summaryrefslogtreecommitdiff
path: root/swat
diff options
context:
space:
mode:
Diffstat (limited to 'swat')
-rw-r--r--swat/help/parameters.html5525
1 files changed, 2189 insertions, 3336 deletions
diff --git a/swat/help/parameters.html b/swat/help/parameters.html
index 15cf563983..c6c1b34d0e 100644
--- a/swat/help/parameters.html
+++ b/swat/help/parameters.html
@@ -1,3367 +1,2220 @@
<HTML>
<BODY>
-SWAT Parameters help<p>
-
-We need to reformat the smb.conf man page as HTML with a label for
-each parameter. Anyone want to write a perl script? Currently I've
-just done a quick hack with an emacs macro to get something in
-place. Or maybe the SGML conversion will be the way to go?<p>
+<H1 ALIGN=CENTER>SWAT Parameters help</H1>
<hr>
-<a name="admin users">
-<H3>admin users (S)</H3><p>
-
-This is a list of users who will be granted administrative privileges
-on the share. This means that they will do all file operations as the
-super-user (root).<p>
-
-You should use this option very carefully, as any user in this list
-will be able to do anything they like on the share, irrespective of
-file permissions.<p>
-
-.B Default:
- no admin users<p>
-
-.B Example:
- admin users = jason<p>
-
-<a name="announce as">
-<H3>announce as (G)</H3><p>
-
-This specifies what type of server nmbd will announce itself as in
-browse lists. By default this is set to Windows NT. The valid options
-are "NT", "Win95" or "WfW" meaining Windows NT, Windows 95 and
-Windows for Workgroups respectively. Do not change this parameter
-unless you have a specific need to stop Samba appearing as an NT
-server as this may prevent Samba servers from participating as
-browser servers correctly.<p>
-
-.B Default:
- announce as = NT<p>
-
-.B Example
- announce as = Win95<p>
-
-<a name="announce version">
-<H3>announce version (G)</H3><p>
-
-This specifies the major and minor version numbers that nmbd
-will use when announcing itself as a server. The default is 4.2.
-Do not change this parameter unless you have a specific need to
-set a Samba server to be a downlevel server.<p>
-
-.B Default:
- announce version = 4.2<p>
-
-.B Example:
- announce version = 2.0<p>
-
-<a name="auto services">
-<H3>auto services (G)</H3>
-This is a list of services that you want to be automatically added to
-the browse lists. This is most useful for homes and printers services
-that would otherwise not be visible.<p>
-
-Note that if you just want all printers in your printcap file loaded
-then the "load printers" option is easier.<p>
-
-.B Default:
- no auto services<p>
-
-.B Example:
- auto services = fred lp colorlp<p>
-
-<a name="allow hosts">
-<H3>allow hosts (S)</H3>
-A synonym for this parameter is 'hosts allow'.<p>
-
-This parameter is a comma delimited set of hosts which are permitted to access
-a service. <p>
-
-If specified in the [global] section then it will apply to all
-services, regardless of whether the individual service has a different
-setting. <p>
-
-You can specify the hosts by name or IP number. For example, you could
-restrict access to only the hosts on a Class C subnet with something like
-"allow hosts = 150.203.5.". The full syntax of the list is described in
-the man page
-.BR hosts_access (5).<p>
-
-You can also specify hosts by network/netmask pairs and by netgroup
-names if your system supports netgroups. The EXCEPT keyword can also
-be used to limit a wildcard list. The following examples may provide
-some help:<p>
-
-Example 1: allow all IPs in 150.203.*.* except one<p>
-
- hosts allow = 150.203. EXCEPT 150.203.6.66<p>
-
-Example 2: allow hosts that match the given network/netmask<p>
-
- hosts allow = 150.203.15.0/255.255.255.0<p>
-
-Example 3: allow a couple of hosts<p>
-
- hosts allow = lapland, arvidsjaur<p>
-
-Example 4: allow only hosts in netgroup "foonet" or localhost, but
-deny access from one particular host<p>
-
- hosts allow = @foonet, localhost
- hosts deny = pirate<p>
-
-Note that access still requires suitable user-level passwords.<p>
-
-See
-.BR testparm (1)
-for a way of testing your host access to see if it
-does what you expect.<p>
-
-.B Default:
- none (i.e., all hosts permitted access)<p>
-
-.B Example:
- allow hosts = 150.203.5. myhost.mynet.edu.au<p>
-
-<a name="alternate permissions">
-<H3>alternate permissions (S)</H3><p>
-
-This option affects the way the "read only" DOS attribute is produced
-for UNIX files. If this is false then the read only bit is set for
-files on writeable shares which the user cannot write to.<p>
-
-If this is true then it is set for files whos user write bit is not set.<p>
-
-The latter behaviour is useful for when users copy files from each
-others directories, and use a file manager that preserves
-permissions. Without this option they may get annoyed as all copied
-files will have the "read only" bit set.<p>
-
-.B Default:
- alternate permissions = no<p>
-
-.B Example:
- alternate permissions = yes<p>
-
-<a name="available">
-<H3>available (S)</H3>
-This parameter lets you 'turn off' a service. If 'available = no', then
-ALL attempts to connect to the service will fail. Such failures are logged.<p>
-
-.B Default:
- available = yes<p>
-
-.B Example:
- available = no<p>
-
-<a name="bind interfaces only">
-<H3>bind interfaces only (G)</H3>
-This global parameter (new for 1.9.18) allows the Samba admin to limit
-what interfaces on a machine will serve smb requests. If affects file service
-(smbd) and name service (nmbd) in slightly different ways.<p>
-
-For name service it causes nmbd to bind to ports 137 and 138 on
-the interfaces listed in the 'interfaces' parameter. nmbd also binds
-to the 'all addresses' interface (0.0.0.0) on ports 137 and 138
-for the purposes of reading broadcast messages. If this option is
-not set then nmbd will service name requests on all of these
-sockets. If "bind interfaces only" is set then nmbd will check
-the source address of any packets coming in on the broadcast
-sockets and discard any that don't match the broadcast addresses
-of the interfaces in the 'interfaces' parameter list. As unicast
-packets are received on the other sockets it allows nmbd to
-refuse to serve names to machines that send packets that arrive
-through any interfaces not listed in the 'interfaces' list.
-IP Source address spoofing does defeat this simple check, however
-so it must not be used seriously as a security feature for nmbd.<p>
-
-For file service it causes smbd to bind only to the interface
-list given in the 'interfaces' parameter. This restricts the
-networks that smbd will serve to packets coming in those interfaces.
-Note that you should not use this parameter for machines that
-are serving ppp or other intermittant or non-broadcast network
-interfaces as it will not cope with non-permanent interfaces.<p>
-
-.B Default:
- bind interfaces only = False<p>
-
-.B Example:
- bind interfaces only = True<p>
-
-<a name="browseable">
-<H3>browseable (S)</H3>
-This controls whether this share is seen in the list of available
-shares in a net view and in the browse list.<p>
-
-.B Default:
- browseable = Yes<p>
-
-.B Example:
- browseable = No
-<a name="browse lis">
-<H3>browse list(G)</H3>
-This controls whether the smbd will serve a browse list to a client
-doing a NetServerEnum call. Normally set to true. You should never
-need to change this.<p>
-
-.B Default:
- browse list = Yes<p>
-
-<a name="case sensitive">
-<H3>case sensitive (G)</H3>
-See the discussion on NAME MANGLING.<p>
-
-<a name="case sig names">
-<H3>case sig names (G)</H3>
-See "case sensitive"<p>
-
-<a name="character set">
-<H3>character set (G)</H3>
-This allows a smbd to map incoming characters from a DOS 850 Code page
-to either a Western European (ISO8859-1) or Easter European (ISO8859-2)
-code page. Normally not set, meaning no filename translation is done.<p>
-
-.B Default<p>
-
- character set =<p>
-
-.B Example<p>
-
- character set = iso8859-1<p>
-
-<a name="client code page">
-<H3>client code page (G)</H3>
-Currently (Samba 1.9.17 and above) this may be set to one of two
-values, 850 or 437. It specifies the base DOS code page that the
-clients accessing Samba are using. To determine this, open a DOS
-command prompt and type the command "chcp". This will output the
-code page. The default for USA MS-DOS, Windows 95, and Windows NT
-releases is code page 437. The default for western european
-releases of the above operating systems is code page 850.<p>
-
-This parameter co-operates with the "valid chars" parameter in
-determining what characters are valid in filenames and how
-capitalization is done. It has been added as a convenience for
-clients whose code page is either 437 or 850 so a convoluted
-"valid chars" string does not have to be determined. If you
-set both this parameter and the "valid chars" parameter the
-"client code page" parameter MUST be set before the "valid chars"
-in the smb.conf file. The "valid chars" string will then augment
-the character settings in the "client code page" parameter.<p>
-
-If "client code page" is set to a value other than 850 or 437
-it will default to 850.<p>
-
-See also : "valid chars".<p>
-
-.B Default<p>
-
- client code page = 850<p>
-
-.B Example<p>
-
- client code page = 437<p>
-
-<a name="comment">
-<H3>comment (S)</H3>
-This is a text field that is seen next to a share when a client does a
-net view to list what shares are available.<p>
-
-If you want to set the string that is displayed next to the machine
-name then see the server string command.<p>
-
-.B Default:
- No comment string<p>
-
-.B Example:
- comment = Fred's Files<p>
-
-<a name="config file">
-<H3>config file (G)</H3><p>
-
-This allows you to override the config file to use, instead of the
-default (usually smb.conf). There is a chicken and egg problem here as
-this option is set in the config file! <p>
-
-For this reason, if the name of the config file has changed when the
-parameters are loaded then it will reload them from the new config
-file.<p>
-
-This option takes the usual substitutions, which can be very useful.<p>
-
-If the config file doesn't exist then it won't be loaded (allowing
-you to special case the config files of just a few clients).<p>
-
-.B Example:
- config file = /usr/local/samba/lib/smb.conf.%m<p>
-
-<a name="copy">
-<H3>copy (S)</H3>
-This parameter allows you to 'clone' service entries. The specified
-service is simply duplicated under the current service's name. Any
-parameters specified in the current section will override those in the
-section being copied.<p>
-
-This feature lets you set up a 'template' service and create similar
-services easily. Note that the service being copied must occur earlier
-in the configuration file than the service doing the copying.<p>
-
-.B Default:
- none<p>
-
-.B Example:
- copy = otherservice
-<a name="create mask">
-<H3>create mask (S)</H3>
-A synonym for this parameter is 'create mode'.<p>
-
-When a file is created, the neccessary permissions are calculated
-according to the mapping from DOS modes to UNIX permissions, and
-the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
-This parameter may be thought of as a bit-wise MASK for the UNIX
-modes of a file. Any bit *not* set here will be removed from the
-modes set on a file when it is created.<p>
-
-The default value of this parameter removes the 'group' and 'other'
-write and execute bits from the UNIX modes.<p>
-
-Following this Samba will bit-wise 'OR' the UNIX mode created from
-this parameter with the value of the "force create mode" parameter
-which is set to 000 by default.<p>
-
-For Samba 1.9.17 and above this parameter no longer affects directory
-modes. See the parameter 'directory mode' for details.<p>
-
-See also the "force create mode" parameter for forcing particular
-mode bits to be set on created files.
-See also the "directory mode" parameter for masking mode bits on created
-directories.<p>
-
-.B Default:
- create mask = 0744<p>
-
-.B Example:
- create mask = 0775
-<a name="create mode">
-<H3>create mode (S)</H3>
-See
-.B create mask.<p>
-
-<a name="dead time">
-<H3>dead time (G)</H3>
-The value of the parameter (a decimal integer) represents the number of
-minutes of inactivity before a connection is considered dead, and it
-is disconnected. The deadtime only takes effect if the number of open files
-is zero.<p>
-
-This is useful to stop a server's resources being exhausted by a large
-number of inactive connections.<p>
-
-Most clients have an auto-reconnect feature when a connection is broken so
-in most cases this parameter should be transparent to users.<p>
-
-Using this parameter with a timeout of a few minutes is recommended
-for most systems.<p>
-
-A deadtime of zero indicates that no auto-disconnection should be performed.<p>
-
-.B Default:
- dead time = 0<p>
-
-.B Example:
- dead time = 15
-<a name="debug level">
-<H3>debug level (G)</H3>
-The value of the parameter (an integer) allows the debug level
-(logging level) to be specified in the
-.B smb.conf
-file. This is to give
-greater flexibility in the configuration of the system.<p>
-
-The default will be the debug level specified on the command line.<p>
-
-.B Example:
- debug level = 3
-<a name="default">
-<H3>default (G)</H3>
-See
-.B default service.
-<a name="default case">
-<H3>default case (S)</H3><p>
-
-See the section on "NAME MANGLING" Also note the addition of "short
-preserve case"<p>
-
-<a name="default service">
-<H3>default service (G)</H3>
-A synonym for this parameter is 'default'.<p>
-
-This parameter specifies the name of a service which will be connected to
-if the service actually requested cannot be found. Note that the square
-brackets are NOT given in the parameter value (see example below).<p>
-
-There is no default value for this parameter. If this parameter is not given,
-attempting to connect to a nonexistent service results in an error.<p>
-
-Typically the default service would be a public, read-only service.<p>
-
-Also note that as of 1.9.14 the apparent service name will be changed to
-equal that of the requested service, this is very useful as it allows
-you to use macros like %S to make a wildcard service.<p>
-
-Note also that any _ characters in the name of the service used in the
-default service will get mapped to a /. This allows for interesting
-things.<p>
-
-
-.B Example:
- default service = pub
-
- [pub]
- path = /%S
- <p>
-
-<a name="delete readonly">
-<H3>delete readonly (S)</H3>
-This parameter allows readonly files to be deleted. This is not normal DOS
-semantics, but is allowed by UNIX.<p>
-
-This option may be useful for running applications such as rcs, where UNIX
-file ownership prevents changing file permissions, and DOS semantics prevent
-deletion of a read only file.<p>
-
-.B Default:
- delete readonly = No<p>
-
-.B Example:
- delete readonly = Yes
-<a name="deny hosts">
-<H3>deny hosts (S)</H3>
-A synonym for this parameter is 'hosts deny'.<p>
-
-The opposite of 'allow hosts' - hosts listed here are NOT permitted
-access to services unless the specific services have their own lists to
-override this one. Where the lists conflict, the 'allow' list takes precedence.<p>
-
-.B Default:
- none (i.e., no hosts specifically excluded)<p>
-
-.B Example:
- deny hosts = 150.203.4. badhost.mynet.edu.au<p>
-
-<a name="delete veto files">
-<H3>delete veto files (S)</H3><p>
-
-This option is used when Samba is attempting to delete a directory
-that contains one or more vetoed directories (see the 'veto files' option).
-If this option is set to False (the default) then if a vetoed directory
-contains any non-vetoed files or directories then the directory delete
-will fail. This is usually what you want. <p>
-
-If this option is set to True, then Samba will attempt
-to recursively delete any files and directories within the vetoed
-directory. This can be useful for integration with file serving
-systems such as Netatalk, which create meta-files within directories
-you might normally veto DOS/Windows users from seeing (eg. .AppleDouble)<p>
-
-Setting 'delete veto files = True' allows these directories to be
-transparently deleted when the parent directory is deleted (so long
-as the user has permissions to do so).<p>
-
-.B Default:
- delete veto files = False<p>
-
-.B Example:
- delete veto files = True<p>
-
-See
-.B veto files<p>
-
-<a name="dfree command">
-<H3>dfree command (G)</H3>
-The dfree command setting should only be used on systems where a
-problem occurs with the internal disk space calculations. This has
-been known to happen with Ultrix, but may occur with other operating
-systems. The symptom that was seen was an error of "Abort Retry
-Ignore" at the end of each directory listing.<p>
-
-This setting allows the replacement of the internal routines to
-calculate the total disk space and amount available with an external
-routine. The example below gives a possible script that might fulfill
-this function. <p>
-
-The external program will be passed a single parameter indicating a
-directory in the filesystem being queried. This will typically consist
-of the string "./". The script should return two integers in ascii. The
-first should be the total disk space in blocks, and the second should
-be the number of available blocks. An optional third return value
-can give the block size in bytes. The default blocksize is 1024 bytes.<p>
-
-Note: Your script should NOT be setuid or setgid and should be owned by
-(and writable only by) root!<p>
-
-.B Default:
- By default internal routines for determining the disk capacity
-and remaining space will be used.<p>
-
-.B Example:
- dfree command = /usr/local/samba/bin/dfree<p>
-
- Where the script dfree (which must be made executable) could be<p>
-
-.nf
- #!/bin/sh
- df $1 | tail -1 | awk '{print $2" "$4}'
-.fi<p>
-
- or perhaps (on Sys V)<p>
-
-.nf
- #!/bin/sh
- /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
-.fi<p>
-
- Note that you may have to replace the command names with full
-path names on some systems.
-<a name="directory">
-<H3>directory (S)</H3>
-See
-.B path.<p>
-
-<a name="directory mask">
-<H3>directory mask (S)</H3>
-A synonym for this parameter is 'directory mode'.<p>
-
+<H3><A NAME="admin users">admin users (S)</A></H3>
+This is a list of users who will be granted administrative privileges on the
+share. This means that they will do all file operations as the super-user
+(root).<P>
+You should use this option very carefully, as any user in this list will be
+able to do anything they like on the share, irrespective of file permissions.<P>
+<B>Default:</B> no admin users <P>
+<B>Example:</B> admin users = jason <P>
+
+<H3><A NAME="announce as">announce as (G)</A></H3>
+This specifies what type of server nmbd will announce itself as in browse
+lists. By default this is set to Windows NT. The valid options are "NT",
+"Win95" or "WfW" meaining Windows NT, Windows 95 and Windows for Workgroups
+respectively. Do not change this parameter unless you have a specific need to
+stop Samba appearing as an NT server as this may prevent Samba servers from
+participating as browser servers correctly. <P>
+<B>Default:</B> announce as = NT <P>
+<B>Example:</B> announce as = Win95 <P>
+
+<H3><A NAME="announce version">announce version (G)</A></H3>
+This specifies the major and minor version numbers that nmbd will use when
+announcing itself as a server. The default is 4.2. Do not change this parameter
+unless you have a specific need to set a Samba server to be a downlevel
+server. <P>
+<B>Default:</B> announce version = 4.2 <P>
+<B>Example:</B> announce version = 2.0 <P>
+
+<H3><A NAME="alternate permissions">alternate permissions (S)</A></H3>
+This option affects the way the "read only" DOS attribute is produced for
+UNIX files. If this is No then the read only bit is set for files on
+writeable shares which the user cannot write to. <P>
+If this is Yes then "read only" is set for files when the user write bit is
+not set. <P>
+The latter behaviour is useful when users copy files from each others
+directories, and use a file manager that preserves permissions. Without this
+option they may get annoyed as all copied files will have the "read only"
+bit set. <P>
+<B>Default:</B> alternate permissions = no <P>
+<B>Example:</B> alternate permissions = yes <P>
+
+<H3><A NAME="available">available (S)</A></H3>
+This parameter lets you 'turn off' a service. If 'available = no', then ALL
+attempts to connect to the service will fail. Such failures are logged. <P>
+<B>Default:</B> available = yes <P>
+<B>Example:</B> available = no <P>
+
+<H3><A NAME="bind interfaces only">bind interfaces only (G)</A></H3>
+This global parameter (new for 1.9.18) allows the Samba admin to limit what
+interfaces on a machine will serve smb requests. If affects file service
+(smbd) and name service (nmbd) in slightly different ways. <P>
+For name service it causes nmbd to bind to ports 137 and 138 on the interfaces
+listed in the 'interfaces' parameter. nmbd also binds to the 'all addresses'
+interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast
+messages. If this option is not set then nmbd will service name requests on
+all of these sockets. If "bind interfaces only" is set then nmbd will check
+the source address of any packets coming in on the broadcast sockets and
+discard any that don't match the broadcast addresses of the interfaces in the
+<A HREF="#interfaces">interfaces</A> parameter list. As unicast packets are
+received on the other sockets it allows nmbd to refuse to serve names to
+machines that send packets that arrive through any interfaces not listed in
+the 'interfaces' list. IP Source address spoofing does defeat this simple
+check, however so it must not be used seriously as a security feature for
+nmbd. <P>
+For file service it causes smbd to bind only to the interface list given in
+the <A HREF="#interfaces">interfaces</A> parameter. This restricts
+the networks that smbd will serve to packets coming in those interfaces.
+Note that you should not use this parameter for machines that are serving
+ppp or other intermittant or non-broadcast network interfaces as it will
+not cope with non-permanent interfaces. <P>
+<B>Default:</B> bind interfaces only = No <P>
+<B>Example:</B> bind interfaces only = Yes <P>
+
+<H3><A NAME="browseable">browseable (S)</A></H3>
+This controls whether this share is seen in the list of available shares
+in a net view and in the browse list. <P>
+<B>Default:</B> browseable = Yes <P>
+<B>Example:</B> browseable = No <P>
+
+<H3><A NAME="browse list">browse list(G)</A></H3>
+This controls whether the smbd will serve a browse list to a client doing a
+NetServerEnum call. Normally set to Yes. You should never need to change
+this. <P>
+<B>Default:</B> browse list = Yes <P>
+
+<H3><A NAME="case sensitive">case sensitive (G)</A></H3>
+Controls whether filenames are case sensitive. If they aren't then Samba must
+do a filename search and match on passed names.<P>
+<B>Default:</B> case sensitive = No <P>
+See the discussion on <A HREF="#NAME MANGLING">NAME MANGLING</A>. <P>
+
+<H3><A NAME="character set">character set (G)</A></H3>
+This allows smbd to map incoming characters from a DOS 850 Code page to
+either a Western European (ISO8859-1) or Easter European (ISO8859-2) code page.
+Normally not set, meaning no filename translation is done. <P>
+<B>Default:</B> character set = <P>
+<B>Example:</B> character set = iso8859-1 <P>
+
+<H3><A NAME="client code page">client code page (G)</A></H3>
+Currently (Samba 1.9.19 and above) this may be set to one of the following
+values: 437, 850, 852, 866, 932, 936, 949, or 950. It specifies the base DOS
+code page that the clients accessing Samba are using. To determine this,
+open a DOS command prompt and type the command "chcp". This will output
+the code page. The default for USA MS-DOS, Windows 95, and Windows NT releases
+is code page 437. The default for western european releases of the above
+operating systems is code page 850. <P>
+This parameter co-operates with the <A HREF="#valid chars">valid chars</A>
+parameter in determining what characters are valid in filenames
+and how capitalization is done. It has been added as a convenience for
+clients whose code page is either 437 or 850 so a convoluted "valid chars"
+string does not have to be determined. If you set both this parameter and
+the "valid chars" parameter the "client code page" parameter MUST be
+set before the "valid chars" in the smb.conf file. The "valid chars" string
+will then augment the character settings in the "client code page" parameter.
+<P>
+If "client code page" is set to a value other than those listed above, it will
+default to 850. <P>
+See also : <A HREF="#valid chars">valid chars</A>. <P>
+<B>Default:</B> client code page = 850 <P>
+<B>Example:</B> client code page = 437 <P>
+
+<H3><A NAME="coding system">coding system (G)</A></H3>
+<B>Default:</B> coding system = <P>
+
+<H3><A NAME="comment">comment (S)</A></H3>
+This is a text field that is seen next to a share when a client does a net
+view to list what shares are available. <P>
+If you want to set the string that is displayed next to the machine name then
+see the <A HREF="#server string">server string</A> command. <P>
+<B>Default:</B> No comment string <P>
+<B>Example:</B> comment = Fred's Files <P>
+
+<H3><A NAME="create mask">create mask (S)</A></H3>
+A synonym for this parameter is 'create mode'. <P>
+When a file is created, the neccessary permissions are calculated according
+to the mapping from DOS modes to UNIX permissions, and the resulting UNIX
+mode is then bit-wise 'AND'ed with this parameter. This parameter may be
+thought of as a bit-wise MASK for the UNIX modes of a file. Any bit *not* set
+here will be removed from the modes set on a file when it is created. <P>
+The default value of this parameter removes the 'group' and 'other' write and
+execute bits from the UNIX modes. <P>
+Following this Samba will bit-wise 'OR' the UNIX mode created from this
+parameter with the value of the
+<A HREF="#force create mode">force create mode</A>
+parameter which is set to 000 by default. <P>
+For Samba 1.9.17 and above this parameter no longer affects directory modes.
