From 20967627378194121bc48bf387838b8bd7682478 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Tue, 18 Mar 2003 16:48:14 +0000
Subject: Regenerate (This used to be commit 25db62e3101dbcae8e9daee3cb16430297afa223)
---
docs/htmldocs/smb.conf.5.html | 5797 ++++++++++++++---------------------------
1 file changed, 1937 insertions(+), 3860 deletions(-)
(limited to 'docs/htmldocs/smb.conf.5.html')

diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 5a8bfe7d67..e66b848be7 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -5,7 +5,7 @@ >smb.conf

name = name = value -

The file is line-based - that is, each newline-terminated @@ -178,11 +174,11 @@ CLASS="FILENAME" The share is accessed via the share name "foo":

[foo]
 	path = /home/bar
-	read only = no

The following sample section defines a printable share. @@ -199,13 +195,13 @@ CLASS="EMPHASIS" elsewhere):

[aprinter]
 	path = /usr/spool/public
 	read only = yes
 	printable = yes
-	guest ok = yes

path = /data/pchome/%Spath = /data/pchome/%S

would be useful if you have different home directories @@ -300,10 +294,10 @@ CLASS="USERINPUT" section:

[homes]
-	read only = no

An important point is that if guest access is specified @@ -401,12 +395,12 @@ NAME="AEN80" this:

[printers]
 	path = /usr/spool/public
 	guest ok = yes
-	printable = yes 

All aliases given for a printer in the printcap file @@ -416,9 +410,9 @@ CLASS="COMPUTEROUTPUT" more lines like this:

alias|alias|alias|alias...    alias|alias|alias|alias...    

Each alias should be an acceptable printer name for @@ -614,20 +608,16 @@ TARGET="_top" >Name of the domain or workgroup of the current user.

%$(%$(envvarenvvar)

The value of the environment variable - envarenvar.

usernameusername method of passing a username.

