From 63c9afc82dca7c700c2f13feecc045679fe1b547 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 Feb 2001 13:03:24 +0000 Subject: Whew! smb.conf.5.yo completely converted to DocBook (only after 2 & 1/2 days :) ). The man page generation is fine. Some anchor tags need to be tweaked to get the HTML generation correct. Also, I have done very little editing which means that we'll have to go through and verify acurracy of things like default values, etc... (This used to be commit 9fb11c5ec6d439544549060903ea0f275f5de9a9) --- docs/docbook/smb.conf.5.sgml | 3077 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 3057 insertions(+), 20 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/smb.conf.5.sgml b/docs/docbook/smb.conf.5.sgml index 16d72a01ce..6e44a7a59a 100644 --- a/docs/docbook/smb.conf.5.sgml +++ b/docs/docbook/smb.conf.5.sgml @@ -215,7 +215,7 @@ - The [printers] section + The [printers] section This section works like [homes], but for printers. @@ -529,7 +529,7 @@ - NOTE ABOUT USERNAME/PASSWORD VALIDATION + NOTE ABOUT USERNAME/PASSWORD VALIDATION There are a number of ways in which a user can connect to a service. The server follows the following steps in determining @@ -670,7 +670,6 @@ ole locking compatibility oplock break wait time os level - packet size panic action passwd chat passwd chat debug @@ -1596,7 +1595,7 @@ default case (S) See the section on NAME MANGLING". Also note the - short preserve case"> parameter. + short preserve case" parameter. @@ -1688,7 +1687,7 @@ UNIX users are dynamically deleted to match existing Windows NT accounts. - See also security=domain, + See also security=domain, password server , add user script . @@ -2300,7 +2299,7 @@ it to 0000. See also the - directory security mask, + directory security mask, security mask, force security mode parameters. @@ -3001,7 +3000,7 @@ load printers (G) A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. - See the printers section for + See the printers section for more details. Default: load printers = yes @@ -3440,7 +3439,7 @@ machine password timeout (G) If a Samba server is a member of an Windows - NT Domain (see the security=domain) + NT Domain (see the security=domain) parameter) then periodically a running smbd(8) process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb @@ -3449,7 +3448,7 @@ seconds), the same as a Windows NT Domain member server. See also smbpasswd(8) - , and the + , and the security=domain) parameter. Default: machine password timeout = 604800 @@ -3509,7 +3508,7 @@ mangle case (S) - See the section on + See the section on NAME MANGLING @@ -3840,15 +3839,6 @@ - - max packet (G) - Synonym for - packet size. - - - - - max ttl (G) This option tells nmbd(8) @@ -3866,7 +3856,7 @@ max wins ttl (G) This option tells nmbd(8) - when acting as a WINS server ( + when acting as a WINS server ( wins support=yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this @@ -4332,6 +4322,3053 @@ + + os level (G) + This integer value controls what level Samba + advertises itself as for browse elections. The value of this + parameter determines whether nmbd(8) + has a chance of becoming a local master browser for the + WORKGROUP in the local broadcast area. The default is + zero, which means nmbd will lose elections to + Windows machines. See BROWSING.txt in the + Samba docs/ directory for details. + + Default: os level = 20 + Example: os level = 65 + + + + + + + panic action (G) + This is a Samba developer option that allows a + system command to be called when either + smbd(8) or nmbd(8) + crashes. This is usually used to draw attention to the fact that + a problem occurred. + + Default: panic action = <empty string> + Example: panic action = "/bin/sleep 90000" + + + + + + passwd chat (G) + This string controls the "chat" + conversation that takes places between smbd and the local password changing + program to change the users password. The string describes a + sequence of response-receive pairs that + smbd(8) uses to determine what to send to the + passwd program + and what to expect back. If the expected output is not + received then the password is not changed. + + This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc). + + The string can contain the macros %o + and %n which are substituted for the old + and new passwords respectively. It can also contain the standard + macros \n, \r, + \t and %s to give line-feed, + carriage-return, tab and space. + + The string can also contain a '*' which matches + any sequence of characters. + + Double quotes can be used to collect strings with spaces + in them into a single string. + + If the send string in any part of the chat sequence + is a fullstop ".", then no string is sent. Similarly, + is the expect string is a fullstop then no string is expected. + + Note that if the unix + password sync parameter is set to true, then this + sequence is called AS ROOT when the SMB password + in the smbpasswd file is being changed, without access to the old + password cleartext. In this case the old password cleartext is set + to "" (the empty string). + + See also unix password + sync, + passwd program and + passwd chat debug. + + Default: passwd chat = *old*password* %o\n *new* + password* %n\n *new*password* %n\n *changed* + Example: passwd chat = "*Enter OLD password*" %o\n + "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password + changed*" + + + + + + + passwd chat debug (G) + This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd(8) log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This parameter is off by + default. + + See also <passwd chat + , passwd program + . + + Default: passwd chat debug = no + Example: passwd chat debug = yes + + + + + + + passwd program (G) + The name of a program that can be used to set + UNIX user passwords. Any occurrences of %u + will be replaced with the user name. The user name is checked for + existence before calling the password changing program. + + Also note that many passwd programs insist in reasonable + passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it. + + Note that if the unix + password sync parameter is set to True + then this program is called AS ROOT + before the SMB password in the smbpasswd(5) + file is changed. If this UNIX password change fails, then + smbd will fail to change the SMB password also + (this is by design). + + If the unix password sync parameter + is set this parameter MUST USE ABSOLUTE PATHS + for ALL programs called, and must be examined + for security implications. Note that by default unix + password sync is set to False. + + See also unix + password sync. + + Default: passwd program = /bin/passwd + Example: passwd program = /sbin/npasswd %u + + + + + + + + password level (G) + Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! + + This parameter defines the maximum number of characters + that may be upper case in passwords. + + For example, say the password given was "FRED". If + password level is set to 1, the following combinations + would be tried if "FRED" failed: + + "Fred", "fred", "fRed", "frEd","freD" + + If password level was set to 2, + the following combinations would also be tried: + + "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. + + And so on. + + The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection. + + A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case. + + Default: password level = 0 + Example: password level = 4 + + + + + + + password server (G) + By specifying the name of another SMB server (such + as a WinNT box) with this option, and using security = domain + or security = server you can get Samba + to do all its username/password validation via a remote server. + + This options sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the smb.conf file. + + The name of the password server is looked up using the + parameter name + resolve order and so may resolved + by any method and order described in that parameter. + + The password server much be a machine capable of using + the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in + user level security mode. + + NOTE: Using a password server + means your UNIX box (running Samba) is only as secure as your + password