARAMETER"
+><I
+>stat cache size</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#STRIPDOT"
+><TT
+CLASS="PARAMETER"
+><I
+>strip dot</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SYSLOG"
+><TT
+CLASS="PARAMETER"
+><I
+>syslog</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SYSLOGONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>syslog only</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#TEMPLATEHOMEDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>template homedir</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#TEMPLATESHELL"
+><TT
+CLASS="PARAMETER"
+><I
+>template shell</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#TIMEOFFSET"
+><TT
+CLASS="PARAMETER"
+><I
+>time offset</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#TIMESERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>time server</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#TIMESTAMPLOGS"
+><TT
+CLASS="PARAMETER"
+><I
+>timestamp logs</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#TOTALPRINTJOBS"
+><TT
+CLASS="PARAMETER"
+><I
+>total print jobs</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#UNIXEXTENSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>unix extensions</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix password sync</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#UPDATEENCRYPTED"
+><TT
+CLASS="PARAMETER"
+><I
+>update encrypted</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USEMMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>use mmap</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USERHOSTS"
+><TT
+CLASS="PARAMETER"
+><I
+>use rhosts</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USERNAMELEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>username level</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USERNAMEMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>username map</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#UTMP"
+><TT
+CLASS="PARAMETER"
+><I
+>utmp</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#UTMPDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+>utmp directory</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDCACHETIME"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind cache time</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDENUMUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind enum users</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDENUMGROUPS"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind enum groups</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDGID"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind gid</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDSEPARATOR"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind separator</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDUID"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind uid</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINBINDUSEDEFAULTDOMAIN"
+><TT
+CLASS="PARAMETER"
+><I
+>winbind use default domain</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINSHOOK"
+><TT
+CLASS="PARAMETER"
+><I
+>wins hook</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINSPROXY"
+><TT
+CLASS="PARAMETER"
+><I
+>wins proxy</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINSSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>wins server</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WINSSUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+>wins support</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WORKGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WRITERAW"
+><TT
+CLASS="PARAMETER"
+><I
+>write raw</I
+></TT
+></A
+></P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN971"
+></A
+><H2
+>COMPLETE LIST OF SERVICE PARAMETERS</H2
+><P
+>Here is a list of all service parameters. See the section on
+ each parameter for details. Note that some are synonyms.</P
+><P
+></P
+><UL
+><LI
+><P
+><A
+HREF="#ADMINUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>admin users</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ALLOWHOSTS"
+><TT
+CLASS="PARAMETER"
+><I
+>allow hosts</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#AVAILABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>available</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#BLOCKINGLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>blocking locks</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#BROWSABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>browsable</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#BROWSEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>browseable</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#CASESENSITIVE"
+><TT
+CLASS="PARAMETER"
+><I
+>case sensitive</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#CASESIGNAMES"
+><TT
+CLASS="PARAMETER"
+><I
+>casesignames</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#COMMENT"
+><TT
+CLASS="PARAMETER"
+><I
+>comment</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#COPY"
+><TT
+CLASS="PARAMETER"
+><I
+>copy</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#CREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>create mode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEFAULTCASE"
+><TT
+CLASS="PARAMETER"
+><I
+>default case</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DEFAULTDEVMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>default devmode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DELETEREADONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>delete readonly</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DELETEVETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>delete veto files</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DENYHOSTS"
+><TT
+CLASS="PARAMETER"
+><I
+>deny hosts</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+>directory</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>directory mode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DONTDESCEND"
+><TT
+CLASS="PARAMETER"
+><I
+>dont descend</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DOSFILEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>dos filemode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DOSFILETIMERESOLUTION"
+><TT
+CLASS="PARAMETER"
+><I
+>dos filetime resolution</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#DOSFILETIMES"
+><TT
+CLASS="PARAMETER"
+><I
+>dos filetimes</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#EXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>exec</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FAKEDIRECTORYCREATETIMES"
+><TT
+CLASS="PARAMETER"
+><I
+>fake directory create times</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FAKEOPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>fake oplocks</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FOLLOWSYMLINKS"
+><TT
+CLASS="PARAMETER"
+><I
+>follow symlinks</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FORCEDIRECTORYSECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force directory security mode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FORCEGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>force group</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FORCESECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FORCEUSER"
+><TT
+CLASS="PARAMETER"
+><I
+>force user</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#FSTYPE"
+><TT
+CLASS="PARAMETER"
+><I
+>fstype</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#GROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>group</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#GUESTOK"
+><TT
+CLASS="PARAMETER"
+><I
+>guest ok</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#GUESTONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HIDEDOTFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>hide dot files</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HIDEFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>hide files</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HOSTSALLOW"
+><TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#HOSTSDENY"
+><TT
+CLASS="PARAMETER"
+><I
+>hosts deny</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#INCLUDE"
+><TT
+CLASS="PARAMETER"
+><I
+>include</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#INHERITPERMISSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>inherit permissions</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#INVALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>invalid users</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LEVEL2OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>level2 oplocks</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LOCKING"
+><TT
+CLASS="PARAMETER"
+><I
+>locking</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LPPAUSECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>lppause command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LPQCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>lpq command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LPRESUMECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>lpresume command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#LPRMCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>lprm command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAGICOUTPUT"
+><TT
+CLASS="PARAMETER"
+><I
+>magic output</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAGICSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>magic script</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MANGLECASE"
+><TT
+CLASS="PARAMETER"
+><I
+>mangle case</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MANGLEDMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>mangled map</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MANGLEDNAMES"
+><TT
+CLASS="PARAMETER"
+><I
+>mangled names</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MANGLINGCHAR"
+><TT
+CLASS="PARAMETER"
+><I
+>mangling char</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAPARCHIVE"
+><TT
+CLASS="PARAMETER"
+><I
+>map archive</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAPHIDDEN"
+><TT
+CLASS="PARAMETER"
+><I
+>map hidden</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAPSYSTEM"
+><TT
+CLASS="PARAMETER"
+><I
+>map system</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXCONNECTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>max connections</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MAXPRINTJOBS"
+><TT
+CLASS="PARAMETER"
+><I
+>max print jobs</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MINPRINTSPACE"
+><TT
+CLASS="PARAMETER"
+><I
+>min print space</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#MSDFSROOT"
+><TT
+CLASS="PARAMETER"
+><I
+>msdfs root</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#NTACLSUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ONLYGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>only guest</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ONLYUSER"
+><TT
+CLASS="PARAMETER"
+><I
+>only user</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#OPLOCKCONTENTIONLIMIT"
+><TT
+CLASS="PARAMETER"
+><I
+>oplock contention limit</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PATH"
+><TT
+CLASS="PARAMETER"
+><I
+>path</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#POSIXLOCKING"
+><TT
+CLASS="PARAMETER"
+><I
+>posix locking</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#POSTEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>postexec</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#POSTSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>postscript</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PREEXECCLOSE"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec close</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRESERVECASE"
+><TT
+CLASS="PARAMETER"
+><I
+>preserve case</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>print command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTOK"
+><TT
+CLASS="PARAMETER"
+><I
+>print ok</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>printable</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTER"
+><TT
+CLASS="PARAMETER"
+><I
+>printer</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTERADMIN"
+><TT
+CLASS="PARAMETER"
+><I
+>printer admin</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTERDRIVER"
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTERDRIVERLOCATION"
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver location</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTERNAME"
+><TT
+CLASS="PARAMETER"
+><I
+>printer name</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#PUBLIC"
+><TT
+CLASS="PARAMETER"
+><I
+>public</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#QUEUEPAUSECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>queuepause command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#QUEUERESUMECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>queueresume command</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#READLIST"
+><TT
+CLASS="PARAMETER"
+><I
+>read list</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#READONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>read only</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ROOTPOSTEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>root postexec</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ROOTPREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>root preexec</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#ROOTPREEXECCLOSE"
+><TT
+CLASS="PARAMETER"
+><I
+>root preexec close</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SETDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+>set directory</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SHORTPRESERVECASE"
+><TT
+CLASS="PARAMETER"
+><I
+>short preserve case</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#STATUS"
+><TT
+CLASS="PARAMETER"
+><I
+>status</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#STRICTALLOCATE"
+><TT
+CLASS="PARAMETER"
+><I
+>strict allocate</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#STRICTLOCKING"
+><TT
+CLASS="PARAMETER"
+><I
+>strict locking</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#STRICTSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>strict sync</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#SYNCALWAYS"
+><TT
+CLASS="PARAMETER"
+><I
+>sync always</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USECLIENTDRIVER"
+><TT
+CLASS="PARAMETER"
+><I
+>use client driver</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USER"
+><TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USERNAME"
+><TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#USERS"
+><TT
+CLASS="PARAMETER"
+><I
+>users</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#VALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>valid users</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto files</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#VETOOPLOCKFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto oplock files</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#VFSOBJECT"
+><TT
+CLASS="PARAMETER"
+><I
+>vfs object</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#VFSOPTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>vfs options</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#VOLUME"
+><TT
+CLASS="PARAMETER"
+><I
+>volume</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WIDELINKS"
+><TT
+CLASS="PARAMETER"
+><I
+>wide links</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WRITABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writable</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WRITECACHESIZE"
+><TT
+CLASS="PARAMETER"
+><I
+>write cache size</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WRITELIST"
+><TT
+CLASS="PARAMETER"
+><I
+>write list</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WRITEOK"
+><TT
+CLASS="PARAMETER"
+><I
+>write ok</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+></A
+></P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN1451"
+></A
+><H2
+>EXPLANATION OF EACH PARAMETER</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><A
+NAME="ABORTSHUTDOWNSCRIPT"
+></A
+>abort shutdown script (G)</DT
+><DD
+><P
+><EM
+>This parameter only exists in the HEAD cvs branch</EM
+>
+ This a full path name to a script called by
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> that
+ should stop a shutdown procedure issued by the <A
+HREF="#SHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>shutdown script</I
+></TT
+></A
+>.</P
+><P
+>This command will be run as user.</P
+><P
+>Default: <EM
+>None</EM
+>.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>abort shutdown script = /sbin/shutdown -c</B
+></P
+></DD
+><DT
+><A
+NAME="ADDPRINTERCOMMAND"
+></A
+>add printer command (G)</DT
+><DD
+><P
+>With the introduction of MS-RPC based printing
+ support for Windows NT/2000 clients in Samba 2.2, The MS Add
+ Printer Wizard (APW) icon is now also available in the
+ "Printers..." folder displayed a share listing. The APW
+ allows for printers to be add remotely to a Samba or Windows
+ NT/2000 print server.</P
+><P
+>For a Samba host this means that the printer must be
+ physically added to the underlying printing system. The <TT
+CLASS="PARAMETER"
+><I
+>add
+ printer command</I
+></TT
+> defines a script to be run which
+ will perform the necessary operations for adding the printer
+ to the print system and to add the appropriate service definition
+ to the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file in order that it can be
+ shared by <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+>
+ </A
+>.</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>add printer command</I
+></TT
+> is
+ automatically invoked with the following parameter (in
+ order:</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer name</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>share name</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>port name</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>driver name</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>location</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>Windows 9x driver location</I
+></TT
+>
+ </P
+></LI
+></UL
+><P
+>All parameters are filled in from the PRINTER_INFO_2 structure sent
+ by the Windows NT/2000 client with one exception. The "Windows 9x
+ driver location" parameter is included for backwards compatibility
+ only. The remaining fields in the structure are generated from answers
+ to the APW questions.</P
+><P
+>Once the <TT
+CLASS="PARAMETER"
+><I
+>add printer command</I
+></TT
+> has
+ been executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will reparse the <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> to determine if the share defined by the APW
+ exists. If the sharename is still invalid, then <B
+CLASS="COMMAND"
+>smbd
+ </B
+> will return an ACCESS_DENIED error to the client.</P
+><P
+>See also <A
+HREF="#DELETEPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+> delete printer command</I
+></TT
+></A
+>, <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+>,
+ <A
+HREF="#SHOWADDPRINTERWIZARD"
+><TT
+CLASS="PARAMETER"
+><I
+>show add
+ printer wizard</I
+></TT
+></A
+></P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>addprinter command = /usr/bin/addprinter
+ </B
+></P
+></DD
+><DT
+><A
+NAME="ADDSHARECOMMAND"
+></A
+>add share command (G)</DT
+><DD
+><P
+>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <TT
+CLASS="PARAMETER"
+><I
+>add share command</I
+></TT
+> is used to define an
+ external program or script which will add a new service definition
+ to <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. In order to successfully
+ execute the <TT
+CLASS="PARAMETER"
+><I
+>add share command</I
+></TT
+>, <B
+CLASS="COMMAND"
+>smbd</B
+>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </P
+><P
+> When executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will automatically invoke the
+ <TT
+CLASS="PARAMETER"
+><I
+>add share command</I
+></TT
+> with four parameters.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>configFile</I
+></TT
+> - the location
+ of the global <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>shareName</I
+></TT
+> - the name of the new
+ share.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>pathName</I
+></TT
+> - path to an **existing**
+ directory on disk.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>comment</I
+></TT
+> - comment string to associate
+ with the new share.
+ </P
+></LI
+></UL
+><P
+> This parameter is only used for add file shares. To add printer shares,
+ see the <A
+HREF="#ADDPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>add printer
+ command</I
+></TT
+></A
+>.
+ </P
+><P
+> See also <A
+HREF="#CHANGESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>change share
+ command</I
+></TT
+></A
+>, <A
+HREF="#DELETESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete share
+ command</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>add share command = /usr/local/bin/addshare</B
+></P
+></DD
+><DT
+><A
+NAME="ADDMACHINESCRIPT"
+></A
+>add machine script (G)</DT
+><DD
+><P
+>This is the full pathname to a script that will
+ be run by <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> when a machine is added
+ to it's domain using the administrator username and password method. </P
+><P
+>This option is only required when using sam back-ends tied to the
+ Unix uid method of RID calculation such as smbpasswd. This option is only
+ available in Samba 3.0.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>add machine script = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+ </B
+></P
+></DD
+><DT
+><A
+NAME="ADDUSERSCRIPT"
+></A
+>add user script (G)</DT
+><DD
+><P
+>This is the full pathname to a script that will
+ be run <EM
+>AS ROOT</EM
+> by <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)
+ </A
+> under special circumstances described below.</P
+><P
+>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> to create the required UNIX users
+ <EM
+>ON DEMAND</EM
+> when a user accesses the Samba server.</P
+><P
+>In order to use this option, <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+>
+ must <EM
+>NOT</EM
+> be set to <TT
+CLASS="PARAMETER"
+><I
+>security = share</I
+></TT
+>
+ and <TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+>
+ must be set to a full pathname for a script that will create a UNIX
+ user given one argument of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>, which expands into
+ the UNIX user name to create.</P
+><P
+>When the Windows user attempts to access the Samba server,
+ at login (session setup in the SMB protocol) time, <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd</A
+> contacts the <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> and
+ attempts to authenticate the given user with the given password. If the
+ authentication succeeds then <B
+CLASS="COMMAND"
+>smbd</B
+>
+ attempts to find a UNIX user in the UNIX password database to map the
+ Windows user into. If this lookup fails, and <TT
+CLASS="PARAMETER"
+><I
+>add user script
+ </I
+></TT
+> is set then <B
+CLASS="COMMAND"
+>smbd</B
+> will
+ call the specified script <EM
+>AS ROOT</EM
+>, expanding
+ any <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+> argument to be the user name to create.</P
+><P
+>If this script successfully creates the user then <B
+CLASS="COMMAND"
+>smbd
+ </B
+> will continue on as though the UNIX user
+ already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.</P
+><P
+>See also <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+>, <A
+HREF="#PASSWORDSERVER"
+> <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+></A
+>,
+ <A
+HREF="#DELETEUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>delete user
+ script</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>add user script = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>add user script = /usr/local/samba/bin/add_user
+ %u</B
+></P
+></DD
+><DT
+><A
+NAME="ADMINUSERS"
+></A
+>admin users (S)</DT
+><DD
+><P
+>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</P
+><P
+>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</P
+><P
+>Default: <EM
+>no admin users</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>admin users = jason</B
+></P
+></DD
+><DT
+><A
+NAME="ALLOWHOSTS"
+></A
+>allow hosts (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#HOSTSALLOW"
+> <TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ALLOWTRUSTEDDOMAINS"
+></A
+>allow trusted domains (G)</DT
+><DD
+><P
+>This option only takes effect when the <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+></A
+> option is set to
+ <TT
+CLASS="CONSTANT"
+>server</TT
+> or <TT
+CLASS="CONSTANT"
+>domain</TT
+>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</P
+><P
+>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>allow trusted domains = yes</B
+></P
+></DD
+><DT
+><A
+NAME="ANNOUNCEAS"
+></A
+>announce as (G)</DT
+><DD
+><P
+>This specifies what type of server
+ <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>nmbd</B
+></A
+>
+ will announce itself as, to a network neighborhood browse
+ list. By default this is set to Windows NT. The valid options
+ are : "NT Server" (which can also be written as "NT"),
+ "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
+ Windows NT Workstation, Windows 95 and Windows for Workgroups
+ respectively. Do not change this parameter unless you have a
+ specific need to stop Samba appearing as an NT server as this
+ may prevent Samba servers from participating as browser servers
+ correctly.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>announce as = NT Server</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>announce as = Win95</B
+></P
+></DD
+><DT
+><A
+NAME="ANNOUNCEVERSION"
+></A
+>announce version (G)</DT
+><DD
+><P
+>This specifies the major and minor version numbers
+ that nmbd will use when announcing itself as a server. The default
+ is 4.2. Do not change this parameter unless you have a specific
+ need to set a Samba server to be a downlevel server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>announce version = 4.5</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>announce version = 2.0</B
+></P
+></DD
+><DT
+><A
+NAME="AUTOSERVICES"
+></A
+>auto services (G)</DT
+><DD
+><P
+>This is a synonym for the <A
+HREF="#PRELOAD"
+> <TT
+CLASS="PARAMETER"
+><I
+>preload</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="AUTHMETHODS"
+></A
+>auth methods (G)</DT
+><DD
+><P
+>This option allows the administrator to chose what
+ authentication methods <B
+CLASS="COMMAND"
+>smbd</B
+> will use when authenticating
+ a user. This option defaults to sensible values based on <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+>.
+
+ Each entry in the list attempts to authenticate the user in turn, until
+ the user authenticates. In practice only one method will ever actually
+ be able to complete the authentication.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>auth methods = &#60;empty string&#62;</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>auth methods = guest sam ntdomain</B
+></P
+></DD
+><DT
+><A
+NAME="AVAILABLE"
+></A
+>available (S)</DT
+><DD
+><P
+>This parameter lets you "turn off" a service. If
+ <TT
+CLASS="PARAMETER"
+><I
+>available = no</I
+></TT
+>, then <EM
+>ALL</EM
+>
+ attempts to connect to the service will fail. Such failures are
+ logged.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>available = yes</B
+></P
+></DD
+><DT
+><A
+NAME="BINDINTERFACESONLY"
+></A
+>bind interfaces only (G)</DT
+><DD
+><P
+>This global parameter allows the Samba admin
+ to limit what interfaces on a machine will serve SMB requests. If
+ affects file service <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> and
+ name service <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> in slightly
+ different ways.</P
+><P
+>For name service it causes <B
+CLASS="COMMAND"
+>nmbd</B
+> to bind
+ to ports 137 and 138 on the interfaces listed in the <A
+HREF="#INTERFACES"
+>interfaces</A
+> parameter. <B
+CLASS="COMMAND"
+>nmbd
+ </B
+> also binds to the "all addresses" interface (0.0.0.0)
+ on ports 137 and 138 for the purposes of reading broadcast messages.
+ If this option is not set then <B
+CLASS="COMMAND"
+>nmbd</B
+> will service
+ name requests on all of these sockets. If <TT
+CLASS="PARAMETER"
+><I
+>bind interfaces
+ only</I
+></TT
+> is set then <B
+CLASS="COMMAND"
+>nmbd</B
+> will check the
+ source address of any packets coming in on the broadcast sockets
+ and discard any that don't match the broadcast addresses of the
+ interfaces in the <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> parameter list.
+ As unicast packets are received on the other sockets it allows
+ <B
+CLASS="COMMAND"
+>nmbd</B
+> to refuse to serve names to machines that
+ send packets that arrive through any interfaces not listed in the
+ <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> list. IP Source address spoofing
+ does defeat this simple check, however so it must not be used
+ seriously as a security feature for <B
+CLASS="COMMAND"
+>nmbd</B
+>.</P
+><P
+>For file service it causes <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+>
+ to bind only to the interface list given in the <A
+HREF="#INTERFACES"
+> interfaces</A
+> parameter. This restricts the networks that
+ <B
+CLASS="COMMAND"
+>smbd</B
+> will serve to packets coming in those
+ interfaces. Note that you should not use this parameter for machines
+ that are serving PPP or other intermittent or non-broadcast network
+ interfaces as it will not cope with non-permanent interfaces.</P
+><P
+>If <TT
+CLASS="PARAMETER"
+><I
+>bind interfaces only</I
+></TT
+> is set then
+ unless the network address <EM
+>127.0.0.1</EM
+> is added
+ to the <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> parameter list <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+>
+ and <A
+HREF="swat.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>swat(8)</B
+></A
+> may
+ not work as expected due to the reasons covered below.</P
+><P
+>To change a users SMB password, the <B
+CLASS="COMMAND"
+>smbpasswd</B
+>
+ by default connects to the <EM
+>localhost - 127.0.0.1</EM
+>
+ address as an SMB client to issue the password change request. If
+ <TT
+CLASS="PARAMETER"
+><I
+>bind interfaces only</I
+></TT
+> is set then unless the
+ network address <EM
+>127.0.0.1</EM
+> is added to the
+ <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> parameter list then <B
+CLASS="COMMAND"
+> smbpasswd</B
+> will fail to connect in it's default mode.
+ <B
+CLASS="COMMAND"
+>smbpasswd</B
+> can be forced to use the primary IP interface
+ of the local host by using its <A
+HREF="smbpasswd.8.html#minusr"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>remote machine</I
+></TT
+></I
+></TT
+>
+ </A
+> parameter, with <TT
+CLASS="REPLACEABLE"
+><I
+>remote machine</I
+></TT
+> set
+ to the IP name of the primary interface of the local host.</P
+><P
+>The <B
+CLASS="COMMAND"
+>swat</B
+> status page tries to connect with
+ <B
+CLASS="COMMAND"
+>smbd</B
+> and <B
+CLASS="COMMAND"
+>nmbd</B
+> at the address
+ <EM
+>127.0.0.1</EM
+> to determine if they are running.
+ Not adding <EM
+>127.0.0.1</EM
+> will cause <B
+CLASS="COMMAND"
+> smbd</B
+> and <B
+CLASS="COMMAND"
+>nmbd</B
+> to always show
+ "not running" even if they really are. This can prevent <B
+CLASS="COMMAND"
+> swat</B
+> from starting/stopping/restarting <B
+CLASS="COMMAND"
+>smbd</B
+>
+ and <B
+CLASS="COMMAND"
+>nmbd</B
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>bind interfaces only = no</B
+></P
+></DD
+><DT
+><A
+NAME="BLOCKINGLOCKS"
+></A
+>blocking locks (S)</DT
+><DD
+><P
+>This parameter controls the behavior of <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> when given a request by a client
+ to obtain a byte range lock on a region of an open file, and the
+ request has a time limit associated with it.</P
+><P
+>If this parameter is set and the lock range requested
+ cannot be immediately satisfied, Samba 2.2 will internally
+ queue the lock request, and periodically attempt to obtain
+ the lock until the timeout period expires.</P
+><P
+>If this parameter is set to <TT
+CLASS="CONSTANT"
+>false</TT
+>, then
+ Samba 2.2 will behave as previous versions of Samba would and
+ will fail the lock request immediately if the lock range
+ cannot be obtained.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>blocking locks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="BROWSABLE"
+></A
+>browsable (S)</DT
+><DD
+><P
+>See the <A
+HREF="#BROWSEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+> browseable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="BROWSELIST"
+></A
+>browse list (G)</DT
+><DD
+><P
+>This controls whether <A
+HREF="smbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> will serve a browse list to
+ a client doing a <B
+CLASS="COMMAND"
+>NetServerEnum</B
+> call. Normally
+ set to <TT
+CLASS="CONSTANT"
+>true</TT
+>. You should never need to change
+ this.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>browse list = yes</B
+></P
+></DD
+><DT
+><A
+NAME="BROWSEABLE"
+></A
+>browseable (S)</DT
+><DD
+><P
+>This controls whether this share is seen in
+ the list of available shares in a net view and in the browse list.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>browseable = yes</B
+></P
+></DD
+><DT
+><A
+NAME="CASESENSITIVE"
+></A
+>case sensitive (S)</DT
+><DD
+><P
+>See the discussion in the section <A
+HREF="#AEN203"
+>NAME MANGLING</A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>case sensitive = no</B
+></P
+></DD
+><DT
+><A
+NAME="CASESIGNAMES"
+></A
+>casesignames (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#CASESENSITIVE"
+>case
+ sensitive</A
+>.</P
+></DD
+><DT
+><A
+NAME="CHANGENOTIFYTIMEOUT"
+></A
+>change notify timeout (G)</DT
+><DD
+><P
+>This SMB allows a client to tell a server to
+ "watch" a particular directory for any changes and only reply to
+ the SMB request when a change has occurred. Such constant scanning of
+ a directory is expensive under UNIX, hence an <A
+HREF="smbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> daemon only performs such a scan
+ on each requested directory once every <TT
+CLASS="PARAMETER"
+><I
+>change notify
+ timeout</I
+></TT
+> seconds.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>change notify timeout = 60</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>change notify timeout = 300</B
+></P
+><P
+>Would change the scan time to every 5 minutes.</P
+></DD
+><DT
+><A
+NAME="CHANGESHARECOMMAND"
+></A
+>change share command (G)</DT
+><DD
+><P
+>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+> is used to define an
+ external program or script which will modify an existing service definition
+ in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. In order to successfully
+ execute the <TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+>, <B
+CLASS="COMMAND"
+>smbd</B
+>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </P
+><P
+> When executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will automatically invoke the
+ <TT
+CLASS="PARAMETER"
+><I
+>change share command</I
+></TT
+> with four parameters.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>configFile</I
+></TT
+> - the location
+ of the global <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>shareName</I
+></TT
+> - the name of the new
+ share.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>pathName</I
+></TT
+> - path to an **existing**
+ directory on disk.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>comment</I
+></TT
+> - comment string to associate
+ with the new share.
+ </P
+></LI
+></UL
+><P
+> This parameter is only used modify existing file shares definitions. To modify
+ printer shares, use the "Printers..." folder as seen when browsing the Samba host.
+ </P
+><P
+> See also <A
+HREF="#ADDSHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>add share
+ command</I
+></TT
+></A
+>, <A
+HREF="#DELETESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete
+ share command</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>change share command = /usr/local/bin/addshare</B
+></P
+></DD
+><DT
+><A
+NAME="COMMENT"
+></A
+>comment (S)</DT
+><DD
+><P
+>This is a text field that is seen next to a share
+ when a client does a queries the server, either via the network
+ neighborhood or via <B
+CLASS="COMMAND"
+>net view</B
+> to list what shares
+ are available.</P
+><P
+>If you want to set the string that is displayed next to the
+ machine name then see the <A
+HREF="#SERVERSTRING"
+><TT
+CLASS="PARAMETER"
+><I
+> server string</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <EM
+>No comment string</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>comment = Fred's Files</B
+></P
+></DD
+><DT
+><A
+NAME="CONFIGFILE"
+></A
+>config file (G)</DT
+><DD
+><P
+>This allows you to override the config file
+ to use, instead of the default (usually <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>).
+ There is a chicken and egg problem here as this option is set
+ in the config file!</P
+><P
+>For this reason, if the name of the config file has changed
+ when the parameters are loaded then it will reload them from
+ the new config file.</P
+><P
+>This option takes the usual substitutions, which can
+ be very useful.</P
+><P
+>If the config file doesn't exist then it won't be loaded
+ (allowing you to special case the config files of just a few
+ clients).</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>config file = /usr/local/samba/lib/smb.conf.%m
+ </B
+></P
+></DD
+><DT
+><A
+NAME="COPY"
+></A
+>copy (S)</DT
+><DD
+><P
+>This parameter allows you to "clone" service
+ entries. The specified service is simply duplicated under the
+ current service's name. Any parameters specified in the current
+ section will override those in the section being copied.</P
+><P
+>This feature lets you set up a 'template' service and
+ create similar services easily. Note that the service being
+ copied must occur earlier in the configuration file than the
+ service doing the copying.</P
+><P
+>Default: <EM
+>no value</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>copy = otherservice</B
+></P
+></DD
+><DT
+><A
+NAME="CREATEMASK"
+></A
+>create mask (S)</DT
+><DD
+><P
+>A synonym for this parameter is
+ <A
+HREF="#CREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>create mode</I
+></TT
+>
+ </A
+>.</P
+><P
+>When a file is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX
+ permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
+ with this parameter. This parameter may be thought of as a bit-wise
+ MASK for the UNIX modes of a file. Any bit <EM
+>not</EM
+>
+ set here will be removed from the modes set on a file when it is
+ created.</P
+><P
+>The default value of this parameter removes the
+ 'group' and 'other' write and execute bits from the UNIX modes.</P
+><P
+>Following this Samba will bit-wise 'OR' the UNIX mode created
+ from this parameter with the value of the <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></A
+>
+ parameter which is set to 000 by default.</P
+><P
+>This parameter does not affect directory modes. See the
+ parameter <A
+HREF="#DIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>directory mode
+ </I
+></TT
+></A
+> for details.</P
+><P
+>See also the <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ create mode</I
+></TT
+></A
+> parameter for forcing particular mode
+ bits to be set on created files. See also the <A
+HREF="#DIRECTORYMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>directory mode</I
+></TT
+></A
+> parameter for masking
+ mode bits on created directories. See also the <A
+HREF="#INHERITPERMISSIONS"
+> <TT
+CLASS="PARAMETER"
+><I
+>inherit permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <A
+HREF="#SECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>create mask = 0744</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>create mask = 0775</B
+></P
+></DD
+><DT
+><A
+NAME="CREATEMODE"
+></A
+>create mode (S)</DT
+><DD
+><P
+>This is a synonym for <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> create mask</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DEADTIME"
+></A
+>deadtime (G)</DT
+><DD
+><P
+>The value of the parameter (a decimal integer)
+ represents the number of minutes of inactivity before a connection
+ is considered dead, and it is disconnected. The deadtime only takes
+ effect if the number of open files is zero.</P
+><P
+>This is useful to stop a server's resources being
+ exhausted by a large number of inactive connections.</P
+><P
+>Most clients have an auto-reconnect feature when a
+ connection is broken so in most cases this parameter should be
+ transparent to users.</P
+><P
+>Using this parameter with a timeout of a few minutes
+ is recommended for most systems.</P
+><P
+>A deadtime of zero indicates that no auto-disconnection
+ should be performed.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>deadtime = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>deadtime = 15</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGHIRESTIMESTAMP"
+></A
+>debug hires timestamp (G)</DT
+><DD
+><P
+>Sometimes the timestamps in the log messages
+ are needed with a resolution of higher that seconds, this
+ boolean parameter adds microsecond resolution to the timestamp
+ message header when turned on.</P
+><P
+>Note that the parameter <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+> must be on for this to have an
+ effect.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug hires timestamp = no</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGPID"
+></A
+>debug pid (G)</DT
+><DD
+><P
+>When using only one log file for more then one
+ forked <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+>-process there may be hard to follow which process
+ outputs which message. This boolean parameter is adds the process-id
+ to the timestamp message headers in the logfile when turned on.</P
+><P
+>Note that the parameter <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+> must be on for this to have an
+ effect.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug pid = no</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGTIMESTAMP"
+></A
+>debug timestamp (G)</DT
+><DD
+><P
+>Samba 2.2 debug log messages are timestamped
+ by default. If you are running at a high <A
+HREF="#DEBUGLEVEL"
+> <TT
+CLASS="PARAMETER"
+><I
+>debug level</I
+></TT
+></A
+> these timestamps
+ can be distracting. This boolean parameter allows timestamping
+ to be turned off.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug timestamp = yes</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGUID"
+></A
+>debug uid (G)</DT
+><DD
+><P
+>Samba is sometimes run as root and sometime
+ run as the connected user, this boolean parameter inserts the
+ current euid, egid, uid and gid to the timestamp message headers
+ in the log file if turned on.</P
+><P
+>Note that the parameter <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+> must be on for this to have an
+ effect.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug uid = no</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGLEVEL"
+></A
+>debuglevel (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#LOGLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+> log level</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DEFAULT"
+></A
+>default (G)</DT
+><DD
+><P
+>A synonym for <A
+HREF="#DEFAULTSERVICE"
+><TT
+CLASS="PARAMETER"
+><I
+> default service</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DEFAULTCASE"
+></A
+>default case (S)</DT
+><DD
+><P
+>See the section on <A
+HREF="#AEN203"
+> NAME MANGLING</A
+>. Also note the <A
+HREF="#SHORTPRESERVECASE"
+> <TT
+CLASS="PARAMETER"
+><I
+>short preserve case</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>default case = lower</B
+></P
+></DD
+><DT
+><A
+NAME="DEFAULTDEVMODE"
+></A
+>default devmode (S)</DT
+><DD
+><P
+>This parameter is only applicable to <A
+HREF="#PRINTOK"
+>printable</A
+> services. When smbd is serving
+ Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
+ server has a Device Mode which defines things such as paper size and
+ orientation and duplex settings. The device mode can only correctly be
+ generated by the printer driver itself (which can only be executed on a
+ Win32 platform). Because smbd is unable to execute the driver code
+ to generate the device mode, the default behavior is to set this field
+ to NULL.
