From 5fa7c79c336584b9eb868abaae69f8fb5950c43b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 21 Feb 2001 15:12:55 +0000 Subject: update as we go. Almost there.... (This used to be commit f29e7f522f831db15409825cbd61709e46acb2b5) --- docs/docbook/smb.conf.5.sgml | 4036 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 3951 insertions(+), 85 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/smb.conf.5.sgml b/docs/docbook/smb.conf.5.sgml index ed2dd53f5d..16d72a01ce 100644 --- a/docs/docbook/smb.conf.5.sgml +++ b/docs/docbook/smb.conf.5.sgml @@ -25,7 +25,7 @@ - FILE FORMAT + FILE FORMAT The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues @@ -47,10 +47,10 @@ value is discarded. Internal whitespace within a parameter value is retained verbatim. - Any line beginning with a semicolon (';') or a hash ('#') + Any line beginning with a semicolon (';') or a hash ('#') character is ignored, as are lines containing only whitespace. - Any line ending in a \ is "continued" + Any line ending in a '\' is continued on the next line in the customary UNIX fashion. The values following the equals sign in parameters are all @@ -64,13 +64,13 @@ SECTION DESCRIPTIONS Each section in the configuration file (except for the - [global] section) describes a shared resource (known - as a "share"). The section name is the name of the + [global] section) describes a shared resource (known + as a "share"). The section name is the name of the shared resource and the parameters within the section define the shares attributes. - There are three special sections, [global], - [homes] and [printers], which are + There are three special sections, [global], + [homes] and [printers], which are described under special sections. The following notes apply to ordinary section descriptions. @@ -92,7 +92,7 @@ Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list - of usernames to check against the password using the "user=" + of usernames to check against the password using the "user=" option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary. @@ -103,7 +103,7 @@ The following sample section defines a file space share. The user has write access to the path /home/bar. - The share is accessed via the share name "foo": + The share is accessed via the share name "foo": @@ -135,16 +135,16 @@ SPECIAL SECTIONS - The [global] section + The [global] section - Parameters in this section apply to the server + parameters in this section apply to the server as a whole, or are defaults for sections which do not specifically define certain items. See the notes - under PARAMETERS for more information. + under paraMETERS for more information. - The [homes] section + The [homes] section If a section called homes is included in the configuration file, services connecting clients to their @@ -155,7 +155,7 @@ match is found, the requested section name is treated as a user name and looked up in the local password file. If the name exists and the correct password has been given, a share is - created by cloning the [homes] section. + created by cloning the [homes] section. Some modifications are then made to the newly created share: @@ -169,10 +169,10 @@ If you decide to use a path= line - in your [homes] section then you may find it useful - to use the %S macro. For example : + in your [homes] section then you may find it useful + to use the %S macro. For example : - path=/data/pchome/%S + path=/data/pchome/%S would be useful if you have different home directories for your PCs than for UNIX access. @@ -182,14 +182,14 @@ of fuss. A similar process occurs if the requested section - name is "homes", except that the share name is not + name is "homes", except that the share name is not changed to that of the requesting user. This method of using - the [homes] section works well if different users share + the [homes] section works well if different users share a client PC. - The [homes] section can specify all the parameters + The [homes] section can specify all the parameters a normal service section can specify, though some make more sense - than others. The following is a typical and suitable [homes] + than others. The following is a typical and suitable [homes] section: @@ -200,7 +200,7 @@ An important point is that if guest access is specified - in the [homes] section, all home directories will be + in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it would be wise to also specify read only @@ -208,30 +208,30 @@ Note that the browseable flag for auto home directories will be inherited from the global browseable - flag, not the [homes] browseable flag. This is useful as - it means setting browseable=no in the [homes] section - will hide the [homes] share but make any auto home + flag, not the [homes] browseable flag. This is useful as + it means setting browseable=no in the [homes] section + will hide the [homes] share but make any auto home directories visible. - The [printers] section + The [printers] section - This section works like [homes], + This section works like [homes], but for printers. - If a [printers] section occurs in the + If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file. When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, - but a [homes] section exists, it is used as described + but a [homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is found, a new printer share is created by cloning - the [printers] section. + the [printers] section. A few modifications are then made to the newly created share: @@ -248,13 +248,13 @@ printer name. - Note that the [printers] service MUST be + Note that the [printers] service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file. Typically the path specified would be that of a world-writeable spool directory with the sticky bit set on - it. A typical [printers] entry would look like + it. A typical [printers] entry would look like this: @@ -277,7 +277,7 @@ Each alias should be an acceptable printer name for - your printing subsystem. In the [global] section, specify + your printing subsystem. In the [global] section, specify the new file as your printcap. The server will then only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used @@ -286,35 +286,35 @@ An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical - bar symbols ("|"). + bar symbols ('|'). NOTE: On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use - "printcap name = lpstat" to automatically obtain a list - of printers. See the "printcap name" option + "printcap name = lpstat" to automatically obtain a list + of printers. See the "printcap name" option for more details. - PARAMETRS + paraMETRS - Parameters define the specific attributes of sections. + parameters define the specific attributes of sections. - Some parameters are specific to the [global] section + Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mode). All others are permissible only in normal sections. For the purposes of the - following descriptions the [homes] and [printers] + following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the - [global] section. The letter S + [global] section. The letter S indicates that a parameter can be specified in a service specific section. Note that all S parameters can also be specified in - the [global] section - in which case they will define + the [global] section - in which case they will define the default behavior for all services. - Parameters are arranged here in alphabetical order - this may + parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym. @@ -324,9 +324,9 @@ VARIABLE SUBSTITUTIONS Many of the strings that are settable in the config file - can take substitutions. For example the option "path = - /tmp/%u" would be interpreted as "path = - /tmp/john" if the user connected with the username john. + can take substitutions. For example the option "path = + /tmp/%u" would be interpreted as "path = + /tmp/john" if the user connected with the username john. These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they @@ -334,128 +334,128 @@ - %S + %S the name of the current service, if any. - %P + %P the root directory of the current service, if any. - %u + %u user name of the current service, if any. - %g - primary group name of %u. + %g + primary group name of %u. - %U + %U session user name (the user name that the client wanted, not necessarily the same as the one they got). - %G - primary group name of %U. + %G + primary group name of %U. - %H + %H the home directory of the user given - by %u. + by %u. - %v + %v the Samba version. - %h + %h the internet hostname that Samba is running on. - %m + %m the NetBIOS name of the client machine (very useful). - %L + %L the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your - server can have a "dual personality". + server can have a "dual personality". - %M + %M the internet name of the client machine. - %N + %N the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount - option then this value will be the same as %. + option then this value will be the same as %. - %p + %p the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry - is split up as "%N:%p". + is split up as "%N:%p". - %R + %R the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. - %d + %d The process id of the current server process. - %a + %a the architecture of the remote machine. Only some are recognized, and those may not be - 100% reliable. It currently recognizes Samba, WfWg, + 100% reliable. It currently recognizes Samba, WfWg, WinNT and Win95. Anything else will be known as - "UNKNOWN". If it gets it wrong then sending a level - 3 log to samba@samba.org + "UNKNOWN". If it gets it wrong then sending a level + 3 log to samba@samba.org should allow it to be fixed. - %I + %I The IP address of the client machine. - %T + %T the current date and time. - %$(envvar) + %$(envvar) The value of the environment variable envar. @@ -466,10 +466,66 @@ - NAME MANGLINGNAME MANGLING + + Samba supports "name mangling" so that DOS and + Windows clients can use files that don't conform to the 8.3 format. + It can also be set to adjust the case of 8.3 format filenames. + + There are several options that control the way mangling is + performed, and they are grouped here rather than listed separately. + For the defaults look at the output of the testparm program. + + All of these options can be set separately for each service + (or globally, of course). + + The options are: + + + + + mangle case= yes/no + controls if names that have characters that + aren't of the "default" case are mangled. For example, + if this is yes then a name like "Mail" would be mangled. + Default no. + + + + case sensitive = yes/no + controls whether filenames are case sensitive. If + they aren't then Samba must do a filename search and match on passed + names. Default no. + + + + default case = upper/lower + controls what the default case is for new + filenames. Default lower. + + + + preserve case = yes/no + controls if new files are created with the + case that the client passes, or if they are forced to be the + "default" case. Default yes. + + + + + short preserve case = yes/no + controls if new files which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created + upper case, or if they are forced to be the "default" + case. This option can be use with "preserve case = yes" + to permit long filenames to retain their case, while short names + are lowered. Default yes. + + By default, Samba 2.2 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. + @@ -481,7 +537,7 @@ steps fail then the connection request is rejected. If one of the steps pass then the following steps are not checked. - If the service is marked "guest only = yes" then + If the service is marked "guest only = yes" then steps 1 to 5 are skipped. @@ -489,7 +545,7 @@ pair and that username/password pair is validated by the UNIX system's password programs then the connection is made as that username. Note that this includes the - \\server\service%username method of passing + \\server\service%username method of passing a username. If the client has previously registered a username @@ -505,19 +561,19 @@ username/password pair with the server and the client has passed the validation token then that username is used. - If a "user = " field is given in the + If a "user = " field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames - from the "user=" field then the connection is made as - the username in the "user=" line. If one - of the username in the "user=" list begins with a - @ then that name expands to a list of names in + from the "user=" field then the connection is made as + the username in the "user=" line. If one + of the username in