summaryrefslogtreecommitdiff
path: root/swat/help
diff options
context:
space:
mode:
Diffstat (limited to 'swat/help')
-rw-r--r--swat/help/parameters.html3368
-rw-r--r--swat/help/welcome.html8
2 files changed, 3376 insertions, 0 deletions
diff --git a/swat/help/parameters.html b/swat/help/parameters.html
new file mode 100644
index 0000000000..15cf563983
--- /dev/null
+++ b/swat/help/parameters.html
@@ -0,0 +1,3368 @@
+<HTML>
+<BODY>
+
+SWAT Parameters help<p>
+
+We need to reformat the smb.conf man page as HTML with a label for
+each parameter. Anyone want to write a perl script? Currently I've
+just done a quick hack with an emacs macro to get something in
+place. Or maybe the SGML conversion will be the way to go?<p>
+
+<hr>
+
+<a name="admin users">
+<H3>admin users (S)</H3><p>
+
+This is a list of users who will be granted administrative privileges
+on the share. This means that they will do all file operations as the
+super-user (root).<p>
+
+You should use this option very carefully, as any user in this list
+will be able to do anything they like on the share, irrespective of
+file permissions.<p>
+
+.B Default:
+ no admin users<p>
+
+.B Example:
+ admin users = jason<p>
+
+<a name="announce as">
+<H3>announce as (G)</H3><p>
+
+This specifies what type of server nmbd will announce itself as in
+browse lists. By default this is set to Windows NT. The valid options
+are "NT", "Win95" or "WfW" meaining Windows NT, Windows 95 and
+Windows for Workgroups respectively. Do not change this parameter
+unless you have a specific need to stop Samba appearing as an NT
+server as this may prevent Samba servers from participating as
+browser servers correctly.<p>
+
+.B Default:
+ announce as = NT<p>
+
+.B Example
+ announce as = Win95<p>
+
+<a name="announce version">
+<H3>announce version (G)</H3><p>
+
+This specifies the major and minor version numbers that nmbd
+will use when announcing itself as a server. The default is 4.2.
+Do not change this parameter unless you have a specific need to
+set a Samba server to be a downlevel server.<p>
+
+.B Default:
+ announce version = 4.2<p>
+
+.B Example:
+ announce version = 2.0<p>
+
+<a name="auto services">
+<H3>auto services (G)</H3>
+This is a list of services that you want to be automatically added to
+the browse lists. This is most useful for homes and printers services
+that would otherwise not be visible.<p>
+
+Note that if you just want all printers in your printcap file loaded
+then the "load printers" option is easier.<p>
+
+.B Default:
+ no auto services<p>
+
+.B Example:
+ auto services = fred lp colorlp<p>
+
+<a name="allow hosts">
+<H3>allow hosts (S)</H3>
+A synonym for this parameter is 'hosts allow'.<p>
+
+This parameter is a comma delimited set of hosts which are permitted to access
+a service. <p>
+
+If specified in the [global] section then it will apply to all
+services, regardless of whether the individual service has a different
+setting. <p>
+
+You can specify the hosts by name or IP number. For example, you could
+restrict access to only the hosts on a Class C subnet with something like
+"allow hosts = 150.203.5.". The full syntax of the list is described in
+the man page
+.BR hosts_access (5).<p>
+
+You can also specify hosts by network/netmask pairs and by netgroup
+names if your system supports netgroups. The EXCEPT keyword can also
+be used to limit a wildcard list. The following examples may provide
+some help:<p>
+
+Example 1: allow all IPs in 150.203.*.* except one<p>
+
+ hosts allow = 150.203. EXCEPT 150.203.6.66<p>
+
+Example 2: allow hosts that match the given network/netmask<p>
+
+ hosts allow = 150.203.15.0/255.255.255.0<p>
+
+Example 3: allow a couple of hosts<p>
+
+ hosts allow = lapland, arvidsjaur<p>
+
+Example 4: allow only hosts in netgroup "foonet" or localhost, but
+deny access from one particular host<p>
+
+ hosts allow = @foonet, localhost
+ hosts deny = pirate<p>
+
+Note that access still requires suitable user-level passwords.<p>
+
+See
+.BR testparm (1)
+for a way of testing your host access to see if it
+does what you expect.<p>
+
+.B Default:
+ none (i.e., all hosts permitted access)<p>
+
+.B Example:
+ allow hosts = 150.203.5. myhost.mynet.edu.au<p>
+
+<a name="alternate permissions">
+<H3>alternate permissions (S)</H3><p>
+
+This option affects the way the "read only" DOS attribute is produced
+for UNIX files. If this is false then the read only bit is set for
+files on writeable shares which the user cannot write to.<p>
+
+If this is true then it is set for files whos user write bit is not set.<p>
+
+The latter behaviour is useful for when users copy files from each
+others directories, and use a file manager that preserves
+permissions. Without this option they may get annoyed as all copied
+files will have the "read only" bit set.<p>
+
+.B Default:
+ alternate permissions = no<p>
+
+.B Example:
+ alternate permissions = yes<p>
+
+<a name="available">
+<H3>available (S)</H3>
+This parameter lets you 'turn off' a service. If 'available = no', then
+ALL attempts to connect to the service will fail. Such failures are logged.<p>
+
+.B Default:
+ available = yes<p>
+
+.B Example:
+ available = no<p>
+
+<a name="bind interfaces only">
+<H3>bind interfaces only (G)</H3>
+This global parameter (new for 1.9.18) allows the Samba admin to limit
+what interfaces on a machine will serve smb requests. If affects file service
+(smbd) and name service (nmbd) in slightly different ways.<p>
+
+For name service it causes nmbd to bind to ports 137 and 138 on
+the interfaces listed in the 'interfaces' parameter. nmbd also binds
+to the 'all addresses' interface (0.0.0.0) on ports 137 and 138
+for the purposes of reading broadcast messages. If this option is
+not set then nmbd will service name requests on all of these
+sockets. If "bind interfaces only" is set then nmbd will check
+the source address of any packets coming in on the broadcast
+sockets and discard any that don't match the broadcast addresses
+of the interfaces in the 'interfaces' parameter list. As unicast
+packets are received on the other sockets it allows nmbd to
+refuse to serve names to machines that send packets that arrive
+through any interfaces not listed in the 'interfaces' list.
+IP Source address spoofing does defeat this simple check, however
+so it must not be used seriously as a security feature for nmbd.<p>
+
+For file service it causes smbd to bind only to the interface
+list given in the 'interfaces' parameter. This restricts the
+networks that smbd will serve to packets coming in those interfaces.
+Note that you should not use this parameter for machines that
+are serving ppp or other intermittant or non-broadcast network
+interfaces as it will not cope with non-permanent interfaces.<p>
+
+.B Default:
+ bind interfaces only = False<p>
+
+.B Example:
+ bind interfaces only = True<p>
+
+<a name="browseable">
+<H3>browseable (S)</H3>
+This controls whether this share is seen in the list of available
+shares in a net view and in the browse list.<p>
+
+.B Default:
+ browseable = Yes<p>
+
+.B Example:
+ browseable = No
+<a name="browse lis">
+<H3>browse list(G)</H3>
+This controls whether the smbd will serve a browse list to a client
+doing a NetServerEnum call. Normally set to true. You should never
+need to change this.<p>
+
+.B Default:
+ browse list = Yes<p>
+
+<a name="case sensitive">
+<H3>case sensitive (G)</H3>
+See the discussion on NAME MANGLING.<p>
+
+<a name="case sig names">
+<H3>case sig names (G)</H3>
+See "case sensitive"<p>
+
+<a name="character set">
+<H3>character set (G)</H3>
+This allows a smbd to map incoming characters from a DOS 850 Code page
+to either a Western European (ISO8859-1) or Easter European (ISO8859-2)
+code page. Normally not set, meaning no filename translation is done.<p>
+
+.B Default<p>
+
+ character set =<p>
+
+.B Example<p>
+
+ character set = iso8859-1<p>
+
+<a name="client code page">
+<H3>client code page (G)</H3>
+Currently (Samba 1.9.17 and above) this may be set to one of two
+values, 850 or 437. It specifies the base DOS code page that the
+clients accessing Samba are using. To determine this, open a DOS
+command prompt and type the command "chcp". This will output the
+code page. The default for USA MS-DOS, Windows 95, and Windows NT
+releases is code page 437. The default for western european
+releases of the above operating systems is code page 850.<p>
+
+This parameter co-operates with the "valid chars" parameter in
+determining what characters are valid in filenames and how
+capitalization is done. It has been added as a convenience for
+clients whose code page is either 437 or 850 so a convoluted
+"valid chars" string does not have to be determined. If you
+set both this parameter and the "valid chars" parameter the
+"client code page" parameter MUST be set before the "valid chars"
+in the smb.conf file. The "valid chars" string will then augment
+the character settings in the "client code page" parameter.<p>
+
+If "client code page" is set to a value other than 850 or 437
+it will default to 850.<p>
+
+See also : "valid chars".<p>
+
+.B Default<p>
+
+ client code page = 850<p>
+
+.B Example<p>
+
+ client code page = 437<p>
+
+<a name="comment">
+<H3>comment (S)</H3>
+This is a text field that is seen next to a share when a client does a
+net view to list what shares are available.<p>
+
+If you want to set the string that is displayed next to the machine
+name then see the server string command.<p>
+
+.B Default:
+ No comment string<p>
+
+.B Example:
+ comment = Fred's Files<p>
+
+<a name="config file">
+<H3>config file (G)</H3><p>
+
+This allows you to override the config file to use, instead of the
+default (usually smb.conf). There is a chicken and egg problem here as
+this option is set in the config file! <p>
+
+For this reason, if the name of the config file has changed when the
+parameters are loaded then it will reload them from the new config
+file.<p>
+
+This option takes the usual substitutions, which can be very useful.<p>
+
+If the config file doesn't exist then it won't be loaded (allowing
+you to special case the config files of just a few clients).<p>
+
+.B Example:
+ config file = /usr/local/samba/lib/smb.conf.%m<p>
+
+<a name="copy">
+<H3>copy (S)</H3>
+This parameter allows you to 'clone' service entries. The specified
+service is simply duplicated under the current service's name. Any
+parameters specified in the current section will override those in the
+section being copied.<p>
+
+This feature lets you set up a 'template' service and create similar
+services easily. Note that the service being copied must occur earlier
+in the configuration file than the service doing the copying.<p>
+
+.B Default:
+ none<p>
+
+.B Example:
+ copy = otherservice
+<a name="create mask">
+<H3>create mask (S)</H3>
+A synonym for this parameter is 'create mode'.<p>
+
+When a file is created, the neccessary permissions are calculated
+according to the mapping from DOS modes to UNIX permissions, and
+the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
+This parameter may be thought of as a bit-wise MASK for the UNIX
+modes of a file. Any bit *not* set here will be removed from the
+modes set on a file when it is created.<p>
+
+The default value of this parameter removes the 'group' and 'other'
+write and execute bits from the UNIX modes.<p>
+
+Following this Samba will bit-wise 'OR' the UNIX mode created from
+this parameter with the value of the "force create mode" parameter
+which is set to 000 by default.<p>
+
+For Samba 1.9.17 and above this parameter no longer affects directory
+modes. See the parameter 'directory mode' for details.<p>
+
+See also the "force create mode" parameter for forcing particular
+mode bits to be set on created files.
+See also the "directory mode" parameter for masking mode bits on created
+directories.<p>
+
+.B Default:
+ create mask = 0744<p>
+
+.B Example:
+ create mask = 0775
+<a name="create mode">
+<H3>create mode (S)</H3>
+See
+.B create mask.<p>
+
+<a name="dead time">
+<H3>dead time (G)</H3>
+The value of the parameter (a decimal integer) represents the number of
+minutes of inactivity before a connection is considered dead, and it
+is disconnected. The deadtime only takes effect if the number of open files
+is zero.<p>
+
+This is useful to stop a server's resources being exhausted by a large
+number of inactive connections.<p>
+
+Most clients have an auto-reconnect feature when a connection is broken so
+in most cases this parameter should be transparent to users.<p>
+
+Using this parameter with a timeout of a few minutes is recommended
+for most systems.<p>
+
+A deadtime of zero indicates that no auto-disconnection should be performed.<p>
+
+.B Default:
+ dead time = 0<p>
+
+.B Example:
+ dead time = 15
+<a name="debug level">
+<H3>debug level (G)</H3>
+The value of the parameter (an integer) allows the debug level
+(logging level) to be specified in the
+.B smb.conf
+file. This is to give
+greater flexibility in the configuration of the system.<p>
+
+The default will be the debug level specified on the command line.<p>
+
+.B Example:
+ debug level = 3
+<a name="default">
+<H3>default (G)</H3>
+See
+.B default service.