+See the parameter <A HREF="#directory mask">directory mask</A> for details. <P>
+See also the <A HREF="#force create mode">force create mode</A> parameter for
+forcing particular mode bits to be set on created files. See also the
+<A HREF="#directory mask">directory mask</A>
+parameter for masking mode bits on created directories. <P>
+<B>Default:</B> create mask = 0744 <P>
+<B>Example:</B> create mask = 0775 <P>
+
+<H3><A NAME="deadtime">deadtime (G)</A></H3>
+The value of the parameter (a decimal integer) represents the number of
+minutes of inactivity before a connection is considered dead, and it is
+disconnected. The deadtime only takes effect if the number of open files is
+zero. <P>
+This is useful to stop a server's resources being exhausted by a large number
+of inactive connections. <P>
+Most clients have an auto-reconnect feature when a connection is broken so in
+most cases this parameter should be transparent to users. <P>
+Using this parameter with a timeout of a few minutes is recommended for most
+systems. <P>
+A deadtime of zero indicates that no auto-disconnection should be performed.<P>
+<B>Default:</B> deadtime = 0 <P>
+<B>Example:</B> deadtime = 15
+
+<H3><A NAME="default case">default case (S)</A></H3>
+Controls what the default case (upper/lower) is for new filenames.<P>
+See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> <P>
+<B>Default:</B> default case = lower <P>
+<B>Example:</B> default case = upper <P>
+
+<H3><A NAME="default service">default service (G)</A></H3> A synonym for this
+parameter is 'default'. <P>
+This parameter specifies the name of a service which will be connected to if
+the service actually requested cannot be found. Note that the square brackets
+are NOT given in the parameter value (see example below). <P>
+There is no default value for this parameter. If this parameter is not given,
+attempting to connect to a nonexistent service results in an error. <P>
+Typically the default service would be a public, read-only service. <P>
+Also note that as of 1.9.14 the apparent service name will be changed to be
+that of the requested service, this is very useful as it allows
+you to use macros like %S to make a wildcard service. <P>
+Note also that any _ characters in the name of the service used in the default
+service will get mapped to a /. This allows for interesting things. <P>
+<B>Example:</B> default service = pub<P>
+<pre>
+[pub]
+ path = /%S
+</pre>
+
+<H3><A NAME="delete readonly">delete readonly (S)</A></H3>
+This parameter allows readonly files to be deleted. This is not normal DOS
+semantics, but is allowed by UNIX. <P>
+This option may be useful for running applications such as rcs, where UNIX
+file ownership prevents changing file permissions, and DOS semantics prevent
+deletion of a read only file. <P>
+<B>Default:</B> delete readonly = No <P>
+<B>Example:</B> delete readonly = Yes <P>
+
+<H3><A NAME="delete veto files">delete veto files (S)</A></H3>
+This option is used when Samba is attempting to delete a directory that
+contains one or more vetoed directories (see the
+<A HREF="#veto files">veto files</A> option). If this option is set to No
+(the default) then if a vetoed directory contains any non-vetoed files or
+directories then the directory delete will fail. This is usually what you
+want. <P>
+If this option is set to Yes, then Samba will attempt to recursively delete
+any files and directories within the vetoed directory. This can be useful
+for integration with file serving systems such as Netatalk, which create
+meta-files within directories you might normally veto DOS/Windows users
+from seeing (eg. .AppleDouble) <P>
+Setting 'delete veto files = Yes' allows these directories to be
+transparently deleted when the parent directory is deleted (so long as the
+user has permissions to do so). <P>
+<B>Default:</B> delete veto files = No <P>
+<B>Example:</B> delete veto files = Yes <P>
+See <A HREF="#veto files">veto files</A> <P>
+
+<H3><A NAME="dfree command">dfree command (G)</A></H3>
+The dfree command setting should only be used on systems where a problem
+occurs with the internal disk space calculations. This has been known to
+happen with Ultrix, but may occur with other operating systems. The symptom
+that was seen was an error of "Abort Retry Ignore" at the end of each
+directory listing. <P>
+This setting allows the replacement of the internal routines to calculate the
+total disk space and amount available with an external routine. The example
+below gives a possible script that might fulfill this function. <P>
+The external program will be passed a single parameter indicating a directory
+in the filesystem being queried. This will typically consist of the string
+"./". The script should return two integers in ascii. The first should be the
+total disk space in blocks, and the second should be the number of available
+blocks. An optional third return value can give the block size in bytes. The
+default blocksize is 1024 bytes. <P>
+Note: Your script should NOT be setuid or setgid and should be owned by
+(and writable only by) root! <P>
+<B>Default:</B> By default internal routines for determining the disk capacity
+and remaining space will be used. <P>
+<B>Example:</B> dfree command = /usr/local/samba/bin/dfree <P>
+Where the script dfree (which must be made executable) could be <P>
+<pre>
+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+</pre>
+or perhaps (on Sys V) <P>
+<pre>
+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+</pre>
+Note that you may have to replace the command names with full path names on
+some systems. <P>
+
+<H3><A NAME="directory mask">directory mask (S)</A></H3>
+A synonym for this parameter is 'directory mode'. <P>
This parameter is the octal modes which are used when converting DOS modes
-to UNIX modes when creating UNIX directories.<p>
-
-When a directory is created, the neccessary permissions are calculated
-according to the mapping from DOS modes to UNIX permissions, and
-the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
-This parameter may be thought of as a bit-wise MASK for the UNIX
-modes of a directory. Any bit *not* set here will be removed from the
-modes set on a directory when it is created.<p>
-
-The default value of this parameter removes the 'group' and 'other'
-write bits from the UNIX mode, allowing only the user who owns the
-directory to modify it.<p>
-
-Following this Samba will bit-wise 'OR' the UNIX mode created from
-this parameter with the value of the "force directory mode" parameter.
-This parameter is set to 000 by default (ie. no extra mode bits are added).<p>
-
-See the "force directory mode" parameter to cause particular mode
-bits to always be set on created directories.<p>
-
-See also the "create mode" parameter for masking mode bits on created
-files.<p>
-
-.B Default:
- directory mask = 0755<p>
-
-.B Example:
- directory mask = 0775<p>
-
-<a name="directory mode">
-<H3>directory mode (S)</H3>
-See
-.B directory mask.<p>
-
-<a name="dns proxy">
-<H3>dns proxy (G)</H3><p>
-
-Specifies that nmbd should (as a WINS server), on finding that a NetBIOS
-name has not been registered, treat the NetBIOS name word-for-word as
-a DNS name.<p>
-
-Note that the maximum length for a NetBIOS name is 15
-characters, so the DNS name (or DNS alias) can likewise only be 15
-characters, maximum.<p>
-
-Note also that nmbd will block completely until the DNS name is resolved.
-This will result in temporary loss of browsing and WINS services.
-Enable this option only if you are certain that DNS resolution is fast,
-or you can live with the consequences of periodic pauses in nmbd service.<p>
-
-.B Default:
- dns proxy = yes<p>
-
-<a name="domain controller">
-<H3>domain controller (G)</H3><p>
-
-Specifies the DNS name or IP address of the machine to refer domain
-logons from Win95 machines to. You should never need to set this parameter.<p>
-
-.B Default:
- domain controller = no<p>
-
-<a name="domain logons">
-<H3>domain logons (G)</H3><p>
+to UNIX modes when creating UNIX directories. <P>
+When a directory is created, the neccessary permissions are calculated
+according to the mapping from DOS modes to UNIX permissions, and the resulting
+UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be
+thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit *not*
+set here will be removed from the modes set on a directory when it is
+created. <P>
+The default value of this parameter removes the 'group' and 'other' write
+bits from the UNIX mode, allowing only the user who owns the directory to
+modify it. <P>
+Following this Samba will bit-wise 'OR' the UNIX mode created from this
+parameter with the value of the
+<A HREF="#force directory mode">force directory mode</A>
+parameter. This parameter is set to 000 by default (ie. no extra mode bits
+are added). <P>
+See the <A HREF="#force directory mode">force directory mode</A>
+parameter to cause particular mode bits to always be set on created
+directories. <P>
+See also the <A HREF="#create mask">create mask</A> parameter
+for masking mode bits on created files. <P>
+<B>Default:</B> directory mask = 0755 <P>
+<B>Example:</B> directory mask = 0775 <P>
+
+<H3><A NAME="dns proxy">dns proxy (G)</A></H3>
+Specifies that nmbd should (as a WINS server), on finding that a NetBIOS name
+has not been registered, treat the NetBIOS name word-for-word as a DNS name.<P>
+Note that the maximum length for a NetBIOS name is 15 characters, so the DNS
+name (or DNS alias) can likewise only be 15 characters, maximum. <P>
+<B>Default:</B> dns proxy = yes <P>
+
+<H3><A NAME="domain admin users">domain admin users (G)</A></H3>
+<P>
+
+<H3><A NAME="domain controller">domain controller (G)</A></H3>
+<h4>This is wrong</h4>
+Specifies the DNS name or IP address of the machine to refer domain logons
+from Win95 machines to. You should never need to set this parameter. <P>
+<B>Default:</B> domain controller = no <P>
+
+<H3><A NAME="domain groups">domain groups (G)</A></H3>
+<P>
-If set to true, the Samba server will serve Windows 95 domain logons
-for the workgroup it is in. For more details on setting up this feature
-see the file DOMAINS.txt in the Samba source documentation directory.<p>
+<H3><A NAME="domain guest users">domain guest users (G)</A></H3>
+<P>
-.B Default:
- domain logons = no<p>
+<H3><A NAME="domain hosts allow">domain hosts allow (G)</A></H3>
+<P>
-<a name="domain master">
-<H3>domain master (G)</H3><p>
+<H3><A NAME="domain hosts deny">domain hosts deny (G)</A></H3>
+<P>
-Enable WAN-wide browse list collation. Local master browsers on
+<H3><A NAME="domain logons">domain logons (G)</A></H3>
+If set to Yes, the Samba server will serve Windows 95 domain
+logons for the workgroup it is in. For more details on setting up this
+feature see the file DOMAINS.txt in the Samba source documentation directory.
+<P>
+<B>Default:</B> domain logons = no <P>
+
+<H3><A NAME="domain master">domain master (G)</A></H3>
+Enable WAN-wide browse list collation. Local master browsers on
broadcast-isolated subnets will give samba their local browse lists, and
-ask for a complete copy of the browse list for the whole wide area network.
-Browser clients will then contact their local master browser, and will
-receive the domain-wide browse list, instead of just the list for their
-broadcast-isolated subnet.<p>
-
-.B Default:
- domain master = no<p>
-
-<a name="dont descend">
-<H3>dont descend (S)</H3>
-There are certain directories on some systems (eg., the /proc tree under
-Linux) that are either not of interest to clients or are infinitely deep
-(recursive). This parameter allows you to specify a comma-delimited list
-of directories that the server should always show as empty.<p>
-
-Note that Samba can be very fussy about the exact format of the "dont
-descend" entries. For example you may need "./proc" instead of just
-"/proc". Experimentation is the best policy :-)<p>
-
-.B Default:
- none (i.e., all directories are OK to descend)<p>
-
-.B Example:
- dont descend = /proc,/dev<p>
-
-<a name="dos filetimes">
-<H3>dos filetimes (S)</H3>
-Under DOS and Windows, if a user can write to a file they can change
-the timestamp on it. Under POSIX semantics, only the owner of the file
-or root may change the timestamp. By default, Samba runs with POSIX
-semantics and refuses to change the timestamp on a file if the user
-smbd is acting on behalf of is not the file owner. Setting this option
-to True allows DOS semantics and smbd will change the file timstamp as
-DOS requires. This is a correct implementation of a previous compile-time
-options (UTIME_WORKAROUND) which was broken and is now removed.<p>
-
-.B Default:
- dos filetimes = False<p>
-
-.B Example:
- dos filetimes = True<p>
-
-<a name="dos filetime resolution">
-<H3>dos filetime resolution (S)</H3>
-Under the DOS and Windows FAT filesystem, the finest granulatity on
-time resolution is two seconds. Setting this parameter for a share
-causes Samba to round the reported time down to the nearest two
-second boundary when a query call that requires one second resolution
-is made to smbd. <p>
+ask for a complete copy of the browse list for the whole wide area network.
+Browser clients will then contact their local master browser, and will
+receive the domain-wide browse list, instead of just the list for their
+broadcast-isolated subnet. There should only be one "domain master" for
+each workgroup name.<P>
+<B>Default:</B> domain master = no <P>
+
+<H3><A NAME="domain other sid">domain other sid (G)</A></H3>
+<P>
+
+<H3><A NAME="domain sid">domain sid (G)</A></H3>
+<P>
+
+<H3><A NAME="dont descend">dont descend (S)</A></H3>
+There are certain directories on some systems (eg., the /proc tree under Linux)
+that are either not of interest to clients or are infinitely deep (recursive).
+This parameter allows you to specify a comma-delimited list of directories
+that the server should always show as empty. <P>
+Note that Samba can be very fussy about the exact format of the "dont descend"
+entries. For example you may need "./proc" instead of just "/proc".
+Experimentation is the best policy :-) <P>
+<B>Default:</B> none (i.e., all directories are OK to descend) <P>
+<B>Example:</B> dont descend = /proc,/dev <P>
+
+<H3><A NAME="dos filetimes">dos filetimes (S)</A></H3>
+Under DOS and Windows, if a user can write to a file they can change the
+timestamp on it. Under POSIX semantics, only the owner of the file or root
+may change the timestamp. By default, Samba runs with POSIX semantics and
+refuses to change the timestamp on a file if the user smbd is acting on
+behalf of is not the file owner. Setting this option to Yes allows DOS
+semantics and smbd will change the file timstamp as DOS requires. This is a
+correct implementation of a previous compile-time options (UTIME_WORKAROUND)
+which was broken and is now removed. <P>
+<B>Default:</B> dos filetimes = No <P>
+<B>Example:</B> dos filetimes = Yes <P>
+
+<H3><A NAME="dos filetime resolution">dos filetime resolution (S)</A></H3>
+Under the DOS and Windows FAT filesystem, the finest granulatity on time
+resolution is two seconds. Setting this parameter for a share causes Samba
+to round the reported time down to the nearest two second boundary when a
+query call that requires one second resolution is made to smbd. <P>
+This option is mainly used as a compatibility option for Visual C++ when
+used against Samba shares. If oplocks are enabled on a share, Visual C++
+uses two different time reading calls to check if a file has changed since
+it was last read. One of these calls uses a one-second granularity, the
+other uses a two second granularity. As the two second call rounds any odd
+second down, then if the file has a timestamp of an odd number of seconds
+then the two timestamps will not match and Visual C++ will keep reporting
+the file has changed. Setting this option causes the two timestamps to
+match, and Visual C++ is happy. <P>
+<B>Default:</B> dos filetime resolution = No <P>
+<B>Example:</B> dos filetime resolution = Yes <P>
+
+<H3><A NAME="encrypt passwords">encrypt passwords (G)</A></H3>
+This boolean controls whether encrypted passwords will be negotiated with
+the client. Note that Windows NT 4.0 SP3 and above will by default expect
+encrypted passwords unless a registry entry is changed. To use encrypted
+passwords in Samba see the file docs/ENCRYPTION.txt. <P>
+<B>Default:</B> encrypt passwords = No <P>
+
+<H3><A NAME="exec">exec (S)</A></H3>
+A synonym for this is preexec. <P>
+This option specifies a command to be run whenever a connection is made to
+the service. It takes the usual substitutions. <P>
+An interesting example is to send the users a welcome message every time
+they log in. Maybe a message of the day? Here is an example: <P>
+exec = csh -c 'echo \"Welcome to %S!\" | \ /usr/local/samba/bin/smbclient -M %m -I %I' &amp; <P>
+Of course, this could get annoying after a while :-) <P>
+See also <A HREF="#postexec">postexec</A> <P>
+<B>Default:</B> none (no command executed) <P>
+<B>Example:</B> exec = echo \"%u connected to %S from %m (%I)\" &gt;&gt; /tmp/log <P>
+
+<H3><A NAME="fake directory create times">fake directory create times (S)</A></H3>
+NTFS and Windows VFAT file systems keep a create time for all files and
+directories. This is not the same as the ctime - status change time - that
+Unix keeps, so Samba by default reports the earliest of the various times
+Unix does keep. Setting this parameter for a share causes Samba to always
+report midnight 1-1-1980 as the create time for directories. <P>
This option is mainly used as a compatibility option for Visual C++
-when used against Samba shares. If oplocks are enabled on a share,
-Visual C++ uses two different time reading calls to check if a file
-has changed since it was last read. One of these calls uses a one-second
-granularity, the other uses a two second granularity. As the two second
-call rounds any odd second down, then if the file has a timestamp of an
-odd number of seconds then the two timestamps will not match and Visual
-C++ will keep reporting the file has changed. Setting this option causes
-the two timestamps to match, and Visual C++ is happy.<p>
-
-.B Default:
- dos filetime resolution = False<p>
-
-.B Example:
- dos filetime resolution = True<p>
-
-<a name="encrypt passwords">
-<H3>encrypt passwords (G)</H3><p>
-
-This boolean controls whether encrypted passwords will be negotiated
-with the client. Note that this option has no effect if you haven't
-compiled in the necessary des libraries and encryption code. It
-defaults to no.<p>
-
-<a name="exec">
-<H3>exec (S)</H3><p>
-
-This is an alias for preexec<p>
-
-<a name="fake oplocks">
-<H3>fake oplocks (S)</H3><p>
-
-Oplocks are the way that SMB clients get permission from a server to
-locally cache file operations. If a server grants an oplock
-(opportunistic lock) then the client is free to assume that it is the
-only one accessing the file and it will aggressively cache file
-data. With some oplock types the client may even cache file open/close
-operations. This can give enormous performance benefits.<p>
-
-When you set "fake oplocks = yes" Samba will always grant oplock
-requests no matter how many clients are using the file. <p>
-
-By enabling this option on all read-only shares or shares that you know
-will only be accessed from one client at a time you will see a big
-performance improvement on many operations. If you enable this option
-on shares where multiple clients may be accessing the files read-write
-at the same time you can get data corruption. Use this option
-carefully! <p>
-
-It is generally much better to use the real oplock support except for
-physically read-only media such as CDROMs.<p>
-
-This option is disabled by default.<p>
-
-<a name="follow symlinks">
-<H3>follow symlinks (S)</H3><p>
-
-This parameter allows the Samba administrator to stop smbd from
-following symbolic links in a particular share. Setting this
-parameter to "No" prevents any file or directory that is a
-symbolic link from being followed (the user will get an error).
-This option is very useful to stop users from adding a symbolic
-link to /etc/pasword in their home directory for instance.
-However it will slow filename lookups down slightly.<p>
-
-This option is enabled (ie. smbd will follow symbolic links)
-by default.<p>
-
-<a name="force create mode">
-<H3>force create mode (S)</H3>
-This parameter specifies a set of UNIX mode bit permissions that
-will *always* be set on a file created by Samba. This is done
-by bitwise 'OR'ing these bits onto the mode bits of a file that
-is being created. The default for this parameter is (in octel)
-000. The modes in this parameter are bitwise 'OR'ed onto the
-file mode after the mask set in the "create mask" parameter
-is applied.<p>
-
-See also the parameter "create mask" for details on masking mode
-bits on created files.<p>
-
-.B Default:
- force create mode = 000<p>
-
-.B Example:
- force create mode = 0755<p>
-
-would force all created files to have read and execute permissions
-set for 'group' and 'other' as well as the read/write/execute bits
-set for the 'user'.<p>
-
-<a name="force directory mode">
-<H3>force directory mode (S)</H3>
-This parameter specifies a set of UNIX mode bit permissions that
-will *always* be set on a directory created by Samba. This is done
-by bitwise 'OR'ing these bits onto the mode bits of a directory that
-is being created. The default for this parameter is (in octel)
-0000 which will not add any extra permission bits to a created
-directory. This operation is done after the mode mask in the parameter
-"directory mask" is applied.<p>
-
-See also the parameter "directory mask" for details on masking mode
-bits on created directories.<p>
-
-.B Default:
- force directory mode = 000<p>
-
-.B Example:
- force directory mode = 0755<p>
-
-would force all created directories to have read and execute permissions
-set for 'group' and 'other' as well as the read/write/execute bits
-set for the 'user'.<p>
-
-<a name="force group">
-<H3>force group (S)</H3>
-This specifies a group name that all connections to this service
-should be made as. This may be useful for sharing files.<p>
-
-.B Default:
- no forced group<p>
-
-.B Example:
- force group = agroup<p>
-
-<a name="force user">
-<H3>force user (S)</H3>
-This specifies a user name that all connections to this service
-should be made as. This may be useful for sharing files. You should
-also use it carefully as using it incorrectly can cause security
-problems.<p>
-
-This user name only gets used once a connection is established. Thus
-clients still need to connect as a valid user and supply a valid
-password. Once connected, all file operations will be performed as the
-"forced user", not matter what username the client connected as.<p>
-
-.B Default:
- no forced user<p>
-
-.B Example:
- force user = auser<p>
-
-<a name="getwd cache">
-<H3>getwd cache (G)</H3>
-This is a tuning option. When this is enabled a cacheing algorithm will
-be used to reduce the time taken for getwd() calls. This can have a
-significant impact on performance, especially when widelinks is False.<p>
-
-.B Default:
- getwd cache = No<p>
-
-.B Example:
- getwd cache = Yes<p>
-
-<a name="group">
-<H3>group (S)</H3>
-This is an alias for "force group" and is only kept for compatibility
-with old versions of Samba. It may be removed in future versions.<p>
-
-<a name="guest account">
-<H3>guest account (S)</H3>
-This is a username which will be used for access to services which are
-specified as 'guest ok' (see below). Whatever privileges this user has
-will be available to any client connecting to the guest
-service. Typically this user will exist in the password file, but will
-not have a valid login. If a username is specified in a given service,
-the specified username overrides this one.<p>
-
-One some systems the account "nobody" may not be able to print. Use
-another account in this case. You should test this by trying to log in
-as your guest user (perhaps by using the "su \-" command) and trying to
-print using
-.BR lpr .<p>
-
-Note that as of version 1.9 of Samba this option may be set
-differently for each service.<p>
-
-.B Default:
- specified at compile time<p>
-
-.B Example:
- guest account = nobody
-<a name="guest ok">
-<H3>guest ok (S)</H3>
-See
-.B public.
-<a name="guest only">
-<H3>guest only (S)</H3>
-If this parameter is 'yes' for a service, then only guest connections to the
-service are permitted. This parameter will have no affect if "guest ok" or
-"public" is not set for the service.<p>
-
-See the section below on user/password validation for more information about
-this option.<p>
-
-.B Default:
- guest only = no<p>
-
-.B Example:
- guest only = yes
-<a name="hide dot files">
-<H3>hide dot files (S)</H3>
-This is a boolean parameter that controls whether files starting with
-a dot appear as hidden files.<p>
-
-.B Default:
- hide dot files = yes<p>
-
-.B Example:
- hide dot files = no<p>
-
-
-<a name="hide file">
-<H3>hide files(S)</H3>
-This is a list of files or directories that are not visible but are
-accessible. The DOS 'hidden' attribute is applied to any files or
-directories that match.<p>
-
-Each entry in the list must be separated by a "/", which allows spaces
-to be included in the entry. '*' and '?' can be used to specify multiple
-files or directories as in DOS wildcards.<p>
-
-Each entry must be a unix path, not a DOS path and must not include the
-unix directory separator "/".<p>
-
-Note that the case sensitivity option is applicable in hiding files.<p>
-
-Setting this parameter will affect the performance of Samba, as
-it will be forced to check all files and directories for a match
-as they are scanned.<p>
-
-See also "hide dot files", "veto files" and "case sensitive"<p>
-
-.B Default
- No files or directories are hidden by this option (dot files are
- hidden by default because of the "hide dot files" option).<p>
-
-.B Example
- hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/<p>
-
-The above example is based on files that the Macintosh client (DAVE)
-creates for internal use, and also still hides all files beginning with
-a dot.<p>
-
-<a name="homedir map">
-<H3>homedir map (G)</H3>
-If "nis homedir" is true, this parameter specifies the NIS (or YP) map
-from which the server for the user's home directory should be extracted.
-At present, only the Sun auto.home map format is understood. The form of
-the map is:<p>
-
-username server:/some/file/system<p>
-
-and the program will extract the servername from before the first ':'.
-There should probably be a better parsing system that copes with different
-map formats and also Amd (another automounter) maps.<p>
-
-NB: The -DNETGROUP option is required in the Makefile for option to work
-and on some architectures the line -lrpcsvc needs to be added to the
-LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX.<p>
-
-See also "nis homedir"<p>
-
-.B Default:
- homedir map = auto.home<p>
-
-.B Example:
- homedir map = amd.homedir
-<a name="hosts allow">
-<H3>hosts allow (S)</H3>
-See
-.B allow hosts.
-<a name="hosts deny">
-<H3>hosts deny (S)</H3>
-See
-.B deny hosts.<p>
-
-<a name="hosts equiv">
-<H3>hosts equiv (G)</H3>
-If this global parameter is a non-null string, it specifies the name of
-a file to read for the names of hosts and users who will be allowed access
-without specifying a password.<p>
-
-This is not be confused with
-.B allow hosts
-which is about hosts access to services and is more useful for guest services.
-.B hosts equiv
-may be useful for NT clients which will not supply passwords to samba.<p>
-
-NOTE: The use of hosts.equiv can be a major security hole. This is
-because you are trusting the PC to supply the correct username. It is
-very easy to get a PC to supply a false username. I recommend that the
-hosts.equiv option be only used if you really know what you are doing,
-or perhaps on a home network where you trust your wife and kids :-)<p>
-
-.B Default
- No host equivalences<p>
-
-.B Example
- hosts equiv = /etc/hosts.equiv<p>
-
-<a name="include">
-<H3>include (G)</H3><p>
-
-This allows you to include one config file inside another. The file is
-included literally, as though typed in place.<p>
-
-It takes the standard substitutions, except %u, %P and %S<p>
-
-<a name="interfaces">
-<H3>interfaces (G)</H3><p>
-
-This option allows you to setup multiple network interfaces, so that
-Samba can properly handle browsing on all interfaces.<p>
-
-The option takes a list of ip/netmask pairs. The netmask may either be
-a bitmask, or a bitlength. <p>
-
-For example, the following line:<p>
-
-interfaces = 192.168.2.10/24 192.168.3.10/24<p>
-
-would configure two network interfaces with IP addresses 192.168.2.10
-and 192.168.3.10. The netmasks of both interfaces would be set to
-255.255.255.0. <p>
-
-You could produce an equivalent result by using:<p>
-
-interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0<p>
-
-if you prefer that format.<p>
-
-If this option is not set then Samba will attempt to find a primary
-interface, but won't attempt to configure more than one interface.<p>
-
-<a name="invalid users">
-<H3>invalid users (S)</H3>
-This is a list of users that should not be allowed to login to this
-service. This is really a "paranoid" check to absolutely ensure an
-improper setting does not breach your security.<p>
-
-A name starting with @ is interpreted as a UNIX group.<p>
-
-The current servicename is substituted for %S. This is useful in the
-[homes] section.<p>
-
-See also "valid users"<p>
-
-.B Default
- No invalid users<p>
-
-.B Example
- invalid users = root fred admin @wheel<p>
-
-<a name="keepalive">
-<H3>keepalive (G)</H3>
+when used against Samba shares. Visual C++ generated makefiles have the
+object directory as a dependency for each object file, and a make rule
+to create the directory. Also, when NMAKE compares timestamps it uses the
+creation time when examining a directory. Thus the object directory will
+be created if it does not exist, but once it does exist it will always
+have an earlier timestamp than the object files it contains. <P>
+However, Unix time semantics mean that the create time reported by Samba
+will be updated whenever a file is created or deleted in the directory.
+NMAKE therefore finds all object files in the object directory bar the last
+one built are out of date compared to the directory and rebuilds them.
+Enabling this option ensures directories always predate their contents and
+an NMAKE build will proceed as expected. <P>
+<B>Default:</B> fake directory create times = No <P>
+<B>Example:</B> fake directory create times = Yes <P>
+
+<H3><A NAME="fake oplocks">fake oplocks (S)</A></H3>
+Oplocks are the way that SMB clients get permission from a server to locally
+cache file operations. If a server grants an oplock (opportunistic
+lock) then the client is free to assume that it is the only one accessing
+the file and it will aggressively cache file data. With some oplock types
+the client may even cache file open/close operations. This can give enormous
+performance benefits. <P>
+When you set "fake oplocks = yes" Samba will always grant oplock requests
+no matter how many clients are using the file. <P>
+By enabling this option on all read-only shares or shares that you know
+will only be accessed from one client at a time you will see a big performance
+improvement on many operations. If you enable this option on shares where
+multiple clients may be accessing the files read-write at the same time
+you can get data corruption. Use this option carefully! <P>
+It is generally much better to use the real oplock support except for
+physically read-only media such as CDROMs. <P>
+<B>Default:</B> fake oplocks = No <P>
+<B>Example:</B> fake oplocks = Yes <P>
+
+<H3><A NAME="follow symlinks">follow symlinks (S)</A></H3>
+This parameter allows the Samba administrator to stop smbd from following
+symbolic links in a particular share. Setting this parameter to "No" prevents
+any file or directory that is a symbolic link from being followed (the
+user will get an error). This option is very useful to stop users from
+adding a symbolic link to /etc/pasword in their home directory for instance.