the "user=" list begins with a + '@' then that name expands to a list of names in the group of the same name. If the service is a guest service then a - connection is made as the username given in the "guest - account =" for the service, irrespective of the + connection is made as the username given in the "guest + account =" for the service, irrespective of the supplied password. @@ -529,5 +585,3815 @@ Here is a list of all global parameters. See the section of each parameter for details. Note that some are synonyms. + + add user script + allow trusted domains + announce as + announce version + auto services + bind interfaces only + browse list + change notify timeout + character set + client code page + coding system + config file + deadtime + debug hires timestamp + debug pid + debug timestamp + debug uid + debug level + default + default service + delete user script + dfree command + dns proxy + domain admin group + domain admin users + domain groups + domain guest group + domain guest users + domain logons + domain master + encrypt passwords + getwd cache + hide local users + homedir map + hosts equiv + interfaces + keepalive + kernel oplocks + ldap filter + ldap port + ldap root + ldap root passwd + ldap server + ldap suffix + lm announce + lm interval + load printers + local master + lock dir + lock directory + log file + log level + logon drive + logon home + logon path + logon script + lpq cache time + machine password timeout + mangled stack + map to guest + max disk size + max log size + max mux + max open files + max packet + max ttl + max wins ttl + max xmit + message command + min passwd length + min password length + min wins ttl + name resolve order + netbios aliases + netbios name + netbios scope + nis homedir + nt acl support + nt pipe support + nt smb support + null passwords + ole locking compatibility + oplock break wait time + os level + packet size + panic action + passwd chat + passwd chat debug + passwd program + password level + password server + prefered master + preferred master + preload + printcap + printcap name + printer driver file + private dir + protocol + read bmpx + read prediction + read raw + read size + remote announce + remote browse sync + restrict anonymous + root + root dir + root directory + security + server string + shared mem size + smb passwd file + smbrun + socket address + socket options + source environment + ssl + ssl CA certDir + ssl CA certFile + ssl ciphers + ssl client cert + ssl client key + ssl compatibility + ssl hosts + ssl hosts resign + ssl require clientcert + ssl require servercert + ssl server cert + ssl server key + ssl version + stat cache + stat cache size + strip dot + syslog + syslog only + template homedir + template shell + time offset + time server + timestamp logs + unix password sync + unix realname + update encrypted + use rhosts + username level + username map + utmp directory + valid chars + winbind cache time + winbind gid + winbind uid + wins hook + wins proxy + wins server + wins support + workgroup + write raw + + + + + + COMPLETE LIST OF SERVICE PARAMETERS + + Here is a list of all service parameters. See the section of + each parameter for details. Note that some are synonyms. + + + admin users + allow hosts + alternate permissions + available + blocking locks + browsable + browseable + case sensitive + casesignames + comment + copy + create mask + create mode + default case + delete readonly + delete veto files + deny hosts + directory + directory mask + directory mode + directory security mask + dont descend + dos filetime resolution + dos filetimes + exec + fake directory create times + fake oplocks + follow symlinks + force create mode + force directory mode + force directory security mode + force group + force security mode + force user + fstype + group + guest account + guest ok + guest only + hide dot files + hide files + hosts allow + hosts deny + include + inherit permissions + invalid users + level2 oplocks + locking + lppause command + lpq command + lpresume command + lprm command + magic output + magic script + mangle case + mangle locks + mangled map + mangled names + mangling char + map archive + map hidden + map system + max connections + min print space + only guest + only user + oplock contention limit + oplocks + path + postexec + postscript + preexec + preexec close + preserve case + print command + print ok + printable + printer + printer admin + printer driver + printer driver location + printer name + printing + public + queuepause command + queueresume command + read list + read only + root postexec + root preexec + root preexec close + security mask + set directory + share modes + short preserve case + status + strict locking + strict sync + sync always + user + username + users + utmp + valid users + veto files + veto oplock files + volume + wide links + writable + write cache size + write list + write ok + writeable + + + + + EXPLANATION OF EACH PARAMETER + + + + + add user script (G) + This is the full pathname to a script that will + be run AS ROOT by smbd(8) + under special circumstances decribed below. + + Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users + ON DEMAND when a user accesses the Samba server. + + In order to use this option, smbd + must be set to security=server or + security=domain and add user script + must be set to a full pathname for a script that will create a UNIX + user given one argument of %u, which expands into + the UNIX user name to create. + + When the Windows user attempts to access the Samba server, + at login (session setup in the SMB protocol) time, + smbd contacts the password server and + attempts to authenticate the given user with the given password. If the + authentication succeeds then smbd + attempts to find a UNIX user in the UNIX password database to map the + Windows user into. If this lookup fails, and add user script + is set then smbd will + call the specified script AS ROOT, expanding + any %u argument to be the user name to create. + + If this script successfully creates the user then smbd will continue on as though the UNIX user + already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. + + See also + security, + password server, delete user + script. + + Default: add user script = <empty string> + + + Example: add user script = /usr/local/samba/bin/add_user + %u + + + + + + + admin users (S) + This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root). + + You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions. + + Default: no admin users + + Example: admin users = jason + + + + + + + allow hosts (S) + Synonym for + hosts allow. + + + + + + allow trusted domains (G) + This option only takes effect when the security option is set to + server or domain. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication. + + This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult. + + Default: allow trusted domains = yes + + + + + + + + announce as (G) + This specifies what type of server + nmbd + will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT" (which is a synonym for "NT Server"), "NT Server", + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly. + + Default: announce as = NT Server + + Example: announce as = Win95 + + + + + + + annouce version (G) + This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.2. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server. + + Default: announce version = 4.2 + + Example: announce version = 2.0 + + + + + + + auto services (G) + This is a list of services that you want to be + automatically added to the browse lists. This is most useful + for homes and printers services that would otherwise not be + visible. + + Note that if you just want all printers in your + printcap file loaded then the + load printers option is easier. + + Default: no auto services + + Example: auto services = fred lp colorlp + + + + + + + available (S) + This parameter lets you "turn off" a service. If + available = no, then ALL + attempts to connect to the service will fail. Such failures are + logged. + + Default: available = yes + + + + + + + + bind interfaces only (G) + This global parameter allows the Samba admin + to limit what interfaces on a machine will serve smb requests. If + affects file service smbd(8) and + name service nmbd(8) in slightly + different ways. + + For name service it causes nmbd to bind + to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd + also binds to the "all addresses" interface (0.0.0.0) + on ports 137 and 138 for the purposes of reading broadcast messages. + If this option is not set then nmbd will service + name requests on all of these sockets. If bind interfaces + only is set then nmbd will check the + source address of any packets coming in on the broadcast sockets + and discard any that don't match the broadcast addresses of the + interfaces in the interfaces parameter list. + As unicast packets are received on the other sockets it allows + nmbd to refuse to serve names to machines that + send packets that arrive through any interfaces not listed in the + interfaces list. IP Source address spoofing + does defeat this simple check, however so it must not be used + seriously as a security feature for nmbd. + + For file service it causes smbd(8) + to bind only to the interface list given in the + interfaces parameter. This restricts the networks that + smbd will serve to packets coming in those + interfaces. Note that you should not use this parameter for machines + that are serving PPP or other intermittent or non-broadcast network + interfaces as it will not cope with non-permanent interfaces. + + If bind interfaces only is set then + unless the network address 127.0.0.1 is added + to the interfaces parameter list smbpasswd(8) + and swat(8) may + not work as expected due to the reasons covered below. + + To change a users SMB password, the smbpasswd + by default connects to the localhost - 127.0.0.1 + address as an SMB client to issue the password change request. If + bind interfaces only is set then unless the + network address 127.0.0.1 is added to the + interfaces parameter list then + smbpasswd will fail to connect in it's default mode. + smbpasswd can be forced to use the primary IP interface + of the local host by using its + -r remote machine + parameter, with remote machine set + to the IP name of the primary interface of the local host. + + The swat status page tries to connect with + smbd and nmbd at the address + 127.0.0.1 to determine if they are running. + Not adding 127.0.0.1 will cause + smbd and nmbd to always show + "not running" even if they really are. This can prevent + swat from starting/stopping/restarting smbd + and nmbd. + + Default: bind interfaces only = no + + + + + + + + blocking locks (S) + This parameter controls the behavior of smbd(8) when given a request by a client + to obtain a byte range lock on a region of an open file, and the + request has a time limit associated with it. + + If this parameter is set and the lock range requested + cannot be immediately satisfied, Samba 2.2 will internally + queue the lock request, and periodically attempt to obtain + the lock until the timeout period expires. + + If this parameter is set to False, then + Samba 2.2 will behave as previous versions of Samba would and + will fail the lock request immediately if the lock range + cannot be obtained. + + Default: blocking locks = yes + + + + + + + + browsable (S) + See the + browseable. + + + + + + browse list (G) + This controls whether + smbd(8) will serve a browse list to + a client doing a NetServerEnum call. Normally + set to true. You should never need to change + this. + + Default: browse list = yes + + + + + + browseable (S) + This controls whether this share is seen in + the list of available shares in a net view and in the browse list. + + Default: browseable = yes + + + + + + + case sensitive (S) + See the discussion in the section NAME MANGLING. + + + + + + casesignames (S) + Synonym for case + sensitive. + + + + + + change notify timeout (G) + This SMB allows a client to tell a server to + "watch" a particular directory for any changes and only reply to + the SMB request when a change has occurred. Such constant scanning of + a directory is expensive under UNIX, hence an + smbd(8) daemon only performs such a scan + on each requested directory once every change notify + timeout seconds. + + Default: change notify timeout = 60 + Example: change notify timeout = 300 + + Would change the scan time to every 5 minutes. + + + + + + character set (G) + This allows a smbd to map incoming filenames + from a DOS Code page (see the client + code page parameter) to