+<a name="default case">
+<H3>default case (S)</H3><p>
+
+See the section on "NAME MANGLING" Also note the addition of "short
+preserve case"<p>
+
+<a name="default service">
+<H3>default service (G)</H3>
+A synonym for this parameter is 'default'.<p>
+
+This parameter specifies the name of a service which will be connected to
+if the service actually requested cannot be found. Note that the square
+brackets are NOT given in the parameter value (see example below).<p>
+
+There is no default value for this parameter. If this parameter is not given,
+attempting to connect to a nonexistent service results in an error.<p>
+
+Typically the default service would be a public, read-only service.<p>
+
+Also note that as of 1.9.14 the apparent service name will be changed to
+equal that of the requested service, this is very useful as it allows
+you to use macros like %S to make a wildcard service.<p>
+
+Note also that any _ characters in the name of the service used in the
+default service will get mapped to a /. This allows for interesting
+things.<p>
+
+
+.B Example:
+ default service = pub
+
+ [pub]
+ path = /%S
+ <p>
+
+<a name="delete readonly">
+<H3>delete readonly (S)</H3>
+This parameter allows readonly files to be deleted. This is not normal DOS
+semantics, but is allowed by UNIX.<p>
+
+This option may be useful for running applications such as rcs, where UNIX
+file ownership prevents changing file permissions, and DOS semantics prevent
+deletion of a read only file.<p>
+
+.B Default:
+ delete readonly = No<p>
+
+.B Example:
+ delete readonly = Yes
+<a name="deny hosts">
+<H3>deny hosts (S)</H3>
+A synonym for this parameter is 'hosts deny'.<p>
+
+The opposite of 'allow hosts' - hosts listed here are NOT permitted
+access to services unless the specific services have their own lists to
+override this one. Where the lists conflict, the 'allow' list takes precedence.<p>
+
+.B Default:
+ none (i.e., no hosts specifically excluded)<p>
+
+.B Example:
+ deny hosts = 150.203.4. badhost.mynet.edu.au<p>
+
+<a name="delete veto files">
+<H3>delete veto files (S)</H3><p>
+
+This option is used when Samba is attempting to delete a directory
+that contains one or more vetoed directories (see the 'veto files' option).
+If this option is set to False (the default) then if a vetoed directory
+contains any non-vetoed files or directories then the directory delete
+will fail. This is usually what you want. <p>
+
+If this option is set to True, then Samba will attempt
+to recursively delete any files and directories within the vetoed
+directory. This can be useful for integration with file serving
+systems such as Netatalk, which create meta-files within directories
+you might normally veto DOS/Windows users from seeing (eg. .AppleDouble)<p>
+
+Setting 'delete veto files = True' allows these directories to be
+transparently deleted when the parent directory is deleted (so long
+as the user has permissions to do so).<p>
+
+.B Default:
+ delete veto files = False<p>
+
+.B Example:
+ delete veto files = True<p>
+
+See
+.B veto files<p>
+
+<a name="dfree command">
+<H3>dfree command (G)</H3>
+The dfree command setting should only be used on systems where a
+problem occurs with the internal disk space calculations. This has
+been known to happen with Ultrix, but may occur with other operating
+systems. The symptom that was seen was an error of "Abort Retry
+Ignore" at the end of each directory listing.<p>
+
+This setting allows the replacement of the internal routines to
+calculate the total disk space and amount available with an external
+routine. The example below gives a possible script that might fulfill
+this function. <p>
+
+The external program will be passed a single parameter indicating a
+directory in the filesystem being queried. This will typically consist
+of the string "./". The script should return two integers in ascii. The
+first should be the total disk space in blocks, and the second should
+be the number of available blocks. An optional third return value
+can give the block size in bytes. The default blocksize is 1024 bytes.<p>
+
+Note: Your script should NOT be setuid or setgid and should be owned by
+(and writable only by) root!<p>
+
+.B Default:
+ By default internal routines for determining the disk capacity
+and remaining space will be used.<p>
+
+.B Example:
+ dfree command = /usr/local/samba/bin/dfree<p>
+
+ Where the script dfree (which must be made executable) could be<p>
+
+.nf
+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+.fi<p>
+
+ or perhaps (on Sys V)<p>
+
+.nf
+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+.fi<p>
+
+ Note that you may have to replace the command names with full
+path names on some systems.
+<a name="directory">
+<H3>directory (S)</H3>
+See
+.B path.<p>
+
+<a name="directory mask">
+<H3>directory mask (S)</H3>
+A synonym for this parameter is 'directory mode'.<p>
+
+This parameter is the octal modes which are used when converting DOS modes
+to UNIX modes when creating UNIX directories.<p>
+
+When a directory is created, the neccessary permissions are calculated
+according to the mapping from DOS modes to UNIX permissions, and
+the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
+This parameter may be thought of as a bit-wise MASK for the UNIX
+modes of a directory. Any bit *not* set here will be removed from the
+modes set on a directory when it is created.<p>
+
+The default value of this parameter removes the 'group' and 'other'
+write bits from the UNIX mode, allowing only the user who owns the
+directory to modify it.<p>
+
+Following this Samba will bit-wise 'OR' the UNIX mode created from
+this parameter with the value of the "force directory mode" parameter.
+This parameter is set to 000 by default (ie. no extra mode bits are added).<p>
+
+See the "force directory mode" parameter to cause particular mode
+bits to always be set on created directories.<p>
+
+See also the "create mode" parameter for masking mode bits on created
+files.<p>
+
+.B Default:
+ directory mask = 0755<p>
+
+.B Example:
+ directory mask = 0775<p>
+
+<a name="directory mode">
+<H3>directory mode (S)</H3>
+See
+.B directory mask.<p>
+
+<a name="dns proxy">
+<H3>dns proxy (G)</H3><p>
+
+Specifies that nmbd should (as a WINS server), on finding that a NetBIOS
+name has not been registered, treat the NetBIOS name word-for-word as
+a DNS name.<p>
+
+Note that the maximum length for a NetBIOS name is 15
+characters, so the DNS name (or DNS alias) can likewise only be 15
+characters, maximum.<p>
+
+Note also that nmbd will block completely until the DNS name is resolved.
+This will result in temporary loss of browsing and WINS services.
+Enable this option only if you are certain that DNS resolution is fast,
+or you can live with the consequences of periodic pauses in nmbd service.<p>
+
+.B Default:
+ dns proxy = yes<p>
+
+<a name="domain controller">
+<H3>domain controller (G)</H3><p>
+
+Specifies the DNS name or IP address of the machine to refer domain
+logons from Win95 machines to. You should never need to set this parameter.<p>
+
+.B Default:
+ domain controller = no<p>
+
+<a name="domain logons">
+<H3>domain logons (G)</H3><p>
+
+If set to true, the Samba server will serve Windows 95 domain logons
+for the workgroup it is in. For more details on setting up this feature
+see the file DOMAINS.txt in the Samba source documentation directory.<p>
+
+.B Default:
+ domain logons = no<p>
+
+<a name="domain master">
+<H3>domain master (G)</H3><p>
+
+Enable WAN-wide browse list collation. Local master browsers on
+broadcast-isolated subnets will give samba their local browse lists, and
+ask for a complete copy of the browse list for the whole wide area network.
+Browser clients will then contact their local master browser, and will
+receive the domain-wide browse list, instead of just the list for their
+broadcast-isolated subnet.<p>
+
+.B Default:
+ domain master = no<p>
+
+<a name="dont descend">
+<H3>dont descend (S)</H3>
+There are certain directories on some systems (eg., the /proc tree under
+Linux) that are either not of interest to clients or are infinitely deep
+(recursive). This parameter allows you to specify a comma-delimited list
+of directories that the server should always show as empty.<p>
+
+Note that Samba can be very fussy about the exact format of the "dont
+descend" entries. For example you may need "./proc" instead of just
+"/proc". Experimentation is the best policy :-)<p>
+
+.B Default:
+ none (i.e., all directories are OK to descend)<p>
+
+.B Example:
+ dont descend = /proc,/dev<p>
+
+<a name="dos filetimes">
+<H3>dos filetimes (S)</H3>
+Under DOS and Windows, if a user can write to a file they can change
+the timestamp on it. Under POSIX semantics, only the owner of the file
+or root may change the timestamp. By default, Samba runs with POSIX
+semantics and refuses to change the timestamp on a file if the user
+smbd is acting on behalf of is not the file owner. Setting this option
+to True allows DOS semantics and smbd will change the file timstamp as
+DOS requires. This is a correct implementation of a previous compile-time
+options (UTIME_WORKAROUND) which was broken and is now removed.<p>
+
+.B Default:
+ dos filetimes = False<p>
+
+.B Example:
+ dos filetimes = True<p>
+
+<a name="dos filetime resolution">
+<H3>dos filetime resolution (S)</H3>
+Under the DOS and Windows FAT filesystem, the finest granulatity on
+time resolution is two seconds. Setting this parameter for a share
+causes Samba to round the reported time down to the nearest two
+second boundary when a query call that requires one second resolution
+is made to smbd. <p>
+
+This option is mainly used as a compatibility option for Visual C++
+when used against Samba shares. If oplocks are enabled on a share,
+Visual C++ uses two different time reading calls to check if a file
+has changed since it was last read. One of these calls uses a one-second
+granularity, the other uses a two second granularity. As the two second
+call rounds any odd second down, then if the file has a timestamp of an
+odd number of seconds then the two timestamps will not match and Visual
+C++ will keep reporting the file has changed. Setting this option causes
+the two timestamps to match, and Visual C++ is happy.<p>
+
+.B Default:
+ dos filetime resolution = False<p>
+
+.B Example:
+ dos filetime resolution = True<p>
+
+<a name="encrypt passwords">
+<H3>encrypt passwords (G)</H3><p>
+
+This boolean controls whether encrypted passwords will be negotiated
+with the client. Note that this option has no effect if you haven't
+compiled in the necessary des libraries and encryption code. It
+defaults to no.<p>
+
+<a name="exec">
+<H3>exec (S)</H3><p>
+
+This is an alias for preexec<p>
+
+<a name="fake oplocks">
+<H3>fake oplocks (S)</H3><p>
+
+Oplocks are the way that SMB clients get permission from a server to
+locally cache file operations. If a server grants an oplock
+(opportunistic lock) then the client is free to assume that it is the
+only one accessing the file and it will aggressively cache file
+data. With some oplock types the client may even cache file open/close
+operations. This can give enormous performance benefits.<p>
+
+When you set "fake oplocks = yes" Samba will always grant oplock
+requests no matter how many clients are using the file. <p>
+
+By enabling this option on all read-only shares or shares that you know
+will only be accessed from one client at a time you will see a big
+performance improvement on many operations. If you enable this option
+on shares where multiple clients may be accessing the files read-write
+at the same time you can get data corruption. Use this option
+carefully! <p>
+
+It is generally much better to use the real oplock support except for
+physically read-only media such as CDROMs.<p>
+
+This option is disabled by default.<p>
+
+<a name="follow symlinks">
+<H3>follow symlinks (S)</H3><p>
+
+This parameter allows the Samba administrator to stop smbd from
+following symbolic links in a particular share. Setting this
+parameter to "No" prevents any file or directory that is a
+symbolic link from being followed (the user will get an error).
+This option is very useful to stop users from adding a symbolic
+link to /etc/pasword in their home directory for instance.
+However it will slow filename lookups down slightly.<p>
+
+This option is enabled (ie. smbd will follow symbolic links)
+by default.<p>
+
+<a name="force create mode">
+<H3>force create mode (S)</H3>
+This parameter specifies a set of UNIX mode bit permissions that
+will *always* be set on a file created by Samba. This is done
+by bitwise 'OR'ing these bits onto the mode bits of a file that
+is being created. The default for this parameter is (in octel)
+000. The modes in this parameter are bitwise 'OR'ed onto the
+file mode after the mask set in the "create mask" parameter
+is applied.<p>
+
+See also the parameter "create mask" for details on masking mode
+bits on created files.<p>
+
+.B Default:
+ force create mode = 000<p>
+
+.B Example:
+ force create mode = 0755<p>
+
+would force all created files to have read and execute permissions
+set for 'group' and 'other' as well as the read/write/execute bits
+set for the 'user'.<p>
+
+<a name="force directory mode">
+<H3>force directory mode (S)</H3>
+This parameter specifies a set of UNIX mode bit permissions that
+will *always* be set on a directory created by Samba. This is done
+by bitwise 'OR'ing these bits onto the mode bits of a directory that
+is being created. The default for this parameter is (in octel)
+0000 which will not add any extra permission bits to a created
+directory. This operation is done after the mode mask in the parameter
+"directory mask" is applied.<p>
+
+See also the parameter "directory mask" for details on masking mode
+bits on created directories.<p>
+
+.B Default:
+ force directory mode = 000<p>
+
+.B Example:
+ force directory mode = 0755<p>
+
+would force all created directories to have read and execute permissions
+set for 'group' and 'other' as well as the read/write/execute bits
+set for the 'user'.<p>
+
+<a name="force group">
+<H3>force group (S)</H3>
+This specifies a group name that all connections to this service
+should be made as. This may be useful for sharing files.<p>
+
+.B Default:
+ no forced group<p>
+
+.B Example:
+ force group = agroup<p>
+
+<a name="force user">
+<H3>force user (S)</H3>
+This specifies a user name that all connections to this service
+should be made as. This may be useful for sharing files. You should
+also use it carefully as using it incorrectly can cause security
+problems.<p>
+
+This user name only gets used once a connection is established. Thus
+clients still need to connect as a valid user and supply a valid
+password. Once connected, all file operations will be performed as the
+"forced user", not matter what username the client connected as.<p>
+
+.B Default:
+ no forced user<p>
+
+.B Example:
+ force user = auser<p>
+
+<a name="getwd cache">
+<H3>getwd cache (G)</H3>
+This is a tuning option. When this is enabled a cacheing algorithm will
+be used to reduce the time taken for getwd() calls. This can have a
+significant impact on performance, especially when widelinks is False.<p>
+
+.B Default:
+ getwd cache = No<p>
+
+.B Example:
+ getwd cache = Yes<p>
+
+<a name="group">
+<H3>group (S)</H3>
+This is an alias for "force group" and is only kept for compatibility
+with old versions of Samba. It may be removed in future versions.<p>
+
+<a name="guest account">
+<H3>guest account (S)</H3>
+This is a username which will be used for access to services which are
+specified as 'guest ok' (see below). Whatever privileges this user has
+will be available to any client connecting to the guest
+service. Typically this user will exist in the password file, but will
+not have a valid login. If a username is specified in a given service,
+the specified username overrides this one.<p>
+
+One some systems the account "nobody" may not be able to print. Use
+another account in this case. You should test this by trying to log in
+as your guest user (perhaps by using the "su \-" command) and trying to
+print using
+.BR lpr .<p>
+
+Note that as of version 1.9 of Samba this option may be set
+differently for each service.<p>
+
+.B Default:
+ specified at compile time<p>
+
+.B Example:
+ guest account = nobody
+<a name="guest ok">
+<H3>guest ok (S)</H3>
+See
+.B public.