server. DO NOT CHOOSE A PASSWORD SERVER THAT + YOU DON'T COMPLETELY TRUST. + + Never point a Samba server at itself for password + serving. This will cause a loop and could lock up your Samba + server! + + The name of the password server takes the standard + substitutions, but probably the only useful one is %m + , which means the Samba server will use the incoming + client as the passwordserver. If you use this then you better + trust your clients, and you better restrict them with hosts allow! + + If the security parameter is set to + domain, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is cryptographicly + in that domain, and will use cryptographicly authenticated RPC calls + to authenticate the user logging on. The advantage of using + security = domain is that if you list several hosts in the + password server option then smbd + will try each in turn till it finds one that responds. This + is useful in case your primary server goes down. + + If the password server option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name WORKGROUP<1C> + and then contacting each server returned in the list of IP + addresses from the name resolution source. + + If the security parameter is + set to server, then there are different + restrictions that security = domain doesn't + suffer from: + + + You may list several password servers in + the password server parameter, however if an + smbd makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this smbd. This is a + restriction of the SMB/CIFS protocol when in security=server + mode and cannot be fixed in Samba. + + If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in + security=server mode the network logon will appear to + come from there rather than from the users workstation. + + + See also the security + parameter. + + Default: password server = <empty string> + + Example: password server = NT-PDC, NT-BDC1, NT-BDC2 + + Example: password server = * + + + + + + + path (S) + This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing. + + For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise. + + Any occurrences of %u in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of %m + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users. + + Note that this path will be based on + root dir if one was specified. + + Default: none + Example: path = /home/fred + + + + + + + postexec (S) + This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems. + + An interesting example may be do unmount server + resources: + + postexec = /etc/umount /cdrom + + See also preexec + . + + Default: none (no command executed) + + + Example: postexec = echo \"%u disconnected from %S + from %m (%I)\" >> /tmp/log + + + + + + + postscript (S) + This parameter forces a printer to interpret + the print files as postscript. This is done by adding a %! + to the start of print output. + + This is most useful when you have lots of PCs that persist + in putting a control-D at the start of print jobs, which then + confuses your printer. + + Default: postscript = no + + + + + + + preexec (S) + This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions. + + An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example: + + preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & + + Of course, this could get annoying after a while :-) + + See also preexec close + and postexec + . + + Default: none (no command executed) + Example: preexec = echo \"%u connected to %S from %m + (%I)\" >> /tmp/log + + + + + + + preexec close (S) + This boolean option controls whether a non-zero + return code from preexec + should close the service being connected to. + + Default: preexec close = no + + + + + + preferred master (G) + This boolean parameter controls if nmbd(8) is a preferred master browser + for its workgroup. + + If this is set to true, on startup, nmbd + will force an election, and it will have a slight advantage in + winning the election. It is recommended that this parameter is + used in conjunction with + domain master = yes, so that + nmbd can guarantee becoming a domain master. + + Use this option with caution, because if there are several + hosts (whether Samba servers, Windows 95 or NT) that are preferred + master browsers on the same subnet, they will each periodically + and continuously attempt to become the local master browser. + This will result in unnecessary broadcast traffic and reduced browsing + capabilities. + + See also os level + . + + Default: preferred master = no + + + + + + + prefered master (G) + Synonym for + preferred master for people who cannot spell :-). + + + + + + + preload + Synonym for + auto services. + + + + + + preserve case (S) + This controls if new filenames are created + with the case that the client passes, or if they are forced to + be the derault case + . + + Default: preserve case = yes + + See the section on NAME + MANGLING" for a fuller discussion. + + + + + + print command (S) + After a print job has finished spooling to + a service, this command will be used via a system() + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files. + + The print command is simply a text string. It will be used + verbatim, with two exceptions: All occurrences of %s + and %f will be replaced by the + appropriate spool file name, and all occurrences of %p + will be replaced by the appropriate printer name. The + spool file name is generated automatically by the server, the printer + name is discussed below. + + The print command MUST contain at least + one occurrence of %s or %f + - the %p is optional. At the time + a job is submitted, if no printer name is supplied the %p + will be silently removed from the printer command. + + If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified. + + If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed. + + Note that printing may fail on some UNIXs from the + nobody account. If this happens then create + an alternative guest account that can print and set the guest account + in the [global] section. + + You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts. + + print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s + + You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the + printing parameter. + + Default: For printing= BSD, AIX, QNX, LPRNG + or PLP : + print command = lpr -r -P%p %s + + For printing= SYS or HPUX : + print command = lp -c -d%p %s; rm %s + + For printing=SOFTQ : + print command = lp -d%p -s %s; rm %s + + Example: print command = /usr/local/samba/bin/myprintscript + %p %s + + + + + + + print ok (S) + Synonym for + printable. + + + + + + + + printable (S) + If this parameter is yes, then + clients may open, write to and submit spool files on the directory + specified for the service. + + Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The writeable + parameter controls only non-printing access to + the resource. + + Default: printable = no + + + + + + + printcap (G) + Synonym for + printcap name. + + + + + + + + printer admin (S) + This is a list of users that can do anything to + printers via the remote administration interfaces offered by MSRPC + (usually using a NT workstation). Note that the root user always + has admin rights. + + Default: printer admin = <empty string> + + Example: printer admin = admin, @staff + + + + + + + + + + printcap name (G) + This parameter may be used to override the + compiled-in default printcap name used by the server (usually + /etc/printcap). See the discussion of the [printers] section above for reasons + why you might want to do this. + + On System V systems that use lpstat to + list available printers you can use printcap name = lpstat + to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If + printcap name is set to lpstat on + these systems then Samba will launch lpstat -v and + attempt to parse the output to obtain a printer list. + + A minimal printcap file would look something like this: + + + print1|My Printer 1 + print2|My Printer 2 + print3|My Printer 3 + print4|My Printer 4 + print5|My Printer 5 + + + where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment. + + NOTE: Under AIX the default printcap + name is /etc/qconfig. Samba will assume the + file is in