several built in UNIX character sets. + The built in code page translations are: + + + ISO8859-1 : Western European + UNIX character set. The parameter client code page + MUST be set to code page 850 if the + character set parameter is set to + ISO8859-1 in order for the conversion to the + UNIX character set to be done correctly. + + ISO8859-2 : Eastern European + UNIX character set. The parameter client code page + MUST be set to code page 852 if + the character set parameter is set + to ISO8859-2 in order for the conversion + to the UNIX character set to be done correctly. + + ISO8859-5 : Russian Cyrillic + UNIX character set. The parameter client code page + MUST be set to code page + 866 if the character set parameter is + set to ISO8859-5 in order for the conversion + to the UNIX character set to be done correctly. + + ISO8859-7 : Greek UNIX + character set. The parameter client code page + MUST be set to code page + 737 if the character set parameter is + set to ISO8859-7 in order for the conversion + to the UNIX character set to be done correctly. + + KOI8-R : Alternate mapping + for Russian Cyrillic UNIX character set. The parameter + client code page MUST + be set to code page 866 if the character set + parameter is set to KOI8-R in order for the + conversion to the UNIX character set to be done correctly. + + + + BUG. These MSDOS code page to UNIX character + set mappings should be dynamic, like the loading of MS DOS code pages, + not static. + + Normally this parameter is not set, meaning no filename + translation is done. + + Default: character set = <empty string> + Example: character set = ISO8859-1 + + + + + + client code page (G) + This parameter specifies the DOS code page + that the clients accessing Samba are using. To determine what code + page a Windows or DOS client is using, open a DOS command prompt + and type the command chcp. This will output + the code page. The default for USA MS-DOS, Windows 95, and + Windows NT releases is code page 437. The default for western + european releases of the above operating systems is code page 850. + + This parameter tells smbd(8) + which of the codepage.XXX + files to dynamically load on startup. These files, + described more fully in the manual page + make_smbcodepage(1), tell + smbd how to map lower to upper case characters to provide + the case insensitivity of filenames that Windows clients expect. + + Samba currently ships with the following code page files : + + + Code Page 437 - MS-DOS Latin US + Code Page 737 - Windows '95 Greek + Code Page 850 - MS-DOS Latin 1 + Code Page 852 - MS-DOS Latin 2 + Code Page 861 - MS-DOS Icelandic + Code Page 866 - MS-DOS Cyrillic + Code Page 932 - MS-DOS Japanese SJIS + Code Page 936 - MS-DOS Simplified Chinese + Code Page 949 - MS-DOS Korean Hangul + Code Page 950 - MS-DOS Traditional Chinese + + + Thus this parameter may have any of the values 437, 737, 850, 852, + 861, 932, 936, 949, or 950. If you don't find the codepage you need, + read the comments in one of the other codepage files and the + make_smbcodepage(1) man page and write one. Please + remember to donate it back to the Samba user community. + + This parameter co-operates with the valid + chars parameter in determining what characters are + valid in filenames and how capitalization is done. If you set both + this parameter and the valid chars parameter + the client code page parameter + MUST be set before the valid + chars parameter in the smb.conf + file. The valid chars string will then + augment the character settings in the client code page + parameter. + + If not set, client code page defaults + to 850. + + See also : valid + chars + + Default: client code page = 850 + Example: client code page = 936 + + + + + + codingsystem (G) + This parameter is used to determine how incoming + Shift-JIS Japanese characters are mapped from the incoming client code page + used by the client, into file names in the UNIX filesystem. + Only useful if client code page is set to + 932 (Japanese Shift-JIS). The options are : + + + SJIS - Shift-JIS. Does no + conversion of the incoming filename. + + JIS8, J8BB, J8BH, J8@B, + J8@J, J8@H - Convert from incoming Shift-JIS to eight + bit JIS code with different shift-in, shift out codes. + + JIS7, J7BB, J7BH, J7@B, J7@J, + J7@H - Convert from incoming Shift-JIS to seven bit + JIS code with different shift-in, shift out codes. + + JUNET, JUBB, JUBH, JU@B, JU@J, JU@H + - Convert from incoming Shift-JIS to JUNET code with different shift-in, + shift out codes. + + + EUC - Convert an incoming + Shift-JIS character to EUC code. + + HEX - Convert an incoming + Shift-JIS character to a 3 byte hex representation, i.e. + :AB. + + CAP - Convert an incoming + Shift-JIS character to the 3 byte hex representation used by + the Columbia AppleTalk Program (CAP), i.e. :AB. + This is used for compatibility between Samba and CAP. + + + + + + + + comment (S) + This is a text field that is seen next to a share + when a client does a queries the server, either via the network + neighborhood or via net view to list what shares + are available. + + If you want to set the string that is displayed next to the + machine name then see the + server string parameter. + + Default: No comment string + Example: comment = Fred's Files + + + + + + config file (G) + This allows you to override the config file + to use, instead of the default (usually smb.conf). + There is a chicken and egg problem here as this option is set + in the config file! + + For this reason, if the name of the config file has changed + when the parameters are loaded then it will reload them from + the new config file. + + This option takes the usual substitutions, which can + be very useful. + + If the config file doesn't exist then it won't be loaded + (allowing you to special case the config files of just a few + clients). + + Example: config file = /usr/local/samba/lib/smb.conf.%m + + + + + + + copy (S) + This parameter allows you to "clone" service + entries. The specified service is simply duplicated under the + current service's name. Any parameters specified in the current + section will override those in the section being copied. + + This feature lets you set up a 'template' service and + create similar services easily. Note that the service being + copied must occur earlier in the configuration file than the + service doing the copying. + + Default: none + Example: copy = otherservice + + + + + + create mask (S) + A synonym for this parameter is + create mode + . + + When a file is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX + permissions, and the resulting UNIX mode is then bit-wise 'AND'ed + with this parameter. This parameter may be thought of as a bit-wise + MASK for the UNIX modes of a file. Any bit not + set here will be removed from the modes set on a file when it is + created. + + The default value of this parameter removes the + 'group' and 'other' write and execute bits from the UNIX modes. + + Following this Samba will bit-wise 'OR' the UNIX mode created + from this parameter with the value of the force create mode + parameter which is set to 000 by default. + + This parameter does not affect directory modes. See the + parameter directory mode + for details. + + See also the force + create mode parameter for forcing particular mode + bits to be set on created files. See also the + directory mode" parameter for masking + mode bits on created directories. See also the + inherit permissions parameter. + + Default: create mask = 0744 + Example: create mask = 0775 + + + + + + create mode (S) + This is a synonym for + create mask. + + + + + + deadtime (G) + The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero. + + This is useful to stop a server's resources being + exhausted by a large number of inactive connections. + + Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users. + + Using this parameter with a timeout of a few minutes + is recommended for most systems. + + A deadtime of zero indicates that no auto-disconnection + should be performed. + + Default: deadtime = 0 + Example: deadtime = 15 + + + + + + debug hires timestamp (G) + Sometimes the timestamps in the log messages + are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp + message header when turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + + Default: debug hires timestamp = no + + + + + + + debug timestamp (G) + Samba 2.2 debug log messages are timestamped + by default. If you are running at a high + debug level these timestamps + can be distracting. This boolean parameter allows timestamping + to be turned off. + + Default: debug timestamp = yes + + + + + + debug pid (G) + When using only one log file for more then one + forked smbd-process there may be hard to follow which process + outputs which message. This boolean parameter is adds the process-id + to the timestamp message headers in the logfile when turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + + Default: debug pid = no + + + + + + debug uid (G) + Samba is sometimes run as root and sometime + run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers + in the log file if turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + + Default: debug uid = no + + + + + + debug level (G) + The value of the parameter (an integer) allows + the debug level (logging level) to be specified in the + smb.conf file. This is to give greater + flexibility in the configuration of the system. + + The default will be the debug level specified on + the command line or level zero if none was specified. + + Example: debug level = 3 + + + + + + default (G) + A synonym for + default service. + + + + + + default case (S) + See the section on + NAME MANGLING". Also note the + short preserve case"> parameter. + + + + + + + default service (G) + This parameter specifies the name of a service + which will be connected to if the service actually requested cannot + be found. Note that the square brackets are NOT + given in the parameter value (see example below). + + There is no default value for this parameter. If this + parameter is not given, attempting to connect to a nonexistent + service results in an error. + + Typically the default service would be a + guest ok, + read-only service. + + Also note that the apparent service name will be changed + to equal that of the requested service, this is very useful as it + allows you to use macros like %S to make + a wildcard service. + + Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for + interesting things. + + + Example: + + + default service = pub + + [pub] + path = /%S + + + + + + + + delete user script (G) + This is the full pathname to a script that will + be run AS ROOT by + smbd(8) under special circumstances + decribed below. + + Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows + smbd to delete the required UNIX users ON + DEMAND when a user accesses the Samba server and the + Windows NT user no longer exists. + + In order to use this option, smbd must be + set to security=domain and delete + user script must be set to a full pathname for a script + that will delete a UNIX user given one argument of %u + , which expands into the UNIX user name to delete. + NOTE that this is different to the add user script + which will work with the security=server option + as well as security=domain. The reason for this + is only when Samba is a domain member does it get the information + on an attempted user logon that a user no longer exists. In the + security=server mode a missing user + is treated the same as an invalid password logon attempt. Deleting + the user in this circumstance would not be a good idea. + + When the Windows user attempts to access the Samba server, + at login (session setup in the SMB protocol) + time, smbd contacts the + password server and attempts to authenticate + the given user with the given password. If the authentication fails + with the specific Domain error code meaning that the user no longer + exists then smbd attempts to find a UNIX user in + the UNIX password database that matches the Windows user account. If + this lookup succeeds, and delete user script is + set then smbd will all the specified script + AS ROOT, expanding any %u + argument to be the user name to delete. + + This script should delete the given UNIX username. In this way, + UNIX users are dynamically deleted to match existing Windows NT + accounts. + + See also security=domain, + password server + , add user script + . + + Default: delete user script = <empty string> + + Example: delete user script = /usr/local/samba/bin/del_user + %u + + + + + + delete readonly (S) + This parameter allows