+ </P
+><P
+>Most problems with serving printer drivers to Windows NT/2k/XP clients
+ can be traced to a problem with the generated device mode. Certain drivers
+ will do things such as crashing the client's Explorer.exe with a NULL devmode.
+ However, other printer drivers can cause the client's spooler service
+ (spoolsv.exe) to die if the devmode was not created by the driver itself
+ (i.e. smbd generates a default devmode).
+ </P
+><P
+>This parameter should be used with care and tested with the printer
+ driver in question. It is better to leave the device mode to NULL
+ and let the Windows client set the correct values. Because drivers do not
+ do this all the time, setting <B
+CLASS="COMMAND"
+>default devmode = yes</B
+>
+ will instruct smbd to generate a default one.
+ </P
+><P
+>For more information on Windows NT/2k printing and Device Modes,
+ see the <A
+HREF="http://msdn.microsoft.com/"
+TARGET="_top"
+>MSDN documentation</A
+>.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>default devmode = no</B
+></P
+></DD
+><DT
+><A
+NAME="DEFAULTSERVICE"
+></A
+>default service (G)</DT
+><DD
+><P
+>This parameter specifies the name of a service
+ which will be connected to if the service actually requested cannot
+ be found. Note that the square brackets are <EM
+>NOT</EM
+>
+ given in the parameter value (see example below).</P
+><P
+>There is no default value for this parameter. If this
+ parameter is not given, attempting to connect to a nonexistent
+ service results in an error.</P
+><P
+>Typically the default service would be a <A
+HREF="#GUESTOK"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest ok</I
+></TT
+></A
+>, <A
+HREF="#READONLY"
+> <TT
+CLASS="PARAMETER"
+><I
+>read-only</I
+></TT
+></A
+> service.</P
+><P
+>Also note that the apparent service name will be changed
+ to equal that of the requested service, this is very useful as it
+ allows you to use macros like <TT
+CLASS="PARAMETER"
+><I
+>%S</I
+></TT
+> to make
+ a wildcard service.</P
+><P
+>Note also that any "_" characters in the name of the service
+ used in the default service will get mapped to a "/". This allows for
+ interesting things.</P
+><P
+>Example:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ default service = pub
+
+[pub]
+ path = /%S
+ </PRE
+></TD
+></TR
+></TABLE
+></P
+></DD
+><DT
+><A
+NAME="DELETEPRINTERCOMMAND"
+></A
+>delete printer command (G)</DT
+><DD
+><P
+>With the introduction of MS-RPC based printer
+ support for Windows NT/2000 clients in Samba 2.2, it is now
+ possible to delete printer at run time by issuing the
+ DeletePrinter() RPC call.</P
+><P
+>For a Samba host this means that the printer must be
+ physically deleted from underlying printing system. The <TT
+CLASS="PARAMETER"
+><I
+> deleteprinter command</I
+></TT
+> defines a script to be run which
+ will perform the necessary operations for removing the printer
+ from the print system and from <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>.
+ </P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>delete printer command</I
+></TT
+> is
+ automatically called with only one parameter: <TT
+CLASS="PARAMETER"
+><I
+> "printer name"</I
+></TT
+>.</P
+><P
+>Once the <TT
+CLASS="PARAMETER"
+><I
+>delete printer command</I
+></TT
+> has
+ been executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will reparse the <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> to associated printer no longer exists.
+ If the sharename is still valid, then <B
+CLASS="COMMAND"
+>smbd
+ </B
+> will return an ACCESS_DENIED error to the client.</P
+><P
+>See also <A
+HREF="#ADDPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+> add printer command</I
+></TT
+></A
+>, <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+>,
+ <A
+HREF="#SHOWADDPRINTERWIZARD"
+><TT
+CLASS="PARAMETER"
+><I
+>show add
+ printer wizard</I
+></TT
+></A
+></P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>deleteprinter command = /usr/bin/removeprinter
+ </B
+></P
+></DD
+><DT
+><A
+NAME="DELETEREADONLY"
+></A
+>delete readonly (S)</DT
+><DD
+><P
+>This parameter allows readonly files to be deleted.
+ This is not normal DOS semantics, but is allowed by UNIX.</P
+><P
+>This option may be useful for running applications such
+ as rcs, where UNIX file ownership prevents changing file
+ permissions, and DOS semantics prevent deletion of a read only file.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>delete readonly = no</B
+></P
+></DD
+><DT
+><A
+NAME="DELETESHARECOMMAND"
+></A
+>delete share command (G)</DT
+><DD
+><P
+>Samba 2.2.0 introduced the ability to dynamically
+ add and delete shares via the Windows NT 4.0 Server Manager. The
+ <TT
+CLASS="PARAMETER"
+><I
+>delete share command</I
+></TT
+> is used to define an
+ external program or script which will remove an existing service
+ definition from <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. In order to successfully
+ execute the <TT
+CLASS="PARAMETER"
+><I
+>delete share command</I
+></TT
+>, <B
+CLASS="COMMAND"
+>smbd</B
+>
+ requires that the administrator be connected using a root account (i.e.
+ uid == 0).
+ </P
+><P
+> When executed, <B
+CLASS="COMMAND"
+>smbd</B
+> will automatically invoke the
+ <TT
+CLASS="PARAMETER"
+><I
+>delete share command</I
+></TT
+> with two parameters.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>configFile</I
+></TT
+> - the location
+ of the global <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>shareName</I
+></TT
+> - the name of
+ the existing service.
+ </P
+></LI
+></UL
+><P
+> This parameter is only used to remove file shares. To delete printer shares,
+ see the <A
+HREF="#DELETEPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>delete printer
+ command</I
+></TT
+></A
+>.
+ </P
+><P
+> See also <A
+HREF="#ADDSHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>add share
+ command</I
+></TT
+></A
+>, <A
+HREF="#CHANGESHARECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>change
+ share command</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>delete share command = /usr/local/bin/delshare</B
+></P
+></DD
+><DT
+><A
+NAME="DELETEUSERSCRIPT"
+></A
+>delete user script (G)</DT
+><DD
+><P
+>This is the full pathname to a script that will
+ be run <EM
+>AS ROOT</EM
+> by <A
+HREF="smbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> under special circumstances
+ described below.</P
+><P
+>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <B
+CLASS="COMMAND"
+> smbd</B
+> to delete the required UNIX users <EM
+>ON
+ DEMAND</EM
+> when a user accesses the Samba server and the
+ Windows NT user no longer exists.</P
+><P
+>In order to use this option, <B
+CLASS="COMMAND"
+>smbd</B
+> must be
+ set to <TT
+CLASS="PARAMETER"
+><I
+>security = domain</I
+></TT
+> or <TT
+CLASS="PARAMETER"
+><I
+>security =
+ user</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>delete user script</I
+></TT
+>
+ must be set to a full pathname for a script
+ that will delete a UNIX user given one argument of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>,
+ which expands into the UNIX user name to delete.</P
+><P
+>When the Windows user attempts to access the Samba server,
+ at <EM
+>login</EM
+> (session setup in the SMB protocol)
+ time, <B
+CLASS="COMMAND"
+>smbd</B
+> contacts the <A
+HREF="#PASSWORDSERVER"
+> <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+></A
+> and attempts to authenticate
+ the given user with the given password. If the authentication fails
+ with the specific Domain error code meaning that the user no longer
+ exists then <B
+CLASS="COMMAND"
+>smbd</B
+> attempts to find a UNIX user in
+ the UNIX password database that matches the Windows user account. If
+ this lookup succeeds, and <TT
+CLASS="PARAMETER"
+><I
+>delete user script</I
+></TT
+> is
+ set then <B
+CLASS="COMMAND"
+>smbd</B
+> will all the specified script
+ <EM
+>AS ROOT</EM
+>, expanding any <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>
+ argument to be the user name to delete.</P
+><P
+>This script should delete the given UNIX username. In this way,
+ UNIX users are dynamically deleted to match existing Windows NT
+ accounts.</P
+><P
+>See also <A
+HREF="#SECURITYEQUALSDOMAIN"
+>security = domain</A
+>,
+ <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+>
+ </A
+>, <A
+HREF="#ADDUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>delete user script = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>delete user script = /usr/local/samba/bin/del_user
+ %u</B
+></P
+></DD
+><DT
+><A
+NAME="DELETEVETOFILES"
+></A
+>delete veto files (S)</DT
+><DD
+><P
+>This option is used when Samba is attempting to
+ delete a directory that contains one or more vetoed directories
+ (see the <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto files</I
+></TT
+></A
+>
+ option). If this option is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> (the default) then if a vetoed
+ directory contains any non-vetoed files or directories then the
+ directory delete will fail. This is usually what you want.</P
+><P
+>If this option is set to <TT
+CLASS="CONSTANT"
+>true</TT
+>, then Samba
+ will attempt to recursively delete any files and directories within
+ the vetoed directory. This can be useful for integration with file
+ serving systems such as NetAtalk which create meta-files within
+ directories you might normally veto DOS/Windows users from seeing
+ (e.g. <TT
+CLASS="FILENAME"
+>.AppleDouble</TT
+>)</P
+><P
+>Setting <B
+CLASS="COMMAND"
+>delete veto files = yes</B
+> allows these
+ directories to be transparently deleted when the parent directory
+ is deleted (so long as the user has permissions to do so).</P
+><P
+>See also the <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto
+ files</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>delete veto files = no</B
+></P
+></DD
+><DT
+><A
+NAME="DENYHOSTS"
+></A
+>deny hosts (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#HOSTSDENY"
+><TT
+CLASS="PARAMETER"
+><I
+>hosts
+ deny</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DFREECOMMAND"
+></A
+>dfree command (G)</DT
+><DD
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>dfree command</I
+></TT
+> setting should
+ only be used on systems where a problem occurs with the internal
+ disk space calculations. This has been known to happen with Ultrix,
+ but may occur with other operating systems. The symptom that was
+ seen was an error of "Abort Retry Ignore" at the end of each
+ directory listing.</P
+><P
+>This setting allows the replacement of the internal routines to
+ calculate the total disk space and amount available with an external
+ routine. The example below gives a possible script that might fulfill
+ this function.</P
+><P
+>The external program will be passed a single parameter indicating
+ a directory in the filesystem being queried. This will typically consist
+ of the string <TT
+CLASS="FILENAME"
+>./</TT
+>. The script should return two
+ integers in ASCII. The first should be the total disk space in blocks,
+ and the second should be the number of available blocks. An optional
+ third return value can give the block size in bytes. The default
+ blocksize is 1024 bytes.</P
+><P
+>Note: Your script should <EM
+>NOT</EM
+> be setuid or
+ setgid and should be owned by (and writeable only by) root!</P
+><P
+>Default: <EM
+>By default internal routines for
+ determining the disk capacity and remaining space will be used.
+ </EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>dfree command = /usr/local/samba/bin/dfree
+ </B
+></P
+><P
+>Where the script dfree (which must be made executable) could be:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>
+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+ </PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>or perhaps (on Sys V based systems):</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>
+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+ </PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>Note that you may have to replace the command names
+ with full path names on some systems.</P
+></DD
+><DT
+><A
+NAME="DIRECTORY"
+></A
+>directory (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PATH"
+><TT
+CLASS="PARAMETER"
+><I
+>path
+ </I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DIRECTORYMASK"
+></A
+>directory mask (S)</DT
+><DD
+><P
+>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</P
+><P
+>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <EM
+>not</EM
+> set
+ here will be removed from the modes set on a directory when it is
+ created.</P
+><P
+>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</P
+><P
+>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode
+ </I
+></TT
+></A
+> parameter. This parameter is set to 000 by
+ default (i.e. no extra mode bits are added).</P
+><P
+>Note that this parameter does not apply to permissions
+ set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
+ a mask on access control lists also, they need to set the <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+></A
+>.</P
+><P
+>See the <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ directory mode</I
+></TT
+></A
+> parameter to cause particular mode
+ bits to always be set on created directories.</P
+><P
+>See also the <A
+HREF="#CREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>create mode
+ </I
+></TT
+></A
+> parameter for masking mode bits on created files,
+ and the <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory
+ security mask</I
+></TT
+></A
+> parameter.</P
+><P
+>Also refer to the <A
+HREF="#INHERITPERMISSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+> inherit permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>directory mask = 0755</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>directory mask = 0775</B
+></P
+></DD
+><DT
+><A
+NAME="DIRECTORYMODE"
+></A
+>directory mode (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory mask</I
+></TT
+></A
+></P
+></DD
+><DT
+><A
+NAME="DIRECTORYSECURITYMASK"
+></A
+>directory security mask (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog
+ box.</P
+><P
+>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</P
+><P
+>If not set explicitly this parameter is set to 0777
+ meaning a user is allowed to modify all the user/group/world
+ permissions on a directory.</P
+><P
+><EM
+>Note</EM
+> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to leave
+ it as the default of <TT
+CLASS="CONSTANT"
+>0777</TT
+>.</P
+><P
+>See also the <A
+HREF="#FORCEDIRECTORYSECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+> force directory security mode</I
+></TT
+></A
+>, <A
+HREF="#SECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+>,
+ <A
+HREF="#FORCESECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>directory security mask = 0777</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>directory security mask = 0700</B
+></P
+></DD
+><DT
+><A
+NAME="DISABLESPOOLSS"
+></A
+>disable spoolss (G)</DT
+><DD
+><P
+>Enabling this parameter will disables Samba's support
+ for the SPOOLSS set of MS-RPC's and will yield identical behavior
+ as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
+ Lanman style printing commands. Windows 9x/ME will be uneffected by
+ the parameter. However, this will also disable the ability to upload
+ printer drivers to a Samba server via the Windows NT Add Printer
+ Wizard or by using the NT printer properties dialog window. It will
+ also disable the capability of Windows NT/2000 clients to download
+ print drivers from the Samba host upon demand.
+ <EM
+>Be very careful about enabling this parameter.</EM
+>
+ </P
+><P
+>See also <A
+HREF="#USECLIENTDRIVER"
+>use client driver</A
+>
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>disable spoolss = no</B
+></P
+></DD
+><DT
+><A
+NAME="DNSPROXY"
+></A
+>dns proxy (G)</DT
+><DD
+><P
+>Specifies that <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ when acting as a WINS server and finding that a NetBIOS name has not
+ been registered, should treat the NetBIOS name word-for-word as a DNS
+ name and do a lookup with the DNS server for that name on behalf of
+ the name-querying client.</P
+><P
+>Note that the maximum length for a NetBIOS name is 15
+ characters, so the DNS name (or DNS alias) can likewise only be
+ 15 characters, maximum.</P
+><P
+><B
+CLASS="COMMAND"
+>nmbd</B
+> spawns a second copy of itself to do the
+ DNS name lookup requests, as doing a name lookup is a blocking
+ action.</P
+><P
+>See also the parameter <A
+HREF="#WINSSUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+> wins support</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>dns proxy = yes</B
+></P
+></DD
+><DT
+><A
+NAME="DOMAINADMINGROUP"
+></A
+>domain admin group (G)</DT
+><DD
+><P
+>This parameter is intended as a temporary solution
+ to enable users to be a member of the "Domain Admins" group when
+ a Samba host is acting as a PDC. A complete solution will be provided
+ by a system for mapping Windows NT/2000 groups onto UNIX groups.
+ Please note that this parameter has a somewhat confusing name. It
+ accepts a list of usernames and of group names in standard
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> notation.
+ </P
+><P
+>See also <A
+HREF="#DOMAINGUESTGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ guest group</I
+></TT
+></A
+>, <A
+HREF="#DOMAINLOGONS"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ logons</I
+></TT
+></A
+>
+ </P
+><P
+>Default: <EM
+>no domain administrators</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>domain admin group = root @wheel</B
+></P
+></DD
+><DT
+><A
+NAME="DOMAINGUESTGROUP"
+></A
+>domain guest group (G)</DT
+><DD
+><P
+>This parameter is intended as a temporary solution
+ to enable users to be a member of the "Domain Guests" group when
+ a Samba host is acting as a PDC. A complete solution will be provided
+ by a system for mapping Windows NT/2000 groups onto UNIX groups.
+ Please note that this parameter has a somewhat confusing name. It
+ accepts a list of usernames and of group names in standard
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> notation.
+ </P
+><P
+>See also <A
+HREF="#DOMAINADMINGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ admin group</I
+></TT
+></A
+>, <A
+HREF="#DOMAINLOGONS"
+><TT
+CLASS="PARAMETER"
+><I
+>domain
+ logons</I
+></TT
+></A
+>
+ </P
+><P
+>Default: <EM
+>no domain guests</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>domain guest group = nobody @guest</B
+></P
+></DD
+><DT
+><A
+NAME="DOMAINLOGONS"
+></A
+>domain logons (G)</DT
+><DD
+><P
+>If set to <TT
+CLASS="CONSTANT"
+>true</TT
+>, the Samba server will serve
+ Windows 95/98 Domain logons for the <A
+HREF="#WORKGROUP"
+> <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+></A
+> it is in. Samba 2.2 also
+ has limited capability to act as a domain controller for Windows
+ NT 4 Domains. For more details on setting up this feature see
+ the Samba-PDC-HOWTO included in the <TT
+CLASS="FILENAME"
+>htmldocs/</TT
+>
+ directory shipped with the source code.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>domain logons = no</B
+></P
+></DD
+><DT
+><A
+NAME="DOMAINMASTER"
+></A
+>domain master (G)</DT
+><DD
+><P
+>Tell <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+> nmbd(8)</B
+></A
+> to enable WAN-wide browse list
+ collation. Setting this option causes <B
+CLASS="COMMAND"
+>nmbd</B
+> to
+ claim a special domain specific NetBIOS name that identifies
+ it as a domain master browser for its given <A
+HREF="#WORKGROUP"
+> <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+></A
+>. Local master browsers
+ in the same <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> on broadcast-isolated
+ subnets will give this <B
+CLASS="COMMAND"
+>nmbd</B
+> their local browse lists,
+ and then ask <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>
+ for a complete copy of the browse list for the whole wide area
+ network. Browser clients will then contact their local master browser,
+ and will receive the domain-wide browse list, instead of just the list
+ for their broadcast-isolated subnet.</P
+><P
+>Note that Windows NT Primary Domain Controllers expect to be
+ able to claim this <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> specific special
+ NetBIOS name that identifies them as domain master browsers for
+ that <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> by default (i.e. there is no
+ way to prevent a Windows NT PDC from attempting to do this). This
+ means that if this parameter is set and <B
+CLASS="COMMAND"
+>nmbd</B
+> claims
+ the special name for a <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> before a Windows
+ NT PDC is able to do so then cross subnet browsing will behave
+ strangely and may fail.</P
+><P
+>If <A
+HREF="#DOMAINLOGONS"
+><B
+CLASS="COMMAND"
+>domain logons = yes</B
+>
+ </A
+>, then the default behavior is to enable the <TT
+CLASS="PARAMETER"
+><I
+>domain
+ master</I
+></TT
+> parameter. If <TT
+CLASS="PARAMETER"
+><I
+>domain logons</I
+></TT
+> is
+ not enabled (the default setting), then neither will <TT
+CLASS="PARAMETER"
+><I
+>domain
+ master</I
+></TT
+> be enabled by default.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>domain master = auto</B
+></P
+></DD
+><DT
+><A
+NAME="DONTDESCEND"
+></A
+>dont descend (S)</DT
+><DD
+><P
+>There are certain directories on some systems
+ (e.g., the <TT
+CLASS="FILENAME"
+>/proc</TT
+> tree under Linux) that are either not
+ of interest to clients or are infinitely deep (recursive). This
+ parameter allows you to specify a comma-delimited list of directories
+ that the server should always show as empty.</P
+><P
+>Note that Samba can be very fussy about the exact format
+ of the "dont descend" entries. For example you may need <TT
+CLASS="FILENAME"
+> ./proc</TT
+> instead of just <TT
+CLASS="FILENAME"
+>/proc</TT
+>.
+ Experimentation is the best policy :-) </P
+><P
+>Default: <EM
+>none (i.e., all directories are OK
+ to descend)</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>dont descend = /proc,/dev</B
+></P
+></DD
+><DT
+><A
+NAME="DOSFILEMODE"
+></A
+>dos filemode (S)</DT
+><DD
+><P
+> The default behavior in Samba is to provide
+ UNIX-like behavior where only the owner of a file/directory is
+ able to change the permissions on it. However, this behavior
+ is often confusing to DOS/Windows users. Enabling this parameter
+ allows a user who has write access to the file (by whatever
+ means) to modify the permissions on it. Note that a user
+ belonging to the group owning the file will not be allowed to
+ change permissions if the group is only granted read access.
+ Ownership of the file/directory is not changed, only the permissions
+ are modified.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>dos filemode = no</B
+></P
+></DD
+><DT
+><A
+NAME="DOSFILETIMERESOLUTION"
+></A
+>dos filetime resolution (S)</DT
+><DD
+><P
+>Under the DOS and Windows FAT filesystem, the finest
+ granularity on time resolution is two seconds. Setting this parameter
+ for a share causes Samba to round the reported time down to the
+ nearest two second boundary when a query call that requires one second
+ resolution is made to <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+>
+ </A
+>.</P
+><P
+>This option is mainly used as a compatibility option for Visual
+ C++ when used against Samba shares. If oplocks are enabled on a
+ share, Visual C++ uses two different time reading calls to check if a
+ file has changed since it was last read. One of these calls uses a
+ one-second granularity, the other uses a two second granularity. As
+ the two second call rounds any odd second down, then if the file has a
+ timestamp of an odd number of seconds then the two timestamps will not
+ match and Visual C++ will keep reporting the file has changed. Setting
+ this option causes the two timestamps to match, and Visual C++ is
+ happy.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>dos filetime resolution = no</B
+></P
+></DD
+><DT
+><A
+NAME="DOSFILETIMES"
+></A
+>dos filetimes (S)</DT
+><DD
+><P
+>Under DOS and Windows, if a user can write to a
+ file they can change the timestamp on it. Under POSIX semantics,
+ only the owner of the file or root may change the timestamp. By
+ default, Samba runs with POSIX semantics and refuses to change the
+ timestamp on a file if the user <B
+CLASS="COMMAND"
+>smbd</B
+> is acting
+ on behalf of is not the file owner. Setting this option to <TT
+CLASS="CONSTANT"
+> true</TT
+> allows DOS semantics and <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> will change the file
+ timestamp as DOS requires.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>dos filetimes = no</B
+></P
+></DD
+><DT
+><A
+NAME="ENCRYPTPASSWORDS"
+></A
+>encrypt passwords (G)</DT
+><DD
+><P
+>This boolean controls whether encrypted passwords
+ will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+ above and also Windows 98 will by default expect encrypted passwords
+ unless a registry entry is changed. To use encrypted passwords in
+ Samba see the file ENCRYPTION.txt in the Samba documentation
+ directory <TT
+CLASS="FILENAME"
+>docs/</TT
+> shipped with the source code.</P
+><P
+>In order for encrypted passwords to work correctly
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> must either
+ have access to a local <A
+HREF="smbpasswd.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smbpasswd(5)
+ </TT
+></A
+> file (see the <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+> smbpasswd(8)</B
+></A
+> program for information on how to set up
+ and maintain this file), or set the <A
+HREF="#SECURITY"
+>security = [server|domain|ads]</A
+> parameter which
+ causes <B
+CLASS="COMMAND"
+>smbd</B
+> to authenticate against another
+ server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>encrypt passwords = yes</B
+></P
+></DD
+><DT
+><A
+NAME="ENHANCEDBROWSING"
+></A
+>enhanced browsing (G)</DT
+><DD
+><P
+>This option enables a couple of enhancements to
+ cross-subnet browse propagation that have been added in Samba
+ but which are not standard in Microsoft implementations.
+ </P
+><P
+>The first enhancement to browse propagation consists of a regular
+ wildcard query to a Samba WINS server for all Domain Master Browsers,
+ followed by a browse synchronization with each of the returned
+ DMBs. The second enhancement consists of a regular randomised browse
+ synchronization with all currently known DMBs.</P
+><P
+>You may wish to disable this option if you have a problem with empty
+ workgroups not disappearing from browse lists. Due to the restrictions
+ of the browse protocols these enhancements can cause a empty workgroup
+ to stay around forever which can be annoying.</P
+><P
+>In general you should leave this option enabled as it makes
+ cross-subnet browse propagation much more reliable.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>enhanced browsing = yes</B
+></P
+></DD
+><DT
+><A
+NAME="ENUMPORTSCOMMAND"
+></A
+>enumports command (G)</DT
+><DD
+><P
+>The concept of a "port" is fairly foreign
+ to UNIX hosts. Under Windows NT/2000 print servers, a port
+ is associated with a port monitor and generally takes the form of
+ a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
+ (i.e. LPD Port Monitor, etc...). By default, Samba has only one
+ port defined--<TT
+CLASS="CONSTANT"
+>"Samba Printer Port"</TT
+>. Under
+ Windows NT/2000, all printers must have a valid port name.
+ If you wish to have a list of ports displayed (<B
+CLASS="COMMAND"
+>smbd
+ </B
+> does not use a port name for anything) other than
+ the default <TT
+CLASS="CONSTANT"
+>"Samba Printer Port"</TT
+>, you
+ can define <TT
+CLASS="PARAMETER"
+><I
+>enumports command</I
+></TT
+> to point to
+ a program which should generate a list of ports, one per line,
+ to standard output. This listing will then be used in response
+ to the level 1 and 2 EnumPorts() RPC.</P
+><P
+>Default: <EM
+>no enumports command</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>enumports command = /usr/bin/listports
+ </B
+></P
+></DD
+><DT
+><A
+NAME="EXEC"
+></A
+>exec (S)</DT
+><DD
+><P
+>This is a synonym for <A
+HREF="#PREEXEC"
+> <TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="FAKEDIRECTORYCREATETIMES"
+></A
+>fake directory create times (S)</DT
+><DD
+><P
+>NTFS and Windows VFAT file systems keep a create
+ time for all files and directories. This is not the same as the
+ ctime - status change time - that Unix keeps, so Samba by default
+ reports the earliest of the various times Unix does keep. Setting
+ this parameter for a share causes Samba to always report midnight
+ 1-1-1980 as the create time for directories.</P
+><P
+>This option is mainly used as a compatibility option for
+ Visual C++ when used against Samba shares. Visual C++ generated
+ makefiles have the object directory as a dependency for each object
+ file, and a make rule to create the directory. Also, when NMAKE
+ compares timestamps it uses the creation time when examining a
+ directory. Thus the object directory will be created if it does not
+ exist, but once it does exist it will always have an earlier
+ timestamp than the object files it contains.</P
+><P
+>However, Unix time semantics mean that the create time
+ reported by Samba will be updated whenever a file is created or
+ or deleted in the directory. NMAKE finds all object files in
+ the object directory. The timestamp of the last one built is then
+ compared to the timestamp of the object directory. If the
+ directory's timestamp if newer, then all object files
+ will be rebuilt. Enabling this option
+ ensures directories always predate their contents and an NMAKE build
+ will proceed as expected.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>fake directory create times = no</B
+></P
+></DD
+><DT
+><A
+NAME="FAKEOPLOCKS"
+></A
+>fake oplocks (S)</DT
+><DD
+><P
+>Oplocks are the way that SMB clients get permission
+ from a server to locally cache file operations. If a server grants
+ an oplock (opportunistic lock) then the client is free to assume
+ that it is the only one accessing the file and it will aggressively
+ cache file data. With some oplock types the client may even cache
+ file open/close operations. This can give enormous performance benefits.