+However it will slow filename lookups down slightly. <P>
+<B>Default:</B> follow symlinks = Yes (smbd will follow symbolic links)<P>
+
+<H3><A NAME="force create mode">force create mode (S)</A></H3>
+This parameter specifies a set of UNIX mode bit permissions that will *always*
+be set on a file created by Samba. This is done by bitwise 'OR'ing these
+bits onto the mode bits of a file that is being created. The modes in this
+parameter are bitwise 'OR'ed onto the file mode after the mask set in the
+<A HREF="#create mask">create mask</A> parameter is applied. <P>
+See also the parameter <A HREF="#create mask">create mask</A> for details
+on masking mode bits on created files. <P>
+<B>Default:</B> force create mode = 000 <P>
+<B>Example:</B> force create mode = 0755 <P>
+would force all created files to have read and execute permissions set for
+'group' and 'other' as well as the read/write/execute bits set for the
+'user'. <P>
+
+<H3><A NAME="force directory mode">force directory mode (S)</A></H3>
+This parameter specifies a set of UNIX mode bit permissions that will *always*
+be set on a directory created by Samba. This is done by bitwise 'OR'ing these
+bits onto the mode bits of a directory that is being created. The default for
+this parameter is (in octel) 0000 which will not add any extra permission bits
+to a created directory. This operation is done after the mode mask in the
+parameter <A HREF="#directory mask">directory mask</A> is applied. <P>
+See also the parameter <A HREF="#directory mask">directory mask</A>
+for details on masking mode bits on created directories. <P>
+<B>Default:</B> force directory mode = 000 <P>
+<B>Example:</B> force directory mode = 0755 <P>
+would force all created directories to have read and execute permissions
+set for 'group' and 'other' as well as the read/write/execute bits set for
+the 'user'. <P>
+
+<H3><A NAME="force group">force group (S)</A></H3>
+This specifies a group name that all connections to this service should be
+made as. This may be useful for sharing files. <P>
+<B>Default:</B> no forced group <P>
+<B>Example:</B> force group = agroup <P>
+
+<H3><A NAME="force user">force user (S)</A></H3>
+This specifies a user name that all connections to this service should be
+made as. This may be useful for sharing files. You should also use it
+carefully as using it incorrectly can cause security problems. <P>
+This user name only gets used once a connection is established. Thus clients
+still need to connect as a valid user and supply a valid password. Once
+connected, all file operations will be performed as the "forced user",
+no matter what username the client connected as. <P>
+<B>Default:</B> no forced user <P>
+<B>Example:</B> force user = auser <P>
+
+<H3><A NAME="getwd cache">getwd cache (G)</A></H3>
+This is a tuning option. When this is enabled a cacheing algorithm will be
+used to reduce the time taken for getwd() calls. This can have a significant
+impact on performance, especially when widelinks is No. <P>
+<B>Default:</B>getwd cache = No <P>
+<B>Example:</B>getwd cache = Yes <P>
+
+<H3><A NAME="guest account">guest account (S)</A></H3>
+This is a username which will be used for access to services which are
+specified as <A HREF="#guest ok">guest ok</A>. Whatever privileges this
+user has will be available to any client connecting to the guest service.
+Typically this user will exist in the password file, but will not have a
+valid login. If a username is specified in a given service, the specified
+username overrides this one. <P>
+One some systems the account "nobody" may not be able to print. Use another
+account in this case. You should test this by trying to log in as your
+guest user (perhaps by using the "su -" command) and trying to print using
+<B>lpr</B>. <P>
+Note that as of version 1.9 of Samba this option may be set differently
+for each service. <P>
+<B>Default:</B>specified at compile time <P>
+<B>Example:</B>guest account = nobody
+
+<H3><A NAME="guest ok">guest ok (S)</A></H3>
+A synonym for this parameter is 'public'. <P>
+If this parameter is 'Yes' for a service, then no password is required
+to connect to the service. Privileges will be those of the guest account. <P>
+See the section below on
+<A HREF="#USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A>
+for more information about this option. <P>
+<B>Default:</B> guest ok = No <P>
+<B>Example:</B> guest ok = Yes
+
+<H3><A NAME="guest only">guest only (S)</A></H3>
+If this parameter is 'Yes' for a service, then only guest connections to the
+service are permitted. This parameter will have no affect if
+<A HREF="#guest ok">guest ok</A> is not set for the service. <P>
+See the section below on
+<A HREF="#USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A> for
+more information about this option. <P>
+<B>Default:</B> guest only = No <P>
+<B>Example:</B> guest only = Yes
+
+<H3><A NAME="hide dot files">hide dot files (S)</A></H3>
+This is a boolean parameter that controls whether files starting with a dot
+appear as hidden files. <P>
+<B>Default:</B> hide dot files = Yes <P>
+<B>Example:</B> hide dot files = No <P>
+
+<H3><A NAME="hide files">hide files (S)</A></H3>
+This is a list of files or directories that are not visible but are accessible.
+The DOS 'hidden' attribute is applied to any files or directories that match.<P>
+Each entry in the list must be separated by a "/", which allows spaces
+to be included in the entry. '*' and '?' can be used to specify multiple
+files or directories as in DOS wildcards. <P>
+Each entry must be a unix path, not a DOS path and must not include the unix
+directory separator "/". <P>
+Note that the case sensitivity option is applicable in hiding files. <P>
+Setting this parameter will affect the performance of Samba, as it will
+be forced to check all files and directories for a match as they are scanned.<P>
+See also <A HREF="#hide dot files">hide dot files</A>,
+<A HREF="#veto files">veto files</A> and
+<A HREF="#case sensitive">case sensitive</A> <P>
+<B>Default</B> No files or directories are hidden by this option
+(dot files are hidden by default because of the "hide dot files" option). <P>
+<B>Example</B> hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ <P>
+The above example is based on files that the Macintosh client (DAVE) creates
+for internal use, and also still hides all files beginning with a dot. <P>
+
+<H3><A NAME="homedir map">homedir map (G)</A></H3>
+If <A HREF="#NIS homedir">NIS homedir</A> is Yes, this parameter specifies
+the NIS (or YP) map from which the server for the user's home directory should
+be extracted. At present, only the Sun auto.home map format is understood.
+The form of the map is: <P>
+&nbsp;&nbsp;&nbsp;&nbsp;username server:/some/file/system <P>
+and the program will extract the servername from before the first ':'. There
+should probably be a better parsing system that copes with different map
+formats and also Amd (another automounter) maps. <P>
+NB: The -DNETGROUP option is required in the Makefile for option
+to work and on some architectures the line -lrpcsvc needs to be added to
+the LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX. <P>
+See also <A HREF="#NIS homedir">NIS homedir</A> <P>
+<B>Default:</B> homedir map = auto.home <P>
+<B>Example:</B> homedir map = amd.homedir
+
+<H3><A NAME="hosts allow">hosts allow (S)</A></H3>
+A synonym for this parameter is 'allow hosts'. <P>
+This parameter is a comma delimited set of hosts which are permitted to access
+a service. <P>
+If specified in the [global] section then it will apply to all services,
+regardless of whether the individual service has a different setting. <P>
+You can specify the hosts by name or IP number. For example, you could restrict
+access to only the hosts on a Class C subnet with something like
+"hosts allow = 150.203.5.". <P>
+You can also specify hosts by network/netmask pairs and by netgroup names
+if your system supports netgroups. The EXCEPT keyword can also be used
+to limit a wildcard list. The following examples may provide some help: <P>
+Example 1: allow all IPs in 150.203.*.* except one <P>
+&nbsp;&nbsp;hosts allow = 150.203. EXCEPT 150.203.6.66 <P>
+Example 2: allow hosts that match the given network/netmask <P>
+&nbsp;&nbsp;hosts allow = 150.203.15.0/255.255.255.0 <P>
+Example 3: allow a couple of hosts <P>
+&nbsp;&nbsp;hosts allow = lapland, arvidsjaur <P>
+Example 4: allow only hosts in netgroup "foonet" or localhost, but deny
+access from one particular host <P>
+&nbsp;&nbsp;hosts allow = @foonet, localhost<P>
+&nbsp;&nbsp;hosts deny = pirate <P>
+Note that access still requires suitable user-level passwords. <P>
+See <B>testparm</B>(1) for a way of testing your host access to see if it
+does what you expect. <P>
+<B>Default:</B> none (i.e., all hosts permitted access) <P>
+<B>Example:</B> hosts allow = 150.203.5. myhost.mynet.edu.au<P>
+
+<H3><A NAME="hosts deny">hosts deny (S)</A></H3>
+A synonym for this parameter is 'deny hosts'. <P>
+This is the opposite of <A HREF="#hosts allow">hosts allow</A> - hosts listed
+here are NOT permitted access to services unless the specific services have
+their own lists to override this one. Where the lists conflict, the 'allow'
+list takes precedence. <P>
+<B>Default:</B> none (i.e., no hosts specifically excluded) <P>
+<B>Example:</B>hosts deny = 150.203.4. badhost.mynet.edu.au <P>
+
+<H3><A NAME="hosts equiv">hosts equiv (G)</A></H3>
+If this global parameter is a non-null string, it specifies the name of a
+file to read for the names of hosts and users who will be allowed access
+without specifying a password. <P>
+This is not be confused with <A HREF="#hosts allow">hosts allow</A> which is
+about hosts access to services and is more useful for guest services.
+<B>hosts equiv</B> may be useful for NT clients which will not supply
+passwords to samba. <P>
+NOTE: The use of hosts.equiv can be a major security hole. This is because you
+are trusting the PC to supply the correct username. It is very easy to get a
+PC to supply a false username. I recommend that the hosts.equiv option be
+only used if you really know what you are doing, or perhaps on a home network
+where you trust your wife and kids :-) <P>
+<B>Default</B> No host equivalences <P>
+<B>Example</B> hosts equiv = /etc/hosts.equiv <P>
+
+<H3><A NAME="include">include (G)</A></H3>
+This allows you to include one config file
+inside another. The file is included literally, as though typed in place. <P>
+It takes the standard substitutions, except %u, %P and %S <P>
+
+<H3><A NAME="interfaces">interfaces (G)</A></H3>
+This option allows you to setup multiple network interfaces, so that
+Samba can properly handle browsing on all interfaces. <P>
+The option takes a list of ip/netmask pairs. The netmask may either be a
+bitmask, or a bitlength. <P>
+For example, the following line: <P>
+&nbsp;&nbsp;interfaces = 192.168.2.10/24 192.168.3.10/24 <P>
+would configure two network interfaces with IP addresses 192.168.2.10 and
+192.168.3.10. The netmasks of both interfaces would be set to 255.255.255.0.<P>
+You could produce an equivalent result by using: <P>
+&nbsp;&nbsp;interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0<P>
+if you prefer that format. <P>
+If this option is not set then Samba will attempt to find a primary interface,
+but won't attempt to configure more than one interface. <P>
+
+<H3><A NAME="invalid users">invalid users (S)</A></H3>
+This is a list of users that should not be allowed to login to this service.
+This is really a "paranoid" check to absolutely ensure an improper setting
+does not breach your security. <P>
+A name starting with @ is interpreted as a UNIX group. <P>
+The current servicename is substituted for %S. This is useful in the [homes]
+section. <P>
+See also <A HREF="#valid users">valid users</A> <P>
+<B>Default</B> No invalid users <P>
+<B>Example</B> invalid users = root fred admin @wheel <P>
+
+<H3><A NAME="keepalive">keepalive (G)</A></H3>
The value of the parameter (an integer) represents the number of seconds
-between 'keepalive' packets. If this parameter is zero, no keepalive packets
-will be sent. Keepalive packets, if sent, allow the server to tell whether a
-client is still present and responding.<p>
-
-Keepalives should, in general, not be needed if the socket being used
-has the SO_KEEPALIVE attribute set on it (see "socket
-options"). Basically you should only use this option if you strike
-difficulties.<p>
-
-.B Default:
- keep alive = 0<p>
-
-.B Example:
- keep alive = 60<p>
-
-<a name="lm announce">
-<H3>lm announce (G)</H3><p>
-
-This parameter determines if Samba will produce Lanman announce
-broadcasts that are needed by OS/2 clients in order for them to
-see the Samba server in their browse list. This parameter can
-have three values, true, false, or auto. The default is auto.
-If set to False Samba will never produce these broadcasts. If
-set to true Samba will produce Lanman announce broadcasts at
-a frequency set by the parameter 'lm interval'. If set to auto
-Samba will not send Lanman announce broadcasts by default but
-will listen for them. If it hears such a broadcast on the wire
-it will then start sending them at a frequency set by the parameter
-'lm interval'.<p>
-
-See also "lm interval".<p>
-
-.B Default:
- lm announce = auto<p>
-
-.B Example:
- lm announce = true<p>
-
-<a name="lm interval">
-<H3>lm interval (G)</H3><p>
-
-If Samba is set to produce Lanman announce broadcasts needed
-by OS/2 clients (see the "lm announce" parameter) this parameter
-defines the frequency in seconds with which they will be made.
-If this is set to zero then no Lanman announcements will be
-made despite the setting of the "lm announce" parameter.<p>
-
-See also "lm announce".<p>
-
-.B Default:
- lm interval = 60<p>
-
-.B Example:
- lm interval = 120<p>
-
-<a name="load printers">
-<H3>load printers (G)</H3>
-A boolean variable that controls whether all printers in the printcap
-will be loaded for browsing by default. <p>
-
-.B Default:
- load printers = yes<p>
-
-.B Example:
- load printers = no<p>
-
-<a name="local master">
-<H3>local master (G)</H3>
-This option allows the nmbd to become a local master browser on a
-subnet. If set to False then nmbd will not attempt to become a local
-master browser on a subnet and will also lose in all browsing elections.
-By default this value is set to true. Setting this value to true doesn't
-mean that Samba will become the local master browser on a subnet, just
-that the nmbd will participate in elections for local master browser.<p>
-
-.B Default:
- local master = yes<p>
-
-<a name="lock directory">
-<H3>lock directory (G)</H3>
-This option specifies the directory where lock files will be placed.
-The lock files are used to implement the "max connections" option.<p>
-
-.B Default:
- lock directory = /tmp/samba<p>
-
-.B Example:
- lock directory = /usr/local/samba/var/locks<p>
-
-<a name="locking">
-<H3>locking (S)</H3>
+between 'keepalive' packets. If this parameter is zero, no keepalive packets
+will be sent. Keepalive packets, if sent, allow the server to tell whether a
+client is still present and responding. <P>
+<B>Default:</B> keep alive = 300 <P>
+<B>Example:</B> keep alive = 60 <P>
+
+<H3><A NAME="lm announce">lm announce (G)</A></H3>
+This parameter determines if Samba will produce Lanman announce broadcasts
+that are needed by OS/2 clients in order for them to see the Samba server in
+their browse list. This parameter can have three values, True, False, or Auto.
+The default is Auto. If set to False Samba will never produce these broadcasts.
+If set to True Samba will produce Lanman announce broadcasts at a frequency
+set by the parameter <A HREF="#lm interval">lm interval</A>. If set to Auto
+Samba will not send Lanman announce broadcasts by default but will listen for
+them. If it hears such a broadcast on the wire it will then start sending
+them at a frequency set by the 'lm interval' parameter<P>
+See also <A HREF="#lm interval">lm interval</A>. <P>
+<B>Default:</B> lm announce = Auto <P>
+<B>Example:</B> lm announce = True <P>
+
+<H3><A NAME="lm interval">lm interval (G)</A></H3>
+If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients
+(see the <A HREF="#lm announce">lm announce</A> parameter) this
+parameter defines the frequency in seconds with which they will be made.
+If this is set to zero then no Lanman announcements will be made despite
+the setting of the <A HREF="#lm announce">lm announce</A> parameter. <P>
+See also <A HREF="#lm announce">lm announce</A>. <P>
+<B>Default:</B> lm interval = 60 <P>
+<B>Example:</B> lm interval = 120 <P>
+
+<H3><A NAME="load printers">load printers (G)</A></H3>
+A boolean variable that controls whether all printers in the printcap
+will be loaded for browsing by default. <P>
+<B>Default:</B> load printers = Yes <P>
+<B>Example:</B> load printers = No <P>
+
+<H3><A NAME="local master">local master (G)</A></H3>
+This option allows nmbd to become a local master browser on a subnet. If set
+to No then nmbd will not attempt to become a local master browser on a subnet
+and will also lose in all browsing elections. By default this value is set
+to Yes. Setting this value to Yes doesn't mean that Samba will become the local
+master browser on a subnet, just that the nmbd will participate in elections
+for local master browser. <P>
+<B>Default:</B> local master = yes <P>
+
+<H3><A NAME="lock dir">lock dir (G)</A></H3>
+This option specifies the directory where lock files will be placed.
+The lock files are used to implement the
+<A HREF="#max connections">max connections</A> option. <P>
+<B>Default:</B> lock dir = /tmp/samba <P>
+<B>Example:</B> lock dir = /usr/local/samba/var/locks <P>
+
+<H3><A NAME="locking">locking (S)</A></H3>
This controls whether or not locking will be performed by the server in
-response to lock requests from the client.<p>
-
-If "locking = no", all lock and unlock requests will appear to succeed and
-all lock queries will indicate that the queried lock is clear.<p>
-
-If "locking = yes", real locking will be performed by the server.<p>
-
-This option may be particularly useful for read-only filesystems which
-do not need locking (such as cdrom drives).<p>
-
-Be careful about disabling locking either globally or in a specific
-service, as lack of locking may result in data corruption.<p>
-
-.B Default:
- locking = yes<p>
-
-.B Example:
- locking = no<p>
-
-<a name="log file">
-<H3>log file (G)</H3><p>
-
-This options allows you to override the name of the Samba log file
-(also known as the debug file).<p>
-
-This option takes the standard substitutions, allowing you to have
-separate log files for each user or machine.<p>
-
-.B Example:
- log file = /usr/local/samba/var/log.%m<p>
-
-<a name="log level">
-<H3>log level (G)</H3>
-see "debug level"<p>
-
-<a name="logon drive">
-<H3>logon drive (G)</H3><p>
-
-This parameter specifies the local path to which the home directory
-will be connected (see "logon home") and is only used by NT Workstations.<p>
-
-.B Example:
- logon drive = h:<p>
-
-<a name="logon home">
-<H3>logon home (G)</H3><p>
-
-This parameter specifies the home directory location when a Win95 or
-NT Workstation logs into a Samba PDC. It allows you to do "NET USE
-H: /HOME" from a command prompt, for example.<p>
-
-.B
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine.<p>
-
-.B Example:
- logon home = "\\\\remote_smb_server\\%U"<p>
-
-.B Default:
- logon home = "\\\\%N\\%U"<p>
-
-<a name="logon path">
-<H3>logon path (G)</H3><p>
-
-This parameter specifies the home directory where roaming profiles
-(USER.DAT / USER.MAN files for Windows 95) are stored.<p>
-
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine. It also specifies
-the directory from which the "desktop", "start menu", "nethood" and
-"programs" folders, and their contents, are loaded and displayed
-on your Windows 95 client.<p>
-
-The share and the path must be readable by the user for the preferences
-and directories to be loaded onto the Windows 95 client. The share
-must be writeable when the logs in for the first time, in order that
-the Windows 95 client can create the user.dat and other directories.<p>
-
-Thereafter, the directories and any of contents can, if required,
-be made read-only. It is not adviseable that the USER.DAT file be made
-read-only - rename it to USER.MAN to achieve the desired effect
-(a MANdatory profile).<p>
-
-Windows clients can sometimes maintain a connection to the [homes]
-share, even though there is no user logged in. Therefore, it is
-vital that the logon path does not include a reference to the
-homes share (i.e \\\\%N\\HOMES\profile_path will cause problems).<p>
-
-.B
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine.<p>
-
-.B Default:
- logon path = \\\\%N\\%U\\profile<p>
-
-.B Example:
- logon path = \\\\PROFILESERVER\\HOME_DIR\\%U\\PROFILE<p>
-
-<a name="logon script">
-<H3>logon script (G)</H3><p>
-
-This parameter specifies the batch file (.bat) or NT command file (.cmd)
-to be downloaded and run on a machine when a user successfully logs in.
-The file must contain the DOS style cr/lf line endings. Using a DOS-style
-editor to create the file is recommended.<p>
-
-The script must be a relative path to the [netlogon] service. If the
-[netlogon] service specifies a path of /usr/local/samba/netlogon, and
-logon script = STARTUP.BAT, then file that will be downloaded is:<p>
-
-.B /usr/local/samba/netlogon/STARTUP.BAT<p>
-
-The contents of the batch file is entirely your choice. A suggested
-command would be to add NET TIME \\\\SERVER /SET /YES, to force every
-machine to synchronise clocks with the same time server. Another use
-would be to add NET USE U: \\\\SERVER\\UTILS for commonly used utilities,
-or NET USE Q: \\\\SERVER\\ISO9001_QA.<p>
-
-Note that it is particularly important not to allow write access to
-the [netlogon] share, or to grant users write permission on the
-batch files in a secure environment, as this would allow the batch
-files to be arbitrarily modified.<p>
-
-.B
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine.<p>
-
-.B Example:
- logon script = scripts/%U.bat<p>
-
-<a name="lppause command">
-<H3>lppause command (S)</H3>
-This parameter specifies the command to be executed on the server host in
-order to stop printing or spooling a specific print job.<p>
-
-This command should be a program or script which takes a printer name and
-job number to pause the print job. Currently I don't know of any print
-spooler system that can do this with a simple option, except for the PPR
-system from Trinity College (ppr\-dist.trincoll.edu/pub/ppr). One way
-of implementing this is by using job priorities, where jobs having a too
-low priority won't be sent to the printer. See also the
-.B lppause
-command.<p>
-
-If a %p is given then the printername is put in its place. A %j is
-replaced with the job number (an integer).
-On HPUX (see printing=hpux), if the -p%p option is added to the lpq
-command, the job will show up with the correct status, i.e. if the job
-priority is lower than the set fence priority it will have the PAUSED
-status, whereas if the priority is equal or higher it will have the
-SPOOLED or PRINTING status.<p>
-
-Note that it is good practice to include the absolute path in the lppause
-command as the PATH may not be available to the server.<p>
-
-.B Default:
- Currently no default value is given to this string<p>
-
-.B Example for HPUX:
- lppause command = /usr/bin/lpalt %p-%j -p0<p>
-
-<a name="lpq cache time">
-<H3>lpq cache time (G)</H3><p>
-
-This controls how long lpq info will be cached for to prevent the lpq
-command being called too often. A separate cache is kept for each
-variation of the lpq command used by the system, so if you use
-different lpq commands for different users then they won't share cache
-information.<p>
-
-The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash
-of the lpq command in use.<p>
-
-The default is 10 seconds, meaning that the cached results of a
-previous identical lpq command will be used if the cached data is less
-than 10 seconds old. A large value may be advisable if your lpq
-command is very slow.<p>
-
-A value of 0 will disable cacheing completely.<p>
-
-.B Default:
- lpq cache time = 10<p>
-
-.B Example:
- lpq cache time = 30<p>
-
-<a name="lpq command">
-<H3>lpq command (S)</H3>
-This parameter specifies the command to be executed on the server host in
-order to obtain "lpq"-style printer status information. <p>
-
-This command should be a program or script which takes a printer name
-as its only parameter and outputs printer status information. <p>
-
-Currently six styles of printer status information are supported; BSD,
-SYSV, AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You
-control which type is expected using the "printing =" option.<p>
-
-Some clients (notably Windows for Workgroups) may not correctly send the
-connection number for the printer they are requesting status information
-about. To get around this, the server reports on the first printer service
-connected to by the client. This only happens if the connection number sent
-is invalid.<p>
-
-If a %p is given then the printername is put in its place. Otherwise
-it is placed at the end of the command.<p>
-
-Note that it is good practice to include the absolute path in the lpq
-command as the PATH may not be available to the server.<p>
-
-.B Default:
- depends on the setting of "printing ="<p>
-
-.B Example:
- lpq command = /usr/bin/lpq %p<p>
-
-<a name="lpresume command">
-<H3>lpresume command (S)</H3>
-This parameter specifies the command to be executed on the server host in
-order to restart or continue printing or spooling a specific print job.<p>
-
-This command should be a program or script which takes a printer name and
-job number to resume the print job. See also the lppause command.<p>
-
-If a %p is given then the printername is put in its place. A %j is
-replaced with the job number (an integer).<p>
-
-Note that it is good practice to include the absolute path in the lpresume
-command as the PATH may not be available to the server.<p>
-
-.B Default:
- Currently no default value is given to this string<p>
-
-.B Example for HPUX:
- lpresume command = /usr/bin/lpalt %p-%j -p2<p>
-
-<a name="lprm command">
-<H3>lprm command (S)</H3>
-This parameter specifies the command to be executed on the server host in
-order to delete a print job.<p>
-
-This command should be a program or script which takes a printer name
-and job number, and deletes the print job.<p>
-
-Currently seven styles of printer control are supported; BSD, SYSV, AIX
-HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control
-which type is expected using the "printing =" option.<p>
-
-If a %p is given then the printername is put in its place. A %j is
-replaced with the job number (an integer).<p>
-
-Note that it is good practice to include the absolute path in the lprm
-command as the PATH may not be available to the server.<p>
-
-.B Default:
- depends on the setting of "printing ="<p>
-
-.B Example 1:
- lprm command = /usr/bin/lprm -P%p %j<p>
-
-.B Example 2:
- lprm command = /usr/bin/cancel %p-%j<p>
-
-<a name="magic output">
-<H3>magic output (S)</H3>
-This parameter specifies the name of a file which will contain output
-created by a magic script (see
-.I magic script
-below).<p>
-
-Warning: If two clients use the same magic script in the same directory the
-output file content is undefined.