readonly files to be deleted. + This is not normal DOS semantics, but is allowed by UNIX. + + This option may be useful for running applications such + as rcs, where UNIX file ownership prevents changing file + permissions, and DOS semantics prevent deletion of a read only file. + + Default: delete readonly = no + + + + + + delete veto files (S) + This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the veto files + option). If this option is set to False (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want. + + If this option is set to True, then Samba + will attempt to recursively delete any files and directories within + the vetoed directory. This can be useful for integration with file + serving systems such as NetAtalk which create meta-files within + directories you might normally veto DOS/Windows users from seeing + (e.g. .AppleDouble) + + Setting delete veto files = yes allows these + directories to be transparently deleted when the parent directory + is deleted (so long as the user has permissions to do so). + + See also the veto + files parameter. + + Default: delete veto files = no + + + + + + deny hosts (S) + Synonym for hosts + deny. + + + + + + dfree command (G) + The dfree command setting should + only be used on systems where a problem occurs with the internal + disk space calculations. This has been known to happen with Ultrix, + but may occur with other operating systems. The symptom that was + seen was an error of "Abort Retry Ignore" at the end of each + directory listing. + + This setting allows the replacement of the internal routines to + calculate the total disk space and amount available with an external + routine. The example below gives a possible script that might fulfill + this function. + + The external program will be passed a single parameter indicating + a directory in the filesystem being queried. This will typically consist + of the string ./. The script should return two + integers in ascii. The first should be the total disk space in blocks, + and the second should be the number of available blocks. An optional + third return value can give the block size in bytes. The default + blocksize is 1024 bytes. + + Note: Your script should NOT be setuid or + setgid and should be owned by (and writeable only by) root! + + Default: By default internal routines for + determining the disk capacity and remaining space will be used. + + + Example: dfree command = /usr/local/samba/bin/dfree + + + Where the script dfree (which must be made executable) could be: + + + #!/bin/sh + df $1 | tail -1 | awk '{print $2" "$4}' + + + or perhaps (on Sys V based systems): + + + #!/bin/sh + /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' + + + Note that you may have to replace the command names + with full path names on some systems. + + + + + + + + directory (S) + Synonym for path + . + + + + + + directory mask (S) + This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories. + + When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit not set + here will be removed from the modes set on a directory when it is + created. + + The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it. + + Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the force directory mode + parameter. This parameter is set to 000 by + default (i.e. no extra mode bits are added). + + See the force + directory mode parameter to cause particular mode + bits to always be set on created directories. + + See also the create mode + parameter for masking mode bits on created files, + and the directory + security mask parameter. + + Also refer to the + inherit permissions parameter. + + Default: directory mask = 0755 + Example: directory mask = 0775 + + + + + + + directory mode (S) + Synonym for + directory mask + + + + + + directory security mask (S) + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box. + + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. + + If not set explicitly this parameter is set to the same + value as the directory + mask parameter. To allow a user to + modify all the user/group/world permissions on a directory, set + this parameter to 0777. + + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0777. + + See also the + force directory security mode, security mask, + force security mode + parameters. + + Default: directory security mask = <same as + directory mask> + Example: directory security mask = 0777 + + + + + + + dns proxy (G) + Specifies that nmbd(8) + when acting as a WINS server and finding that a NetBIOS name has not + been registered, should treat the NetBIOS name word-for-word as a DNS + name and do a lookup with the DNS server for that name on behalf of + the name-querying client. + + Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be + 15 characters, maximum. + + nmbd spawns a second copy of itself to do the + DNS name lookup requests, as doing a name lookup is a blocking + action. + + See also the parameter + wins support. + + Default: dns proxy = yes + + + + + + domain admin group (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain admin users (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain groups (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + + domain guest group (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain guest users (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain logons (G) + If set to true, the Samba server will serve + Windows 95/98 Domain logons for the + workgroup it is in. Samba 2.2 also + has limited capability to act as a domain controller for Windows + NT 4 Domains. For more details on setting up this feature see + the file DOMAINS.txt in the Samba documentation directory docs/ + shipped with the source code. + + Default: domain logons = no + + + + + + domain master (G) + Tell + nmbd(8) to enable WAN-wide browse list + collation. Setting this option causes nmbd to + claim a special domain specific NetBIOS name that identifies + it as a domain master browser for its given + workgroup. Local master browsers + in the same workgroup on broadcast-isolated + subnets will give this nmbd their local browse lists, + and then ask smbd(8) + for a complete copy of the browse list for the whole wide area + network. Browser clients will then contact their local master browser, + and will receive the domain-wide browse list, instead of just the list + for their broadcast-isolated subnet. + + Note that Windows NT Primary Domain Controllers expect to be + able to claim this workgroup specific special + NetBIOS name that identifies them as domain master browsers for + that workgroup by default (i.e. there is no + way to prevent a Windows NT PDC from attempting to do this). This + means that if this parameter is set and nmbd claims + the special name for a workgroup before a Windows + NT PDC is able to do so then cross subnet browsing will behave + strangely and may fail. + + Default: domain master = no + + + + + + dont descend (S) + There are certain directories on some systems + (e.g., the /proc tree under Linux) that are either not + of interest to clients or are infinitely deep (recursive). This + parameter allows you to specify a comma-delimited list of directories + that the server should always show as empty. + + Note that Samba can be very fussy about the exact format + of the "dont descend" entries. For example you may need + ./proc instead of just /proc. + Experimentation is the best policy :-) + + Default: none (i.e., all directories are OK + to descend) + Example: dont descend = /proc,/dev + + + + + + + dos filetime resolution (S) + Under the DOS and Windows FAT filesystem, the finest + granularity on time resolution is two seconds. Setting this parameter + for a share causes Samba to round the reported time down to the + nearest two second boundary when a query call that requires one second + resolution is made to smbd(8) + . + + This option is mainly used as a compatibility option for Visual + C++ when used against Samba shares. If oplocks are enabled on a + share, Visual C++ uses two different time reading calls to check if a + file has changed since it was last read. One of these calls uses a + one-second granularity, the other uses a two second granularity. As + the two second call rounds any odd second down, then if the file has a + timestamp of an odd number of seconds then the two timestamps will not + match and Visual C++ will keep reporting the file has changed. Setting + this option causes the two timestamps to match, and Visual C++ is + happy. + + Default: dos filetime resolution = no + + + + + + + dos filetimes (S) + Under DOS and Windows, if a user can write to a + file they can change the timestamp on it. Under POSIX semantics, + only the owner of the file or root may change the timestamp. By + default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user smbd is acting + on behalf of is not the file owner. Setting this option to + True allows DOS semantics and smbd will change the file + timestamp as DOS requires. + + Default: dos filetimes = no + + + + + + encrypt passwords (G) + This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the file ENCRYPTION.txt in the Samba documentation + directory docs/ shipped with the source code. + + In order for encrypted passwords to work correctly + smbd(8) must either + have access to a local smbpasswd(5) + file (see the + smbpasswd(8) program for information on how to set up + and maintain this file), or set the security=[serve|domain] parameter which + causes smbd to authenticate against another + server. + + Default: encrypt passwords = no + + + + + + exec (S) + This is a synonym for + preexec. + + + + + + fake directory create times (S) + NTFS and Windows VFAT file systems keep a create + time for all files and directories. This is not the same as the + ctime - status change time - that Unix keeps, so Samba by default + reports the earliest of the various times Unix does keep. Setting + this parameter for a share causes Samba to always report midnight + 1-1-1980 as the create time for directories. + + This option is mainly used as a compatibility option for + Visual C++ when used against Samba shares. Visual C++ generated + makefiles have the object directory as a dependency for each object + file, and a make rule to create the directory. Also, when NMAKE + compares timestamps it uses the creation time when examining a + directory. Thus the object directory will be created if it does not + exist, but once it does exist it will always have an earlier + timestamp than the object files it contains. + + However, Unix time semantics mean that the create time + reported by Samba will be updated whenever a file is created or + deleted in the directory. NMAKE therefore finds all object files + in the object directory bar the last one built are out of date + compared to the directory and rebuilds them. Enabling this option + ensures directories always predate their contents and an NMAKE build + will proceed as expected. + + Default: fake directory create times = no + + + + + + + fake oplocks (S) + Oplocks are the way that SMB clients get permission + from a server to locally cache file operations. If a server grants + an oplock (opportunistic lock) then the client is free to assume + that it is the only one accessing the file and it will aggressively + cache file data. With some oplock types the client may even cache + file open/close operations. This can give enormous performance benefits. + + + When you set fake oplocks = yes, smbd(8) will + always grant oplock requests no matter how many clients are using + the file. + + It is generally much better to use the real oplocks support rather + than this parameter. + + If you enable this option on all read-only shares or + shares that you know will only be accessed from one client at a + time such as physically read-only media like CDROMs, you will see + a big performance improvement on many operations. If you enable + this option on shares where multiple clients may be accessing the + files read-write at the same time you can get data corruption. Use + this option carefully! + + Default: fake oplocks = no + + + + + + follow symlinks (S) + This parameter allows the Samba administrator + to stop smbd(8) + from following symbolic links in a particular share. Setting this + parameter to no prevents any file or directory + that is a symbolic link from being followed (the user will get an + error). This option is very useful to stop users from adding a + symbolic link to /etc/passwd in their home + directory for instance. However it will slow filename lookups + down slightly. + + This option is enabled (i.e. smbd will + follow