+ </P
+><P
+>When you set <B
+CLASS="COMMAND"
+>fake oplocks = yes</B
+>, <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> will
+ always grant oplock requests no matter how many clients are using
+ the file.</P
+><P
+>It is generally much better to use the real <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+></A
+> support rather
+ than this parameter.</P
+><P
+>If you enable this option on all read-only shares or
+ shares that you know will only be accessed from one client at a
+ time such as physically read-only media like CDROMs, you will see
+ a big performance improvement on many operations. If you enable
+ this option on shares where multiple clients may be accessing the
+ files read-write at the same time you can get data corruption. Use
+ this option carefully!</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>fake oplocks = no</B
+></P
+></DD
+><DT
+><A
+NAME="FOLLOWSYMLINKS"
+></A
+>follow symlinks (S)</DT
+><DD
+><P
+>This parameter allows the Samba administrator
+ to stop <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>
+ from following symbolic links in a particular share. Setting this
+ parameter to <TT
+CLASS="CONSTANT"
+>no</TT
+> prevents any file or directory
+ that is a symbolic link from being followed (the user will get an
+ error). This option is very useful to stop users from adding a
+ symbolic link to <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> in their home
+ directory for instance. However it will slow filename lookups
+ down slightly.</P
+><P
+>This option is enabled (i.e. <B
+CLASS="COMMAND"
+>smbd</B
+> will
+ follow symbolic links) by default.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>follow symlinks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="FORCECREATEMODE"
+></A
+>force create mode (S)</DT
+><DD
+><P
+>This parameter specifies a set of UNIX mode bit
+ permissions that will <EM
+>always</EM
+> be set on a
+ file created by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created or having its
+ permissions changed. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ parameter is applied.</P
+><P
+>See also the parameter <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create
+ mask</I
+></TT
+></A
+> for details on masking mode bits on files.</P
+><P
+>See also the <A
+HREF="#INHERITPERMISSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>inherit
+ permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force create mode = 000</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force create mode = 0755</B
+></P
+><P
+>would force all created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</P
+></DD
+><DT
+><A
+NAME="FORCEDIRECTORYMODE"
+></A
+>force directory mode (S)</DT
+><DD
+><P
+>This parameter specifies a set of UNIX mode bit
+ permissions that will <EM
+>always</EM
+> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+> is
+ applied.</P
+><P
+>See also the parameter <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory mask</I
+></TT
+></A
+> for details on masking mode bits
+ on created directories.</P
+><P
+>See also the <A
+HREF="#INHERITPERMISSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+> inherit permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force directory mode = 000</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force directory mode = 0755</B
+></P
+><P
+>would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</P
+></DD
+><DT
+><A
+NAME="FORCEDIRECTORYSECURITYMODE"
+></A
+>force directory
+ security mode (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog box.</P
+><P
+>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a directory, the user has always set to be 'on'.</P
+><P
+>If not set explicitly this parameter is 000, which
+ allows a user to modify all the user/group/world permissions on a
+ directory without restrictions.</P
+><P
+><EM
+>Note</EM
+> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to leave
+ it set as 0000.</P
+><P
+>See also the <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory security mask</I
+></TT
+></A
+>, <A
+HREF="#SECURITYMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+>,
+ <A
+HREF="#FORCESECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force directory security mode = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force directory security mode = 700</B
+></P
+></DD
+><DT
+><A
+NAME="FORCEGROUP"
+></A
+>force group (S)</DT
+><DD
+><P
+>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</P
+><P
+>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <TT
+CLASS="FILENAME"
+>force group = +sys</TT
+> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</P
+><P
+>If the <A
+HREF="#FORCEUSER"
+><TT
+CLASS="PARAMETER"
+><I
+>force user
+ </I
+></TT
+></A
+> parameter is also set the group specified in
+ <TT
+CLASS="PARAMETER"
+><I
+>force group</I
+></TT
+> will override the primary group
+ set in <TT
+CLASS="PARAMETER"
+><I
+>force user</I
+></TT
+>.</P
+><P
+>See also <A
+HREF="#FORCEUSER"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ user</I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>no forced group</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force group = agroup</B
+></P
+></DD
+><DT
+><A
+NAME="FORCESECURITYMODE"
+></A
+>force security mode (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog
+ box.</P
+><P
+>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a file, the user has always set to be 'on'.</P
+><P
+>If not set explicitly this parameter is set to 0,
+ and allows a user to modify all the user/group/world permissions on a file,
+ with no restrictions.</P
+><P
+><EM
+>Note</EM
+> that users who can access
+ the Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to leave
+ this set to 0000.</P
+><P
+>See also the <A
+HREF="#FORCEDIRECTORYSECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+> force directory security mode</I
+></TT
+></A
+>,
+ <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory security
+ mask</I
+></TT
+></A
+>, <A
+HREF="#SECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> security mask</I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force security mode = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force security mode = 700</B
+></P
+></DD
+><DT
+><A
+NAME="FORCEUSER"
+></A
+>force user (S)</DT
+><DD
+><P
+>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</P
+><P
+>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the "forced user", no matter what username the client connected
+ as. This can be very useful.</P
+><P
+>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</P
+><P
+>See also <A
+HREF="#FORCEGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>force group
+ </I
+></TT
+></A
+></P
+><P
+>Default: <EM
+>no forced user</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force user = auser</B
+></P
+></DD
+><DT
+><A
+NAME="FSTYPE"
+></A
+>fstype (S)</DT
+><DD
+><P
+>This parameter allows the administrator to
+ configure the string that specifies the type of filesystem a share
+ is using that is reported by <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)
+ </B
+></A
+> when a client queries the filesystem type
+ for a share. The default type is <TT
+CLASS="CONSTANT"
+>NTFS</TT
+> for
+ compatibility with Windows NT but this can be changed to other
+ strings such as <TT
+CLASS="CONSTANT"
+>Samba</TT
+> or <TT
+CLASS="CONSTANT"
+>FAT
+ </TT
+> if required.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>fstype = NTFS</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>fstype = Samba</B
+></P
+></DD
+><DT
+><A
+NAME="GETWDCACHE"
+></A
+>getwd cache (G)</DT
+><DD
+><P
+>This is a tuning option. When this is enabled a
+ caching algorithm will be used to reduce the time taken for getwd()
+ calls. This can have a significant impact on performance, especially
+ when the <A
+HREF="#WIDELINKS"
+><TT
+CLASS="PARAMETER"
+><I
+>wide links</I
+></TT
+>
+ </A
+>parameter is set to <TT
+CLASS="CONSTANT"
+>false</TT
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>getwd cache = yes</B
+></P
+></DD
+><DT
+><A
+NAME="GROUP"
+></A
+>group (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#FORCEGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ group</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="GUESTACCOUNT"
+></A
+>guest account (S)</DT
+><DD
+><P
+>This is a username which will be used for access
+ to services which are specified as <A
+HREF="#GUESTOK"
+><TT
+CLASS="PARAMETER"
+><I
+> guest ok</I
+></TT
+></A
+> (see below). Whatever privileges this
+ user has will be available to any client connecting to the guest service.
+ Typically this user will exist in the password file, but will not
+ have a valid login. The user account "ftp" is often a good choice
+ for this parameter. If a username is specified in a given service,
+ the specified username overrides this one.</P
+><P
+>One some systems the default guest account "nobody" may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <B
+CLASS="COMMAND"
+>su -</B
+> command) and trying to print using the
+ system print command such as <B
+CLASS="COMMAND"
+>lpr(1)</B
+> or <B
+CLASS="COMMAND"
+> lp(1)</B
+>.</P
+><P
+>Default: <EM
+>specified at compile time, usually
+ "nobody"</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>guest account = ftp</B
+></P
+></DD
+><DT
+><A
+NAME="GUESTOK"
+></A
+>guest ok (S)</DT
+><DD
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>yes</TT
+> for
+ a service, then no password is required to connect to the service.
+ Privileges will be those of the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+> guest account</I
+></TT
+></A
+>.</P
+><P
+>See the section below on <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+> for more information about this option.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>guest ok = no</B
+></P
+></DD
+><DT
+><A
+NAME="GUESTONLY"
+></A
+>guest only (S)</DT
+><DD
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>yes</TT
+> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no effect if <A
+HREF="#GUESTOK"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest ok</I
+></TT
+></A
+> is not set for the service.</P
+><P
+>See the section below on <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+> for more information about this option.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>guest only = no</B
+></P
+></DD
+><DT
+><A
+NAME="HIDEDOTFILES"
+></A
+>hide dot files (S)</DT
+><DD
+><P
+>This is a boolean parameter that controls whether
+ files starting with a dot appear as hidden files.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>hide dot files = yes</B
+></P
+></DD
+><DT
+><A
+NAME="HIDEFILES"
+></A
+>hide files(S)</DT
+><DD
+><P
+>This is a list of files or directories that are not
+ visible but are accessible. The DOS 'hidden' attribute is applied
+ to any files or directories that match.</P
+><P
+>Each entry in the list must be separated by a '/',
+ which allows spaces to be included in the entry. '*'
+ and '?' can be used to specify multiple files or directories
+ as in DOS wildcards.</P
+><P
+>Each entry must be a Unix path, not a DOS path and must
+ not include the Unix directory separator '/'.</P
+><P
+>Note that the case sensitivity option is applicable
+ in hiding files.</P
+><P
+>Setting this parameter will affect the performance of Samba,
+ as it will be forced to check all files and directories for a match
+ as they are scanned.</P
+><P
+>See also <A
+HREF="#HIDEDOTFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>hide
+ dot files</I
+></TT
+></A
+>, <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+> veto files</I
+></TT
+></A
+> and <A
+HREF="#CASESENSITIVE"
+> <TT
+CLASS="PARAMETER"
+><I
+>case sensitive</I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>no file are hidden</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>hide files =
+ /.*/DesktopFolderDB/TrashFor%m/resource.frk/</B
+></P
+><P
+>The above example is based on files that the Macintosh
+ SMB client (DAVE) available from <A
+HREF="http://www.thursby.com"
+TARGET="_top"
+>
+ Thursby</A
+> creates for internal use, and also still hides
+ all files beginning with a dot.</P
+></DD
+><DT
+><A
+NAME="HIDELOCALUSERS"
+></A
+>hide local users(G)</DT
+><DD
+><P
+>This parameter toggles the hiding of local UNIX
+ users (root, wheel, floppy, etc) from remote clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>hide local users = no</B
+></P
+></DD
+><DT
+><A
+NAME="HIDEUNREADABLE"
+></A
+>hide unreadable (S)</DT
+><DD
+><P
+>This parameter prevents clients from seeing the
+ existance of files that cannot be read. Defaults to off.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>hide unreadable = no</B
+></P
+></DD
+><DT
+><A
+NAME="HOMEDIRMAP"
+></A
+>homedir map (G)</DT
+><DD
+><P
+>If<A
+HREF="#NISHOMEDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>nis homedir
+ </I
+></TT
+></A
+> is <TT
+CLASS="CONSTANT"
+>true</TT
+>, and <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> is also acting
+ as a Win95/98 <TT
+CLASS="PARAMETER"
+><I
+>logon server</I
+></TT
+> then this parameter
+ specifies the NIS (or YP) map from which the server for the user's
+ home directory should be extracted. At present, only the Sun
+ auto.home map format is understood. The form of the map is:</P
+><P
+><B
+CLASS="COMMAND"
+>username server:/some/file/system</B
+></P
+><P
+>and the program will extract the servername from before
+ the first ':'. There should probably be a better parsing system
+ that copes with different map formats and also Amd (another
+ automounter) maps.</P
+><P
+><EM
+>NOTE :</EM
+>A working NIS client is required on
+ the system for this option to work.</P
+><P
+>See also <A
+HREF="#NISHOMEDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>nis homedir</I
+></TT
+>
+ </A
+>, <A
+HREF="#DOMAINLOGONS"
+><TT
+CLASS="PARAMETER"
+><I
+>domain logons</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>homedir map = &#60;empty string&#62;</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>homedir map = amd.homedir</B
+></P
+></DD
+><DT
+><A
+NAME="HOSTMSDFS"
+></A
+>host msdfs (G)</DT
+><DD
+><P
+>This boolean parameter is only available
+ if Samba has been configured and compiled with the <B
+CLASS="COMMAND"
+> --with-msdfs</B
+> option. If set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>,
+ Samba will act as a Dfs server, and allow Dfs-aware clients
+ to browse Dfs trees hosted on the server.</P
+><P
+>See also the <A
+HREF="#MSDFSROOT"
+><TT
+CLASS="PARAMETER"
+><I
+> msdfs root</I
+></TT
+></A
+> share level parameter. For
+ more information on setting up a Dfs tree on Samba,
+ refer to <A
+HREF="msdfs_setup.html"
+TARGET="_top"
+>msdfs_setup.html</A
+>.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>host msdfs = no</B
+></P
+></DD
+><DT
+><A
+NAME="HOSTSALLOW"
+></A
+>hosts allow (S)</DT
+><DD
+><P
+>A synonym for this parameter is <TT
+CLASS="PARAMETER"
+><I
+>allow
+ hosts</I
+></TT
+>.</P
+><P
+>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</P
+><P
+>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</P
+><P
+>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <B
+CLASS="COMMAND"
+>allow hosts = 150.203.5.
+ </B
+>. The full syntax of the list is described in the man
+ page <TT
+CLASS="FILENAME"
+>hosts_access(5)</TT
+>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</P
+><P
+>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <A
+HREF="#HOSTSDENY"
+><TT
+CLASS="PARAMETER"
+><I
+>hosts deny</I
+></TT
+></A
+> option.</P
+><P
+>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <EM
+>EXCEPT</EM
+> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</P
+><P
+>Example 1: allow all IPs in 150.203.*.*; except one</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = 150.203. EXCEPT 150.203.6.66</B
+></P
+><P
+>Example 2: allow hosts that match the given network/netmask</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = 150.203.15.0/255.255.255.0</B
+></P
+><P
+>Example 3: allow a couple of hosts</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = lapland, arvidsjaur</B
+></P
+><P
+>Example 4: allow only hosts in NIS netgroup "foonet", but
+ deny access from one particular host</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = @foonet</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>hosts deny = pirate</B
+></P
+><P
+>Note that access still requires suitable user-level passwords.</P
+><P
+>See <A
+HREF="testparm.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>testparm(1)</B
+>
+ </A
+> for a way of testing your host access to see if it does
+ what you expect.</P
+><P
+>Default: <EM
+>none (i.e., all hosts permitted access)
+ </EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>allow hosts = 150.203.5. myhost.mynet.edu.au
+ </B
+></P
+></DD
+><DT
+><A
+NAME="HOSTSDENY"
+></A
+>hosts deny (S)</DT
+><DD
+><P
+>The opposite of <TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+>
+ - hosts listed here are <EM
+>NOT</EM
+> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <TT
+CLASS="PARAMETER"
+><I
+>allow</I
+></TT
+>
+ list takes precedence.</P
+><P
+>Default: <EM
+>none (i.e., no hosts specifically excluded)
+ </EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>hosts deny = 150.203.4. badhost.mynet.edu.au
+ </B
+></P
+></DD
+><DT
+><A
+NAME="HOSTSEQUIV"
+></A
+>hosts equiv (G)</DT
+><DD
+><P
+>If this global parameter is a non-null string,
+ it specifies the name of a file to read for the names of hosts
+ and users who will be allowed access without specifying a password.
+ </P
+><P
+>This is not be confused with <A
+HREF="#HOSTSALLOW"
+> <TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+></A
+> which is about hosts
+ access to services and is more useful for guest services. <TT
+CLASS="PARAMETER"
+><I
+> hosts equiv</I
+></TT
+> may be useful for NT clients which will
+ not supply passwords to Samba.</P
+><P
+><EM
+>NOTE :</EM
+> The use of <TT
+CLASS="PARAMETER"
+><I
+>hosts equiv
+ </I
+></TT
+> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the
+ <TT
+CLASS="PARAMETER"
+><I
+>hosts equiv</I
+></TT
+> option be only used if you really
+ know what you are doing, or perhaps on a home network where you trust
+ your spouse and kids. And only if you <EM
+>really</EM
+> trust
+ them :-).</P
+><P
+>Default: <EM
+>no host equivalences</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>hosts equiv = /etc/hosts.equiv</B
+></P
+></DD
+><DT
+><A
+NAME="INCLUDE"
+></A
+>include (G)</DT
+><DD
+><P
+>This allows you to include one config file
+ inside another. The file is included literally, as though typed
+ in place.</P
+><P
+>It takes the standard substitutions, except <TT
+CLASS="PARAMETER"
+><I
+>%u
+ </I
+></TT
+>, <TT
+CLASS="PARAMETER"
+><I
+>%P</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>%S</I
+></TT
+>.
+ </P
+><P
+>Default: <EM
+>no file included</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>include = /usr/local/samba/lib/admin_smb.conf
+ </B
+></P
+></DD
+><DT
+><A
+NAME="INHERITPERMISSIONS"
+></A
+>inherit permissions (S)</DT
+><DD
+><P
+>The permissions on new files and directories
+ are normally governed by <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> create mask</I
+></TT
+></A
+>, <A
+HREF="#DIRECTORYMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+></A
+>, <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+>
+ </A
+> and <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ directory mode</I
+></TT
+></A
+> but the boolean inherit
+ permissions parameter overrides this.</P
+><P
+>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</P
+><P
+>New files inherit their read/write bits from the parent
+ directory. Their execute bits continue to be determined by
+ <A
+HREF="#MAPARCHIVE"
+><TT
+CLASS="PARAMETER"
+><I
+>map archive</I
+></TT
+>
+ </A
+>, <A
+HREF="#MAPHIDDEN"
+><TT
+CLASS="PARAMETER"
+><I
+>map hidden</I
+></TT
+>
+ </A
+> and <A
+HREF="#MAPSYSTEM"
+><TT
+CLASS="PARAMETER"
+><I
+>map system</I
+></TT
+>
+ </A
+> as usual.</P
+><P
+>Note that the setuid bit is <EM
+>never</EM
+> set via
+ inheritance (the code explicitly prohibits this).</P
+><P
+>This can be particularly useful on large systems with
+ many users, perhaps several thousand, to allow a single [homes]
+ share to be used flexibly by each user.</P
+><P
+>See also <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask
+ </I
+></TT
+></A
+>, <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory mask</I
+></TT
+></A
+>, <A
+HREF="#FORCECREATEMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></A
+> and <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>inherit permissions = no</B
+></P
+></DD
+><DT
+><A
+NAME="INTERFACES"
+></A
+>interfaces (G)</DT
+><DD
+><P
+>This option allows you to override the default
+ network interfaces list that Samba will use for browsing, name
+ registration and other NBT traffic. By default Samba will query
+ the kernel for the list of all active interfaces and use any
+ interfaces except 127.0.0.1 that are broadcast capable.</P
+><P
+>The option takes a list of interface strings. Each string
+ can be in any of the following forms:</P
+><P
+></P
+><UL
+><LI
+><P
+>a network interface name (such as eth0).
+ This may include shell-like wildcards so eth* will match
+ any interface starting with the substring "eth"</P
+></LI
+><LI
+><P
+>an IP address. In this case the netmask is
+ determined from the list of interfaces obtained from the
+ kernel</P
+></LI
+><LI
+><P
+>an IP/mask pair. </P
+></LI
+><LI
+><P
+>a broadcast/mask pair.</P
+></LI
+></UL
+><P
+>The "mask" parameters can either be a bit length (such
+ as 24 for a C class network) or a full netmask in dotted
+ decimal form.</P
+><P
+>The "IP" parameters above can either be a full dotted
+ decimal IP address or a hostname which will be looked up via
+ the OS's normal hostname resolution mechanisms.</P
+><P
+>For example, the following line:</P
+><P
+><B
+CLASS="COMMAND"
+>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
+ </B
+></P
+><P
+>would configure three network interfaces corresponding
+ to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
+ The netmasks of the latter two interfaces would be set to 255.255.255.0.</P
+><P
+>See also <A
+HREF="#BINDINTERFACESONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>bind
+ interfaces only</I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>all active interfaces except 127.0.0.1
+ that are broadcast capable</EM
+></P
+></DD
+><DT
+><A
+NAME="INVALIDUSERS"
+></A
+>invalid users (S)</DT
+><DD
+><P
+>This is a list of users that should not be allowed
+ to login to this service. This is really a <EM
+>paranoid</EM
+>
+ check to absolutely ensure an improper setting does not breach
+ your security.</P
+><P
+>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</P
+><P
+>A name starting with '+' is interpreted only
+ by looking in the UNIX group database. A name starting with
+ '&#38;' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&#38;' may be used at the start of the name in either order
+ so the value <TT
+CLASS="PARAMETER"
+><I
+>+&#38;group</I
+></TT
+> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <TT
+CLASS="PARAMETER"
+><I
+>&#38;+group</I
+></TT
+> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</P
+><P
+>The current servicename is substituted for <TT
+CLASS="PARAMETER"
+><I
+>%S</I
+></TT
+>.
+ This is useful in the [homes] section.</P
+><P
+>See also <A
+HREF="#VALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>valid users
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>no invalid users</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>invalid users = root fred admin @wheel
+ </B
+></P
+></DD
+><DT
+><A
+NAME="KEEPALIVE"
+></A
+>keepalive (G)</DT
+><DD
+><P
+>The value of the parameter (an integer) represents
+ the number of seconds between <TT
+CLASS="PARAMETER"
+><I
+>keepalive</I
+></TT
+>
+ packets. If this parameter is zero, no keepalive packets will be
+ sent. Keepalive packets, if sent, allow the server to tell whether
+ a client is still present and responding.</P
+><P
+>Keepalives should, in general, not be needed if the socket
+ being used has the SO_KEEPALIVE attribute set on it (see <A
+HREF="#SOCKETOPTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>socket options</I
+></TT
+></A
+>).
+ Basically you should only use this option if you strike difficulties.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>keepalive = 300</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>keepalive = 600</B
+></P
+></DD
+><DT
+><A
+NAME="KERNELOPLOCKS"
+></A
+>kernel oplocks (G)</DT
+><DD
+><P
+>For UNIXes that support kernel based <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+></A
+>
+ (currently only IRIX and the Linux 2.4 kernel), this parameter
+ allows the use of them to be turned on or off.</P
+><P
+>Kernel oplocks support allows Samba <TT
+CLASS="PARAMETER"
+><I
+>oplocks
+ </I
+></TT
+> to be broken whenever a local UNIX process or NFS operation
+ accesses a file that <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+>
+ </A
+> has oplocked. This allows complete data consistency between
+ SMB/CIFS, NFS and local file access (and is a <EM
+>very</EM
+>
+ cool feature :-).</P
+><P
+>This parameter defaults to <TT
+CLASS="CONSTANT"
+>on</TT
+>, but is translated
+ to a no-op on systems that no not have the necessary kernel support.
+ You should never need to touch this parameter.</P
+><P
+>See also the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+>
+ </A
+> and <A
+HREF="#LEVEL2OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>level2 oplocks
+ </I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>kernel oplocks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LANMANAUTH"
+></A
+>lanman auth (G)</DT
+><DD
+><P
+>This parameter determines whether or not <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> will
+ attempt to authenticate users using the LANMAN password hash.
+ If disabled, only clients which support NT password hashes (e.g. Windows
+ NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
+ network client) will be able to connect to the Samba host.</P
+><P
+>Default : <B
+CLASS="COMMAND"
+>lanman auth = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LARGEREADWRITE"
+></A
+>large readwrite (G)</DT
+><DD
+><P
+>This parameter determines whether or not <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+>
+ supports the new 64k streaming read and write varient SMB requests introduced
+ with Windows 2000. Note that due to Windows 2000 client redirector bugs
+ this requires Samba to be running on a 64-bit capable operating system such
+ as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
+ Windows 2000 clients. Defaults to on. Not as tested as some other Samba
+ code paths.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>large readwrite = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPADMINDN"
+></A
+>ldap admin dn (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> The <TT
+CLASS="PARAMETER"
+><I
+>ldap admin dn</I
+></TT
+> defines the Distinguished
+ Name (DN) name used by Samba to contact the <A
+HREF="#LDAPSERVER"
+>ldap
+ server</A
+> when retreiving user account information. The <TT
+CLASS="PARAMETER"
+><I
+>ldap
+ admin dn</I
+></TT
+> is used in conjunction with the admin dn password
+ stored in the <TT
+CLASS="FILENAME"
+>private/secrets.tdb</TT
+> file. See the
+ <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+> man
+ page for more information on how to accmplish this.
+ </P
+><P
+>Default : <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="LDAPFILTER"
+></A
+>ldap filter (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This parameter specifies the RFC 2254 compliant LDAP search filter.
+ The default is to match the login name with the <TT
+CLASS="CONSTANT"
+>uid</TT
+>
+ attribute for all entries matching the <TT
+CLASS="CONSTANT"
+>sambaAccount</TT
+>
+ objectclass. Note that this filter should only return one entry.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap filter = (&#38;(uid=%u)(objectclass=sambaAccount))</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPPORT"
+></A
+>ldap port (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This option is used to control the tcp port number used to contact
+ the <A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+></A
+>.
+ The default is to use the stand LDAPS port 636.
+ </P
+><P
+>See Also: <A
+HREF="#LDAPSSL"
+>ldap ssl</A
+>
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap port = 636</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSERVER"
+></A
+>ldap server (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This parameter should contains the FQDN of the ldap directory
+ server which should be queried to locate user account information.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap server = localhost</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSSL"
+></A
+>ldap ssl (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+> This option is used to define whether or not Samba should
+ use SSL when connecting to the <A
+HREF="#LDAPSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>ldap
+ server</I
+></TT
+></A
+>. This is <EM
+>NOT</EM
+> related to
+ Samba SSL support which is enabled by specifying the
+ <B
+CLASS="COMMAND"
+>--with-ssl</B
+> option to the <TT
+CLASS="FILENAME"
+>configure</TT
+>
+ script (see <A
+HREF="#SSL"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl</I
+></TT
+></A
+>).
+ </P
+><P
+> The <TT
+CLASS="PARAMETER"
+><I
+>ldap ssl</I
+></TT
+> can be set to one of three values:
+ (a) <TT
+CLASS="CONSTANT"
+>on</TT
+> - Always use SSL when contacting the
+ <TT
+CLASS="PARAMETER"
+><I
+>ldap server</I
+></TT
+>, (b) <TT
+CLASS="CONSTANT"
+>off</TT
+> -
+ Never use SSL when querying the directory, or (c) <TT
+CLASS="CONSTANT"
+>start_tls</TT
+>
+ - Use the LDAPv3 StartTLS extended operation
+ (RFC2830) for communicating with the directory server.
+ </P
+><P
+>Default : <B
+CLASS="COMMAND"
+>ldap ssl = on</B
+></P
+></DD
+><DT
+><A
+NAME="LDAPSUFFIX"
+></A
+>ldap suffix (G)</DT
+><DD
+><P
+>This parameter is only available if Samba has been
+ configure to include the <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option
+ at compile time. This option should be considered experimental and
+ under active development.
+ </P
+><P
+>Default : <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="LEVEL2OPLOCKS"
+></A
+>level2 oplocks (S)</DT
+><DD
+><P
+>This parameter controls whether Samba supports
+ level2 (read-only) oplocks on a share.</P
+><P
+>Level2, or read-only oplocks allow Windows NT clients
+ that have an oplock on a file to downgrade from a read-write oplock
+ to a read-only oplock once a second client opens the file (instead
+ of releasing all oplocks on a second open, as in traditional,
+ exclusive oplocks). This allows all openers of the file that
+ support level2 oplocks to cache the file for read-ahead only (ie.
+ they may not cache writes or lock requests) and increases performance
+ for many accesses of files that are not commonly written (such as
+ application .EXE files).</P
+><P
+>Once one of the clients which have a read-only oplock
+ writes to the file all clients are notified (no reply is needed
+ or waited for) and told to break their oplocks to "none" and
+ delete any read-ahead caches.</P
+><P
+>It is recommended that this parameter be turned on
+ to speed access to shared executables.</P
+><P
+>For more discussions on level2 oplocks see the CIFS spec.</P
+><P
+>Currently, if <A
+HREF="#KERNELOPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>kernel
+ oplocks</I
+></TT
+></A
+> are supported then level2 oplocks are
+ not granted (even if this parameter is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>).
+ Note also, the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+>
+ </A
+> parameter must be set to <TT
+CLASS="CONSTANT"
+>true</TT
+> on this share in order for
+ this parameter to have any effect.</P
+><P
+>See also the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+>
+ </A
+> and <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>kernel oplocks</I
+></TT
+>
+ </A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>level2 oplocks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LMANNOUNCE"
+></A
+>lm announce (G)</DT
+><DD
+><P
+>This parameter determines if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>nmbd(8)</B
+></A
+> will produce Lanman announce
+ broadcasts that are needed by OS/2 clients in order for them to see
+ the Samba server in their browse list. This parameter can have three
+ values, <TT
+CLASS="CONSTANT"
+>true</TT
+>, <TT
+CLASS="CONSTANT"
+>false</TT
+>, or
+ <TT
+CLASS="CONSTANT"
+>auto</TT
+>. The default is <TT
+CLASS="CONSTANT"
+>auto</TT
+>.
+ If set to <TT
+CLASS="CONSTANT"
+>false</TT
+> Samba will never produce these
+ broadcasts. If set to <TT
+CLASS="CONSTANT"
+>true</TT
+> Samba will produce
+ Lanman announce broadcasts at a frequency set by the parameter
+ <TT
+CLASS="PARAMETER"
+><I
+>lm interval</I
+></TT
+>. If set to <TT
+CLASS="CONSTANT"
+>auto</TT
+>
+ Samba will not send Lanman announce broadcasts by default but will
+ listen for them. If it hears such a broadcast on the wire it will
+ then start sending them at a frequency set by the parameter
+ <TT
+CLASS="PARAMETER"
+><I
+>lm interval</I
+></TT
+>.</P
+><P
+>See also <A
+HREF="#LMINTERVAL"
+><TT
+CLASS="PARAMETER"
+><I
+>lm interval
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lm announce = auto</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lm announce = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LMINTERVAL"
+></A
+>lm interval (G)</DT
+><DD
+><P
+>If Samba is set to produce Lanman announce
+ broadcasts needed by OS/2 clients (see the <A
+HREF="#LMANNOUNCE"
+> <TT
+CLASS="PARAMETER"
+><I
+>lm announce</I
+></TT
+></A
+> parameter) then this
+ parameter defines the frequency in seconds with which they will be
+ made. If this is set to zero then no Lanman announcements will be
+ made despite the setting of the <TT
+CLASS="PARAMETER"
+><I
+>lm announce</I
+></TT
+>
+ parameter.</P
+><P
+>See also <A
+HREF="#LMANNOUNCE"
+><TT
+CLASS="PARAMETER"
+><I
+>lm
+ announce</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lm interval = 60</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lm interval = 120</B
+></P
+></DD
+><DT
+><A
+NAME="LOADPRINTERS"
+></A
+>load printers (G)</DT
+><DD
+><P
+>A boolean variable that controls whether all
+ printers in the printcap will be loaded for browsing by default.