AIX qconfig format if the string + qconfig appears in the printcap filename. + + Default: printcap name = /etc/printcap + Example: printcap name = /etc/myprintcap + + + + + + + printer (S) + This parameter specifies the name of the printer + to which print jobs spooled through a printable service will be sent. + + If specified in the [global] section, the printer + name given will be used for any printable service that does + not have its own printer name specified. + + Default: none (but may be lp + on many systems) + + Example: printer name = laserwriter + + + + + + + printer driver (S) + This option allows you to control the string + that clients receive when they ask the server for the printer driver + associated with a printer. If you are using Windows95 or WindowsNT + then you can use this to automate the setup of printers on your + system. + + You need to set this parameter to the exact string (case + sensitive) that describes the appropriate printer driver for your + system. If you don't know the exact string to use then you should + first try with no + printer driver option set and the client will + give you a list of printer drivers. The appropriate strings are + shown in a scrollbox after you have chosen the printer manufacturer. + + See also printer + driver file. + + Example: printer driver = HP LaserJet 4L + + + + + + + printer driver file (G) + This parameter tells Samba where the printer driver + definition file, used when serving drivers to Windows 95 clients, is + to be found. If this is not set, the default is : + + SAMBA_INSTALL_DIRECTORY + /lib/printers.def + + This file is created from Windows 95 msprint.inf + files found on the Windows 95 client system. For more + details on setting up serving of printer drivers to Windows 95 + clients, see the documentation file in the docs/ + directory, PRINTER_DRIVER.txt. + + See also + printer driver location. + + Default: None (set in compile). + + Example: printer driver file = + /usr/local/samba/printers/drivers.def + + + + + + + + printer driver location (S) + This parameter tells clients of a particular printer + share where to find the printer driver files for the automatic + installation of drivers for Windows 95 machines. If Samba is set up + to serve printer drivers to Windows 95 machines, this should be set to + + \\MACHINE\PRINTER$ + + Where MACHINE is the NetBIOS name of your Samba server, + and PRINTER$ is a share you set up for serving printer driver + files. For more details on setting this up see the documentation + file in the docs/ directory, + PRINTER_DRIVER.txt. + + See also + printer driver file. + + Default: none + Example: printer driver location = \\MACHINE\PRINTER$ + + + + + + + + printer name (S) + Synonym for + printer. + + + + + + + printing (S) + This parameters controls how printer status + information is interpreted on your system. It also affects the + default values for the print command, + lpq command, lppause command + , lpresume command, and + lprm command if specified in the + [global]f> section. + + Currently eight printing styles are supported. They are + BSD, AIX, + LPRNG, PLP, + SYSV, HPUX, + QNX, SOFTQ, + and CUPS. + + To see what the defaults are for the other print + commands when using the various options use the testparm(1) program. + + This option can be set on a per printer basis + + See also the discussion in the + [printers] section. + + + + + + + private dir(G) + The private dir parameter + allows an administator to define a directory path used to hold the + various databases Samba will use to store things like a the machine + trust account information when acting as a domain member (i.e. where + the secrets.tdb file will be located), where the passdb.tbd file + will stored in the case of using the experiemental tdbsam support, + etc... + + Default: private dir = <compile time location + of smbpasswd> + Example: private dir = /etc/smbprivate + + + + + + + protocol (G) + The value of the parameter (a string) is the highest + protocol level that will be supported by the server. + + Possible values are : + + CORE: Earliest version. No + concept of user names. + + COREPLUS: Slight improvements on + CORE for efficiency. + + LANMAN1: First + modern version of the protocol. Long filename + support. + + LANMAN2: Updates to Lanman1 protocol. + + + NT1: Current up to date version of + the protocol. Used by Windows NT. Known as CIFS. + + + Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol. + + Default: protocol = NT1 + Example: protocol = LANMAN1 + + + + + + public (S) + Synonym for guest + ok. + + + + + + + queuepause command (S) + This parameter specifies the command to be + executed on the server host in order to pause the printerqueue. + + This command should be a program or script which takes + a printer name as its only parameter and stops the printerqueue, + such that no longer jobs are submitted to the printer. + + This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT. + + If a %p is given then the printername + is put in its place. Otherwise it is placed at the end of the command. + + + Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server. + + Default: depends on the setting of printing + + Example: queuepause command = disable %p + + + + + + + queueresume command (S) + This parameter specifies the command to be + executed on the server host in order to resume the printerqueue. It + is the command to undo the behavior that is caused by the + previous parameter ( + queuepause command). + + This command should be a program or script which takes + a printer name as its only parameter and resumes the printerqueue, + such that queued jobs are resubmitted to the printer. + + This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT. + + If a %p is given then the printername + is put in its place. Otherwise it is placed at the end of the + command. + + Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server. + + Default: depends on the setting of printing + + + Example: queuepause command = enable %p + + + + + + + + read bmpx (G) + This boolean parameter controls whether smbd(8) will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + no. You should never need to set this + parameter. + + Default: read bmpx = no + + + + + + + + read list (S) + This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the writeable + option is set to. The list can include group names using the + syntax described in the + invalid users parameter. + + See also the + write list parameter and the invalid users + parameter. + + Default: read list = <empty string> + Example: read list = mary, @students + + + + + + + read only (S) + Note that this is an inverted synonym for writeable. + + + + + + + read raw (G) + This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients. + + If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + + + However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads. + + In general this parameter should be viewed as a system tuning + tool and left severely alone. See also + write raw. + + Default: read raw = yes + + + + + + read size (G) + The option read size + affects the overlap of disk reads/writes with network reads/writes. + If the amount of data being transferred in several of the SMB + commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger + than this value then the server begins writing the data before it + has received the whole packet from the network, or in the case of + SMBreadbraw, it begins writing to the network before all the data + has been read from disk. + + This overlapping works best when the speeds of disk and + network access are similar, having very little effect when the + speed of one is much greater than the other. + + The default value is 16384, but very little experimentation + has been done yet to determine the optimal value, and it is likely + that the best value will vary greatly between systems anyway. + A value over 65536 is pointless and will cause you to allocate + memory unnecessarily. + + Default: read size = 16384 + Example: read size = 8192 + + + + + + + remote announce (G) + This option allows you to setup nmbd(8) to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name. + + This