-.B Default:
- magic output = <magic script name>.out<p>
-
-.B Example:
- magic output = myfile.txt
-<a name="magic script">
-<H3>magic script (S)</H3>
-This parameter specifies the name of a file which, if opened, will be
-executed by the server when the file is closed. This allows a UNIX script
-to be sent to the Samba host and executed on behalf of the connected user.<p>
-
-Scripts executed in this way will be deleted upon completion, permissions
-permitting.<p>
-
-If the script generates output, output will be sent to the file specified by
-the
-.I magic output
-parameter (see above).<p>
-
-Note that some shells are unable to interpret scripts containing
-carriage-return-linefeed instead of linefeed as the end-of-line
-marker. Magic scripts must be executable "as is" on the host, which
-for some hosts and some shells will require filtering at the DOS end.<p>
-
-Magic scripts are EXPERIMENTAL and should NOT be relied upon.<p>
-
-.B Default:
- None. Magic scripts disabled.<p>
-
-.B Example:
- magic script = user.csh<p>
-
-<a name="mangle case">
-<H3>mangle case (S)</H3><p>
-
-See the section on "NAME MANGLING"<p>
-
-<a name="mangled map">
-<H3>mangled map (S)</H3>
-This is for those who want to directly map UNIX file names which are
-not representable on DOS. The mangling of names is not always what is
-needed. In particular you may have documents with file extensions
-that differ between DOS and UNIX. For example, under UNIX it is common
-to use .html for HTML files, whereas under DOS .htm is more commonly
-used.<p>
-
-So to map 'html' to 'htm' you put:<p>
-
- mangled map = (*.html *.htm)<p>
-
-One very useful case is to remove the annoying ;1 off the ends of
-filenames on some CDROMS (only visible under some UNIXes). To do this
-use a map of (*;1 *)<p>
-
-.B default:
- no mangled map<p>
-
-.B Example:
- mangled map = (*;1 *)<p>
-
-<a name="mangled names">
-<H3>mangled names (S)</H3>
-This controls whether non-DOS names under UNIX should be mapped to
-DOS-compatible names ("mangled") and made visible, or whether non-DOS names
-should simply be ignored.<p>
-
-See the section on "NAME MANGLING" for details on how to control the
-mangling process.<p>
-
-If mangling is used then the mangling algorithm is as follows:
-.RS
-- the first (up to) five alphanumeric characters before the rightmost dot of
-the filename are preserved, forced to upper case, and appear as the first (up
-to) five characters of the mangled name.<p>
-
-- a tilde ("~") is appended to the first part of the mangled name, followed
-by a two-character unique sequence, based on the original root name
-(i.e., the original filename minus its final extension). The final
-extension is included in the hash calculation only if it contains any upper
-case characters or is longer than three characters.<p>
-
-Note that the character to use may be specified using the "mangling
-char" option, if you don't like ~.<p>
-
-- the first three alphanumeric characters of the final extension are preserved,
-forced to upper case and appear as the extension of the mangled name. The
-final extension is defined as that part of the original filename after the
-rightmost dot. If there are no dots in the filename, the mangled name will
-have no extension (except in the case of hidden files - see below).<p>
-
-- files whose UNIX name begins with a dot will be presented as DOS hidden
-files. The mangled name will be created as for other filenames, but with the
-leading dot removed and "___" as its extension regardless of actual original
-extension (that's three underscores).
-.RE<p>
-
-The two-digit hash value consists of upper case alphanumeric characters.<p>
-
-This algorithm can cause name collisions only if files in a directory share
-the same first five alphanumeric characters. The probability of such a clash
-is 1/1300.<p>
-
-The name mangling (if enabled) allows a file to be copied between UNIX
-directories from DOS while retaining the long UNIX filename. UNIX files can
+response to lock requests from the client. <P>
+If set to No, all lock and unlock requests will appear to succeed and all
+lock queries will indicate that the queried lock is clear. <P>
+If set to Yes, real locking will be performed by the server. <P>
+This option may be particularly useful for read-only filesystems which do not
+need locking (such as CDROM drives). <P>
+Be careful about disabling locking either globally or in a specific
+service, as lack of locking may result in data corruption. <P>
+<B>Default:</B> locking = Yes <P>
+<B>Example:</B> locking = No <P>
+
+<H3><A NAME="log file">log file (G)</A></H3>
+This options allows you to override the name of the Samba log file (also
+known as the debug file). <P>
+This option takes the standard substitutions, allowing you to have separate
+log files for each user or machine. <P>
+<B>Example:</B> log file = /usr/local/samba/var/log.%m <P>
+
+<H3><A NAME="log level">log level (G)</A></H3>
+A synonym for this is debuglevel<P>
+The value of the parameter (an integer) allows the logging level (debug level)
+to be specified in the <B>smb.conf</B> file. This is to give greater
+flexibility in the configuration of the system. <P>
+The default will be the logging level specified on the command line. <P>
+<B>Example:</B> log level = 3
+
+<H3><A NAME="logon drive">logon drive (G)</A></H3>
+This parameter specifies the local path to which the home directory will be
+connected (see <A HREF="#logon home">logon home</A>) and is only used by NT
+Workstations. <P>
+<B>Example:</B> logon drive = h: <P>
+
+<H3><A NAME="logon home">logon home (G)</A></H3>
+This parameter specifies the home directory location when a Win95 or NT
+Workstation logs into a Samba PDC. It allows you to do "NET USE H: /HOME"
+from a command prompt, for example. <P>
+This option takes the standard substitutions, allowing you to have separate
+logon scripts for each user or machine. <P>
+<B>Default:</B> logon home = "\\%N\%U" <P>
+<B>Example:</B> logon home = "\\remote_smb_server\%U" <P>
+
+<H3><A NAME="logon path">logon path (G)</A></H3>
+This parameter specifies the home directory where roaming profiles (USER.DAT
+/ USER.MAN files for Windows 95) are stored. <P>
+This option takes the standard substitutions, allowing you to have separate
+logon scripts for each user or machine. It also specifies the directory from
+which the "desktop", "start menu", "nethood" and "programs" folders, and their
+contents, are loaded and displayed on your Windows 95 client. <P>
+The share and the path must be readable by the user for the preferences and
+directories to be loaded onto the Windows 95 client. The share must be
+writeable when the user logs in for the first time, in order that the
+Windows 95 client can create the user.dat and other directories. <P>
+Thereafter, the directories and any of contents can, if required, be
+made read-only. It is not adviseable that the USER.DAT file be made read-only
+- rename it to USER.MAN to achieve the desired effect (a MANdatory profile). <P>
+Windows clients can sometimes maintain a connection to the [homes] share,
+even though there is no user logged in. Therefore, it is vital that the
+logon path does not include a reference to the homes share (i.e
+\\%N\HOMESprofile_path will cause problems). <P>
+This option takes the standard substitutions, allowing you to have separate
+logon scripts for each user or machine. <P>
+<B>Default:</B> logon path = \\%N\%U\profile <P>
+<B>Example:</B> logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE <P>
+
+<H3><A NAME="logon script">logon script (G)</A></H3>
+This parameter specifies the batch file (.bat) or NT command file (.cmd) to
+be downloaded and run on a machine when a user successfully logs in. The file
+must contain the DOS style cr/lf line endings. Using a DOS-style editor to
+create the file is recommended. <P>
+The script must be a relative path to the [netlogon] service. If the
+[netlogon] service specifies a path of /usr/local/samba/netlogon, and logon
+script = STARTUP.BAT, then file that will be downloaded is: <P>
+&nbsp;&nbsp;<B>/usr/local/samba/netlogon/STARTUP.BAT</B> <P>
+The contents of the batch file is entirely your choice. A suggested command
+would be to add NET TIME \\SERVER /SET /YES, to force every machine to
+synchronise clocks with the same time server. Another use would be to add
+NET USE U: \\SERVER\UTILS for commonly used utilities, or
+NET USE Q: \\SERVER\ISO9001_QA. <P>
+Note that it is particularly important not to allow write access to the
+[netlogon] share, or to grant users write permission on the batch files
+in a secure environment, as this would allow the batch files to be arbitrarily
+modified. <P>
+This option takes the standard substitutions, allowing you to have separate
+logon scripts for each user or machine. <P>
+<B>Example:</B> logon script = scripts/%U.bat <P>
+
+<H3><A NAME="lppause command">lppause command (S)</A></H3>
+This parameter specifies the command to be executed on the server host in
+order to stop printing or spooling a specific print job. <P>
+This command should be a program or script which takes a printer name and
+job number to pause the print job. Currently I don't know of any print spooler
+system that can do this with a simple option, except for the PPR system from
+Trinity College (ppr-dist.trincoll.edu/pub/ppr). One way of implementing this
+is by using job priorities, where jobs having a too low priority won't be
+sent to the printer. See also
+<A HREF="#lpresume command">lpresume command</A>.<P>
+If a %p is given then the printername is put in its place. A %j is replaced
+with the job number (an integer). On HPUX (see
+<A HREF="#printing">printing</A>=hpux), if the -p%p
+option is added to the lpq command, the job will show up with the correct
+status, i.e. if the job priority is lower than the set fence priority it
+will have the PAUSED status, whereas if the priority is equal or higher
+it will have the SPOOLED or PRINTING status. <P>
+Note that it is good practice to include the absolute path in the lppause
+command as the PATH may not be available to the server. <P>
+<B>Default:</B> Currently no default value is given to this string <P>
+<B>Example for HPUX:</B> lppause command = /usr/bin/lpalt %p-%j -p0 <P>
+
+<H3><A NAME="lpq cache time">lpq cache time (G)</A></H3>
+This controls how long lpq info will be cached for to prevent the lpq command
+being called too often. A separate cache is kept for each variation of the
+lpq command used by the system, so if you use different lpq commands for
+different users then they won't share cache information. <P>
+The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq
+command in use. <P>
+The default is 10 seconds, meaning that the cached results of a previous
+identical lpq command will be used if the cached data is less than 10 seconds
+old. A large value may be advisable if your lpq command is very slow. <P>
+A value of 0 will disable cacheing completely. <P>
+<B>Default:</B> lpq cache time = 10 <P>
+<B>Example:</B> lpq cache time = 30 <P>
+
+<H3><A NAME="lpq command">lpq command (S)</A></H3>
+This parameter specifies the command to be executed on the server host
+in order to obtain "lpq"-style printer status information. <P>
+This command should be a program or script which takes a printer name as its
+only parameter and outputs printer status information. <P>
+Currently six styles of printer status information are supported; BSD, SYSV,
+AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control
+which type is expected using the <A HREF="#printing">printing</A> option. <P>
+Some clients (notably Windows for Workgroups) may not correctly send the
+connection number for the printer they are requesting status information
+about. To get around this, the server reports on the first printer service
+connected to by the client. This only happens if the connection number sent
+is invalid. <P>
+If a %p is given then the printername is put in its place. Otherwise it is
+placed at the end of the command. <P>
+Note that it is good practice to include the absolute path in the lpq
+command as the PATH may not be available to the server. <P>
+<B>Default:</B> depends on the setting of <A HREF="#printing">printing</A><P>
+<B>Example:</B> lpq command = /usr/bin/lpq %p <P>
+
+<H3><A NAME="lpresume command">lpresume command (S)</A></H3>
+This parameter specifies the command to be executed on the server host in
+order to restart or continue printing or spooling a specific print job. <P>
+This command should be a program or script which takes a printer name and
+job number to resume the print job. See also the
+<A HREF="#lppause command">lppause command</A>. <P>
+If a %p is given then the printername is put in its place.
+A %j is replaced with the job number (an integer). <P>
+Note that it is good practice to include the absolute path in the lpresume
+command as the PATH may not be available to the server. <P>
+<B>Default:</B> Currently no default value is given to this string <P>
+<B>Example for HPUX:</B> lpresume command = /usr/bin/lpalt %p-%j -p2 <P>
+
+<H3><A NAME="lprm command">lprm command (S)</A></H3>
+This parameter specifies the command to be executed on the server host in
+order to delete a print job. <P>
+This command should be a program or script which takes a printer name
+and job number, and deletes the print job. <P>
+Currently seven styles of printer control are supported; BSD, SYSV, AIX HPUX,
+QNX, LPRNG and PLP. This covers most UNIX systems. You control which type is
+expected using the <A HREF="#printing">printing</A> option. <P>
+If a %p is given then the printername is put in its place. A
+%j is replaced with the job number (an integer). <P>
+Note that it is good practice to include the absolute path in the lprm
+command as the PATH may not be available to the server. <P>
+<B>Default:</B> depends on the setting of <A HREF="#printing">printing</A><P>
+<B>Example 1:</B>lprm command = /usr/bin/lprm -P%p %j <P>
+<B>Example 2:</B>lprm command = /usr/bin/cancel %p-%j <P>
+
+<H3><A NAME="magic output">magic output (S)</A></H3>
+This parameter specifies the name of a file which will contain output
+created by a magic script (see <A HREF="#magic script">magic script</A>
+below). <P>
+Warning: If two clients use the same magic script in the same directory the
+output file content is undefined. <P>
+<B>Default:</B> magic output = &lt;magic script name&gt;.out <P>
+<B>Example:</B> magic output = myfile.txt <P>
+
+<H3><A NAME="magic script">magic script (S)</A></H3>
+This parameter specifies the name of a file which, if opened, will be
+executed by the server when the file is closed. This allows a UNIX script to
+be sent to the Samba host and executed on behalf of the connected user. <P>
+Scripts executed in this way will be deleted upon completion, permissions
+permitting. <P>
+If the script generates output, output will be sent to the file specified by
+the <A HREF="#magic output">magic output</A> parameter. <P>
+Note that some shells are unable to interpret scripts containing
+carriage-return-linefeed instead of linefeed as the end-of-line marker. Magic
+scripts must be executable "as is" on the host, which for some hosts and
+some shells will require filtering at the DOS end. <P>
+Magic scripts are EXPERIMENTAL and should NOT be relied upon. <P>
+<B>Default:</B> None. Magic scripts disabled. <P>
+<B>Example:</B> magic script = user.csh <P>
+
+<H3><A NAME="mangle case">mangle case (S)</A></H3>
+Controls if names that have characters that aren't of the "default" case are
+mangled. <P>
+See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> <P>
+
+<H3><A NAME="mangled map">mangled map (S)</A></H3>
+This is for those who want to directly map UNIX file names which are not
+representable on DOS. The mangling of names is not always what is needed. In
+particular you may have documents with file extensions that differ between
+DOS and UNIX. For example, under UNIX it is common to use .html for HTML
+files, whereas under DOS .htm is more commonly used. <P>
+So to map 'html' to 'htm' you put: <P>
+mangled map = (*.html *.htm) <P>
+One very useful case is to remove the annoying ;1 off the ends of filenames
+on some CDROMS (only visible under some UNIXes). To do this use a map of
+(*;1 *) <P>
+<B>default:</B> no mangled map <P>
+<B>Example:</B> mangled map = (*;1 *) <P>
+
+<H3><A NAME="mangled names">mangled names (S)</A></H3>
+This controls whether non-DOS names under UNIX should be mapped
+to DOS-compatible names ("mangled") and made visible, or whether non-DOS
+names should simply be ignored. <P>
+See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> for
+details on how to control the mangling process. <P>
+If mangling is used then the mangling algorithm is as follows:
+<blockquote>- the first (up to) five alphanumeric characters before the
+rightmost dot of the filename are preserved, forced to upper case, and appear
+as the first (up to) five characters of the mangled name. <P>
+- a tilde ("~") is appended to the first part of the mangled name, followed
+by a two-character unique sequence, based on the original root name (i.e.,
+the original filename minus its final extension). The final
+extension is included in the hash calculation only if it contains any
+upper case characters or is longer than three characters. <P>
+Note that the character to use may be specified using the
+<A HREF="#mangling char">mangling char</A> option, if you don't like ~. <P>
+- the first three alphanumeric characters of the final
+extension are preserved, forced to upper case and appear as the extension
+of the mangled name. The final extension is defined as that part of the
+original filename after the rightmost dot. If there are no dots in the
+filename, the mangled name will have no extension (except in the case
+of hidden files - see below). <P>
+- files whose UNIX name begins with a dot will be presented as DOS hidden
+files. The mangled name will be created as for other filenames, but with the
+leading dot removed and "___" as its extension regardless of actual original
+extension (that's three underscores).
+</blockquote>
+The two-digit hash value consists of upper case alphanumeric characters. <P>
+This algorithm can cause name collisions only if files in a directory
+share the same first five alphanumeric characters. The probability of such
+a clash is 1/1300. <P>
+The name mangling (if enabled) allows a file to be copied between UNIX
+directories from DOS while retaining the long UNIX filename. UNIX files can
be renamed to a new extension from DOS and will retain the same basename.
-Mangled names do not change between sessions.<p>
-
-.B Default:
- mangled names = yes<p>
-
-.B Example:
- mangled names = no
-<a name="mangling char">
-<H3>mangling char (S)</H3>
-This controls what character is used as the "magic" character in name
-mangling. The default is a ~ but this may interfere with some
-software. Use this option to set it to whatever you prefer.<p>
-
-.B Default:
- mangling char = ~<p>
-
-.B Example:
- mangling char = ^<p>
-
-<a name="mangled stack">
-<H3>mangled stack (G)</H3>
-This parameter controls the number of mangled names that should be cached in
-the Samba server.<p>
-
-This stack is a list of recently mangled base names (extensions are only
-maintained if they are longer than 3 characters or contains upper case
-characters).<p>
-
-The larger this value, the more likely it is that mangled names can be
-successfully converted to correct long UNIX names. However, large stack
-sizes will slow most directory access. Smaller stacks save memory in the
-server (each stack element costs 256 bytes).<p>
-
-It is not possible to absolutely guarantee correct long file names, so
-be prepared for some surprises!<p>
-
-.B Default:
- mangled stack = 50<p>
-
-.B Example:
- mangled stack = 100<p>
-
-<a name="map archive">
-<H3>map archive (S)</H3>
-This controls whether the DOS archive attribute should be mapped to the
-UNIX owner execute bit. The DOS archive bit is set when a file has been modified
-since its last backup. One motivation for this option it to keep Samba/your
-PC from making any file it touches from becoming executable under UNIX.
-This can be quite annoying for shared source code, documents, etc...<p>
-
-Note that this requires the 'create mask' to be set such that owner
-execute bit is not masked out (ie. it must include 100). See the
-parameter "create mask" for details.<p>
-
-.B Default:
- map archive = yes<p>
-
-.B Example:
- map archive = no<p>
-
-<a name="map hidden">
-<H3>map hidden (S)</H3>
-This controls whether DOS style hidden files should be mapped to the
-UNIX world execute bit.<p>
-
-Note that this requires the 'create mask' to be set such that the world
-execute bit is not masked out (ie. it must include 001).
-See the parameter "create mask" for details.<p>
-
-.B Default:
- map hidden = no<p>
-
-.B Example:
- map hidden = yes
-<a name="map system">
-<H3>map system (S)</H3>
-This controls whether DOS style system files should be mapped to the
-UNIX group execute bit.<p>
-
-Note that this requires the 'create mask' to be set such that the group
+Mangled names do not change between sessions. <P>
+<B>Default:</B> mangled names = Yes <P>
+<B>Example:</B> mangled names = No <P>
+
+<H3><A NAME="mangling char">mangling char (S)</A></H3>
+This controls what character is used as the "magic" character
+in name mangling. The default is a ~ but this may interfere with some software.
+Use this option to set it to whatever you prefer. <P>
+<B>Default:</B> mangling char = ~ <P>
+<B>Example:</B> mangling char = ^ <P>
+
+<H3><A NAME="mangled stack">mangled stack (G)</A></H3>
+This parameter controls the number of mangled names that should be cached in
+the Samba server. <P>
+This stack is a list of recently mangled base names (extensions are only
+maintained if they are longer than 3 characters or contains upper case
+characters). <P>
+The larger this value, the more likely it is that mangled
+names can be successfully converted to correct long UNIX names. However,
+large stack sizes will slow most directory access. Smaller stacks save
+memory in the server (each stack element costs 256 bytes). <P>
+It is not possible to absolutely guarantee correct long file names, so be
+prepared for some surprises! <P>
+<B>Default:</B> mangled stack = 50 <P>
+<B>Example:</B> mangled stack = 100 <P>
+
+<H3><A NAME="map archive">map archive (S)</A></H3>
+This controls whether the DOS archive attribute should
+be mapped to the UNIX owner execute bit. The DOS archive bit is set when
+a file has been modified since its last backup. One motivation for this
+option it to keep Samba/your PC from making any file it touches from becoming
+executable under UNIX. This can be quite annoying for shared source code,
+documents, etc... <P>
+Note that this requires the 'create mask' to be set such
+that owner execute bit is not masked out (ie. it must include 100). See
+the parameter <A HREF="#create mask">create mask</A> for details. <P>
+<B>Default:</B> map archive = Yes <P>
+<B>Example:</B> map archive = No <P>
+
+<H3><A NAME="map hidden">map hidden (S)</A></H3>
+This controls whether DOS style hidden files should be mapped to the UNIX
+world execute bit. <P>
+Note that this requires the 'create mask' to be set such that the world
+execute bit is not masked out (ie. it must include 001). See the parameter
+<A HREF="#create mask">create mask</A> for details. <P>
+<B>Default:</B> map hidden = No <P>
+<B>Example:</B> map hidden = Yes <P>
+
+<H3><A NAME="map system">map system (S)</A></H3>
+This controls whether DOS style system files should be mapped to the UNIX
+group execute bit. <P>
+Note that this requires the 'create mask' to be set such that the group
execute bit is not masked out (ie. it must include 010). See the parameter
-"create mask" for details.<p>
-
-.B Default:
- map system = no<p>
-
-.B Example:
- map system = yes
-<a name="max connections">
-<H3>max connections (S)</H3>
-This option allows the number of simultaneous connections to a
-service to be limited. If "max connections" is greater than 0 then
-connections will be refused if this number of connections to the
-service are already open. A value of zero mean an unlimited number of
-connections may be made.<p>
-
-Record lock files are used to implement this feature. The lock files
-will be stored in the directory specified by the "lock directory" option.<p>
-
-.B Default:
- max connections = 0<p>
-
-.B Example:
- max connections = 10<p>
-
-<a name="max disk size">
-<H3>max disk size (G)</H3>
-This option allows you to put an upper limit on the apparent size of
-disks. If you set this option to 100 then all shares will appear to be
-not larger than 100 MB in size.<p>
-
-Note that this option does not limit the amount of data you can put on
-the disk. In the above case you could still store much more than 100
-MB on the disk, but if a client ever asks for the amount of free disk
-space or the total disk size then the result will be bounded by the
-amount specified in "max disk size".<p>
-
-This option is primarily useful to work around bugs in some pieces of
-software that can't handle very large disks, particularly disks over
-1GB in size.<p>
-
-A "max disk size" of 0 means no limit.<p>
-
-.B Default:
- max disk size = 0<p>
-
-.B Example:
- max disk size = 1000<p>
-
-<a name="max log size">
-<H3>max log size (G)</H3><p>
-
-This option (an integer in kilobytes) specifies the max size the log
-file should grow to. Samba periodically checks the size and if it is
-exceeded it will rename the file, adding a .old extension.<p>
-
-A size of 0 means no limit.<p>
-
-.B Default:
- max log size = 5000<p>
-
-.B Example:
- max log size = 1000<p>
-
-<a name="max mux">
-<H3>max mux (G)</H3><p>
-
+<A HREF="#create mask">create mask</A> for details. <P>
+<B>Default:</B> map system = No <P>
+<B>Example:</B> map system = Yes <P>
+
+<H3><A NAME="max connections">max connections (S)</A></H3>
+This option allows the number of simultaneous connections to a service to be
+limited. If "max connections" is greater than 0 then connections will be
+refused if this number of connections to the service are already open. A value
+of zero mean an unlimited number of connections may be made. <P>
+Record lock files are used to implement this feature. The lock files will be
+stored in the directory specified by the
+<A HREF="#lock dir">lock dir</A> option. <P>
+<B>Default:</B> max connections = 0 <P>
+<B>Example:</B> max connections = 10 <P>
+
+<H3><A NAME="max disk size">max disk size (G)</A></H3>
+This option allows you to put an upper limit on the apparent size of disks.
+If you set this option to 100 then all shares will appear to be not larger
+than 100 MB in size. <P>
+Note that this option does not limit the amount of data you can put on the
+disk. In the above case you could still store much more than 100 MB on the
+disk, but if a client ever asks for the amount of free disk space or the
+total disk size then the result will be bounded by the amount specified in
+"max disk size". <P>
+This option is primarily useful to work around bugs in some pieces of
+software that can't handle very large disks, particularly disks over 1GB in
+size. <P>
+A "max disk size" of 0 means no limit. <P>
+<B>Default:</B> max disk size = 0 <P>
+<B>Example:</B> max disk size = 1000 <P>
+
+<H3><A NAME="max log size">max log size (G)</A></H3>
+This option (an integer in kilobytes) specifies the max size
+the log file should grow to. Samba periodically checks the size and if
+it is exceeded it will rename the file, adding a .old extension. <P>
+A size of 0 means no limit. <P>
+<B>Default:</B> max log size = 5000 <P>
+<B>Example:</B> max log size = 1000 <P>
+
+<H3><A NAME="max mux">max mux (G)</A></H3>
This option controls the maximum number of outstanding simultaneous SMB
operations that samba tells the client it will allow. You should never need
-to set this parameter.<p>
-
-.B Default:
- max mux = 50<p>
-
-<a name="max packet">
-<H3>max packet (G)</H3><p>
-
-A synonym for this parameter is 'packet size'.<p>
-
-<a name="max ttl">
-<H3>max ttl (G)</H3><p>
-
-This option tells nmbd what the default 'time to live' of NetBIOS
-names should be (in seconds) when nmbd is requesting a name using
-either a broadcast or from a WINS server. You should never need to
-change this parameter.<p>
-
-.B Default:
- max ttl = 14400<p>
-
-<a name="max wins ttl">
-<H3>max wins ttl (G)</H3><p>
-
-This option tells nmbd when acting as a WINS server (wins support = true)
-what the maximum 'time to live' of NetBIOS names that nmbd will grant will
-be (in seconds). You should never need to change this parameter.
-The default is 3 days (259200 seconds).<p>
-
-.B Default:
- max wins ttl = 259200<p>
-
-<a name="max xmit">
-<H3>max xmit (G)</H3><p>
-
-This option controls the maximum packet size that will be negotiated
-by Samba. The default is 65535, which is the maximum. In some cases
-you may find you get better performance with a smaller value. A value
-below 2048 is likely to cause problems.<p>
-
-.B Default:
- max xmit = 65535<p>
-
-.B Example:
- max xmit = 8192<p>
-
-<a name="message command">
-<H3>message command (G)</H3><p>
-
-This specifies what command to run when the server receives a WinPopup
-style message.<p>
-
-This would normally be a command that would deliver the message
-somehow. How this is to be done is up to your imagination.<p>
-
-What I use is:<p>
-
- message command = csh -c 'xedit %s;rm %s' &<p>
-
-This delivers the message using xedit, then removes it
-afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
-IMMEDIATELY. That's why I have the & on the end. If it doesn't return
-immediately then your PCs may freeze when sending messages (they
-should recover after 30secs, hopefully).<p>
-
-All messages are delivered as the global guest user. The command takes
-the standard substitutions, although %u won't work (%U may be better
-in this case).<p>
-
-Apart from the standard substitutions, some additional ones apply. In
-particular:<p>
-
-%s = the filename containing the message<p>
-
-%t = the destination that the message was sent to (probably the server
-name)<p>
-
-%f = who the message is from<p>
-
-You could make this command send mail, or whatever else takes your
-fancy. Please let me know of any really interesting ideas you have.<p>
-
-Here's a way of sending the messages as mail to root:<p>
-
-message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s<p>
-
-If you don't have a message command then the message won't be
-delivered and Samba will tell the sender there was an
-error. Unfortunately WfWg totally ignores the error code and carries
-on regardless, saying that the message was delivered.<p>
-
-If you want to silently delete it then try "message command = rm %s".<p>
-
-For the really adventurous, try something like this:<p>
-
-message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \e
- -M %m; rm %s' &<p>
-
-this would execute the command as a script on the server, then give
-them the result in a WinPopup message. Note that this could cause a
-loop if you send a message from the server using smbclient! You better
-wrap the above in a script that checks for this :-)<p>
-
-.B Default:
- no message command<p>
-
-.B Example:
- message command = csh -c 'xedit %s;rm %s' &<p>
-
-<a name="min print space">
-<H3>min print space (S)</H3><p>
-
-This sets the minimum amount of free disk space that must be available
-before a user will be able to spool a print job. It is specified in
-kilobytes. The default is 0, which means no limit.<p>
-
-.B Default:
- min print space = 0<p>
-
-.B Example:
- min print space = 2000<p>
-
-<a name="min wins ttl">
-<H3>min wins ttl (G)</H3><p>
-
-This option tells nmbd when acting as a WINS server (wins support = true)
-what the minimum 'time to live' of NetBIOS names that nmbd will grant will
-be (in seconds). You should never need to change this parameter.