+ See the <A
+HREF="#AEN79"
+>printers</A
+> section for
+ more details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>load printers = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LOCALMASTER"
+></A
+>local master (G)</DT
+><DD
+><P
+>This option allows <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+> nmbd(8)</B
+></A
+> to try and become a local master browser
+ on a subnet. If set to <TT
+CLASS="CONSTANT"
+>false</TT
+> then <B
+CLASS="COMMAND"
+> nmbd</B
+> will not attempt to become a local master browser
+ on a subnet and will also lose in all browsing elections. By
+ default this value is set to <TT
+CLASS="CONSTANT"
+>true</TT
+>. Setting this value to <TT
+CLASS="CONSTANT"
+>true</TT
+> doesn't
+ mean that Samba will <EM
+>become</EM
+> the local master
+ browser on a subnet, just that <B
+CLASS="COMMAND"
+>nmbd</B
+> will <EM
+> participate</EM
+> in elections for local master browser.</P
+><P
+>Setting this value to <TT
+CLASS="CONSTANT"
+>false</TT
+> will cause <B
+CLASS="COMMAND"
+>nmbd</B
+>
+ <EM
+>never</EM
+> to become a local master browser.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>local master = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LOCKDIR"
+></A
+>lock dir (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#LOCKDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+> lock directory</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="LOCKDIRECTORY"
+></A
+>lock directory (G)</DT
+><DD
+><P
+>This option specifies the directory where lock
+ files will be placed. The lock files are used to implement the
+ <A
+HREF="#MAXCONNECTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>max connections</I
+></TT
+>
+ </A
+> option.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lock directory = ${prefix}/var/locks</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lock directory = /var/run/samba/locks</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="LOCKING"
+></A
+>locking (S)</DT
+><DD
+><P
+>This controls whether or not locking will be
+ performed by the server in response to lock requests from the
+ client.</P
+><P
+>If <B
+CLASS="COMMAND"
+>locking = no</B
+>, all lock and unlock
+ requests will appear to succeed and all lock queries will report
+ that the file in question is available for locking.</P
+><P
+>If <B
+CLASS="COMMAND"
+>locking = yes</B
+>, real locking will be performed
+ by the server.</P
+><P
+>This option <EM
+>may</EM
+> be useful for read-only
+ filesystems which <EM
+>may</EM
+> not need locking (such as
+ CDROM drives), although setting this parameter of <TT
+CLASS="CONSTANT"
+>no</TT
+>
+ is not really recommended even in this case.</P
+><P
+>Be careful about disabling locking either globally or in a
+ specific service, as lack of locking may result in data corruption.
+ You should never need to set this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>locking = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LOGFILE"
+></A
+>log file (G)</DT
+><DD
+><P
+>This option allows you to override the name
+ of the Samba log file (also known as the debug file).</P
+><P
+>This option takes the standard substitutions, allowing
+ you to have separate log files for each user or machine.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>log file = /usr/local/samba/var/log.%m
+ </B
+></P
+></DD
+><DT
+><A
+NAME="LOGLEVEL"
+></A
+>log level (G)</DT
+><DD
+><P
+>The value of the parameter (an integer) allows
+ the debug level (logging level) to be specified in the
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file. This is to give greater
+ flexibility in the configuration of the system.</P
+><P
+>The default will be the log level specified on
+ the command line or level zero if none was specified.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>log level = 3</B
+></P
+></DD
+><DT
+><A
+NAME="LOGONDRIVE"
+></A
+>logon drive (G)</DT
+><DD
+><P
+>This parameter specifies the local path to
+ which the home directory will be connected (see <A
+HREF="#LOGONHOME"
+><TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+></A
+>)
+ and is only used by NT Workstations. </P
+><P
+>Note that this option is only useful if Samba is set up as a
+ logon server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>logon drive = z:</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon drive = h:</B
+></P
+></DD
+><DT
+><A
+NAME="LOGONHOME"
+></A
+>logon home (G)</DT
+><DD
+><P
+>This parameter specifies the home directory
+ location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do </P
+><P
+><TT
+CLASS="PROMPT"
+>C:\&#62; </TT
+><TT
+CLASS="USERINPUT"
+><B
+>NET USE H: /HOME</B
+></TT
+>
+ </P
+><P
+>from a command prompt, for example.</P
+><P
+>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</P
+><P
+>This parameter can be used with Win9X workstations to ensure
+ that roaming profiles are stored in a subdirectory of the user's
+ home directory. This is done in the following way:</P
+><P
+><B
+CLASS="COMMAND"
+>logon home = \\%N\%U\profile</B
+></P
+><P
+>This tells Samba to return the above string, with
+ substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to
+ \\server\share when a user does <B
+CLASS="COMMAND"
+>net use /home</B
+>
+ but use the whole string when dealing with profiles.</P
+><P
+>Note that in prior versions of Samba, the <A
+HREF="#LOGONPATH"
+> <TT
+CLASS="PARAMETER"
+><I
+>logon path</I
+></TT
+></A
+> was returned rather than
+ <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+>. This broke <B
+CLASS="COMMAND"
+>net use
+ /home</B
+> but allowed profiles outside the home directory.
+ The current implementation is correct, and can be used for
+ profiles if you use the above trick.</P
+><P
+>This option is only useful if Samba is set up as a logon
+ server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>logon home = "\\%N\%U"</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon home = "\\remote_smb_server\%U"</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="LOGONPATH"
+></A
+>logon path (G)</DT
+><DD
+><P
+>This parameter specifies the home directory
+ where roaming profiles (NTuser.dat etc files for Windows NT) are
+ stored. Contrary to previous versions of these manual pages, it has
+ nothing to do with Win 9X roaming profiles. To find out how to
+ handle roaming profiles for Win 9X system, see the <A
+HREF="#LOGONHOME"
+> <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+></A
+> parameter.</P
+><P
+>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine. It also
+ specifies the directory from which the "Application Data",
+ (<TT
+CLASS="FILENAME"
+>desktop</TT
+>, <TT
+CLASS="FILENAME"
+>start menu</TT
+>,
+ <TT
+CLASS="FILENAME"
+>network neighborhood</TT
+>, <TT
+CLASS="FILENAME"
+>programs</TT
+>
+ and other folders, and their contents, are loaded and displayed on
+ your Windows NT client.</P
+><P
+>The share and the path must be readable by the user for
+ the preferences and directories to be loaded onto the Windows NT
+ client. The share must be writeable when the user logs in for the first
+ time, in order that the Windows NT client can create the NTuser.dat
+ and other directories.</P
+><P
+>Thereafter, the directories and any of the contents can,
+ if required, be made read-only. It is not advisable that the
+ NTuser.dat file be made read-only - rename it to NTuser.man to
+ achieve the desired effect (a <EM
+>MAN</EM
+>datory
+ profile). </P
+><P
+>Windows clients can sometimes maintain a connection to
+ the [homes] share, even though there is no user logged in.
+ Therefore, it is vital that the logon path does not include a
+ reference to the homes share (i.e. setting this parameter to
+ \%N\%U\profile_path will cause problems).</P
+><P
+>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</P
+><P
+>Note that this option is only useful if Samba is set up
+ as a logon server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>logon path = \\%N\%U\profile</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon path = \\PROFILESERVER\PROFILE\%U</B
+></P
+></DD
+><DT
+><A
+NAME="LOGONSCRIPT"
+></A
+>logon script (G)</DT
+><DD
+><P
+>This parameter specifies the batch file (.bat) or
+ NT command file (.cmd) to be downloaded and run on a machine when
+ a user successfully logs in. The file must contain the DOS
+ style CR/LF line endings. Using a DOS-style editor to create the
+ file is recommended.</P
+><P
+>The script must be a relative path to the [netlogon]
+ service. If the [netlogon] service specifies a <A
+HREF="#PATH"
+> <TT
+CLASS="PARAMETER"
+><I
+>path</I
+></TT
+></A
+> of <TT
+CLASS="FILENAME"
+>/usr/local/samba/netlogon
+ </TT
+>, and <B
+CLASS="COMMAND"
+>logon script = STARTUP.BAT</B
+>, then
+ the file that will be downloaded is:</P
+><P
+><TT
+CLASS="FILENAME"
+>/usr/local/samba/netlogon/STARTUP.BAT</TT
+></P
+><P
+>The contents of the batch file are entirely your choice. A
+ suggested command would be to add <B
+CLASS="COMMAND"
+>NET TIME \\SERVER /SET
+ /YES</B
+>, to force every machine to synchronize clocks with
+ the same time server. Another use would be to add <B
+CLASS="COMMAND"
+>NET USE
+ U: \\SERVER\UTILS</B
+> for commonly used utilities, or <B
+CLASS="COMMAND"
+> NET USE Q: \\SERVER\ISO9001_QA</B
+> for example.</P
+><P
+>Note that it is particularly important not to allow write
+ access to the [netlogon] share, or to grant users write permission
+ on the batch files in a secure environment, as this would allow
+ the batch files to be arbitrarily modified and security to be
+ breached.</P
+><P
+>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine.</P
+><P
+>This option is only useful if Samba is set up as a logon
+ server.</P
+><P
+>Default: <EM
+>no logon script defined</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon script = scripts\%U.bat</B
+></P
+></DD
+><DT
+><A
+NAME="LPPAUSECOMMAND"
+></A
+>lppause command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to stop printing or spooling
+ a specific print job.</P
+><P
+>This command should be a program or script which takes
+ a printer name and job number to pause the print job. One way
+ of implementing this is by using job priorities, where jobs
+ having a too low priority won't be sent to the printer.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printer name
+ is put in its place. A <TT
+CLASS="PARAMETER"
+><I
+>%j</I
+></TT
+> is replaced with
+ the job number (an integer). On HPUX (see <TT
+CLASS="PARAMETER"
+><I
+>printing=hpux
+ </I
+></TT
+>), if the <TT
+CLASS="PARAMETER"
+><I
+>-p%p</I
+></TT
+> option is added
+ to the lpq command, the job will show up with the correct status, i.e.
+ if the job priority is lower than the set fence priority it will
+ have the PAUSED status, whereas if the priority is equal or higher it
+ will have the SPOOLED or PRINTING status.</P
+><P
+>Note that it is good practice to include the absolute path
+ in the lppause command as the PATH may not be available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: Currently no default value is given to
+ this string, unless the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+>
+ parameter is <TT
+CLASS="CONSTANT"
+>SYSV</TT
+>, in which case the default is :</P
+><P
+><B
+CLASS="COMMAND"
+>lp -i %p-%j -H hold</B
+></P
+><P
+>or if the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+> parameter
+ is <TT
+CLASS="CONSTANT"
+>SOFTQ</TT
+>, then the default is:</P
+><P
+><B
+CLASS="COMMAND"
+>qstat -s -j%j -h</B
+></P
+><P
+>Example for HPUX: <B
+CLASS="COMMAND"
+>lppause command = /usr/bin/lpalt
+ %p-%j -p0</B
+></P
+></DD
+><DT
+><A
+NAME="LPQCACHETIME"
+></A
+>lpq cache time (G)</DT
+><DD
+><P
+>This controls how long lpq info will be cached
+ for to prevent the <B
+CLASS="COMMAND"
+>lpq</B
+> command being called too
+ often. A separate cache is kept for each variation of the <B
+CLASS="COMMAND"
+> lpq</B
+> command used by the system, so if you use different
+ <B
+CLASS="COMMAND"
+>lpq</B
+> commands for different users then they won't
+ share cache information.</P
+><P
+>The cache files are stored in <TT
+CLASS="FILENAME"
+>/tmp/lpq.xxxx</TT
+>
+ where xxxx is a hash of the <B
+CLASS="COMMAND"
+>lpq</B
+> command in use.</P
+><P
+>The default is 10 seconds, meaning that the cached results
+ of a previous identical <B
+CLASS="COMMAND"
+>lpq</B
+> command will be used
+ if the cached data is less than 10 seconds old. A large value may
+ be advisable if your <B
+CLASS="COMMAND"
+>lpq</B
+> command is very slow.</P
+><P
+>A value of 0 will disable caching completely.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lpq cache time = 10</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lpq cache time = 30</B
+></P
+></DD
+><DT
+><A
+NAME="LPQCOMMAND"
+></A
+>lpq command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to obtain <B
+CLASS="COMMAND"
+>lpq
+ </B
+>-style printer status information.</P
+><P
+>This command should be a program or script which
+ takes a printer name as its only parameter and outputs printer
+ status information.</P
+><P
+>Currently eight styles of printer status information
+ are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
+ This covers most UNIX systems. You control which type is expected
+ using the <TT
+CLASS="PARAMETER"
+><I
+>printing =</I
+></TT
+> option.</P
+><P
+>Some clients (notably Windows for Workgroups) may not
+ correctly send the connection number for the printer they are
+ requesting status information about. To get around this, the
+ server reports on the first printer service connected to by the
+ client. This only happens if the connection number sent is invalid.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the
+ command.</P
+><P
+>Note that it is good practice to include the absolute path
+ in the <TT
+CLASS="PARAMETER"
+><I
+>lpq command</I
+></TT
+> as the <TT
+CLASS="ENVAR"
+>$PATH
+ </TT
+> may not be available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <EM
+>depends on the setting of <TT
+CLASS="PARAMETER"
+><I
+> printing</I
+></TT
+></EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lpq command = /usr/bin/lpq -P%p</B
+></P
+></DD
+><DT
+><A
+NAME="LPRESUMECOMMAND"
+></A
+>lpresume command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to restart or continue
+ printing or spooling a specific print job.</P
+><P
+>This command should be a program or script which takes
+ a printer name and job number to resume the print job. See
+ also the <A
+HREF="#LPPAUSECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>lppause command
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printer name
+ is put in its place. A <TT
+CLASS="PARAMETER"
+><I
+>%j</I
+></TT
+> is replaced with
+ the job number (an integer).</P
+><P
+>Note that it is good practice to include the absolute path
+ in the <TT
+CLASS="PARAMETER"
+><I
+>lpresume command</I
+></TT
+> as the PATH may not
+ be available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: Currently no default value is given
+ to this string, unless the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+>
+ parameter is <TT
+CLASS="CONSTANT"
+>SYSV</TT
+>, in which case the default is :</P
+><P
+><B
+CLASS="COMMAND"
+>lp -i %p-%j -H resume</B
+></P
+><P
+>or if the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+> parameter
+ is <TT
+CLASS="CONSTANT"
+>SOFTQ</TT
+>, then the default is:</P
+><P
+><B
+CLASS="COMMAND"
+>qstat -s -j%j -r</B
+></P
+><P
+>Example for HPUX: <B
+CLASS="COMMAND"
+>lpresume command = /usr/bin/lpalt
+ %p-%j -p2</B
+></P
+></DD
+><DT
+><A
+NAME="LPRMCOMMAND"
+></A
+>lprm command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to delete a print job.</P
+><P
+>This command should be a program or script which takes
+ a printer name and job number, and deletes the print job.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printer name
+ is put in its place. A <TT
+CLASS="PARAMETER"
+><I
+>%j</I
+></TT
+> is replaced with
+ the job number (an integer).</P
+><P
+>Note that it is good practice to include the absolute
+ path in the <TT
+CLASS="PARAMETER"
+><I
+>lprm command</I
+></TT
+> as the PATH may not be
+ available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <EM
+>depends on the setting of <TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></EM
+></P
+><P
+>Example 1: <B
+CLASS="COMMAND"
+>lprm command = /usr/bin/lprm -P%p %j
+ </B
+></P
+><P
+>Example 2: <B
+CLASS="COMMAND"
+>lprm command = /usr/bin/cancel %p-%j
+ </B
+></P
+></DD
+><DT
+><A
+NAME="MACHINEPASSWORDTIMEOUT"
+></A
+>machine password timeout (G)</DT
+><DD
+><P
+>If a Samba server is a member of a Windows
+ NT Domain (see the <A
+HREF="#SECURITYEQUALSDOMAIN"
+>security = domain</A
+>)
+ parameter) then periodically a running <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+> process will try and change the MACHINE ACCOUNT
+ PASSWORD stored in the TDB called <TT
+CLASS="FILENAME"
+>private/secrets.tdb
+ </TT
+>. This parameter specifies how often this password
+ will be changed, in seconds. The default is one week (expressed in
+ seconds), the same as a Windows NT Domain member server.</P
+><P
+>See also <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)
+ </B
+></A
+>, and the <A
+HREF="#SECURITYEQUALSDOMAIN"
+> security = domain</A
+>) parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>machine password timeout = 604800</B
+></P
+></DD
+><DT
+><A
+NAME="MAGICOUTPUT"
+></A
+>magic output (S)</DT
+><DD
+><P
+>This parameter specifies the name of a file
+ which will contain output created by a magic script (see the
+ <A
+HREF="#MAGICSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>magic script</I
+></TT
+></A
+>
+ parameter below).</P
+><P
+>Warning: If two clients use the same <TT
+CLASS="PARAMETER"
+><I
+>magic script
+ </I
+></TT
+> in the same directory the output file content
+ is undefined.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>magic output = &#60;magic script name&#62;.out
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>magic output = myfile.txt</B
+></P
+></DD
+><DT
+><A
+NAME="MAGICSCRIPT"
+></A
+>magic script (S)</DT
+><DD
+><P
+>This parameter specifies the name of a file which,
+ if opened, will be executed by the server when the file is closed.
+ This allows a UNIX script to be sent to the Samba host and
+ executed on behalf of the connected user.</P
+><P
+>Scripts executed in this way will be deleted upon
+ completion assuming that the user has the appropriate level
+ of privilege and the file permissions allow the deletion.</P
+><P
+>If the script generates output, output will be sent to
+ the file specified by the <A
+HREF="#MAGICOUTPUT"
+><TT
+CLASS="PARAMETER"
+><I
+> magic output</I
+></TT
+></A
+> parameter (see above).</P
+><P
+>Note that some shells are unable to interpret scripts
+ containing CR/LF instead of CR as
+ the end-of-line marker. Magic scripts must be executable
+ <EM
+>as is</EM
+> on the host, which for some hosts and
+ some shells will require filtering at the DOS end.</P
+><P
+>Magic scripts are <EM
+>EXPERIMENTAL</EM
+> and
+ should <EM
+>NOT</EM
+> be relied upon.</P
+><P
+>Default: <EM
+>None. Magic scripts disabled.</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>magic script = user.csh</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLECASE"
+></A
+>mangle case (S)</DT
+><DD
+><P
+>See the section on <A
+HREF="#AEN203"
+> NAME MANGLING</A
+></P
+><P
+>Default: <B
+CLASS="COMMAND"
+>mangle case = no</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLEDMAP"
+></A
+>mangled map (S)</DT
+><DD
+><P
+>This is for those who want to directly map UNIX
+ file names which cannot be represented on Windows/DOS. The mangling
+ of names is not always what is needed. In particular you may have
+ documents with file extensions that differ between DOS and UNIX.
+ For example, under UNIX it is common to use <TT
+CLASS="FILENAME"
+>.html</TT
+>
+ for HTML files, whereas under Windows/DOS <TT
+CLASS="FILENAME"
+>.htm</TT
+>
+ is more commonly used.</P
+><P
+>So to map <TT
+CLASS="FILENAME"
+>html</TT
+> to <TT
+CLASS="FILENAME"
+>htm</TT
+>
+ you would use:</P
+><P
+><B
+CLASS="COMMAND"
+>mangled map = (*.html *.htm)</B
+></P
+><P
+>One very useful case is to remove the annoying <TT
+CLASS="FILENAME"
+>;1
+ </TT
+> off the ends of filenames on some CDROMs (only visible
+ under some UNIXes). To do this use a map of (*;1 *;).</P
+><P
+>Default: <EM
+>no mangled map</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>mangled map = (*;1 *;)</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLEDNAMES"
+></A
+>mangled names (S)</DT
+><DD
+><P
+>This controls whether non-DOS names under UNIX
+ should be mapped to DOS-compatible names ("mangled") and made visible,
+ or whether non-DOS names should simply be ignored.</P
+><P
+>See the section on <A
+HREF="#AEN203"
+> NAME MANGLING</A
+> for details on how to control the mangling process.</P
+><P
+>If mangling is used then the mangling algorithm is as follows:</P
+><P
+></P
+><UL
+><LI
+><P
+>The first (up to) five alphanumeric characters
+ before the rightmost dot of the filename are preserved, forced
+ to upper case, and appear as the first (up to) five characters
+ of the mangled name.</P
+></LI
+><LI
+><P
+>A tilde "~" is appended to the first part of the mangled
+ name, followed by a two-character unique sequence, based on the
+ original root name (i.e., the original filename minus its final
+ extension). The final extension is included in the hash calculation
+ only if it contains any upper case characters or is longer than three
+ characters.</P
+><P
+>Note that the character to use may be specified using
+ the <A
+HREF="#MANGLINGCHAR"
+><TT
+CLASS="PARAMETER"
+><I
+>mangling char</I
+></TT
+>
+ </A
+> option, if you don't like '~'.</P
+></LI
+><LI
+><P
+>The first three alphanumeric characters of the final
+ extension are preserved, forced to upper case and appear as the
+ extension of the mangled name. The final extension is defined as that
+ part of the original filename after the rightmost dot. If there are no
+ dots in the filename, the mangled name will have no extension (except
+ in the case of "hidden files" - see below).</P
+></LI
+><LI
+><P
+>Files whose UNIX name begins with a dot will be
+ presented as DOS hidden files. The mangled name will be created as
+ for other filenames, but with the leading dot removed and "___" as
+ its extension regardless of actual original extension (that's three
+ underscores).</P
+></LI
+></UL
+><P
+>The two-digit hash value consists of upper case
+ alphanumeric characters.</P
+><P
+>This algorithm can cause name collisions only if files
+ in a directory share the same first five alphanumeric characters.
+ The probability of such a clash is 1/1300.</P
+><P
+>The name mangling (if enabled) allows a file to be
+ copied between UNIX directories from Windows/DOS while retaining
+ the long UNIX filename. UNIX files can be renamed to a new extension
+ from Windows/DOS and will retain the same basename. Mangled names
+ do not change between sessions.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>mangled names = yes</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLEDSTACK"
+></A
+>mangled stack (G)</DT
+><DD
+><P
+>This parameter controls the number of mangled names
+ that should be cached in the Samba server <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+>.</P
+><P
+>This stack is a list of recently mangled base names
+ (extensions are only maintained if they are longer than 3 characters
+ or contains upper case characters).</P
+><P
+>The larger this value, the more likely it is that mangled
+ names can be successfully converted to correct long UNIX names.
+ However, large stack sizes will slow most directory accesses. Smaller
+ stacks save memory in the server (each stack element costs 256 bytes).
+ </P
+><P
+>It is not possible to absolutely guarantee correct long
+ filenames, so be prepared for some surprises!</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>mangled stack = 50</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>mangled stack = 100</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLINGCHAR"
+></A
+>mangling char (S)</DT
+><DD
+><P
+>This controls what character is used as
+ the <EM
+>magic</EM
+> character in <A
+HREF="#AEN203"
+>name mangling</A
+>. The default is a '~'
+ but this may interfere with some software. Use this option to set
+ it to whatever you prefer.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>mangling char = ~</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>mangling char = ^</B
+></P
+></DD
+><DT
+><A
+NAME="MAPARCHIVE"
+></A
+>map archive (S)</DT
+><DD
+><P
+>This controls whether the DOS archive attribute
+ should be mapped to the UNIX owner execute bit. The DOS archive bit
+ is set when a file has been modified since its last backup. One
+ motivation for this option it to keep Samba/your PC from making
+ any file it touches from becoming executable under UNIX. This can
+ be quite annoying for shared source code, documents, etc...</P
+><P
+>Note that this requires the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ parameter to be set such that owner execute bit is not masked out
+ (i.e. it must include 100). See the parameter <A
+HREF="#CREATEMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+> for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map archive = yes</B
+></P
+></DD
+><DT
+><A
+NAME="MAPHIDDEN"
+></A
+>map hidden (S)</DT
+><DD
+><P
+>This controls whether DOS style hidden files
+ should be mapped to the UNIX world execute bit.</P
+><P
+>Note that this requires the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ to be set such that the world execute bit is not masked out (i.e.
+ it must include 001). See the parameter <A
+HREF="#CREATEMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+> for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map hidden = no</B
+></P
+></DD
+><DT
+><A
+NAME="MAPSYSTEM"
+></A
+>map system (S)</DT
+><DD
+><P
+>This controls whether DOS style system files
+ should be mapped to the UNIX group execute bit.</P
+><P
+>Note that this requires the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ to be set such that the group execute bit is not masked out (i.e.
+ it must include 010). See the parameter <A
+HREF="#CREATEMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+> for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map system = no</B
+></P
+></DD
+><DT
+><A
+NAME="MAPTOGUEST"
+></A
+>map to guest (G)</DT
+><DD
+><P
+>This parameter is only useful in <A
+HREF="#SECURITY"
+> security</A
+> modes other than <TT
+CLASS="PARAMETER"
+><I
+>security = share</I
+></TT
+>
+ - i.e. <TT
+CLASS="CONSTANT"
+>user</TT
+>, <TT
+CLASS="CONSTANT"
+>server</TT
+>,
+ and <TT
+CLASS="CONSTANT"
+>domain</TT
+>.</P
+><P
+>This parameter can take three different values, which tell
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> what to do with user
+ login requests that don't match a valid UNIX user in some way.</P
+><P
+>The three settings are :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>Never</TT
+> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>Bad User</TT
+> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+> guest account</I
+></TT
+></A
+>.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>Bad Password</TT
+> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <A
+HREF="#GUESTACCOUNT"
+>guest account</A
+>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as "guest" - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <EM
+>hate</EM
+> you if you set the <TT
+CLASS="PARAMETER"
+><I
+>map to
+ guest</I
+></TT
+> parameter this way :-).</P
+></LI
+></UL
+><P
+>Note that this parameter is needed to set up "Guest"
+ share services when using <TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+> modes other than
+ share. This is because in these modes the name of the resource being
+ requested is <EM
+>not</EM
+> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for "Guest" shares.</P
+><P
+>For people familiar with the older Samba releases, this
+ parameter maps to the old compile-time setting of the <TT
+CLASS="CONSTANT"
+> GUEST_SESSSETUP</TT
+> value in local.h.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map to guest = Never</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>map to guest = Bad User</B
+></P
+></DD
+><DT
+><A
+NAME="MAXCONNECTIONS"
+></A
+>max connections (S)</DT
+><DD
+><P
+>This option allows the number of simultaneous
+ connections to a service to be limited. If <TT
+CLASS="PARAMETER"
+><I
+>max connections
+ </I
+></TT
+> is greater than 0 then connections will be refused if
+ this number of connections to the service are already open. A value
+ of zero mean an unlimited number of connections may be made.</P
+><P
+>Record lock files are used to implement this feature. The
+ lock files will be stored in the directory specified by the <A
+HREF="#LOCKDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+>lock directory</I
+></TT
+></A
+>
+ option.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max connections = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max connections = 10</B
+></P
+></DD
+><DT
+><A
+NAME="MAXDISKSIZE"
+></A
+>max disk size (G)</DT
+><DD
+><P
+>This option allows you to put an upper limit
+ on the apparent size of disks. If you set this option to 100
+ then all shares will appear to be not larger than 100 MB in
+ size.</P
+><P
+>Note that this option does not limit the amount of
+ data you can put on the disk. In the above case you could still
+ store much more than 100 MB on the disk, but if a client ever asks
+ for the amount of free disk space or the total disk size then the
+ result will be bounded by the amount specified in <TT
+CLASS="PARAMETER"
+><I
+>max
+ disk size</I
+></TT
+>.</P
+><P
+>This option is primarily useful to work around bugs
+ in some pieces of software that can't handle very large disks,
+ particularly disks over 1GB in size.</P
+><P
+>A <TT
+CLASS="PARAMETER"
+><I
+>max disk size</I
+></TT
+> of 0 means no limit.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max disk size = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max disk size = 1000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXLOGSIZE"
+></A
+>max log size (G)</DT
+><DD
+><P
+>This option (an integer in kilobytes) specifies
+ the max size the log file should grow to. Samba periodically checks
+ the size and if it is exceeded it will rename the file, adding
+ a <TT
+CLASS="FILENAME"
+>.old</TT
+> extension.</P
+><P
+>A size of 0 means no limit.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max log size = 5000</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max log size = 1000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXMUX"
+></A
+>max mux (G)</DT
+><DD
+><P
+>This option controls the maximum number of
+ outstanding simultaneous SMB operations that Samba tells the client
+ it will allow. You should never need to set this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max mux = 50</B
+></P
+></DD
+><DT
+><A
+NAME="MAXOPENFILES"
+></A
+>max open files (G)</DT
+><DD
+><P
+>This parameter limits the maximum number of
+ open files that one <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> file
+ serving process may have open for a client at any one time. The
+ default for this parameter is set very high (10,000) as Samba uses
+ only one bit per unopened file.</P
+><P
+>The limit of the number of open files is usually set
+ by the UNIX per-process file descriptor limit rather than
+ this parameter so you should never need to touch this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max open files = 10000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXPRINTJOBS"
+></A
+>max print jobs (S)</DT
+><DD
+><P
+>This parameter limits the maximum number of
+ jobs allowable in a Samba printer queue at any given moment.
+ If this number is exceeded, <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+> smbd(8)</B
+></A
+> will remote "Out of Space" to the client.
+ See all <A
+HREF="#TOTALPRINTJOBS"
+><TT
+CLASS="PARAMETER"
+><I
+>total
+ print jobs</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max print jobs = 1000</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max print jobs = 5000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXPROTOCOL"
+></A
+>max protocol (G)</DT
+><DD
+><P
+>The value of the parameter (a string) is the highest
+ protocol level that will be supported by the server.</P
+><P
+>Possible values are :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>CORE</TT
+>: Earliest version. No
+ concept of user names.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>COREPLUS</TT
+>: Slight improvements on
+ CORE for efficiency.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>LANMAN1</TT
+>: First <EM
+> modern</EM
+> version of the protocol. Long filename
+ support.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>LANMAN2</TT
+>: Updates to Lanman1 protocol.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>NT1</TT
+>: Current up to date version of
+ the protocol. Used by Windows NT. Known as CIFS.</P
+></LI
+></UL
+><P
+>Normally this option should not be set as the automatic
+ negotiation phase in the SMB protocol takes care of choosing
+ the appropriate protocol.</P
+><P
+>See also <A
+HREF="#MINPROTOCOL"
+><TT
+CLASS="PARAMETER"
+><I
+>min
+ protocol</I
+></TT
+></A
+></P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max protocol = NT1</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max protocol = LANMAN1</B
+></P
+></DD
+><DT
+><A
+NAME="MAXSMBDPROCESSES"
+></A
+>max smbd processes (G)</DT
+><DD
+><P
+>This parameter limits the maximum number of
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>
+ processes concurrently running on a system and is intended
+ as a stopgap to prevent degrading service to clients in the event
+ that the server has insufficient resources to handle more than this
+ number of connections. Remember that under normal operating
+ conditions, each user will have an <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> associated with him or her
+ to handle connections to all shares from a given host.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max smbd processes = 0</B
+> ## no limit</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max smbd processes = 1000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXTTL"
+></A
+>max ttl (G)</DT
+><DD
+><P
+>This option tells <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ what the default 'time to live' of NetBIOS names should be (in seconds)
+ when <B
+CLASS="COMMAND"
+>nmbd</B
+> is requesting a name using either a
+ broadcast packet or from a WINS server. You should never need to
+ change this parameter. The default is 3 days.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max ttl = 259200</B
+></P
+></DD
+><DT
+><A
+NAME="MAXWINSTTL"
+></A
+>max wins ttl (G)</DT
+><DD
+><P
+>This option tells <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)
+ </A
+> when acting as a WINS server (<A
+HREF="#WINSSUPPORT"
+> <TT
+CLASS="PARAMETER"
+><I
+>wins support = yes</I
+></TT
+></A
+>) what the maximum
+ 'time to live' of NetBIOS names that <B
+CLASS="COMMAND"
+>nmbd</B
+>
+ will grant will be (in seconds). You should never need to change this
+ parameter. The default is 6 days (518400 seconds).</P
+><P
+>See also the <A
+HREF="#MINWINSTTL"
+><TT
+CLASS="PARAMETER"
+><I
+>min
+ wins ttl</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max wins ttl = 518400</B
+></P
+></DD
+><DT
+><A
+NAME="MAXXMIT"
+></A
+>max xmit (G)</DT
+><DD
+><P
+>This option controls the maximum packet size
+ that will be negotiated by Samba. The default is 65535, which
+ is the maximum. In some cases you may find you get better performance
+ with a smaller value. A value below 2048 is likely to cause problems.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max xmit = 65535</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max xmit = 8192</B
+></P
+></DD
+><DT
+><A
+NAME="MESSAGECOMMAND"
+></A
+>message command (G)</DT
+><DD
+><P
+>This specifies what command to run when the
+ server receives a WinPopup style message.</P
+><P
+>This would normally be a command that would
+ deliver the message somehow. How this is to be done is
+ up to your imagination.</P
+><P
+>An example is:</P
+><P
+><B
+CLASS="COMMAND"
+>message command = csh -c 'xedit %s;rm %s' &#38;</B
+>
+ </P
+><P
+>This delivers the message using <B
+CLASS="COMMAND"
+>xedit</B
+>, then
+ removes it afterwards. <EM
+>NOTE THAT IT IS VERY IMPORTANT
+ THAT THIS COMMAND RETURN IMMEDIATELY</EM
+>. That's why I
+ have the '&#38;' on the end. If it doesn't return immediately then
+ your PCs may freeze when sending messages (they should recover
+ after 30 seconds, hopefully).</P
+><P
+>All messages are delivered as the global guest user.