is useful if you want your Samba server to appear + in a remote workgroup for which the normal browse propagation + rules don't work. The remote workgroup can be anywhere that you + can send IP packets to. + + For example: + + remote announce = 192.168.2.255/SERVERS + 192.168.4.255/STAFF + + the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. + If you leave out the workgroup name then the one given in + the workgroup + parameter is used instead. + + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. + + See the documentation file BROWSING.txt + in the docs/ directory. + + Default: remote announce = <empty string> + + + + + + + + remote browse sync (G) + This option allows you to setup nmbd(8) to periodically request + synchronization of browse lists with the master browser of a samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-samba servers. + + This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to. + + For example: + + remote browse sync = 192.168.2.255 192.168.4.255 + + + the above line would cause nmbd to request + the master browser on the specified subnets or addresses to + synchronize their browse lists with the local server. + + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on it's segment. + + Default: remote browse sync = <empty string> + + + + + + + + restrict anonymous (G) + This is a boolean parameter. If it is true, then + anonymous access to the server will be restricted, namely in the + case where the server is expecting the client to send a username, + but it doesn't. Setting it to true will force these anonymous + connections to be denied, and the client will be required to always + supply a username and password when connecting. Use of this parameter + is only recommened for homogenous NT client environments. + + This parameter makes the use of macro expansions that rely + on the username (%U, %G, etc) consistant. NT 4.0 + likes to use anonymous connections when refreshing the share list, + and this is a way to work around that. + + When restrict anonymous is true, all anonymous connections + are denied no matter what they are for. This can effect the ability + of a machine to access the samba Primary Domain Controller to revalidate + it's machine account after someone else has logged on the client + interactively. The NT client will display a message saying that + the machine's account in the domain doesn't exist or the password is + bad. The best way to deal with this is to reboot NT client machines + between interactive logons, using "Shutdown and Restart", rather + than "Close all programs and logon as a different user". + + Default: restrict anonymous = no + + + + + + + root (G) + Synonym for + root directory". + + + + + + + root dir (G) + Synonym for + root directory". + + + + + + root directory (G) + The server will chroot() (i.e. + Change it's root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the wide links + parameter). + + Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent. + + Default: root directory = / + Example: root directory = /homes/smb + + + + + + + root postexec (S) + This is the same as the postexec + parameter except that the command is run as root. This + is useful for unmounting filesystems + (such as cdroms) after a connection is closed. + + See also + postexec. + + + + + root preexec (S) + This is the same as the preexec + parameter except that the command is run as root. This + is useful for mounting filesystems + (such as cdroms) after a connection is closed. + + See also + preexec and + preexec close. + + + + + + + root preexec close (S) + This is the same as the preexec close + parameter except that the command is run as root. + + See also + preexec and + preexec close. + + + + + + security (G) + This option affects how clients respond to + Samba and is one of the most important settings in the + smb.conf file. + + The option sets the "security mode bit" in replies to + protocol negotiations with smbd(8) + to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server. + + + The default is security = user, as this is + the most common setting needed when talking to Windows 98 and + Windows NT. + + The alternatives are security = share, + security = server or security=domain + . + + In versions of Samba prior to 2..0, the default was + security = share mainly because that was + the only option at one stage. + + There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as. + + If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + security = user. If you mostly use usernames + that don't exist on the UNIX box then use security = + share. + + You should also use security = share if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with security = user, see + the map to guest + parameter for details. + + It is possible to use smbd in a + hybrid mode where it is offers both user and share + level security under different + NetBIOS aliases. + + The different settings will now be explained. + + + SECURITY = SHARE + + + When clients connect to a share level security server then + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a security = share + server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share. + + Note that smbd ALWAYS + uses a valid UNIX user to act on behalf of the client, even in + security = share level security. + + As clients are not required to send a username to the server + in share level security, smbd uses several + techniques to determine the correct UNIX user to use on behalf + of the client. + + A list of possible UNIX usernames to match with the given + client password is constructed using the following methods : + + + If the guest + only parameter is set, then all the other + stages are missed and only the + guest account username is checked. + + + Is a username is sent with the share connection + request, then this username (after mapping - see username map), + is added as a potential username. + + If the client did a previous logon + request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + + + The name of the service the client requested is + added as a potential username. + + The NetBIOS name of the client is added to + the list as a potential username. + + Any users on the + user list are added as potential usernames. + + + + If the guest only parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user. + + If the guest only parameter is + set, or no username can be determined then if the share is marked + as available to the guest account, then this + guest user will be used, otherwise access is denied. + + Note that it can be very confusing + in share-level security as to which UNIX username will eventually + be used in granting access. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURIYT = USER + + + This is the default security setting in Samba 2.2. + With user-level security a client must first "log=on" with a + valid username and password (which can be mapped using the username map + parameter). Encrypted passwords (see the + encrypted passwords parameter) can also + be used in this security mode. Parameters such as + user and + guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = SERVER + + + In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to security = user, but note + that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid + smbpasswd file to check users against. See the + documentation file in the docs/ directory + ENCRYPTION.txt for details on how to set this + up. + + Note that from the clients point of + view security = server is the same as + security = user. It only affects how the server deals + with the authentication, it does not in any way affect what the + client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the encrypted passwords + parameter. + + SECURITY = DOMAIN + + + This mode will only work correctly if smbpasswd(8) has been used to add this + machine into a Windows NT Domain. It expects the encrypted passwords + parameter to be set to true. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the clients point + of view security = domain is the same as security = user + . It only affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the guest account. + See the map to guest + parameter for details on doing this. + + BUG: There is currently a bug in the + implementation of security = domain with respect + to multi-byte character set usernames. The communication with a + Domain Controller must be done in UNICODE and Samba currently + does not widen multi-byte user names to UNICODE correctly, thus + a multi-byte username will not be recognized correctly at the + Domain Controller. This issue will be addressed in a future release. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the encrypted passwords + parameter. + + Default: security = USER + Example: security = DOMAIN + + + + + + + security mask (S) + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box. + + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. + + If not set explicitly this parameter is set to the same + value as the create mask + parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter to + 0777. + + Note that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to set it to 0777. + + See also the + force directory security mode, + directory + security mask, + force security mode parameters. + + Default: security mask = <same as create mask> + + Example: security mask = 0777 + + + + + + server string (G) + This controls what string will show up in the + printer comment box in print manager and next to the IPC connection + in net view". It can be any string that you wish + to show to your users. + + It also sets what will appear in browse lists next + to the machine name. + + A %v will be replaced with the Samba + version number. + + A %h will be replaced with the + hostname. + + Default: server string = Samba %v + + Example: server string = University of GNUs Samba + Server + + + + + + + set directory (S) + If set directory = no, then + users of the service may not use the setdir command to change + directory. + + The setdir command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details. + + Default: set directory = no + + + + + + + + share modes (S) + This enables or disables the honoring of + the share modes during a file open. These + modes are used by clients to gain exclusive read or write access + to a file. + + These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do). + + The share modes that are enabled by this option are + DENY_DOS, DENY_ALL, + DENY_READ, DENY_WRITE, + DENY_NONE and DENY_FCB. + + + This option gives full share compatibility and enabled + by default. + + You should NEVER turn this parameter + off as many Windows applications will break if you do so. + + Default: share modes = yes + + + + + + + shared mem size (G) + It specifies the size of the shared memory (in + bytes) to use between smbd(8) + processes. This parameter defaults to one megabyte of shared + memory. It is possible that if you have a large erver with many + files open simultaneously that you may need to increase this + parameter. Signs that this parameter is set too low are users + reporting strange problems trying to save files (locking errors) + and error messages in the smbd log looking like ERROR + smb_shm_alloc : alloc of XX bytes failed. + + If your OS refuses the size that Samba asks for then + Samba will try a smaller size, reducing by a factor of 0.8 until + the OS accepts it. + + Default: shared mem size = 1048576 + Example: shared mem size = 5242880 ; Set to 5mb for a + large number of files. + + + + + + + short preserve case (S) + This boolean parameter controls if new files + which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced + to be the default case + . This option can be use with preserve case = yes + to permit long filenames to retain their case, while short + names are lowered. + + See the section on + NAME MANGLING. + + Default: short preserve case = yes + + + + + + + smb passwd file (G) + This option sets the path to the encrypted + smbpasswd file. By default the path to the smbpasswd file + is compiled into Samba. + + Default: smb passwd file= <compiled + default> + + Example: smb passwd file = /usr/samba/private/smbpasswd + + + + + + + + smbrun (G) + This sets the full path to the smbrun + binary. This defaults to the value in the + Makefile. + + You must get this path right for many services + to work correctly. + + You should not need to change this parameter so + long as Samba is installed correctly. + + Default: smbrun=<compiled default> + + + Example: smbrun = /usr/local/samba/bin/smbrun + + + + + + + + socket address (G) + This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration. + + By default samba will accept connections on any + address. + + Example: socket address = 192.168.2.20 + + + + + + + + socket options (G) + This option allows you to set socket options + to be used when talking with the client. + + Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned. + + This option will typically be used to tune your Samba + server for optimal performance for your local network. There is + no way that Samba can know what the optimal parameters are for + your net, so you must experiment and choose them yourself. We + strongly suggest you read the appropriate documentation for your + operating system first (perhaps man setsockopt + will help). + + You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to + samba@samba.org. + + Any of the supported socket options may be combined + in any way you like, as long as your OS allows it. + + This is the list of socket options currently settable + using this option: + + + SO_KEEPALIVE + SO_REUSEADDR + SO_BROADCAST + TCP_NODELAY + IPTOS_LOWDELAY + IPTOS_THROUGHPUT + SO_SNDBUF * + SO_RCVBUF * + SO_SNDLOWAT * + SO_RCVLOWAT * + + + Those marked with a '*' take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0. + + To specify an argument use the syntax SOME_OPTION=VALUE + for example SO_SNDBUF=8192. Note that you must + not have any spaces before or after the = sign. + + If you are on a local network then a sensible option + might be + socket options = IPTOS_LOWDELAY + + If you have a local network then you could try: + socket options = IPTOS_LOWDELAY TCP_NODELAY + + If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. + + Note that several of the options may cause your Samba + server to fail completely. Use these options with caution! + + Default: socket options = TCP_NODELAY + Example: socket options = IPTOS_LOWDELAY + + + + + + + + source environment (G) + This parameter causes Samba to set environment + variables as per the content of the file named. + + If the value of this parameter starts with a "|" character + then Samba will treat that value as a pipe command to open and + will set the environment variables from the output of the pipe. + + The contents of the file or the output of the pipe should + be formatted as the output of the standard Unix env(1) + command. This is of the form : + Example environment entry: + SAMBA_NETBIOS_NAME=myhostname + + Default: No default value + Examples: source environment = |/etc/smb.conf.sh + + + Example: source environment = + /usr/local/smb_env_vars + + + + + + + ssl (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable enables or disables the entire SSL mode. If + it is set to no, the SSL enabled samba behaves + exactly like the non-SSL samba. If set to yes, + it depends on the variables + ssl hosts and + ssl hosts resign whether an SSL + connection will be required. + + Default: ssl=no + + + + + + + ssl CA certDir (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable defines where to look up the Certification + Authorities. The given directory should contain one file for + each CA that samba will trust. The file name must be the hash + value over the "Distinguished Name" of the CA. How this directory + is set up is explained later in this document. All files within the + directory that don't fit into this naming scheme are ignored. You + don't need this variable if you don't verify client certificates. + + Default: ssl CA certDir = /usr/local/ssl/certs + + + + + + + + ssl CA certFile (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable is a second way to define the trusted CAs. + The certificates of the trusted CAs are collected in one big + file and this variable points to the file. You will