+<a name="guest only">
+<H3>guest only (S)</H3>
+If this parameter is 'yes' for a service, then only guest connections to the
+service are permitted. This parameter will have no affect if "guest ok" or
+"public" is not set for the service.<p>
+
+See the section below on user/password validation for more information about
+this option.<p>
+
+.B Default:
+ guest only = no<p>
+
+.B Example:
+ guest only = yes
+<a name="hide dot files">
+<H3>hide dot files (S)</H3>
+This is a boolean parameter that controls whether files starting with
+a dot appear as hidden files.<p>
+
+.B Default:
+ hide dot files = yes<p>
+
+.B Example:
+ hide dot files = no<p>
+
+
+<a name="hide file">
+<H3>hide files(S)</H3>
+This is a list of files or directories that are not visible but are
+accessible. The DOS 'hidden' attribute is applied to any files or
+directories that match.<p>
+
+Each entry in the list must be separated by a "/", which allows spaces
+to be included in the entry. '*' and '?' can be used to specify multiple
+files or directories as in DOS wildcards.<p>
+
+Each entry must be a unix path, not a DOS path and must not include the
+unix directory separator "/".<p>
+
+Note that the case sensitivity option is applicable in hiding files.<p>
+
+Setting this parameter will affect the performance of Samba, as
+it will be forced to check all files and directories for a match
+as they are scanned.<p>
+
+See also "hide dot files", "veto files" and "case sensitive"<p>
+
+.B Default
+ No files or directories are hidden by this option (dot files are
+ hidden by default because of the "hide dot files" option).<p>
+
+.B Example
+ hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/<p>
+
+The above example is based on files that the Macintosh client (DAVE)
+creates for internal use, and also still hides all files beginning with
+a dot.<p>
+
+<a name="homedir map">
+<H3>homedir map (G)</H3>
+If "nis homedir" is true, this parameter specifies the NIS (or YP) map
+from which the server for the user's home directory should be extracted.
+At present, only the Sun auto.home map format is understood. The form of
+the map is:<p>
+
+username server:/some/file/system<p>
+
+and the program will extract the servername from before the first ':'.
+There should probably be a better parsing system that copes with different
+map formats and also Amd (another automounter) maps.<p>
+
+NB: The -DNETGROUP option is required in the Makefile for option to work
+and on some architectures the line -lrpcsvc needs to be added to the
+LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX.<p>
+
+See also "nis homedir"<p>
+
+.B Default:
+ homedir map = auto.home<p>
+
+.B Example:
+ homedir map = amd.homedir
+<a name="hosts allow">
+<H3>hosts allow (S)</H3>
+See
+.B allow hosts.
+<a name="hosts deny">
+<H3>hosts deny (S)</H3>
+See
+.B deny hosts.<p>
+
+<a name="hosts equiv">
+<H3>hosts equiv (G)</H3>
+If this global parameter is a non-null string, it specifies the name of
+a file to read for the names of hosts and users who will be allowed access
+without specifying a password.<p>
+
+This is not be confused with
+.B allow hosts
+which is about hosts access to services and is more useful for guest services.
+.B hosts equiv
+may be useful for NT clients which will not supply passwords to samba.<p>
+
+NOTE: The use of hosts.equiv can be a major security hole. This is
+because you are trusting the PC to supply the correct username. It is
+very easy to get a PC to supply a false username. I recommend that the
+hosts.equiv option be only used if you really know what you are doing,
+or perhaps on a home network where you trust your wife and kids :-)<p>
+
+.B Default
+ No host equivalences<p>
+
+.B Example
+ hosts equiv = /etc/hosts.equiv<p>
+
+<a name="include">
+<H3>include (G)</H3><p>
+
+This allows you to include one config file inside another. The file is
+included literally, as though typed in place.<p>
+
+It takes the standard substitutions, except %u, %P and %S<p>
+
+<a name="interfaces">
+<H3>interfaces (G)</H3><p>
+
+This option allows you to setup multiple network interfaces, so that
+Samba can properly handle browsing on all interfaces.<p>
+
+The option takes a list of ip/netmask pairs. The netmask may either be
+a bitmask, or a bitlength. <p>
+
+For example, the following line:<p>
+
+interfaces = 192.168.2.10/24 192.168.3.10/24<p>
+
+would configure two network interfaces with IP addresses 192.168.2.10
+and 192.168.3.10. The netmasks of both interfaces would be set to
+255.255.255.0. <p>
+
+You could produce an equivalent result by using:<p>
+
+interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0<p>
+
+if you prefer that format.<p>
+
+If this option is not set then Samba will attempt to find a primary
+interface, but won't attempt to configure more than one interface.<p>
+
+<a name="invalid users">
+<H3>invalid users (S)</H3>
+This is a list of users that should not be allowed to login to this
+service. This is really a "paranoid" check to absolutely ensure an
+improper setting does not breach your security.<p>
+
+A name starting with @ is interpreted as a UNIX group.<p>
+
+The current servicename is substituted for %S. This is useful in the
+[homes] section.<p>
+
+See also "valid users"<p>
+
+.B Default
+ No invalid users<p>
+
+.B Example
+ invalid users = root fred admin @wheel<p>
+
+<a name="keepalive">
+<H3>keepalive (G)</H3>
+The value of the parameter (an integer) represents the number of seconds
+between 'keepalive' packets. If this parameter is zero, no keepalive packets
+will be sent. Keepalive packets, if sent, allow the server to tell whether a
+client is still present and responding.<p>
+
+Keepalives should, in general, not be needed if the socket being used
+has the SO_KEEPALIVE attribute set on it (see "socket
+options"). Basically you should only use this option if you strike
+difficulties.<p>
+
+.B Default:
+ keep alive = 0<p>
+
+.B Example:
+ keep alive = 60<p>
+
+<a name="lm announce">
+<H3>lm announce (G)</H3><p>
+
+This parameter determines if Samba will produce Lanman announce
+broadcasts that are needed by OS/2 clients in order for them to
+see the Samba server in their browse list. This parameter can
+have three values, true, false, or auto. The default is auto.
+If set to False Samba will never produce these broadcasts. If
+set to true Samba will produce Lanman announce broadcasts at
+a frequency set by the parameter 'lm interval'. If set to auto
+Samba will not send Lanman announce broadcasts by default but
+will listen for them. If it hears such a broadcast on the wire
+it will then start sending them at a frequency set by the parameter
+'lm interval'.<p>
+
+See also "lm interval".<p>
+
+.B Default:
+ lm announce = auto<p>
+
+.B Example:
+ lm announce = true<p>
+
+<a name="lm interval">
+<H3>lm interval (G)</H3><p>
+
+If Samba is set to produce Lanman announce broadcasts needed
+by OS/2 clients (see the "lm announce" parameter) this parameter
+defines the frequency in seconds with which they will be made.
+If this is set to zero then no Lanman announcements will be
+made despite the setting of the "lm announce" parameter.<p>
+
+See also "lm announce".<p>
+
+.B Default:
+ lm interval = 60<p>
+
+.B Example:
+ lm interval = 120<p>
+
+<a name="load printers">
+<H3>load printers (G)</H3>
+A boolean variable that controls whether all printers in the printcap
+will be loaded for browsing by default. <p>
+
+.B Default:
+ load printers = yes<p>
+
+.B Example:
+ load printers = no<p>
+
+<a name="local master">
+<H3>local master (G)</H3>
+This option allows the nmbd to become a local master browser on a
+subnet. If set to False then nmbd will not attempt to become a local
+master browser on a subnet and will also lose in all browsing elections.
+By default this value is set to true. Setting this value to true doesn't
+mean that Samba will become the local master browser on a subnet, just
+that the nmbd will participate in elections for local master browser.<p>
+
+.B Default:
+ local master = yes<p>
+
+<a name="lock directory">
+<H3>lock directory (G)</H3>
+This option specifies the directory where lock files will be placed.
+The lock files are used to implement the "max connections" option.<p>
+
+.B Default:
+ lock directory = /tmp/samba<p>
+
+.B Example:
+ lock directory = /usr/local/samba/var/locks<p>
+
+<a name="locking">
+<H3>locking (S)</H3>
+This controls whether or not locking will be performed by the server in
+response to lock requests from the client.<p>
+
+If "locking = no", all lock and unlock requests will appear to succeed and
+all lock queries will indicate that the queried lock is clear.<p>
+
+If "locking = yes", real locking will be performed by the server.<p>
+
+This option may be particularly useful for read-only filesystems which
+do not need locking (such as cdrom drives).<p>
+
+Be careful about disabling locking either globally or in a specific
+service, as lack of locking may result in data corruption.<p>
+
+.B Default:
+ locking = yes<p>
+
+.B Example:
+ locking = no<p>
+
+<a name="log file">
+<H3>log file (G)</H3><p>
+
+This options allows you to override the name of the Samba log file
+(also known as the debug file).<p>
+
+This option takes the standard substitutions, allowing you to have
+separate log files for each user or machine.<p>
+
+.B Example:
+ log file = /usr/local/samba/var/log.%m<p>
+
+<a name="log level">
+<H3>log level (G)</H3>
+see "debug level"<p>
+
+<a name="logon drive">
+<H3>logon drive (G)</H3><p>
+
+This parameter specifies the local path to which the home directory
+will be connected (see "logon home") and is only used by NT Workstations.<p>
+
+.B Example:
+ logon drive = h:<p>
+
+<a name="logon home">
+<H3>logon home (G)</H3><p>
+
+This parameter specifies the home directory location when a Win95 or
+NT Workstation logs into a Samba PDC. It allows you to do "NET USE
+H: /HOME" from a command prompt, for example.<p>
+
+.B
+This option takes the standard substitutions, allowing you to have
+separate logon scripts for each user or machine.<p>
+
+.B Example:
+ logon home = "\\\\remote_smb_server\\%U"<p>
+
+.B Default:
+ logon home = "\\\\%N\\%U"<p>
+
+<a name="logon path">
+<H3>logon path (G)</H3><p>
+
+This parameter specifies the home directory where roaming profiles
+(USER.DAT / USER.MAN files for Windows 95) are stored.<p>
+
+This option takes the standard substitutions, allowing you to have
+separate logon scripts for each user or machine. It also specifies
+the directory from which the "desktop", "start menu", "nethood" and
+"programs" folders, and their contents, are loaded and displayed
+on your Windows 95 client.<p>
+
+The share and the path must be readable by the user for the preferences
+and directories to be loaded onto the Windows 95 client. The share
+must be writeable when the logs in for the first time, in order that
+the Windows 95 client can create the user.dat and other directories.<p>
+
+Thereafter, the directories and any of contents can, if required,
+be made read-only. It is not adviseable that the USER.DAT file be made
+read-only - rename it to USER.MAN to achieve the desired effect
+(a MANdatory profile).<p>
+
+Windows clients can sometimes maintain a connection to the [homes]
+share, even though there is no user logged in. Therefore, it is
+vital that the logon path does not include a reference to the
+homes share (i.e \\\\%N\\HOMES\profile_path will cause problems).<p>
+
+.B
+This option takes the standard substitutions, allowing you to have
+separate logon scripts for each user or machine.<p>
+
+.B Default:
+ logon path = \\\\%N\\%U\\profile<p>
+
+.B Example:
+ logon path = \\\\PROFILESERVER\\HOME_DIR\\%U\\PROFILE<p>
+
+<a name="logon script">
+<H3>logon script (G)</H3><p>
+
+This parameter specifies the batch file (.bat) or NT command file (.cmd)
+to be downloaded and run on a machine when a user successfully logs in.
+The file must contain the DOS style cr/lf line endings. Using a DOS-style
+editor to create the file is recommended.<p>
+
+The script must be a relative path to the [netlogon] service. If the
+[netlogon] service specifies a path of /usr/local/samba/netlogon, and
+logon script = STARTUP.BAT, then file that will be downloaded is:<p>
+
+.B /usr/local/samba/netlogon/STARTUP.BAT<p>
+
+The contents of the batch file is entirely your choice. A suggested
+command would be to add NET TIME \\\\SERVER /SET /YES, to force every
+machine to synchronise clocks with the same time server. Another use
+would be to add NET USE U: \\\\SERVER\\UTILS for commonly used utilities,
+or NET USE Q: \\\\SERVER\\ISO9001_QA.<p>
+
+Note that it is particularly important not to allow write access to
+the [netlogon] share, or to grant users write permission on the
+batch files in a secure environment, as this would allow the batch
+files to be arbitrarily modified.<p>
+
+.B
+This option takes the standard substitutions, allowing you to have
+separate logon scripts for each user or machine.<p>
+
+.B Example:
+ logon script = scripts/%U.bat<p>
+
+<a name="lppause command">
+<H3>lppause command (S)</H3>
+This parameter specifies the command to be executed on the server host in
+order to stop printing or spooling a specific print job.<p>
+
+This command should be a program or script which takes a printer name and
+job number to pause the print job. Currently I don't know of any print
+spooler system that can do this with a simple option, except for the PPR
+system from Trinity College (ppr\-dist.trincoll.edu/pub/ppr). One way
+of implementing this is by using job priorities, where jobs having a too
+low priority won't be sent to the printer. See also the
+.B lppause
+command.<p>
+
+If a %p is given then the printername is put in its place. A %j is
+replaced with the job number (an integer).