-The default is 6 hours (21600 seconds).<p>
-
-.B Default:
- min wins ttl = 21600<p>
-
-
-<a name="netbios aliases">
-<H3>netbios aliases (G)</H3><p>
-
-This is a list of names that nmbd will advertise as additional
-names by which the Samba server is known. This allows one machine
-to appear in browse lists under multiple names. If a machine is
-acting as a browse server or logon server none of these names
-will be advertised as either browse server or logon servers, only
-the primary name of the machine will be advertised with these
-capabilities.<p>
-
-See also 'netbios name'.<p>
-
-.B Example:
- netbios aliases = TEST TEST1 TEST2<p>
-
-<a name="netbios name">
-<H3>netbios name (G)</H3><p>
-
-This sets the NetBIOS name by which a Samba server is known. By
-default it is the same as the first component of the host's DNS name.
-If a machine is a browse server or logon server this name (or the
-first component of the hosts DNS name) will be the name that these
-services are advertised under.<p>
-
-See also 'netbios aliases'.<p>
-
-.B Example:
- netbios name = MYNAME<p>
-
-<a name="nis homedir">
-<H3>nis homedir (G)</H3>
-Get the home share server from a NIS (or YP) map. For unix systems that
-use an automounter, the user's home directory will often be mounted on
-a workstation on demand from a remote server. When the Samba logon server
-is not the actual home directory server, two network hops are required
-to access the home directory and this can be very slow especially with
-writing via Samba to an NFS mounted directory. This option allows samba
-to return the home share as being on a different server to the logon
-server and as long as a samba daemon is running on the home directory
-server, it will be mounted on the Samba client directly from the directory
-server. When Samba is returning the home share to the client, it will
-consult the NIS (or YP) map specified in "homedir map" and return the
-server listed there.<p>
-
-.B Default:
- nis homedir = false<p>
-
-.B Example:
- nis homedir = true<p>
-
-<a name="networkstation user login">
-<H3>networkstation user login (G)</H3>
-This global parameter (new for 1.9.18p3) affects server level security.
-With this set (recommended) samba will do a full NetWkstaUserLogon to
-confirm that the client really should have login rights. This can cause
-problems with machines in trust relationships in which case you can
-disable it here, but be warned, we have heard that some NT machines
-will then allow anyone in with any password! Make sure you test it.<p>
-
-.B Default:
- networkstation user login = yes<p>
-
-.B Example:
- networkstation user login = no<p>
-
-<a name="null passwords">
-<H3>null passwords (G)</H3>
-Allow or disallow access to accounts that have null passwords. <p>
-
-.B Default:
- null passwords = no<p>
-
-.B Example:
- null passwords = yes<p>
-
-<a name="only guest">
-<H3>only guest (S)</H3>
-A synonym for this command is 'guest only'.<p>
-
-<a name="only user">
-<H3>only user (S)</H3>
-This is a boolean option that controls whether connections with
-usernames not in the user= list will be allowed. By default this
-option is disabled so a client can supply a username to be used by
-the server.<p>
-
-Note that this also means Samba won't try to deduce usernames from the
-service name. This can be annoying for the [homes] section. To get
-around this you could use "user = %S" which means your "user" list
-will be just the service name, which for home directories is the name
-of the user.<p>
-
-.B Default:
- only user = False<p>
-
-.B Example:
- only user = True<p>
-
-<a name="oplocks">
-<H3>oplocks (S)</H3>
-This boolean option tells smbd whether to issue oplocks (opportunistic
-locks) to file open requests on this share. The oplock code was introduced in
-Samba 1.9.18 and can dramatically (approx 30% or more) improve the speed
-of access to files on Samba servers. It allows the clients to agressively
-cache files locally and you may want to disable this option for unreliable
-network environments (it is turned on by default in Windows NT Servers).
-For more information see the file Speed.txt in the Samba docs/ directory.<p>
-
-Oplocks may be selectively turned off on certain files on a per share basis.
-See the 'veto oplock files' parameter.<p>
-
-.B Default:
- oplocks = True<p>
-
-.B Example:
- oplocks = False<p>
-
-
-<a name="os level">
-<H3>os level (G)</H3>
-This integer value controls what level Samba advertises itself as for
-browse elections. See BROWSING.txt for details.<p>
-
-<a name="packet size">
-<H3>packet size (G)</H3>
-The maximum transmit packet size during a raw read. This option is no
-longer implemented as of version 1.7.00, and is kept only so old
-configuration files do not become invalid.<p>
-
-<a name="passwd chat">
-<H3>passwd chat (G)</H3>
-This string controls the "chat" conversation that takes places
-between smbd and the local password changing program to change the
-users password. The string describes a sequence of response-receive
-pairs that smbd uses to determine what to send to the passwd program
-and what to expect back. If the expected output is not received then
-the password is not changed.<p>
-
-This chat sequence is often quite site specific, depending on what
-local methods are used for password control (such as NIS+ etc).<p>
-
-The string can contain the macros %o and %n which are substituted for
-the old and new passwords respectively. It can also contain the
-standard macros \en \er \et and \es to give line-feed, carriage-return,
-tab and space.<p>
-
-The string can also contain a * which matches any sequence of
-characters.<p>
-
-Double quotes can be used to collect strings with spaces in them into
-a single string.<p>
-
-If the send string in any part of the chat sequence is a fullstop "."
-then no string is sent. Similarly, is the expect string is a fullstop
-then no string is expected.<p>
-
-.B Example:
- passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en \e
- "*Reenter NEW password*" %n\en "*Password changed*"<p>
-
-
-.B Default:
- passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed*<p>
-
-<a name="passwd program">
-<H3>passwd program (G)</H3>
-The name of a program that can be used to set user passwords.<p>
-
-This is only necessary if you have enabled remote password changing at
-compile time. Any occurrences of %u will be replaced with the user
-name.<p>
-
-Also note that many passwd programs insist in "reasonable" passwords,
-such as a minimum length, or the inclusion of mixed case chars and
-digits. This can pose a problem as some clients (such as Windows for
-Workgroups) uppercase the password before sending it. <p>
-
-.B Default:
- passwd program = /bin/passwd<p>
-
-.B Example:
- passwd program = /sbin/passwd %u<p>
-
-<a name="password level">
-<H3>password level (G)</H3>
-Some client/server combinations have difficulty with mixed-case passwords.
-One offending client is Windows for Workgroups, which for some reason forces
-passwords to upper case when using the LANMAN1 protocol, but leaves them alone
-when using COREPLUS!<p>
-
-This parameter defines the maximum number of characters that may be upper case
-in passwords.<p>
-
-For example, say the password given was "FRED". If
-.B password level
-is set to 1 (one), the following combinations would be tried if "FRED" failed:
-"Fred", "fred", "fRed", "frEd", "freD". If
-.B password level was set to 2 (two), the following combinations would also be
-tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on.<p>
-
-The higher value this parameter is set to the more likely it is that a mixed
-case password will be matched against a single case password. However, you
-should be aware that use of this parameter reduces security and increases the
-time taken to process a new connection.<p>
-
-A value of zero will cause only two attempts to be made - the password as is
-and the password in all-lower case.<p>
-
-If you find the connections are taking too long with this option then
-you probably have a slow crypt() routine. Samba now comes with a fast
-"ufc crypt" that you can select in the Makefile. You should also make
-sure the PASSWORD_LENGTH option is correct for your system in local.h
-and includes.h. On most systems only the first 8 chars of a password
-are significant so PASSWORD_LENGTH should be 8, but on some longer
-passwords are significant. The includes.h file tries to select the
-right length for your system.<p>
-
-.B Default:
- password level = 0<p>
-
-.B Example:
- password level = 4<p>
-
-<a name="password server">
-<H3>password server (G)</H3><p>
-
-By specifying the name of another SMB server (such as a WinNT box)
-with this option, and using "security = server" you can get Samba to
-do all its username/password validation via a remote server.<p>
-
-This options sets the name of the password server to use. It must be a
-netbios name, so if the machine's netbios name is different from its
-internet name then you may have to add its netbios name to
-/etc/hosts.<p>
-
-The password server much be a machine capable of using the "LM1.2X002"
-or the "LM NT 0.12" protocol, and it must be in user level security
-mode. <p>
-
-NOTE: Using a password server means your UNIX box (running Samba) is
-only as secure as your password server. DO NOT CHOOSE A PASSWORD
-SERVER THAT YOU DON'T COMPLETELY TRUST.<p>
-
-Never point a Samba server at itself for password serving. This will
-cause a loop and could lock up your Samba server!<p>
-
-The name of the password server takes the standard substitutions, but
-probably the only useful one is %m, which means the Samba server will
-use the incoming client as the password server. If you use this then
-you better trust your clients, and you better restrict them with hosts
-allow!<p>
-
-If you list several hosts in the "password server" option then smbd
-will try each in turn till it finds one that responds. This is useful
-in case your primary server goes down.<p>
-
-If you are using a WindowsNT server as your password server then you
-will have to ensure that your users are able to login from the Samba
-server, as the network logon will appear to come from there rather
-than from the users workstation.<p>
-
-<a name="path">
-<H3>path (S)</H3>
-A synonym for this parameter is 'directory'.<p>
-
-This parameter specifies a directory to which the user of the service is to
+to set this parameter. <P>
+<B>Default:</B> max mux = 50 <P>
+
+<H3><A NAME="max packet">max packet (G)</A></H3>
+A synonym for this parameter is 'packet size'. <P>
+The maximum transmit packet size during a raw read. This option is no longer
+implemented as of version 1.7.00, and is kept only so old configuration files
+do not become invalid. <P>
+
+<H3><A NAME="max ttl">max ttl (G)</A></H3>
+This option tells nmbd what the default 'time to live' of NetBIOS names should
+be (in seconds) when nmbd is requesting a name using either a broadcast
+or from a WINS server. You should never need to change this parameter. <P>
+<B>Default:</B> max ttl = 14400 <P>
+
+<H3><A NAME="max wins ttl">max wins ttl (G)</A></H3>
+This option tells nmbd when acting as a WINS server
+(<A HREF="#wins support">wins support</A> = Yes) what the maximum 'time to
+live' of NetBIOS names that nmbd will grant will be (in seconds). You should
+never need to change this parameter. The default is 3 days (259200
+seconds). <P>
+<B>Default:</B> max wins ttl = 259200 <P>
+
+<H3><A NAME="max xmit">max xmit (G)</A></H3>
+This option controls the maximum packet size that will be negotiated by
+Samba. The default is 65535, which is the maximum. In some cases you may find
+you get better performance with a smaller value. A value below 2048 is likely
+to cause problems. <P>
+<B>Default:</B> max xmit = 65535 <P>
+<B>Example:</B> max xmit = 8192 <P>
+
+<H3><A NAME="message command">message command (G)</A></H3>
+This specifies what command to run when the server receives a WinPopup style
+message. <P>
+This would normally be a command that would deliver the message somehow.
+How this is to be done is up to your imagination. <P>
+What I use is: <P>
+message command = csh -c 'xedit %s;rm %s' &amp; <P>
+This delivers the message using xedit, then removes it afterwards. NOTE
+THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why
+I have the &amp; on the end. If it doesn't return immediately then your PCs may
+freeze when sending messages (they should recover after 30secs, hopefully). <P>
+All messages are delivered as the global guest user. The command takes
+the standard substitutions, although %u won't work (%U may be better in
+this case). <P>
+Apart from the standard substitutions, some additional ones apply. In
+particular: <P>
+%s = the filename containing the message <P>
+%t = the destination that the message was sent to (probably the server name) <P>
+%f = who the message is from <P>
+You could make this command send mail, or whatever else takes your fancy.
+Please let me know of any really interesting ideas you have. <P>
+Here's a way of sending the messages as mail to root: <P>
+message command = /bin/mail -s 'message from %f on %m' root &lt; %s; rm %s <P>
+If you don't have a message command then the message won't be delivered and
+Samba will tell the sender there was an error. Unfortunately WfWg totally
+ignores the error code and carries on regardless, saying that the message was
+delivered. <P>
+If you want to silently delete it then try "message command = rm %s". <P>
+For the really adventurous, try something like this: <P>
+message command = csh -c 'csh &lt; %s |&amp; /usr/local/samba/bin/smbclient \
+ -M %m; rm %s' &amp; <P>
+this would execute the command as a script on the server,
+then give them the result in a WinPopup message. Note that this could cause
+a loop if you send a message from the server using smbclient! You better
+wrap the above in a script that checks for this :-) <P>
+<B>Default:</B> no message command <P>
+<B>Example:</B> message command = csh -c 'xedit %s;rm %s' &amp; <P>
+
+<H3><A NAME="min print space">min print space (S)</A></H3>
+This sets the minimum amount of free disk space that must
+be available before a user will be able to spool a print job. It is specified
+in kilobytes. The default is 0, which means no limit. <P>
+<B>Default:</B> min print space = 0 <P>
+<B>Example:</B> min print space = 2000 <P>
+
+<H3><A NAME="min wins ttl">min wins ttl (G)</A></H3>
+This option tells nmbd when acting as a WINS server
+(<A HREF="#wins support">wins support</A> = Yes) what the
+minimum 'time to live' of NetBIOS names that nmbd will grant will be (in
+seconds). You should never need to change this parameter. The default is
+6 hours (21600 seconds). <P>
+<B>Default:</B> min wins ttl = 21600 <P>
+
+<H3><A NAME="name resolve order">name resolve order (G)</A></H3>
+This option is used by the programs smbd, nmbd and smbclient
+to determine what naming services and in what order to resolve host names
+to IP addresses. This option is most useful in smbclient. The option takes
+a space separated string of different name resolution options. These are
+"lmhosts", "host", "wins" and "bcast". They cause names to be resolved
+as follows : <P>
+<pre>
+lmhosts Lookup an IP address in the Samba lmhosts file.
+host Do a standard host name to IP address resolution, using the
+ system /etc/hosts, NIS, or DNS lookups. This method of name
+ resolution is operating system depended (for instance on Solaris
+ this may be controlled by the /etc/nsswitch.conf file).
+wins Query a name with the IP address listed in the "wins server ="
+ parameter. If no WINS server has been specified this method will
+ be ignored.
+bcast Do a broadcast on each of the known local
+ interfaces listed in the "interfaces =" parameter. This is the
+ least reliable of the name resolution methods as it depends
+ on the target host being on a locally connected subnet.
+</pre>
+The default order is lmhosts, host, wins, bcast and these name resolution
+methods will be attempted in this order. <P>
+This option was first introduced in Samba 1.9.18p4. <P>
+<B>Default:</B> name resolve order = lmhosts host wins bcast <P>
+<B>example:</B> name resolve order = lmhosts bcast host <P>
+This will cause the local lmhosts file to be examined first, followed by a
+broadcast attempt, followed by a normal system hostname lookup. <P>
+
+<H3><A NAME="netbios aliases">netbios aliases (G)</A></H3>
+This is a list of names that nmbd will advertise as additional names by which
+the Samba server is known. This allows one machine to appear in browse
+lists under multiple names. If a machine is acting as a browse server or
+logon server none of these names will be advertised as either browse server
+or logon servers, only the primary name of the machine will be advertised
+with these capabilities. <P>
+See also <A HREF="#netbios name">netbios name</A>. <P>
+<B>Example:</B>netbios aliases = TEST TEST1 TEST2 <P>
+
+<H3><A NAME="netbios name">netbios name (G)</A></H3>
+This sets the NetBIOS name by which a Samba server is known. By default it is
+the same as the first component of the host's DNS name. If a machine is a
+browse server or logon server this name (or the first component of the hosts
+DNS name) will be the name that these services are advertised under. <P>
+See also <A HREF="#netbios aliases">netbios aliases</A>. <P>
+<B>Example:</B> netbios name = MYNAME <P>
+
+<H3><A NAME="NIS homedir">NIS homedir (G)</A></H3>
+Get the home share server from a NIS (or YP) map. For unix systems that use
+an automounter, the user's home directory will often be mounted on a
+workstation on demand from a remote server. When the Samba logon server is
+not the actual home directory server, two network hops are required to access
+the home directory and this can be very slow especially with writing via
+Samba to an NFS mounted directory. This option allows samba to return the
+home share as being on a different server to the logon server and as long as
+a samba daemon is running on the home directory server, it will be mounted
+on the Samba client directly from the directory server. When Samba is
+returning the home share to the client, it will consult the NIS (or YP) map
+specified in <A HREF="#homedir map">homedir map</A> and return the server
+listed there. <P>
+<B>Default:</B> NIS homedir = No <P>
+<B>Example:</B> NIS homedir = Yes <P>
+
+<H3><A NAME="networkstation user login">networkstation user login (G)</A></H3>
+This global parameter (new for 1.9.18p3) affects server level security. With
+this set (recommended) samba will do a full NetWkstaUserLogon to confirm that
+the client really should have login rights. This can cause problems with
+machines in trust relationships in which case you can disable it here,
+but be warned, we have heard that some NT machines will then allow anyone
+in with any password! Make sure you test it. <P>
+<B>Default:</B> networkstation user login = Yes <P>
+<B>Example:</B> networkstation user login = No <P>
+
+<H3><A NAME="null passwords">null passwords (G)</A></H3>
+Allow or disallow access to accounts that have null passwords. <P>
+<B>Default:</B> null passwords = No <P>
+<B>Example:</B> null passwords = Yes <P>
+
+<H3><A NAME="only user">only user (S)</A></H3>
+This is a boolean option that controls whether connections with usernames not
+in the <A HREF="#username">username</A> list will be allowed. By default this
+option is disabled so a client can supply a username to be used by the
+server. <P>
+Note that this also means Samba won't try to deduce usernames from the
+service name. This can be annoying for the [homes] section. To get around
+this you could use "<A HREF="#username">username</A> = %S" which means your
+"username" list will be just the service name, which for home directories
+is the name of the user. <P>
+<B>Default: </B> only user = No <P>
+<B>Example: </B> only user = Yes <P>
+
+<H3><A NAME="oplocks">oplocks (S)</A></H3>
+This boolean option tells smbd whether to issue oplocks (opportunistic locks)
+to file open requests on this share. The oplock code
+was introduced in Samba 1.9.18 and can dramatically (approx 30% or more)
+improve the speed of access to files on Samba servers. It allows the clients
+to agressively cache files locally and you may want to disable this option
+for unreliable network environments (it is turned on by default in Windows
+NT Servers). For more information see the file Speed.txt in the Samba docs/
+directory. <P>
+Oplocks may be selectively turned off on certain files on a per share basis.
+See the <A HREF="#veto oplock files">veto oplock files</A> parameter. <P>
+<B>Default:</B> oplocks = Yes <P>
+<B>Example:</B> oplocks = No <P>
+
+<H3><A NAME="os level">os level (G)</A></H3>
+This integer value controls what level Samba advertises itself as for browse
+elections. See BROWSING.txt for details. <P>
+
+<H3><A NAME="passwd chat debug">passwd chat debug (G)</A></H3>
+<B>Default: </B> passwd chat debug = No <P>
+
+<H3><A NAME="passwd chat">passwd chat (G)</A></H3>
+This string controls the "chat" conversation that takes places
+between smbd and the local password changing program to change the users
+password. The string describes a sequence of response-receive pairs that
+smbd uses to determine what to send to the passwd program and what to
+expect back. If the expected output is not received then the password is
+not changed. <P>
+This chat sequence is often quite site specific, depending
+on what local methods are used for password control (such as NIS+ etc). <P>
+The string can contain the macros %o and %n which are substituted for
+the old and new passwords respectively. It can also contain the standard
+macros \n \r \t and \s to give line-feed, carriage-return, tab and space. <P>
+The string can also contain a * which matches any sequence of characters. <P>
+Double quotes can be used to collect strings with spaces in them into
+a single string. <P>
+If the send string in any part of the chat sequence is
+a fullstop "." then no string is sent. Similarly, is the expect string is
+a fullstop then no string is expected. <P>
+<B>Default:</B> passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed* <P>
+<B>Example:</B> passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \
+ "*Reenter NEW password*" %n\n "*Password changed*" <P>
+
+<H3><A NAME="passwd program">passwd program (G)</A></H3>
+The name of a program that can be used to set user passwords. <P>
+This is only necessary if you have enabled remote password changing at
+compile time. Any occurrences of %u will be replaced with the user name. <P>
+Also note that many passwd programs insist in "reasonable"
+passwords, such as a minimum length, or the inclusion of mixed case chars
+and digits. This can pose a problem as some clients (such as Windows for
+Workgroups) uppercase the password before sending it. <P>
+<B>Default:</B> passwd program = /bin/passwd <P>
+<B>Example:</B> passwd program = /sbin/passwd %u <P>
+
+<H3><A NAME="password level">password level (G)</A></H3>
+Some client/server combinations have difficulty with mixed-case
+passwords. One offending client is Windows for Workgroups, which for some
+reason forces passwords to upper case when using the LANMAN1 protocol,
+but leaves them alone when using COREPLUS! <P>
+This parameter defines the maximum number of characters that may be upper
+case in passwords. <P>
+For example, say the password given was "FRED". If password level is set to
+1 (one), the following combinations would be tried if "FRED" failed: "Fred",
+"fred", "fRed", "frEd", "freD". If password level was set to 2 (two), the
+following combinations would also be tried: "FRed", "FrEd", "FreD", "fREd",
+"fReD", "frED". And so on. <P>
+The higher value this parameter is set to the more likely it is that a mixed
+case password will be matched against a single case password. However, you
+should be aware that use of this parameter reduces security and increases the
+time taken to process a new connection. <P>
+A value of zero will cause only two attempts to be made - the password
+as is and the password in all-lower case. <P>
+If you find the connections are taking too long with this option then you
+probably have a slow crypt() routine. Samba now comes with a fast "ufc crypt"
+that you can select in the Makefile. You should also make sure the
+PASSWORD_LENGTH option is correct for your system in local.h and includes.h.
+On most systems only the first 8 chars of a password are significant so
+PASSWORD_LENGTH should be 8, but on some longer passwords are significant.
+The includes.h file tries to select the right length for your system. <P>
+<B>Default:</B> password level = 0 <P>
+<B>Example:</B> password level = 4 <P>
+
+<H3><A NAME="password server">password server (G)</A></H3>
+By specifying the name of another SMB server (such as a WinNT box) with this
+option, and using "<A HREF="#security">security</A> = server" you can get
+Samba to do all its username/password validation via a remote server. <P>
+This options sets the name of the password server to use. It must be a netbios
+name, so if the machine's netbios name is different from its internet name
+then you may have to add its netbios name to /etc/hosts. <P>
+Note that with Samba 1.9.18p4 and above the name of the password server is
+looked up using the <A HREF="#name resolve order">name resolve order</A>
+parameter and so may resolved by any method and order described in that
+parameter. <P>
+The password server much be a machine capable of using the "LM1.2X002"
+or the "LM NT 0.12" protocol, and it must be in user level security mode. <P>
+NOTE: Using a password server means your UNIX box (running Samba) is
+only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER
+THAT YOU DON'T COMPLETELY TRUST. <P>
+Never point a Samba server at itself for password serving. This will cause a
+loop and could lock up your Samba server! <P>
+The name of the password server takes the standard substitutions, but
+probably the only useful one is %m, which means the Samba server will
+use the incoming client as the password server. If you use this then you
+better trust your clients, and you better restrict them with
+<A HREF="#hosts allow">hosts allow</A>! <P>
+If you list several hosts in the "password server" option then smbd will
+try each in turn till it finds one that responds. This is useful in case
+your primary server goes down. <P>
+If you are using a WindowsNT server as your password server then you will
+have to ensure that your users are able to login from the Samba server, as
+the network logon will appear to come from there rather than from the users
+workstation. <P>
+
+<H3><A NAME="path">path (S)</A></H3>
+A synonym for this parameter is "directory". <P>
+This parameter specifies a directory to which the user of the service is to
be given access. In the case of printable services, this is where print data
-will spool prior to being submitted to the host for printing.<p>
-
-For a printable service offering guest access, the service should be readonly
-and the path should be world-writable and have the sticky bit set. This is not
-mandatory of course, but you probably won't get the results you expect if you
-do otherwise.<p>
-
-Any occurrences of %u in the path will be replaced with the username
-that the client is connecting as. Any occurrences of %m will be
-replaced by the name of the machine they are connecting from. These
-replacements are very useful for setting up pseudo home directories
-for users.<p>
-
-Note that this path will be based on 'root dir' if one was specified.
-.B Default:
- none<p>
-
-.B Example:
- path = /home/fred+ <p>
-
-<a name="postexec">
-<H3>postexec (S)</H3><p>
-
-This option specifies a command to be run whenever the service is
-disconnected. It takes the usual substitutions. The command may be run
-as the root on some systems.<p>
-
-An interesting example may be do unmount server resources:<p>
-
-postexec = /etc/umount /cdrom<p>
-
-See also preexec<p>
-
-.B Default:
- none (no command executed)<p>
-
-.B Example:
- postexec = echo \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log<p>
-
-<a name="postscript">
-<H3>postscript (S)</H3>
-This parameter forces a printer to interpret the print files as
-postscript. This is done by adding a %! to the start of print output. <p>
-
-This is most useful when you have lots of PCs that persist in putting
-a control-D at the start of print jobs, which then confuses your
-printer.<p>
-
-.B Default:
- postscript = False<p>
-
-.B Example:
- postscript = True<p>
-
-<a name="preexec">
-<H3>preexec (S)</H3><p>
-
-This option specifies a command to be run whenever the service is
-connected to. It takes the usual substitutions.<p>
-
-An interesting example is to send the users a welcome message every
-time they log in. Maybe a message of the day? Here is an example:<p>
-
-preexec = csh -c 'echo \e"Welcome to %S!\e" | \e
- /usr/local/samba/bin/smbclient -M %m -I %I' &<p>
-
-Of course, this could get annoying after a while :-)<p>
-
-See also postexec<p>
-
-.B Default:
- none (no command executed)<p>
-
-.B Example:
- preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log<p>
-
-<a name="preferred master">
-<H3>preferred master (G)</H3>
-This boolean parameter controls if Samba is a preferred master browser
-for its workgroup.