probably + only use one of the two ways to define your CAs. The first choice is + preferable if you have many CAs or want to be flexible, the second + is preferable if you only have one CA and want to keep things + simple (you won't need to create the hashed file names). You + don't need this variable if you don't verify client certificates. + + Default: ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem + + + + + + + ssl ciphers (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable defines the ciphers that should be offered + during SSL negotiation. You should not set this variable unless + you know what you are doing. + + + + + + ssl client cert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + The certificate in this file is used by + smbclient(1) if it exists. It's needed + if the server requires a client certificate. + + Default: ssl client cert = /usr/local/ssl/certs/smbclient.pem + + + + + + + + ssl client key (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This is the private key for + smbclient(1). It's only needed if the + client should have a certificate. + + Default: ssl client key = /usr/local/ssl/private/smbclient.pem + + + + + + + + ssl compatibility (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable defines whether SSLeay should be configured + for bug compatibility with other SSL implementations. This is + probably not desirable because currently no clients with SSL + implementations other than SSLeay exist. + + Default: ssl compatibility = no + + + + + ssl hosts (G) + See + ssl hosts resign. + + + + + + ssl hosts resign (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + These two variables define whether samba will go + into SSL mode or not. If none of them is defined, samba will + allow only SSL connections. If the + ssl hosts variable lists + hosts (by IP-address, IP-address range, net group or name), + only these hosts will be forced into SSL mode. If the + ssl hosts resign variable lists hosts, only these + hosts will NOT be forced into SSL mode. The syntax for these two + variables is the same as for the + hosts allow and + hosts deny pair of variables, only + that the subject of the decision is different: It's not the access + right but whether SSL is used or not. + + The example below requires SSL connections from all hosts + outside the local net (which is 192.168.*.*). + + Default: ssl hosts = <empty string> + ssl hosts resign = <empty string> + + Example: ssl hosts resign = 192.168. + + + + + + + ssl require clientcert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + If this variable is set to yes, the + server will not tolerate connections from clients that don't + have a valid certificate. The directory/file given in ssl CA certDir + and ssl CA certFile + will be used to look up the CAs that issued + the client's certificate. If the certificate can't be verified + positively, the connection will be terminated. If this variable + is set to no, clients don't need certificates. + Contrary to web applications you really should + require client certificates. In the web environment the client's + data is sensitive (credit card numbers) and the server must prove + to be trustworthy. In a file server environment the server's data + will be sensitive and the clients must prove to be trustworthy. + + Default: ssl require clientcert = no + + + + + + + ssl require servercert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + If this variable is set to yes, the + smbclient(1) + will request a certificate from the server. Same as + ssl require + clientcert for the server. + + Default: ssl require servercert = no + + + + + + ssl server cert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This is the file containing the server's certificate. + The server must have a certificate. The + file may also contain the server's private key. See later for + how certificates and private keys are created. + + Default: ssl server cert = <empty string> + + + + + + + ssl server key (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This file contains the private key of the server. If + this variable is not defined, the key is looked up in the + certificate file (it may be appended to the certificate). + The server must have a private key + and the certificate must + match this private key. + + Default: ssl server key = <empty string> + + + + + + + ssl version (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This enumeration variable defines the versions of the + SSL protocol that will be used. ssl2or3 allows + dynamic negotiation of SSL v2 or v3, ssl2 results + in SSL v2, ssl3 results in SSL v3 and + tls1 results in TLS v1. TLS (Transport Layer + Security) is the new standard for SSL. + + Default: ssl version = "ssl2or3" + + + + + + + stat cache (G) + This parameter determines if smbd(8) will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter. + + Default: stat cache = yes + + + + + stat cache size (G) + This parameter determines the number of + entries in the stat cache. You should + never need to change this parameter. + + Default: stat cache size = 50 + + + + + + + status (G) + This enables or disables logging of connections + to a status file that smbstatus(1) + can read. + + With this disabled smbstatus won't be able + to tell you what connections are active. You should never need to + change this parameter. + + Default: status = yes + + + + + + + strict locking (S) + This is a boolean that controls the handling of + file locking in the server. When this is set to yes + the server will check every read and write access for file locks, and + deny access if locks exist. This can be slow on some systems. + + When strict locking is no the server does file + lock checks only when the client explicitly asks for them. + + Well behaved clients always ask for lock checks when it + is important, so in the vast majority of cases strict + locking = no is preferable. + + Default: strict locking = no + + + + + + + strict sync (S) + Many Windows applications (including the Windows + 98 explorer shell) seem to confuse flushing buffer contents to + disk with doing a sync to disk. Under UNIX, a sync call forces + the process to be suspended until the kernel has ensured that + all outstanding data in kernel disk buffers has been safely stored + onto stable storage. This is very slow and should only be done + rarely. Setting this parameter to no (the + default) means that smbd ignores the Windows applications requests for + a sync call. There is only a possibility of losing data if the + operating system itself that Samba is running on crashes, so there is + little danger in this default setting. In addition, this fixes many + performance problems that people have reported with the new Windows98 + explorer shell file copies. + + See also the sync + always> parameter. + + Default: strict sync = no + + + + + + strip dot (G) + This is a boolean that controls whether to + strip trailing dots off UNIX filenames. This helps with some + CDROMs that have filenames ending in a single dot. + + Default: strip dot = no + + + + + + + sync always (S) + This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is false then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is true then every write will be followed by a fsync() + call to ensure the data is written to disk. Note that + the strict sync parameter must be set to + yes in order for this parameter to have + any affect. + + See also the strict + sync parameter. + + Default: sync always = no + + + + + + + syslog (G) + This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog LOG_ERR, debug + level one maps onto LOG_WARNING, debug level + two maps onto LOG_NOTICE, debug level three + maps onto LOG_INFO. All higher levels are mapped to + LOG_DEBUG. + + This paramter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog. + + Default: syslog = 1 + + + + + + + syslog only (G) + If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files. + + Default: syslog only = no + + + + + + + template homedir (G) + NOTE: this parameter is + only available in Samba 3.0. + + When filling out the user information for a Windows NT + user, the winbindd(8) daemon + uses this parameter to