Diffstat (limited to 'docs/manpages')
-rw-r--r-- | docs/manpages/net.8 | 5
-rw-r--r-- | docs/manpages/smb.conf.5 | 535
-rw-r--r-- | docs/manpages/smbsh.1 | 2
3 files changed, 323 insertions, 219 deletions
diff --git a/docs/manpages/net.8 b/docs/manpages/net.8 index 3f3f9340be..70a6090792 100644 --- a/docs/manpages/net.8 +++ b/docs/manpages/net.8 @@ -109,6 +109,11 @@ Note that specifying this parameter here will override the \fIlog level\fR param .SH "COMMANDS" +.SS "CHANGESECRETPW" + +.PP +This command allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in Active Directory\&. DO NOT USE this command unless you know exactly what you are doing\&. The use of this command requires that the force flag (-f) be used also\&. There will be NO command prompt\&. Whatever information is piped into stdin, either by typing at the command line or otherwise, will be stored as the literal machine password\&. Do NOT use this without care and attention as it will overwrite a legitimate machine password without warning\&. YOU HAVE BEEN WARNED\&. + .SS "TIME" .PP diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index 6379e942ec..55fdc8be44 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 @@ -508,6 +508,18 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu +\fIclient plaintext auth\fR + +.TP +\(bu +\fIclient schannel\fR + +.TP +\(bu +\fIclient signing\fR + +.TP +\(bu \fIclient use spnego\fR .TP @@ -540,11 +552,11 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIdefault service\fR +\fIdefault\fR .TP \(bu -\fIdefault\fR +\fIdefault service\fR .TP \(bu @@ -672,6 +684,10 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu +\fIkernel change notify\fR + +.TP +\(bu \fIkernel oplocks\fR .TP @@ -696,6 +712,14 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu +\fIldap group suffix\fR + +.TP +\(bu +\fIldap idmap suffix\fR + +.TP +\(bu \fIldap machine suffix\fR .TP 
@@ -720,10 +744,6 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIldap trust ids\fR - -.TP -\(bu \fIldap user suffix\fR .TP @@ -744,11 +764,11 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIlock directory\fR +\fIlock dir\fR .TP \(bu -\fIlock dir\fR +\fIlock directory\fR .TP \(bu @@ -936,11 +956,11 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIpasswd chat debug\fR +\fIpasswd chat\fR .TP \(bu -\fIpasswd chat\fR +\fIpasswd chat debug\fR .TP \(bu @@ -968,11 +988,11 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIpreload modules\fR +\fIpreload\fR .TP \(bu -\fIpreload\fR +\fIpreload modules\fR .TP \(bu @@ -1016,7 +1036,7 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIroot directory\fR +\fIroot\fR .TP \(bu @@ -1024,7 +1044,7 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIroot\fR +\fIroot directory\fR .TP \(bu @@ -1036,6 +1056,10 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu +\fIserver signing\fR + +.TP +\(bu \fIserver string\fR .TP @@ -1084,11 +1108,11 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIsyslog only\fR +\fIsyslog\fR .TP \(bu -\fIsyslog\fR +\fIsyslog only\fR .TP \(bu @@ -1152,11 +1176,11 @@ Here is a list of all global parameters\&. See the section of each parameter for .TP \(bu -\fIutmp directory\fR +\fIutmp\fR .TP \(bu -\fIutmp\fR +\fIutmp directory\fR .TP \(bu @@ -1235,6 +1259,10 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP 3 \(bu +\fIacl compatibility\fR + +.TP +\(bu \fIadmin users\fR .TP 
@@ -1311,19 +1339,19 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP \(bu -\fIdirectory mask\fR +\fIdirectory\fR .TP \(bu -\fIdirectory mode\fR +\fIdirectory mask\fR .TP \(bu -\fIdirectory security mask\fR +\fIdirectory mode\fR .TP \(bu -\fIdirectory\fR +\fIdirectory security mask\fR .TP \(bu @@ -1563,11 +1591,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP \(bu -\fIpreexec close\fR +\fIpreexec\fR .TP \(bu -\fIpreexec\fR +\fIpreexec close\fR .TP \(bu @@ -1587,15 +1615,15 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP \(bu -\fIprinter admin\fR +\fIprinter\fR .TP \(bu -\fIprinter name\fR +\fIprinter admin\fR .TP \(bu -\fIprinter\fR +\fIprinter name\fR .TP \(bu @@ -1635,11 +1663,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP \(bu -\fIroot preexec close\fR +\fIroot preexec\fR .TP \(bu -\fIroot preexec\fR +\fIroot preexec close\fR .TP \(bu @@ -1679,15 +1707,15 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP \(bu -\fIusername\fR +\fIuser\fR .TP \(bu -\fIusers\fR +\fIusername\fR .TP \(bu -\fIuser\fR +\fIusers\fR .TP \(bu @@ -1695,11 +1723,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP \(bu -\fIvalid users\fR +\fI-valid\fR .TP \(bu -\fI-valid\fR +\fIvalid users\fR .TP \(bu @@ -1711,11 +1739,11 @@ Here is a list of all service parameters\&. See the section on each parameter fo .TP \(bu -\fIvfs objects\fR +\fIvfs object\fR .TP \(bu -\fIvfs object\fR +\fIvfs objects\fR .TP \(bu 
@@ -1764,6 +1792,17 @@ Example: \fBabort shutdown script = /sbin/shutdown -c\fR .TP +acl compatibility (S) +This parameter specifies what OS ACL semantics should be compatible with\&. Possible values are \fBwinnt\fR for Windows NT 4, \fBwin2k\fR for Windows 2000 and above and \fBauto\fR\&. If you specify \fBauto\fR, the value for this parameter will be based upon the version of the client\&. There should be no reason to change this parameter from the default\&. + + +Default: \fBacl compatibility = Auto\fR + + +Example: \fBacl compatibility = win2k\fR + + +.TP add group script (G) This is the full pathname to a script that will be run \fBAS ROOT\fR by \fBsmbd\fR(8) when a new group is requested\&. It will expand any \fI%g\fR to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions\&. In that case the script must print the numeric gid of the created group on stdout\&. 
@@ -2146,6 +2185,36 @@ Default : \fBclient ntlmv2 auth = no\fR .TP +client plaintext auth (G) +Specifies whether a client should send a plaintext password if the server does not support encrypted passwords\&. + + +Default: \fBclient plaintext auth = yes\fR + + +.TP +client schannel (G) +This controls whether the client offers or even demands the use of the netlogon schannel\&. \fIclient schannel = no\fR does not offer the schannel, \fIserver schannel = auto\fR offers the schannel but does not enforce it, and \fIserver schannel = yes\fR denies access if the server is not able to speak netlogon schannel\&. + + +Default: \fBclient schannel = auto\fR + + +Example: \fBclient schannel = yes\fR + + +.TP +client signing (G) +This controls whether the client offers or requires the server it talks to to use SMB signing\&. Possible values are \fBauto\fR, \fBmandatory\fR and \fBdisabled\fR\&. + + +When set to auto, SMB signing is offered, but not enforced\&. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&. + + +Default: \fBclient signing = auto\fR + + +.TP client use spnego (G) This variable controls controls whether samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 servers to agree upon an authentication mechanism\&. SPNEGO client support for SMB Signing is currently broken, so you might want to turn this option off when operating with Windows 2003 domain controllers in particular\&. @@ -2319,6 +2388,11 @@ Default: \fBdebug uid = no\fR .TP +default (G) +A synonym for \fI default service\fR\&. + + +.TP default case (S) See the section on NAME MANGLING\&. Also note the \fIshort preserve case\fR parameter\&. 
@@ -2374,11 +2448,6 @@ Example: .TP -default (G) -A synonym for \fI default service\fR\&. - - -.TP delete group script (G) This is the full pathname to a script that will be run \fBAS ROOT\fR \fBsmbd\fR(8) when a group is requested to be deleted\&. It will expand any \fI%g\fR to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&. @@ -2535,6 +2604,11 @@ Note that you may have to replace the command names with full path names on some .TP +directory (S) +Synonym for \fIpath\fR\&. + + +.TP directory mask (S) This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories\&. @@ -2595,11 +2669,6 @@ Example: \fBdirectory security mask = 0700\fR .TP -directory (S) -Synonym for \fIpath\fR\&. - - -.TP disable netbios (G) Enabling this parameter will disable netbios support in Samba\&. Netbios is the only available form of browsing in all windows versions except for 2000 and XP\&. @@ -3270,7 +3339,7 @@ The purpose of the idmap backend parameter is to allow idmap to NOT use the loca Default: \fBidmap backend = <empty string>\fR -Example: \fBidmap backend = ldapsam://ldapslave.example.com\fR +Example: \fBidmap backend = ldap:ldap://ldapslave.example.com\fR .TP @@ -3418,6 +3487,17 @@ Example: \fBkeepalive = 600\fR .TP +kernel change notify (G) +This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes\&. + + +This parameter is only usd when your kernel supports change notification to user programs, using the F_NOTIFY fcntl\&. + + +Default: \fBYes\fR + + +.TP kernel oplocks (G) For UNIXes that support kernel based \fIoplocks\fR (currently only IRIX and the Linux 2\&.4 kernel), this parameter allows the use of them to be turned on or off\&. 
@@ -3481,6 +3561,28 @@ Default: \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR .TP +ldap group suffix (G) +This parameters specifies the suffix that is used for groups when these are added to the LDAP directory\&. If this parameter is unset, the value of \fIldap suffix\fR will be used instead\&. + + +Default: \fBnone\fR + + +Example: \fBdc=samba,ou=Groups\fR + + +.TP +ldap idmap suffix (G) +This parameters specifies the suffix that is used when storing idmap mappings\&. If this parameter is unset, the value of \fIldap suffix\fR will be used instead\&. + + +Default: \fBnone\fR + + +Example: \fBdc=samba,ou=Idmap\fR + + +.TP ldap machine suffix (G) It specifies where machines should be added to the ldap tree\&. @@ -3559,19 +3661,8 @@ Default: \fBnone\fR .TP -ldap trust ids (G) -Normally, Samba validates each entry in the LDAP server against getpwnam()\&. This allows LDAP to be used for Samba with the unix system using NIS (for example) and also ensures that Samba does not present accounts that do not otherwise exist\&. - - -This option is used to disable this functionality, and instead to rely on the presence of the appropriate attributes in LDAP directly, which can result in a significant performance boost in some situations\&. Setting this option to yes effectivly assumes that the local machine is running \fBnss_ldap\fR against the same LDAP server\&. - - -Default: \fBldap trust ids = No\fR - - -.TP ldap user suffix (G) -It specifies where users are added to the tree\&. +This parameter specifies where users are added to the tree\&. If this parameter is not specified, the value from \fBldap suffix\fR\&. Default: \fBnone\fR @@ -3651,6 +3742,11 @@ Default: \fBlocal master = yes\fR .TP +lock dir (G) +Synonym for \fI lock directory\fR\&. + + +.TP lock directory (G) This option specifies the directory where lock files will be placed\&. The lock files are used to implement the \fImax connections\fR option\&. 
@@ -3662,11 +3758,6 @@ Example: \fBlock directory = /var/run/samba/locks\fR .TP -lock dir (G) -Synonym for \fI lock directory\fR\&. - - -.TP locking (S) This controls whether or not locking will be performed by the server in response to lock requests from the client\&. @@ -4797,17 +4888,6 @@ Example: \fBpassdb backend = mysql:my_plugin_args tdbsam\fR .TP -passwd chat debug (G) -This boolean specifies if the passwd chat script parameter is run in \fBdebug\fR mode\&. In this mode the strings passed to and received from the passwd chat are printed in the \fBsmbd\fR(8) log with a \fIdebug level\fR of 100\&. This is a dangerous option as it will allow plaintext passwords to be seen in the \fBsmbd\fR log\&. It is available to help Samba admins debug their \fIpasswd chat\fR scripts when calling the \fIpasswd program\fR and should be turned off after this has been done\&. This option has no effect if the \fIpam password change\fR paramter is set\&. This parameter is off by default\&. - - -See also \fIpasswd chat\fR , \fIpam password change\fR , \fIpasswd program\fR \&. - - -Default: \fBpasswd chat debug = no\fR - - -.TP passwd chat (G) This string controls the \fB"chat"\fR conversation that takes places between \fBsmbd\fR(8) and the local password changing program to change the user's password\&. The string describes a sequence of response-receive pairs that \fBsmbd\fR(8) uses to determine what to send to the \fIpasswd program\fR and what to expect back\&. If the expected output is not received then the password is not changed\&. 
@@ -4837,6 +4917,17 @@ Example: \fBpasswd chat = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n .TP +passwd chat debug (G) +This boolean specifies if the passwd chat script parameter is run in \fBdebug\fR mode\&. In this mode the strings passed to and received from the passwd chat are printed in the \fBsmbd\fR(8) log with a \fIdebug level\fR of 100\&. This is a dangerous option as it will allow plaintext passwords to be seen in the \fBsmbd\fR log\&. It is available to help Samba admins debug their \fIpasswd chat\fR scripts when calling the \fIpasswd program\fR and should be turned off after this has been done\&. This option has no effect if the \fIpam password change\fR paramter is set\&. This parameter is off by default\&. + + +See also \fIpasswd chat\fR , \fIpam password change\fR , \fIpasswd program\fR \&. + + +Default: \fBpasswd chat debug = no\fR + + +.TP passwd program (G) The name of a program that can be used to set UNIX user passwords\&. Any occurrences of \fI%u\fR will be replaced with the user name\&. The user name is checked for existence before calling the password changing program\&. @@ -5007,14 +5098,6 @@ Example: \fBpostexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log .TP -preexec close (S) -This boolean option controls whether a non-zero return code from \fIpreexec \fR should close the service being connected to\&. - - -Default: \fBpreexec close = no\fR - - -.TP preexec (S) This option specifies a command to be run whenever the service is connected to\&. It takes the usual substitutions\&. @@ -5038,6 +5121,14 @@ Example: \fBpreexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log\fR .TP +preexec close (S) +This boolean option controls whether a non-zero return code from \fIpreexec \fR should close the service being connected to\&. + + +Default: \fBpreexec close = no\fR + + +.TP prefered master (G) Synonym for \fI preferred master\fR for people who cannot spell :-)\&. 
@@ -5060,31 +5151,28 @@ Default: \fBpreferred master = auto\fR .TP -preload modules (G) -This is a list of paths to modules that should be loaded into smbd before a client connects\&. This improves the speed of smbd when reacting to new connections somewhat\&. +preload (G) +This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&. -It is recommended to only use this option on heavy-performance servers\&. +Note that if you just want all printers in your printcap file loaded then the \fIload printers\fR option is easier\&. -Default: \fBpreload modules = \fR +Default: \fBno preloaded services\fR -Example: \fBpreload modules = /usr/lib/samba/passdb/mysql.so+++ \fR +Example: \fBpreload = fred lp colorlp\fR .TP -preload (G) -This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&. - - -Note that if you just want all printers in your printcap file loaded then the \fIload printers\fR option is easier\&. +preload modules (G) +This is a list of paths to modules that should be loaded into smbd before a client connects\&. This improves the speed of smbd when reacting to new connections somewhat\&. -Default: \fBno preloaded services\fR +Default: \fBpreload modules = \fR -Example: \fBpreload = fred lp colorlp\fR +Example: \fBpreload modules = /usr/lib/samba/passdb/mysql.so+++ \fR .TP @@ -5110,6 +5198,11 @@ Default: \fBprintable = no\fR .TP +printcap (G) +Synonym for \fI printcap name\fR\&. + + +.TP printcap name (S) This parameter may be used to override the compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR)\&. See the discussion of the [printers] section above for reasons why you might want to do this\&. 
@@ -5145,11 +5238,6 @@ Example: \fBprintcap name = /etc/myprintcap\fR .TP -printcap (G) -Synonym for \fI printcap name\fR\&. - - -.TP print command (S) After a print job has finished spooling to a service, this command will be used via a \fBsystem()\fR call to process the spool file\&. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case\&. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files\&. @@ -5218,6 +5306,11 @@ Example: \fBprint command = /usr/local/samba/bin/myprintscript %p %s\fR .TP +printer (S) +Synonym for \fI printer name\fR\&. + + +.TP printer admin (S) This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation)\&. Note that the root user always has admin rights\&. @@ -5243,11 +5336,6 @@ Example: \fBprinter name = laserwriter\fR .TP -printer (S) -Synonym for \fI printer name\fR\&. - - -.TP printing (S) This parameters controls how printer status information is interpreted on your system\&. It also affects the default values for the \fIprint command\fR, \fIlpq command\fR, \fIlppause command \fR, \fIlpresume command\fR, and \fIlprm command\fR if specified in the [global] section\&. 
@@ -5491,6 +5579,16 @@ Default: \fBrestrict anonymous = 0\fR .TP +root (G) +Synonym for \fIroot directory"\fR\&. + + +.TP +root dir (G) +Synonym for \fIroot directory"\fR\&. + + +.TP root directory (G) The server will \fBchroot()\fR (i\&.e\&. Change its root directory) to this directory on startup\&. This is not strictly necessary for secure operation\&. Even without it the server will deny access to files not in one of the service entries\&. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use "\&.\&." in file names to access other directories (depending on the setting of the \fIwide links\fR parameter)\&. @@ -5505,11 +5603,6 @@ Example: \fBroot directory = /homes/smb\fR .TP -root dir (G) -Synonym for \fIroot directory"\fR\&. - - -.TP root postexec (S) This is the same as the \fIpostexec\fR parameter except that the command is run as root\&. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed\&. @@ -5521,17 +5614,6 @@ Default: \fBroot postexec = <empty string>\fR .TP -root preexec close (S) -This is the same as the \fIpreexec close \fR parameter except that the command is run as root\&. - - -See also \fI preexec\fR and \fIpreexec close\fR\&. - - -Default: \fBroot preexec close = no\fR - - -.TP root preexec (S) This is the same as the \fIpreexec\fR parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&. 
@@ -5543,31 +5625,14 @@ Default: \fBroot preexec = <empty string>\fR .TP -root (G) -Synonym for \fIroot directory"\fR\&. - - -.TP -security mask (S) -This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&. - - -This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified\&. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change\&. - - -If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file\&. - - -\fBNote\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to \fB0777\fR\&. - - -See also the \fIforce directory security mode\fR, \fIdirectory security mask\fR, \fIforce security mode\fR parameters\&. +root preexec close (S) +This is the same as the \fIpreexec close \fR parameter except that the command is run as root\&. -Default: \fBsecurity mask = 0777\fR +See also \fI preexec\fR and \fIpreexec close\fR\&. -Example: \fBsecurity mask = 0770\fR +Default: \fBroot preexec close = no\fR .TP 
@@ -5715,6 +5780,29 @@ Example: \fBsecurity = DOMAIN\fR .TP +security mask (S) +This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&. + + +This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified\&. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change\&. + + +If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file\&. + + +\fBNote\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to \fB0777\fR\&. + + +See also the \fIforce directory security mode\fR, \fIdirectory security mask\fR, \fIforce security mode\fR parameters\&. + + +Default: \fBsecurity mask = 0777\fR + + +Example: \fBsecurity mask = 0770\fR + + +.TP server schannel (G) This controls whether the server offers or even demands the use of the netlogon schannel\&. \fIserver schannel = no\fR does not offer the schannel, \fIserver schannel = auto\fR offers the schannel but does not enforce it, and \fIserver schannel = yes\fR denies access if the client is not able to speak netlogon schannel\&. This is only the case for Windows NT4 before SP4\&. 
@@ -5729,6 +5817,17 @@ Example: \fBserver schannel = yes\fR .TP +server signing (G) +This controls whether the server offers or requires the client it talks to to use SMB signing\&. Possible values are \fBauto\fR, \fBmandatory\fR and \fBdisabled\fR\&. + + +When set to auto, SMB signing is offered, but not enforced\&. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&. + + +Default: \fBclient signing = False\fR + + +.TP server string (G) This controls what string will show up in the printer comment box in print manager and next to the IPC connection in \fBnet view\fR\&. It can be any string that you wish to show to your users\&. @@ -6093,14 +6192,6 @@ Default: \fBsync always = no\fR .TP -syslog only (G) -If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&. - - -Default: \fBsyslog only = no\fR - - -.TP syslog (G) This parameter maps how Samba debug messages are logged onto the system syslog logging levels\&. Samba debug level zero maps onto syslog \fBLOG_ERR\fR, debug level one maps onto \fBLOG_WARNING\fR, debug level two maps onto \fBLOG_NOTICE\fR, debug level three maps onto LOG_INFO\&. All higher levels are mapped to \fB LOG_DEBUG\fR\&. @@ -6112,6 +6203,14 @@ Default: \fBsyslog = 1\fR .TP +syslog only (G) +If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&. + + +Default: \fBsyslog only = no\fR + + +.TP template homedir (G) When filling out the user information for a Windows NT user, the \fBwinbindd\fR(8) daemon uses this parameter to fill in the home directory for that user\&. If the string \fI%D\fR is present it is substituted with the user's Windows NT domain name\&. If the string \fI%U\fR is present it is substituted with the user's Windows NT user name\&. 
@@ -6183,7 +6282,7 @@ unix extensions (G) This boolean parameter controls whether Samba implments the CIFS UNIX extensions, as defined by HP\&. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc\&.\&.\&. These extensions require a similarly enabled client, and are of no current use to Windows clients\&. -Default: \fBunix extensions = no\fR +Default: \fBunix extensions = yes\fR .TP 
@@ -6237,6 +6336,49 @@ Default: \fBuse mmap = yes\fR .TP +user (S) +Synonym for \fIusername\fR\&. + + +.TP +username (S) +Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&. + + +The \fIusername\fR line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \\\\server\\share%user syntax instead\&. + + +The \fIusername\fR line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the \fIusername\fR line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&. + + +Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&. + + +To restrict a service to a particular set of users you can use the \fIvalid users \fR parameter\&. + + +If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&. + + +If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&. 
+ + +If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&. + + +Note that searching though a groups database can take quite some time, and some clients may time out during the search\&. + + +See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services\&. + + +Default: \fBThe guest account if a guest service, else <empty string>.\fR + + +Examples:\fBusername = fred, mary, jack, jane, @users, @pcgroup\fR + + +.TP username level (G) This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username\&. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine\&. 
@@ -6317,54 +6459,11 @@ Example: \fBusername map = /usr/local/samba/lib/users.map\fR .TP -username (S) -Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&. - - -The \fIusername\fR line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \\\\server\\share%user syntax instead\&. - - -The \fIusername\fR line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the \fIusername\fR line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&. - - -Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&. - - -To restrict a service to a particular set of users you can use the \fIvalid users \fR parameter\&. - - -If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&. - - -If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&. 
- - -If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&. - - -Note that searching though a groups database can take quite some time, and some clients may time out during the search\&. - - -See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services\&. - - -Default: \fBThe guest account if a guest service, else <empty string>.\fR - - -Examples:\fBusername = fred, mary, jack, jane, @users, @pcgroup\fR - - -.TP users (S) Synonym for \fI username\fR\&. .TP -user (S) -Synonym for \fIusername\fR\&. - - -.TP use sendfile (S) If this parameter is \fByes\fR, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked\&. This may make more efficient use of the system CPU's and cause Samba to be faster\&. This is off by default as it's effects are unknown as yet\&. 
@@ -6381,6 +6480,20 @@ Default: \fBuse spnego = yes\fR .TP +utmp (G) +This boolean parameter is only available if Samba has been configured and compiled with the option \fB --with-utmp\fR\&. If set to \fByes\fR then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&. + + +Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&. + + +See also the \fI utmp directory\fR parameter\&. + + +Default: \fButmp = no\fR + + +.TP utmp directory (G) This parameter is only available if Samba has been configured and compiled with the option \fB --with-utmp\fR\&. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server\&. See also the \fIutmp\fR parameter\&. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually \fI/var/run/utmp\fR on Linux)\&. 
@@ -6392,17 +6505,14 @@ Example: \fButmp directory = /var/run/utmp\fR .TP -utmp (G) -This boolean parameter is only available if Samba has been configured and compiled with the option \fB --with-utmp\fR\&. If set to \fByes\fR then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&. - - -Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&. +-valid (S) +This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&. -See also the \fI utmp directory\fR parameter\&. +This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&. -Default: \fButmp = no\fR +Default: \fBTrue\fR .TP @@ -6426,17 +6536,6 @@ Example: \fBvalid users = greg, @pcusers\fR .TP --valid (S) -This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&. - - -This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&. - - -Default: \fBTrue\fR - - -.TP veto files (S) This is a list of files and directories that are neither visible nor accessible\&. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry\&. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards\&. 
@@ -6488,6 +6587,11 @@ Example: \fBveto oplock files = /*.SEM/\fR .TP +vfs object (S) +Synonym for \fIvfs objects\fR \&. + + +.TP vfs objects (S) This parameter specifies the backend names which are used for Samba VFS I/O operations\&. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects\&. @@ -6499,11 +6603,6 @@ Example: \fBvfs objects = extd_audit recycle\fR .TP -vfs object (S) -Synonym for \fIvfs objects\fR \&. - - -.TP volume (S) This allows you to override the volume label returned for a share\&. Useful for CDROMs with installation programs that insist on a particular volume label\&. @@ -6527,7 +6626,7 @@ winbind cache time (G) This parameter specifies the number of seconds the \fBwinbindd\fR(8) daemon will cache user and group information before querying a Windows NT server again\&. -Default: \fBwinbind cache type = 15\fR +Default: \fBwinbind cache type = 300\fR .TP diff --git a/docs/manpages/smbsh.1 b/docs/manpages/smbsh.1 index 0788237aca..3b9e507246 100644 --- a/docs/manpages/smbsh.1 +++ b/docs/manpages/smbsh.1 @@ -19,7 +19,7 @@ .. .TH "SMBSH" 1 "" "" "" .SH NAME -smbsh \- Allows access to Windows NT filesystem using UNIX commands +smbsh \- Allows access to remote SMB shares using UNIX commands .SH "SYNOPSIS" .nf |
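Review bot: in the smb.conf.5 hunk that ends just before `@@ -6381,6 +6480,20 @@`, the `user (S)` synonym entry is deleted while `users (S)` is kept, and the kept line still reads `Synonym for \fI username\fR\&.` with a stray space after `\fI`. If `user` is only being moved to its sorted position elsewhere in the file, that is fine, but please confirm that the removed `username` paragraphs (the `&` netgroup lookup and the pointer to NOTE ABOUT USERNAME/PASSWORD VALIDATION) reappear there unchanged, since they describe how access to a service is decided. The stray space in the `users` line should also be dropped in the same pass.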
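Review bot: in the `@@ -6381,6 +6480,20 @@` hunk, the relocated `utmp (G)` text says that enabling the option "creates an n^2 algorithm" without saying what n counts, so an administrator cannot judge what it costs to turn on connection logging for a given site. Please state the quantity (for example, whether it is the number of open connections) instead of only warning about "large installations". The block also carries over stray spaces inside the font escapes, `\fB --with-utmp\fR` and `\fI utmp directory\fR`, which could be cleaned up while the entry is being moved.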
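Review bot: in the `@@ -6392,17 +6505,14 @@` hunk, the added `-valid (S)` entry gives its default as `Default: \fBTrue\fR`, while the description talks about the parameter being "set to false" and the neighbouring boolean entry is documented as `Default: \fButmp = no\fR`. Please use the same `name = value` form and the same yes/no vocabulary as the rest of the page, so the entry can be copied into a config file without guessing the spelling. Because the text says a share with this set to false is "in no way visible nor accessible", it would also help to say explicitly that this is an internal marker for deleted shares and not an access-control setting, and to point to `valid users` for that purpose.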
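Review bot: in the `@@ -6488,6 +6587,11 @@` hunk, the added line `Synonym for \fIvfs objects\fR \&.` keeps a space between `\fR` and `\&.`, so the sentence renders as "vfs objects ." with a detached full stop. Since the entry is being re-added at its sorted position anyway, write it as `Synonym for \fIvfs objects\fR\&.`.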
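Review bot: in the `@@ -6527,7 +6626,7 @@` hunk, the changed line still names the wrong parameter: the entry is `winbind cache time (G)`, but the new default is written as `Default: \fBwinbind cache type = 300\fR`. The value is updated from 15 to 300 while the `type`/`time` typo is carried over, so anyone copying the default line into smb.conf gets a parameter name that does not match the documented one. Please change it to `winbind cache time = 300` in the same commit, and mention the change of default from 15 to 300 seconds in the commit message, since it alters how long winbindd serves cached user and group information.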