+ The command takes the standard substitutions, although <TT
+CLASS="PARAMETER"
+><I
+> %u</I
+></TT
+> won't work (<TT
+CLASS="PARAMETER"
+><I
+>%U</I
+></TT
+> may be better
+ in this case).</P
+><P
+>Apart from the standard substitutions, some additional
+ ones apply. In particular:</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%s</I
+></TT
+> = the filename containing
+ the message.</P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%t</I
+></TT
+> = the destination that
+ the message was sent to (probably the server name).</P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%f</I
+></TT
+> = who the message
+ is from.</P
+></LI
+></UL
+><P
+>You could make this command send mail, or whatever else
+ takes your fancy. Please let us know of any really interesting
+ ideas you have.</P
+><P
+>Here's a way of sending the messages as mail to root:</P
+><P
+><B
+CLASS="COMMAND"
+>message command = /bin/mail -s 'message from %f on
+ %m' root &#60; %s; rm %s</B
+></P
+><P
+>If you don't have a message command then the message
+ won't be delivered and Samba will tell the sender there was
+ an error. Unfortunately WfWg totally ignores the error code
+ and carries on regardless, saying that the message was delivered.
+ </P
+><P
+>If you want to silently delete it then try:</P
+><P
+><B
+CLASS="COMMAND"
+>message command = rm %s</B
+></P
+><P
+>Default: <EM
+>no message command</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>message command = csh -c 'xedit %s;
+ rm %s' &#38;</B
+></P
+></DD
+><DT
+><A
+NAME="MINPASSWDLENGTH"
+></A
+>min passwd length (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#MINPASSWORDLENGTH"
+> <TT
+CLASS="PARAMETER"
+><I
+>min password length</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="MINPASSWORDLENGTH"
+></A
+>min password length (G)</DT
+><DD
+><P
+>This option sets the minimum length in characters
+ of a plaintext password that <B
+CLASS="COMMAND"
+>smbd</B
+> will accept when performing
+ UNIX password changing.</P
+><P
+>See also <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+></A
+>, <A
+HREF="#PASSWDPROGRAM"
+> <TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+></A
+> and <A
+HREF="#PASSWDCHATDEBUG"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat debug</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>min password length = 5</B
+></P
+></DD
+><DT
+><A
+NAME="MINPRINTSPACE"
+></A
+>min print space (S)</DT
+><DD
+><P
+>This sets the minimum amount of free disk
+ space that must be available before a user will be able to spool
+ a print job. It is specified in kilobytes. The default is 0, which
+ means a user can always spool a print job.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>min print space = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>min print space = 2000</B
+></P
+></DD
+><DT
+><A
+NAME="MINPROTOCOL"
+></A
+>min protocol (G)</DT
+><DD
+><P
+>The value of the parameter (a string) is the
+ lowest SMB protocol dialect than Samba will support. Please refer
+ to the <A
+HREF="#MAXPROTOCOL"
+><TT
+CLASS="PARAMETER"
+><I
+>max protocol</I
+></TT
+></A
+>
+ parameter for a list of valid protocol names and a brief description
+ of each. You may also wish to refer to the C source code in
+ <TT
+CLASS="FILENAME"
+>source/smbd/negprot.c</TT
+> for a listing of known protocol
+ dialects supported by clients.</P
+><P
+>If you are viewing this parameter as a security measure, you should
+ also refer to the <A
+HREF="#LANMANAUTH"
+><TT
+CLASS="PARAMETER"
+><I
+>lanman
+ auth</I
+></TT
+></A
+> parameter. Otherwise, you should never need
+ to change this parameter.</P
+><P
+>Default : <B
+CLASS="COMMAND"
+>min protocol = CORE</B
+></P
+><P
+>Example : <B
+CLASS="COMMAND"
+>min protocol = NT1</B
+> # disable DOS
+ clients</P
+></DD
+><DT
+><A
+NAME="MINWINSTTL"
+></A
+>min wins ttl (G)</DT
+><DD
+><P
+>This option tells <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ when acting as a WINS server (<A
+HREF="#WINSSUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+> wins support = yes</I
+></TT
+></A
+>) what the minimum 'time to live'
+ of NetBIOS names that <B
+CLASS="COMMAND"
+>nmbd</B
+> will grant will be (in
+ seconds). You should never need to change this parameter. The default
+ is 6 hours (21600 seconds).</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>min wins ttl = 21600</B
+></P
+></DD
+><DT
+><A
+NAME="MSDFSROOT"
+></A
+>msdfs root (S)</DT
+><DD
+><P
+>This boolean parameter is only available if
+ Samba is configured and compiled with the <B
+CLASS="COMMAND"
+> --with-msdfs</B
+> option. If set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>,
+ Samba treats the share as a Dfs root and allows clients to browse
+ the distributed file system tree rooted at the share directory.
+ Dfs links are specified in the share directory by symbolic
+ links of the form <TT
+CLASS="FILENAME"
+>msdfs:serverA\shareA,serverB\shareB
+ </TT
+> and so on. For more information on setting up a Dfs tree
+ on Samba, refer to <A
+HREF="msdfs_setup.html"
+TARGET="_top"
+>msdfs_setup.html
+ </A
+>.</P
+><P
+>See also <A
+HREF="#HOSTMSDFS"
+><TT
+CLASS="PARAMETER"
+><I
+>host msdfs
+ </I
+></TT
+></A
+></P
+><P
+>Default: <B
+CLASS="COMMAND"
+>msdfs root = no</B
+></P
+></DD
+><DT
+><A
+NAME="NAMERESOLVEORDER"
+></A
+>name resolve order (G)</DT
+><DD
+><P
+>This option is used by the programs in the Samba
+ suite to determine what naming services to use and in what order
+ to resolve host names to IP addresses. The option takes a space
+ separated string of name resolution options.</P
+><P
+>The options are :"lmhosts", "host", "wins" and "bcast". They
+ cause names to be resolved as follows :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>lmhosts</TT
+> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <A
+HREF="lmhosts.5.html"
+TARGET="_top"
+>lmhosts(5)</A
+> for details) then
+ any name type matches for lookup.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>host</TT
+> : Do a standard host
+ name to IP address resolution, using the system <TT
+CLASS="FILENAME"
+>/etc/hosts
+ </TT
+>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+>
+ file. Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>wins</TT
+> : Query a name with
+ the IP address listed in the <A
+HREF="#WINSSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+> wins server</I
+></TT
+></A
+> parameter. If no WINS server has
+ been specified this method will be ignored.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>bcast</TT
+> : Do a broadcast on
+ each of the known local interfaces listed in the <A
+HREF="#INTERFACES"
+><TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+></A
+>
+ parameter. This is the least reliable of the name resolution
+ methods as it depends on the target host being on a locally
+ connected subnet.</P
+></LI
+></UL
+><P
+>Default: <B
+CLASS="COMMAND"
+>name resolve order = lmhosts host wins bcast
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>name resolve order = lmhosts bcast host
+ </B
+></P
+><P
+>This will cause the local lmhosts file to be examined
+ first, followed by a broadcast attempt, followed by a normal
+ system hostname lookup.</P
+></DD
+><DT
+><A
+NAME="NETBIOSALIASES"
+></A
+>netbios aliases (G)</DT
+><DD
+><P
+>This is a list of NetBIOS names that <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> will advertise as additional
+ names by which the Samba server is known. This allows one machine
+ to appear in browse lists under multiple names. If a machine is
+ acting as a browse server or logon server none
+ of these names will be advertised as either browse server or logon
+ servers, only the primary name of the machine will be advertised
+ with these capabilities.</P
+><P
+>See also <A
+HREF="#NETBIOSNAME"
+><TT
+CLASS="PARAMETER"
+><I
+>netbios
+ name</I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>empty string (no additional names)</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>netbios aliases = TEST TEST1 TEST2</B
+></P
+></DD
+><DT
+><A
+NAME="NETBIOSNAME"
+></A
+>netbios name (G)</DT
+><DD
+><P
+>This sets the NetBIOS name by which a Samba
+ server is known. By default it is the same as the first component
+ of the host's DNS name. If a machine is a browse server or
+ logon server this name (or the first component
+ of the hosts DNS name) will be the name that these services are
+ advertised under.</P
+><P
+>See also <A
+HREF="#NETBIOSALIASES"
+><TT
+CLASS="PARAMETER"
+><I
+>netbios
+ aliases</I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>machine DNS name</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>netbios name = MYNAME</B
+></P
+></DD
+><DT
+><A
+NAME="NETBIOSSCOPE"
+></A
+>netbios scope (G)</DT
+><DD
+><P
+>This sets the NetBIOS scope that Samba will
+ operate under. This should not be set unless every machine
+ on your LAN also sets this value.</P
+></DD
+><DT
+><A
+NAME="NISHOMEDIR"
+></A
+>nis homedir (G)</DT
+><DD
+><P
+>Get the home share server from a NIS map. For
+ UNIX systems that use an automounter, the user's home directory
+ will often be mounted on a workstation on demand from a remote
+ server. </P
+><P
+>When the Samba logon server is not the actual home directory
+ server, but is mounting the home directories via NFS then two
+ network hops would be required to access the users home directory
+ if the logon server told the client to use itself as the SMB server
+ for home directories (one over SMB and one over NFS). This can
+ be very slow.</P
+><P
+>This option allows Samba to return the home share as
+ being on a different server to the logon server and as
+ long as a Samba daemon is running on the home directory server,
+ it will be mounted on the Samba client directly from the directory
+ server. When Samba is returning the home share to the client, it
+ will consult the NIS map specified in <A
+HREF="#HOMEDIRMAP"
+> <TT
+CLASS="PARAMETER"
+><I
+>homedir map</I
+></TT
+></A
+> and return the server
+ listed there.</P
+><P
+>Note that for this option to work there must be a working
+ NIS system and the Samba server with this option must also
+ be a logon server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>nis homedir = no</B
+></P
+></DD
+><DT
+><A
+NAME="NONUNIXACCOUNTRANGE"
+></A
+>non unix account range (G)</DT
+><DD
+><P
+>The non unix account range parameter specifies
+ the range of 'user ids' that are allocated by the various 'non unix
+ account' passdb backends. These backends allow
+ the storage of passwords for users who don't exist in /etc/passwd.
+ This is most often used for machine account creation.
+ This range of ids should have no existing local or NIS users within
+ it as strange conflicts can occur otherwise.</P
+><P
+>NOTE: These userids never appear on the system and Samba will never
+ 'become' these users. They are used only to ensure that the algorithmic
+ RID mapping does not conflict with normal users.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>non unix account range = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>non unix account range = 10000-20000</B
+></P
+></DD
+><DT
+><A
+NAME="NTACLSUPPORT"
+></A
+>nt acl support (S)</DT
+><DD
+><P
+>This boolean parameter controls whether
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will attempt to map
+ UNIX permissions into Windows NT access control lists.
+ This parameter was formally a global parameter in releases
+ prior to 2.2.2.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>nt acl support = yes</B
+></P
+></DD
+><DT
+><A
+NAME="NTPIPESUPPORT"
+></A
+>nt pipe support (G)</DT
+><DD
+><P
+>This boolean parameter controls whether
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will allow Windows NT
+ clients to connect to the NT SMB specific <TT
+CLASS="CONSTANT"
+>IPC$</TT
+>
+ pipes. This is a developer debugging option and can be left
+ alone.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>nt pipe support = yes</B
+></P
+></DD
+><DT
+><A
+NAME="NULLPASSWORDS"
+></A
+>null passwords (G)</DT
+><DD
+><P
+>Allow or disallow client access to accounts
+ that have null passwords. </P
+><P
+>See also <A
+HREF="smbpasswd.5.html"
+TARGET="_top"
+>smbpasswd (5)</A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>null passwords = no</B
+></P
+></DD
+><DT
+><A
+NAME="OBEYPAMRESTRICTIONS"
+></A
+>obey pam restrictions (G)</DT
+><DD
+><P
+>When Samba 2.2 is configured to enable PAM support
+ (i.e. --with-pam), this parameter will control whether or not Samba
+ should obey PAM's account and session management directives. The
+ default behavior is to use PAM for clear text authentication only
+ and to ignore any account or session management. Note that Samba
+ always ignores PAM for authentication in the case of <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords = yes</I
+></TT
+>
+ </A
+>. The reason is that PAM modules cannot support the challenge/response
+ authentication mechanism needed in the presence of SMB password encryption.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>obey pam restrictions = no</B
+></P
+></DD
+><DT
+><A
+NAME="ONLYUSER"
+></A
+>only user (S)</DT
+><DD
+><P
+>This is a boolean option that controls whether
+ connections with usernames not in the <TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+>
+ list will be allowed. By default this option is disabled so that a
+ client can supply a username to be used by the server. Enabling
+ this parameter will force the server to only user the login
+ names from the <TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+> list and is only really
+ useful in <A
+HREF="#SECURITYEQUALSSHARE"
+>shave level</A
+>
+ security.</P
+><P
+>Note that this also means Samba won't try to deduce
+ usernames from the service name. This can be annoying for
+ the [homes] section. To get around this you could use <B
+CLASS="COMMAND"
+>user =
+ %S</B
+> which means your <TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+> list
+ will be just the service name, which for home directories is the
+ name of the user.</P
+><P
+>See also the <A
+HREF="#USER"
+><TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>only user = no</B
+></P
+></DD
+><DT
+><A
+NAME="ONLYGUEST"
+></A
+>only guest (S)</DT
+><DD
+><P
+>A synonym for <A
+HREF="#GUESTONLY"
+><TT
+CLASS="PARAMETER"
+><I
+> guest only</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="OPLOCKBREAKWAITTIME"
+></A
+>oplock break wait time (G)</DT
+><DD
+><P
+>This is a tuning parameter added due to bugs in
+ both Windows 9x and WinNT. If Samba responds to a client too
+ quickly when that client issues an SMB that can cause an oplock
+ break request, then the network client can fail and not respond
+ to the break request. This tuning parameter (which is set in milliseconds)
+ is the amount of time Samba will wait before sending an oplock break
+ request to such (broken) clients.</P
+><P
+><EM
+>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</EM
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>oplock break wait time = 0</B
+></P
+></DD
+><DT
+><A
+NAME="OPLOCKCONTENTIONLIMIT"
+></A
+>oplock contention limit (S)</DT
+><DD
+><P
+>This is a <EM
+>very</EM
+> advanced
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> tuning option to
+ improve the efficiency of the granting of oplocks under multiple
+ client contention for the same file.</P
+><P
+>In brief it specifies a number, which causes <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> not to
+ grant an oplock even when requested if the approximate number of
+ clients contending for an oplock on the same file goes over this
+ limit. This causes <B
+CLASS="COMMAND"
+>smbd</B
+> to behave in a similar
+ way to Windows NT.</P
+><P
+><EM
+>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</EM
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>oplock contention limit = 2</B
+></P
+></DD
+><DT
+><A
+NAME="OPLOCKS"
+></A
+>oplocks (S)</DT
+><DD
+><P
+>This boolean option tells <B
+CLASS="COMMAND"
+>smbd</B
+> whether to
+ issue oplocks (opportunistic locks) to file open requests on this
+ share. The oplock code can dramatically (approx. 30% or more) improve
+ the speed of access to files on Samba servers. It allows the clients
+ to aggressively cache files locally and you may want to disable this
+ option for unreliable network environments (it is turned on by
+ default in Windows NT Servers). For more information see the file
+ <TT
+CLASS="FILENAME"
+>Speed.txt</TT
+> in the Samba <TT
+CLASS="FILENAME"
+>docs/</TT
+>
+ directory.</P
+><P
+>Oplocks may be selectively turned off on certain files with a
+ share. See the <A
+HREF="#VETOOPLOCKFILES"
+><TT
+CLASS="PARAMETER"
+><I
+> veto oplock files</I
+></TT
+></A
+> parameter. On some systems
+ oplocks are recognized by the underlying operating system. This
+ allows data synchronization between all access to oplocked files,
+ whether it be via Samba or NFS or a local UNIX process. See the
+ <TT
+CLASS="PARAMETER"
+><I
+>kernel oplocks</I
+></TT
+> parameter for details.</P
+><P
+>See also the <A
+HREF="#KERNELOPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>kernel
+ oplocks</I
+></TT
+></A
+> and <A
+HREF="#LEVEL2OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+> level2 oplocks</I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>oplocks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="OSLEVEL"
+></A
+>os level (G)</DT
+><DD
+><P
+>This integer value controls what level Samba
+ advertises itself as for browse elections. The value of this
+ parameter determines whether <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ has a chance of becoming a local master browser for the <TT
+CLASS="PARAMETER"
+><I
+> WORKGROUP</I
+></TT
+> in the local broadcast area.</P
+><P
+><EM
+>Note :</EM
+>By default, Samba will win
+ a local master browsing election over all Microsoft operating
+ systems except a Windows NT 4.0/2000 Domain Controller. This
+ means that a misconfigured Samba host can effectively isolate
+ a subnet for browsing purposes. See <TT
+CLASS="FILENAME"
+>BROWSING.txt
+ </TT
+> in the Samba <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory
+ for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>os level = 20</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>os level = 65 </B
+></P
+></DD
+><DT
+><A
+NAME="OS2DRIVERMAP"
+></A
+>os2 driver map (G)</DT
+><DD
+><P
+>The parameter is used to define the absolute
+ path to a file containing a mapping of Windows NT printer driver
+ names to OS/2 printer driver names. The format is:</P
+><P
+>&#60;nt driver name&#62; = &#60;os2 driver
+ name&#62;.&#60;device name&#62;</P
+><P
+>For example, a valid entry using the HP LaserJet 5
+ printer driver would appear as <B
+CLASS="COMMAND"
+>HP LaserJet 5L = LASERJET.HP
+ LaserJet 5L</B
+>.</P
+><P
+>The need for the file is due to the printer driver namespace
+ problem described in the <A
+HREF="printer_driver2.html"
+TARGET="_top"
+>Samba
+ Printing HOWTO</A
+>. For more details on OS/2 clients, please
+ refer to the <A
+HREF="OS2-Client-HOWTO.html"
+TARGET="_top"
+>OS2-Client-HOWTO
+ </A
+> containing in the Samba documentation.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>os2 driver map = &#60;empty string&#62;
+ </B
+></P
+></DD
+><DT
+><A
+NAME="PAMPASSWORDCHANGE"
+></A
+>pam password change (G)</DT
+><DD
+><P
+>With the addition of better PAM support in Samba 2.2,
+ this parameter, it is possible to use PAM's password change control
+ flag for Samba. If enabled, then PAM will be used for password
+ changes when requested by an SMB client instead of the program listed in
+ <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+></A
+>.
+ It should be possible to enable this without changing your
+ <A
+HREF="#PASSWDCHAT"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+></A
+>
+ parameter for most setups.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>pam password change = no</B
+></P
+></DD
+><DT
+><A
+NAME="PANICACTION"
+></A
+>panic action (G)</DT
+><DD
+><P
+>This is a Samba developer option that allows a
+ system command to be called when either <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+> or <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ crashes. This is usually used to draw attention to the fact that
+ a problem occurred.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>panic action = &#60;empty string&#62;</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>panic action = "/bin/sleep 90000"</B
+></P
+></DD
+><DT
+><A
+NAME="PASSDBBACKEND"
+></A
+>passdb backend (G)</DT
+><DD
+><P
+>This option allows the administrator to chose what
+ backend in which to store passwords. This allows (for example) both
+ smbpasswd and tdbsam to be used without a recompile. Only one can
+ be used at a time however, and experimental backends must still be selected
+ (eg --with-tdbsam) at configure time.
+ </P
+><P
+>This paramater is in two parts, the backend's name, and a 'location'
+ string that has meaning only to that particular backed. These are separated
+ by a : character.</P
+><P
+>Available backends can include:
+ <P
+></P
+><UL
+><LI
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> - The default smbpasswd
+ backend. Takes a path to the smbpasswd file as an optional argument.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd_nua</B
+> - The smbpasswd
+ backend, but with support for 'not unix accounts'.
+ Takes a path to the smbpasswd file as an optional argument.</P
+><P
+>See also <A
+HREF="#NONUNIXACCOUNTRANGE"
+> <TT
+CLASS="PARAMETER"
+><I
+>non unix account range</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>tdbsam</B
+> - The TDB based password storage
+ backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <A
+HREF="#PRIVATEDIR"
+> <TT
+CLASS="PARAMETER"
+><I
+>private dir</I
+></TT
+></A
+> directory.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>tdbsam_nua</B
+> - The TDB based password storage
+ backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
+ in the <A
+HREF="#PRIVATEDIR"
+> <TT
+CLASS="PARAMETER"
+><I
+>private dir</I
+></TT
+></A
+> directory.</P
+><P
+>See also <A
+HREF="#NONUNIXACCOUNTRANGE"
+> <TT
+CLASS="PARAMETER"
+><I
+>non unix account range</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>ldapsam</B
+> - The LDAP based passdb
+ backend. Takes an LDAP URL as an optional argument (defaults to
+ <B
+CLASS="COMMAND"
+>ldap://localhost</B
+>)</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>ldapsam_nua</B
+> - The LDAP based passdb
+ backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
+ <B
+CLASS="COMMAND"
+>ldap://localhost</B
+>)</P
+><P
+>See also <A
+HREF="#NONUNIXACCOUNTRANGE"
+> <TT
+CLASS="PARAMETER"
+><I
+>non unix account range</I
+></TT
+></A
+></P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>plugin</B
+> - Allows Samba to load an
+ arbitary passdb backend from the .so specified as a compulsary argument.
+ </P
+><P
+>Any characters after the (optional) second : are passed to the plugin
+ for its own processing</P
+></LI
+></UL
+>
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>passdb backend = smbpasswd</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passdb backend = tdbsam:/etc/samba/private/passdb.tdb</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passdb backend = ldapsam_nua:ldaps://ldap.example.com</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWDCHAT"
+></A
+>passwd chat (G)</DT
+><DD
+><P
+>This string controls the <EM
+>"chat"</EM
+>
+ conversation that takes places between <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> and the local password changing
+ program to change the user's password. The string describes a
+ sequence of response-receive pairs that <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+> uses to determine what to send to the
+ <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+>
+ </A
+> and what to expect back. If the expected output is not
+ received then the password is not changed.</P
+><P
+>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</P
+><P
+>Note that this parameter only is only used if the <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+></A
+> parameter is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>. This
+ sequence is then called <EM
+>AS ROOT</EM
+> when the SMB password
+ in the smbpasswd file is being changed, without access to the old
+ password cleartext. This means that root must be able to reset the user's password
+ without knowing the text of the previous password. In the presence of NIS/YP,
+ this means that the <A
+HREF="#PASSWDPROGRAM"
+>passwd program</A
+> must be
+ executed on the NIS master.
+ </P
+><P
+>The string can contain the macro <TT
+CLASS="PARAMETER"
+><I
+>%n</I
+></TT
+> which is substituted
+ for the new password. The chat sequence can also contain the standard
+ macros <TT
+CLASS="CONSTANT"
+>\n</TT
+>, <TT
+CLASS="CONSTANT"
+>\r</TT
+>, <TT
+CLASS="CONSTANT"
+> \t</TT
+> and <TT
+CLASS="CONSTANT"
+>\s</TT
+> to give line-feed,
+ carriage-return, tab and space. The chat sequence string can also contain
+ a '*' which matches any sequence of characters.
+ Double quotes can be used to collect strings with spaces
+ in them into a single string.</P
+><P
+>If the send string in any part of the chat sequence
+ is a full stop ".", then no string is sent. Similarly,
+ if the expect string is a full stop then no string is expected.</P
+><P
+>If the <A
+HREF="#PAMPASSWORDCHANGE"
+><TT
+CLASS="PARAMETER"
+><I
+>pam
+ password change</I
+></TT
+></A
+> parameter is set to true, the chat pairs
+ may be matched in any order, and success is determined by the PAM result,
+ not any particular output. The \n macro is ignored for PAM conversions.
+ </P
+><P
+>See also <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix password
+ sync</I
+></TT
+></A
+>, <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+> passwd program</I
+></TT
+></A
+> ,<A
+HREF="#PASSWDCHATDEBUG"
+> <TT
+CLASS="PARAMETER"
+><I
+>passwd chat debug</I
+></TT
+></A
+> and <A
+HREF="#PAMPASSWORDCHANGE"
+> <TT
+CLASS="PARAMETER"
+><I
+>pam password change</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>passwd chat = *new*password* %n\n
+ *new*password* %n\n *changed*</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passwd chat = "*Enter OLD password*" %o\n
+ "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password
+ changed*"</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWDCHATDEBUG"
+></A
+>passwd chat debug (G)</DT
+><DD
+><P
+>This boolean specifies if the passwd chat script
+ parameter is run in <EM
+>debug</EM
+> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> log with a
+ <A
+HREF="#DEBUGLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>debug level</I
+></TT
+></A
+>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <B
+CLASS="COMMAND"
+>smbd</B
+> log. It is available to help
+ Samba admins debug their <TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+> scripts
+ when calling the <TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+> and should
+ be turned off after this has been done. This option has no effect if the
+ <A
+HREF="#PAMPASSWORDCHANGE"
+><TT
+CLASS="PARAMETER"
+><I
+>pam password change</I
+></TT
+></A
+>
+ paramter is set. This parameter is off by default.</P
+><P
+>See also <A
+HREF="#PASSWDCHAT"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+>
+ </A
+>, <A
+HREF="#PAMPASSWORDCHANGE"
+><TT
+CLASS="PARAMETER"
+><I
+>pam password change</I
+></TT
+>
+ </A
+>, <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>passwd chat debug = no</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWDPROGRAM"
+></A
+>passwd program (G)</DT
+><DD
+><P
+>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</P
+><P
+>Also note that many passwd programs insist in <EM
+>reasonable
+ </EM
+> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</P
+><P
+><EM
+>Note</EM
+> that if the <TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+> parameter is set to <TT
+CLASS="CONSTANT"
+>true
+ </TT
+> then this program is called <EM
+>AS ROOT</EM
+>
+ before the SMB password in the <A
+HREF="smbpasswd.5.html"
+TARGET="_top"
+>smbpasswd(5)
+ </A
+> file is changed. If this UNIX password change fails, then
+ <B
+CLASS="COMMAND"
+>smbd</B
+> will fail to change the SMB password also
+ (this is by design).</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>unix password sync</I
+></TT
+> parameter
+ is set this parameter <EM
+>MUST USE ABSOLUTE PATHS</EM
+>
+ for <EM
+>ALL</EM
+> programs called, and must be examined
+ for security implications. Note that by default <TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+> is set to <TT
+CLASS="CONSTANT"
+>false</TT
+>.</P
+><P
+>See also <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>passwd program = /bin/passwd</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passwd program = /sbin/npasswd %u</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="PASSWORDLEVEL"
+></A
+>password level (G)</DT
+><DD
+><P
+>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS! Another problem child is the Windows 95/98
+ family of operating systems. These clients upper case clear
+ text passwords even when NT LM 0.12 selected by the protocol
+ negotiation request/response.</P
+><P
+>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</P
+><P
+>For example, say the password given was "FRED". If <TT
+CLASS="PARAMETER"
+><I
+> password level</I
+></TT
+> is set to 1, the following combinations
+ would be tried if "FRED" failed:</P
+><P
+>"Fred", "fred", "fRed", "frEd","freD"</P
+><P
+>If <TT
+CLASS="PARAMETER"
+><I
+>password level</I
+></TT
+> was set to 2,
+ the following combinations would also be tried: </P
+><P
+>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</P
+><P
+>And so on.</P
+><P
+>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</P
+><P
+>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>password level = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>password level = 4</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWORDSERVER"
+></A
+>password server (G)</DT
+><DD
+><P
+>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <B
+CLASS="COMMAND"
+>security = domain
+ </B
+> or <B
+CLASS="COMMAND"
+>security = server</B
+> you can get Samba
+ to do all its username/password validation via a remote server.</P
+><P
+>This option sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its Internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.</P
+><P
+>The name of the password server is looked up using the
+ parameter <A
+HREF="#NAMERESOLVEORDER"
+><TT
+CLASS="PARAMETER"
+><I
+>name
+ resolve order</I
+></TT
+></A
+> and so may resolved
+ by any method and order described in that parameter.</P
+><P
+>The password server much be a machine capable of using
+ the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
+ user level security mode.</P
+><P
+><EM
+>NOTE:</EM
+> Using a password server
+ means your UNIX box (running Samba) is only as secure as your
+ password server. <EM
+>DO NOT CHOOSE A PASSWORD SERVER THAT
+ YOU DON'T COMPLETELY TRUST</EM
+>.</P
+><P
+>Never point a Samba server at itself for password
+ serving. This will cause a loop and could lock up your Samba
+ server!</P
+><P
+>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <TT
+CLASS="PARAMETER"
+><I
+>%m
+ </I
+></TT
+>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts allow!</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+> parameter is set to
+ <TT
+CLASS="CONSTANT"
+>domain</TT
+>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is effectively
+ in that domain, and will use cryptographically authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <B
+CLASS="COMMAND"
+> security = domain</B
+> is that if you list several hosts in the
+ <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> option then <B
+CLASS="COMMAND"
+>smbd
+ </B
+> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <TT
+CLASS="CONSTANT"
+>WORKGROUP&#60;1C&#62;</TT
+>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+> parameter is
+ set to <TT
+CLASS="CONSTANT"
+>server</TT
+>, then there are different
+ restrictions that <B
+CLASS="COMMAND"
+>security = domain</B
+> doesn't
+ suffer from:</P
+><P
+></P
+><UL
+><LI
+><P
+>You may list several password servers in
+ the <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> parameter, however if an
+ <B
+CLASS="COMMAND"
+>smbd</B
+> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <B
+CLASS="COMMAND"
+>smbd</B
+>. This is a
+ restriction of the SMB/CIFS protocol when in <B
+CLASS="COMMAND"
+>security = server
+ </B
+> mode and cannot be fixed in Samba.</P
+></LI
+><LI
+><P
+>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <B
+CLASS="COMMAND"
+> security = server</B
+> mode the network logon will appear to
+ come from there rather than from the users workstation.</P
+></LI
+></UL
+><P
+>See also the <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+>security
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>password server = &#60;empty string&#62;</B
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>password server = NT-PDC, NT-BDC1, NT-BDC2
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>password server = *</B
+></P
+></DD
+><DT
+><A
+NAME="PATH"
+></A
+>path (S)</DT
+><DD
+><P
+>This parameter specifies a directory to which
+ the user of the service is to be given access. In the case of
+ printable services, this is where print data will spool prior to
+ being submitted to the host for printing.</P
+><P
+>For a printable service offering guest access, the service
+ should be readonly and the path should be world-writeable and
+ have the sticky bit set. This is not mandatory of course, but
+ you probably won't get the results you expect if you do
+ otherwise.</P
+><P
+>Any occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+> in the path
+ will be replaced with the UNIX username that the client is using
+ on this connection. Any occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%m</I
+></TT
+>
+ will be replaced by the NetBIOS name of the machine they are
+ connecting from. These replacements are very useful for setting
+ up pseudo home directories for users.</P
+><P
+>Note that this path will be based on <A
+HREF="#ROOTDIR"
+> <TT
+CLASS="PARAMETER"
+><I
+>root dir</I
+></TT
+></A
+> if one was specified.</P
+><P
+>Default: <EM
+>none</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>path = /home/fred</B
+></P
+></DD
+><DT
+><A
+NAME="POSIXLOCKING"
+></A
+>posix locking (S)</DT
+><DD
+><P
+>The <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>
+ daemon maintains an database of file locks obtained by SMB clients.