fill in the home directory for that user. + If the string %D is present it is substituted + with the user's Windows NT domain name. If the string %U + is present it is substituted with the user's Windows + NT user name. + + Default: template homedir = /home/%D/%U + + + + + + + template shell (G) + NOTE: this parameter is + only available in Samba 3.0. + + When filling out the user information for a Windows NT + user, the winbindd(8) daemon + uses this parameter to fill in the login shell for that user. + + Default: template shell = /bin/false + + + + + + + time offset (G) + This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling. + + Default: time offset = 0 + Example: time offset = 60 + + + + + + + time server (G) + This parameter determines if + nmbd(8) advertises itself as a time server to Windows + clients. + + Default: time server = no + + + + + + timestamp logs (G) + Synonym for + debug timestamp. + + + + + + + + unix password sync (G) + This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to true the program specified in the passwd + programparameter is called AS ROOT - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password has change code has no + access to the old password cleartext, only the new). + + See also passwd + program, + passwd chat. + + Default: unix password sync = no + + + + + + + unix realname (G) + This boolean parameter when set causes samba + to supply the real name field from the unix password file to + the client. This isuseful for setting up mail clients and WWW + browsers on systems used by more than one person. + + Default: unix realname = no + + + + + + + update encrypted (G) + This boolean parameter allows a user logging + on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as + they log on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing + all users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change over + to encrypted passwords to be made over a longer period. Once all users + have encrypted representations of their passwords in the smbpasswd + file this parameter should be set to no. + + In order for this parameter to work correctly the encrypt passwords + parameter must be set to no when + this parameter is set to yes. + + Note that even when this parameter is set a user + authenticating to smbd must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords. + + Default: update encrypted = no + + + + + + + use rhosts (G) + If this global parameter is a true, it specifies + that the UNIX users .rhosts file in their home directory + will be read to find the names of hosts and users who will be allowed + access without specifying a password. + + NOTE: The use of use rhosts + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + use rhosts option be only used if you really know what + you are doing. + + Default: use rhosts = no + + + + + + + user (S) + Synonym for + username. + + + + + + + users (S) + Synonym for + username. + + + + + + username (S) + Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right). + + The username line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead. + + The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely. + + Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do. + + To restrict a service to a particular set of users you + can use the valid users + parameter. + + If any of the usernames begin with a '@' then the name + will be looked up first in the yp netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name. + + If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name. + + If any of the usernames begin with a '&'then the name + will be looked up only in the yp netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name. + + Note that searching though a groups database can take + quite some time, snd some clients may time out during the + search. + + See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services. + + Default: The guest account if a guest service, + else the name of the service. + + Examples:username = fred, mary, jack, jane, + @users, @pcgroup + + + + + + + username level (G) + This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine. + + If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try whilst trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as AstrangeUser + . + + Default: username level = 0 + Example: username level = 5 + + + + + + + username map (G) + This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files. + + The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long. + + The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line. + + If any line begins with a '#' or a ';' then it is + ignored + + If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file. + + For example to map from the name admin + or administrator to the UNIX name + root you would use: + + root = admin administrator + + Or to map anyone in the UNIX group system + to the UNIX name sys you would use: + + sys = @system + + You can have as many mappings as you like in a username + map file. + + + If your system supports the NIS NETGROUP option then + the netgroup database is checked before the /etc/group + database for matching groups. + + You can map Windows usernames that have spaces in them + by using double quotes around the name. For example: + + tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the + unix username "tridge". + + The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line. + + + !sys = mary fred + guest = * + + + Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for mary not + fred. The only exception to this is the + username passed to the + password server (if you have one). The password + server will receive whatever username the client supplies without + modification. + + Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job. + + Default: no username map + Example: username map = /usr/local/samba/lib/users.map + + + + + + + + utmp (S) + This boolean parameter is only available if + Samba has been configured and compiled with the option + --with-utmp. If set to True then Samba will attempt + to add utmp or utmpx records (depending on the UNIX system) whenever a + connection is made to a Samba server. Sites may use this to record the + user connecting to a Samba share. + + See also the + utmp directory parameter. + + Default: utmp = no + + + + + + + utmp directory(G) + This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. See also the + utmp parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/utmp on Linux). + + Default: no utmp directory + + + + + + winbind cache time + NOTE: this parameter is only + available in Samba 3.0. + + This parameter specifies the number of seconds the + winbindd(8) daemon will cache + user and group information before querying a Windows NT server + again. + + Default: winbind cache type = 15 + + + + + + + winbind gid + NOTE: this parameter is only + available in Samba 3.0. + + The winbind gid parameter specifies the range of group + ids that are allocated by the + winbindd(8) daemon. This range of group ids should have no + existing local or nis groups within it as strange conflicts can + occur otherwise. + + Default: winbind gid = <empty string> + + + Example: winbind gid = 10000-20000 + + + + + + + winbind uid + NOTE: this parameter is only + available in Samba 3.0. + + The winbind gid parameter specifies the range of group + ids that are allocated by the + winbindd(8) daemon. This range of ids should have no + existing local or nis users within it as strange conflicts can + occur otherwise. + + Default: winbind uid = <empty string> + + + Example: winbind uid = 10000-20000 + + + + + + + valid chars (G) + The option allows you to specify additional + characters that should be considered valid by the server in + filenames. This is particularly useful for national character + sets, such as adding u-umlaut or a-ring. + + The option takes a list of characters in either integer + or character form with spaces between them. If you give two + characters with a colon between them then it will be taken as + an lowercase:uppercase pair. + + If you have an editor capable of entering the characters + into the config file then it is probably easiest to use