+On HPUX (see printing=hpux), if the -p%p option is added to the lpq
+command, the job will show up with the correct status, i.e. if the job
+priority is lower than the set fence priority it will have the PAUSED
+status, whereas if the priority is equal or higher it will have the
+SPOOLED or PRINTING status.<p>
+
+Note that it is good practice to include the absolute path in the lppause
+command as the PATH may not be available to the server.<p>
+
+.B Default:
+ Currently no default value is given to this string<p>
+
+.B Example for HPUX:
+ lppause command = /usr/bin/lpalt %p-%j -p0<p>
+
+<a name="lpq cache time">
+<H3>lpq cache time (G)</H3><p>
+
+This controls how long lpq info will be cached for to prevent the lpq
+command being called too often. A separate cache is kept for each
+variation of the lpq command used by the system, so if you use
+different lpq commands for different users then they won't share cache
+information.<p>
+
+The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash
+of the lpq command in use.<p>
+
+The default is 10 seconds, meaning that the cached results of a
+previous identical lpq command will be used if the cached data is less
+than 10 seconds old. A large value may be advisable if your lpq
+command is very slow.<p>
+
+A value of 0 will disable cacheing completely.<p>
+
+.B Default:
+ lpq cache time = 10<p>
+
+.B Example:
+ lpq cache time = 30<p>
+
+<a name="lpq command">
+<H3>lpq command (S)</H3>
+This parameter specifies the command to be executed on the server host in
+order to obtain "lpq"-style printer status information. <p>
+
+This command should be a program or script which takes a printer name
+as its only parameter and outputs printer status information. <p>
+
+Currently six styles of printer status information are supported; BSD,
+SYSV, AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You
+control which type is expected using the "printing =" option.<p>
+
+Some clients (notably Windows for Workgroups) may not correctly send the
+connection number for the printer they are requesting status information
+about. To get around this, the server reports on the first printer service
+connected to by the client. This only happens if the connection number sent
+is invalid.<p>
+
+If a %p is given then the printername is put in its place. Otherwise
+it is placed at the end of the command.<p>
+
+Note that it is good practice to include the absolute path in the lpq
+command as the PATH may not be available to the server.<p>
+
+.B Default:
+ depends on the setting of "printing ="<p>
+
+.B Example:
+ lpq command = /usr/bin/lpq %p<p>
+
+<a name="lpresume command">
+<H3>lpresume command (S)</H3>
+This parameter specifies the command to be executed on the server host in
+order to restart or continue printing or spooling a specific print job.<p>
+
+This command should be a program or script which takes a printer name and
+job number to resume the print job. See also the lppause command.<p>
+
+If a %p is given then the printername is put in its place. A %j is
+replaced with the job number (an integer).<p>
+
+Note that it is good practice to include the absolute path in the lpresume
+command as the PATH may not be available to the server.<p>
+
+.B Default:
+ Currently no default value is given to this string<p>
+
+.B Example for HPUX:
+ lpresume command = /usr/bin/lpalt %p-%j -p2<p>
+
+<a name="lprm command">
+<H3>lprm command (S)</H3>
+This parameter specifies the command to be executed on the server host in
+order to delete a print job.<p>
+
+This command should be a program or script which takes a printer name
+and job number, and deletes the print job.<p>
+
+Currently seven styles of printer control are supported; BSD, SYSV, AIX
+HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control
+which type is expected using the "printing =" option.<p>
+
+If a %p is given then the printername is put in its place. A %j is
+replaced with the job number (an integer).<p>
+
+Note that it is good practice to include the absolute path in the lprm
+command as the PATH may not be available to the server.<p>
+
+.B Default:
+ depends on the setting of "printing ="<p>
+
+.B Example 1:
+ lprm command = /usr/bin/lprm -P%p %j<p>
+
+.B Example 2:
+ lprm command = /usr/bin/cancel %p-%j<p>
+
+<a name="magic output">
+<H3>magic output (S)</H3>
+This parameter specifies the name of a file which will contain output
+created by a magic script (see
+.I magic script
+below).<p>
+
+Warning: If two clients use the same magic script in the same directory the
+output file content is undefined.
+.B Default:
+ magic output = <magic script name>.out<p>
+
+.B Example:
+ magic output = myfile.txt
+<a name="magic script">
+<H3>magic script (S)</H3>
+This parameter specifies the name of a file which, if opened, will be
+executed by the server when the file is closed. This allows a UNIX script
+to be sent to the Samba host and executed on behalf of the connected user.<p>
+
+Scripts executed in this way will be deleted upon completion, permissions
+permitting.<p>
+
+If the script generates output, output will be sent to the file specified by
+the
+.I magic output
+parameter (see above).<p>
+
+Note that some shells are unable to interpret scripts containing
+carriage-return-linefeed instead of linefeed as the end-of-line
+marker. Magic scripts must be executable "as is" on the host, which
+for some hosts and some shells will require filtering at the DOS end.<p>
+
+Magic scripts are EXPERIMENTAL and should NOT be relied upon.<p>
+
+.B Default:
+ None. Magic scripts disabled.<p>
+
+.B Example:
+ magic script = user.csh<p>
+
+<a name="mangle case">
+<H3>mangle case (S)</H3><p>
+
+See the section on "NAME MANGLING"<p>
+
+<a name="mangled map">
+<H3>mangled map (S)</H3>
+This is for those who want to directly map UNIX file names which are
+not representable on DOS. The mangling of names is not always what is
+needed. In particular you may have documents with file extensions
+that differ between DOS and UNIX. For example, under UNIX it is common
+to use .html for HTML files, whereas under DOS .htm is more commonly
+used.<p>
+
+So to map 'html' to 'htm' you put:<p>
+
+ mangled map = (*.html *.htm)<p>
+
+One very useful case is to remove the annoying ;1 off the ends of
+filenames on some CDROMS (only visible under some UNIXes). To do this
+use a map of (*;1 *)<p>
+
+.B default:
+ no mangled map<p>
+
+.B Example:
+ mangled map = (*;1 *)<p>
+
+<a name="mangled names">
+<H3>mangled names (S)</H3>
+This controls whether non-DOS names under UNIX should be mapped to
+DOS-compatible names ("mangled") and made visible, or whether non-DOS names
+should simply be ignored.<p>
+
+See the section on "NAME MANGLING" for details on how to control the
+mangling process.<p>
+
+If mangling is used then the mangling algorithm is as follows:
+.RS
+- the first (up to) five alphanumeric characters before the rightmost dot of
+the filename are preserved, forced to upper case, and appear as the first (up
+to) five characters of the mangled name.<p>
+
+- a tilde ("~") is appended to the first part of the mangled name, followed
+by a two-character unique sequence, based on the original root name
+(i.e., the original filename minus its final extension). The final
+extension is included in the hash calculation only if it contains any upper
+case characters or is longer than three characters.<p>
+
+Note that the character to use may be specified using the "mangling
+char" option, if you don't like ~.<p>
+
+- the first three alphanumeric characters of the final extension are preserved,
+forced to upper case and appear as the extension of the mangled name. The
+final extension is defined as that part of the original filename after the
+rightmost dot. If there are no dots in the filename, the mangled name will
+have no extension (except in the case of hidden files - see below).<p>
+
+- files whose UNIX name begins with a dot will be presented as DOS hidden
+files. The mangled name will be created as for other filenames, but with the
+leading dot removed and "___" as its extension regardless of actual original
+extension (that's three underscores).
+.RE<p>
+
+The two-digit hash value consists of upper case alphanumeric characters.<p>
+
+This algorithm can cause name collisions only if files in a directory share
+the same first five alphanumeric characters. The probability of such a clash
+is 1/1300.<p>
+
+The name mangling (if enabled) allows a file to be copied between UNIX
+directories from DOS while retaining the long UNIX filename. UNIX files can
+be renamed to a new extension from DOS and will retain the same basename.
+Mangled names do not change between sessions.<p>
+
+.B Default:
+ mangled names = yes<p>
+
+.B Example:
+ mangled names = no
+<a name="mangling char">
+<H3>mangling char (S)</H3>
+This controls what character is used as the "magic" character in name
+mangling. The default is a ~ but this may interfere with some
+software. Use this option to set it to whatever you prefer.<p>
+
+.B Default:
+ mangling char = ~<p>
+
+.B Example:
+ mangling char = ^<p>
+
+<a name="mangled stack">
+<H3>mangled stack (G)</H3>
+This parameter controls the number of mangled names that should be cached in
+the Samba server.<p>
+
+This stack is a list of recently mangled base names (extensions are only
+maintained if they are longer than 3 characters or contains upper case
+characters).<p>
+
+The larger this value, the more likely it is that mangled names can be
+successfully converted to correct long UNIX names. However, large stack
+sizes will slow most directory access. Smaller stacks save memory in the
+server (each stack element costs 256 bytes).<p>
+
+It is not possible to absolutely guarantee correct long file names, so
+be prepared for some surprises!<p>
+
+.B Default:
+ mangled stack = 50<p>
+
+.B Example:
+ mangled stack = 100<p>
+
+<a name="map archive">
+<H3>map archive (S)</H3>
+This controls whether the DOS archive attribute should be mapped to the
+UNIX owner execute bit. The DOS archive bit is set when a file has been modified
+since its last backup. One motivation for this option it to keep Samba/your
+PC from making any file it touches from becoming executable under UNIX.
+This can be quite annoying for shared source code, documents, etc...<p>
+
+Note that this requires the 'create mask' to be set such that owner
+execute bit is not masked out (ie. it must include 100). See the
+parameter "create mask" for details.<p>
+
+.B Default:
+ map archive = yes<p>
+
+.B Example:
+ map archive = no<p>
+
+<a name="map hidden">
+<H3>map hidden (S)</H3>
+This controls whether DOS style hidden files should be mapped to the
+UNIX world execute bit.<p>
+
+Note that this requires the 'create mask' to be set such that the world
+execute bit is not masked out (ie. it must include 001).
+See the parameter "create mask" for details.<p>
+
+.B Default:
+ map hidden = no<p>
+
+.B Example:
+ map hidden = yes
+<a name="map system">
+<H3>map system (S)</H3>
+This controls whether DOS style system files should be mapped to the
+UNIX group execute bit.<p>
+
+Note that this requires the 'create mask' to be set such that the group
+execute bit is not masked out (ie. it must include 010). See the parameter
+"create mask" for details.<p>
+
+.B Default:
+ map system = no<p>
+
+.B Example:
+ map system = yes
+<a name="max connections">
+<H3>max connections (S)</H3>
+This option allows the number of simultaneous connections to a
+service to be limited. If "max connections" is greater than 0 then
+connections will be refused if this number of connections to the
+service are already open. A value of zero mean an unlimited number of
+connections may be made.<p>
+
+Record lock files are used to implement this feature. The lock files
+will be stored in the directory specified by the "lock directory" option.<p>
+
+.B Default:
+ max connections = 0<p>
+
+.B Example:
+ max connections = 10<p>
+
+<a name="max disk size">
+<H3>max disk size (G)</H3>
+This option allows you to put an upper limit on the apparent size of
+disks. If you set this option to 100 then all shares will appear to be
+not larger than 100 MB in size.<p>
+
+Note that this option does not limit the amount of data you can put on
+the disk. In the above case you could still store much more than 100
+MB on the disk, but if a client ever asks for the amount of free disk
+space or the total disk size then the result will be bounded by the
+amount specified in "max disk size".<p>
+
+This option is primarily useful to work around bugs in some pieces of
+software that can't handle very large disks, particularly disks over
+1GB in size.<p>
+
+A "max disk size" of 0 means no limit.<p>
+
+.B Default:
+ max disk size = 0<p>
+
+.B Example:
+ max disk size = 1000<p>
+
+<a name="max log size">
+<H3>max log size (G)</H3><p>
+
+This option (an integer in kilobytes) specifies the max size the log
+file should grow to. Samba periodically checks the size and if it is
+exceeded it will rename the file, adding a .old extension.<p>
+
+A size of 0 means no limit.<p>
+
+.B Default:
+ max log size = 5000<p>
+
+.B Example:
+ max log size = 1000<p>
+
+<a name="max mux">
+<H3>max mux (G)</H3><p>
+
+This option controls the maximum number of outstanding simultaneous SMB
+operations that samba tells the client it will allow. You should never need
+to set this parameter.<p>
+
+.B Default:
+ max mux = 50<p>
+
+<a name="max packet">
+<H3>max packet (G)</H3><p>
+
+A synonym for this parameter is 'packet size'.<p>
+
+<a name="max ttl">
+<H3>max ttl (G)</H3><p>
+
+This option tells nmbd what the default 'time to live' of NetBIOS
+names should be (in seconds) when nmbd is requesting a name using
+either a broadcast or from a WINS server. You should never need to
+change this parameter.<p>
+
+.B Default:
+ max ttl = 14400<p>
+
+<a name="max wins ttl">
+<H3>max wins ttl (G)</H3><p>
+
+This option tells nmbd when acting as a WINS server (wins support = true)
+what the maximum 'time to live' of NetBIOS names that nmbd will grant will
+be (in seconds). You should never need to change this parameter.