-If this is set to true, on startup, samba will force an election,
-and it will have a slight advantage in winning the election.
-It is recommended that this parameter is used in conjunction
-with domain master = yes, so that samba can guarantee becoming
-a domain master. <p>
-
-Use this option with caution, because if there are several hosts
-(whether samba servers, Windows 95 or NT) that are preferred master
-browsers on the same subnet, they will each periodically and continuously
-attempt to become the local master browser. This will result in
-unnecessary broadcast traffic and reduced browsing capabilities.<p>
-
-See
-.B os level = nn<p>
-
-.B Default:
- preferred master = no<p>
-
-<H3>preload</H3>
-This is an alias for "auto services"<p>
-
-<a name="preload">
-<H3>preload</H3>
-This is an alias for "auto services"<p>
-
-<a name="preserve case">
-<H3>preserve case (S)</H3><p>
-
-This controls if new filenames are created with the case that the
-client passes, or if they are forced to be the "default" case.<p>
-
-.B Default:
- preserve case = no<p>
-
-See the section on "NAME MANGLING" for a fuller discussion.<p>
-
-<a name="print command">
-<H3>print command (S)</H3>
-After a print job has finished spooling to a service, this command will be
+will spool prior to being submitted to the host for printing. <P>
+For a printable service offering guest access, the service should be readonly
+and the path should be world-writable and have the sticky bit set. This is
+not mandatory of course, but you probably won't get the results you expect if
+you do otherwise. <P>
+Any occurrences of %u in the path will be replaced with the username that the
+client is connecting as. Any occurrences of %m will be replaced by the name
+of the machine they are connecting from. These replacements are very useful
+for setting up pseudo home directories for users. <P>
+Note that this path will be based on
+<A HREF="#root directory">root directory</A> if one was specified.<P>
+<B>Default:</B> none <P>
+<B>Example:</B> path = /home/fred <P>
+
+<H3><A NAME="postexec">postexec (S)</A></H3>
+This option specifies a command to be run whenever the
+service is disconnected. It takes the usual substitutions. The command may
+be run as the root on some systems. <P>
+An interesting example may be do unmount server resources: <P>
+postexec = /etc/umount /cdrom <P>
+See also <A HREF="#preexec">preexec</A> <P>
+<B>Default:</B> none (no command executed) <P>
+<B>Example:</B> postexec = echo \"%u disconnected from %S from %m (%I)\" &gt;&gt; /tmp/log <P>
+
+<H3><A NAME="postscript">postscript (S)</A></H3>
+This parameter forces a printer to interpret the print files as postscript.
+This is done by adding a %! to the start of print output. <P>
+This is most useful when you have lots of PCs that persist in putting a
+control-D at the start of print jobs, which then confuses your printer. <P>
+<B>Default:</B> postscript = No <P>
+<B>Example:</B> postscript = Yes <P>
+
+<H3><A NAME="preferred master">preferred master (G)</A></H3>
+This boolean parameter controls if Samba is a preferred master browser for
+its workgroup. If this is set to Yes, on startup, samba will force an
+election, and it will have a slight advantage in winning the election.
+It is recommended that this parameter is used in conjunction with
+<A HREF="#domain master">domain master</A> = yes, so that samba can guarantee
+becoming a domain master. <P>
+Use this option with caution, because if there are several hosts (whether
+samba servers, Windows 95 or NT) that are preferred master browsers on
+the same subnet, they will each periodically and continuously attempt
+to become the local master browser. This will result in unnecessary broadcast
+traffic and reduced browsing capabilities. <P>
+See <A HREF="#os level">os level</A> = nn <P>
+<B>Default:</B> preferred master = no <P>
+
+<H3><A NAME="preload">preload</A></H3>
+An alias is "auto services". This is a list of services that you want to be
+automatically added to the browse lists. This is most useful for homes and
+printers services that would otherwise not be visible. <P>
+Note that if you just want all printers in your printcap file loaded then the
+<A HREF="#load printers">load printers</A> option is easier. <P>
+<B>Default:</B> no preloaded services <P>
+<B>Example:</B> preload = fred lp colorlp <P>
+
+<H3><A NAME="preserve case">preserve case (S)</A></H3>
+This controls if new filenames are created with the case that
+the client passes, or if they are forced to be the "default" case. <P>
+<B>Default:</B> preserve case = no <P>
+See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> for a fuller
+discussion. <P>
+
+<H3><A NAME="print command">print command (S)</A></H3>
+After a print job has finished spooling to a service, this command will be
used via a system() call to process the spool file. Typically the command
-specified will submit the spool file to the host's printing subsystem, but
-there is no requirement that this be the case. The server will not remove the
-spool file, so whatever command you specify should remove the spool file when
-it has been processed, otherwise you will need to manually remove old spool
-files.<p>
-
-The print command is simply a text string. It will be used verbatim,
-with two exceptions: All occurrences of "%s" will be replaced by the
-appropriate spool file name, and all occurrences of "%p" will be
-replaced by the appropriate printer name. The spool file name is
-generated automatically by the server, the printer name is discussed
-below.<p>
-
-The full path name will be used for the filename if %s is not preceded
-by a /. If you don't like this (it can stuff up some lpq output) then
-use %f instead. Any occurrences of %f get replaced by the spool
-filename without the full path at the front.<p>
-
-The print command MUST contain at least one occurrence of "%s" or %f -
-the "%p" is optional. At the time a job is submitted, if no printer
-name is supplied the "%p" will be silently removed from the printer
-command.<p>
-
-If specified in the [global] section, the print command given will be used
-for any printable service that does not have its own print command specified.<p>
-
+specified will submit the spool file to the host's printing subsystem, but
+there is no requirement that this be the case. The server will not remove
+the spool file, so whatever command you specify should remove the spool file
+when it has been processed, otherwise you will need to manually remove old
+spool files. <P>
+The print command is simply a text string. It will be used verbatim, with
+two exceptions: All occurrences of "%s" will be replaced by the appropriate
+spool file name, and all occurrences of "%p" will be replaced by the
+appropriate printer name. The spool file name is generated automatically by
+the server, the <A HREF="#printer name">printer name</A> is discussed below. <P>
+The full path name will be used for the filename if %s is not preceded by a
+/. If you don't like this (it can stuff up some lpq output) then use %f
+instead. Any occurrences of %f get replaced by the spool filename without
+the full path at the front. <P>
+The print command MUST contain at least one occurrence of "%s" or %f -
+the "%p" is optional. At the time a job is submitted, if no printer name is
+supplied the "%p" will be silently removed from the printer command. <P>
+If specified in the [global] section, the print command given will be used for
+any printable service that does not have its own print command specified.<P>
If there is neither a specified print command for a printable service nor a
-global print command, spool files will be created but not processed and (most
-importantly) not removed.<p>
-
-Note that printing may fail on some UNIXes from the "nobody"
-account. If this happens then create an alternative guest account that
-can print and set the "guest account" in the [global] section.<p>
-
-You can form quite complex print commands by realising that they are
-just passed to a shell. For example the following will log a print
-job, print the file, then remove it. Note that ; is the usual
-separator for command in shell scripts.<p>
-
-print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s<p>
-
-You may have to vary this command considerably depending on how you
-normally print files on your system.<p>
-
-.B Default:
- print command = lpr -r -P %p %s<p>
-
-.B Example:
- print command = /usr/local/samba/bin/myprintscript %p %s
-<a name="print ok">
-<H3>print ok (S)</H3>
-See
-.B printable.
-<a name="printable">
-<H3>printable (S)</H3>
-A synonym for this parameter is 'print ok'.<p>
-
-If this parameter is 'yes', then clients may open, write to and submit spool
-files on the directory specified for the service.<p>
-
-Note that a printable service will ALWAYS allow writing to the service path
-(user privileges permitting) via the spooling of print data. The 'read only'
-parameter controls only non-printing access to the resource.<p>
-
-.B Default:
- printable = no<p>
-
-.B Example:
- printable = yes<p>
-
-<a name="printcap name">
-<H3>printcap name (G)</H3>
-This parameter may be used to override the compiled-in default printcap
-name used by the server (usually /etc/printcap). See the discussion of the
-[printers] section above for reasons why you might want to do this.<p>
-
-On SystemV systems that use lpstat to list available printers you
-can use "printcap name = lpstat" to automatically obtain lists of
-available printers. This is the default for systems that define
-SYSV at compile time in Samba (this includes most SystemV based
-systems). If "printcap name" is set to lpstat on these systems then
-Samba will launch "lpstat -v" and attempt to parse the output to
-obtain a printer list.<p>
-
-A minimal printcap file would look something like this:<p>
-
-print1|My Printer 1
-.br
-print2|My Printer 2
-.br
-print3|My Printer 3
-.br
-print4|My Printer 4
-.br
-print5|My Printer 5<p>
-
-where the | separates aliases of a printer. The fact that the second
-alias has a space in it gives a hint to Samba that it's a comment.<p>
-
-NOTE: Under AIX the default printcap name is "/etc/qconfig". Samba
-will assume the file is in AIX "qconfig" format if the string
-"/qconfig" appears in the printcap filename.<p>
-
-.B Default:
- printcap name = /etc/printcap<p>
-
-.B Example:
- printcap name = /etc/myprintcap<p>
-
-<a name="printer">
-<H3>printer (S)</H3>
-A synonym for this parameter is 'printer name'.<p>
-
-This parameter specifies the name of the printer to which print jobs spooled
-through a printable service will be sent.<p>
-
-If specified in the [global] section, the printer name given will be used
-for any printable service that does not have its own printer name specified.<p>
-
-.B Default:
- none (but may be 'lp' on many systems)<p>
-
-.B Example:
- printer name = laserwriter<p>
-
-<a name="printer driver">
-<H3>printer driver (S)</H3>
-This option allows you to control the string that clients receive when
-they ask the server for the printer driver associated with a
-printer. If you are using Windows95 or WindowsNT then you can use this
-to automate the setup of printers on your system.<p>
-
-You need to set this parameter to the exact string (case sensitive)
-that describes the appropriate printer driver for your system.
-If you don't know the exact string to use then you should first try
-with no "printer driver" option set and the client will give you a
-list of printer drivers. The appropriate strings are shown in a
-scrollbox after you have chosen the printer manufacturer.<p>
-
-.B Example:
- printer driver = HP LaserJet 4L<p>
-
-<a name="printer name">
-<H3>printer name (S)</H3>
-See
-.B printer.<p>
-
-<a name="printer driver file">
-<H3>printer driver file (G)</H3>
-This parameter tells Samba where the printer driver definition file,
-used when serving drivers to Windows 95 clients, is to be found. If
-this is not set, the default is :<p>
-
-SAMBA_INSTALL_DIRECTORY/lib/printers.def<p>
-
-This file is created from Windows 95 'msprint.def' files found on the
-Windows 95 client system. For more details on setting up serving of
-printer drivers to Windows 95 clients, see the documentation file
-docs/PRINTER_DRIVER.txt.<p>
-
-.B Default:
- None (set in compile).<p>
-
-.B Example:
- printer driver file = /usr/local/samba/printers/drivers.def<p>
-
-Related parameters.
-.B printer driver location<p>
-
-<a name="printer driver location">
-<H3>printer driver location (S)</H3>
-This parameter tells clients of a particular printer share where
-to find the printer driver files for the automatic installation
-of drivers for Windows 95 machines. If Samba is set up to serve
-printer drivers to Windows 95 machines, this should be set to<p>
-
-\e\eMACHINE\ePRINTER$<p>
-
-Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
-is a share you set up for serving printer driver files. For more
-details on setting this up see the documentation file
-docs/PRINTER_DRIVER.txt.<p>
-
-.B Default:
- None<p>
-
-.B Example:
- printer driver location = \e\eMACHINE\ePRINTER$<p>
-
-Related paramerers.
-.B printer driver file<p>
-
-
-<a name="printing">
-<H3>printing (S)</H3>
-This parameters controls how printer status information is interpreted
-on your system, and also affects the default values for the "print
-command", "lpq command" and "lprm command".<p>
-
-Currently six printing styles are supported. They are "printing =
-bsd", "printing = sysv", "printing = hpux", "printing = aix",
-"printing = qnx" and "printing = plp".<p>
-
-To see what the defaults are for the other print commands when using
-these three options use the "testparm" program.<p>
-
-As of version 1.9.18 of Samba this option can be set on a per printer basis<p>
-
-<a name="protocol">
-<H3>protocol (G)</H3>
-The value of the parameter (a string) is the highest protocol level that will
-be supported by the server. <p>
-
-Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative
-merits of each are discussed in the README file.<p>
-
-Normally this option should not be set as the automatic negotiation
-phase in the SMB protocol takes care of choosing the appropriate protocol.<p>
-
-.B Default:
- protocol = NT1<p>
-
-.B Example:
- protocol = LANMAN1
-<a name="public">
-<H3>public (S)</H3>
-A synonym for this parameter is 'guest ok'.<p>
-
-If this parameter is 'yes' for a service, then no password is required
-to connect to the service. Privileges will be those of the guest
-account.<p>
-
-See the section below on user/password validation for more information about
-this option.<p>
-
-.B Default:
- public = no<p>
-
-.B Example:
- public = yes
-<a name="read list">
-<H3>read list (S)</H3>
-This is a list of users that are given read-only access to a
-service. If the connecting user is in this list then they will
-not be given write access, no matter what the "read only" option
-is set to. The list can include group names using the @group syntax.<p>
-
-See also the "write list" option<p>
-
-.B Default:
- read list =<p>
-
-.B Example:
- read list = mary, @students<p>
-
-<a name="read only">
-<H3>read only (S)</H3>
-See
-.B writable
-and
-.B write ok.
-Note that this is an inverted synonym for writable and write ok.
-<a name="read prediction">
-<H3>read prediction (G)</H3>
-This options enables or disables the read prediction code used to
-speed up reads from the server. When enabled the server will try to
-pre-read data from the last accessed file that was opened read-only
-while waiting for packets.<p>
-
-<H3>Default:</H3>
- read prediction = False<p>
-
-<H3>Example:</H3>
- read prediction = True
-<a name="Default:</H3>
- read prediction = False<p>
-
-<H3>Example:</H3>
- read prediction = True
-<H3>read raw">
-<H3>read raw (G)</H3>
-This parameter controls whether or not the server will support raw reads when
-transferring data to clients.<p>
-
-If enabled, raw reads allow reads of 65535 bytes in one packet. This
-typically provides a major performance benefit.<p>
-
-However, some clients either negotiate the allowable block size incorrectly
-or are incapable of supporting larger block sizes, and for these clients you
-may need to disable raw reads.<p>
-
-In general this parameter should be viewed as a system tuning tool and left
-severely alone. See also
-.B write raw.<p>
-
-.B Default:
- read raw = yes<p>
-
-.B Example:
- read raw = no
-<a name="read size">
-<H3>read size (G)</H3><p>
-
-The option "read size" affects the overlap of disk reads/writes with
-network reads/writes. If the amount of data being transferred in
-several of the SMB commands (currently SMBwrite, SMBwriteX and
-SMBreadbraw) is larger than this value then the server begins writing
-the data before it has received the whole packet from the network, or
-in the case of SMBreadbraw, it begins writing to the network before
-all the data has been read from disk.<p>
-
-This overlapping works best when the speeds of disk and network access
-are similar, having very little effect when the speed of one is much
-greater than the other.<p>
-
-The default value is 2048, but very little experimentation has been
-done yet to determine the optimal value, and it is likely that the best
-value will vary greatly between systems anyway. A value over 65536 is
-pointless and will cause you to allocate memory unnecessarily.<p>
-
-.B Default:
- read size = 2048<p>
-
-.B Example:
- read size = 8192<p>
-
-<a name="remote announce">
-<H3>remote announce (G)</H3><p>
-
-This option allows you to setup nmbd to periodically announce itself
-to arbitrary IP addresses with an arbitrary workgroup name. <p>
-
-This is useful if you want your Samba server to appear in a remote
-workgroup for which the normal browse propagation rules don't
-work. The remote workgroup can be anywhere that you can send IP
-packets to.<p>
-
-For example:<p>
-
- remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF<p>
-
-the above line would cause nmbd to announce itself to the two given IP
-addresses using the given workgroup names. If you leave out the
-workgroup name then the one given in the "workgroup" option is used
-instead. <p>
-
-The IP addresses you choose would normally be the broadcast addresses
-of the remote networks, but can also be the IP addresses of known
-browse masters if your network config is that stable.<p>
-
-This option replaces similar functionality from the nmbd lmhosts file.<p>
-
-<a name="remote browse sync">
-<H3>remote browse sync (G)</H3><p>
-
-This option allows you to setup nmbd to periodically request synchronisation
-of browse lists with the master browser of a samba server that is on a remote
-segment. This option will allow you to gain browse lists for multiple
-workgroups across routed networks. This is done in a manner that does not work
-with any non-samba servers.<p>
-
-This is useful if you want your Samba server and all local clients
-to appear in a remote workgroup for which the normal browse propagation
-rules don't work. The remote workgroup can be anywhere that you can send IP
-packets to.<p>
-
-For example:<p>
-
- remote browse sync = 192.168.2.255 192.168.4.255<p>
-
-the above line would cause nmbd to request the master browser on the
-specified subnets or addresses to synchronise their browse lists with
-the local server.<p>
-
-The IP addresses you choose would normally be the broadcast addresses
-of the remote networks, but can also be the IP addresses of known
-browse masters if your network config is that stable. If a machine IP
-address is given Samba makes NO attempt to validate that the remote
-machine is available, is listening, nor that it is in fact the browse
-master on it's segment.<p>
-
-
-<a name="revalidate">
-<H3>revalidate (S)</H3><p>
-
-This options controls whether Samba will allow a previously validated
-username/password pair to be used to attach to a share. Thus if you
-connect to \e\eserver\eshare1 then to \e\eserver\eshare2 it won't
-automatically allow the client to request connection to the second
-share as the same username as the first without a password.<p>
-
-If "revalidate" is True then the client will be denied automatic
-access as the same username.<p>
-
-.B Default:
- revalidate = False<p>
-
-.B Example:
- revalidate = True<p>
-
-<a name="root">
-<H3>root (G)</H3>
-See
-.B root directory.
-<a name="root dir">
-<H3>root dir (G)</H3>
-See
-.B root directory.
-<a name="root directory">
-<H3>root directory (G)</H3>
-Synonyms for this parameter are 'root dir' and 'root'.<p>
-
-The server will chroot() to this directory on startup. This is not
-strictly necessary for secure operation. Even without it the server
-will deny access to files not in one of the service entries. It may
-also check for, and deny access to, soft links to other parts of the
-filesystem, or attempts to use .. in file names to access other
-directories (depending on the setting of the "wide links" parameter).<p>
-
-Adding a "root dir" entry other than "/" adds an extra level of security,
-but at a price. It absolutely ensures that no access is given to files not
-in the sub-tree specified in the "root dir" option, *including* some files
-needed for complete operation of the server. To maintain full operability
-of the server you will need to mirror some system files into the "root dir"
-tree. In particular you will need to mirror /etc/passwd (or a subset of it),
-and any binaries or configuration files needed for printing (if required).
-The set of files that must be mirrored is operating system dependent.<p>
-
-.B Default:
- root directory = /<p>
-
-.B Example:
- root directory = /homes/smb
-<a name="root postexec">
-<H3>root postexec (S)</H3><p>
-
-This is the same as postexec except that the command is run as
-root. This is useful for unmounting filesystems (such as cdroms) after
-a connection is closed.<p>
-
-<a name="root preexec">
-<H3>root preexec (S)</H3><p>
-
-This is the same as preexec except that the command is run as
-root. This is useful for mounting filesystems (such as cdroms) before
-a connection is finalised.<p>
-
-<a name="security">
-<H3>security (G)</H3>
-This option affects how clients respond to Samba.<p>
-
-The option sets the "security mode bit" in replies to protocol negotiations
+global print command, spool files will be created but not processed and (most
+importantly) not removed. <P>
+Note that printing may fail on some UNIXes from the "nobody" account. If this
+happens then create an alternative guest account that can print and set the
+<A HREF="#guest account">guest account</A> in the [global] section. <P>
+You can form quite complex print commands by realising that they are
+just passed to a shell. For example the following will log a print job,
+print the file, then remove it. Note that ; is the usual separator for
+command in shell scripts. <P>
+print command = echo Printing %s &gt;&gt; /tmp/print.log; lpr -P %p %s; rm %s<P>
+You may have to vary this command considerably depending on how you normally
+print files on your system. <P>
+<B>Default:</B> print command = lpr -r -P %p %s <P>
+<B>Example:</B>print command = /usr/local/samba/bin/myprintscript %p %s <P>
+
+<H3><A NAME="print ok">print ok (S)</A></H3>
+A synonym for this parameter is 'printable'. <P>
+If this parameter is 'Yes', then clients may open, write to
+and submit spool files on the directory specified for the service. <P>
+Note that a printable service will ALWAYS allow writing to the service path
+(user privileges permitting) via the spooling of print data. The
+<A HREF="#read only">read only</A> parameter controls only non-printing
+access to the resource. <P>
+<B>Default:</B> print ok = No <P>
+<B>Example:</B> print ok = Yes <P>
+
+<H3><A NAME="printcap name">printcap name (G)</A></H3>
+This parameter may be used to override the compiled-in default printcap name
+used by the server (usually /etc/printcap). On SystemV systems that
+use lpstat to list available printers you can use "printcap name = lpstat"
+to automatically obtain lists of available printers. This is the default
+for systems that define SYSV at compile time in Samba (this includes
+most SystemV based systems). If "printcap name" is set to lpstat on these
+systems then Samba will launch "lpstat -v" and attempt to parse the output
+to obtain a printer list. <P>
+A minimal printcap file would look something like this: <P>
+print1|My Printer 1 <BR>
+print2|My Printer 2 <BR>
+print3|My Printer 3 <BR>
+print4|My Printer 4 <BR>
+print5|My Printer 5 <P>
+where the | separates aliases of a printer. The fact that the second alias
+has a space in it gives a hint to Samba that it's a comment. <P>
+NOTE: Under AIX the default printcap name is "/etc/qconfig".
+Samba will assume the file is in AIX "qconfig" format if the string "/qconfig"
+appears in the printcap filename. <P>
+<B>Default:</B> printcap name = /etc/printcap <P>
+<B>Example:</B> printcap name = /etc/myprintcap <P>
+
+<H3><A NAME="printer driver">printer driver (S)</A></H3>
+This option allows you to control the string that clients receive when they
+ask the server for the printer driver associated with a printer. If you are
+using Windows95 or WindowsNT then you can use this to automate the setup of
+printers on your system. <P>
+You need to set this parameter to the exact string (case sensitive) that
+describes the appropriate printer driver for your system. If you don't know
+the exact string to use then you should first try with no "printer driver"
+option set and the client will give you a list of printer drivers. The
+appropriate strings are shown in a scrollbox after you have chosen the
+printer manufacturer. <P>
+<B>Example:</B> printer driver = HP LaserJet 4L <P>
+
+<H3><A NAME="printer name">printer name (S)</A></H3>
+A synonym for this parameter is 'printer'. <P>
+This parameter specifies the name of the printer to which print jobs spooled
+through a printable service will be sent. <P>
+If specified in the [global] section, the printer name given will be used for
+any printable service that does not have its own printer name specified. <P>
+<B>Default:</B> none (but may be 'lp' on many systems) <P>
+<B>Example:</B> printer name = laserwriter <P>
+
+<H3><A NAME="printer driver file">printer driver file (G)</A></H3>
+This parameter tells Samba where the printer driver definition file, used
+when serving drivers to Windows 95 clients, is to be found. If this is not
+set, the default is : <P>
+SAMBA_INSTALL_DIRECTORY/lib/printers.def <P>
+This file is created from Windows 95 'msprint.def' files found on the Windows
+95 client system. For more details on setting up serving of printer drivers
+to Windows 95 clients, see the documentation file docs/PRINTER_DRIVER.txt. <P>
+<B>Default:</B> None (set in compile). <P>
+<B>Example:</B> printer driver file = /usr/local/samba/printers/drivers.def <P>
+Related parameters.
+<A HREF="#printer driver location">printer driver location</A> <P>
+
+<H3><A NAME="printer driver location">printer driver location (S)</A></H3>
+This parameter tells clients of a particular printer share where to find the
+printer driver files for the automatic installation of drivers for Windows 95
+machines. If Samba is set up to serve printer drivers to Windows 95 machines,
+this should be set to <P>
+\\MACHINE\PRINTER$ <P>
+Where MACHINE is the NetBIOS name of your Samba
+server, and PRINTER$ is a share you set up for serving printer driver
+files. For more details on setting this up see the documentation file
+docs/PRINTER_DRIVER.txt. <P>
+<B>Default:</B> None <P>
+<B>Example:</B> printer driver location = \\MACHINE\PRINTER$ <P>
+Related paramerers.
+<A HREF="#printer driver file">printer driver file</A><P>
+
+<H3><A NAME="printing">printing (S)</A></H3>
+This parameters controls how printer status information is interpreted
+on your system, and also affects the default values for the
+<A HREF="#print command">print command</A>,
+<A HREF="#lpq command">lpq command</A> and
+<A HREF="#lprm command">lprm command</A>. <P>
+Currently six printing styles are supported. They are bsd, sysv, hpux, aix,
+qnx and plp. <P>
+To see what the defaults are for the other print commands when using these
+options use the "testparm" program. <P>
+As of version 1.9.18 of Samba this option can be set on a per printer basis <P>
+<B>Example:</B> printing = sysv <P>
+
+<H3><A NAME="protocol">protocol (G)</A></H3>
+The value of the parameter (a string) is the highest protocol level that will
+be supported by the server. <P>
+Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative
+merits of each are discussed in the README file. <P>
+Normally this option should not be set as the automatic negotiation phase in
+the SMB protocol takes care of choosing the appropriate protocol. <P>
+<B>Default:</B> protocol = NT1 <P>
+<B>Example:</B> protocol = LANMAN1 <P>
+
+<H3><A NAME="read bmpx">read bmpx (S)</A></H3>
+<B>Default:</B> read bmpx = Yes <P>
+
+<H3><A NAME="read list">read list (S)</A></H3>
+This is a list of users that are given read-only access to a service.