+ The default behavior is to map this internal database to POSIX
+ locks. This means that file locks obtained by SMB clients are
+ consistent with those seen by POSIX compliant applications accessing
+ the files via a non-SMB method (e.g. NFS or local file access).
+ You should never need to disable this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>posix locking = yes</B
+></P
+></DD
+><DT
+><A
+NAME="POSTEXEC"
+></A
+>postexec (S)</DT
+><DD
+><P
+>This option specifies a command to be run
+ whenever the service is disconnected. It takes the usual
+ substitutions. The command may be run as the root on some
+ systems.</P
+><P
+>An interesting example may be to unmount server
+ resources:</P
+><P
+><B
+CLASS="COMMAND"
+>postexec = /etc/umount /cdrom</B
+></P
+><P
+>See also <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <EM
+>none (no command executed)</EM
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>postexec = echo \"%u disconnected from %S
+ from %m (%I)\" &#62;&#62; /tmp/log</B
+></P
+></DD
+><DT
+><A
+NAME="POSTSCRIPT"
+></A
+>postscript (S)</DT
+><DD
+><P
+>This parameter forces a printer to interpret
+ the print files as PostScript. This is done by adding a <TT
+CLASS="CONSTANT"
+>%!
+ </TT
+> to the start of print output.</P
+><P
+>This is most useful when you have lots of PCs that persist
+ in putting a control-D at the start of print jobs, which then
+ confuses your printer.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>postscript = no</B
+></P
+></DD
+><DT
+><A
+NAME="PREEXEC"
+></A
+>preexec (S)</DT
+><DD
+><P
+>This option specifies a command to be run whenever
+ the service is connected to. It takes the usual substitutions.</P
+><P
+>An interesting example is to send the users a welcome
+ message every time they log in. Maybe a message of the day? Here
+ is an example:</P
+><P
+><B
+CLASS="COMMAND"
+>preexec = csh -c 'echo \"Welcome to %S!\" |
+ /usr/local/samba/bin/smbclient -M %m -I %I' &#38; </B
+></P
+><P
+>Of course, this could get annoying after a while :-)</P
+><P
+>See also <A
+HREF="#PREEXECCLOSE"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec close
+ </I
+></TT
+></A
+> and <A
+HREF="#POSTEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>postexec
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>none (no command executed)</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>preexec = echo \"%u connected to %S from %m
+ (%I)\" &#62;&#62; /tmp/log</B
+></P
+></DD
+><DT
+><A
+NAME="PREEXECCLOSE"
+></A
+>preexec close (S)</DT
+><DD
+><P
+>This boolean option controls whether a non-zero
+ return code from <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec
+ </I
+></TT
+></A
+> should close the service being connected to.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>preexec close = no</B
+></P
+></DD
+><DT
+><A
+NAME="PREFERREDMASTER"
+></A
+>preferred master (G)</DT
+><DD
+><P
+>This boolean parameter controls if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> is a preferred master browser
+ for its workgroup.</P
+><P
+>If this is set to <TT
+CLASS="CONSTANT"
+>true</TT
+>, on startup, <B
+CLASS="COMMAND"
+>nmbd</B
+>
+ will force an election, and it will have a slight advantage in
+ winning the election. It is recommended that this parameter is
+ used in conjunction with <B
+CLASS="COMMAND"
+><A
+HREF="#DOMAINMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+> domain master</I
+></TT
+></A
+> = yes</B
+>, so that <B
+CLASS="COMMAND"
+> nmbd</B
+> can guarantee becoming a domain master.</P
+><P
+>Use this option with caution, because if there are several
+ hosts (whether Samba servers, Windows 95 or NT) that are preferred
+ master browsers on the same subnet, they will each periodically
+ and continuously attempt to become the local master browser.
+ This will result in unnecessary broadcast traffic and reduced browsing
+ capabilities.</P
+><P
+>See also <A
+HREF="#OSLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>os level</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>preferred master = auto</B
+></P
+></DD
+><DT
+><A
+NAME="PREFEREDMASTER"
+></A
+>prefered master (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PREFERREDMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+> preferred master</I
+></TT
+></A
+> for people who cannot spell :-).</P
+></DD
+><DT
+><A
+NAME="PRELOAD"
+></A
+>preload</DT
+><DD
+><P
+>This is a list of services that you want to be
+ automatically added to the browse lists. This is most useful
+ for homes and printers services that would otherwise not be
+ visible.</P
+><P
+>Note that if you just want all printers in your
+ printcap file loaded then the <A
+HREF="#LOADPRINTERS"
+> <TT
+CLASS="PARAMETER"
+><I
+>load printers</I
+></TT
+></A
+> option is easier.</P
+><P
+>Default: <EM
+>no preloaded services</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>preload = fred lp colorlp</B
+></P
+></DD
+><DT
+><A
+NAME="PRESERVECASE"
+></A
+>preserve case (S)</DT
+><DD
+><P
+> This controls if new filenames are created
+ with the case that the client passes, or if they are forced to
+ be the <A
+HREF="#DEFAULTCASE"
+><TT
+CLASS="PARAMETER"
+><I
+>default case
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>preserve case = yes</B
+></P
+><P
+>See the section on <A
+HREF="#AEN203"
+>NAME
+ MANGLING</A
+> for a fuller discussion.</P
+></DD
+><DT
+><A
+NAME="PRINTCOMMAND"
+></A
+>print command (S)</DT
+><DD
+><P
+>After a print job has finished spooling to
+ a service, this command will be used via a <B
+CLASS="COMMAND"
+>system()</B
+>
+ call to process the spool file. Typically the command specified will
+ submit the spool file to the host's printing subsystem, but there
+ is no requirement that this be the case. The server will not remove
+ the spool file, so whatever command you specify should remove the
+ spool file when it has been processed, otherwise you will need to
+ manually remove old spool files.</P
+><P
+>The print command is simply a text string. It will be used
+ verbatim, with two exceptions: All occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%s
+ </I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>%f</I
+></TT
+> will be replaced by the
+ appropriate spool file name, and all occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%p
+ </I
+></TT
+> will be replaced by the appropriate printer name. The
+ spool file name is generated automatically by the server. The
+ <TT
+CLASS="PARAMETER"
+><I
+>%J</I
+></TT
+> macro can be used to access the job
+ name as transmitted by the client.</P
+><P
+>The print command <EM
+>MUST</EM
+> contain at least
+ one occurrence of <TT
+CLASS="PARAMETER"
+><I
+>%s</I
+></TT
+> or <TT
+CLASS="PARAMETER"
+><I
+>%f
+ </I
+></TT
+> - the <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is optional. At the time
+ a job is submitted, if no printer name is supplied the <TT
+CLASS="PARAMETER"
+><I
+>%p
+ </I
+></TT
+> will be silently removed from the printer command.</P
+><P
+>If specified in the [global] section, the print command given
+ will be used for any printable service that does not have its own
+ print command specified.</P
+><P
+>If there is neither a specified print command for a
+ printable service nor a global print command, spool files will
+ be created but not processed and (most importantly) not removed.</P
+><P
+>Note that printing may fail on some UNIXes from the
+ <TT
+CLASS="CONSTANT"
+>nobody</TT
+> account. If this happens then create
+ an alternative guest account that can print and set the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>
+ in the [global] section.</P
+><P
+>You can form quite complex print commands by realizing
+ that they are just passed to a shell. For example the following
+ will log a print job, print the file, then remove it. Note that
+ ';' is the usual separator for command in shell scripts.</P
+><P
+><B
+CLASS="COMMAND"
+>print command = echo Printing %s &#62;&#62;
+ /tmp/print.log; lpr -P %p %s; rm %s</B
+></P
+><P
+>You may have to vary this command considerably depending
+ on how you normally print files on your system. The default for
+ the parameter varies depending on the setting of the <A
+HREF="#PRINTING"
+> <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: For <B
+CLASS="COMMAND"
+>printing = BSD, AIX, QNX, LPRNG
+ or PLP :</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>print command = lpr -r -P%p %s</B
+></P
+><P
+>For <B
+CLASS="COMMAND"
+>printing = SYSV or HPUX :</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>print command = lp -c -d%p %s; rm %s</B
+></P
+><P
+>For <B
+CLASS="COMMAND"
+>printing = SOFTQ :</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>print command = lp -d%p -s %s; rm %s</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>print command = /usr/local/samba/bin/myprintscript
+ %p %s</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTOK"
+></A
+>print ok (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PRINTABLE"
+> <TT
+CLASS="PARAMETER"
+><I
+>printable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PRINTABLE"
+></A
+>printable (S)</DT
+><DD
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>yes</TT
+>, then
+ clients may open, write to and submit spool files on the directory
+ specified for the service. </P
+><P
+>Note that a printable service will ALWAYS allow writing
+ to the service path (user privileges permitting) via the spooling
+ of print data. The <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable
+ </I
+></TT
+></A
+> parameter controls only non-printing access to
+ the resource.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>printable = no</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTCAP"
+></A
+>printcap (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PRINTCAPNAME"
+><TT
+CLASS="PARAMETER"
+><I
+> printcap name</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PRINTCAPNAME"
+></A
+>printcap name (G)</DT
+><DD
+><P
+>This parameter may be used to override the
+ compiled-in default printcap name used by the server (usually <TT
+CLASS="FILENAME"
+> /etc/printcap</TT
+>). See the discussion of the <A
+HREF="#AEN79"
+>[printers]</A
+> section above for reasons
+ why you might want to do this.</P
+><P
+>On System V systems that use <B
+CLASS="COMMAND"
+>lpstat</B
+> to
+ list available printers you can use <B
+CLASS="COMMAND"
+>printcap name = lpstat
+ </B
+> to automatically obtain lists of available printers. This
+ is the default for systems that define SYSV at configure time in
+ Samba (this includes most System V based systems). If <TT
+CLASS="PARAMETER"
+><I
+> printcap name</I
+></TT
+> is set to <B
+CLASS="COMMAND"
+>lpstat</B
+> on
+ these systems then Samba will launch <B
+CLASS="COMMAND"
+>lpstat -v</B
+> and
+ attempt to parse the output to obtain a printer list.</P
+><P
+>A minimal printcap file would look something like this:</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+> print1|My Printer 1
+ print2|My Printer 2
+ print3|My Printer 3
+ print4|My Printer 4
+ print5|My Printer 5
+ </PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>where the '|' separates aliases of a printer. The fact
+ that the second alias has a space in it gives a hint to Samba
+ that it's a comment.</P
+><P
+><EM
+>NOTE</EM
+>: Under AIX the default printcap
+ name is <TT
+CLASS="FILENAME"
+>/etc/qconfig</TT
+>. Samba will assume the
+ file is in AIX <TT
+CLASS="FILENAME"
+>qconfig</TT
+> format if the string
+ <TT
+CLASS="FILENAME"
+>qconfig</TT
+> appears in the printcap filename.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>printcap name = /etc/printcap</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printcap name = /etc/myprintcap</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERADMIN"
+></A
+>printer admin (S)</DT
+><DD
+><P
+>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MS-RPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>printer admin = &#60;empty string&#62;</B
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer admin = admin, @staff</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERDRIVER"
+></A
+>printer driver (S)</DT
+><DD
+><P
+><EM
+>Note :</EM
+>This is a deprecated
+ parameter and will be removed in the next major release
+ following version 2.2. Please see the instructions in
+ the <A
+HREF="printer_driver2.html"
+TARGET="_top"
+>Samba 2.2. Printing
+ HOWTO</A
+> for more information
+ on the new method of loading printer drivers onto a Samba server.
+ </P
+><P
+>This option allows you to control the string
+ that clients receive when they ask the server for the printer driver
+ associated with a printer. If you are using Windows95 or Windows NT
+ then you can use this to automate the setup of printers on your
+ system.</P
+><P
+>You need to set this parameter to the exact string (case
+ sensitive) that describes the appropriate printer driver for your
+ system. If you don't know the exact string to use then you should
+ first try with no <A
+HREF="#PRINTERDRIVER"
+><TT
+CLASS="PARAMETER"
+><I
+> printer driver</I
+></TT
+></A
+> option set and the client will
+ give you a list of printer drivers. The appropriate strings are
+ shown in a scroll box after you have chosen the printer manufacturer.</P
+><P
+>See also <A
+HREF="#PRINTERDRIVERFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>printer
+ driver file</I
+></TT
+></A
+>.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer driver = HP LaserJet 4L</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERDRIVERFILE"
+></A
+>printer driver file (G)</DT
+><DD
+><P
+><EM
+>Note :</EM
+>This is a deprecated
+ parameter and will be removed in the next major release
+ following version 2.2. Please see the instructions in
+ the <A
+HREF="printer_driver2.html"
+TARGET="_top"
+>Samba 2.2. Printing
+ HOWTO</A
+> for more information
+ on the new method of loading printer drivers onto a Samba server.
+ </P
+><P
+>This parameter tells Samba where the printer driver
+ definition file, used when serving drivers to Windows 95 clients, is
+ to be found. If this is not set, the default is :</P
+><P
+><TT
+CLASS="FILENAME"
+><TT
+CLASS="REPLACEABLE"
+><I
+>SAMBA_INSTALL_DIRECTORY</I
+></TT
+>
+ /lib/printers.def</TT
+></P
+><P
+>This file is created from Windows 95 <TT
+CLASS="FILENAME"
+>msprint.inf
+ </TT
+> files found on the Windows 95 client system. For more
+ details on setting up serving of printer drivers to Windows 95
+ clients, see the outdated documentation file in the <TT
+CLASS="FILENAME"
+>docs/</TT
+>
+ directory, <TT
+CLASS="FILENAME"
+>PRINTER_DRIVER.txt</TT
+>.</P
+><P
+>See also <A
+HREF="#PRINTERDRIVERLOCATION"
+><TT
+CLASS="PARAMETER"
+><I
+> printer driver location</I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>None (set in compile).</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer driver file =
+ /usr/local/samba/printers/drivers.def</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERDRIVERLOCATION"
+></A
+>printer driver location (S)</DT
+><DD
+><P
+><EM
+>Note :</EM
+>This is a deprecated
+ parameter and will be removed in the next major release
+ following version 2.2. Please see the instructions in
+ the <A
+HREF="printer_driver2.html"
+TARGET="_top"
+>Samba 2.2. Printing
+ HOWTO</A
+> for more information
+ on the new method of loading printer drivers onto a Samba server.
+ </P
+><P
+>This parameter tells clients of a particular printer
+ share where to find the printer driver files for the automatic
+ installation of drivers for Windows 95 machines. If Samba is set up
+ to serve printer drivers to Windows 95 machines, this should be set to</P
+><P
+><B
+CLASS="COMMAND"
+>\\MACHINE\PRINTER$</B
+></P
+><P
+>Where MACHINE is the NetBIOS name of your Samba server,
+ and PRINTER$ is a share you set up for serving printer driver
+ files. For more details on setting this up see the outdated documentation
+ file in the <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory, <TT
+CLASS="FILENAME"
+> PRINTER_DRIVER.txt</TT
+>.</P
+><P
+>See also <A
+HREF="#PRINTERDRIVERFILE"
+><TT
+CLASS="PARAMETER"
+><I
+> printer driver file</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>none</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer driver location = \\MACHINE\PRINTER$
+ </B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERNAME"
+></A
+>printer name (S)</DT
+><DD
+><P
+>This parameter specifies the name of the printer
+ to which print jobs spooled through a printable service will be sent.</P
+><P
+>If specified in the [global] section, the printer
+ name given will be used for any printable service that does
+ not have its own printer name specified.</P
+><P
+>Default: <EM
+>none (but may be <TT
+CLASS="CONSTANT"
+>lp</TT
+>
+ on many systems)</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer name = laserwriter</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTER"
+></A
+>printer (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PRINTERNAME"
+><TT
+CLASS="PARAMETER"
+><I
+> printer name</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PRINTING"
+></A
+>printing (S)</DT
+><DD
+><P
+>This parameters controls how printer status
+ information is interpreted on your system. It also affects the
+ default values for the <TT
+CLASS="PARAMETER"
+><I
+>print command</I
+></TT
+>,
+ <TT
+CLASS="PARAMETER"
+><I
+>lpq command</I
+></TT
+>, <TT
+CLASS="PARAMETER"
+><I
+>lppause command
+ </I
+></TT
+>, <TT
+CLASS="PARAMETER"
+><I
+>lpresume command</I
+></TT
+>, and
+ <TT
+CLASS="PARAMETER"
+><I
+>lprm command</I
+></TT
+> if specified in the
+ [global] section.</P
+><P
+>Currently nine printing styles are supported. They are
+ <TT
+CLASS="CONSTANT"
+>BSD</TT
+>, <TT
+CLASS="CONSTANT"
+>AIX</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>LPRNG</TT
+>, <TT
+CLASS="CONSTANT"
+>PLP</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>SYSV</TT
+>, <TT
+CLASS="CONSTANT"
+>HPUX</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>QNX</TT
+>, <TT
+CLASS="CONSTANT"
+>SOFTQ</TT
+>,
+ and <TT
+CLASS="CONSTANT"
+>CUPS</TT
+>.</P
+><P
+>To see what the defaults are for the other print
+ commands when using the various options use the <A
+HREF="testparm.1.html"
+TARGET="_top"
+>testparm(1)</A
+> program.</P
+><P
+>This option can be set on a per printer basis</P
+><P
+>See also the discussion in the <A
+HREF="#AEN79"
+> [printers]</A
+> section.</P
+></DD
+><DT
+><A
+NAME="PRIVATEDIR"
+></A
+>private dir (G)</DT
+><DD
+><P
+>This parameters defines the directory
+ smbd will use for storing such files as <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+>
+ and <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+>.
+ </P
+><P
+>Default :<B
+CLASS="COMMAND"
+>private dir = ${prefix}/private</B
+></P
+></DD
+><DT
+><A
+NAME="PROTOCOL"
+></A
+>protocol (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#MAXPROTOCOL"
+> <TT
+CLASS="PARAMETER"
+><I
+>max protocol</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PUBLIC"
+></A
+>public (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#GUESTOK"
+><TT
+CLASS="PARAMETER"
+><I
+>guest
+ ok</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="QUEUEPAUSECOMMAND"
+></A
+>queuepause command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to pause the printer queue.</P
+><P
+>This command should be a program or script which takes
+ a printer name as its only parameter and stops the printer queue,
+ such that no longer jobs are submitted to the printer.</P
+><P
+>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printers window under Windows 95
+ and NT.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the command.
+ </P
+><P
+>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</P
+><P
+>Default: <EM
+>depends on the setting of <TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>queuepause command = disable %p</B
+></P
+></DD
+><DT
+><A
+NAME="QUEUERESUMECOMMAND"
+></A
+>queueresume command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to resume the printer queue. It
+ is the command to undo the behavior that is caused by the
+ previous parameter (<A
+HREF="#QUEUEPAUSECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+> queuepause command</I
+></TT
+></A
+>).</P
+><P
+>This command should be a program or script which takes
+ a printer name as its only parameter and resumes the printer queue,
+ such that queued jobs are resubmitted to the printer.</P
+><P
+>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printers window under Windows 95
+ and NT.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printer name
+ is put in its place. Otherwise it is placed at the end of the
+ command.</P
+><P
+>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</P
+><P
+>Default: <EM
+>depends on the setting of <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+></EM
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>queuepause command = enable %p
+ </B
+></P
+></DD
+><DT
+><A
+NAME="READBMPX"
+></A
+>read bmpx (G)</DT
+><DD
+><P
+>This boolean parameter controls whether <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will support the "Read
+ Block Multiplex" SMB. This is now rarely used and defaults to
+ <TT
+CLASS="CONSTANT"
+>no</TT
+>. You should never need to set this
+ parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read bmpx = no</B
+></P
+></DD
+><DT
+><A
+NAME="READLIST"
+></A
+>read list (S)</DT
+><DD
+><P
+>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+></A
+>
+ option is set to. The list can include group names using the
+ syntax described in the <A
+HREF="#INVALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+> invalid users</I
+></TT
+></A
+> parameter.</P
+><P
+>See also the <A
+HREF="#WRITELIST"
+><TT
+CLASS="PARAMETER"
+><I
+> write list</I
+></TT
+></A
+> parameter and the <A
+HREF="#INVALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>invalid users</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read list = &#60;empty string&#62;</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>read list = mary, @students</B
+></P
+></DD
+><DT
+><A
+NAME="READONLY"
+></A
+>read only (S)</DT
+><DD
+><P
+>Note that this is an inverted synonym for <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="READRAW"
+></A
+>read raw (G)</DT
+><DD
+><P
+>This parameter controls whether or not the server
+ will support the raw read SMB requests when transferring data
+ to clients.</P
+><P
+>If enabled, raw reads allow reads of 65535 bytes in
+ one packet. This typically provides a major performance benefit.
+ </P
+><P
+>However, some clients either negotiate the allowable
+ block size incorrectly or are incapable of supporting larger block
+ sizes, and for these clients you may need to disable raw reads.</P
+><P
+>In general this parameter should be viewed as a system tuning
+ tool and left severely alone. See also <A
+HREF="#WRITERAW"
+> <TT
+CLASS="PARAMETER"
+><I
+>write raw</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read raw = yes</B
+></P
+></DD
+><DT
+><A
+NAME="READSIZE"
+></A
+>read size (G)</DT
+><DD
+><P
+>The option <TT
+CLASS="PARAMETER"
+><I
+>read size</I
+></TT
+>
+ affects the overlap of disk reads/writes with network reads/writes.
+ If the amount of data being transferred in several of the SMB
+ commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+ than this value then the server begins writing the data before it
+ has received the whole packet from the network, or in the case of
+ SMBreadbraw, it begins writing to the network before all the data
+ has been read from disk.</P
+><P
+>This overlapping works best when the speeds of disk and
+ network access are similar, having very little effect when the
+ speed of one is much greater than the other.</P
+><P
+>The default value is 16384, but very little experimentation
+ has been done yet to determine the optimal value, and it is likely
+ that the best value will vary greatly between systems anyway.
+ A value over 65536 is pointless and will cause you to allocate
+ memory unnecessarily.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read size = 16384</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>read size = 8192</B
+></P
+></DD
+><DT
+><A
+NAME="REMOTEANNOUNCE"
+></A
+>remote announce (G)</DT
+><DD
+><P
+>This option allows you to setup <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> to periodically announce itself
+ to arbitrary IP addresses with an arbitrary workgroup name.</P
+><P
+>This is useful if you want your Samba server to appear
+ in a remote workgroup for which the normal browse propagation
+ rules don't work. The remote workgroup can be anywhere that you
+ can send IP packets to.</P
+><P
+>For example:</P
+><P
+><B
+CLASS="COMMAND"
+>remote announce = 192.168.2.255/SERVERS
+ 192.168.4.255/STAFF</B
+></P
+><P
+>the above line would cause <B
+CLASS="COMMAND"
+>nmbd</B
+> to announce itself
+ to the two given IP addresses using the given workgroup names.
+ If you leave out the workgroup name then the one given in
+ the <A
+HREF="#WORKGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+></A
+>
+ parameter is used instead.</P
+><P
+>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable.</P
+><P
+>See the documentation file <TT
+CLASS="FILENAME"
+>BROWSING.txt</TT
+>
+ in the <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>remote announce = &#60;empty string&#62;
+ </B
+></P
+></DD
+><DT
+><A
+NAME="REMOTEBROWSESYNC"
+></A
+>remote browse sync (G)</DT
+><DD
+><P
+>This option allows you to setup <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> to periodically request
+ synchronization of browse lists with the master browser of a Samba
+ server that is on a remote segment. This option will allow you to
+ gain browse lists for multiple workgroups across routed networks. This
+ is done in a manner that does not work with any non-Samba servers.</P
+><P
+>This is useful if you want your Samba server and all local
+ clients to appear in a remote workgroup for which the normal browse
+ propagation rules don't work. The remote workgroup can be anywhere
+ that you can send IP packets to.</P
+><P
+>For example:</P
+><P
+><B
+CLASS="COMMAND"
+>remote browse sync = 192.168.2.255 192.168.4.255
+ </B
+></P
+><P
+>the above line would cause <B
+CLASS="COMMAND"
+>nmbd</B
+> to request
+ the master browser on the specified subnets or addresses to
+ synchronize their browse lists with the local server.</P
+><P
+>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable. If
+ a machine IP address is given Samba makes NO attempt to validate
+ that the remote machine is available, is listening, nor that it
+ is in fact the browse master on its segment.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>remote browse sync = &#60;empty string&#62;
+ </B
+></P
+></DD
+><DT
+><A
+NAME="RESTRICTANONYMOUS"
+></A
+>restrict anonymous (G)</DT
+><DD
+><P
+>This is a boolean parameter. If it is <TT
+CLASS="CONSTANT"
+>true</TT
+>, then
+ anonymous access to the server will be restricted, namely in the
+ case where the server is expecting the client to send a username,
+ but it doesn't. Setting it to <TT
+CLASS="CONSTANT"
+>true</TT
+> will force these anonymous
+ connections to be denied, and the client will be required to always
+ supply a username and password when connecting. Use of this parameter
+ is only recommended for homogeneous NT client environments.</P
+><P
+>This parameter makes the use of macro expansions that rely
+ on the username (%U, %G, etc) consistent. NT 4.0
+ likes to use anonymous connections when refreshing the share list,
+ and this is a way to work around that.</P
+><P
+>When restrict anonymous is <TT
+CLASS="CONSTANT"
+>true</TT
+>, all anonymous connections
+ are denied no matter what they are for. This can effect the ability
+ of a machine to access the Samba Primary Domain Controller to revalidate
+ its machine account after someone else has logged on the client
+ interactively. The NT client will display a message saying that
+ the machine's account in the domain doesn't exist or the password is
+ bad. The best way to deal with this is to reboot NT client machines
+ between interactive logons, using "Shutdown and Restart", rather
+ than "Close all programs and logon as a different user".</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>restrict anonymous = no</B
+></P
+></DD
+><DT
+><A
+NAME="ROOT"
+></A
+>root (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#ROOTDIRECTORY"
+> <TT
+CLASS="PARAMETER"
+><I
+>root directory"</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ROOTDIR"
+></A
+>root dir (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#ROOTDIRECTORY"
+> <TT
+CLASS="PARAMETER"
+><I
+>root directory"</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ROOTDIRECTORY"
+></A
+>root directory (G)</DT
+><DD
+><P
+>The server will <B
+CLASS="COMMAND"
+>chroot()</B
+> (i.e.
+ Change its root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use ".." in file names
+ to access other directories (depending on the setting of the <A
+HREF="#WIDELINKS"
+><TT
+CLASS="PARAMETER"
+><I
+>wide links</I
+></TT
+></A
+>
+ parameter).</P
+><P
+>Adding a <TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+> entry other
+ than "/" adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+>
+ option, <EM
+>including</EM
+> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+> tree. In particular
+ you will need to mirror <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>root directory = /</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>root directory = /homes/smb</B
+></P
+></DD
+><DT
+><A
+NAME="ROOTPOSTEXEC"
+></A
+>root postexec (S)</DT
+><DD
+><P
+>This is the same as the <TT
+CLASS="PARAMETER"
+><I
+>postexec</I
+></TT
+>
+ parameter except that the command is run as root. This
+ is useful for unmounting filesystems
+ (such as CDROMs) after a connection is closed.</P
+><P
+>See also <A
+HREF="#POSTEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+> postexec</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>root postexec = &#60;empty string&#62;
+ </B
+></P
+></DD
+><DT
+><A
+NAME="ROOTPREEXEC"
+></A
+>root preexec (S)</DT
+><DD
+><P
+>This is the same as the <TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+>
+ parameter except that the command is run as root. This
+ is useful for mounting filesystems (such as CDROMs) when a
+ connection is opened.</P
+><P
+>See also <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+> preexec</I
+></TT
+></A
+> and <A
+HREF="#PREEXECCLOSE"
+> <TT
+CLASS="PARAMETER"
+><I
+>preexec close</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>root preexec = &#60;empty string&#62;
+ </B
+></P
+></DD
+><DT
+><A
+NAME="ROOTPREEXECCLOSE"
+></A
+>root preexec close (S)</DT
+><DD
+><P
+>This is the same as the <TT
+CLASS="PARAMETER"
+><I
+>preexec close
+ </I
+></TT
+> parameter except that the command is run as root.</P
+><P
+>See also <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+> preexec</I
+></TT
+></A
+> and <A
+HREF="#PREEXECCLOSE"
+> <TT
+CLASS="PARAMETER"
+><I
+>preexec close</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>root preexec close = no</B
+></P
+></DD
+><DT
+><A
+NAME="SECURITY"
+></A
+>security (G)</DT
+><DD
+><P
+>This option affects how clients respond to
+ Samba and is one of the most important settings in the <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> file.</P
+><P
+>The option sets the "security mode bit" in replies to
+ protocol negotiations with <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)
+ </A
+> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</P
+><P
+>The default is <B
+CLASS="COMMAND"
+>security = user</B
+>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</P
+><P
+>The alternatives are <B
+CLASS="COMMAND"
+>security = share</B
+>,
+ <B
+CLASS="COMMAND"
+>security = server</B
+> or <B
+CLASS="COMMAND"
+>security = domain
+ </B
+>.</P
+><P
+>In versions of Samba prior to 2.0.0, the default was
+ <B
+CLASS="COMMAND"
+>security = share</B
+> mainly because that was
+ the only option at one stage.</P
+><P
+>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the "connect
+ drive" dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</P
+><P
+>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <B
+CLASS="COMMAND"
+>security = user</B
+>. If you mostly use usernames
+ that don't exist on the UNIX box then use <B
+CLASS="COMMAND"
+>security =
+ share</B
+>.</P
+><P
+>You should also use <B
+CLASS="COMMAND"
+>security = share</B
+> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <B
+CLASS="COMMAND"
+>security = user</B
+>, see
+ the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+>parameter for details.</P
+><P
+>It is possible to use <B
+CLASS="COMMAND"
+>smbd</B
+> in a <EM
+> hybrid mode</EM
+> where it is offers both user and share
+ level security under different <A
+HREF="#NETBIOSALIASES"
+> <TT
+CLASS="PARAMETER"
+><I
+>NetBIOS aliases</I
+></TT
+></A
+>. </P
+><P
+>The different settings will now be explained.</P
+><P
+><A
+NAME="SECURITYEQUALSSHARE"
+></A
+><EM
+>SECURITY = SHARE
+ </EM
+></P
+><P
+>When clients connect to a share level security server they
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <B
+CLASS="COMMAND"
+>security = share
+ </B
+> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</P
+><P
+>Note that <B
+CLASS="COMMAND"
+>smbd</B
+> <EM
+>ALWAYS</EM
+>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <B
+CLASS="COMMAND"
+>security = share</B
+> level security.</P
+><P
+>As clients are not required to send a username to the server
+ in share level security, <B
+CLASS="COMMAND"
+>smbd</B
+> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</P
+><P
+>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</P
+><P
+></P
+><UL
+><LI
+><P
+>If the <A
+HREF="#GUESTONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>guest
+ only</I
+></TT
+></A
+> parameter is set, then all the other
+ stages are missed and only the <A
+HREF="#GUESTACCOUNT"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+> username is checked.
