From 04cfbc7854bb793481e9050264a1f0cac1c6198a Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Fri, 29 Aug 2003 01:15:53 +0000
Subject: Update pre-release of RC2. Note: Due to config errors not all manpages were rebuilt. (This used to be commit 01fde1a40b11e73cc98f09ab2ebbd14ed0bed4cf)
---
 docs/htmldocs/smb.conf.5.html | 550 ++++++++++++++++++++++--------------------
 1 file changed, 288 insertions(+), 262 deletions(-)

diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 926d8fcbb4..b6eb609bb0 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -21,7 +21,7 @@ values, but is preserved in string values. Some items such as create modes are numeric.

SECTION DESCRIPTIONS

Each section in the configuration file (except for the [global] section) describes a shared resource (known - as a "share"). The section name is the name of the + as a "share"). The section name is the name of the shared resource and the parameters within the section define the shares attributes.

There are three special sections, [global], [homes] and [printers], which are @@ -38,14 +38,14 @@ privileges in this case.

Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list - of usernames to check against the password using the "user =" + of usernames to check against the password using the "user =" option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.

Note that the access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.

The following sample section defines a file space share. The user has write access to the path /home/bar. - The share is accessed via the share name "foo":

+	The share is accessed via the share name "foo":

 
 [foo]
 	path = /home/bar
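Review bot: the removed and added lines in the @@ -38,14 +38,14 @@ hunk read identically (the "user =" sentence and the share name "foo" line), so the only difference appears to be how the quotation marks are emitted by the doc build. Since the commit message says config errors kept some manpages from being rebuilt, please confirm this quote-only churn is the intended generator output and say so in the message, so that the real content changes further down (new parameter entries) are not lost among hundreds of no-op line pairs.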
@@ -83,7 +83,7 @@
 		for your PCs than for UNIX access.

This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.

A similar process occurs if the requested section - name is "homes", except that the share name is not + name is "homes", except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.

The [homes] section can specify all the parameters @@ -147,8 +147,8 @@ alias|alias|alias|alias... components (if there are more than one) are separated by vertical bar symbols ('|').

Note

On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use - "printcap name = lpstat" to automatically obtain a list - of printers. See the "printcap name" option + "printcap name = lpstat" to automatically obtain a list + of printers. See the "printcap name" option for more details.

PARAMETERS

parameters define the specific attributes of sections.

Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mode). All others @@ -164,16 +164,16 @@ alias|alias|alias|alias... not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.

VARIABLE SUBSTITUTIONS

Many of the strings that are settable in the config file - can take substitutions. For example the option "path = - /tmp/%u" would be interpreted as "path = - /tmp/john" if the user connected with the username john.

These substitutions are mostly noted in the descriptions below, + can take substitutions. For example the option "path = + /tmp/%u" would be interpreted as "path = + /tmp/john" if the user connected with the username john.

These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:

%U

session user name (the user name that the client wanted, not necessarily the same as the one they got).

%G

primary group name of %U.

%h

the Internet hostname that Samba is running on.

%m

the NetBIOS name of the client machine (very useful).

%L

the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your - server can have a "dual personality".

Note that this parameter is not available when Samba listens + server can have a "dual personality".

Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information

%M

the Internet name of the client machine.

%R

the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, @@ -182,7 +182,7 @@ alias|alias|alias|alias... machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, WfWg, Win95, WinNT and Win2k. Anything else will be known as - "UNKNOWN". If it gets it wrong then sending a level + "UNKNOWN". If it gets it wrong then sending a level 3 log to samba@samba.org should allow it to be fixed.

%I

The IP address of the client machine.

%T

the current date and time.

%D

Name of the domain or workgroup of the current user.

%$(envvar)

The value of the environment variable envar.

The following substitutes apply only to some configuration options(only those @@ -193,33 +193,33 @@ alias|alias|alias|alias... not compiled Samba with the --with-automount option then this value will be the same as %L.

%p

the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry - is split up as "%N:%p".

There are some quite creative things that can be done - with these substitutions and other smb.conf options.

NAME MANGLING

Samba supports "name mangling" so that DOS and + is split up as "%N:%p".

There are some quite creative things that can be done + with these substitutions and other smb.conf options.

NAME MANGLING

Samba supports "name mangling" so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.

There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.

All of these options can be set separately for each service (or globally, of course).

The options are:

mangle case = yes/no

controls if names that have characters that - aren't of the "default" case are mangled. For example, - if this is yes then a name like "Mail" would be mangled. + aren't of the "default" case are mangled. For example, + if this is yes then a name like "Mail" would be mangled. Default no.

case sensitive = yes/no

controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed names. Default no.

default case = upper/lower

controls what the default case is for new filenames. Default lower.

preserve case = yes/no

controls if new files are created with the case that the client passes, or if they are forced to be the - "default" case. Default yes. + "default" case. Default yes.

short preserve case = yes/no

controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created - upper case, or if they are forced to be the "default" - case. This option can be use with "preserve case = yes" + upper case, or if they are forced to be the "default" + case. This option can be use with "preserve case = yes" to permit long filenames to retain their case, while short names are lowercased. Default yes.

By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving.

NOTE ABOUT USERNAME/PASSWORD VALIDATION

There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, then the connection request is rejected. However, if one of the - steps succeeds, then the following steps are not checked.

If the service is marked "guest only = yes" and the - server is running with share-level security ("security = share") + steps succeeds, then the following steps are not checked.

If the service is marked "guest only = yes" and the + server is running with share-level security ("security = share") then steps 1 to 5 are skipped.

  1. If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs then the connection is made as that @@ -232,23 +232,28 @@ alias|alias|alias|alias... they match then the connection is allowed as the corresponding user.

  2. If the client has previously validated a username/password pair with the server and the client has passed - the validation token then that username is used.

  3. If a "user = " field is given in the + the validation token then that username is used.

  4. If a "user = " field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames - from the "user =" field then the connection is made as - the username in the "user =" line. If one - of the username in the "user =" list begins with a + from the "user =" field then the connection is made as + the username in the "user =" line. If one + of the username in the "user =" list begins with a '@' then that name expands to a list of names in the group of the same name.

  5. If the service is a guest service then a - connection is made as the username given in the "guest - account =" for the service, irrespective of the + connection is made as the username given in the "guest + account =" for the service, irrespective of the supplied password.

COMPLETE LIST OF GLOBAL PARAMETERS

Here is a list of all global parameters. See the section of - each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on - each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch + each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on + each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the - shutdown script.

This command will be run as user.

Default: None.

Example: abort shutdown script = /sbin/shutdown -c

add group script (G)

This is the full pathname to a script that will be run + shutdown script.

This command will be run as user.

Default: None.

Example: abort shutdown script = /sbin/shutdown -c

acl compatibility (S)

This parameter specifies what OS ACL semantics should + be compatible with. Possible values are winnt for Windows NT 4, + win2k for Windows 2000 and above and auto. + If you specify auto, the value for this parameter + will be based upon the version of the client. There should + be no reason to change this parameter from the default.

Default: acl compatibility = Auto

Example: acl compatibility = win2k

add group script (G)

This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT @@ -264,7 +269,7 @@ alias|alias|alias|alias... machines -c Machine -d /dev/null -s /bin/false %u

addprinter command (G)

With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the - "Printers..." folder displayed a share listing. The APW + "Printers..." folder displayed a share listing. The APW allows for printers to be add remotely to a Samba or Windows NT/2000 print server.

For a Samba host this means that the printer must be physically added to the underlying printing system. The add @@ -275,15 +280,15 @@ alias|alias|alias|alias... shared by smbd(8).

The addprinter command is automatically invoked with the following parameter (in order):

  • printer name

  • share name

  • port name

  • driver name

  • location

  • Windows 9x driver location

All parameters are filled in from the PRINTER_INFO_2 structure sent - by the Windows NT/2000 client with one exception. The "Windows 9x - driver location" parameter is included for backwards compatibility + by the Windows NT/2000 client with one exception. The "Windows 9x + driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.

Once the addprinter command has been executed, smbd will reparse the smb.conf to determine if the share defined by the APW exists. If the sharename is still invalid, then smbd will return an ACCESS_DENIED error to the client.

- The "add printer command" program can output a single line of text, + The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares.

See also @@ -378,8 +383,8 @@ alias|alias|alias|alias... Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.

Default: allow trusted domains = yes

announce as (G)

This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT. The valid options - are : "NT Server" (which can also be written as "NT"), - "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + are : "NT Server" (which can also be written as "NT"), + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this @@ -402,7 +407,7 @@ alias|alias|alias|alias... method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).

Default: auth methods = <empty string>

Example: auth methods = guest sam winbind

auto services (G)

This is a synonym for the - preload.

available (S)

This parameter lets you "turn off" a service. If + preload.

available (S)

This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.

Default: available = yes

bind interfaces only (G)

This global parameter allows the Samba admin @@ -410,7 +415,7 @@ alias|alias|alias|alias... affects file service smbd(8) and name service nmbd(8) in a slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also - binds to the "all addresses" interface (0.0.0.0) + binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces @@ -447,7 +452,7 @@ alias|alias|alias|alias... 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show - "not running" even if they really are. This can prevent + "not running" even if they really are. This can prevent swat from starting/stopping/restarting smbd and nmbd.

Default: bind interfaces only = no

blocking locks (S)

This parameter controls the behavior of smbd(8) when given a request by a client @@ -474,7 +479,7 @@ alias|alias|alias|alias... a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.

Default: browse list = yes

case sensitive (S)

See the discussion in the section NAME MANGLING.

Default: case sensitive = no

casesignames (S)

Synonym for case sensitive.

change notify timeout (G)

This SMB allows a client to tell a server to - "watch" a particular directory for any changes and only reply to + "watch" a particular directory for any changes and only reply to the SMB request when a change has occurred. Such constant scanning of a directory is expensive under UNIX, hence an smbd(8) daemon only performs such a scan on each requested directory once every change notify @@ -499,7 +504,7 @@ alias|alias|alias|alias... with the new share.

This parameter is only used modify existing file shares definitions. To modify - printer shares, use the "Printers..." folder as seen when browsing the Samba host. + printer shares, use the "Printers..." folder as seen when browsing the Samba host.

See also add share command, delete @@ -522,7 +527,21 @@ alias|alias|alias|alias... NTLMv2.

If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly those following 'best practice' security polices) only allow NTLMv2 - responses, and not the weaker LM or NTLM.

Default : client ntlmv2 auth = no

client use spnego (G)

This variable controls controls whether samba clients will try + responses, and not the weaker LM or NTLM.

Default : client ntlmv2 auth = no

client plaintext auth (G)

Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.

Default: client plaintext auth = yes

client schannel (G)

This controls whether the client offers or even + demands the use of the netlogon schannel. + client schannel = no does not + offer the schannel, server schannel = + auto offers the schannel but does not + enforce it, and server schannel = + yes denies access if the server is not + able to speak netlogon schannel.

Default: client schannel = auto

Example: client schannel = yes

client signing (G)

This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are auto, mandatory + and disabled. +

When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.

Default: client signing = auto

client use spnego (G)

This variable controls controls whether samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 servers to agree upon an authentication mechanism. SPNEGO client support for SMB Signing is currently broken, so @@ -541,7 +560,7 @@ alias|alias|alias|alias... the new config file.

This option takes the usual substitutions, which can be very useful.

If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few - clients).

Example: config file = /usr/local/samba/lib/smb.conf.%m

copy (S)

This parameter allows you to "clone" service + clients).

Example: config file = /usr/local/samba/lib/smb.conf.%m

copy (S)

This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a 'template' service and @@ -603,7 +622,8 @@ alias|alias|alias|alias... current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an - effect.

Default: debug uid = no

default case (S)

See the section on + effect.

Default: debug uid = no

default (G)

A synonym for + default service.

default case (S)

See the section on NAME MANGLING. Also note the short preserve case parameter.

Default: default case = lower

default devmode (S)

This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba @@ -636,16 +656,15 @@ alias|alias|alias|alias... read-only service.

Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like %S to make - a wildcard service.

Note also that any "_" characters in the name of the service - used in the default service will get mapped to a "/". This allows for + a wildcard service.

Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for interesting things.

Example:

 [global]
 	default service = pub
         
 [pub]
 	path = /%S
-
default (G)

A synonym for - default service.

delete group script (G)

This is the full pathname to a script that will +

delete group script (G)

This is the full pathname to a script that will be run AS ROOT smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. @@ -659,7 +678,7 @@ alias|alias|alias|alias... from the print system and from smb.conf.

The deleteprinter command is automatically called with only one parameter: - "printer name".

Once the deleteprinter command has + "printer name".

Once the deleteprinter command has been executed, smbd will reparse the smb.conf to associated printer no longer exists. If the sharename is still valid, then smbd @@ -721,8 +740,8 @@ alias|alias|alias|alias... should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The - symptom that was seen was an error of "Abort Retry - Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines to + symptom that was seen was an error of "Abort Retry + Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.

The external program will be passed a single parameter indicating @@ -736,11 +755,11 @@ alias|alias|alias|alias... determining the disk capacity and remaining space will be used.

Example: dfree command = /usr/local/samba/bin/dfree

Where the script dfree (which must be made executable) could be:

 
 #!/bin/sh
-df $1 | tail -1 | awk '{print $2" "$4}'
+df $1 | tail -1 | awk '{print $2" "$4}'
 

or perhaps (on Sys V based systems):

 
 #!/bin/sh
-/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
-

Note that you may have to replace the command names with full path names on some systems.

directory mask (S)

This parameter is the octal modes which are +/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' +

Note that you may have to replace the command names with full path names on some systems.

directory (S)

Synonym for path.

directory mask (S)

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, @@ -774,13 +793,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' meaning a user is allowed to modify all the user/group/world permissions on a directory.

Note that users who can access the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. + so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it as the default of 0777.

See also the force directory security mode, security mask, force security mode - parameters.

Default: directory security mask = 0777

Example: directory security mask = 0700

directory (S)

Synonym for path.

disable netbios (G)

Enabling this parameter will disable netbios support + parameters.

Default: directory security mask = 0777

Example: directory security mask = 0700

disable netbios (G)

Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.

Note

Note that clients that only support netbios won't be able to see your samba server when netbios support is disabled. @@ -838,7 +857,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.

Note that Samba can be very fussy about the exact format - of the "dont descend" entries. For example you may need + of the "dont descend" entries. For example you may need ./proc instead of just /proc. Experimentation is the best policy :-)

Default: none (i.e., all directories are OK to descend)

Example: dont descend = /proc,/dev

dos charset (G)

DOS SMB clients assume the server has @@ -886,7 +905,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in - Samba see the chapter "User Database" in the Samba HOWTO Collection.

In order for encrypted passwords to work correctly + Samba see the chapter "User Database" in the Samba HOWTO Collection.

In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which @@ -902,16 +921,16 @@ df $1 | tail -1 | awk '{print $2" "$4}' workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols these enhancements can cause a empty workgroup to stay around forever which can be annoying.

In general you should leave this option enabled as it makes - cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes

enumports command (G)

The concept of a "port" is fairly foreign + cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes

enumports command (G)

The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one - port defined--"Samba Printer Port". Under + port defined--"Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than - the default "Samba Printer Port", you + the default "Samba Printer Port", you can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response @@ -993,7 +1012,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' allows a user to modify all the user/group/world permissions on a directory without restrictions.

Note that users who can access the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. + so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set as 0000.

See also the directory security mask, @@ -1030,7 +1049,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' and allows a user to modify all the user/group/world permissions on a file, with no restrictions.

Note that users who can access the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. + so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave this set to 0000.

See also the force directory security mode, @@ -1042,7 +1061,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected + as the "forced user", no matter what username the client connected as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left @@ -1068,17 +1087,17 @@ df $1 | tail -1 | awk '{print $2" "$4}' guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not - have a valid login. The user account "ftp" is often a good choice + have a valid login. The user account "ftp" is often a good choice for this parameter. If a username is specified in a given service, the specified username overrides this one. -

One some systems the default guest account "nobody" may not +

One some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).

This parameter does not accept % macros, because many parts of the system require this value to be - constant for correct operation.

Default: specified at compile time, usually "nobody"

Example: guest account = ftp

guest ok (S)

If this parameter is yes for + constant for correct operation.

Default: specified at compile time, usually "nobody"

Example: guest account = ftp

guest ok (S)

If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This paramater nullifies the benifits of setting @@ -1153,7 +1172,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' hosts deny option.

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a - wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.*; except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but + wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.*; except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host

hosts allow = @foonet

hosts deny = pirate

Note

Note that access still requires suitable user-level passwords.

See testparm(1) for a way of testing your host access to see if it does what you expect.

Default: none (i.e., all hosts permitted access)

Example: allow hosts = 150.203.5. myhost.mynet.edu.au

hosts deny (S)

The opposite of hosts allow - hosts listed here are NOT permitted access to @@ -1179,7 +1198,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). -

Default: idmap backend = <empty string>

Example: idmap backend = ldapsam://ldapslave.example.com

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for +

Default: idmap backend = <empty string>

Example: idmap backend = ldap:ldap://ldapslave.example.com

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of all group mapping.

Default: idmap gid = <empty string>

Example: idmap gid = 10000-20000

idmap uid (G)

The idmap uid parameter specifies the range of user ids that are allocated for use @@ -1222,11 +1241,11 @@ df $1 | tail -1 | awk '{print $2" "$4}' interfaces except 127.0.0.1 that are broadcast capable.

The option takes a list of interface strings. Each string can be in any of the following forms:

  • a network interface name (such as eth0). This may include shell-like wildcards so eth* will match - any interface starting with the substring "eth"

  • an IP address. In this case the netmask is + any interface starting with the substring "eth"

  • an IP address. In this case the netmask is determined from the list of interfaces obtained from the - kernel

  • an IP/mask pair.

  • a broadcast/mask pair.

The "mask" parameters can either be a bit length (such + kernel

  • an IP/mask pair.

  • a broadcast/mask pair.

  • The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted - decimal form.

    The "IP" parameters above can either be a full dotted + decimal form.

    The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.

    For example, the following line:

    interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

    would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. @@ -1255,7 +1274,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' a client is still present and responding.

    Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see socket options). - Basically you should only use this option if you strike difficulties.

    Default: keepalive = 300

    Example: keepalive = 600

    kernel oplocks (G)

    For UNIXes that support kernel based + Basically you should only use this option if you strike difficulties.

    Default: keepalive = 300

    Example: keepalive = 600

    kernel change notify (G)

    This parameter specifies whether Samba should ask the + kernel for change notifications in directories so that + SMB clients can refresh whenever the data on the server changes. +

    This parameter is only usd when your kernel supports + change notification to user programs, using the F_NOTIFY fcntl. +

    Default: Yes

    kernel oplocks (G)

    For UNIXes that support kernel based oplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

    Kernel oplocks support allows Samba oplocks @@ -1300,7 +1324,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' The default is to match the login name with the uid attribute for all entries matching the sambaAccount objectclass. Note that this filter should only return one entry. -

    Default: ldap filter = (&(uid=%u)(objectclass=sambaAccount))

    ldap machine suffix (G)

    It specifies where machines should be added to the ldap tree.

    Default: none

    ldap passwd sync (G)

    This option is used to define whether +

    Default: ldap filter = (&(uid=%u)(objectclass=sambaAccount))

    ldap group suffix (G)

    This parameters specifies the suffix that is + used for groups when these are added to the LDAP directory. + If this parameter is unset, the value of ldap suffix will be used instead.

    Default: none

    Example: dc=samba,ou=Groups

    ldap idmap suffix (G)

    This parameters specifies the suffix that is + used when storing idmap mappings. If this parameter + is unset, the value of ldap suffix + will be used instead.

    Default: none

    Example: dc=samba,ou=Idmap

    ldap machine suffix (G)

    It specifies where machines should be added to the ldap tree.

    Default: none

    ldap passwd sync (G)

    This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password @@ -1332,16 +1361,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' tree. Can be overriden by ldap user suffix and ldap machine suffix. It also used as the base dn for all ldap - searches.

    Default: none

    ldap trust ids (G)

    Normally, Samba validates each entry in the LDAP server - against getpwnam(). This allows LDAP to be used for Samba with - the unix system using NIS (for example) and also ensures that - Samba does not present accounts that do not otherwise exist. -

    This option is used to disable this functionality, and - instead to rely on the presence of the appropriate attributes - in LDAP directly, which can result in a significant performance - boost in some situations. Setting this option to yes effectivly - assumes that the local machine is running nss_ldap against the same LDAP - server.

    Default: ldap trust ids = No

    ldap user suffix (G)

    It specifies where users are added to the tree.

    Default: none

    level2 oplocks (S)

    This parameter controls whether Samba supports + searches.

    Default: none

    ldap user suffix (G)

    This parameter specifies where users are added to the tree. + If this parameter is not specified, the value from ldap suffix.

    Default: none

    level2 oplocks (S)

    This parameter controls whether Samba supports level2 (read-only) oplocks on a share.

    Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead @@ -1352,7 +1373,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' for many accesses of files that are not commonly written (such as application .EXE files).

    Once one of the clients which have a read-only oplock writes to the file all clients are notified (no reply is needed - or waited for) and told to break their oplocks to "none" and + or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.

    It is recommended that this parameter be turned on to speed access to shared executables.

    For more discussions on level2 oplocks see the CIFS spec.

    Currently, if kernel oplocks are supported then level2 oplocks are @@ -1390,12 +1411,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.

    Setting this value to no will cause nmbd never to become a local - master browser.

    Default: local master = yes

    lock directory (G)

    This option specifies the directory where lock + master browser.

    Default: local master = yes

    lock dir (G)

    Synonym for + lock directory. +

    lock directory (G)

    This option specifies the directory where lock files will be placed. The lock files are used to implement the max connections - option.

    Default: lock directory = ${prefix}/var/locks

    Example: lock directory = /var/run/samba/locks

    lock dir (G)

    Synonym for - lock directory. -

    locking (S)

    This controls whether or not locking will be + option.

    Default: lock directory = ${prefix}/var/locks

    Example: lock directory = /var/run/samba/locks

    locking (S)

    This controls whether or not locking will be performed by the server in response to lock requests from the client.

    If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report @@ -1444,14 +1465,14 @@ df $1 | tail -1 | awk '{print $2" "$4}' logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.

    This option is only useful if Samba is set up as a logon - server.

    Default: logon home = "\\%N\%U"

    Example: logon home = "\\remote_smb_server\%U"

    logon path (G)

    This parameter specifies the home directory + server.

    Default: logon home = "\\%N\%U"

    Example: logon home = "\\remote_smb_server\%U"

    logon path (G)

    This parameter specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the logon home parameter.

    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also - specifies the directory from which the "Application Data", + specifies the directory from which the "Application Data", (desktop, start menu, network neighborhood, programs and other folders, and their contents, are loaded and displayed on @@ -1589,12 +1610,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' you would use:

    mangled map = (*.html *.htm)

    One very useful case is to remove the annoying ;1 off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;).

    Default: no mangled map

    Example: mangled map = (*;1 *;)

    mangled names (S)

    This controls whether non-DOS names under UNIX - should be mapped to DOS-compatible names ("mangled") and made visible, + should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.

    See the section on NAME MANGLING for details on how to control the mangling process.

    If mangling is used then the mangling algorithm is as follows:

    • The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters - of the mangled name.

    • A tilde "~" is appended to the first part of the mangled + of the mangled name.

    • A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation @@ -1606,9 +1627,9 @@ df $1 | tail -1 | awk '{print $2" "$4}' extension of the mangled name. The final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except - in the case of "hidden files" - see below).

    • Files whose UNIX name begins with a dot will be + in the case of "hidden files" - see below).

    • Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as - for other filenames, but with the leading dot removed and "___" as + for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores).

    The two-digit hash value consists of upper case alphanumeric characters.

    This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. @@ -1634,9 +1655,9 @@ df $1 | tail -1 | awk '{print $2" "$4}' the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.

    Default: mangling char = ~

    Example: mangling char = ^

    mangling method (G)

    controls the algorithm used for the generating - the mangled names. Can take two different values, "hash" and - "hash2". "hash" is the default and is the algorithm that has been - used in Samba for many years. "hash2" is a newer and considered + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the default and is the algorithm that has been + used in Samba for many years. "hash2" is a newer and considered a better algorithm (generates less collisions) in the names. However, many Win32 applications store the mangled names and so changing to the new algorithm must not be done @@ -1677,18 +1698,18 @@ df $1 | tail -1 | awk '{print $2" "$4}' with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as "guest" - and + their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to - guest parameter this way :-).

    Note that this parameter is needed to set up "Guest" + guest parameter this way :-).

    Note that this parameter is needed to set up "Guest" share services when using security modes other than share. This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares.

    For people familiar with the older Samba releases, this + to the share) for "Guest" shares.

    For people familiar with the older Samba releases, this parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.

    Default: map to guest = Never

    Example: map to guest = Bad User

    max connections (S)

    This option allows the number of simultaneous connections to a service to be limited. If max connections is greater than 0 then connections @@ -1718,7 +1739,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' by the UNIX per-process file descriptor limit rather than this parameter so you should never need to touch this parameter.

    Default: max open files = 10000

    max print jobs (S)

    This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. - If this number is exceeded, smbd(8) will remote "Out of Space" to the client. + If this number is exceeded, smbd(8) will remote "Out of Space" to the client. See all total print jobs.

    Default: max print jobs = 1000

    Example: max print jobs = 5000

    max protocol (G)

    The value of the parameter (a string) is the highest @@ -1825,8 +1846,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose to is to control how netbios name resolution is performed. The option takes a space - separated string of name resolution options.

    The options are: "lmhosts", "host", - "wins" and "bcast". They cause names to be + separated string of name resolution options.

    The options are: "lmhosts", "host", + "wins" and "bcast". They cause names to be resolved as follows:

    • lmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the lmhosts(5) for details) then @@ -1975,7 +1996,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' passwd chat parameter for most setups.

      Default: pam password change = no

    panic action (G)

    This is a Samba developer option that allows a system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to - draw attention to the fact that a problem occurred.

    Default: panic action = <empty string>

    Example: panic action = "/bin/sleep 90000"

    paranoid server security (G)

    Some version of NT 4.x allow non-guest + draw attention to the fact that a problem occurred.

    Default: panic action = <empty string>

    Example: panic action = "/bin/sleep 90000"

    paranoid server security (G)

    Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit. @@ -2007,21 +2028,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' argument. Read the Samba HOWTO Collection for configuration details.

    -

    Default: passdb backend = smbpasswd

    Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd

    Example: passdb backend = ldapsam:ldaps://ldap.example.com

    Example: passdb backend = mysql:my_plugin_args tdbsam

    passwd chat debug (G)

    This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the - strings passed to and received from the passwd chat are printed - in the smbd(8) log with a - debug level - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the smbd log. It is available to help - Samba admins debug their passwd chat scripts - when calling the passwd program and should - be turned off after this has been done. This option has no effect if the - pam password change - paramter is set. This parameter is off by default.

    See also passwd chat - , pam password change - , passwd program - .

    Default: passwd chat debug = no

    passwd chat (G)

    This string controls the "chat" +

    Default: passdb backend = smbpasswd

    Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd

    Example: passdb backend = ldapsam:ldaps://ldap.example.com

    Example: passdb backend = mysql:my_plugin_args tdbsam

    passwd chat (G)

    This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the @@ -2043,7 +2050,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.

    If the send string in any part of the chat sequence is a full - stop ".", then no string is sent. Similarly, if the + stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.

    If the pam password change parameter is set to yes, the chat pairs may be matched in any order, and success is determined by the PAM result, @@ -2053,9 +2060,23 @@ df $1 | tail -1 | awk '{print $2" "$4}' passwd program , passwd chat debug and pam password change.

    Default: passwd chat = *new*password* %n\\n - *new*password* %n\\n *changed*

    Example: passwd chat = "*Enter OLD password*" %o\\n - "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n - "*Password changed*"

    passwd program (G)

    The name of a program that can be used to set + *new*password* %n\\n *changed*

    Example: passwd chat = "*Enter OLD password*" %o\\n + "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n + "*Password changed*"

    passwd chat debug (G)

    This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd(8) log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This option has no effect if the + pam password change + paramter is set. This parameter is off by default.

    See also passwd chat + , pam password change + , passwd program + .

    Default: passwd chat debug = no

    passwd program (G)

    The name of a program that can be used to set UNIX user passwords. Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

    Also note that many passwd programs insist in reasonable @@ -2081,10 +2102,10 @@ df $1 | tail -1 | awk '{print $2" "$4}' family of operating systems. These clients upper case clear text passwords even when NT LM 0.12 selected by the protocol negotiation request/response.

    This parameter defines the maximum number of characters - that may be upper case in passwords.

    For example, say the password given was "FRED". If + that may be upper case in passwords.

    For example, say the password given was "FRED". If password level is set to 1, the following combinations - would be tried if "FRED" failed:

    "Fred", "fred", "fRed", "frEd","freD"

    If password level was set to 2, - the following combinations would also be tried:

    "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

    And so on.

    The higher value this parameter is set to the more likely + would be tried if "FRED" failed:

    "Fred", "fred", "fRed", "frEd","freD"

    If password level was set to 2, + the following combinations would also be tried:

    "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

    And so on.

    The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to @@ -2104,7 +2125,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' parameter name resolve order and so may resolved by any method and order described in that parameter.

    The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

    Note

    Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. @@ -2169,13 +2190,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.

    An interesting example may be to unmount server - resources:

    postexec = /etc/umount /cdrom

    See also preexec.

    Default: none (no command executed)

    Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

    preexec close (S)

    This boolean option controls whether a non-zero - return code from preexec - should close the service being connected to.

    Default: preexec close = no

    preexec (S)

    This option specifies a command to be run whenever + resources:

    postexec = /etc/umount /cdrom

    See also preexec.

    Default: none (no command executed)

    Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

    preexec (S)

    This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

    An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here - is an example:

    preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

    Of course, this could get annoying after a while :-)

    See also preexec close and postexec - .

    Default: none (no command executed)

    Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

    prefered master (G)

    Synonym for + is an example:

    preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

    Of course, this could get annoying after a while :-)

    See also preexec close and postexec + .

    Default: none (no command executed)

    Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

    preexec close (S)

    This boolean option controls whether a non-zero + return code from preexec + should close the service being connected to.

    Default: preexec close = no

    prefered master (G)

    Synonym for preferred master for people who cannot spell :-).

    preferred master (G)

    This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

    If this is set to yes, on startup, nmbd @@ -2188,15 +2209,14 @@ df $1 | tail -1 | awk '{print $2" "$4}' preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast - traffic and reduced browsing capabilities.

    See also os level.

    Default: preferred master = auto

    preload modules (G)

    This is a list of paths to modules that should - be loaded into smbd before a client connects. This improves - the speed of smbd when reacting to new connections somewhat.

    It is recommended to only use this option on heavy-performance - servers.

    Default: preload modules =

    Example: preload modules = /usr/lib/samba/passdb/mysql.so+++

    preload (G)

    This is a list of services that you want to be + traffic and reduced browsing capabilities.

    See also os level.

    Default: preferred master = auto

    preload (G)

    This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.

    Note that if you just want all printers in your printcap file loaded then the - load printers option is easier.

    Default: no preloaded services

    Example: preload = fred lp colorlp

    preserve case (S)

    This controls if new filenames are created + load printers option is easier.

    Default: no preloaded services

    Example: preload = fred lp colorlp

    preload modules (G)

    This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat.

    Default: preload modules =

    Example: preload modules = /usr/lib/samba/passdb/mysql.so+++

    preserve case (S)

    This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case .

    Default: preserve case = yes

    See the section on NAME MANGLING for a fuller discussion.

    printable (S)

    If this parameter is yes, then @@ -2205,14 +2225,15 @@ df $1 | tail -1 | awk '{print $2" "$4}' to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to - the resource.

    Default: printable = no

    printcap name (S)

    This parameter may be used to override the + the resource.

    Default: printable = no

    printcap (G)

    Synonym for + printcap name.

    printcap name (S)

    This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

    To use the CUPS printing interface set printcap name = cups . This should be supplemented by an addtional setting printing = cups in the [global] section. printcap name = cups will use the - "dummy" printcap created by CUPS, as specified in your CUPS + "dummy" printcap created by CUPS, as specified in your CUPS configuration file.

    On System V systems that use lpstat to list available printers you can use printcap name = lpstat @@ -2232,8 +2253,7 @@ print5|My Printer 5 that it's a comment.

    Note

    Under AIX the default printcap name is /etc/qconfig. Samba will assume the file is in AIX qconfig format if the string - qconfig appears in the printcap filename.

    Default: printcap name = /etc/printcap

    Example: printcap name = /etc/myprintcap

    printcap (G)

    Synonym for - printcap name.

    print command (S)

    After a print job has finished spooling to + qconfig appears in the printcap filename.

    Default: printcap name = /etc/printcap

    Example: printcap name = /etc/myprintcap

    print command (S)

    After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there @@ -2274,15 +2294,15 @@ print5|My Printer 5 uses lp -c -d%p -oraw; rm %s. With printing = cups, and if SAMBA is compiled against libcups, any manually - set print command will be ignored.

    Example: print command = /usr/local/samba/bin/myprintscript %p %s

    printer admin (S)

    This is a list of users that can do anything to + set print command will be ignored.

    Example: print command = /usr/local/samba/bin/myprintscript %p %s

    printer (S)

    Synonym for + printer name.

    printer admin (S)

    This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation). Note that the root user always has admin rights.

    Default: printer admin = <empty string>

    Example: printer admin = admin, @staff

    printer name (S)

    This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

    If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.

    Default: none (but may be lp - on many systems)

    Example: printer name = laserwriter

    printer (S)

    Synonym for - printer name.

    printing (S)

    This parameters controls how printer status information is + on many systems)

    Example: printer name = laserwriter

    printing (S)

    This parameters controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the [global] section.

    Currently nine printing styles are supported. They are @@ -2310,11 +2330,11 @@ print5|My Printer 5 returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\\Administrators, BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly - it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile.

    Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access - each others profiles you must remove the "Bypass traverse checking" advanced + each others profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory @@ -2344,8 +2364,8 @@ print5|My Printer 5 path in the command as the PATH may not be available to the server.

    Default: depends on the setting of printing

    Example: queuepause command = enable %p

    read bmpx (G)

    This boolean parameter controls whether - smbd(8) will support the "Read - Block Multiplex" SMB. This is now rarely used and defaults to + smbd(8) will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to no. You should never need to set this parameter.

    Default: read bmpx = no

    read list (S)

    This is a list of users that are given read-only access to a service. If the connecting user is in this list then @@ -2429,17 +2449,21 @@ print5|My Printer 5 The security advantage of using restrict anonymous = 2 is removed by setting guest ok = yes on any share. -

    Default: restrict anonymous = 0

    root directory (G)

    The server will chroot() (i.e. +

    Default: restrict anonymous = 0

    root (G)

    Synonym for + root directory". +

    root dir (G)

    Synonym for + root directory". +

    root directory (G)

    The server will chroot() (i.e. Change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names + parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the wide links parameter).

    Adding a root directory entry other - than "/" adds an extra level of security, but at a price. It + than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the root directory option, including some files needed for @@ -2449,42 +2473,21 @@ print5|My Printer 5 you will need to mirror /etc/passwd (or a subset of it), and any binaries or configuration files needed for printing (if required). The set of files that must be mirrored is - operating system dependent.

    Default: root directory = /

    Example: root directory = /homes/smb

    root dir (G)

    Synonym for - root directory". -

    root postexec (S)

    This is the same as the postexec + operating system dependent.

    Default: root directory = /

    Example: root directory = /homes/smb

    root postexec (S)

    This is the same as the postexec parameter except that the command is run as root. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed.

    See also - postexec.

    Default: root postexec = <empty string>

    root preexec close (S)

    This is the same as the preexec close - parameter except that the command is run as root.

    See also - preexec and - preexec close.

    Default: root preexec close = no

    root preexec (S)

    This is the same as the preexec + postexec.

    Default: root postexec = <empty string>

    root preexec (S)

    This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

    See also preexec and - preexec close.

    Default: root preexec = <empty string>

    root (G)

    Synonym for - root directory". -

    security mask (S)

    This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box.

    This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.

    If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. -

    Note that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to 0777.

    See also the - force directory security mode, - directory - security mask, - force security mode parameters.

    Default: security mask = 0777

    Example: security mask = 0770

    security (G)

    This option affects how clients respond to + preexec close.

    Default: root preexec = <empty string>

    root preexec close (S)

    This is the same as the preexec close + parameter except that the command is run as root.

    See also + preexec and + preexec close.

    Default: root preexec close = no

    security (G)

    This option affects how clients respond to Samba and is one of the most important settings in the - smb.conf file.

    The option sets the "security mode bit" in replies to + smb.conf file.

    The option sets the "security mode bit" in replies to protocol negotiations with smbd(8) to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server.

    The default is security = user, as this is @@ -2495,8 +2498,8 @@ print5|My Printer 5 security = share mainly because that was the only option at one stage.

    There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as.

    If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use @@ -2550,7 +2553,7 @@ print5|My Printer 5 in share-level security as to which UNIX username will eventually be used in granting access.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    SECURITY = USER

    This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a + With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords (see the @@ -2628,7 +2631,24 @@ print5|My Printer 5 Controller.

    Read the chapter about Domain Membership in the HOWTO for details.

    See also the ads server parameter, the realm paramter and the - encrypted passwords parameter.

    Default: security = USER

    Example: security = DOMAIN

    server schannel (G)

    This controls whether the server offers or even + encrypted passwords parameter.

    Default: security = USER

    Example: security = DOMAIN

    security mask (S)

    This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box.

    This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.

    If not set explicitly this parameter is 0777, allowing + a user to modify all the user/group/world permissions on a file. +

    Note that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to leave it set to 0777.

    See also the + force directory security mode, + directory + security mask, + force security mode parameters.

    Default: security mask = 0777

    Example: security mask = 0770

    server schannel (G)

    This controls whether the server offers or even demands the use of the netlogon schannel. server schannel = no does not offer the schannel, server schannel = @@ -2639,7 +2659,13 @@ print5|My Printer 5 for Windows NT4 before SP4.

    Please note that with this set to no you will have to apply the WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory.

    Default: server schannel = auto

    Example: server schannel = yes

    server string (G)

    This controls what string will show up in the printer comment box in print + the docs/Registry subdirectory.

    Default: server schannel = auto

    Example: server schannel = yes

    server signing (G)

    This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are auto, mandatory + and disabled. +

    When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.

    Default: client signing = False

    server string (G)

    This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.

    It also sets what will appear in browse lists next to the machine name.

    A %v will be replaced with the Samba @@ -2681,7 +2707,7 @@ print5|My Printer 5 . This option can be use with preserve case = yes to permit long filenames to retain their case, while short names are lowered.

    See the section on NAME MANGLING.

    Default: short preserve case = yes

    show add printer wizard (G)

    With the introduction of MS-RPC based printing support - for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will + for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege @@ -2712,8 +2738,8 @@ print5|My Printer 5 #!/bin/bash $time=0 -let "time/60" -let "time++" +let "time/60" +let "time++" /sbin/shutdown $3 $4 +$time $1 &

    @@ -2734,7 +2760,7 @@ Shutdown does not return so we need to launch it in background. suggest you read the appropriate documentation for your operating system first (perhaps man setsockopt will help).

    You may find that on some systems Samba will say - "Unknown socket option" when you supply an option. This means you + "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to @@ -2749,7 +2775,7 @@ Shutdown does not return so we need to launch it in background. might be:

    socket options = IPTOS_LOWDELAY

    If you have a local network then you could try:

    socket options = IPTOS_LOWDELAY TCP_NODELAY

    If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT.

    Note that several of the options may cause your Samba server to fail completely. Use these options with caution!

    Default: socket options = TCP_NODELAY

    Example: socket options = IPTOS_LOWDELAY

    source environment (G)

    This parameter causes Samba to set environment - variables as per the content of the file named.

    If the value of this parameter starts with a "|" character + variables as per the content of the file named.

    If the value of this parameter starts with a "|" character then Samba will treat that value as a pipe command to open and will set the environment variables from the output of the pipe.

    The contents of the file or the output of the pipe should be formatted as the output of the standard Unix env(1) command. This is of the form:

    Example environment entry:

    SAMBA_NETBIOS_NAME = myhostname

    Default: No default value

    Examples: source environment = |/etc/smb.conf.sh

    Example: source environment = @@ -2796,9 +2822,7 @@ Shutdown does not return so we need to launch it in background. the strict sync parameter must be set to yes in order for this parameter to have any affect.

    See also the strict - sync parameter.

    Default: sync always = no

    syslog only (G)

    If this parameter is set then Samba debug - messages are logged into the system syslog only, and not to - the debug log files.

    Default: syslog only = no

    syslog (G)

    This parameter maps how Samba debug messages + sync parameter.

    Default: sync always = no

    syslog (G)

    This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level @@ -2806,7 +2830,9 @@ Shutdown does not return so we need to launch it in background. maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.

    This parameter sets the threshold for sending messages to syslog. Only messages with debug level less than this value - will be sent to syslog.

    Default: syslog = 1

    template homedir (G)

    When filling out the user information for a Windows NT + will be sent to syslog.

    Default: syslog = 1

    syslog only (G)

    If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files.

    Default: syslog only = no

    template homedir (G)

    When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it @@ -2833,7 +2859,7 @@ Shutdown does not return so we need to launch it in background. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of - no current use to Windows clients.

    Default: unix extensions = no

    unix password sync (G)

    This boolean parameter controls whether Samba + no current use to Windows clients.

    Default: unix extensions = yes

    unix password sync (G)

    This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd @@ -2877,7 +2903,7 @@ Shutdown does not return so we need to launch it in background. logged on user. If the user possesses local administator rights but not root privilegde on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will - now display an "Access Denied; Unable to connect" message + now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).

    If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped @@ -2891,7 +2917,42 @@ Shutdown does not return so we need to launch it in background. default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code. -

    Default: use mmap = yes

    username level (G)

    This option helps Samba to try and 'guess' at +

    Default: use mmap = yes

    user (S)

    Synonym for username.

    username (S)

    Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).

    The username line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.

    The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.

    Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.

    To restrict a service to a particular set of users you + can use the valid users + parameter.

    If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.

    If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.

    If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.

    Note that searching though a groups database can take + quite some time, and some clients may time out during the + search.

    See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services.

    Default: The guest account if a guest service, + else <empty string>.

    Examples:username = fred, mary, jack, jane, + @users, @pcgroup

    username level (G)

    This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the @@ -2926,8 +2987,8 @@ Shutdown does not return so we need to launch it in background. to the UNIX name sys you would use:

    sys = @system

    You can have as many mappings as you like in a username map file.

    If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups.

    You can map Windows usernames that have spaces in them - by using double quotes around the name. For example:

    tridge = "Andrew Tridgell"

    would map the windows username "Andrew Tridgell" to the - unix username "tridge".

    The following example would map mary and fred to the + by using double quotes around the name. For example:

    tridge = "Andrew Tridgell"

    would map the windows username "Andrew Tridgell" to the + unix username "tridge".

    The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line.

    @@ -2945,43 +3006,8 @@ guest = *
         modification.

    Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job.

    Default: no username map

    Example: username map = /usr/local/samba/lib/users.map

    username (S)

    Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right).

    The username line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead.

    The username line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - username line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely.

    Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do.

    To restrict a service to a particular set of users you - can use the valid users - parameter.

    If any of the usernames begin with a '@' then the name - will be looked up first in the NIS netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name.

    If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name.

    If any of the usernames begin with a '&' then the name - will be looked up only in the NIS netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name.

    Note that searching though a groups database can take - quite some time, and some clients may time out during the - search.

    See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how - this parameter determines access to the services.

    Default: The guest account if a guest service, - else <empty string>.

    Examples:username = fred, mary, jack, jane, - @users, @pcgroup

    users (S)

    Synonym for - username.

    user (S)

    Synonym for username.

    use sendfile (S)

    If this parameter is yes, and Samba + they don't own the print job.

    Default: no username map

    Example: username map = /usr/local/samba/lib/users.map

    users (S)

    Synonym for + username.

    use sendfile (S)

    If this parameter is yes, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that @@ -2992,15 +3018,7 @@ guest = * WindowsXP and Windows2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be - disabled.

    Default: use spnego = yes

    utmp directory (G)

    This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the utmp or utmpx files (depending on the UNIX system) that - record user connections to a Samba server. See also the - utmp parameter. By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/utmp on Linux).

    Default: no utmp directory

    Example: utmp directory = /var/run/utmp

    utmp (G)

    This boolean parameter is only available if + disabled.

    Default: use spnego = yes

    utmp (G)

    This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a @@ -3010,7 +3028,22 @@ guest = * incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.

    See also the - utmp directory parameter.

    Default: utmp = no

    valid users (S)

    This is a list of users that should be allowed + utmp directory parameter.

    Default: utmp = no

    utmp directory (G)

    This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. See also the + utmp parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/utmp on Linux).

    Default: no utmp directory

    Example: utmp directory = /var/run/utmp

    -valid (S)

    This parameter indicates whether a share is + valid and thus can be used. When this parameter is set to false, + the share will be in no way visible nor accessible. +

    + This option should not be + used by regular users but might be of help to developers. + Samba uses this option internally to mark shares as deleted. +

    Default: True

    valid users (S)

    This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

    If this is empty (the default) then any user can login. @@ -3018,14 +3051,7 @@ guest = * users list then access is denied for that user.

    The current servicename is substituted for %S . This is useful in the [homes] section.

    See also invalid users

    Default: No valid users list (anyone can login) -

    Example: valid users = greg, @pcusers

    -valid (S)

    This parameter indicates whether a share is - valid and thus can be used. When this parameter is set to false, - the share will be in no way visible nor accessible. -

    - This option should not be - used by regular users but might be of help to developers. - Samba uses this option internally to mark shares as deleted. -

    Default: True

    veto files (S)

    This is a list of files and directories that +

    Example: valid users = greg, @pcusers

    veto files (S)

    This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files @@ -3065,14 +3091,14 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ client contention for files ending in .SEM. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for - the particular NetBench share :

    Example: veto oplock files = /*.SEM/

    vfs objects (S)

    This parameter specifies the backend names which - are used for Samba VFS I/O operations. By default, normal - disk I/O operations are used but these can be overloaded - with one or more VFS objects.

    Default: no value

    Example: vfs objects = extd_audit recycle

    vfs object (S)

    Synonym for + the particular NetBench share :

    Example: veto oplock files = /*.SEM/

    vfs object (S)

    Synonym for vfs objects . -

    volume (S)

    This allows you to override the volume label +

    vfs objects (S)

    This parameter specifies the backend names which + are used for Samba VFS I/O operations. By default, normal + disk I/O operations are used but these can be overloaded + with one or more VFS objects.

    Default: no value

    Example: vfs objects = extd_audit recycle

    volume (S)

    This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label.

    Default: the name of the share

    wide links (S)

    This parameter controls whether or not links in the UNIX file system may be followed by the server. Links @@ -3083,7 +3109,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ that Samba has to do in order to perform the link checks.

    Default: wide links = yes

    winbind cache time (G)

    This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server - again.

    Default: winbind cache type = 15

    winbind enable local accounts (G)

    This parameter controls whether or not winbindd + again.

    Default: winbind cache type = 300

    winbind enable local accounts (G)

    This parameter controls whether or not winbindd will act as a stand in replacement for the various account management hooks in smb.conf (e.g. 'add user script'). If enabled, winbindd will support the creation of local @@ -3138,11 +3164,11 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ dynamic update of external name resolution databases such as dynamic DNS.

    The wins hook parameter specifies the name of a script or executable that will be called as follows:

    wins_hook operation name nametype ttl IP_list

    • The first argument is the operation and is - one of "add", "delete", or - "refresh". In most cases the operation + one of "add", "delete", or + "refresh". In most cases the operation can be ignored as the rest of the parameters provide sufficient information. Note that - "refresh" may sometimes be called when + "refresh" may sometimes be called when the name has not previously been added, in that case it should be treated as an add.

    • The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. -- cgit
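Review bot: The new "server signing (G)" entry ends with "Default: client signing = False", which names a different parameter and gives a value that is not one of the three the entry itself lists (auto, mandatory, disabled). A reader cannot tell from this whether the server offers SMB signing out of the box. State the default under the parameter's own name, using one of the documented values and matching what the code initialises, and add an Example line as the neighbouring "server schannel" entry has.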
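Review bot: In the "root (G)" and "root dir (G)" entries that this patch relocates, the text still reads: Synonym for root directory". The trailing double quote has no opening partner and is carried over unchanged from the removed copies. Since both entries are being re-emitted anyway, drop the stray quote so they match the other synonym entries ("user", "users", "vfs object").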
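Review bot: In the sample shutdown script (hunk at -2712,8 +2738,8) only the quoting on the two "let" lines is touched, but the script around them does not do what it appears to. "$time=0" is not an assignment in bash (it needs to be "time=0"), and let "time/60" evaluates the division without storing the result, so after let "time++" the delay passed to /sbin/shutdown is always +1. Because administrators copy this script verbatim, fix the assignment and write the division as let "time=time/60" in the same change, and assign the intended timeout to "time" before dividing.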
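Review bot: The "unix extensions (G)" hunk flips the documented default from "unix extensions = no" to "unix extensions = yes", while the commit message describes only a documentation update for the RC2 pre-release. Please confirm the compiled-in default actually changed and say so in the commit message or release notes. The entry states that the extensions give clients symbolic and hard link support, so a changed default deserves a sentence in the entry telling administrators that this is now on unless they disable it.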
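Review bot: In the "winbind cache time (G)" hunk the default line changes from "winbind cache type = 15" to "winbind cache type = 300", so the value is updated but the parameter name is still misspelled as "winbind cache type". Correct it to "winbind cache time = 300" while the line is being edited, and confirm that 300 seconds is the value the code uses, since the commit message does not mention a change of default.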