+The default is 3 days (259200 seconds).<p>
+
+.B Default:
+ max wins ttl = 259200<p>
+
+<a name="max xmit">
+<H3>max xmit (G)</H3><p>
+
+This option controls the maximum packet size that will be negotiated
+by Samba. The default is 65535, which is the maximum. In some cases
+you may find you get better performance with a smaller value. A value
+below 2048 is likely to cause problems.<p>
+
+.B Default:
+ max xmit = 65535<p>
+
+.B Example:
+ max xmit = 8192<p>
+
+<a name="message command">
+<H3>message command (G)</H3><p>
+
+This specifies what command to run when the server receives a WinPopup
+style message.<p>
+
+This would normally be a command that would deliver the message
+somehow. How this is to be done is up to your imagination.<p>
+
+What I use is:<p>
+
+ message command = csh -c 'xedit %s;rm %s' &<p>
+
+This delivers the message using xedit, then removes it
+afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
+IMMEDIATELY. That's why I have the & on the end. If it doesn't return
+immediately then your PCs may freeze when sending messages (they
+should recover after 30secs, hopefully).<p>
+
+All messages are delivered as the global guest user. The command takes
+the standard substitutions, although %u won't work (%U may be better
+in this case).<p>
+
+Apart from the standard substitutions, some additional ones apply. In
+particular:<p>
+
+%s = the filename containing the message<p>
+
+%t = the destination that the message was sent to (probably the server
+name)<p>
+
+%f = who the message is from<p>
+
+You could make this command send mail, or whatever else takes your
+fancy. Please let me know of any really interesting ideas you have.<p>
+
+Here's a way of sending the messages as mail to root:<p>
+
+message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s<p>
+
+If you don't have a message command then the message won't be
+delivered and Samba will tell the sender there was an
+error. Unfortunately WfWg totally ignores the error code and carries
+on regardless, saying that the message was delivered.<p>
+
+If you want to silently delete it then try "message command = rm %s".<p>
+
+For the really adventurous, try something like this:<p>
+
+message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \e
+ -M %m; rm %s' &<p>
+
+this would execute the command as a script on the server, then give
+them the result in a WinPopup message. Note that this could cause a
+loop if you send a message from the server using smbclient! You better
+wrap the above in a script that checks for this :-)<p>
+
+.B Default:
+ no message command<p>
+
+.B Example:
+ message command = csh -c 'xedit %s;rm %s' &<p>
+
+<a name="min print space">
+<H3>min print space (S)</H3><p>
+
+This sets the minimum amount of free disk space that must be available
+before a user will be able to spool a print job. It is specified in
+kilobytes. The default is 0, which means no limit.<p>
+
+.B Default:
+ min print space = 0<p>
+
+.B Example:
+ min print space = 2000<p>
+
+<a name="min wins ttl">
+<H3>min wins ttl (G)</H3><p>
+
+This option tells nmbd when acting as a WINS server (wins support = true)
+what the minimum 'time to live' of NetBIOS names that nmbd will grant will
+be (in seconds). You should never need to change this parameter.
+The default is 6 hours (21600 seconds).<p>
+
+.B Default:
+ min wins ttl = 21600<p>
+
+
+<a name="netbios aliases">
+<H3>netbios aliases (G)</H3><p>
+
+This is a list of names that nmbd will advertise as additional
+names by which the Samba server is known. This allows one machine
+to appear in browse lists under multiple names. If a machine is
+acting as a browse server or logon server none of these names
+will be advertised as either browse server or logon servers, only
+the primary name of the machine will be advertised with these
+capabilities.<p>
+
+See also 'netbios name'.<p>
+
+.B Example:
+ netbios aliases = TEST TEST1 TEST2<p>
+
+<a name="netbios name">
+<H3>netbios name (G)</H3><p>
+
+This sets the NetBIOS name by which a Samba server is known. By
+default it is the same as the first component of the host's DNS name.
+If a machine is a browse server or logon server this name (or the
+first component of the hosts DNS name) will be the name that these
+services are advertised under.<p>
+
+See also 'netbios aliases'.<p>
+
+.B Example:
+ netbios name = MYNAME<p>
+
+<a name="nis homedir">
+<H3>nis homedir (G)</H3>
+Get the home share server from a NIS (or YP) map. For unix systems that
+use an automounter, the user's home directory will often be mounted on
+a workstation on demand from a remote server. When the Samba logon server
+is not the actual home directory server, two network hops are required
+to access the home directory and this can be very slow especially with
+writing via Samba to an NFS mounted directory. This option allows samba
+to return the home share as being on a different server to the logon
+server and as long as a samba daemon is running on the home directory
+server, it will be mounted on the Samba client directly from the directory
+server. When Samba is returning the home share to the client, it will
+consult the NIS (or YP) map specified in "homedir map" and return the
+server listed there.<p>
+
+.B Default:
+ nis homedir = false<p>
+
+.B Example:
+ nis homedir = true<p>
+
+<a name="networkstation user login">
+<H3>networkstation user login (G)</H3>
+This global parameter (new for 1.9.18p3) affects server level security.
+With this set (recommended) samba will do a full NetWkstaUserLogon to
+confirm that the client really should have login rights. This can cause
+problems with machines in trust relationships in which case you can
+disable it here, but be warned, we have heard that some NT machines
+will then allow anyone in with any password! Make sure you test it.<p>
+
+.B Default:
+ networkstation user login = yes<p>
+
+.B Example:
+ networkstation user login = no<p>
+
+<a name="null passwords">
+<H3>null passwords (G)</H3>
+Allow or disallow access to accounts that have null passwords. <p>
+
+.B Default:
+ null passwords = no<p>
+
+.B Example:
+ null passwords = yes<p>
+
+<a name="only guest">
+<H3>only guest (S)</H3>
+A synonym for this command is 'guest only'.<p>
+
+<a name="only user">
+<H3>only user (S)</H3>
+This is a boolean option that controls whether connections with
+usernames not in the user= list will be allowed. By default this
+option is disabled so a client can supply a username to be used by
+the server.<p>
+
+Note that this also means Samba won't try to deduce usernames from the
+service name. This can be annoying for the [homes] section. To get
+around this you could use "user = %S" which means your "user" list
+will be just the service name, which for home directories is the name
+of the user.<p>
+
+.B Default:
+ only user = False<p>
+
+.B Example:
+ only user = True<p>
+
+<a name="oplocks">
+<H3>oplocks (S)</H3>
+This boolean option tells smbd whether to issue oplocks (opportunistic
+locks) to file open requests on this share. The oplock code was introduced in
+Samba 1.9.18 and can dramatically (approx 30% or more) improve the speed
+of access to files on Samba servers. It allows the clients to agressively
+cache files locally and you may want to disable this option for unreliable
+network environments (it is turned on by default in Windows NT Servers).
+For more information see the file Speed.txt in the Samba docs/ directory.<p>
+
+Oplocks may be selectively turned off on certain files on a per share basis.
+See the 'veto oplock files' parameter.<p>
+
+.B Default:
+ oplocks = True<p>
+
+.B Example:
+ oplocks = False<p>
+
+
+<a name="os level">
+<H3>os level (G)</H3>
+This integer value controls what level Samba advertises itself as for
+browse elections. See BROWSING.txt for details.<p>
+
+<a name="packet size">
+<H3>packet size (G)</H3>
+The maximum transmit packet size during a raw read. This option is no
+longer implemented as of version 1.7.00, and is kept only so old
+configuration files do not become invalid.<p>
+
+<a name="passwd chat">
+<H3>passwd chat (G)</H3>
+This string controls the "chat" conversation that takes places
+between smbd and the local password changing program to change the
+users password. The string describes a sequence of response-receive
+pairs that smbd uses to determine what to send to the passwd program
+and what to expect back. If the expected output is not received then
+the password is not changed.<p>
+
+This chat sequence is often quite site specific, depending on what
+local methods are used for password control (such as NIS+ etc).<p>
+
+The string can contain the macros %o and %n which are substituted for
+the old and new passwords respectively. It can also contain the
+standard macros \en \er \et and \es to give line-feed, carriage-return,
+tab and space.<p>
+
+The string can also contain a * which matches any sequence of
+characters.<p>
+
+Double quotes can be used to collect strings with spaces in them into
+a single string.<p>
+
+If the send string in any part of the chat sequence is a fullstop "."
+then no string is sent. Similarly, is the expect string is a fullstop
+then no string is expected.<p>
+
+.B Example:
+ passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en \e
+ "*Reenter NEW password*" %n\en "*Password changed*"<p>
+
+
+.B Default:
+ passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed*<p>
+
+<a name="passwd program">
+<H3>passwd program (G)</H3>
+The name of a program that can be used to set user passwords.<p>
+
+This is only necessary if you have enabled remote password changing at
+compile time. Any occurrences of %u will be replaced with the user
+name.<p>
+
+Also note that many passwd programs insist in "reasonable" passwords,
+such as a minimum length, or the inclusion of mixed case chars and
+digits. This can pose a problem as some clients (such as Windows for
+Workgroups) uppercase the password before sending it. <p>
+
+.B Default:
+ passwd program = /bin/passwd<p>
+
+.B Example:
+ passwd program = /sbin/passwd %u<p>
+
+<a name="password level">
+<H3>password level (G)</H3>
+Some client/server combinations have difficulty with mixed-case passwords.
+One offending client is Windows for Workgroups, which for some reason forces
+passwords to upper case when using the LANMAN1 protocol, but leaves them alone
+when using COREPLUS!<p>
+
+This parameter defines the maximum number of characters that may be upper case
+in passwords.<p>
+
+For example, say the password given was "FRED". If
+.B password level
+is set to 1 (one), the following combinations would be tried if "FRED" failed:
+"Fred", "fred", "fRed", "frEd", "freD". If
+.B password level was set to 2 (two), the following combinations would also be
+tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on.<p>
+
+The higher value this parameter is set to the more likely it is that a mixed
+case password will be matched against a single case password. However, you
+should be aware that use of this parameter reduces security and increases the
+time taken to process a new connection.<p>
+
+A value of zero will cause only two attempts to be made - the password as is
+and the password in all-lower case.<p>
+
+If you find the connections are taking too long with this option then
+you probably have a slow crypt() routine. Samba now comes with a fast
+"ufc crypt" that you can select in the Makefile. You should also make
+sure the PASSWORD_LENGTH option is correct for your system in local.h
+and includes.h. On most systems only the first 8 chars of a password
+are significant so PASSWORD_LENGTH should be 8, but on some longer
+passwords are significant. The includes.h file tries to select the
+right length for your system.<p>
+
+.B Default:
+ password level = 0<p>
+
+.B Example:
+ password level = 4<p>
+
+<a name="password server">
+<H3>password server (G)</H3><p>
+
+By specifying the name of another SMB server (such as a WinNT box)
+with this option, and using "security = server" you can get Samba to
+do all its username/password validation via a remote server.<p>
+
+This options sets the name of the password server to use. It must be a
+netbios name, so if the machine's netbios name is different from its
+internet name then you may have to add its netbios name to
+/etc/hosts.<p>
+
+The password server much be a machine capable of using the "LM1.2X002"
+or the "LM NT 0.12" protocol, and it must be in user level security
+mode. <p>
+
+NOTE: Using a password server means your UNIX box (running Samba) is
+only as secure as your password server. DO NOT CHOOSE A PASSWORD
+SERVER THAT YOU DON'T COMPLETELY TRUST.<p>
+
+Never point a Samba server at itself for password serving. This will
+cause a loop and could lock up your Samba server!<p>
+
+The name of the password server takes the standard substitutions, but
+probably the only useful one is %m, which means the Samba server will
+use the incoming client as the password server. If you use this then
+you better trust your clients, and you better restrict them with hosts
+allow!<p>
+
+If you list several hosts in the "password server" option then smbd
+will try each in turn till it finds one that responds. This is useful
+in case your primary server goes down.<p>
+
+If you are using a WindowsNT server as your password server then you
+will have to ensure that your users are able to login from the Samba
+server, as the network logon will appear to come from there rather
+than from the users workstation.<p>
+
+<a name="path">
+<H3>path (S)</H3>
+A synonym for this parameter is 'directory'.<p>
+
+This parameter specifies a directory to which the user of the service is to
+be given access. In the case of printable services, this is where print data
+will spool prior to being submitted to the host for printing.<p>
+
+For a printable service offering guest access, the service should be readonly
+and the path should be world-writable and have the sticky bit set. This is not
+mandatory of course, but you probably won't get the results you expect if you
+do otherwise.<p>
+
+Any occurrences of %u in the path will be replaced with the username
+that the client is connecting as. Any occurrences of %m will be
+replaced by the name of the machine they are connecting from. These
+replacements are very useful for setting up pseudo home directories
+for users.<p>
+
+Note that this path will be based on 'root dir' if one was specified.