+ </P
+></LI
+><LI
+><P
+>Is a username is sent with the share connection
+ request, then this username (after mapping - see <A
+HREF="#USERNAMEMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>username map</I
+></TT
+></A
+>),
+ is added as a potential username.</P
+></LI
+><LI
+><P
+>If the client did a previous <EM
+>logon
+ </EM
+> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </P
+></LI
+><LI
+><P
+>The name of the service the client requested is
+ added as a potential username.</P
+></LI
+><LI
+><P
+>The NetBIOS name of the client is added to
+ the list as a potential username.</P
+></LI
+><LI
+><P
+>Any users on the <A
+HREF="#USER"
+><TT
+CLASS="PARAMETER"
+><I
+> user</I
+></TT
+></A
+> list are added as potential usernames.
+ </P
+></LI
+></UL
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+>, then this
+ guest user will be used, otherwise access is denied.</P
+><P
+>Note that it can be <EM
+>very</EM
+> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</P
+><P
+>See also the section <A
+HREF="#AEN236"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+><A
+NAME="SECURITYEQUALSUSER"
+></A
+><EM
+>SECURITY = USER
+ </EM
+></P
+><P
+>This is the default security setting in Samba 2.2.
+ With user-level security a client must first "log-on" with a
+ valid username and password (which can be mapped using the <A
+HREF="#USERNAMEMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>username map</I
+></TT
+></A
+>
+ parameter). Encrypted passwords (see the <A
+HREF="#ENCRYPTPASSWORDS"
+> <TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+></A
+> parameter) can also
+ be used in this security mode. Parameters such as <A
+HREF="#USER"
+> <TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+></A
+> and <A
+HREF="#GUESTONLY"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+></A
+> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</P
+><P
+><EM
+>Note</EM
+> that the name of the resource being
+ requested is <EM
+>not</EM
+> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>.
+ See the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+> parameter for details on doing this.</P
+><P
+>See also the section <A
+HREF="#AEN236"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+><A
+NAME="SECURITYEQUALSSERVER"
+></A
+><EM
+>SECURITY = SERVER
+ </EM
+></P
+><P
+>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <B
+CLASS="COMMAND"
+>security = user</B
+>, but note
+ that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid
+ <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+> file to check users against. See the
+ documentation file in the <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory
+ <TT
+CLASS="FILENAME"
+>ENCRYPTION.txt</TT
+> for details on how to set this
+ up.</P
+><P
+><EM
+>Note</EM
+> that from the client's point of
+ view <B
+CLASS="COMMAND"
+>security = server</B
+> is the same as <B
+CLASS="COMMAND"
+> security = user</B
+>. It only affects how the server deals
+ with the authentication, it does not in any way affect what the
+ client sees.</P
+><P
+><EM
+>Note</EM
+> that the name of the resource being
+ requested is <EM
+>not</EM
+> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>.
+ See the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+> parameter for details on doing this.</P
+><P
+>See also the section <A
+HREF="#AEN236"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+>See also the <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>password
+ server</I
+></TT
+></A
+> parameter and the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+><A
+NAME="SECURITYEQUALSDOMAIN"
+></A
+><EM
+>SECURITY = DOMAIN
+ </EM
+></P
+><P
+>This mode will only work correctly if <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+>smbpasswd(8)</A
+> has been used to add this
+ machine into a Windows NT Domain. It expects the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+>
+ </A
+> parameter to be set to <TT
+CLASS="CONSTANT"
+>true</TT
+>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</P
+><P
+><EM
+>Note</EM
+> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</P
+><P
+><EM
+>Note</EM
+> that from the client's point
+ of view <B
+CLASS="COMMAND"
+>security = domain</B
+> is the same as <B
+CLASS="COMMAND"
+>security = user
+ </B
+>. It only affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</P
+><P
+><EM
+>Note</EM
+> that the name of the resource being
+ requested is <EM
+>not</EM
+> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>.
+ See the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+> parameter for details on doing this.</P
+><P
+><EM
+>BUG:</EM
+> There is currently a bug in the
+ implementation of <B
+CLASS="COMMAND"
+>security = domain</B
+> with respect
+ to multi-byte character set usernames. The communication with a
+ Domain Controller must be done in UNICODE and Samba currently
+ does not widen multi-byte user names to UNICODE correctly, thus
+ a multi-byte username will not be recognized correctly at the
+ Domain Controller. This issue will be addressed in a future release.</P
+><P
+>See also the section <A
+HREF="#AEN236"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+>See also the <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>password
+ server</I
+></TT
+></A
+> parameter and the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>security = USER</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>security = DOMAIN</B
+></P
+></DD
+><DT
+><A
+NAME="SECURITYMASK"
+></A
+>security mask (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</P
+><P
+>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</P
+><P
+>If not set explicitly this parameter is 0777, allowing
+ a user to modify all the user/group/world permissions on a file.
+ </P
+><P
+><EM
+>Note</EM
+> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ "appliance" systems. Administrators of most normal systems will
+ probably want to leave it set to <TT
+CLASS="CONSTANT"
+>0777</TT
+>.</P
+><P
+>See also the <A
+HREF="#FORCEDIRECTORYSECURITYMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>force directory security mode</I
+></TT
+></A
+>,
+ <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory
+ security mask</I
+></TT
+></A
+>, <A
+HREF="#FORCESECURITYMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>security mask = 0777</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>security mask = 0770</B
+></P
+></DD
+><DT
+><A
+NAME="SERVERSTRING"
+></A
+>server string (G)</DT
+><DD
+><P
+>This controls what string will show up in the
+ printer comment box in print manager and next to the IPC connection
+ in <B
+CLASS="COMMAND"
+>net view</B
+>. It can be any string that you wish
+ to show to your users.</P
+><P
+>It also sets what will appear in browse lists next
+ to the machine name.</P
+><P
+>A <TT
+CLASS="PARAMETER"
+><I
+>%v</I
+></TT
+> will be replaced with the Samba
+ version number.</P
+><P
+>A <TT
+CLASS="PARAMETER"
+><I
+>%h</I
+></TT
+> will be replaced with the
+ hostname.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>server string = Samba %v</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>server string = University of GNUs Samba
+ Server</B
+></P
+></DD
+><DT
+><A
+NAME="SETDIRECTORY"
+></A
+>set directory (S)</DT
+><DD
+><P
+>If <B
+CLASS="COMMAND"
+>set directory = no</B
+>, then
+ users of the service may not use the setdir command to change
+ directory.</P
+><P
+>The <B
+CLASS="COMMAND"
+>setdir</B
+> command is only implemented
+ in the Digital Pathworks client. See the Pathworks documentation
+ for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>set directory = no</B
+></P
+></DD
+><DT
+><A
+NAME="SHORTPRESERVECASE"
+></A
+>short preserve case (S)</DT
+><DD
+><P
+>This boolean parameter controls if new files
+ which conform to 8.3 syntax, that is all in upper case and of
+ suitable length, are created upper case, or if they are forced
+ to be the <A
+HREF="#DEFAULTCASE"
+><TT
+CLASS="PARAMETER"
+><I
+>default case
+ </I
+></TT
+></A
+>. This option can be use with <A
+HREF="#PRESERVECASE"
+><B
+CLASS="COMMAND"
+>preserve case = yes</B
+>
+ </A
+> to permit long filenames to retain their case, while short
+ names are lowered. </P
+><P
+>See the section on <A
+HREF="#AEN203"
+> NAME MANGLING</A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>short preserve case = yes</B
+></P
+></DD
+><DT
+><A
+NAME="SHOWADDPRINTERWIZARD"
+></A
+>show add printer wizard (G)</DT
+><DD
+><P
+>With the introduction of MS-RPC based printing support
+ for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
+ appear on Samba hosts in the share listing. Normally this folder will
+ contain an icon for the MS Add Printer Wizard (APW). However, it is
+ possible to disable this feature regardless of the level of privilege
+ of the connected user.</P
+><P
+>Under normal circumstances, the Windows NT/2000 client will
+ open a handle on the printer server with OpenPrinterEx() asking for
+ Administrator privileges. If the user does not have administrative
+ access on the print server (i.e is not root or a member of the
+ <TT
+CLASS="PARAMETER"
+><I
+>printer admin</I
+></TT
+> group), the OpenPrinterEx()
+ call fails and the client makes another open call with a request for
+ a lower privilege level. This should succeed, however the APW
+ icon will not be displayed.</P
+><P
+>Disabling the <TT
+CLASS="PARAMETER"
+><I
+>show add printer wizard</I
+></TT
+>
+ parameter will always cause the OpenPrinterEx() on the server
+ to fail. Thus the APW icon will never be displayed. <EM
+> Note :</EM
+>This does not prevent the same user from having
+ administrative privilege on an individual printer.</P
+><P
+>See also <A
+HREF="#ADDPRINTERCOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>addprinter
+ command</I
+></TT
+></A
+>, <A
+HREF="#DELETEPRINTERCOMMAND"
+> <TT
+CLASS="PARAMETER"
+><I
+>deleteprinter command</I
+></TT
+></A
+>, <A
+HREF="#PRINTERADMIN"
+><TT
+CLASS="PARAMETER"
+><I
+>printer admin</I
+></TT
+></A
+></P
+><P
+>Default :<B
+CLASS="COMMAND"
+>show add printer wizard = yes</B
+></P
+></DD
+><DT
+><A
+NAME="SHUTDOWNSCRIPT"
+></A
+>shutdown script (G)</DT
+><DD
+><P
+><EM
+>This parameter only exists in the HEAD cvs branch</EM
+>
+ This a full path name to a script called by
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> that
+ should start a shutdown procedure.</P
+><P
+>This command will be run as the user connected to the
+ server.</P
+><P
+>%m %t %r %f parameters are expanded</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%m</I
+></TT
+> will be substituted with the
+ shutdown message sent to the server.</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%t</I
+></TT
+> will be substituted with the
+ number of seconds to wait before effectively starting the
+ shutdown procedure.</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%r</I
+></TT
+> will be substituted with the
+ switch <EM
+>-r</EM
+>. It means reboot after shutdown
+ for NT.
+ </P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%f</I
+></TT
+> will be substituted with the
+ switch <EM
+>-f</EM
+>. It means force the shutdown
+ even if applications do not respond for NT.</P
+><P
+>Default: <EM
+>None</EM
+>.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</B
+></P
+><P
+>Shutdown script example:
+ <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+> #!/bin/bash
+
+ $time=0
+ let "time/60"
+ let "time++"
+
+ /sbin/shutdown $3 $4 +$time $1 &#38;
+ </PRE
+></TD
+></TR
+></TABLE
+>
+ Shutdown does not return so we need to launch it in background.
+ </P
+><P
+>See also <A
+HREF="#ABORTSHUTDOWNSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>abort shutdown script</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="SMBPASSWDFILE"
+></A
+>smb passwd file (G)</DT
+><DD
+><P
+>This option sets the path to the encrypted
+ smbpasswd file. By default the path to the smbpasswd file
+ is compiled into Samba.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>smb passwd file = ${prefix}/private/smbpasswd
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>smb passwd file = /etc/samba/smbpasswd
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SOCKETADDRESS"
+></A
+>socket address (G)</DT
+><DD
+><P
+>This option allows you to control what
+ address Samba will listen for connections on. This is used to
+ support multiple virtual interfaces on the one server, each
+ with a different configuration.</P
+><P
+>By default Samba will accept connections on any
+ address.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>socket address = 192.168.2.20</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="SOCKETOPTIONS"
+></A
+>socket options (G)</DT
+><DD
+><P
+>This option allows you to set socket options
+ to be used when talking with the client.</P
+><P
+>Socket options are controls on the networking layer
+ of the operating systems which allow the connection to be
+ tuned.</P
+><P
+>This option will typically be used to tune your Samba
+ server for optimal performance for your local network. There is
+ no way that Samba can know what the optimal parameters are for
+ your net, so you must experiment and choose them yourself. We
+ strongly suggest you read the appropriate documentation for your
+ operating system first (perhaps <B
+CLASS="COMMAND"
+>man setsockopt</B
+>
+ will help).</P
+><P
+>You may find that on some systems Samba will say
+ "Unknown socket option" when you supply an option. This means you
+ either incorrectly typed it or you need to add an include file
+ to includes.h for your OS. If the latter is the case please
+ send the patch to <A
+HREF="mailto:samba@samba.org"
+TARGET="_top"
+> samba@samba.org</A
+>.</P
+><P
+>Any of the supported socket options may be combined
+ in any way you like, as long as your OS allows it.</P
+><P
+>This is the list of socket options currently settable
+ using this option:</P
+><P
+></P
+><UL
+><LI
+><P
+>SO_KEEPALIVE</P
+></LI
+><LI
+><P
+>SO_REUSEADDR</P
+></LI
+><LI
+><P
+>SO_BROADCAST</P
+></LI
+><LI
+><P
+>TCP_NODELAY</P
+></LI
+><LI
+><P
+>IPTOS_LOWDELAY</P
+></LI
+><LI
+><P
+>IPTOS_THROUGHPUT</P
+></LI
+><LI
+><P
+>SO_SNDBUF *</P
+></LI
+><LI
+><P
+>SO_RCVBUF *</P
+></LI
+><LI
+><P
+>SO_SNDLOWAT *</P
+></LI
+><LI
+><P
+>SO_RCVLOWAT *</P
+></LI
+></UL
+><P
+>Those marked with a <EM
+>'*'</EM
+> take an integer
+ argument. The others can optionally take a 1 or 0 argument to enable
+ or disable the option, by default they will be enabled if you
+ don't specify 1 or 0.</P
+><P
+>To specify an argument use the syntax SOME_OPTION = VALUE
+ for example <B
+CLASS="COMMAND"
+>SO_SNDBUF = 8192</B
+>. Note that you must
+ not have any spaces before or after the = sign.</P
+><P
+>If you are on a local network then a sensible option
+ might be</P
+><P
+><B
+CLASS="COMMAND"
+>socket options = IPTOS_LOWDELAY</B
+></P
+><P
+>If you have a local network then you could try:</P
+><P
+><B
+CLASS="COMMAND"
+>socket options = IPTOS_LOWDELAY TCP_NODELAY</B
+></P
+><P
+>If you are on a wide area network then perhaps try
+ setting IPTOS_THROUGHPUT. </P
+><P
+>Note that several of the options may cause your Samba
+ server to fail completely. Use these options with caution!</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>socket options = TCP_NODELAY</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>socket options = IPTOS_LOWDELAY</B
+></P
+></DD
+><DT
+><A
+NAME="SOURCEENVIRONMENT"
+></A
+>source environment (G)</DT
+><DD
+><P
+>This parameter causes Samba to set environment
+ variables as per the content of the file named.</P
+><P
+>If the value of this parameter starts with a "|" character
+ then Samba will treat that value as a pipe command to open and
+ will set the environment variables from the output of the pipe.</P
+><P
+>The contents of the file or the output of the pipe should
+ be formatted as the output of the standard Unix <B
+CLASS="COMMAND"
+>env(1)
+ </B
+> command. This is of the form :</P
+><P
+>Example environment entry:</P
+><P
+><B
+CLASS="COMMAND"
+>SAMBA_NETBIOS_NAME = myhostname</B
+></P
+><P
+>Default: <EM
+>No default value</EM
+></P
+><P
+>Examples: <B
+CLASS="COMMAND"
+>source environment = |/etc/smb.conf.sh
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>source environment =
+ /usr/local/smb_env_vars</B
+></P
+></DD
+><DT
+><A
+NAME="SSL"
+></A
+>ssl (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This variable enables or disables the entire SSL mode. If
+ it is set to <TT
+CLASS="CONSTANT"
+>no</TT
+>, the SSL-enabled Samba behaves
+ exactly like the non-SSL Samba. If set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>,
+ it depends on the variables <A
+HREF="#SSLHOSTS"
+><TT
+CLASS="PARAMETER"
+><I
+> ssl hosts</I
+></TT
+></A
+> and <A
+HREF="#SSLHOSTSRESIGN"
+> <TT
+CLASS="PARAMETER"
+><I
+>ssl hosts resign</I
+></TT
+></A
+> whether an SSL
+ connection will be required.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl = no</B
+></P
+></DD
+><DT
+><A
+NAME="SSLCACERTDIR"
+></A
+>ssl CA certDir (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This variable defines where to look up the Certification
+ Authorities. The given directory should contain one file for
+ each CA that Samba will trust. The file name must be the hash
+ value over the "Distinguished Name" of the CA. How this directory
+ is set up is explained later in this document. All files within the
+ directory that don't fit into this naming scheme are ignored. You
+ don't need this variable if you don't verify client certificates.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl CA certDir = /usr/local/ssl/certs
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCACERTFILE"
+></A
+>ssl CA certFile (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This variable is a second way to define the trusted CAs.
+ The certificates of the trusted CAs are collected in one big
+ file and this variable points to the file. You will probably
+ only use one of the two ways to define your CAs. The first choice is
+ preferable if you have many CAs or want to be flexible, the second
+ is preferable if you only have one CA and want to keep things
+ simple (you won't need to create the hashed file names). You
+ don't need this variable if you don't verify client certificates.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCIPHERS"
+></A
+>ssl ciphers (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This variable defines the ciphers that should be offered
+ during SSL negotiation. You should not set this variable unless
+ you know what you are doing.</P
+></DD
+><DT
+><A
+NAME="SSLCLIENTCERT"
+></A
+>ssl client cert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>The certificate in this file is used by <A
+HREF="smbclient.1.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbclient(1)</B
+></A
+> if it exists. It's needed
+ if the server requires a client certificate.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl client cert = /usr/local/ssl/certs/smbclient.pem
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCLIENTKEY"
+></A
+>ssl client key (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This is the private key for <A
+HREF="smbclient.1.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbclient(1)</B
+></A
+>. It's only needed if the
+ client should have a certificate. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl client key = /usr/local/ssl/private/smbclient.pem
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCOMPATIBILITY"
+></A
+>ssl compatibility (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This variable defines whether OpenSSL should be configured
+ for bug compatibility with other SSL implementations. This is
+ probably not desirable because currently no clients with SSL
+ implementations other than OpenSSL exist.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl compatibility = no</B
+></P
+></DD
+><DT
+><A
+NAME="SSLEGDSOCKET"
+></A
+>ssl egd socket (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+> This option is used to define the location of the communiation socket of
+ an EGD or PRNGD daemon, from which entropy can be retrieved. This option
+ can be used instead of or together with the <A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy file</I
+></TT
+></A
+>
+ directive. 255 bytes of entropy will be retrieved from the daemon.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="SSLENTROPYBYTES"
+></A
+>ssl entropy bytes (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+> This parameter is used to define the number of bytes which should
+ be read from the <A
+HREF="#SSLENTROPYFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl entropy
+ file</I
+></TT
+></A
+> If a -1 is specified, the entire file will
+ be read.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl entropy bytes = 255</B
+></P
+></DD
+><DT
+><A
+NAME="SSLENTROPYFILE"
+></A
+>ssl entropy file (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+> This parameter is used to specify a file from which processes will
+ read "random bytes" on startup. In order to seed the internal pseudo
+ random number generator, entropy must be provided. On system with a
+ <TT
+CLASS="FILENAME"
+>/dev/urandom</TT
+> device file, the processes
+ will retrieve its entropy from the kernel. On systems without kernel
+ entropy support, a file can be supplied that will be read on startup
+ and that will be used to seed the PRNG.
+ </P
+><P
+>Default: <EM
+>none</EM
+></P
+></DD
+><DT
+><A
+NAME="SSLHOSTS"
+></A
+>ssl hosts (G)</DT
+><DD
+><P
+>See <A
+HREF="#SSLHOSTSRESIGN"
+><TT
+CLASS="PARAMETER"
+><I
+> ssl hosts resign</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="SSLHOSTSRESIGN"
+></A
+>ssl hosts resign (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>These two variables define whether Samba will go
+ into SSL mode or not. If none of them is defined, Samba will
+ allow only SSL connections. If the <A
+HREF="#SSLHOSTS"
+> <TT
+CLASS="PARAMETER"
+><I
+>ssl hosts</I
+></TT
+></A
+> variable lists
+ hosts (by IP-address, IP-address range, net group or name),
+ only these hosts will be forced into SSL mode. If the <TT
+CLASS="PARAMETER"
+><I
+> ssl hosts resign</I
+></TT
+> variable lists hosts, only these
+ hosts will <EM
+>NOT</EM
+> be forced into SSL mode. The syntax for these two
+ variables is the same as for the <A
+HREF="#HOSTSALLOW"
+><TT
+CLASS="PARAMETER"
+><I
+> hosts allow</I
+></TT
+></A
+> and <A
+HREF="#HOSTSDENY"
+> <TT
+CLASS="PARAMETER"
+><I
+>hosts deny</I
+></TT
+></A
+> pair of variables, only
+ that the subject of the decision is different: It's not the access
+ right but whether SSL is used or not. </P
+><P
+>The example below requires SSL connections from all hosts
+ outside the local net (which is 192.168.*.*).</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl hosts = &#60;empty string&#62;</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>ssl hosts resign = &#60;empty string&#62;</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>ssl hosts resign = 192.168.</B
+></P
+></DD
+><DT
+><A
+NAME="SSLREQUIRECLIENTCERT"
+></A
+>ssl require clientcert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>If this variable is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>, the
+ server will not tolerate connections from clients that don't
+ have a valid certificate. The directory/file given in <A
+HREF="#SSLCACERTDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certDir</I
+></TT
+>
+ </A
+> and <A
+HREF="#SSLCACERTFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certFile
+ </I
+></TT
+></A
+> will be used to look up the CAs that issued
+ the client's certificate. If the certificate can't be verified
+ positively, the connection will be terminated. If this variable
+ is set to <TT
+CLASS="CONSTANT"
+>no</TT
+>, clients don't need certificates.
+ Contrary to web applications you really <EM
+>should</EM
+>
+ require client certificates. In the web environment the client's
+ data is sensitive (credit card numbers) and the server must prove
+ to be trustworthy. In a file server environment the server's data
+ will be sensitive and the clients must prove to be trustworthy.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl require clientcert = no</B
+></P
+></DD
+><DT
+><A
+NAME="SSLREQUIRESERVERCERT"
+></A
+>ssl require servercert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>If this variable is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>, the
+ <A
+HREF="smbclient.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbclient(1)</B
+>
+ </A
+> will request a certificate from the server. Same as
+ <A
+HREF="#SSLREQUIRECLIENTCERT"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl require
+ clientcert</I
+></TT
+></A
+> for the server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl require servercert = no</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="SSLSERVERCERT"
+></A
+>ssl server cert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This is the file containing the server's certificate.
+ The server <EM
+>must</EM
+> have a certificate. The
+ file may also contain the server's private key. See later for
+ how certificates and private keys are created.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl server cert = &#60;empty string&#62;
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLSERVERKEY"
+></A
+>ssl server key (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This file contains the private key of the server. If
+ this variable is not defined, the key is looked up in the
+ certificate file (it may be appended to the certificate).
+ The server <EM
+>must</EM
+> have a private key
+ and the certificate <EM
+>must</EM
+>
+ match this private key.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl server key = &#60;empty string&#62;
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLVERSION"
+></A
+>ssl version (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+>This enumeration variable defines the versions of the
+ SSL protocol that will be used. <TT
+CLASS="CONSTANT"
+>ssl2or3</TT
+> allows
+ dynamic negotiation of SSL v2 or v3, <TT
+CLASS="CONSTANT"
+>ssl2</TT
+> results
+ in SSL v2, <TT
+CLASS="CONSTANT"
+>ssl3</TT
+> results in SSL v3 and
+ <TT
+CLASS="CONSTANT"
+>tls1</TT
+> results in TLS v1. TLS (Transport Layer
+ Security) is the new standard for SSL.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl version = "ssl2or3"</B
+></P
+></DD
+><DT
+><A
+NAME="STATCACHE"
+></A
+>stat cache (G)</DT
+><DD
+><P
+>This parameter determines if <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will use a cache in order to
+ speed up case insensitive name mappings. You should never need
+ to change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>stat cache = yes</B
+></P
+></DD
+><DT
+><A
+NAME="STATCACHESIZE"
+></A
+>stat cache size (G)</DT
+><DD
+><P
+>This parameter determines the number of
+ entries in the <TT
+CLASS="PARAMETER"
+><I
+>stat cache</I
+></TT
+>. You should
+ never need to change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>stat cache size = 50</B
+></P
+></DD
+><DT
+><A
+NAME="STATUS"
+></A
+>status (G)</DT
+><DD
+><P
+>This enables or disables logging of connections
+ to a status file that <A
+HREF="smbstatus.1.html"
+TARGET="_top"
+>smbstatus(1)</A
+>
+ can read.</P
+><P
+>With this disabled <B
+CLASS="COMMAND"
+>smbstatus</B
+> won't be able
+ to tell you what connections are active. You should never need to
+ change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>status = yes</B
+></P
+></DD
+><DT
+><A
+NAME="STRICTALLOCATE"
+></A
+>strict allocate (S)</DT
+><DD
+><P
+>This is a boolean that controls the handling of
+ disk space allocation in the server. When this is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>
+ the server will change from UNIX behaviour of not committing real
+ disk storage blocks when a file is extended to the Windows behaviour
+ of actually forcing the disk system to allocate real storage blocks
+ when a file is created or extended to be a given size. In UNIX
+ terminology this means that Samba will stop creating sparse files.
+ This can be slow on some systems.</P
+><P
+>When strict allocate is <TT
+CLASS="CONSTANT"
+>no</TT
+> the server does sparse
+ disk block allocation when a file is extended.</P
+><P
+>Setting this to <TT
+CLASS="CONSTANT"
+>yes</TT
+> can help Samba return
+ out of quota messages on systems that are restricting the disk quota
+ of users.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strict allocate = no</B
+></P
+></DD
+><DT
+><A
+NAME="STRICTLOCKING"
+></A
+>strict locking (S)</DT
+><DD
+><P
+>This is a boolean that controls the handling of
+ file locking in the server. When this is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>
+ the server will check every read and write access for file locks, and
+ deny access if locks exist. This can be slow on some systems.</P
+><P
+>When strict locking is <TT
+CLASS="CONSTANT"
+>no</TT
+> the server does file
+ lock checks only when the client explicitly asks for them.</P
+><P
+>Well-behaved clients always ask for lock checks when it
+ is important, so in the vast majority of cases <B
+CLASS="COMMAND"
+>strict
+ locking = no</B
+> is preferable.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strict locking = no</B
+></P
+></DD
+><DT
+><A
+NAME="STRICTSYNC"
+></A
+>strict sync (S)</DT
+><DD
+><P
+>Many Windows applications (including the Windows
+ 98 explorer shell) seem to confuse flushing buffer contents to
+ disk with doing a sync to disk. Under UNIX, a sync call forces
+ the process to be suspended until the kernel has ensured that
+ all outstanding data in kernel disk buffers has been safely stored
+ onto stable storage. This is very slow and should only be done
+ rarely. Setting this parameter to <TT
+CLASS="CONSTANT"
+>no</TT
+> (the
+ default) means that <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> ignores the Windows applications requests for
+ a sync call. There is only a possibility of losing data if the
+ operating system itself that Samba is running on crashes, so there is
+ little danger in this default setting. In addition, this fixes many
+ performance problems that people have reported with the new Windows98
+ explorer shell file copies.</P
+><P
+>See also the <A
+HREF="#SYNCALWAYS"
+><TT
+CLASS="PARAMETER"
+><I
+>sync
+ always&#62;</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strict sync = no</B
+></P
+></DD
+><DT
+><A
+NAME="STRIPDOT"
+></A
+>strip dot (G)</DT
+><DD
+><P
+>This is a boolean that controls whether to
+ strip trailing dots off UNIX filenames. This helps with some
+ CDROMs that have filenames ending in a single dot.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strip dot = no</B
+></P
+></DD
+><DT
+><A
+NAME="SYNCALWAYS"
+></A
+>sync always (S)</DT
+><DD
+><P
+>This is a boolean parameter that controls
+ whether writes will always be written to stable storage before
+ the write call returns. If this is <TT
+CLASS="CONSTANT"
+>false</TT
+> then the server will be
+ guided by the client's request in each write call (clients can
+ set a bit indicating that a particular write should be synchronous).