this + method. Otherwise you can specify the characters in octal, + decimal or hexadecimal form using the usual C notation. + + For example to add the single character 'Z' to the charset + (which is a pointless thing to do as it's already there) you could + do one of the following + + + valid chars = Z + valid chars = z:Z + valid chars = 0132:0172 + + + The last two examples above actually add two characters, + and alter the uppercase and lowercase mappings appropriately. + + Note that you MUST specify this parameter + after the client code page parameter if you + have both set. If client code page is set after + the valid chars parameter the valid + chars settings will be overwritten. + + See also the client + code page parameter. + + Default: Samba defaults to using a reasonable set + of valid characters for English systems + + Example: valid chars = 0345:0305 0366:0326 0344:0304 + + + The above example allows filenames to have the Swedish + characters in them. + + NOTE: It is actually quite difficult to + correctly produce a valid chars line for + a particular system. To automate the process tino@augsburg.net has written + a package called validchars which will automatically + produce a complete valid chars line for + a given client system. Look in the examples/validchars/ + subdirectory of your Samba source code distribution + for this package. + + + + + + + valid users (S) + This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + invalid users parameter. + + If this is empty (the default) then any user can login. + If a username is in both this list and the invalid + users list then access is denied for that user. + + The current servicename is substituted for %S + . This is useful in the [homes] section. + + See also invalid users + + + Default: No valid users list (anyone can login) + + + Example: valid users = greg, @pcusers + + + + + + + + veto files(S) + This is a list of files and directories that + are neither visible nor accessible. Each entry in the list must + be separated by a '/', which allows spaces to be included + in the entry. '*' and '?' can be used to specify multiple files + or directories as in DOS wildcards. + + Each entry must be a unix path, not a DOS path and + must not include the unix directory + separator '/'. + + Note that the case sensitive option + is applicable in vetoing files. + + One feature of the veto files parameter that it is important + to be aware of, is that if a directory contains nothing but files + that match the veto files parameter (which means that Windows/DOS + clients cannot ever see them) is deleted, the veto files within + that directory are automatically deleted along + with it, if the user has UNIX permissions to do so. + + Setting this parameter will affect the performance + of Samba, as it will be forced to check all files and directories + for a match as they are scanned. + + See also hide files + and + case sensitive. + + Default: No files or directories are vetoed. + + + Examples: + ; Veto any files containing the word Security, + ; any ending in .tmp, and any directory containing the + ; word root. + veto files = /*Security*/*.tmp/*root*/ + + ; Veto the Apple specific files that a NetAtalk server + ; creates. + veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + + + + + + + veto oplock files (S) + This parameter is only valid when the oplocks + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + veto files + parameter. + + Default: No files are vetoed for oplock + grants + + You might want to do this on files that you know will + be heavily contended for by clients. A good example of this + is in the NetBench SMB benchmark program, which causes heavy + client contention for files ending in .SEM. + To cause Samba not to grant oplocks on these files you would use + the line (either in the [global] section or in the section for + the particular NetBench share : + + Example: veto oplock files = /*;.SEM/ + + + + + + + + volume (S) + This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label. + + Default: the name of the share + + + + + + + wide links (S) + This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported. + + Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks. + + Default: wide links = yes + + + + + + + wins proxy (G) + This is a boolean that controls if nmbd(8) will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to yes for some older clients. + + Default: wins proxy = no + + + + + + + + wins server (G) + This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that + nmbd(8) should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP. + + You should point this at your WINS server if you have a + multi-subnetted network. + + NOTE. You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly. + + See the documentation file BROWSING.txt + in the docs/ directory of your Samba source distribution. + + Default: not enabled + Example: wins server = 192.9.200.1 + + + + + + + wins hook (G) + When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS. + + The wins hook parameter specifies the name of a script + or executable that will be called as follows: + + wins_hook operation name nametype ttl IP_list + + + + The first argument is the operation and is one + of "add", "delete", or "refresh". In most cases the operation can + be ignored as the rest of the parameters provide sufficient + information. Note that "refresh" may sometimes be called when the + name has not previously been added, in that case it should be treated + as an add. + + The second argument is the netbios name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods. + + The third argument is the netbios name + type as a 2 digit hexadecimal number. + + The fourth argument is the TTL (time to live) + for the name in seconds. + + The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted. + + + An example script that calls the BIND dynamic DNS update + program nsupdate is provided in the examples + directory of the Samba source code. + + + + + + + wins support (G) + This boolean controls if the + nmbd(8) process in Samba will act as a WINS server. You should + not set this to true unless you have a multi-subnetted network and + you wish a particular nmbd to be your WINS server. + Note that you should NEVER set this to true + on more than one machine in your network. + + Default: wins support = no + + + + + + workgroup (G) + This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with the security=domain + setting. + + Default: set at compile time to WORKGROUP + Example: workgroup = MYGROUP + + + + + + + + writable (S) + Synonym for + writeable for people who can't spell :-). + + + + + + + write list (S) + This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the writeable + option is set to. The list can include group names using the + @group syntax. + + Note that if a user is in both the read list and the + write list then they will be given write access. + + See also the read list + option. + + Default: write list = <empty string> + + + Example: write list = admin, root, @staff + + + + + + + + write cache size (S) + This integer parameter (new with Samba 2.0.7) + if set to non-zero causes Samba to create an in-memory cache for + each oplocked file (it does not do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it. + + This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (ie. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs. + + The integer parameter specifies the size of this cache + (per oplocked file) in bytes. + + Default: write cache size = 0 + Example: write cache size = 262144 + + for a 256k cache size per file. + + + + + + + + + + write ok (S) + Synonym for + writeable. + + + + + + + write raw (G) + This parameter controls whether or not the server + will support raw writes SMB's when transferring data from clients. + You should never need to change this parameter. + + Default: write raw = yes + + + + + + + writeable (S) + An inverted synonym is + read only. + + If this parameter is no, then users + of a service may not create or modify files in the service's + directory. + + Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations. + + Default: writeable = no + + + + -- cgit