symbolic links) by default. + + Default: follow symlinks = yes + + + + + + force create mode (S) + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a + file by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the create mask + parameter is applied. + + See also the parameter create + mask for details on masking mode bits on files. + + See also the inherit + permissions parameter. + + Default: force create mode = 000 + Example: force create mode = 0755 + + would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + + + + + + force directory mode (S) + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter directory mask is + applied. + + See also the parameter + directory mask for details on masking mode bits + on created directories. + + See also the + inherit permissions parameter. + + Default: force directory mode = 000 + Example: force directory mode = 0755 + + would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + + + + + + force directory security mode (S) + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog box. + + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a directory, the user has always set to be 'on'. + + If not set explicitly this parameter is set to the same + value as the force + directory mode parameter. To allow + a user to modify all the user/group/world permissions on a + directory, with restrictions set this parameter to 000. + + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0000. + + See also the + directory security mask, + security mask, + force security mode + parameters. + + Default: force directory security mode = <same as + force directory mode> + Example: force directory security mode = 0 + + + + + + + + force group (S) + This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files. + + In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting force group = +sys means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group. + + If the force user + parameter is also set the group specified in + force group will override the primary group + set in force user. + + See also force + user. + + Default: no forced group + Example: force group = agroup + + + + + + + force security mode (S) + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog + box. + + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a file, the user has always set to be 'on'. + + If not set explicitly this parameter is set to the same + value as the force + create mode parameter. To allow a user to + modify all the user/group/world permissions on a file, with no + restrictions set this parameter to 000. + + Note that users who can access + the Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0000. + + See also the + force directory security mode, + directory security + mask, + security mask parameters. + + Default: force security mode = <same as force + create mode> + Example: force security mode = 0 + + + + + + + force user (S) + This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems. + + This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. + + This can be very useful. + + In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug). + + See also force group + + + Default: no forced user + Example: force user = auser + + + + + + + fstype (S) + This parameter allows the administrator to + configure the string that specifies the type of filesystem a share + is using that is reported by smbd(8) + when a client queries the filesystem type + for a share. The default type is NTFS for + compatibility with Windows NT but this can be changed to other + strings such as Samba or FAT + if required. + + Default: fstype = NTFS + Example: fstype = Samba + + + + + + getwd cache (G) + This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the wide links + parameter is set to False. + + Default: getwd cache = No + + + + + + + group (S) + Synonym for force + group. + + + + + + guest account (S) + This is a username which will be used for access + to services which are specified as + guest ok (see below). Whatever privileges this + ser has will be available to any client connecting to the guest service. + Typically this user will exist in the password file, but will not + have a valid login. The user account "ftp" is often a good choice + for this parameter. If a username is specified in a given service, + the specified username overrides this one. + + One some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + su - command) and trying to print using the + system print command such as lpr(1) or + lp(1). + + Default: specified at compile time, usually + "nobody" + + Example: guest account = ftp + + + + + + guest ok (S) + If this parameter is yes for + a service, then no password is equired to connect to the service. + Privileges will be those of the + guest account. + + See the section below on + security for more information about this option. + + + Default: guest ok = no + + + + + + guest only (S) + If this parameter is yes for + a service, then only guest connections to the service are permitted. + This parameter will have no affect if + guest ok is not set for the service. + + See the section below on + security for more information about this option. + + + Default: guest only = no + + + + + + hide dot files (S) + This is a boolean parameter that controls whether + files starting with a dot appear as hidden files. + + Default: hide dot files = yes + + + + + + hide files(S) + This is a list of files or directories that are not + visible but are accessible. The DOS 'hidden' attribute is applied + to any files or directories that match. + + Each entry in the list must be separated by a '/', + which allows spaces to be included in the entry. '*' + and '?' can be used to specify multiple files or directories + as in DOS wildcards. + + Each entry must be a Unix path, not a DOS path and must + not include the Unix directory separator '/'. + + Note that the case sensitivity option is applicable + in hiding files. + + Setting this parameter will affect the performance of Samba, + as it will be forced to check all files and directories for a match + as they are scanned. + + See also hide + dot files, + veto files and + case sensitive. + + Default: no file are hidden + Example: hide files = + /.*/DesktopFolderDB/TrashFor%m/resource.frk/ + + The above example is based on files that the Macintosh + SMB client (DAVE) available from + Thursby creates for internal use, and also still hides + all files beginning with a dot. + + + + + + hide local users(G) + This parameter toggles the hiding of local UNIX + users (root, wheel, floppy, etc) from remote clients. + + Default: hide local users = no + + + + + + homedir map (G) + Ifnis homedir + is True, and smbd(8) is also acting + as a Win95/98 logon server then this parameter + specifies the NIS (or YP) map from which the server for the user's + home directory should be extracted. At present, only the Sun + auto.home map format is understood. The form of the map is: + + username server:/some/file/system + + and the program will extract the servername from before + the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another + automounter) maps. + + NOTE :A working NIS client is required on + the system for this option to work. + + See also nis homedir + , domain logons + . + + Default: homedir map = auto.home + Example: homedir map = amd.homedir + + + + + + + hosts allow (S) + A synonym for this parameter is allow + hosts. + + This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service. + + If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting. + + You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like allow hosts = 150.203.5. + . The full syntax of the list is described in the man + page hosts_access(5). Note that this man + page may not be present on your system, so a brief description will + be given here also. + + Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a hosts deny option. + + You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + EXCEPT keyword can also be used to limit a + wildcard list. The following examples may provide some help: + + Example 1: allow all IPs in 150.203.*.*; except one + + hosts allow = 150.203. EXCEPT 150.203.6.66 + + Example 2: allow hosts that match the given network/netmask + + hosts allow = 150.203.15.0/255.255.255.0 + + Example 3: allow a couple of hosts + + hosts allow = lapland, arvidsjaur + + Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host + + hosts allow = @foonet + + hosts deny = pirate + + Note that access still requires suitable user-level passwords. + + See testparm(1) + for a way of testing your host access to see if it does + what you expect. + + Default: none (i.e., all hosts permitted access) + + + Example: allow hosts = 150.203.5. myhost.mynet.edu.au + + + + + + + + hosts deny (S) + The opposite of hosts allow + - hosts listed here are NOT permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the allow + list takes precedence. + + Default: none (i.e., no hosts specifically excluded) + + + Example: hosts deny = 150.203.4. badhost.mynet.edu.au + + + + + + + hosts equiv (G) + If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. + + + This is not be confused with + hosts allow which is about hosts + access to services and is more useful for guest services. + hosts equiv may be useful for NT clients which will + not supply passwords to samba. + + NOTE : The use of hosts equiv + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + hosts equiv option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you really trust + them :-). + + Default: no host equivalences + Example: hosts equiv = /etc/hosts.equiv + + + + + + + include (G) + This allows you to include one config file + inside another. The file is included literally, as though typed + in place. + + It takes the standard substitutions, except %u + , %P and %S. + + + Default: no file included + Example: include = /usr/local/samba/lib/admin_smb.conf + + + + + + + inherit permissions (S) + The permissions on new files and directories + are normally governed by + create mask, + directory mask, force create mode + and force + directory mode but the boolean inherit + permissions parameter overrides this. + + New directories inherit the mode of the parent directory, + including bits such as setgid. + + New files inherit their read/write bits from the parent + directory. Their execute bits continue to be determined by + map archive + , map hidden + and map system + as usual. + + Note that the setuid bit is never set via + inheritance (the code explicitly prohibits this). + + This can be particularly useful on large systems with + many users, perhaps several thousand,to allow a single [homes] + share to be used flexibly by each user. + + See also create mask + , + directory mask, + force create mode and force directory mode + . + + Default: inherit permissions = no + + + + + + + interfaces (G) + This option allows you to override the default + network interfaces list that Samba will use for browsing, name + registration and other NBT traffic. By default Samba will query + the kernel for the list of all active interfaces and use any + interfaces except 127.0.0.1 that are broadcast capable. + + The option takes a list of interface strings. Each string + can be in any of the following forms: + + + a network interface name (such as eth0). + This may include shell-like wildcards so eth* will match + any interface starting with the substring "eth" + + an IP address. In this case the netmask is + determined from the list of interfaces obtained from the + kernel + + an IP/mask pair. + + a broadcast/mask pair. + + + The "mask" parameters can either be a bit length (such + as 24 for a C class network) or a full netmask in dotted + decmal form. + + The "IP" parameters above can either be a full dotted + decimal IP address or a hostname which will be looked up via + the OSes normal hostname resolution mechanisms. + + For example, the following line: + + interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 + + + would configure three network interfaces corresponding + to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. + The netmasks of the latter two interfaces would be set to 255.255.255.0. + + See also bind + interfaces only. + + + + + + invalid users (S) + This is a list of users that should not be allowed + to login to this service. This is really a paranoid + check to absolutely ensure an improper setting does not breach + your security. + + A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database. + + A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value +&group means check the + UNIX group database, followed by the NIS netgroup