+ If this is <TT
+CLASS="CONSTANT"
+>true</TT
+> then every write will be followed by a <B
+CLASS="COMMAND"
+>fsync()
+ </B
+> call to ensure the data is written to disk. Note that
+ the <TT
+CLASS="PARAMETER"
+><I
+>strict sync</I
+></TT
+> parameter must be set to
+ <TT
+CLASS="CONSTANT"
+>yes</TT
+> in order for this parameter to have
+ any affect.</P
+><P
+>See also the <A
+HREF="#STRICTSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>strict
+ sync</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>sync always = no</B
+></P
+></DD
+><DT
+><A
+NAME="SYSLOG"
+></A
+>syslog (G)</DT
+><DD
+><P
+>This parameter maps how Samba debug messages
+ are logged onto the system syslog logging levels. Samba debug
+ level zero maps onto syslog <TT
+CLASS="CONSTANT"
+>LOG_ERR</TT
+>, debug
+ level one maps onto <TT
+CLASS="CONSTANT"
+>LOG_WARNING</TT
+>, debug level
+ two maps onto <TT
+CLASS="CONSTANT"
+>LOG_NOTICE</TT
+>, debug level three
+ maps onto LOG_INFO. All higher levels are mapped to <TT
+CLASS="CONSTANT"
+> LOG_DEBUG</TT
+>.</P
+><P
+>This parameter sets the threshold for sending messages
+ to syslog. Only messages with debug level less than this value
+ will be sent to syslog.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>syslog = 1</B
+></P
+></DD
+><DT
+><A
+NAME="SYSLOGONLY"
+></A
+>syslog only (G)</DT
+><DD
+><P
+>If this parameter is set then Samba debug
+ messages are logged into the system syslog only, and not to
+ the debug log files.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>syslog only = no</B
+></P
+></DD
+><DT
+><A
+NAME="TEMPLATEHOMEDIR"
+></A
+>template homedir (G)</DT
+><DD
+><P
+>When filling out the user information for a Windows NT
+ user, the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <TT
+CLASS="PARAMETER"
+><I
+>%D</I
+></TT
+> is present it is substituted
+ with the user's Windows NT domain name. If the string <TT
+CLASS="PARAMETER"
+><I
+>%U
+ </I
+></TT
+> is present it is substituted with the user's Windows
+ NT user name.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>template homedir = /home/%D/%U</B
+></P
+></DD
+><DT
+><A
+NAME="TEMPLATESHELL"
+></A
+>template shell (G)</DT
+><DD
+><P
+>When filling out the user information for a Windows NT
+ user, the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> daemon
+ uses this parameter to fill in the login shell for that user.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>template shell = /bin/false</B
+></P
+></DD
+><DT
+><A
+NAME="TIMEOFFSET"
+></A
+>time offset (G)</DT
+><DD
+><P
+>This parameter is a setting in minutes to add
+ to the normal GMT to local time conversion. This is useful if
+ you are serving a lot of PCs that have incorrect daylight
+ saving time handling.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>time offset = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>time offset = 60</B
+></P
+></DD
+><DT
+><A
+NAME="TIMESERVER"
+></A
+>time server (G)</DT
+><DD
+><P
+>This parameter determines if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>
+ nmbd(8)</A
+> advertises itself as a time server to Windows
+ clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>time server = no</B
+></P
+></DD
+><DT
+><A
+NAME="TIMESTAMPLOGS"
+></A
+>timestamp logs (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="TOTALPRINTJOBS"
+></A
+>total print jobs (G)</DT
+><DD
+><P
+>This parameter accepts an integer value which defines
+ a limit on the maximum number of print jobs that will be accepted
+ system wide at any given time. If a print job is submitted
+ by a client which will exceed this number, then <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> will return an
+ error indicating that no space is available on the server. The
+ default value of 0 means that no such limit exists. This parameter
+ can be used to prevent a server from exceeding its capacity and is
+ designed as a printing throttle. See also
+ <A
+HREF="#MAXPRINTJOBS"
+><TT
+CLASS="PARAMETER"
+><I
+>max print jobs</I
+></TT
+></A
+>.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>total print jobs = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>total print jobs = 5000</B
+></P
+></DD
+><DT
+><A
+NAME="UNIXEXTENSIONS"
+></A
+>unix extensions(G)</DT
+><DD
+><P
+>This boolean parameter controls whether Samba
+ implments the CIFS UNIX extensions, as defined by HP. These
+ extensions enable CIFS to server UNIX clients to UNIX servers
+ better, and allow such things as symbolic links, hard links etc.
+ These extensions require a similarly enabled client, and are of
+ no current use to Windows clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>unix extensions = no</B
+></P
+></DD
+><DT
+><A
+NAME="UNIXPASSWORDSYNC"
+></A
+>unix password sync (G)</DT
+><DD
+><P
+>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to <TT
+CLASS="CONSTANT"
+>true</TT
+> the program specified in the <TT
+CLASS="PARAMETER"
+><I
+>passwd
+ program</I
+></TT
+>parameter is called <EM
+>AS ROOT</EM
+> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password change code has no
+ access to the old password cleartext, only the new).</P
+><P
+>See also <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd
+ program</I
+></TT
+></A
+>, <A
+HREF="#PASSWDCHAT"
+><TT
+CLASS="PARAMETER"
+><I
+> passwd chat</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>unix password sync = no</B
+></P
+></DD
+><DT
+><A
+NAME="UPDATEENCRYPTED"
+></A
+>update encrypted (G)</DT
+><DD
+><P
+>This boolean parameter allows a user logging
+ on with a plaintext password to have their encrypted (hashed)
+ password in the smbpasswd file to be updated automatically as
+ they log on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing
+ all users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change over
+ to encrypted passwords to be made over a longer period. Once all users
+ have encrypted representations of their passwords in the smbpasswd
+ file this parameter should be set to <TT
+CLASS="CONSTANT"
+>no</TT
+>.</P
+><P
+>In order for this parameter to work correctly the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords</I
+></TT
+>
+ </A
+> parameter must be set to <TT
+CLASS="CONSTANT"
+>no</TT
+> when
+ this parameter is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>.</P
+><P
+>Note that even when this parameter is set a user
+ authenticating to <B
+CLASS="COMMAND"
+>smbd</B
+> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>update encrypted = no</B
+></P
+></DD
+><DT
+><A
+NAME="USECLIENTDRIVER"
+></A
+>use client driver (S)</DT
+><DD
+><P
+>This parameter applies only to Windows NT/2000
+ clients. It has no affect on Windows 95/98/ME clients. When
+ serving a printer to Windows NT/2000 clients without first installing
+ a valid printer driver on the Samba host, the client will be required
+ to install a local printer driver. From this point on, the client
+ will treat the print as a local printer and not a network printer
+ connection. This is much the same behavior that will occur
+ when <B
+CLASS="COMMAND"
+>disable spoolss = yes</B
+>. </P
+><P
+>The differentiating
+ factor is that under normal circumstances, the NT/2000 client will
+ attempt to open the network printer using MS-RPC. The problem is that
+ because the client considers the printer to be local, it will attempt
+ to issue the OpenPrinterEx() call requesting access rights associated
+ with the logged on user. If the user possesses local administator rights
+ but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
+ call will fail. The result is that the client will now display an "Access
+ Denied; Unable to connect" message in the printer queue window (even though
+ jobs may successfully be printed). </P
+><P
+>If this parameter is enabled for a printer, then any attempt
+ to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
+ to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
+ call to succeed. <EM
+>This parameter MUST not be able enabled
+ on a print share which has valid print driver installed on the Samba
+ server.</EM
+></P
+><P
+>See also <A
+HREF="#DISABLESPOOLSS"
+>disable spoolss</A
+>
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>use client driver = no</B
+></P
+></DD
+><DT
+><A
+NAME="USEMMAP"
+></A
+>use mmap (G)</DT
+><DD
+><P
+>This global parameter determines if the tdb internals of Samba can
+ depend on mmap working correctly on the running system. Samba requires a coherent
+ mmap/read-write system memory cache. Currently only HPUX does not have such a
+ coherent cache, and so this parameter is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> by
+ default on HPUX. On all other systems this parameter should be left alone. This
+ parameter is provided to help the Samba developers track down problems with
+ the tdb internal code.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>use mmap = yes</B
+></P
+></DD
+><DT
+><A
+NAME="USERHOSTS"
+></A
+>use rhosts (G)</DT
+><DD
+><P
+>If this global parameter is <TT
+CLASS="CONSTANT"
+>true</TT
+>, it specifies
+ that the UNIX user's <TT
+CLASS="FILENAME"
+>.rhosts</TT
+> file in their home directory
+ will be read to find the names of hosts and users who will be allowed
+ access without specifying a password.</P
+><P
+><EM
+>NOTE:</EM
+> The use of <TT
+CLASS="PARAMETER"
+><I
+>use rhosts
+ </I
+></TT
+> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the <TT
+CLASS="PARAMETER"
+><I
+> use rhosts</I
+></TT
+> option be only used if you really know what
+ you are doing.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>use rhosts = no</B
+></P
+></DD
+><DT
+><A
+NAME="USER"
+></A
+>user (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#USERNAME"
+><TT
+CLASS="PARAMETER"
+><I
+> username</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="USERS"
+></A
+>users (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#USERNAME"
+><TT
+CLASS="PARAMETER"
+><I
+> username</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="USERNAME"
+></A
+>username (S)</DT
+><DD
+><P
+>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</P
+><P
+>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</P
+><P
+>To restrict a service to a particular set of users you
+ can use the <A
+HREF="#VALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>valid users
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>If any of the usernames begin with a '@' then the name
+ will be looked up first in the NIS netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</P
+><P
+>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</P
+><P
+>If any of the usernames begin with a '&#38;'then the name
+ will be looked up only in the NIS netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</P
+><P
+>Note that searching though a groups database can take
+ quite some time, and some clients may time out during the
+ search.</P
+><P
+>See the section <A
+HREF="#AEN236"
+>NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</A
+> for more information on how
+ this parameter determines access to the services.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>The guest account if a guest service,
+ else &#60;empty string&#62;.</B
+></P
+><P
+>Examples:<B
+CLASS="COMMAND"
+>username = fred, mary, jack, jane,
+ @users, @pcgroup</B
+></P
+></DD
+><DT
+><A
+NAME="USERNAMELEVEL"
+></A
+>username level (G)</DT
+><DD
+><P
+>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</P
+><P
+>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try while trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <TT
+CLASS="CONSTANT"
+>AstrangeUser
+ </TT
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>username level = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>username level = 5</B
+></P
+></DD
+><DT
+><A
+NAME="USERNAMEMAP"
+></A
+>username map (G)</DT
+><DD
+><P
+>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</P
+><P
+>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</P
+><P
+>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</P
+><P
+>If any line begins with a '#' or a ';' then it is
+ ignored</P
+><P
+>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</P
+><P
+>For example to map from the name <TT
+CLASS="CONSTANT"
+>admin</TT
+>
+ or <TT
+CLASS="CONSTANT"
+>administrator</TT
+> to the UNIX name <TT
+CLASS="CONSTANT"
+> root</TT
+> you would use:</P
+><P
+><B
+CLASS="COMMAND"
+>root = admin administrator</B
+></P
+><P
+>Or to map anyone in the UNIX group <TT
+CLASS="CONSTANT"
+>system</TT
+>
+ to the UNIX name <TT
+CLASS="CONSTANT"
+>sys</TT
+> you would use:</P
+><P
+><B
+CLASS="COMMAND"
+>sys = @system</B
+></P
+><P
+>You can have as many mappings as you like in a username
+ map file.</P
+><P
+>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <TT
+CLASS="FILENAME"
+>/etc/group
+ </TT
+> database for matching groups.</P
+><P
+>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</P
+><P
+><B
+CLASS="COMMAND"
+>tridge = "Andrew Tridgell"</B
+></P
+><P
+>would map the windows username "Andrew Tridgell" to the
+ unix username "tridge".</P
+><P
+>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</P
+><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+> !sys = mary fred
+ guest = *
+ </PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <TT
+CLASS="CONSTANT"
+> fred</TT
+> is remapped to <TT
+CLASS="CONSTANT"
+>mary</TT
+> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <TT
+CLASS="CONSTANT"
+>mary</TT
+> not
+ <TT
+CLASS="CONSTANT"
+>fred</TT
+>. The only exception to this is the
+ username passed to the <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+> password server</I
+></TT
+></A
+> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</P
+><P
+>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</P
+><P
+>Default: <EM
+>no username map</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>username map = /usr/local/samba/lib/users.map
+ </B
+></P
+></DD
+><DT
+><A
+NAME="UTMP"
+></A
+>utmp (G)</DT
+><DD
+><P
+>This boolean parameter is only available if
+ Samba has been configured and compiled with the option <B
+CLASS="COMMAND"
+> --with-utmp</B
+>. If set to <TT
+CLASS="CONSTANT"
+>true</TT
+> then Samba will attempt
+ to add utmp or utmpx records (depending on the UNIX system) whenever a
+ connection is made to a Samba server. Sites may use this to record the
+ user connecting to a Samba share.</P
+><P
+>See also the <A
+HREF="#UTMPDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+> utmp directory</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>utmp = no</B
+></P
+></DD
+><DT
+><A
+NAME="UTMPDIRECTORY"
+></A
+>utmp directory(G)</DT
+><DD
+><P
+>This parameter is only available if Samba has
+ been configured and compiled with the option <B
+CLASS="COMMAND"
+> --with-utmp</B
+>. It specifies a directory pathname that is
+ used to store the utmp or utmpx files (depending on the UNIX system) that
+ record user connections to a Samba server. See also the <A
+HREF="#UTMP"
+> <TT
+CLASS="PARAMETER"
+><I
+>utmp</I
+></TT
+></A
+> parameter. By default this is
+ not set, meaning the system will use whatever utmp file the
+ native system is set to use (usually
+ <TT
+CLASS="FILENAME"
+>/var/run/utmp</TT
+> on Linux).</P
+><P
+>Default: <EM
+>no utmp directory</EM
+></P
+></DD
+><DT
+><A
+NAME="VALIDUSERS"
+></A
+>valid users (S)</DT
+><DD
+><P
+>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&#38;'
+ are interpreted using the same rules as described in the
+ <TT
+CLASS="PARAMETER"
+><I
+>invalid users</I
+></TT
+> parameter.</P
+><P
+>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <TT
+CLASS="PARAMETER"
+><I
+>invalid
+ users</I
+></TT
+> list then access is denied for that user.</P
+><P
+>The current servicename is substituted for <TT
+CLASS="PARAMETER"
+><I
+>%S
+ </I
+></TT
+>. This is useful in the [homes] section.</P
+><P
+>See also <A
+HREF="#INVALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>invalid users
+ </I
+></TT
+></A
+></P
+><P
+>Default: <EM
+>No valid users list (anyone can login)
+ </EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>valid users = greg, @pcusers</B
+></P
+></DD
+><DT
+><A
+NAME="VETOFILES"
+></A
+>veto files(S)</DT
+><DD
+><P
+>This is a list of files and directories that
+ are neither visible nor accessible. Each entry in the list must
+ be separated by a '/', which allows spaces to be included
+ in the entry. '*' and '?' can be used to specify multiple files
+ or directories as in DOS wildcards.</P
+><P
+>Each entry must be a unix path, not a DOS path and
+ must <EM
+>not</EM
+> include the unix directory
+ separator '/'.</P
+><P
+>Note that the <TT
+CLASS="PARAMETER"
+><I
+>case sensitive</I
+></TT
+> option
+ is applicable in vetoing files.</P
+><P
+>One feature of the veto files parameter that it
+ is important to be aware of is Samba's behaviour when
+ trying to delete a directory. If a directory that is
+ to be deleted contains nothing but veto files this
+ deletion will <EM
+>fail</EM
+> unless you also set
+ the <TT
+CLASS="PARAMETER"
+><I
+>delete veto files</I
+></TT
+> parameter to
+ <TT
+CLASS="PARAMETER"
+><I
+>yes</I
+></TT
+>.</P
+><P
+>Setting this parameter will affect the performance
+ of Samba, as it will be forced to check all files and directories
+ for a match as they are scanned.</P
+><P
+>See also <A
+HREF="#HIDEFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>hide files
+ </I
+></TT
+></A
+> and <A
+HREF="#CASESENSITIVE"
+><TT
+CLASS="PARAMETER"
+><I
+> case sensitive</I
+></TT
+></A
+>.</P
+><P
+>Default: <EM
+>No files or directories are vetoed.
+ </EM
+></P
+><P
+>Examples:<TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>; Veto any files containing the word Security,
+; any ending in .tmp, and any directory containing the
+; word root.
+veto files = /*Security*/*.tmp/*root*/
+
+; Veto the Apple specific files that a NetAtalk server
+; creates.
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/</PRE
+></TD
+></TR
+></TABLE
+></P
+></DD
+><DT
+><A
+NAME="VETOOPLOCKFILES"
+></A
+>veto oplock files (S)</DT
+><DD
+><P
+>This parameter is only valid when the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+></A
+>
+ parameter is turned on for a share. It allows the Samba administrator
+ to selectively turn off the granting of oplocks on selected files that
+ match a wildcarded list, similar to the wildcarded list used in the
+ <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto files</I
+></TT
+></A
+>
+ parameter.</P
+><P
+>Default: <EM
+>No files are vetoed for oplock
+ grants</EM
+></P
+><P
+>You might want to do this on files that you know will
+ be heavily contended for by clients. A good example of this
+ is in the NetBench SMB benchmark program, which causes heavy
+ client contention for files ending in <TT
+CLASS="FILENAME"
+>.SEM</TT
+>.
+ To cause Samba not to grant oplocks on these files you would use
+ the line (either in the [global] section or in the section for
+ the particular NetBench share :</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>veto oplock files = /*.SEM/
+ </B
+></P
+></DD
+><DT
+><A
+NAME="VFSOBJECT"
+></A
+>vfs object (S)</DT
+><DD
+><P
+>This parameter specifies a shared object file that
+ is used for Samba VFS I/O operations. By default, normal
+ disk I/O operations are used but these can be overloaded
+ with a VFS object. The Samba VFS layer is new to Samba 2.2 and
+ must be enabled at compile time with --with-vfs.</P
+><P
+>Default : <EM
+>no value</EM
+></P
+></DD
+><DT
+><A
+NAME="VFSOPTIONS"
+></A
+>vfs options (S)</DT
+><DD
+><P
+>This parameter allows parameters to be passed
+ to the vfs layer at initialization time. The Samba VFS layer
+ is new to Samba 2.2 and must be enabled at compile time
+ with --with-vfs. See also <A
+HREF="#VFSOBJECT"
+><TT
+CLASS="PARAMETER"
+><I
+> vfs object</I
+></TT
+></A
+>.</P
+><P
+>Default : <EM
+>no value</EM
+></P
+></DD
+><DT
+><A
+NAME="VOLUME"
+></A
+>volume (S)</DT
+><DD
+><P
+> This allows you to override the volume label
+ returned for a share. Useful for CDROMs with installation programs
+ that insist on a particular volume label.</P
+><P
+>Default: <EM
+>the name of the share</EM
+></P
+></DD
+><DT
+><A
+NAME="WIDELINKS"
+></A
+>wide links (S)</DT
+><DD
+><P
+>This parameter controls whether or not links
+ in the UNIX file system may be followed by the server. Links
+ that point to areas within the directory tree exported by the
+ server are always allowed; this parameter controls access only
+ to areas that are outside the directory tree being exported.</P
+><P
+>Note that setting this parameter can have a negative
+ effect on your server performance due to the extra system calls
+ that Samba has to do in order to perform the link checks.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>wide links = yes</B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDCACHETIME"
+></A
+>winbind cache time</DT
+><DD
+><P
+>This parameter specifies the number of seconds the
+ <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind cache type = 15</B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDENUMUSERS"
+></A
+>winbind enum
+ users</DT
+><DD
+><P
+>On large installations using
+ <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> it may be
+ necessary to suppress the enumeration of users through the
+ <B
+CLASS="COMMAND"
+> setpwent()</B
+>,
+ <B
+CLASS="COMMAND"
+>getpwent()</B
+> and
+ <B
+CLASS="COMMAND"
+>endpwent()</B
+> group of system calls. If
+ the <TT
+CLASS="PARAMETER"
+><I
+>winbind enum users</I
+></TT
+> parameter is
+ false, calls to the <B
+CLASS="COMMAND"
+>getpwent</B
+> system call
+ will not return any data. </P
+><P
+><EM
+>Warning:</EM
+> Turning off user
+ enumeration may cause some programs to behave oddly. For
+ example, the finger program relies on having access to the
+ full user list when searching for matching
+ usernames. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind enum users = yes </B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDENUMGROUPS"
+></A
+>winbind enum
+ groups</DT
+><DD
+><P
+>On large installations using
+ <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> it may be
+ necessary to suppress the enumeration of groups through the
+ <B
+CLASS="COMMAND"
+> setgrent()</B
+>,
+ <B
+CLASS="COMMAND"
+>getgrent()</B
+> and
+ <B
+CLASS="COMMAND"
+>endgrent()</B
+> group of system calls. If
+ the <TT
+CLASS="PARAMETER"
+><I
+>winbind enum groups</I
+></TT
+> parameter is
+ false, calls to the <B
+CLASS="COMMAND"
+>getgrent()</B
+> system
+ call will not return any data. </P
+><P
+><EM
+>Warning:</EM
+> Turning off group
+ enumeration may cause some programs to behave oddly.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind enum groups = yes </B
+>
+ </P
+></DD
+><DT
+><A
+NAME="WINBINDGID"
+></A
+>winbind gid</DT
+><DD
+><P
+>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+> winbindd(8)</A
+> daemon. This range of group ids should have no
+ existing local or NIS groups within it as strange conflicts can
+ occur otherwise.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind gid = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind gid = 10000-20000</B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDSEPARATOR"
+></A
+>winbind separator</DT
+><DD
+><P
+>This parameter allows an admin to define the character
+ used when listing a username of the form of <TT
+CLASS="REPLACEABLE"
+><I
+>DOMAIN
+ </I
+></TT
+>\<TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+>. This parameter
+ is only applicable when using the <TT
+CLASS="FILENAME"
+>pam_winbind.so</TT
+>
+ and <TT
+CLASS="FILENAME"
+>nss_winbind.so</TT
+> modules for UNIX services.
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind separator = \</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind separator = +</B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDUID"
+></A
+>winbind uid</DT
+><DD
+><P
+>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+> winbindd(8)</A
+> daemon. This range of ids should have no
+ existing local or NIS users within it as strange conflicts can
+ occur otherwise.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind uid = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind uid = 10000-20000</B
+></P
+></DD
+><DT
+>winbind use default domain, <A
+NAME="WINBINDUSEDEFAULTDOMAIN"
+></A
+>winbind use default domain</DT
+><DD
+><P
+>This parameter specifies whether the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+> winbindd(8)</A
+>
+ daemon should operate on users without domain component in their username.
+ Users without a domain component are treated as is part of the winbindd server's
+ own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
+ function in a way much closer to the way they would in a native unix system.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind use default domain = &#60;falseg&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind use default domain = true</B
+></P
+></DD
+><DT
+><A
+NAME="WINSHOOK"
+></A
+>wins hook (G)</DT
+><DD
+><P
+>When Samba is running as a WINS server this
+ allows you to call an external program for all changes to the
+ WINS database. The primary use for this option is to allow the
+ dynamic update of external name resolution databases such as
+ dynamic DNS.</P
+><P
+>The wins hook parameter specifies the name of a script
+ or executable that will be called as follows:</P
+><P
+><B
+CLASS="COMMAND"
+>wins_hook operation name nametype ttl IP_list
+ </B
+></P
+><P
+></P
+><UL
+><LI
+><P
+>The first argument is the operation and is one
+ of "add", "delete", or "refresh". In most cases the operation can
+ be ignored as the rest of the parameters provide sufficient
+ information. Note that "refresh" may sometimes be called when the
+ name has not previously been added, in that case it should be treated
+ as an add.</P
+></LI
+><LI
+><P
+>The second argument is the NetBIOS name. If the
+ name is not a legal name then the wins hook is not called.
+ Legal names contain only letters, digits, hyphens, underscores
+ and periods.</P
+></LI
+><LI
+><P
+>The third argument is the NetBIOS name
+ type as a 2 digit hexadecimal number. </P
+></LI
+><LI
+><P
+>The fourth argument is the TTL (time to live)
+ for the name in seconds.</P
+></LI
+><LI
+><P
+>The fifth and subsequent arguments are the IP
+ addresses currently registered for that name. If this list is
+ empty then the name should be deleted.</P
+></LI
+></UL
+><P
+>An example script that calls the BIND dynamic DNS update
+ program <B
+CLASS="COMMAND"
+>nsupdate</B
+> is provided in the examples
+ directory of the Samba source code. </P
+></DD
+><DT
+><A
+NAME="WINSPROXY"
+></A
+>wins proxy (G)</DT
+><DD
+><P
+>This is a boolean that controls if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> will respond to broadcast name
+ queries on behalf of other hosts. You may need to set this
+ to <TT
+CLASS="CONSTANT"
+>yes</TT
+> for some older clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>wins proxy = no</B
+></P
+></DD
+><DT
+><A
+NAME="WINSSERVER"
+></A
+>wins server (G)</DT
+><DD
+><P
+>This specifies the IP address (or DNS name: IP
+ address for preference) of the WINS server that <A
+HREF="nmbd.8.html"
+TARGET="_top"
+> nmbd(8)</A
+> should register with. If you have a WINS server on
+ your network then you should set this to the WINS server's IP.</P
+><P
+>You should point this at your WINS server if you have a
+ multi-subnetted network.</P
+><P
+><EM
+>NOTE</EM
+>. You need to set up Samba to point
+ to a WINS server if you have multiple subnets and wish cross-subnet
+ browsing to work correctly.</P
+><P
+>See the documentation file <TT
+CLASS="FILENAME"
+>BROWSING.txt</TT
+>
+ in the docs/ directory of your Samba source distribution.</P
+><P
+>Default: <EM
+>not enabled</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>wins server = 192.9.200.1</B
+></P
+></DD
+><DT
+><A
+NAME="WINSSUPPORT"
+></A
+>wins support (G)</DT
+><DD
+><P
+>This boolean controls if the <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>
+ nmbd(8)</A
+> process in Samba will act as a WINS server. You should
+ not set this to <TT
+CLASS="CONSTANT"
+>true</TT
+> unless you have a multi-subnetted network and
+ you wish a particular <B
+CLASS="COMMAND"
+>nmbd</B
+> to be your WINS server.
+ Note that you should <EM
+>NEVER</EM
+> set this to <TT
+CLASS="CONSTANT"
+>true</TT
+>
+ on more than one machine in your network.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>wins support = no</B
+></P
+></DD
+><DT
+><A
+NAME="WORKGROUP"
+></A
+>workgroup (G)</DT
+><DD
+><P
+>This controls what workgroup your server will
+ appear to be in when queried by clients. Note that this parameter
+ also controls the Domain name used with the <A
+HREF="#SECURITYEQUALSDOMAIN"
+><B
+CLASS="COMMAND"
+>security = domain</B
+></A
+>
+ setting.</P
+><P
+>Default: <EM
+>set at compile time to WORKGROUP</EM
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>workgroup = MYGROUP</B
+></P
+></DD
+><DT
+><A
+NAME="WRITABLE"
+></A
+>writable (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+> writeable</I
+></TT
+></A
+> for people who can't spell :-).</P
+></DD
+><DT
+><A
+NAME="WRITECACHESIZE"
+></A
+>write cache size (S)</DT
+><DD
+><P
+>If this integer parameter is set to non-zero value,
+ Samba will create an in-memory cache for each oplocked file
+ (it does <EM
+>not</EM
+> do this for
+ non-oplocked files). All writes that the client does not request
+ to be flushed directly to disk will be stored in this cache if possible.
+ The cache is flushed onto disk when a write comes in whose offset
+ would not fit into the cache or when the file is closed by the client.
+ Reads for the file are also served from this cache if the data is stored
+ within it.</P
+><P
+>This cache allows Samba to batch client writes into a more
+ efficient write size for RAID disks (i.e. writes may be tuned to
+ be the RAID stripe size) and can improve performance on systems
+ where the disk subsystem is a bottleneck but there is free
+ memory for userspace programs.</P
+><P
+>The integer parameter specifies the size of this cache
+ (per oplocked file) in bytes.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>write cache size = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>write cache size = 262144</B
+></P
+><P
+>for a 256k cache size per file.</P
+></DD
+><DT
+><A
+NAME="WRITELIST"
+></A
+>write list (S)</DT
+><DD
+><P
+>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+></A
+>
+ option is set to. The list can include group names using the
+ @group syntax.</P
+><P
+>Note that if a user is in both the read list and the
+ write list then they will be given write access.</P
+><P
+>See also the <A
+HREF="#READLIST"
+><TT
+CLASS="PARAMETER"
+><I
+>read list
+ </I
+></TT
+></A
+> option.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>write list = &#60;empty string&#62;
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>write list = admin, root, @staff
+ </B
+></P
+></DD
+><DT
+><A
+NAME="WRITEOK"
+></A
+>write ok (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+> writeable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="WRITERAW"
+></A
+>write raw (G)</DT
+><DD
+><P
+>This parameter controls whether or not the server
+ will support raw write SMB's when transferring data from clients.
+ You should never need to change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>write raw = yes</B
+></P
+></DD
+><DT
+><A
+NAME="WRITEABLE"
+></A
+>writeable (S)</DT
+><DD
+><P
+>An inverted synonym is <A
+HREF="#READONLY"
+> <TT
+CLASS="PARAMETER"
+><I
+>read only</I
+></TT
+></A
+>.</P
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>no</TT
+>, then users
+ of a service may not create or modify files in the service's
+ directory.</P
+><P
+>Note that a printable service (<B
+CLASS="COMMAND"
+>printable = yes</B
+>)
+ will <EM
+>ALWAYS</EM
+> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>writeable = no</B
+></P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN5973"
+></A
+><H2
+>WARNINGS</H2
+><P
+>Although the configuration file permits service names
+ to contain spaces, your client software may not. Spaces will
+ be ignored in comparisons anyway, so it shouldn't be a
+ problem - but be aware of the possibility.</P
+><P
+>On a similar note, many clients - especially DOS clients -
+ limit service names to eight characters. <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)
+ </A
+> has no such limitation, but attempts to connect from such
+ clients will fail if they truncate the service names. For this reason
+ you should probably keep your service names down to eight characters
+ in length.</P
+><P
+>Use of the [homes] and [printers] special sections make life
+ for an administrator easy, but the various combinations of default
+ attributes can be tricky. Take extreme care when designing these
+ sections. In particular, ensure that the permissions on spool
+ directories are correct.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN5979"
+></A
+><H2
+>VERSION</H2
+><P
+>This man page is correct for version 2.2 of
+ the Samba suite.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN5982"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><A
+HREF="samba.7.html"
+TARGET="_top"
+>samba(7)</A
+>,
+ <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+>,
+ <A
+HREF="swat.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>swat(8)</B
+></A
+>,
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>,
+ <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>nmbd(8)</B
+></A
+>,
+ <A
+HREF="smbclient.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbclient(1)</B
+></A
+>,
+ <A
+HREF="nmblookup.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>nmblookup(1)</B
+></A
+>,
+ <A
+HREF="testparm.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>testparm(1)</B
+></A
+>,
+ <A
+HREF="testprns.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>testprns(1)</B
+></A
+>
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN6002"
+></A
+><H2
+>AUTHOR</H2
+><P
+>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</P
+><P
+>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <A
+HREF="ftp://ftp.icce.rug.nl/pub/unix/"
+TARGET="_top"
+> ftp://ftp.icce.rug.nl/pub/unix/</A
+>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</P
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
generated by cgit (git 2.34.1) at 2024-12-22 11:17:38 +0000