+.B Default:
+ none<p>
+
+.B Example:
+ path = /home/fred+ <p>
+
+<a name="postexec">
+<H3>postexec (S)</H3><p>
+
+This option specifies a command to be run whenever the service is
+disconnected. It takes the usual substitutions. The command may be run
+as the root on some systems.<p>
+
+An interesting example may be do unmount server resources:<p>
+
+postexec = /etc/umount /cdrom<p>
+
+See also preexec<p>
+
+.B Default:
+ none (no command executed)<p>
+
+.B Example:
+ postexec = echo \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log<p>
+
+<a name="postscript">
+<H3>postscript (S)</H3>
+This parameter forces a printer to interpret the print files as
+postscript. This is done by adding a %! to the start of print output. <p>
+
+This is most useful when you have lots of PCs that persist in putting
+a control-D at the start of print jobs, which then confuses your
+printer.<p>
+
+.B Default:
+ postscript = False<p>
+
+.B Example:
+ postscript = True<p>
+
+<a name="preexec">
+<H3>preexec (S)</H3><p>
+
+This option specifies a command to be run whenever the service is
+connected to. It takes the usual substitutions.<p>
+
+An interesting example is to send the users a welcome message every
+time they log in. Maybe a message of the day? Here is an example:<p>
+
+preexec = csh -c 'echo \e"Welcome to %S!\e" | \e
+ /usr/local/samba/bin/smbclient -M %m -I %I' &<p>
+
+Of course, this could get annoying after a while :-)<p>
+
+See also postexec<p>
+
+.B Default:
+ none (no command executed)<p>
+
+.B Example:
+ preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log<p>
+
+<a name="preferred master">
+<H3>preferred master (G)</H3>
+This boolean parameter controls if Samba is a preferred master browser
+for its workgroup.
+If this is set to true, on startup, samba will force an election,
+and it will have a slight advantage in winning the election.
+It is recommended that this parameter is used in conjunction
+with domain master = yes, so that samba can guarantee becoming
+a domain master. <p>
+
+Use this option with caution, because if there are several hosts
+(whether samba servers, Windows 95 or NT) that are preferred master
+browsers on the same subnet, they will each periodically and continuously
+attempt to become the local master browser. This will result in
+unnecessary broadcast traffic and reduced browsing capabilities.<p>
+
+See
+.B os level = nn<p>
+
+.B Default:
+ preferred master = no<p>
+
+<H3>preload</H3>
+This is an alias for "auto services"<p>
+
+<a name="preload">
+<H3>preload</H3>
+This is an alias for "auto services"<p>
+
+<a name="preserve case">
+<H3>preserve case (S)</H3><p>
+
+This controls if new filenames are created with the case that the
+client passes, or if they are forced to be the "default" case.<p>
+
+.B Default:
+ preserve case = no<p>
+
+See the section on "NAME MANGLING" for a fuller discussion.<p>
+
+<a name="print command">
+<H3>print command (S)</H3>
+After a print job has finished spooling to a service, this command will be
+used via a system() call to process the spool file. Typically the command
+specified will submit the spool file to the host's printing subsystem, but
+there is no requirement that this be the case. The server will not remove the
+spool file, so whatever command you specify should remove the spool file when
+it has been processed, otherwise you will need to manually remove old spool
+files.<p>
+
+The print command is simply a text string. It will be used verbatim,
+with two exceptions: All occurrences of "%s" will be replaced by the
+appropriate spool file name, and all occurrences of "%p" will be
+replaced by the appropriate printer name. The spool file name is
+generated automatically by the server, the printer name is discussed
+below.<p>
+
+The full path name will be used for the filename if %s is not preceded
+by a /. If you don't like this (it can stuff up some lpq output) then
+use %f instead. Any occurrences of %f get replaced by the spool
+filename without the full path at the front.<p>
+
+The print command MUST contain at least one occurrence of "%s" or %f -
+the "%p" is optional. At the time a job is submitted, if no printer
+name is supplied the "%p" will be silently removed from the printer
+command.<p>
+
+If specified in the [global] section, the print command given will be used
+for any printable service that does not have its own print command specified.<p>
+
+If there is neither a specified print command for a printable service nor a
+global print command, spool files will be created but not processed and (most
+importantly) not removed.<p>
+
+Note that printing may fail on some UNIXes from the "nobody"
+account. If this happens then create an alternative guest account that
+can print and set the "guest account" in the [global] section.<p>
+
+You can form quite complex print commands by realising that they are
+just passed to a shell. For example the following will log a print
+job, print the file, then remove it. Note that ; is the usual
+separator for command in shell scripts.<p>
+
+print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s<p>
+
+You may have to vary this command considerably depending on how you
+normally print files on your system.<p>
+
+.B Default:
+ print command = lpr -r -P %p %s<p>
+
+.B Example:
+ print command = /usr/local/samba/bin/myprintscript %p %s
+<a name="print ok">
+<H3>print ok (S)</H3>
+See
+.B printable.
+<a name="printable">
+<H3>printable (S)</H3>
+A synonym for this parameter is 'print ok'.<p>
+
+If this parameter is 'yes', then clients may open, write to and submit spool
+files on the directory specified for the service.<p>
+
+Note that a printable service will ALWAYS allow writing to the service path
+(user privileges permitting) via the spooling of print data. The 'read only'
+parameter controls only non-printing access to the resource.<p>
+
+.B Default:
+ printable = no<p>
+
+.B Example:
+ printable = yes<p>
+
+<a name="printcap name">
+<H3>printcap name (G)</H3>
+This parameter may be used to override the compiled-in default printcap
+name used by the server (usually /etc/printcap). See the discussion of the
+[printers] section above for reasons why you might want to do this.<p>
+
+On SystemV systems that use lpstat to list available printers you
+can use "printcap name = lpstat" to automatically obtain lists of
+available printers. This is the default for systems that define
+SYSV at compile time in Samba (this includes most SystemV based
+systems). If "printcap name" is set to lpstat on these systems then
+Samba will launch "lpstat -v" and attempt to parse the output to
+obtain a printer list.<p>
+
+A minimal printcap file would look something like this:<p>
+
+print1|My Printer 1
+.br
+print2|My Printer 2
+.br
+print3|My Printer 3
+.br
+print4|My Printer 4
+.br
+print5|My Printer 5<p>
+
+where the | separates aliases of a printer. The fact that the second
+alias has a space in it gives a hint to Samba that it's a comment.<p>
+
+NOTE: Under AIX the default printcap name is "/etc/qconfig". Samba
+will assume the file is in AIX "qconfig" format if the string
+"/qconfig" appears in the printcap filename.<p>
+
+.B Default:
+ printcap name = /etc/printcap<p>
+
+.B Example:
+ printcap name = /etc/myprintcap<p>
+
+<a name="printer">
+<H3>printer (S)</H3>
+A synonym for this parameter is 'printer name'.<p>
+
+This parameter specifies the name of the printer to which print jobs spooled
+through a printable service will be sent.<p>
+
+If specified in the [global] section, the printer name given will be used
+for any printable service that does not have its own printer name specified.<p>
+
+.B Default:
+ none (but may be 'lp' on many systems)<p>
+
+.B Example:
+ printer name = laserwriter<p>
+
+<a name="printer driver">
+<H3>printer driver (S)</H3>
+This option allows you to control the string that clients receive when
+they ask the server for the printer driver associated with a
+printer. If you are using Windows95 or WindowsNT then you can use this
+to automate the setup of printers on your system.<p>
+
+You need to set this parameter to the exact string (case sensitive)
+that describes the appropriate printer driver for your system.
+If you don't know the exact string to use then you should first try
+with no "printer driver" option set and the client will give you a
+list of printer drivers. The appropriate strings are shown in a
+scrollbox after you have chosen the printer manufacturer.<p>
+
+.B Example:
+ printer driver = HP LaserJet 4L<p>
+
+<a name="printer name">
+<H3>printer name (S)</H3>
+See
+.B printer.<p>
+
+<a name="printer driver file">
+<H3>printer driver file (G)</H3>
+This parameter tells Samba where the printer driver definition file,
+used when serving drivers to Windows 95 clients, is to be found. If
+this is not set, the default is :<p>
+
+SAMBA_INSTALL_DIRECTORY/lib/printers.def<p>
+
+This file is created from Windows 95 'msprint.def' files found on the
+Windows 95 client system. For more details on setting up serving of
+printer drivers to Windows 95 clients, see the documentation file
+docs/PRINTER_DRIVER.txt.<p>
+
+.B Default:
+ None (set in compile).<p>
+
+.B Example:
+ printer driver file = /usr/local/samba/printers/drivers.def<p>
+
+Related parameters.
+.B printer driver location<p>
+
+<a name="printer driver location">
+<H3>printer driver location (S)</H3>
+This parameter tells clients of a particular printer share where
+to find the printer driver files for the automatic installation
+of drivers for Windows 95 machines. If Samba is set up to serve
+printer drivers to Windows 95 machines, this should be set to<p>
+
+\e\eMACHINE\ePRINTER$<p>
+
+Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
+is a share you set up for serving printer driver files. For more
+details on setting this up see the documentation file
+docs/PRINTER_DRIVER.txt.<p>
+
+.B Default:
+ None<p>
+
+.B Example:
+ printer driver location = \e\eMACHINE\ePRINTER$<p>
+
+Related paramerers.
+.B printer driver file<p>
+
+
+<a name="printing">
+<H3>printing (S)</H3>
+This parameters controls how printer status information is interpreted
+on your system, and also affects the default values for the "print
+command", "lpq command" and "lprm command".<p>
+
+Currently six printing styles are supported. They are "printing =
+bsd", "printing = sysv", "printing = hpux", "printing = aix",
+"printing = qnx" and "printing = plp".<p>
+
+To see what the defaults are for the other print commands when using
+these three options use the "testparm" program.<p>
+
+As of version 1.9.18 of Samba this option can be set on a per printer basis<p>
+
+<a name="protocol">
+<H3>protocol (G)</H3>
+The value of the parameter (a string) is the highest protocol level that will
+be supported by the server. <p>
+
+Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative
+merits of each are discussed in the README file.<p>
+
+Normally this option should not be set as the automatic negotiation
+phase in the SMB protocol takes care of choosing the appropriate protocol.<p>
+
+.B Default:
+ protocol = NT1<p>
+
+.B Example:
+ protocol = LANMAN1
+<a name="public">
+<H3>public (S)</H3>
+A synonym for this parameter is 'guest ok'.<p>
+
+If this parameter is 'yes' for a service, then no password is required
+to connect to the service. Privileges will be those of the guest
+account.<p>
+
+See the section below on user/password validation for more information about
+this option.<p>
+
+.B Default:
+ public = no<p>
+
+.B Example:
+ public = yes
+<a name="read list">
+<H3>read list (S)</H3>
+This is a list of users that are given read-only access to a
+service. If the connecting user is in this list then they will
+not be given write access, no matter what the "read only" option
+is set to. The list can include group names using the @group syntax.<p>
+
+See also the "write list" option<p>
+
+.B Default:
+ read list =<p>
+
+.B Example:
+ read list = mary, @students<p>
+
+<a name="read only">
+<H3>read only (S)</H3>
+See
+.B writable
+and
+.B write ok.
+Note that this is an inverted synonym for writable and write ok.
+<a name="read prediction">
+<H3>read prediction (G)</H3>
+This options enables or disables the read prediction code used to
+speed up reads from the server. When enabled the server will try to
+pre-read data from the last accessed file that was opened read-only
+while waiting for packets.<p>
+
+<H3>Default:</H3>
+ read prediction = False<p>
+
+<H3>Example:</H3>
+ read prediction = True
+<a name="Default:</H3>
+ read prediction = False<p>
+
+<H3>Example:</H3>
+ read prediction = True
+<H3>read raw">
+<H3>read raw (G)</H3>
+This parameter controls whether or not the server will support raw reads when
+transferring data to clients.<p>
+
+If enabled, raw reads allow reads of 65535 bytes in one packet. This
+typically provides a major performance benefit.<p>
+
+However, some clients either negotiate the allowable block size incorrectly
+or are incapable of supporting larger block sizes, and for these clients you
+may need to disable raw reads.<p>
+
+In general this parameter should be viewed as a system tuning tool and left
+severely alone. See also
+.B write raw.<p>
+
+.B Default:
+ read raw = yes<p>
+
+.B Example:
+ read raw = no
+<a name="read size">
+<H3>read size (G)</H3><p>
+
+The option "read size" affects the overlap of disk reads/writes with
+network reads/writes. If the amount of data being transferred in
+several of the SMB commands (currently SMBwrite, SMBwriteX and
+SMBreadbraw) is larger than this value then the server begins writing
+the data before it has received the whole packet from the network, or
+in the case of SMBreadbraw, it begins writing to the network before
+all the data has been read from disk.<p>
+
+This overlapping works best when the speeds of disk and network access
+are similar, having very little effect when the speed of one is much
+greater than the other.<p>
+
+The default value is 2048, but very little experimentation has been
+done yet to determine the optimal value, and it is likely that the best
+value will vary greatly between systems anyway. A value over 65536 is
+pointless and will cause you to allocate memory unnecessarily.<p>
+
+.B Default:
+ read size = 2048<p>
+
+.B Example:
+ read size = 8192<p>
+
+<a name="remote announce">
+<H3>remote announce (G)</H3><p>
+
+This option allows you to setup nmbd to periodically announce itself
+to arbitrary IP addresses with an arbitrary workgroup name. <p>
+
+This is useful if you want your Samba server to appear in a remote
+workgroup for which the normal browse propagation rules don't
+work. The remote workgroup can be anywhere that you can send IP
+packets to.<p>
+
+For example:<p>
+
+ remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF<p>
+
+the above line would cause nmbd to announce itself to the two given IP
+addresses using the given workgroup names. If you leave out the
+workgroup name then the one given in the "workgroup" option is used
+instead. <p>
+
+The IP addresses you choose would normally be the broadcast addresses
+of the remote networks, but can also be the IP addresses of known
+browse masters if your network config is that stable.<p>
+
+This option replaces similar functionality from the nmbd lmhosts file.<p>
+
+<a name="remote browse sync">
+<H3>remote browse sync (G)</H3><p>
+
+This option allows you to setup nmbd to periodically request synchronisation
+of browse lists with the master browser of a samba server that is on a remote
+segment. This option will allow you to gain browse lists for multiple
+workgroups across routed networks. This is done in a manner that does not work
+with any non-samba servers.<p>
+
+This is useful if you want your Samba server and all local clients
+to appear in a remote workgroup for which the normal browse propagation
+rules don't work. The remote workgroup can be anywhere that you can send IP
+packets to.<p>
+
+For example:<p>
+
+ remote browse sync = 192.168.2.255 192.168.4.255<p>
+
+the above line would cause nmbd to request the master browser on the
+specified subnets or addresses to synchronise their browse lists with
+the local server.<p>
+
+The IP addresses you choose would normally be the broadcast addresses
+of the remote networks, but can also be the IP addresses of known
+browse masters if your network config is that stable. If a machine IP
+address is given Samba makes NO attempt to validate that the remote
+machine is available, is listening, nor that it is in fact the browse
+master on it's segment.<p>
+
+
+<a name="revalidate">
+<H3>revalidate (S)</H3><p>
+
+This options controls whether Samba will allow a previously validated
+username/password pair to be used to attach to a share. Thus if you
+connect to \e\eserver\eshare1 then to \e\eserver\eshare2 it won't
+automatically allow the client to request connection to the second
+share as the same username as the first without a password.<p>
+
+If "revalidate" is True then the client will be denied automatic
+access as the same username.<p>
+
+.B Default:
+ revalidate = False<p>
+
+.B Example:
+ revalidate = True<p>
+
+<a name="root">
+<H3>root (G)</H3>
+See
+.B root directory.