database, and + the value &+group" means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix). + + The current servicename is substituted for %S. + This is useful in the [homes] section. + + See also valid users + . + + Default: no invalid users + Example: invalid users = root fred admin @wheel + + + + + + + + keepalive (G) + The value of the parameter (an integer) represents + the number of seconds between keepalive + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding. + + Keepalives should, in general, not be needed if the socket + being used has the SO_KEEPALIVE attribute set on it (see socket options). + Basically you should only use this option if you strike difficulties. + + Default: keepalive = 0 + Example: keepalive = 60 + + + + + + + kernel oplocks (G) + For UNIXs that support kernel based oplocks + (currently only IRIX and the Linux 2.4 kernel), this parameter + allows the use of them to be turned on or off. + + Kernel oplocks support allows Samba oplocks + to be broken whenever a local UNIX process or NFS operation + accesses a file that smbd(8) + has oplocked. This allows complete data consistency between + SMB/CIFS, NFS and local file access (and is a very + cool feature :-). + + This parameter defaults to on on systems + that have the support, and off on systems that + don't. You should never need to touch this parameter. + + See also the oplocks + and level2 oplocks + parameters. + + Default: kernel oplocks = yes + + + + + + + level2 oplocks (S) + This parameter controls whether Samba supports + level2 (read-only) oplocks on a share. + + Level2, or read-only oplocks allow Windows NT clients + that have an oplock on a file to downgrade from a read-write oplock + to a read-only oplock once a second client opens the file (instead + of releasing all oplocks on a second open, as in traditional, + exclusive oplocks). This allows all openers of the file that + support level2 oplocks to cache the file for read-ahead only (ie. + they may not cache writes or lock requests) and increases performance + for many acesses of files that are not commonly written (such as + application .EXE files). + + Once one of the clients which have a read-only oplock + writes to the file all clients are notified (no reply is needed + or waited for) and told to break their oplocks to "none" and + delete any read-ahead caches. + + It is recommended that this parameter be turned on + to speed access to shared executables (and also to test + the code :-). + + For more discussions on level2 oplocks see the CIFS spec. + + Currently, if kernel + oplocks are supported then level2 oplocks are + not granted (even if this parameter is set to yes). + Note also, the oplocks + parameter must be set to "true" on this share in order for + this parameter to have any effect. + + See also the oplocks + and kernel oplocks + parameters. + + Default: level2 oplocks = False + + + + + + + lm announce (G) + This parameter determines if + nmbd(8) will produce Lanman announce + broadcasts that are needed by OS/2 clients in order for them to see + the Samba server in their browse list. This parameter can have three + values, true, false, or + auto. The default is auto. + If set to false Samba will never produce these + broadcasts. If set to true Samba will produce + Lanman announce broadcasts at a frequency set by the parameter + lm interval. If set to auto + Samba will not send Lanman announce broadcasts by default but will + listen for them. If it hears such a broadcast on the wire it will + then start sending them at a frequency set by the parameter + lm interval. + + See also lm interval + . + + Default: lm announce = auto + Example: lm announce = true + + + + + + + lm interval (G) + If Samba is set to produce Lanman announce + broadcasts needed by OS/2 clients (see the + lm announce parameter) then this + parameter defines the frequency in seconds with which they will be + made. If this is set to zero then no Lanman announcements will be + made despite the setting of the lm announce + parameter. + + See also lm + announce. + + Default: lm interval = 60 + Example: lm interval = 120 + + + + + + + load printers (G) + A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the printers section for + more details. + + Default: load printers = yes + + + + + + + local master (G) + This option allows + nmbd(8) to try and become a local master browser + on a subnet. If set to False then + nmbd will not attempt to become a local master browser + on a subnet and will also lose in all browsing elections. By + default this value is set to true. Setting this value to true doesn't + mean that Samba will become the local master + browser on a subnet, just that nmbd will + participate in elections for local master browser. + + Setting this value to False will cause nmbd + never to become a local master browser. + + Default: local master = yes + + + + + + + lock dir (G) + Synonym for + lock directory. + + + + + + lock directory (G) + This option specifies the directory where lock + files will be placed. The lock files are used to implement the + max connections + option. + + Default: lock directory = /tmp/samba + Example: lock directory = /usr/local/samba/var/locks + + + + + + + locking (S) + This controls whether or not locking will be + performed by the server in response to lock requests from the + client. + + If locking = no, all lock and unlock requests + will appear to succeed and all lock queries will indicate that the + queried lock is clear. + + If locking = yes, real locking will be performed + by the server. + + This option may be useful for read-only + filesystems which may not need locking (such as + cdrom drives), although setting this parameter of no + is not really recommended even in this case. + + Be careful about disabling locking either globally or in a + specific service, as lack of locking may result in data corruption. + You should never need to set this parameter. + + Default: locking = yes + + + + + + + log file (G) + This options allows you to override the name + of the Samba log file (also known as the debug file). + + This option takes the standard substitutions, allowing + you to have separate log files for each user or machine. + + Example: log file = /usr/local/samba/var/log.%m + + + + + + + log level (G) + Synonym for + debug level. + + + + + + + logon drive (G) + This parameter specifies the local path to + which the home directory will be connected (see logon home) + and is only used by NT Workstations. + + Note that this option is only useful if Samba is set up as a + logon server. + + Default: logon drive = z: + Example: logon drive = h: + + + + + + + logon home (G) + This parameter specifies the home directory + location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do + + C:\> NET USE H: /HOME + + + from a command prompt, for example. + + This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine. + + This parameter can be used with Win9X workstations to ensure + that roaming profiles are stored in a subdirectory of the user's + home directory. This is done in the following way: + + logon home = \\%L\%U\profile + + This tells Samba to return the above string, with + substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to + \\server\share when a user does net use /home" + but use the whole string when dealing with profiles. + + Note that in prior versions of Samba, the + logon path was returned rather than + logon home. This broke net use + /home but allowed profiles outside the home directory. + The current implementation is correct, and can be used for + profiles if you use the above trick. + + This option is only useful if Samba is set up as a logon + server. + + Default: logon home = "\\%N\%U" + Example: logon home = "\\remote_smb_server\%U" + + + + + + logon path (G) + This parameter specifies the home directory + where roaming profiles (NTuser.dat etc files for Windows NT) are + stored. Contrary to previous versions of these manual pages, it has + nothing to do with Win 9X roaming profiles. To find out how to + handle roaming profiles for Win 9X system, see the + logon home parameter. + + This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine. It also + specifies the directory from which the "Application Data", + (desktop, start menu, + network neighborhood, programs + and other folders, and their contents, are loaded and displayed on + your Windows NT client. + + The share and the path must be readable by the user for + the preferences and directories to be loaded onto the Windows NT + client. The share must be writeable when the logs in for the first + time, in order that the Windows NT client can create the NTuser.dat + and other directories. + + Thereafter, the directories and any of the contents can, + if required, be made read-only. It is not advisable that the + NTuser.dat file be made read-only - rename it to NTuser.man to + achieve the desired effect (a MANdatory + profile). + + Windows clients can sometimes maintain a connection to + the [homes] share, even though there is no user logged in. + Therefore, it is vital that the logon path does not include a + reference to the homes share (i.e. setting this parameter to + \%N\%U\profile_path will cause problems). + + This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine. + + Note that this option is only useful if Samba is set up + as a logon server. + + Default: logon path = \\%N\%U\profile + Example: logon path = \\PROFILESERVER\PROFILE\%U + + + + + + + logon script (G) + This parameter specifies the batch file (.bat) or + NT command file (.cmd) to be downloaded and run on a machine when + a user successfully logs in. The file must contain the DOS + style cr/lf line endings. Using a DOS-style editor to create the + file is recommended. + + The script must be a relative path to the [netlogon] + service. If the [netlogon] service specifies a + path of /usr/local/samba/netlogon + , and logon script = STARTUP.BAT, then + the file that will be downloaded is: + + /usr/local/samba/netlogon/STARTUP.BAT + + The contents of the batch file is entirely your choice. A + suggested command would be to add NET TIME \\SERVER /SET + /YES, to force every machine to synchronize clocks with + the same time server. Another use would be to add NET USE + U: \\SERVER\UTILS for commonly used utilities, or + NET USE Q: \\SERVER\ISO9001_QA for example. + + Note that it is particularly important not to allow write + access to the [netlogon] share, or to grant users write permission + on the batch files in a secure environment, as this would allow + the batch files to be arbitrarily modified and security to be + breached. + + This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine. + + This option is only useful if Samba is set up as a logon + server. + + Default: no logon script defined + Example: logon script = scripts\%U.bat + + + + + + + lppause command (S) + This parameter specifies the command to be + executed on the server host in order to stop printing or spooling + a specific print job. + + This command should be a program or script which takes + a printer name and job number to pause the print job. One way + of implementing this is by using job priorities, where jobs + having a too low priority won't be sent to the printer. + + If a %p is given then the printername + is put in its place. A %j is replaced with + the job number (an integer). On HPUX (see printing=hpux + ), if the -p%p option is added + to the lpq command, the job will show up with the correct status, i.e. + if the job priority is lower than the set fence priority it will + have the PAUSED status, whereas if the priority is equal or higher it + will have the SPOOLED or PRINTING status. + + Note that it is good practice to include the absolute path + in the lppause command as the PATH may not be available to the server. + + See also the printing + parameter. + + Default: Currently no default value is given to + this string, unless the value of the printing + parameter is SYSV, in which case the default is : + + lp -i %p-%j -H hold + + or if the value of the printing parameter + is SOFTQ, then the default is: + + qstat -s -j%j -h + + Example for HPUX: lppause command = /usr/bin/lpalt + %p-%j -p0 + + + + + + + lpq cache time (G) + This controls how long lpq info will be cached + for to prevent the lpq command being called too + often. A separate cache is kept for each variation of the + lpq command used by the system, so if you use different + lpq commands for different users then they won't + share cache information. + + The cache files are stored in /tmp/lpq.xxxx + where xxxx is a hash of the lpq command in