+If the connecting user is in this list then they will not be given write
+access, no matter what the <A HREF="#read only">read only</A> option is set
+to. The list can include group names using the @group syntax. <P>
+See also the <A HREF="#write list">write list</A> option <P>
+<B>Default:</B> read list = <P>
+<B>Example:</B> read list = mary, @students <P>
+
+<H3><A NAME="read only">read only (S)</A></H3>
+Inverted synonyms for this parameter are 'writable' and 'write ok'. <P>
+If this parameter is 'Yes', then users of the service may not create or
+modify files in the service's directory. <P>
+Note that a printable service ('<A HREF="#printable">printable</A> = Yes')
+will ALWAYS allow writing to the directory (user privileges permitting), but
+only via spooling operations. <P>
+<B>Default:</B> read only = Yes <P>
+<B>Examples:</B> read only = No <BR>
+writable = No <BR>
+write ok = Yes <P>
+
+<H3><A NAME="read prediction">read prediction (G)</A></H3>
+This options enables or disables the read prediction code used to speed up
+reads from the server. When enabled the server will try to pre-read data
+from the last accessed file that was opened read-only while waiting for
+packets. <P>
+<B>Default:</B> read prediction = No <P>
+<B>Example:</B> read prediction = Yes <P>
+
+<H3><A NAME="read raw">read raw (G)</A></H3>
+This parameter controls whether or not the server will support raw reads when
+transferring data to clients. <P>
+If enabled, raw reads allow reads of 65535 bytes in one packet. This typically
+provides a major performance benefit. <P>
+However, some clients either negotiate the allowable block size incorrectly
+or are incapable of supporting larger block sizes, and for these clients you
+may need to disable raw reads. <P>
+In general this parameter should be viewed as a system tuning tool and left
+severely alone. See also <A HREF="#write raw">write raw.</A> <P>
+<B>Default:</B> read raw = Yes <P>
+<B>Example:</B> read raw = No <P>
+
+<H3><A NAME="read size">read size (G)</A></H3>
+The option "read size" affects the overlap of disk reads/writes with network
+reads/writes. If the amount of data being transferred in several of the SMB
+commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger than this
+value then the server begins writing the data before it has received the
+whole packet from the network, or in the case of SMBreadbraw, it begins
+writing to the network before all the data has been read from disk. <P>
+This overlapping works best when the speeds of disk and network access are
+similar, having very little effect when the speed of one is much greater
+than the other. <P>
+The default value is 2048, but very little experimentation has been done
+yet to determine the optimal value, and it is likely that the best value
+will vary greatly between systems anyway. A value over 65536 is pointless
+and will cause you to allocate memory unnecessarily. <P>
+<B>Default:</B> read size = 2048 <P>
+<B>Example:</B> read size = 8192 <P>
+
+<H3><A NAME="remote announce">remote announce (G)</A></H3>
+This option allows you to setup nmbd to periodically announce itself to
+arbitrary IP addresses with an arbitrary workgroup name. <P>
+This is useful if you want your Samba server to appear in a remote workgroup
+for which the normal browse propagation rules don't work. The remote
+workgroup can be anywhere that you can send IP packets to. <P>
+For example: <P>
+remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF <P>
+the above line would cause nmbd to announce itself to the two given IP
+addresses using the given workgroup names. If you leave out the workgroup
+name then the one given in the <A HREF="#workgroup">workgroup</A> option is
+used instead. <P>
+The IP addresses you choose would normally be the broadcast
+addresses of the remote networks, but can also be the IP addresses of
+known browse masters if your network config is that stable. <P>
+This option replaces similar functionality from the nmbd lmhosts file. <P>
+
+<H3><A NAME="remote browse sync">remote browse sync (G)</A></H3>
+This option allows you to setup nmbd to periodically request
+synchronisation of browse lists with the master browser of a samba server
+that is on a remote segment. This option will allow you to gain browse
+lists for multiple workgroups across routed networks. This is done in a
+manner that does not work with any non-samba servers. <P>
+This is useful if you want your Samba server and all local clients to appear
+in a remote workgroup for which the normal browse propagation rules don't
+work. The remote workgroup can be anywhere that you can send IP packets to.<P>
+For example: <P>
+remote browse sync = 192.168.2.255 192.168.4.255 <P>
+the above line would cause nmbd to request the master browser on the
+specified subnets or addresses to synchronise their browse lists with the
+local server. <P>
+The IP addresses you choose would normally be the broadcast addresses
+of the remote networks, but can also be the IP addresses of known browse
+masters if your network config is that stable. If a machine IP address
+is given Samba makes NO attempt to validate that the remote machine is
+available, is listening, nor that it is in fact the browse master on it's
+segment. <P>
+
+<H3><A NAME="revalidate">revalidate (S)</A></H3>
+This options controls whether Samba will allow a previously validated
+username/password pair to be used to attach to a share. Thus if you connect
+to \\server\share1 then to \\server\share2 it won't automatically allow the
+client to request connection to the second share as the same username as the
+first without a password. <P>
+If "revalidate" is Yes then the client will be denied automatic access as
+the same username. <P>
+<B>Default:</B> revalidate = No <P>
+<B>Example:</B> revalidate = Yes <P>
+
+<H3><A NAME="root directory">root directory (G)</A></H3>
+Synonyms for this parameter are 'root dir' and 'root'. <P>
+The server will chroot() to this directory on startup. This is not strictly
+necessary for secure operation. Even without it the server will deny access
+to files not in one of the service entries. It may also check for, and deny
+access to, soft links to other parts of the filesystem, or attempts to use
+.. in file names to access other directories (depending on the setting of
+the <A HREF="#wide links">wide links</A> parameter). <P>
+Adding a "root dir" entry other than "/" adds an extra level
+of security, but at a price. It absolutely ensures that no access is given
+to files not in the sub-tree specified in the "root dir" option, *including*
+some files needed for complete operation of the server. To maintain full
+operability of the server you will need to mirror some system files into
+the "root dir" tree. In particular you will need to mirror /etc/passwd
+(or a subset of it), and any binaries or configuration files needed for
+printing (if required). The set of files that must be mirrored is operating
+system dependent. <P>
+<B>Default:</B> root directory = / <P>
+<B>Example:</B> root directory = /homes/smb <P>
+
+<H3><A NAME="root postexec">root postexec (S)</A></H3>
+This is the same as <A HREF="#postexec">postexec</A> except that
+the command is run as root. This is useful for unmounting filesystems (such
+as CDROMS) after a connection is closed. <P>
+
+<H3><A NAME="root preexec">root preexec (S)</A></H3>
+This is the same as <A HREF="#exec">exec</A> except that the command is run
+as root. This is useful for mounting filesystems (such as CDROMS) before a
+connection is finalised. <P>
+
+<H3><A NAME="security">security (G)</A></H3>
+This option affects how clients respond to Samba. <P>
+The option sets the "security mode bit" in replies to protocol negotiations
to turn share level security on or off. Clients decide based on this bit
-whether (and how) to transfer user and password information to the server.<p>
-
-The default is "security=SHARE", mainly because that was the only
-option at one stage.<p>
-
-The alternatives are "security = user" or "security = server". <p>
-
-If your PCs use usernames that are the same as their usernames on the
-UNIX machine then you will want to use "security = user". If you
-mostly use usernames that don't exist on the UNIX box then use
-"security = share".<p>
-
-There is a bug in WfWg that may affect your decision. When in user
-level security a WfWg client will totally ignore the password you type
-in the "connect drive" dialog box. This makes it very difficult (if
-not impossible) to connect to a Samba service as anyone except the
-user that you are logged into WfWg as.<p>
-
-If you use "security = server" then Samba will try to validate the
-username/password by passing it to another SMB server, such as an NT
-box. If this fails it will revert to "security = USER".<p>
-
-See the "password server" option for more details.<p>
-
-.B Default:
- security = SHARE<p>
-
-.B Example:
- security = USER
-<a name="server string">
-<H3>server string (G)</H3>
-This controls what string will show up in the printer comment box in
-print manager and next to the IPC connection in "net view". It can be
-any string that you wish to show to your users.<p>
-
-It also sets what will appear in browse lists next to the machine name.<p>
-
-A %v will be replaced with the Samba version number.<p>
-
-A %h will be replaced with the hostname.<p>
-
-.B Default:
- server string = Samba %v<p>
-
-.B Example:
- server string = University of GNUs Samba Server<p>
-
-<a name="set directory">
-<H3>set directory (S)</H3>
-If 'set directory = no', then users of the service may not use the setdir
-command to change directory.<p>
-
-The setdir command is only implemented in the Digital Pathworks client. See the
-Pathworks documentation for details.<p>
-
-.B Default:
- set directory = no<p>
-
-.B Example:
- set directory = yes<p>
-
-<a name="shared file entries">
-<H3>shared file entries (G)</H3>
-This parameter has been removed (as of Samba 1.9.18 and above). The new
-System V shared memory code prohibits the user from allocating the
-share hash bucket size directly.<p>
-
-<a name="shared mem size">
-<H3>shared mem size (G)</H3>
-This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES.
-It specifies the size of the shared memory (in bytes) to use between smbd
-processes. You should never change this parameter unless you have studied
-the source and know what you are doing. This parameter defaults to 1024
-multiplied by the setting of the maximum number of open files in the
-file local.h in the Samba source code. MAX_OPEN_FILES is normally set
-to 100, so this parameter defaults to 102400 bytes.<p>
-
-.B Default
- shared mem size = 102400<p>
-
-<a name="smb passwd file">
-<H3>smb passwd file (G)</H3>
-This option sets the path to the encrypted smbpasswd file. This is a *VERY
-DANGEROUS OPTION* if the smb.conf is user writable. By default the path
-to the smbpasswd file is compiled into Samba.<p>
-
-<a name="smbrun">
-<H3>smbrun (G)</H3>
-This sets the full path to the smbrun binary. This defaults to the
-value in the Makefile.<p>
-
-You must get this path right for many services to work correctly.<p>
-
-.B Default:
-taken from Makefile<p>
-
-.B Example:
- smbrun = /usr/local/samba/bin/smbrun<p>
-
-<a name="share modes">
-<H3>share modes (S)</H3><p>
-
-This enables or disables the honouring of the "share modes" during a
-file open. These modes are used by clients to gain exclusive read or
-write access to a file. <p>
-
-These open modes are not directly supported by UNIX, so they are
-simulated using lock files in the "lock directory". The "lock
-directory" specified in smb.conf must be readable by all users.<p>
-
-The share modes that are enabled by this option are DENY_DOS,
-DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.<p>
-
-Enabling this option gives full share compatibility but may cost a bit
-of processing time on the UNIX server. They are enabled by default.<p>
-
-.B Default:
- share modes = yes<p>
-
-.B Example:
- share modes = no<p>
-
-<a name="short preserve case">
-<H3>short preserve case (S)</H3><p>
-
-This controls if new short filenames are created with the case that
-the client passes, or if they are forced to be the "default" case.<p>
-
-.B Default:
- short preserve case = no<p>
-
-See the section on "NAME MANGLING" for a fuller discussion.<p>
-
-<a name="socket address">
-<H3>socket address (G)</H3><p>
-
-This option allows you to control what address Samba will listen for
-connections on. This is used to support multiple virtual interfaces on
-the one server, each with a different configuration.<p>
-
-By default samba will accept connections on any address.<p>
-
-.B Example:
- socket address = 192.168.2.20<p>
-
-<a name="socket options">
-<H3>socket options (G)</H3>
-This option (which can also be invoked with the -O command line
-option) allows you to set socket options to be used when talking with
-the client.<p>
-
-Socket options are controls on the networking layer of the operating
-systems which allow the connection to be tuned.<p>
-
-This option will typically be used to tune your Samba server for
-optimal performance for your local network. There is no way that Samba
-can know what the optimal parameters are for your net, so you must
-experiment and choose them yourself. I strongly suggest you read the
-appropriate documentation for your operating system first (perhaps
-"man setsockopt" will help).<p>
-
-You may find that on some systems Samba will say "Unknown socket
-option" when you supply an option. This means you either mis-typed it
-or you need to add an include file to includes.h for your OS. If the
-latter is the case please send the patch to me
-(samba-bugs@samba.anu.edu.au).<p>
-
-Any of the supported socket options may be combined in any way you
-like, as long as your OS allows it.<p>
-
-This is the list of socket options currently settable using this
-option:<p>
-
- SO_KEEPALIVE<p>
-
- SO_REUSEADDR<p>
-
- SO_BROADCAST<p>
-
- TCP_NODELAY<p>
-
- IPTOS_LOWDELAY<p>
-
- IPTOS_THROUGHPUT<p>
-
- SO_SNDBUF *<p>
-
- SO_RCVBUF *<p>
-
- SO_SNDLOWAT *<p>
-
- SO_RCVLOWAT *<p>
-
-Those marked with a * take an integer argument. The others can
-optionally take a 1 or 0 argument to enable or disable the option, by
-default they will be enabled if you don't specify 1 or 0.<p>
-
-To specify an argument use the syntax SOME_OPTION=VALUE for example
-SO_SNDBUF=8192. Note that you must not have any spaces before or after
-the = sign.<p>
-
-If you are on a local network then a sensible option might be<p>
-
-socket options = IPTOS_LOWDELAY<p>
-
-If you have an almost unloaded local network and you don't mind a lot
-of extra CPU usage in the server then you could try<p>
-
-socket options = IPTOS_LOWDELAY TCP_NODELAY<p>
-
-If you are on a wide area network then perhaps try setting
-IPTOS_THROUGHPUT. <p>
-
-Note that several of the options may cause your Samba server to fail
-completely. Use these options with caution!<p>
-
-.B Default:
- no socket options<p>
-
-.B Example:
- socket options = IPTOS_LOWDELAY <p>
-
-<p>
-
-
-<a name="status">
-<H3>status (G)</H3>
-This enables or disables logging of connections to a status file that
-.B smbstatus
-can read.<p>
-
-With this disabled
-.B smbstatus
-won't be able to tell you what
-connections are active.<p>
-
-.B Default:
- status = yes<p>
-
-.B Example:
- status = no<p>
-
-<a name="strict locking">
-<H3>strict locking (S)</H3>
-This is a boolean that controls the handling of file locking in the
-server. When this is set to yes the server will check every read and
-write access for file locks, and deny access if locks exist. This can
-be slow on some systems.<p>
-
-When strict locking is "no" the server does file lock checks only when
-the client explicitly asks for them. <p>
-
-Well behaved clients always ask for lock checks when it is important,
-so in the vast majority of cases "strict locking = no" is preferable.<p>
-
-.B Default:
- strict locking = no<p>
-
-.B Example:
- strict locking = yes<p>
-
-<a name="strip dot">
-<H3>strip dot (G)</H3>
-This is a boolean that controls whether to strip trailing dots off
-UNIX filenames. This helps with some CDROMs that have filenames ending in a
-single dot.<p>
-
-.B Default:
- strip dot = no<p>
-
-.B Example:
- strip dot = yes<p>
-
-<a name="syslog">
-<H3>syslog (G)</H3>
-This parameter maps how Samba debug messages are logged onto the
-system syslog logging levels. Samba debug level zero maps onto
-syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug
-level two maps to LOG_NOTICE, debug level three maps onto LOG_INFO.
-The paramter sets the threshold for doing the mapping, all Samba
-debug messages above this threashold are mapped to syslog LOG_DEBUG
-messages.<p>
-
-.B Default:<p>
-
- syslog = 1<p>
-
-<a name="syslog only">
-<H3>syslog only (G)</H3>
-If this parameter is set then Samba debug messages are logged into
-the system syslog only, and not to the debug log files.<p>
-
-.B Default:
- syslog only = no<p>
-
-<a name="sync always">
-<H3>sync always (S)</H3><p>
-
-This is a boolean parameter that controls whether writes will always
-be written to stable storage before the write call returns. If this is
-false then the server will be guided by the client's request in each
-write call (clients can set a bit indicating that a particular write
-should be synchronous). If this is true then every write will be
-followed by a fsync() call to ensure the data is written to disk.<p>
-
-.B Default:
- sync always = no<p>
-
-.B Example:
- sync always = yes<p>
-
-<a name="time offset">
-<H3>time offset (G)</H3>
-This parameter is a setting in minutes to add to the normal GMT to
-local time conversion. This is useful if you are serving a lot of PCs
-that have incorrect daylight saving time handling.<p>
-
-.B Default:
- time offset = 0<p>
-
-.B Example:
- time offset = 60<p>
-
-<a name="time server">
-<H3>time server (G)</H3>
-This parameter determines if nmbd advertises itself as a time server
-to Windows clients. The default is False.<p>
-
-.B Default:
- time server = False<p>
-
-.B Example:
- time server = True<p>
-
-<a name="unix realname">
-<H3>unix realname (G)</H3>
-This boolean parameter when set causes samba to supply the real name field
-from the unix password file to the client. This is useful for setting up
-mail clients and WWW browsers on systems used by more than one person.<p>
-
-.B Default:
- unix realname = no<p>
-
-.B Example:
- unix realname = yes<p>
-
-<a name="user">
-<H3>user (S)</H3>
-See
-.B username.
-<a name="username">
-<H3>username (S)</H3>
-A synonym for this parameter is 'user'.<p>
-
-Multiple users may be specified in a comma-delimited list, in which case the
-supplied password will be tested against each username in turn (left to right).<p>
-
-The username= line is needed only when the PC is unable to supply its own
-username. This is the case for the coreplus protocol or where your
-users have different WfWg usernames to UNIX usernames. In both these
-cases you may also be better using the \e\eserver\eshare%user syntax
-instead. <p>
-
-The username= line is not a great solution in many cases as it means Samba
-will try to validate the supplied password against each of the
-usernames in the username= line in turn. This is slow and a bad idea for
-lots of users in case of duplicate passwords. You may get timeouts or
-security breaches using this parameter unwisely.<p>
-
-Samba relies on the underlying UNIX security. This parameter does not
-restrict who can login, it just offers hints to the Samba server as to
-what usernames might correspond to the supplied password. Users can
-login as whoever they please and they will be able to do no more
-damage than if they started a telnet session. The daemon runs as the
-user that they log in as, so they cannot do anything that user cannot
-do.<p>
-
-To restrict a service to a particular set of users you can use the
-"valid users=" line.<p>
-
-If any of the usernames begin with a @ then the name will be looked up
-in the groups file and will expand to a list of all users in the group
-of that name. Note that searching though a groups file can take quite
-some time, and some clients may time out during the search.<p>
-
-See the section below on username/password validation for more information
-on how this parameter determines access to the services.<p>
-
-.B Default:
- The guest account if a guest service, else the name of the service.<p>
-
-.B Examples:
- username = fred
- username = fred, mary, jack, jane, @users, @pcgroup<p>
-
-<a name="username level">
-<H3>username level (G)</H3><p>
-
-This option helps Samba to try and 'guess' at the real UNIX username,
-as many DOS clients send an all-uppercase username. By default Samba
-tries all lowercase, followed by the username with the first letter
-capitalized, and fails if the username is not found on the UNIX machine.<p>
-
-If this parameter is set to non-zero the behaviour changes. This
-parameter is a number that specifies the number of uppercase combinations
-to try whilst trying to determine the UNIX user name. The higher the number
-the more combinations will be tried, but the slower the discovery
-of usernames will be. Use this parameter when you have strange
-usernames on your UNIX machine, such as 'AstrangeUser'.<p>
-
-.B Default:
- username level = 0<p>
-
-.B Example:
- username level = 5<p>
-
-<a name="username map">
-<H3>username map (G)</H3><p>
-
-This option allows you to to specify a file containing a mapping of
-usernames from the clients to the server. This can be used for several
-purposes. The most common is to map usernames that users use on DOS or
-Windows machines to those that the UNIX box uses. The other is to map
-multiple users to a single username so that they can more easily share
-files.<p>
-
-The map file is parsed line by line. Each line should contain a single
-UNIX username on the left then a '=' followed by a list of usernames
-on the right. The list of usernames on the right may contain names of
-the form @group in which case they will match any UNIX username in
-that group. The special client name '*' is a wildcard and matches any
-name.<p>
-
-The file is processed on each line by taking the supplied username and
-comparing it with each username on the right hand side of the '='
-signs. If the supplied name matches any of the names on the right
-hand side then it is replaced with the name on the left. Processing
-then continues with the next line.<p>
-
-If any line begins with a '#' or a ';' then it is ignored<p>
-
-If any line begins with an ! then the processing will stop after that
-line if a mapping was done by the line. Otherwise mapping continues
-with every line being processed. Using ! is most useful when you have
-a wildcard mapping line later in the file.<p>
-
-For example to map from the name "admin" or "administrator" to the UNIX
-name "root" you would use<p>
-
- root = admin administrator<p>
-
-Or to map anyone in the UNIX group "system" to the UNIX name "sys" you
-would use<p>
-
- sys = @system<p>
-
-You can have as many mappings as you like in a username map file.<p>
-
-You can map Windows usernames that have spaces in them by using double
-quotes around the name. For example:<p>
-
- tridge = "Andrew Tridgell"<p>
-
-would map the windows username "Andrew Tridgell" to the unix username
-tridge.<p>
-
-The following example would map mary and fred to the unix user sys,
-and map the rest to guest. Note the use of the ! to tell Samba to stop
-processing if it gets a match on that line.<p>
-
- !sys = mary fred
- guest = *<p>
-
-
-Note that the remapping is applied to all occurrences of
-usernames. Thus if you connect to "\e\eserver\efred" and "fred" is
-remapped to "mary" then you will actually be connecting to
-"\e\eserver\emary" and will need to supply a password suitable for
-"mary" not "fred". The only exception to this is the username passed
-to the "password server" (if you have one). The password server will
-receive whatever username the client supplies without modification.<p>
-
-Also note that no reverse mapping is done. The main effect this has is
-with printing. Users who have been mapped may have trouble deleting
-print jobs as PrintManager under WfWg will think they don't own the
-print job.<p>
-
-.B Default
- no username map<p>
-
-.B Example
- username map = /usr/local/samba/lib/users.map<p>
-
-<a name="valid chars">
-<H3>valid chars (S)</H3><p>
-
-The option allows you to specify additional characters that should be
-considered valid by the server in filenames. This is particularly
-useful for national character sets, such as adding u-umlaut or a-ring.<p>
-
-The option takes a list of characters in either integer or character
-form with spaces between them. If you give two characters with a colon
-between them then it will be taken as an lowercase:uppercase pair.<p>
-
-If you have an editor capable of entering the characters into the
-config file then it is probably easiest to use this method. Otherwise
-you can specify the characters in octal, decimal or hexadecimal form
-using the usual C notation.<p>
-
-For example to add the single character 'Z' to the charset (which is a
-pointless thing to do as it's already there) you could do one of the
-following<p>
-
-valid chars = Z
-valid chars = z:Z
-valid chars = 0132:0172<p>
-
-The last two examples above actually add two characters, and alter
-the uppercase and lowercase mappings appropriately.<p>
-
-Note that you MUST specify this parameter after the "client code page"
-parameter if you have both set. If "client code page" is set after
-the "valid chars" parameter the "valid chars" settings will be
-overwritten.<p>
-
-See also the "client code page" parameter.<p>
-
-.B Default
-.br
- Samba defaults to using a reasonable set of valid characters
-.br
- for english systems<p>
-
-.B Example
- valid chars = 0345:0305 0366:0326 0344:0304<p>
-
-The above example allows filenames to have the swedish characters in
-them. <p>
-
-NOTE: It is actually quite difficult to correctly produce a "valid
-chars" line for a particular system. To automate the process
-tino@augsburg.net has written a package called "validchars" which will
-automatically produce a complete "valid chars" line for a given client
-system. Look in the examples subdirectory for this package.<p>
-
-<a name="valid users">
-<H3>valid users (S)</H3>
-This is a list of users that should be allowed to login to this
-service. A name starting with @ is interpreted as a UNIX group.<p>
-
-If this is empty (the default) then any user can login. If a username
-is in both this list and the "invalid users" list then access is
-denied for that user.<p>
-
-The current servicename is substituted for %S. This is useful in the
-[homes] section.<p>
-
-See also "invalid users"<p>
-
-.B Default
- No valid users list. (anyone can login)<p>
-
-.B Example
- valid users = greg, @pcusers<p>
-
-
-<a name="veto file">
-<H3>veto files(S)</H3>
-This is a list of files and directories that are neither visible nor
-accessible. Each entry in the list must be separated by a "/", which
-allows spaces to be included in the entry. '*' and '?' can be used to
-specify multiple files or directories as in DOS wildcards.<p>
-
+whether (and how) to transfer user and password information to the server.<P>
+The default is "security=SHARE", mainly because that was the only option at
+one stage. <P>
+The alternatives are "security = user" or "security = server". <P>
+If your PCs use usernames that are the same as their usernames on the
+UNIX machine then you will want to use "security = user". If you mostly
+use usernames that don't exist on the UNIX box then use "security = share".<P>
+There is a bug in WfWg that may affect your decision. When in user level
+security a WfWg client will totally ignore the password you type in the
+"connect drive" dialog box. This makes it very difficult (if not impossible)
+to connect to a Samba service as anyone except the user that you are logged
+into WfWg as. <P>
+If you use "security = server" then Samba will try to validate
+the username/password by passing it to another SMB server, such as an
+NT box. If this fails it will revert to "security = USER". <P>
+See the <A HREF="#password server">password server</A> option for more
+details. <P>
+<B>Default:</B> security = SHARE <P>
+<B>Example:</B> security = USER <P>
+
+<H3><A NAME="server string">server string (G)</A></H3>
+This controls what string will show up in the printer comment box in print
+manager and next to the IPC connection in "net view". It can be any string
+that you wish to show to your users. <P>
+It also sets what will appear in browse lists next to the machine name. <P>
+A %v will be replaced with the Samba version number. <P>
+A %h will be replaced with the hostname. <P>
+<B>Default:</B> server string = Samba %v <P>
+<B>Example:</B> server string = University of GNUs Samba Server <P>
+
+<H3><A NAME="set directory">set directory (S)</A></H3>
+If 'set directory = No', then users of the service may not use the setdir
+command to change directory. <P>
+The setdir command is only implemented in the Digital Pathworks
+client. See the Pathworks documentation for details. <P>
+<B>Default:</B> set directory = No <P>
+<B>Example:</B> set directory = Yes <P>
+
+<H3><A NAME="shared mem size">shared mem size (G)</A></H3>
+This parameter is only useful when Samba has been compiled with
+FAST_SHARE_MODES. It specifies the size of the shared
+memory (in bytes) to use between smbd processes. You should never change
+this parameter unless you have studied the source and know what you are
+doing. This parameter defaults to 1024 multiplied by the setting of the
+maximum number of open files in the file local.h in the Samba source code.