+<a name="root dir">
+<H3>root dir (G)</H3>
+See
+.B root directory.
+<a name="root directory">
+<H3>root directory (G)</H3>
+Synonyms for this parameter are 'root dir' and 'root'.<p>
+
+The server will chroot() to this directory on startup. This is not
+strictly necessary for secure operation. Even without it the server
+will deny access to files not in one of the service entries. It may
+also check for, and deny access to, soft links to other parts of the
+filesystem, or attempts to use .. in file names to access other
+directories (depending on the setting of the "wide links" parameter).<p>
+
+Adding a "root dir" entry other than "/" adds an extra level of security,
+but at a price. It absolutely ensures that no access is given to files not
+in the sub-tree specified in the "root dir" option, *including* some files
+needed for complete operation of the server. To maintain full operability
+of the server you will need to mirror some system files into the "root dir"
+tree. In particular you will need to mirror /etc/passwd (or a subset of it),
+and any binaries or configuration files needed for printing (if required).
+The set of files that must be mirrored is operating system dependent.<p>
+
+.B Default:
+ root directory = /<p>
+
+.B Example:
+ root directory = /homes/smb
+<a name="root postexec">
+<H3>root postexec (S)</H3><p>
+
+This is the same as postexec except that the command is run as
+root. This is useful for unmounting filesystems (such as cdroms) after
+a connection is closed.<p>
+
+<a name="root preexec">
+<H3>root preexec (S)</H3><p>
+
+This is the same as preexec except that the command is run as
+root. This is useful for mounting filesystems (such as cdroms) before
+a connection is finalised.<p>
+
+<a name="security">
+<H3>security (G)</H3>
+This option affects how clients respond to Samba.<p>
+
+The option sets the "security mode bit" in replies to protocol negotiations
+to turn share level security on or off. Clients decide based on this bit
+whether (and how) to transfer user and password information to the server.<p>
+
+The default is "security=SHARE", mainly because that was the only
+option at one stage.<p>
+
+The alternatives are "security = user" or "security = server". <p>
+
+If your PCs use usernames that are the same as their usernames on the
+UNIX machine then you will want to use "security = user". If you
+mostly use usernames that don't exist on the UNIX box then use
+"security = share".<p>
+
+There is a bug in WfWg that may affect your decision. When in user
+level security a WfWg client will totally ignore the password you type
+in the "connect drive" dialog box. This makes it very difficult (if
+not impossible) to connect to a Samba service as anyone except the
+user that you are logged into WfWg as.<p>
+
+If you use "security = server" then Samba will try to validate the
+username/password by passing it to another SMB server, such as an NT
+box. If this fails it will revert to "security = USER".<p>
+
+See the "password server" option for more details.<p>
+
+.B Default:
+ security = SHARE<p>
+
+.B Example:
+ security = USER
+<a name="server string">
+<H3>server string (G)</H3>
+This controls what string will show up in the printer comment box in
+print manager and next to the IPC connection in "net view". It can be
+any string that you wish to show to your users.<p>
+
+It also sets what will appear in browse lists next to the machine name.<p>
+
+A %v will be replaced with the Samba version number.<p>
+
+A %h will be replaced with the hostname.<p>
+
+.B Default:
+ server string = Samba %v<p>
+
+.B Example:
+ server string = University of GNUs Samba Server<p>
+
+<a name="set directory">
+<H3>set directory (S)</H3>
+If 'set directory = no', then users of the service may not use the setdir
+command to change directory.<p>
+
+The setdir command is only implemented in the Digital Pathworks client. See the
+Pathworks documentation for details.<p>
+
+.B Default:
+ set directory = no<p>
+
+.B Example:
+ set directory = yes<p>
+
+<a name="shared file entries">
+<H3>shared file entries (G)</H3>
+This parameter has been removed (as of Samba 1.9.18 and above). The new
+System V shared memory code prohibits the user from allocating the
+share hash bucket size directly.<p>
+
+<a name="shared mem size">
+<H3>shared mem size (G)</H3>
+This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES.
+It specifies the size of the shared memory (in bytes) to use between smbd
+processes. You should never change this parameter unless you have studied
+the source and know what you are doing. This parameter defaults to 1024
+multiplied by the setting of the maximum number of open files in the
+file local.h in the Samba source code. MAX_OPEN_FILES is normally set
+to 100, so this parameter defaults to 102400 bytes.<p>
+
+.B Default
+ shared mem size = 102400<p>
+
+<a name="smb passwd file">
+<H3>smb passwd file (G)</H3>
+This option sets the path to the encrypted smbpasswd file. This is a *VERY
+DANGEROUS OPTION* if the smb.conf is user writable. By default the path
+to the smbpasswd file is compiled into Samba.<p>
+
+<a name="smbrun">
+<H3>smbrun (G)</H3>
+This sets the full path to the smbrun binary. This defaults to the
+value in the Makefile.<p>
+
+You must get this path right for many services to work correctly.<p>
+
+.B Default:
+taken from Makefile<p>
+
+.B Example:
+ smbrun = /usr/local/samba/bin/smbrun<p>
+
+<a name="share modes">
+<H3>share modes (S)</H3><p>
+
+This enables or disables the honouring of the "share modes" during a
+file open. These modes are used by clients to gain exclusive read or
+write access to a file. <p>
+
+These open modes are not directly supported by UNIX, so they are
+simulated using lock files in the "lock directory". The "lock
+directory" specified in smb.conf must be readable by all users.<p>
+
+The share modes that are enabled by this option are DENY_DOS,
+DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.<p>
+
+Enabling this option gives full share compatibility but may cost a bit
+of processing time on the UNIX server. They are enabled by default.<p>
+
+.B Default:
+ share modes = yes<p>
+
+.B Example:
+ share modes = no<p>
+
+<a name="short preserve case">
+<H3>short preserve case (S)</H3><p>
+
+This controls if new short filenames are created with the case that
+the client passes, or if they are forced to be the "default" case.<p>
+
+.B Default:
+ short preserve case = no<p>
+
+See the section on "NAME MANGLING" for a fuller discussion.<p>
+
+<a name="socket address">
+<H3>socket address (G)</H3><p>
+
+This option allows you to control what address Samba will listen for
+connections on. This is used to support multiple virtual interfaces on
+the one server, each with a different configuration.<p>
+
+By default samba will accept connections on any address.<p>
+
+.B Example:
+ socket address = 192.168.2.20<p>
+
+<a name="socket options">
+<H3>socket options (G)</H3>
+This option (which can also be invoked with the -O command line
+option) allows you to set socket options to be used when talking with
+the client.<p>
+
+Socket options are controls on the networking layer of the operating
+systems which allow the connection to be tuned.<p>
+
+This option will typically be used to tune your Samba server for
+optimal performance for your local network. There is no way that Samba
+can know what the optimal parameters are for your net, so you must
+experiment and choose them yourself. I strongly suggest you read the
+appropriate documentation for your operating system first (perhaps
+"man setsockopt" will help).<p>
+
+You may find that on some systems Samba will say "Unknown socket
+option" when you supply an option. This means you either mis-typed it
+or you need to add an include file to includes.h for your OS. If the
+latter is the case please send the patch to me
+(samba-bugs@samba.anu.edu.au).<p>
+
+Any of the supported socket options may be combined in any way you
+like, as long as your OS allows it.<p>
+
+This is the list of socket options currently settable using this
+option:<p>
+
+ SO_KEEPALIVE<p>
+
+ SO_REUSEADDR<p>
+
+ SO_BROADCAST<p>
+
+ TCP_NODELAY<p>
+
+ IPTOS_LOWDELAY<p>
+
+ IPTOS_THROUGHPUT<p>
+
+ SO_SNDBUF *<p>
+
+ SO_RCVBUF *<p>
+
+ SO_SNDLOWAT *<p>
+
+ SO_RCVLOWAT *<p>
+
+Those marked with a * take an integer argument. The others can
+optionally take a 1 or 0 argument to enable or disable the option, by
+default they will be enabled if you don't specify 1 or 0.<p>
+
+To specify an argument use the syntax SOME_OPTION=VALUE for example
+SO_SNDBUF=8192. Note that you must not have any spaces before or after
+the = sign.<p>
+
+If you are on a local network then a sensible option might be<p>
+
+socket options = IPTOS_LOWDELAY<p>
+
+If you have an almost unloaded local network and you don't mind a lot
+of extra CPU usage in the server then you could try<p>
+
+socket options = IPTOS_LOWDELAY TCP_NODELAY<p>
+
+If you are on a wide area network then perhaps try setting
+IPTOS_THROUGHPUT. <p>
+
+Note that several of the options may cause your Samba server to fail
+completely. Use these options with caution!<p>
+
+.B Default:
+ no socket options<p>
+
+.B Example:
+ socket options = IPTOS_LOWDELAY <p>
+
+<p>
+
+
+<a name="status">
+<H3>status (G)</H3>
+This enables or disables logging of connections to a status file that
+.B smbstatus
+can read.<p>
+
+With this disabled
+.B smbstatus
+won't be able to tell you what
+connections are active.<p>
+
+.B Default:
+ status = yes<p>
+
+.B Example:
+ status = no<p>
+
+<a name="strict locking">
+<H3>strict locking (S)</H3>
+This is a boolean that controls the handling of file locking in the
+server. When this is set to yes the server will check every read and
+write access for file locks, and deny access if locks exist. This can
+be slow on some systems.<p>
+
+When strict locking is "no" the server does file lock checks only when
+the client explicitly asks for them. <p>
+
+Well behaved clients always ask for lock checks when it is important,
+so in the vast majority of cases "strict locking = no" is preferable.<p>
+
+.B Default:
+ strict locking = no<p>
+
+.B Example:
+ strict locking = yes<p>
+
+<a name="strip dot">
+<H3>strip dot (G)</H3>
+This is a boolean that controls whether to strip trailing dots off
+UNIX filenames. This helps with some CDROMs that have filenames ending in a
+single dot.<p>
+
+.B Default:
+ strip dot = no<p>
+
+.B Example:
+ strip dot = yes<p>
+
+<a name="syslog">
+<H3>syslog (G)</H3>
+This parameter maps how Samba debug messages are logged onto the
+system syslog logging levels. Samba debug level zero maps onto
+syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug
+level two maps to LOG_NOTICE, debug level three maps onto LOG_INFO.
+The paramter sets the threshold for doing the mapping, all Samba
+debug messages above this threashold are mapped to syslog LOG_DEBUG
+messages.<p>
+
+.B Default:<p>
+
+ syslog = 1<p>
+
+<a name="syslog only">
+<H3>syslog only (G)</H3>
+If this parameter is set then Samba debug messages are logged into
+the system syslog only, and not to the debug log files.<p>
+
+.B Default:
+ syslog only = no<p>
+
+<a name="sync always">
+<H3>sync always (S)</H3><p>
+
+This is a boolean parameter that controls whether writes will always
+be written to stable storage before the write call returns. If this is
+false then the server will be guided by the client's request in each
+write call (clients can set a bit indicating that a particular write
+should be synchronous). If this is true then every write will be
+followed by a fsync() call to ensure the data is written to disk.<p>
+
+.B Default:
+ sync always = no<p>
+
+.B Example:
+ sync always = yes<p>
+
+<a name="time offset">
+<H3>time offset (G)</H3>
+This parameter is a setting in minutes to add to the normal GMT to
+local time conversion. This is useful if you are serving a lot of PCs
+that have incorrect daylight saving time handling.<p>
+
+.B Default:
+ time offset = 0<p>
+
+.B Example:
+ time offset = 60<p>
+
+<a name="time server">
+<H3>time server (G)</H3>
+This parameter determines if nmbd advertises itself as a time server
+to Windows clients. The default is False.<p>
+
+.B Default:
+ time server = False<p>
+
+.B Example:
+ time server = True<p>
+
+<a name="unix realname">
+<H3>unix realname (G)</H3>
+This boolean parameter when set causes samba to supply the real name field
+from the unix password file to the client. This is useful for setting up
+mail clients and WWW browsers on systems used by more than one person.<p>
+
+.B Default:
+ unix realname = no<p>
+
+.B Example:
+ unix realname = yes<p>
+
+<a name="user">
+<H3>user (S)</H3>
+See
+.B username.