use. + + The default is 10 seconds, meaning that the cached results + of a previous identical lpq command will be used + if the cached data is less than 10 seconds old. A large value may + be advisable if your lpq command is very slow. + + A value of 0 will disable caching completely. + + See also the printing + parameter. + + Default: lpq cache time = 10 + Example: lpq cache time = 30 + + + + + + + lpq command (S) + This parameter specifies the command to be + executed on the server host in order to obtain lpq + -style printer status information. + + This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information. + + Currently eight styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the printing = option. + + Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid. + + If a %p is given then the printername + is put in its place. Otherwise it is placed at the end of the + command. + + Note that it is good practice to include the absolute path + in the lpq command as the PATH may not be + available to the server. + + See also the printing + parameter. + + Default: depends on the setting of + printing + + Example: lpq command = /usr/bin/lpq %p + + + + + + + lpresume command (S) + This parameter specifies the command to be + executed on the server host in order to restart or continue + printing or spooling a specific print job. + + This command should be a program or script which takes + a printer name and job number to resume the print job. See + also the lppause command + parameter. + + If a %p is given then the printername + is put in its place. A %j is replaced with + the job number (an integer). + + Note that it is good practice to include the absolute path + in the lpresume command as the PATH may not + be available to the server. + + See also the printing + parameter. + + Default: Currently no default value is given + to this string, unless the value of the printing + parameter is SYSV, in which case the default is : + + lp -i %p-%j -H resume + + or if the value of the printing parameter + is SOFTQ, then the default is: + + qstat -s -j%j -r + + Example for HPUX: lpresume command = /usr/bin/lpalt + %p-%j -p2 + + + + + + + lprm command (S) + This parameter specifies the command to be + executed on the server host in order to delete a print job. + + This command should be a program or script which takes + a printer name and job number, and deletes the print job. + + If a %p is given then the printername + is put in its place. A %j is replaced with + the job number (an integer). + + Note that it is good practice to include the absolute + path in the lprm command as the PATH may not be + available to the server. + + See also the printing + parameter. + + Default: depends on the setting of printing + + + Example 1: lprm command = /usr/bin/lprm -P%p %j + + Example 2: lprm command = /usr/bin/cancel %p-%j + + + + + + + machine password timeout (G) + If a Samba server is a member of an Windows + NT Domain (see the security=domain) + parameter) then periodically a running + smbd(8) process will try and change the MACHINE ACCOUNT + PASSWORD stored in the TDB called private/secrets.tdb + . This parameter specifies how often this password + will be changed, in seconds. The default is one week (expressed in + seconds), the same as a Windows NT Domain member server. + + See also smbpasswd(8) + , and the + security=domain) parameter. + + Default: machine password timeout = 604800 + + + + + + magic output (S) + This parameter specifies the name of a file + which will contain output created by a magic script (see the + magic script + parameter below). + + Warning: If two clients use the same magic script + in the same directory the output file content + is undefined. + + Default: magic output = <magic script name>.out + + + Example: magic output = myfile.txt + + + + + + + magic script (S) + This parameter specifies the name of a file which, + if opened, will be executed by the server when the file is closed. + This allows a UNIX script to be sent to the Samba host and + executed on behalf of the connected user. + + Scripts executed in this way will be deleted upon + completion, permissions permitting. + + If the script generates output, output will be sent to + the file specified by the + magic output parameter (see above). + + Note that some shells are unable to interpret scripts + containing carriage-return-linefeed instead of linefeed as + the end-of-line marker. Magic scripts must be executable + as is on the host, which for some hosts and + some shells will require filtering at the DOS end. + + Magic scripts are EXPERIMENTAL and + should NOT be relied upon. + + Default: None. Magic scripts disabled. + Example: magic script = user.csh + + + + + + + mangle case (S) + See the section on + NAME MANGLING + + + + + + mangled map (S) + This is for those who want to directly map UNIX + file names which can not be represented on Windows/DOS. The mangling + of names is not always what is needed. In particular you may have + documents with file extensions that differ between DOS and UNIX. + For example, under UNIX it is common to use .html + for HTML files, whereas under Windows/DOS .htm + is more commonly used. + + So to map html to htm + you would use: + + mangled map = (*.html *.htm) + + One very useful case is to remove the annoying ;1 + off the ends of filenames on some CDROMS (only visible + under some UNIXs). To do this use a map of (*;1 *;). + + Default: no mangled map + Example: mangled map = (*;1 *;) + + + + + + mangled names (S) + This controls whether non-DOS names under UNIX + should be mapped to DOS-compatible names ("mangled") and made visible, + or whether non-DOS names should simply be ignored. + + See the section on + NAME MANGLING for details on how to control the mangling process. + + If mangling is used then the mangling algorithm is as follows: + + + The first (up to) five alphanumeric characters + before the rightmost dot of the filename are preserved, forced + to upper case, and appear as the first (up to) five characters + of the mangled name. + + A tilde "~" is appended to the first part of the mangled + name, followed by a two-character unique sequence, based on the + original root name (i.e., the original filename minus its final + extension). The final extension is included in the hash calculation + only if it contains any upper case characters or is longer than three + characters. + + Note that the character to use may be specified using + the mangling char + option, if you don't like '~'. + + The first three alphanumeric characters of the final + extension are preserved, forced to upper case and appear as the + extension of the mangled name. The final extension is defined as that + part of the original filename after the rightmost dot. If there are no + dots in the filename, the mangled name will have no extension (except + in the case of "hidden files" - see below). + + Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores). + + + The two-digit hash value consists of upper case + alphanumeric characters. + + This algorithm can cause name collisions only if files + in a directory share the same first five alphanumeric characters. + The probability of such a clash is 1/1300. + + The name mangling (if enabled) allows a file to be + copied between UNIX directories from Windows/DOS while retaining + the long UNIX filename. UNIX files can be renamed to a new extension + from Windows/DOS and will retain the same basename. Mangled names + do not change between sessions. + + Default: mangled names = yes + + + + + + + mangling char (S) + This controls what character is used as + the magic character in name mangling. The default is a '~' + but this may interfere with some software. Use this option to set + it to whatever you prefer. + + Default: mangling char = ~ + Example: mangling char = ^ + + + + + + + mangled stack (G) + This parameter controls the number of mangled names + that should be cached in the Samba server + smbd(8). + + This stack is a list of recently mangled base names + (extensions are only maintained if they are longer than 3 characters + or contains upper case characters). + + The larger this value, the more likely it is that mangled + names can be successfully converted to correct long UNIX names. + However, large stack sizes will slow most directory access. Smaller + stacks save memory in the server (each stack element costs 256 bytes). + + + It is not possible to absolutely guarantee correct long + file names, so be prepared for some surprises! + + Default: mangled stack = 50 + Example: mangled stack = 100 + + + + + + + map archive (S) + This controls whether the DOS archive attribute + should be mapped to the UNIX owner execute bit. The DOS archive bit + is set when a file has been modified since its last backup. One + motivation for this option it to keep Samba/your PC from making + any file it touches from becoming executable under UNIX. This can + be quite annoying for shared source code, documents, etc... + + Note that this requires the create mask + parameter to be set such that owner execute bit is not masked out + (i.e. it must include 100). See the parameter + create mask for details. + + Default: map archive = yes + + + + + + + map hidden (S) + This controls whether DOS style hidden files + should be mapped to the UNIX world execute bit. + + Note that this requires the create mask + to be set such that the world execute bit is not masked out (i.e. + it must include 001). See the parameter + create mask for details. + + Default: map hidden = no + + + + + + map system (S) + This controls whether DOS style system files + should be mapped to the UNIX group execute bit. + + Note that this requires the create mask + to be set such that the group execute bit is not masked out (i.e. + it must include 010). See the parameter + create mask for details. + + Default: map system = no + + + + + + map to guest (G) + This parameter is only useful in + security modes other than security=share + - i.e. user, server, + and domain. + + This parameter can take three different values, which tell + smbd(8) what to do with user + login requests that don't match a valid UNIX user in some way. + + The three settings are : + + + Never - Means user login + requests with an invalid password are rejected. This is the + default. + + Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the + guest account. + + Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the guest account. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as a "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-). + + + Note that this parameter is needed to set up "Guest" + share services when using security modes other than + share. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. + + For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the + GUEST_SESSSETUP value in local.h. + + Default: map to guest = Never + Example: map to guest = Bad User + + + + + + + max connections (S) + This option allows the number of simultaneous + connections to a service to be limited. If max connections + is greater than 0 then connections will be refused if + this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made. + + Record lock files are used to implement this feature. The + lock files will be stored in the directory specified by the lock directory + option. + + Default: max connections = 0 + Example: max connections = 10 + + + + + + + max disk size (G) + This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size. + + Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in max + disk size. + + This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size. + + A max disk size of 0 means no limit. + + Default: max disk size = 0 + Example: max disk size = 1000 + + + + + + + max log size (G) + This option (an integer in kilobytes) specifies + the max size the log file should grow to. Samba periodically checks + the size and if it is exceeded it will rename the file, adding + a .old extension. + + A size of 0 means no limit. + + Default: max log size = 5000 + Example: max log size = 1000 + + + + + + + max mux (G) + This option controls the maximum number of + outstanding simultaneous SMB operations that samba tells the client + it will allow. You should never need to set this parameter. + + Default: max mux = 50 + + + + + + + max open files (G) + This parameter limits the maximum number of + open files that one smbd(8) file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file. + + The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter. + + Default: max open files = 10000 + + + + + + + max packet (G) + Synonym for + packet size. + + + + + + + max