+MAX_OPEN_FILES is normally set to 100, so this parameter defaults to 102400
+bytes. <P>
+<B>Default</B> shared mem size = 102400 <P>
+
+<H3><A NAME="smb passwd file">smb passwd file (G)</A></H3>
+This option sets the path to the encrypted smbpasswd file. This is a
+*VERY DANGEROUS OPTION* if the smb.conf is user writable. By default the
+path to the smbpasswd file is compiled into Samba. <P>
+
+<H3><A NAME="smbrun">smbrun (G)</A></H3>
+This sets the full path to the smbrun binary. This defaults to the value in
+the Makefile. <P>
+You must get this path right for many services to work correctly. <P>
+<B>Default:</B> taken from Makefile <P>
+<B>Example:</B> smbrun = /usr/local/samba/bin/smbrun <P>
+
+<H3><A NAME="share modes">share modes (S)</A></H3>
+This enables or disables the honouring of the "share modes" during a file
+open. These modes are used by clients to gain exclusive read or write access
+to a file. <P>
+These open modes are not directly supported by UNIX, so they are simulated
+using lock files in the <A HREF="#lock dir">lock dir</A>. The "lock dir"
+specified in smb.conf must be readable by all users. <P>
+The share modes that are enabled by this option are DENY_DOS, DENY_ALL,
+DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. <P>
+Enabling this option gives full share compatibility but may cost a bit of
+processing time on the UNIX server. They are enabled by default. <P>
+<B>Default:</B> share modes = Yes <P>
+<B>Example:</B> share modes = No <P>
+
+<H3><A NAME="short preserve case">short preserve case (S)</A></H3>
+This controls if new short filenames are created with the case that the client
+passes, or if they are forced to be the "default" case. <P>
+<B>Default:</B> short preserve case = No <P>
+See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> for a fuller
+discussion. <P>
+
+<H3><A NAME="socket address">socket address (G)</A></H3>
+This option allows you to control what address Samba will listen for
+connections on. This is used to support multiple virtual interfaces on the
+one server, each with a different configuration. <P>
+By default samba will accept connections on any address. <P>
+<B>Example:</B> socket address = 192.168.2.20 <P>
+
+<H3><A NAME="socket options">socket options (G)</A></H3>
+This option (which can also be invoked with the -O command line option) allows
+you to set socket options to be used when talking with the client. <P>
+Socket options are controls on the networking layer of the operating systems
+which allow the connection to be tuned. <P>
+This option will typically be used to tune your Samba server for optimal
+performance for your local network. There is no way that Samba can know what
+the optimal parameters are for your net, so you must experiment and choose
+them yourself. I strongly suggest you read the appropriate documentation for
+your operating system first (perhaps "man setsockopt" will help). <P>
+You may find that on some systems Samba will say "Unknown socket option" when
+you supply an option. This means you either mis-typed it or you need to add
+an include file to includes.h for your OS. If the latter is the case please
+send the patch to me (samba-bugs@samba.anu.edu.au). <P>
+Any of the supported socket options may be combined in any way you like, as
+long as your OS allows it. <P>
+This is the list of socket options currently settable using this option: <P>
+SO_KEEPALIVE <BR>
+SO_REUSEADDR <BR>
+SO_BROADCAST <BR>
+TCP_NODELAY <BR>
+IPTOS_LOWDELAY <BR>
+IPTOS_THROUGHPUT <BR>
+SO_SNDBUF * <BR>
+SO_RCVBUF * <BR>
+SO_SNDLOWAT * <BR>
+SO_RCVLOWAT * <P>
+Those marked with a * take an integer argument. The others can optionally take
+a 1 or 0 argument to enable or disable the option, by default they will
+be enabled if you don't specify 1 or 0. <P>
+To specify an argument use the syntax SOME_OPTION=VALUE for example
+SO_SNDBUF=8192. Note that you must not have any spaces before or after the =
+sign. <P>
+If you are on a local network then a sensible option might be <P>
+socket options = IPTOS_LOWDELAY <P>
+If you have an almost unloaded local network and you don't mind a lot
+of extra CPU usage in the server then you could try <P>
+socket options = IPTOS_LOWDELAY TCP_NODELAY <P>
+If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT. <P>
+Note that several of the options may cause your Samba server to fail
+completely. Use these options with caution! <P>
+<B>Default:</B> no socket options <P>
+<B>Example:</B> socket options = IPTOS_LOWDELAY <P>
+
+<H3><A NAME="status">status (G)</A></H3>
+This enables or disables logging of connections to a status
+file that <B>smbstatus</B> can read. <P>
+With this disabled <B>smbstatus</B> won't be able to tell you what connections
+are active. <P>
+<B>Default:</B> status = Yes <P>
+<B>Example:</B> status = No <P>
+
+<H3><A NAME="strict locking">strict locking (S)</A></H3>
+This is a boolean that controls the handling of file locking in the server.
+When this is set to yes the server will check every read and write access
+for file locks, and deny access if locks exist. This can be slow on some
+systems. <P>
+When strict locking is "no" the server does file lock checks only when the
+client explicitly asks for them. <P>
+Well behaved clients always ask for lock checks when it is important,
+so in the vast majority of cases "strict locking = no" is preferable. <P>
+<B>Default:</B> strict locking = No <P>
+<B>Example:</B> strict locking = Yes <P>
+
+<H3><A NAME="strip dot">strip dot (G)</A></H3>
+This is a boolean that controls whether to strip trailing dots off
+UNIX filenames. This helps with some CDROMs that have filenames ending
+in a single dot. <P>
+<B>Default:</B> strip dot = No <P>
+<B>Example:</B> strip dot = Yes <P>
+
+<H3><A NAME="syslog">syslog (G)</A></H3>
+This parameter maps how Samba debug messages are logged onto
+the system syslog logging levels. Samba debug level zero maps onto syslog
+LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps to
+LOG_NOTICE, debug level three maps onto LOG_INFO. The paramter sets the
+threshold for doing the mapping, all Samba debug messages above this threashold
+are mapped to syslog LOG_DEBUG messages. <P>
+<B>Default:</B> syslog = 1 <P>
+
+<H3><A NAME="syslog only">syslog only (G)</A></H3>
+If this parameter is set then Samba debug messages are logged
+into the system syslog only, and not to the debug log files. <P>
+<B>Default:</B> syslog only = no <P>
+
+<H3><A NAME="sync always">sync always (S)</A></H3>
+This is a boolean parameter that controls whether writes will always be
+written to stable storage before the write call returns. If this is No then
+the server will be guided by the client's request in each write call (clients
+can set a bit indicating that a particular write should be synchronous). If
+this is Yes then every write will be followed by a fsync() call to ensure the
+data is written to disk. <P>
+<B>Default:</B> sync always = No <P>
+<B>Example:</B> sync always = Yes <P>
+
+<H3><A NAME="time offset">time offset (G)</A></H3>
+This parameter is a setting in minutes to add to the normal GMT to local time
+conversion. This is useful if you are serving a lot of PCs that have incorrect
+daylight saving time handling. <P>
+<B>Default:</B> time offset = 0 <P>
+<B>Example:</B> time offset = 60 <P>
+
+<H3><A NAME="time server">time server (G)</A></H3>
+This parameter determines if nmbd advertises itself as a time server to
+Windows clients. <P>
+<B>Default:</B> time server = No <P>
+<B>Example:</B> time server = Yes <P>
+
+<H3><A NAME="unix realname">unix realname (G)</A></H3>
+This boolean parameter when set causes samba to supply the real name field
+from the unix password file to the client. This is useful for setting up mail
+clients and WWW browsers on systems used by more than one person. <P>
+<B>Default:</B> unix realname = No <P>
+<B>Example:</B> unix realname = Yes <P>
+
+<H3><A NAME="update encrypted">update encrypted (S)</A></H3>
+<B>Default:</B> update encrypted = No <P>
+
+<H3><A NAME="use rhosts">use rhosts (S)</A></H3>
+<B>Default:</B> use rhosts = No <P>
+
+<H3><A NAME="username">username (S)</A></H3>
+A synonym for this parameter is 'user'. <P>
+Multiple users may be specified in a comma-delimited list, in which case the
+supplied password will be tested against each username in turn (left to
+right). <P>
+The username= line is needed only when the PC is unable to supply its own
+username. This is the case for the coreplus protocol or where your users have
+different WfWg usernames to UNIX usernames. In both these cases you may also
+be better using the \\server\share%user syntax instead. <P>
+The username= line is not a great solution in many cases as it means Samba
+will try to validate the supplied password against each of the usernames in
+the username= line in turn. This is slow and a bad idea for lots of users in
+case of duplicate passwords. You may get timeouts or security breaches using
+this parameter unwisely. <P>
+Samba relies on the underlying UNIX security. This parameter does not restrict
+who can login, it just offers hints to the Samba server as to what usernames
+might correspond to the supplied password. Users can login as whoever they
+please and they will be able to do no more damage than if they started a
+telnet session. The daemon runs as the user that they log in as, so they
+cannot do anything that user cannot do. <P>
+To restrict a service to a particular set of users you can use the
+<A HREF="#valid users">valid users</A> line. <P>
+If any of the usernames begin with a @ then the name will be looked
+up in the groups file and will expand to a list of all users in the group
+of that name. Note that searching though a groups file can take quite some
+time, and some clients may time out during the search. <P>
+See the section below on
+<A HREF="#USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A>
+for more information on how this parameter determines access to the services.<P>
+<B>Default:</B> The guest account if a guest service, else the name of the service. <P>
+<B>Examples:</B>username = fredusername = fred, mary, jack, jane, @users, @pcgroup <P>
+
+<H3><A NAME="username level">username level (G)</A></H3>
+This option helps Samba to try and 'guess' at the real UNIX username,
+as many DOS clients send an all-uppercase username. By default Samba tries
+all lowercase, followed by the username with the first letter capitalized,
+and fails if the username is not found on the UNIX machine. <P>
+If this parameter is set to non-zero the behaviour changes. This parameter
+is a number that specifies the number of uppercase combinations to try whilst
+trying to determine the UNIX user name. The higher the number the more
+combinations will be tried, but the slower the discovery of usernames will be.
+Use this parameter when you have strange usernames on your UNIX machine,
+such as 'AstrangeUser'. <P>
+<B>Default:</B> username level = 0 <P>
+<B>Example:</B> username level = 5 <P>
+
+<H3><A NAME="username map">username map (G)</A></H3>
+This option allows you to to specify a file containing
+a mapping of usernames from the clients to the server. This can be used
+for several purposes. The most common is to map usernames that users use
+on DOS or Windows machines to those that the UNIX box uses. The other is
+to map multiple users to a single username so that they can more easily
+share files. <P>
+The map file is parsed line by line. Each line should contain
+a single UNIX username on the left then a '=' followed by a list of usernames
+on the right. The list of usernames on the right may contain names of the
+form @group in which case they will match any UNIX username in that group.
+The special client name '*' is a wildcard and matches any name. <P>
+The file is processed on each line by taking the supplied username and
+comparing it with each username on the right hand side of the '=' signs. If
+the supplied name matches any of the names on the right hand side then it is
+replaced with the name on the left. Processing then continues with the next
+line. <P>
+If any line begins with a '#' or a ';' then it is ignored <P>
+If any line begins with an ! then the processing will stop after that line if
+a mapping was done by the line. Otherwise mapping continues with every line
+being processed. Using ! is most useful when you have a wildcard mapping line
+later in the file. <P>
+For example to map from the name "admin" or "administrator" to the UNIX name
+"root" you would use <P>
+root = admin administrator <P>
+Or to map anyone in the UNIX group "system" to the UNIX name "sys" you would
+use <P>
+sys = @system <P>
+You can have as many mappings as you like in a username map file. <P>
+You can map Windows usernames that have spaces in them by using
+double quotes around the name. For example: <P>
+tridge = "Andrew Tridgell" <P>
+would map the windows username "Andrew Tridgell" to the unix username
+tridge. <P>
+The following example would map mary and fred to the unix user
+sys, and map the rest to guest. Note the use of the ! to tell Samba to
+stop processing if it gets a match on that line. <P>
+!sys = mary fred guest = * <P>
+Note that the remapping is applied to all occurrences of usernames.
+Thus if you connect to "\\server\fred" and "fred" is remapped to "mary" then
+you will actually be connecting to "\\server\mary" and will need to supply
+a password suitable for "mary" not "fred". The only exception to this is
+the username passed to the <A HREF="#password server">password server</A>
+(if you have one). The password server will receive whatever username the
+client supplies without modification. <P>
+Also note that no reverse mapping is done. The main effect this has is
+with printing. Users who have been mapped may have trouble deleting print
+jobs as PrintManager under WfWg will think they don't own the print job. <P>
+<B>Default</B> no username map <P>
+<B>Example</B> username map = /usr/local/samba/lib/users.map <P>
+
+<H3><A NAME="valid chars">valid chars (S)</A></H3>
+The option allows you to specify additional characters that should be
+considered valid by the server in filenames. This is particularly
+useful for national character sets, such as adding u-umlaut or a-ring. <P>
+The option takes a list of characters in either integer or character form
+with spaces between them. If you give two characters with a colon between
+them then it will be taken as an lowercase:uppercase pair. <P>
+If you have an editor capable of entering the characters into the config file
+then it is probably easiest to use this method. Otherwise you can specify the
+characters in octal, decimal or hexadecimal form using the usual C notation.<P>
+For example to add the single character 'Z' to the charset (which is a
+pointless thing to do as it's already there) you could do one of the following
+<P>
+valid chars = Z <BR>
+valid chars = z:Z <BR>
+valid chars = 0132:0172 <P>
+The last two examples above actually add two characters, and alter the
+uppercase and lowercase mappings appropriately. <P>
+Note that you MUST specify this parameter after the
+<A HREF="#client code page">client code page</A> parameter if you have both
+set. If "client code page" is set after the "valid chars" parameter the
+"valid chars" settings will be overwritten. <P>
+See also the <A HREF="#client code page">client code page</A> parameter. <P>
+<B>Default:</B> Samba defaults to using a reasonable set of valid characters
+for english systems <P>
+<B>Example:</B> valid chars = 0345:0305 0366:0326 0344:0304 <P>
+The above example allows filenames to have the swedish characters in them. <P>
+NOTE: It is actually quite difficult to correctly produce a "valid chars" line
+for a particular system. To automate the process tino@augsburg.net
+has written a package called "validchars" which will automatically produce
+a complete "valid chars" line for a given client system. Look in the examples
+subdirectory for this package. <P>
+
+<H3><A NAME="valid users">valid users (S)</A></H3>
+This is a list of users that should be allowed to login to this service. A
+name starting with @ is interpreted as a UNIX group. <P>
+If this is empty (the default) then any user can login. If a username is in
+both this list and the <A HREF="#invalid users">invalid users</A> list then
+access is denied for that user. <P>
+The current servicename is substituted for %S. This is useful in the [homes]
+section. <P>
+See also <A HREF="#invalid users">invalid users</A> <P>
+<B>Default</B> No valid users list. (anyone can login) <P>
+<B>Example</B> valid users = greg, @pcusers <P>
+
+<H3><A NAME="veto files">veto files (S)</A></H3>
+This is a list of files and directories that are neither visible nor
+accessible. Each entry in the list must be separated by a "/", which allows
+spaces to be included in the entry. '*' and '?' can be used to specify
+multiple files or directories as in DOS wildcards. <P>
Each entry must be a unix path, not a DOS path and must not include the
-unix directory separator "/".<p>
-
-Note that the case sensitivity option is applicable in vetoing files.<p>
-
-One feature of the veto files parameter that it is important to be
-aware of, is that if a directory contains nothing but files that
-match the veto files parameter (which means that Windows/DOS clients
-cannot ever see them) is deleted, the veto files within that directory
-*are automatically deleted* along with it, if the user has UNIX permissions
-to do so.
-
-Setting this parameter will affect the performance of Samba, as
-it will be forced to check all files and directories for a match
-as they are scanned.<p>
-
-See also "hide files" and "case sensitive"<p>
-
-.B Default
- No files or directories are vetoed.<p>
-
-.B Examples
- Example 1.
- Veto any files containing the word Security,
- any ending in .tmp, and any directory containing the
- word root.<p>
-
- veto files = /*Security*/*.tmp/*root*/<p>
-
- Example 2.
- Veto the Apple specific files that a NetAtalk server
- creates.<p>
-
- veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/<p>
-
-<a name="veto oplock files">
-<H3>veto oplock files (S)</H3>
-This parameter is only valid when the 'oplocks' parameter is turned on
-for a share. It allows the Samba administrator to selectively turn off
-the granting of oplocks on selected files that match a wildcarded list,
-similar to the wildcarded list used in the 'veto files' parameter.<p>
-
-.B Default
- No files are vetoed for oplock grants.<p>
-
-.B Examples
-You might want to do this on files that you know will be heavily
-contended for by clients. A good example of this is in the NetBench
-SMB benchmark program, which causes heavy client contention for files
-ending in .SEM. To cause Samba not to grant oplocks on these files
-you would use the line (either in the [global] section or in the section
-for the particular NetBench share :<p>
-
- veto oplock files = /*.SEM/<p>
-
-<a name="volume">
-<H3>volume (S)</H3>
-This allows you to override the volume label returned for a
-share. Useful for CDROMs with installation programs that insist on a
-particular volume label.<p>
-
-The default is the name of the share<p>
-
-<a name="wide links">
-<H3>wide links (S)</H3>
-This parameter controls whether or not links in the UNIX file system may be
-followed by the server. Links that point to areas within the directory tree
-exported by the server are always allowed; this parameter controls access
-only to areas that are outside the directory tree being exported.<p>
-
-.B Default:
- wide links = yes<p>
-
-.B Example:
- wide links = no<p>
-
-<a name="wins proxy">
-<H3>wins proxy (G)</H3><p>
-
-This is a boolean that controls if nmbd will respond to broadcast name
-queries on behalf of other hosts. You may need to set this to no for
-some older clients.<p>
-
-.B Default:
- wins proxy = no
-<a name="wins server">
-<H3>wins server (G)</H3><p>
+unix directory separator "/". <P>
+Note that the case sensitivity option is applicable in vetoing files. <P>
+One feature of the veto files parameter that it is important to be aware of,
+is that if a directory contains nothing but files that match the veto files
+parameter (which means that Windows/DOS clients cannot ever see them) is
+deleted, the veto files within that directory *are automatically deleted*
+along with it, if the user has UNIX permissions to do so.Setting this
+parameter will affect the performance of Samba, as it will be forced to check
+all files and directories for a match as they are scanned. <P>
+See also <A HREF="#hide files">hide files</A> and
+<A HREF="#case sensitive">case sensitive</A> <P>
+<B>Default</B> No files or directories are vetoed. <P>
+<B>Examples</B> Example 1. Veto any files containing the word Security, any
+ending in .tmp, and any directory containing the word root. <P>
+veto files = /*Security*/*.tmp/*root*/ <P>
+Example 2. Veto the Apple specific files that a NetAtalk server creates. <P>
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ <P>
+
+<H3><A NAME="veto oplock files">veto oplock files (S)</A></H3>
+This parameter is only valid when the <A HREF="#oplocks">oplocks</A>
+parameter is turned on for a share. It allows the Samba administrator to
+selectively turn off the granting of oplocks on selected files that match
+a wildcarded list, similar to the wildcarded list used in the
+<A HREF="#veto files">veto files</A> parameter. <P>
+<B>Default</B> No files are vetoed for oplock grants. <P>
+<B>Examples</B> You might want to do this on files that you know will be
+heavily contended for by clients. A good example of this is in the NetBench
+SMB benchmark program, which causes heavy client contention for files ending
+in .SEM. To cause Samba not to grant oplocks on these files you would use the
+line (either in the [global] section or in the section for the particular
+NetBench share : <P>
+veto oplock files = /*.SEM/ <P>
+
+<H3><A NAME="volume">volume (S)</A></H3>
+This allows you to override the volume label returned for a share. Useful for
+CDROMs with installation programs that insist on a particular volume label.<P>
+The default is the name of the share <P>
+
+<H3><A NAME="wide links">wide links (S)</A></H3>
+This parameter controls whether or not links in the UNIX file system may be
+followed by the server. Links that point to areas within the directory tree
+exported by the server are always allowed; this parameter controls access only
+to areas that are outside the directory tree being exported. <P>
+<B>Default:</B> wide links = Yes <P>
+<B>Example:</B> wide links = No <P>
+
+<H3><A NAME="wins proxy">wins proxy (G)</A></H3>
+This is a boolean that controls if nmbd will respond to broadcast name queries
+on behalf of other hosts. You may need to set this to no for some older
+clients. <P>
+<B>Default:</B> wins proxy = No <P>
+<H3><A NAME="wins server">wins server (G)</A></H3>
This specifies the DNS name (or IP address) of the WINS server that Samba
-should register with. If you have a WINS server on your network then you
-should set this to the WINS servers name.<p>
-
-You should point this at your WINS server if you have a multi-subnetted
-network.
-.B Default:
- wins server = <p>
-
-<a name="wins support">
-<H3>wins support (G)</H3><p>
-
+should register with. If you have a WINS server on your network then you
+should set this to the WINS servers name. <P>
+You should point this at your WINS server if you have a multi-subnetted
+network. <P>
+<B>Default:</B> wins server = <P>
+
+<H3><A NAME="wins support">wins support (G)</A></H3>
This boolean controls if the nmbd process in Samba will act as a WINS server.
-You should not set this to true unless you have a multi-subnetted network and
-you wish a particular nmbd to be your WINS server. Note that you
-should *NEVER* set this to true on more than one machine in your
-network.<p>
-
-.B Default:
- wins support = no<p>
-
-<a name="workgroup">
-<H3>workgroup (G)</H3><p>
-
-This controls what workgroup your server will appear to be in when
-queried by clients. <p>
-
-.B Default:
- set in the Makefile<p>
-
-.B Example:
- workgroup = MYGROUP<p>
-
-<a name="writable">
-<H3>writable (S)</H3>
-A synonym for this parameter is 'write ok'. An inverted synonym is 'read only'.<p>
-
-If this parameter is 'no', then users of a service may not create or modify
-files in the service's directory.<p>
-
-Note that a printable service ('printable = yes') will ALWAYS allow
-writing to the directory (user privileges permitting), but only via
-spooling operations.<p>
-
-.B Default:
- writable = no<p>
-
-.B Examples:
- read only = no
- writable = yes
- write ok = yes
-<a name="write list">
-<H3>write list (S)</H3>
-This is a list of users that are given read-write access to a
-service. If the connecting user is in this list then they will be
-given write access, no matter what the "read only" option is set
-to. The list can include group names using the @group syntax.<p>
-
-Note that if a user is in both the read list and the write list then
-they will be given write access.<p>
-
-See also the "read list" option<p>
-
-.B Default:
- write list =<p>
-
-.B Example:
- write list = admin, root, @staff<p>
-
-<a name="write ok">
-<H3>write ok (S)</H3>
-See
-.B writable
-and
-.B read only.<p>
-
-<a name="write raw">
-<H3>write raw (G)</H3>
-This parameter controls whether or not the server will support raw writes when
-transferring data from clients.<p>
-
-.B Default:
- write raw = yes<p>
-
-.B Example:
- write raw = no<p>
-
+You should not set this to Yes unless you have a multi-subnetted network and
+you wish a particular nmbd to be your WINS server. Note that you should
+*NEVER* set this to Yes on more than one machine in your network. <P>
+<B>Default:</B> wins support = No <P>
+
+<H3><A NAME="workgroup">workgroup (G)</A></H3>
+This controls what workgroup your server will appear to be in when queried by
+clients. <P>
+<B>Default:</B> set in the Makefile <P>
+<B>Example:</B> workgroup = MYGROUP <P>
+
+<H3><A NAME="write list">write list (S)</A></H3>
+This is a list of users that are given read-write access to a service. If
+the connecting user is in this list then they will be given write access,
+no matter what the <A HREF="#writable">writable</A> option is set to.
+The list can include group names using the @group syntax. <P>
+Note that if a user is in both the read list and the write list then they
+will be given write access. <P>
+See also the <A HREF="#read list">read list</A> option <P>
+<B>Default:</B> write list = <P>
+<B>Example:</B> write list = admin, root, @staff <P>
+
+<H3><A NAME="write raw">write raw (G)</A></H3>
+This parameter controls whether or not the server will support raw writes
+when transferring data from clients. <P>
+<B>Default:</B> write raw = Yes <P>
+<B>Example:</B> write raw = No <P>
+
+<H3><A NAME="USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A></H3>
+There are a number of ways in which a user can connect to a
+service. The server follows the following steps in determining if it will
+allow a connection to a specified service. If all the steps fail then the
+connection request is rejected. If one of the steps pass then the following
+steps are not checked. <P>
+If the service is marked "<A HREF="#guest only">guest only</A> = yes" then
+steps 1 to 5 are skipped <P>
+Step 1: If the client has passed a username/password
+pair and that username/password pair is validated by the UNIX system's
+password programs then the connection is made as that username. Note that
+this includes the \\server\service%username method of passing a username. <P>
+Step 2: If the client has previously registered a username with the system
+and now supplies a correct password for that username then the connection
+is allowed. <P>
+Step 3: The client's netbios name and any previously used user
+names are checked against the supplied password, if they match then the
+connection is allowed as the corresponding user. <P>
+Step 4: If the client has previously validated a username/password pair with
+the server and the client has passed the validation token then that username
+is used. This step is skipped if "<A HREF="#revalidate">revalidate</A> = yes"
+for this service. <P>
+Step 5: If a "<A HREF="#username">username</A> = " field is given in the
+smb.conf file for the service and the client has supplied a password, and
+that password matches (according to the UNIX system's password checking) with
+one of the usernames from the username= field then the connection is made as
+the username in the "username=" line. If one of the username in the username=
+list begins with a @ then that name expands to a list of names in the group
+of the same name. <P>
+Step 6: If the service is a guest service then a connection is made as the
+username given in the "<A HREF="#guest account">guest account</A> =" for the
+service, irrespective of the supplied password.<P>
+
+<H3><A NAME="NAME MANGLING">NAME MANGLING </A></H3>
+Samba supports "name mangling" so that DOS and Windows clients can use files
+that don't conform to the 8.3 format. It can also be set to adjust the case of
+8.3 format filenames. <P>
+There are several options that control the way mangling is
+performed, and they are grouped here rather than listed separately. <P>
+All of these options can be set separately for each service (or globally,
+of course). <P>
+The options are: <P>
+"<A HREF="#mangle case">mangle case</A> = yes/no" controls if names that have
+characters that aren't of the "default" case are mangled. For example, if
+this is yes then a name like "Mail" would be mangled. Default no. <P>
+"<A HREF="#case sensitive">case sensitive</A> = yes/no" controls whether
+filenames are case sensitive. If they aren't then Samba must do a filename
+search and match on passed names. Default no. <P>
+"<A HREF="#default case">default case</A> = upper/lower" controls what the
+default case is for new filenames. Default lower. <P>
+"<A HREF="#preserve case">preserve case</A> = yes/no" controls if new
+files are created with the case that the client passes, or if they are
+forced to be the "default" case. Default no. <P>
+"<A HREF="#short preserve case">short preserve case</A> = yes/no"
+controls if new files which conform to 8.3 syntax, that is all in upper
+case and of suitable length, are created upper case, or if they are forced
+to be the "default" case. This option can be use with "preserve case =
+yes" to permit long filenames to retain their case, while short names
+are lowered. Default no. <P>
+
</BODY>
</HTML>