+<a name="username">
+<H3>username (S)</H3>
+A synonym for this parameter is 'user'.<p>
+
+Multiple users may be specified in a comma-delimited list, in which case the
+supplied password will be tested against each username in turn (left to right).<p>
+
+The username= line is needed only when the PC is unable to supply its own
+username. This is the case for the coreplus protocol or where your
+users have different WfWg usernames to UNIX usernames. In both these
+cases you may also be better using the \e\eserver\eshare%user syntax
+instead. <p>
+
+The username= line is not a great solution in many cases as it means Samba
+will try to validate the supplied password against each of the
+usernames in the username= line in turn. This is slow and a bad idea for
+lots of users in case of duplicate passwords. You may get timeouts or
+security breaches using this parameter unwisely.<p>
+
+Samba relies on the underlying UNIX security. This parameter does not
+restrict who can login, it just offers hints to the Samba server as to
+what usernames might correspond to the supplied password. Users can
+login as whoever they please and they will be able to do no more
+damage than if they started a telnet session. The daemon runs as the
+user that they log in as, so they cannot do anything that user cannot
+do.<p>
+
+To restrict a service to a particular set of users you can use the
+"valid users=" line.<p>
+
+If any of the usernames begin with a @ then the name will be looked up
+in the groups file and will expand to a list of all users in the group
+of that name. Note that searching though a groups file can take quite
+some time, and some clients may time out during the search.<p>
+
+See the section below on username/password validation for more information
+on how this parameter determines access to the services.<p>
+
+.B Default:
+ The guest account if a guest service, else the name of the service.<p>
+
+.B Examples:
+ username = fred
+ username = fred, mary, jack, jane, @users, @pcgroup<p>
+
+<a name="username level">
+<H3>username level (G)</H3><p>
+
+This option helps Samba to try and 'guess' at the real UNIX username,
+as many DOS clients send an all-uppercase username. By default Samba
+tries all lowercase, followed by the username with the first letter
+capitalized, and fails if the username is not found on the UNIX machine.<p>
+
+If this parameter is set to non-zero the behaviour changes. This
+parameter is a number that specifies the number of uppercase combinations
+to try whilst trying to determine the UNIX user name. The higher the number
+the more combinations will be tried, but the slower the discovery
+of usernames will be. Use this parameter when you have strange
+usernames on your UNIX machine, such as 'AstrangeUser'.<p>
+
+.B Default:
+ username level = 0<p>
+
+.B Example:
+ username level = 5<p>
+
+<a name="username map">
+<H3>username map (G)</H3><p>
+
+This option allows you to to specify a file containing a mapping of
+usernames from the clients to the server. This can be used for several
+purposes. The most common is to map usernames that users use on DOS or
+Windows machines to those that the UNIX box uses. The other is to map
+multiple users to a single username so that they can more easily share
+files.<p>
+
+The map file is parsed line by line. Each line should contain a single
+UNIX username on the left then a '=' followed by a list of usernames
+on the right. The list of usernames on the right may contain names of
+the form @group in which case they will match any UNIX username in
+that group. The special client name '*' is a wildcard and matches any
+name.<p>
+
+The file is processed on each line by taking the supplied username and
+comparing it with each username on the right hand side of the '='
+signs. If the supplied name matches any of the names on the right
+hand side then it is replaced with the name on the left. Processing
+then continues with the next line.<p>
+
+If any line begins with a '#' or a ';' then it is ignored<p>
+
+If any line begins with an ! then the processing will stop after that
+line if a mapping was done by the line. Otherwise mapping continues
+with every line being processed. Using ! is most useful when you have
+a wildcard mapping line later in the file.<p>
+
+For example to map from the name "admin" or "administrator" to the UNIX
+name "root" you would use<p>
+
+ root = admin administrator<p>
+
+Or to map anyone in the UNIX group "system" to the UNIX name "sys" you
+would use<p>
+
+ sys = @system<p>
+
+You can have as many mappings as you like in a username map file.<p>
+
+You can map Windows usernames that have spaces in them by using double
+quotes around the name. For example:<p>
+
+ tridge = "Andrew Tridgell"<p>
+
+would map the windows username "Andrew Tridgell" to the unix username
+tridge.<p>
+
+The following example would map mary and fred to the unix user sys,
+and map the rest to guest. Note the use of the ! to tell Samba to stop
+processing if it gets a match on that line.<p>
+
+ !sys = mary fred
+ guest = *<p>
+
+
+Note that the remapping is applied to all occurrences of
+usernames. Thus if you connect to "\e\eserver\efred" and "fred" is
+remapped to "mary" then you will actually be connecting to
+"\e\eserver\emary" and will need to supply a password suitable for
+"mary" not "fred". The only exception to this is the username passed
+to the "password server" (if you have one). The password server will
+receive whatever username the client supplies without modification.<p>
+
+Also note that no reverse mapping is done. The main effect this has is
+with printing. Users who have been mapped may have trouble deleting
+print jobs as PrintManager under WfWg will think they don't own the
+print job.<p>
+
+.B Default
+ no username map<p>
+
+.B Example
+ username map = /usr/local/samba/lib/users.map<p>
+
+<a name="valid chars">
+<H3>valid chars (S)</H3><p>
+
+The option allows you to specify additional characters that should be
+considered valid by the server in filenames. This is particularly
+useful for national character sets, such as adding u-umlaut or a-ring.<p>
+
+The option takes a list of characters in either integer or character
+form with spaces between them. If you give two characters with a colon
+between them then it will be taken as an lowercase:uppercase pair.<p>
+
+If you have an editor capable of entering the characters into the
+config file then it is probably easiest to use this method. Otherwise
+you can specify the characters in octal, decimal or hexadecimal form
+using the usual C notation.<p>
+
+For example to add the single character 'Z' to the charset (which is a
+pointless thing to do as it's already there) you could do one of the
+following<p>
+
+valid chars = Z
+valid chars = z:Z
+valid chars = 0132:0172<p>
+
+The last two examples above actually add two characters, and alter
+the uppercase and lowercase mappings appropriately.<p>
+
+Note that you MUST specify this parameter after the "client code page"
+parameter if you have both set. If "client code page" is set after
+the "valid chars" parameter the "valid chars" settings will be
+overwritten.<p>
+
+See also the "client code page" parameter.<p>
+
+.B Default
+.br
+ Samba defaults to using a reasonable set of valid characters
+.br
+ for english systems<p>
+
+.B Example
+ valid chars = 0345:0305 0366:0326 0344:0304<p>
+
+The above example allows filenames to have the swedish characters in
+them. <p>
+
+NOTE: It is actually quite difficult to correctly produce a "valid
+chars" line for a particular system. To automate the process
+tino@augsburg.net has written a package called "validchars" which will
+automatically produce a complete "valid chars" line for a given client
+system. Look in the examples subdirectory for this package.<p>
+
+<a name="valid users">
+<H3>valid users (S)</H3>
+This is a list of users that should be allowed to login to this
+service. A name starting with @ is interpreted as a UNIX group.<p>
+
+If this is empty (the default) then any user can login. If a username
+is in both this list and the "invalid users" list then access is
+denied for that user.<p>
+
+The current servicename is substituted for %S. This is useful in the
+[homes] section.<p>
+
+See also "invalid users"<p>
+
+.B Default
+ No valid users list. (anyone can login)<p>
+
+.B Example
+ valid users = greg, @pcusers<p>
+
+
+<a name="veto file">
+<H3>veto files(S)</H3>
+This is a list of files and directories that are neither visible nor
+accessible. Each entry in the list must be separated by a "/", which
+allows spaces to be included in the entry. '*' and '?' can be used to
+specify multiple files or directories as in DOS wildcards.<p>
+
+Each entry must be a unix path, not a DOS path and must not include the
+unix directory separator "/".<p>
+
+Note that the case sensitivity option is applicable in vetoing files.<p>
+
+One feature of the veto files parameter that it is important to be
+aware of, is that if a directory contains nothing but files that
+match the veto files parameter (which means that Windows/DOS clients
+cannot ever see them) is deleted, the veto files within that directory
+*are automatically deleted* along with it, if the user has UNIX permissions
+to do so.
+
+Setting this parameter will affect the performance of Samba, as
+it will be forced to check all files and directories for a match
+as they are scanned.<p>
+
+See also "hide files" and "case sensitive"<p>
+
+.B Default
+ No files or directories are vetoed.<p>
+
+.B Examples
+ Example 1.
+ Veto any files containing the word Security,
+ any ending in .tmp, and any directory containing the
+ word root.<p>
+
+ veto files = /*Security*/*.tmp/*root*/<p>
+
+ Example 2.
+ Veto the Apple specific files that a NetAtalk server
+ creates.<p>
+
+ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/<p>
+
+<a name="veto oplock files">
+<H3>veto oplock files (S)</H3>
+This parameter is only valid when the 'oplocks' parameter is turned on
+for a share. It allows the Samba administrator to selectively turn off
+the granting of oplocks on selected files that match a wildcarded list,
+similar to the wildcarded list used in the 'veto files' parameter.<p>
+
+.B Default
+ No files are vetoed for oplock grants.<p>
+
+.B Examples
+You might want to do this on files that you know will be heavily
+contended for by clients. A good example of this is in the NetBench
+SMB benchmark program, which causes heavy client contention for files
+ending in .SEM. To cause Samba not to grant oplocks on these files
+you would use the line (either in the [global] section or in the section
+for the particular NetBench share :<p>
+
+ veto oplock files = /*.SEM/<p>
+
+<a name="volume">
+<H3>volume (S)</H3>
+This allows you to override the volume label returned for a
+share. Useful for CDROMs with installation programs that insist on a
+particular volume label.<p>
+
+The default is the name of the share<p>
+
+<a name="wide links">
+<H3>wide links (S)</H3>
+This parameter controls whether or not links in the UNIX file system may be
+followed by the server. Links that point to areas within the directory tree
+exported by the server are always allowed; this parameter controls access
+only to areas that are outside the directory tree being exported.<p>
+
+.B Default:
+ wide links = yes<p>
+
+.B Example:
+ wide links = no<p>
+
+<a name="wins proxy">
+<H3>wins proxy (G)</H3><p>
+
+This is a boolean that controls if nmbd will respond to broadcast name
+queries on behalf of other hosts. You may need to set this to no for
+some older clients.<p>
+
+.B Default:
+ wins proxy = no
+<a name="wins server">
+<H3>wins server (G)</H3><p>
+
+This specifies the DNS name (or IP address) of the WINS server that Samba
+should register with. If you have a WINS server on your network then you
+should set this to the WINS servers name.<p>
+
+You should point this at your WINS server if you have a multi-subnetted
+network.
+.B Default:
+ wins server = <p>
+
+<a name="wins support">
+<H3>wins support (G)</H3><p>
+
+This boolean controls if the nmbd process in Samba will act as a WINS server.
+You should not set this to true unless you have a multi-subnetted network and
+you wish a particular nmbd to be your WINS server. Note that you
+should *NEVER* set this to true on more than one machine in your
+network.<p>
+
+.B Default:
+ wins support = no<p>
+
+<a name="workgroup">
+<H3>workgroup (G)</H3><p>
+
+This controls what workgroup your server will appear to be in when
+queried by clients. <p>
+
+.B Default:
+ set in the Makefile<p>
+
+.B Example:
+ workgroup = MYGROUP<p>
+
+<a name="writable">
+<H3>writable (S)</H3>
+A synonym for this parameter is 'write ok'. An inverted synonym is 'read only'.<p>
+
+If this parameter is 'no', then users of a service may not create or modify
+files in the service's directory.<p>
+
+Note that a printable service ('printable = yes') will ALWAYS allow
+writing to the directory (user privileges permitting), but only via
+spooling operations.<p>
+
+.B Default:
+ writable = no<p>
+
+.B Examples:
+ read only = no
+ writable = yes
+ write ok = yes
+<a name="write list">
+<H3>write list (S)</H3>
+This is a list of users that are given read-write access to a
+service. If the connecting user is in this list then they will be
+given write access, no matter what the "read only" option is set
+to. The list can include group names using the @group syntax.<p>
+
+Note that if a user is in both the read list and the write list then
+they will be given write access.<p>
+
+See also the "read list" option<p>
+
+.B Default:
+ write list =<p>
+
+.B Example:
+ write list = admin, root, @staff<p>
+
+<a name="write ok">
+<H3>write ok (S)</H3>
+See
+.B writable
+and
+.B read only.<p>
+
+<a name="write raw">
+<H3>write raw (G)</H3>
+This parameter controls whether or not the server will support raw writes when
+transferring data from clients.<p>
+
+.B Default:
+ write raw = yes<p>
+
+.B Example:
+ write raw = no<p>
+
+</BODY>
+</HTML>
+
+
diff --git a/swat/help/welcome.html b/swat/help/welcome.html
new file mode 100644
index 0000000000..4f0d8608ce
--- /dev/null
+++ b/swat/help/welcome.html
@@ -0,0 +1,8 @@
+Welcome to SWAT!<p>
+
+need to edit help/welcome.html to fill out this welcome page<p>
+
+
+
+
+