ttl (G) + This option tells nmbd(8) + what the default 'time to live' of NetBIOS names should be (in seconds) + when nmbd is requesting a name using either a + broadcast packet or from a WINS server. You should never need to + change this parameter. The default is 3 days. + + Default: max ttl = 259200 + + + + + + + max wins ttl (G) + This option tells nmbd(8) + when acting as a WINS server ( + wins support=yes) what the maximum + 'time to live' of NetBIOS names that nmbd + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds). + + See also the min + wins ttl" parameter. + + Default: max wins ttl = 518400 + + + + + + + max xmit (G) + This option controls the maximum packet size + that will be negotiated by Samba. The default is 65535, which + is the maximum. In some cases you may find you get better performance + with a smaller value. A value below 2048 is likely to cause problems. + + + Default: max xmit = 65535 + Example: max xmit = 8192 + + + + + + + message command (G) + This specifies what command to run when the + server receives a WinPopup style message. + + This would normally be a command that would + deliver the message somehow. How this is to be done is + up to your imagination. + + An example is: + + message command = csh -c 'xedit %s;rm %s' & + + + This delivers the message using xedit, then + removes it afterwards. NOTE THAT IT IS VERY IMPORTANT + THAT THIS COMMAND RETURN IMMEDIATELY. That's why I + have the '&' on the end. If it doesn't return immediately then + your PCs may freeze when sending messages (they should recover + after 30secs, hopefully). + + All messages are delivered as the global guest user. + The command takes the standard substitutions, although + %u won't work (%U may be better + in this case). + + Apart from the standard substitutions, some additional + ones apply. In particular: + + + %s = the filename containing + the message. + + %t = the destination that + the message was sent to (probably the server name). + + %f = who the message + is from. + + + You could make this command send mail, or whatever else + takes your fancy. Please let us know of any really interesting + ideas you have. + + + Here's a way of sending the messages as mail to root: + + message command = /bin/mail -s 'message from %f on + %m' root < %s; rm %s + + If you don't have a message command then the message + won't be delivered and Samba will tell the sender there was + an error. Unfortunately WfWg totally ignores the error code + and carries on regardless, saying that the message was delivered. + + + If you want to silently delete it then try: + + message command = rm %s + + Default: no message command + Example: message command = csh -c 'xedit %s; + rm %s' & + + + + + + + min print space (S) + This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job. + + See also the printing + parameter. + + Default: min print space = 0 + Example: min print space = 2000 + + + + + + + min passwd length (G) + Synonym for + min password length. + + + + + + + min password length (G) + This option sets the minimum length in characters + of a plaintext password than smbd will accept when performing + UNIX password changing. + + See also unix + password sync, + passwd program and passwd chat debug + . + + Default: min password length = 5 + + + + + + min wins ttl (G) + This option tells nmbd(8) + when acting as a WINS server ( + wins support = yes) what the minimum 'time to live' + of NetBIOS names that nmbd will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds). + + Default: min wins ttl = 21600 + + + + + + + name resolve order (G) + This option is used by the programs in the Samba + suite to determine what naming services and in what order to resolve + host names to IP addresses. The option takes a space separated + string of different name resolution options. + + The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows : + + + lmhosts : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the lmhosts(5) for details) then + any name type matches for lookup. + + host : Do a standard host + name to IP address resolution, using the system /etc/hosts + , NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the /etc/nsswitch.conf + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored. + + wins : Query a name with + the IP address listed in the + wins server parameter. If no WINS server has + been specified this method will be ignored. + + bcast : Do a broadcast on + each of the known local interfaces listed in the interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet. + + + Default: name resolve order = lmhosts host wins bcast + + Example: name resolve order = lmhosts bcast host + + + This will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup. + + + + + + + + netbios aliases (G) + This is a list of NetBIOS names that nmbd(8) will advertise as additional + names by which the Samba server is known. This allows one machine + to appear in browse lists under multiple names. If a machine is + acting as a browse server or logon server none + of these names will be advertised as either browse server or logon + servers, only the primary name of the machine will be advertised + with these capabilities. + + See also netbios + name. + + Default: empty string (no additional names) + Example: netbios aliases = TEST TEST1 TEST2 + + + + + + + netbios name (G) + This sets the NetBIOS name by which a Samba + server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or + logon server this name (or the first component + of the hosts DNS name) will be the name that these services are + advertised under. + + See also netbios + aliases. + + Default: machine DNS name + Example: netbios name = MYNAME + + + + + + + netbios scope (G) + This sets the NetBIOS scope that Samba will + operate under. This should not be set unless every machine + on your LAN also sets this value. + + + + + + nis homedir (G) + Get the home share server from a NIS map. For + UNIX systems that use an automounter, the user's home directory + will often be mounted on a workstation on demand from a remote + server. + + When the Samba logon server is not the actual home directory + server, but is mounting the home directories via NFS then two + network hops would be required to access the users home directory + if the logon server told the client to use itself as the SMB server + for home directories (one over SMB and one over NFS). This can + be very slow. + + This option allows Samba to return the home share as + being on a different server to the logon server and as + long as a Samba daemon is running on the home directory server, + it will be mounted on the Samba client directly from the directory + server. When Samba is returning the home share to the client, it + will consult the NIS map specified in + homedir map and return the server + listed there. + + Note that for this option to work there must be a working + NIS system and the Samba server with this option must also + be a logon server. + + Default: nis homedir = no + + + + + + + nt acl support (G) + This boolean parameter controls whether + smbd(8) will attempt to map + UNIX permissions into Windows NT access control lists. + + Default: nt acl support = yes + + + + + + + nt pipe support (G) + This boolean parameter controls whether + smbd(8) will allow Windows NT + clients to connect to the NT SMB specific IPC$ + pipes. This is a developer debugging option and can be left + alone. + + Default: nt pipe support = yes + + + + + + + nt smb support (G) + This boolean parameter controls whether smbd(8) will negotiate NT specific SMB + support with Windows NT clients. Although this is a developer + debugging option and should be left alone, benchmarking has discovered + that Windows NT clients give faster performance with this option + set to no. This is still being investigated. + If this option is set to no then Samba offers + exactly the same SMB calls that versions prior to Samba 2.0 offered. + This information may be of use if any users are having problems + with NT SMB support. + + Default: nt support = yes + + + + + + + null passwords (G) + Allow or disallow client access to accounts + that have null passwords. + + See also smbpasswd (5). + + Default: null passwords = no + + + + + + ole locking compatibility (G) + This parameter allows an administrator to turn + off the byte range lock manipulation that is done within Samba to + give compatibility for OLE applications. Windows OLE applications + use byte range locking as a form of inter-process communication, by + locking ranges of bytes around the 2^32 region of a file range. This + can cause certain UNIX lock managers to crash or otherwise cause + problems. Setting this parameter to no means you + trust your UNIX lock manager to handle such cases correctly. + + Default: ole locking compatibility = yes + + + + + + + only guest (S) + A synonym for + guest only. + + + + + + + only user (S) + This is a boolean option that controls whether + connections with usernames not in the user + list will be allowed. By default this option is disabled so a client + can supply a username to be used by the server. + + Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use user = + %S which means your user list + will be just the service name, which for home directories is the + name of the user. + + See also the user + parameter. + + Default: only user = no + + + + + + + oplocks (S) + This boolean option tells smbd whether to + issue oplocks (opportunistic locks) to file open requests on this + share. The oplock code can dramatically (approx. 30% or more) improve + the speed of access to files on Samba servers. It allows the clients + to aggressively cache files ocally and you may want to disable this + option for unreliable network environments (it is turned on by + default in Windows NT Servers). For more information see the file + Speed.txt in the Samba docs/ + directory. + + Oplocks may be selectively turned off on certain files on + a per share basis. See the + veto oplock files parameter. On some systems + oplocks are recognized by the underlying operating system. This + allows data synchronization between all access to oplocked files, + whether it be via Samba or NFS or a local UNIX process. See the + kernel oplocks parameter for details. + + See also the kernel + oplocks and + level2 oplocks parameters. + + Default: oplocks = yes + + + + + + + oplock break wait time (G) + This is a tuning parameter added due to bugs in + both Windows 9x and WinNT. If Samba responds to a client too + quickly when that client issues an SMB that can cause an oplock + break request, then the client redirector can fail and not respond + to the break request. This tuning parameter (which is set in milliseconds) + is the amount of time Samba will wait before sending an oplock break + request to such (broken) clients. + + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE. + + Default: oplock break wait time = 10 + + + + + + oplock contention limit (S) + This is a very advanced + smbd(8) tuning option to + improve the efficiency of the granting of oplocks under multiple + client contention for the same file. + + In brief it specifies a number, which causes smbd not to + grant an oplock even when requested if the approximate number of + clients contending for an oplock on the same file goes over this + limit. This causes smbd to behave in a similar + way to Windows NT. + + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE. + + Default: oplock contention limit = 2 + + + + + + + + + + WARNINGS + + Although the configuration file permits service names + to contain spaces, your client software may not. Spaces will + be ignored in comparisons anyway, so it shouldn't be a + problem - but be aware of the possibility. + + On a similar note, many clients - especially DOS clients - + limit service names to eight characters. smbd(8) + has no such limitation, but attempts to connect from such + clients will fail if they truncate the service names. For this reason + you should probably keep your service names down to eight characters + in length. + + Use of the [homes] and [printers] special sections make life + for an administrator easy, but the various combinations of default + attributes can be tricky. Take extreme care when designing these + sections. In particular, ensure that the permissions on spool + directories are correct. + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. + + + + SEE ALSO + samba(7), + smbpasswd(8), + swat(8), + smbd(8), + nmbd(8), + smbclient(1), + nmblookup(1), + testparm(1), + testprns(1) + + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter + + -- cgit