abort shutdown scriptabort shutdown script

add group scriptadd group script

addprinter commandaddprinter command

add share commandadd share command

add user scriptadd user script

add user to group scriptadd user to group script

add machine scriptadd machine script

delete group scriptdelete group script

ads serverads server

algorithmic rid basealgorithmic rid base

allow trusted domainsallow trusted domains

announce asannounce as

announce versionannounce version

auth methodsauth methods

auto servicesauto services

bind interfaces onlybind interfaces only

browse listbrowse list

change notify timeoutchange notify timeout

change share commandchange share command

config fileconfig file

deadtimedeadtime

debug hires timestampdebug hires timestamp

debug piddebug pid

debug timestampdebug timestamp

debug uiddebug uid

debugleveldebuglevel

defaultdefault

default servicedefault service

deleteprinter commanddeleteprinter command

delete share commanddelete share command

delete user scriptdelete user script

delete user from group scriptdelete user from group script

dfree commanddfree command

disable netbiosdisable netbios

disable spoolssdisable spoolss

display charsetdisplay charset

dns proxydns proxy

domain logonsdomain logons

domain masterdomain master

dos charsetdos charset

encrypt passwordsencrypt passwords

enhanced browsingenhanced browsing

enumports commandenumports command

getwd cachegetwd cache

hide local usershide local users

hide unreadablehide unreadable

hide unwriteable fileshide unwriteable files

hide special fileshide special files

homedir maphomedir map

host msdfshost msdfs

hostname lookupshostname lookups

hosts equivhosts equiv

interfacesinterfaces

keepalivekeepalive

kernel oplockskernel oplocks

lanman authlanman auth

large readwritelarge readwrite

ldap admin dnldap admin dn

ldap filterldap filter

ldap portldap port

ldap serverldap server

ldap sslldap ssl

ldap suffixldap suffix

ldap user suffixldap user suffix

ldap machine suffixldap machine suffix

ldap passwd syncldap passwd sync

ldap trust idsldap trust ids

lm announcelm announce

lm intervallm interval

load printersload printers

local masterlocal master

lock dirlock dir

lock directorylock directory

lock spin countlock spin count

lock spin timelock spin time

pid directorypid directory

log filelog file

log levellog level

logon drivelogon drive

logon homelogon home

logon pathlogon path

logon scriptlogon script

lpq cache timelpq cache time

machine password timeoutmachine password timeout

  • mangle prefix

  • mangled stackmangled stack

    map to guestmap to guest

    max disk sizemax disk size

    max log sizemax log size

    max muxmax mux

    max open filesmax open files

    max protocolmax protocol

    max smbd processesmax smbd processes

    max ttlmax ttl

    max wins ttlmax wins ttl

    max xmitmax xmit

    message commandmessage command

    min passwd lengthmin passwd length

    min password lengthmin password length

    min protocolmin protocol

    min wins ttlmin wins ttl

    name cache timeoutname cache timeout

    name resolve ordername resolve order

    netbios aliasesnetbios aliases

    netbios namenetbios name

    netbios scopenetbios scope

    nis homedirnis homedir

    ntlm authntlm auth

    non unix account rangenon unix account range

    nt pipe supportnt pipe support

    nt status supportnt status support

    null passwordsnull passwords

    obey pam restrictionsobey pam restrictions

    oplock break wait timeoplock break wait time

    os levelos level

    os2 driver mapos2 driver map

    pam password changepam password change

    panic actionpanic action

    paranoid server securityparanoid server security

    passdb backendpassdb backend

    passwd chatpasswd chat

    passwd chat debugpasswd chat debug

    passwd programpasswd program

    password levelpassword level

    password serverpassword server

    prefered masterprefered master

    preferred masterpreferred master

    preloadpreload

    printcapprintcap

    printcap name

  • printer driver fileprintcap name

  • private dirprivate dir

    protocolprotocol

    read bmpxread bmpx

    read rawread raw

    read sizeread size

    realmrealm

    remote announceremote announce

    remote browse syncremote browse sync

    restrict anonymousrestrict anonymous

    rootroot

    root dirroot dir

    root directoryroot directory

    securitysecurity

    server stringserver string

    show add printer wizardshow add printer wizard

    shutdown scriptshutdown script

    smb passwd filesmb passwd file

    smb portssmb ports

    socket addresssocket address

    socket optionssocket options

    source environmentsource environment

    use spnegouse spnego

    stat cachestat cache

    stat cache sizestat cache size

    strip dotstrip dot

    syslogsyslog

    syslog onlysyslog only

    template homedirtemplate homedir

    template shelltemplate shell

    time offsettime offset

    time servertime server

    timestamp logstimestamp logs

    total print jobstotal print jobs

    unicodeunicode

    unix charsetunix charset

    unix extensionsunix extensions

    unix password syncunix password sync

    update encryptedupdate encrypted

    use mmap

  • use rhostsuse mmap

  • use sendfileuse sendfile

    username levelusername level

    username mapusername map

    utmputmp

    utmp directoryutmp directory

    wtmp directorywtmp directory

    winbind cache timewinbind cache time

    winbind enum userswinbind enum users

    winbind enum groupswinbind enum groups

    winbind gidwinbind gid

    winbind separatorwinbind separator

    winbind uidwinbind uid

    winbind use default domainwinbind use default domain

    wins hookwins hook

    wins partnerswins partners

    wins proxywins proxy

    wins serverwins server

    wins supportwins support

    workgroupworkgroup

    write rawwrite raw

    COMPLETE LIST OF SERVICE PARAMETERS

    admin usersadmin users

    allow hostsallow hosts

    availableavailable

    blocking locksblocking locks

    block sizeblock size

    browsablebrowsable

    browseablebrowseable

    case sensitivecase sensitive

    casesignamescasesignames

    commentcomment

    copycopy

    create maskcreate mask

    create modecreate mode

    csc policycsc policy

    default casedefault case

    default devmodedefault devmode

    delete readonlydelete readonly

    delete veto filesdelete veto files

    deny hostsdeny hosts

    directorydirectory

    directory maskdirectory mask

    directory modedirectory mode

    directory security maskdirectory security mask

    dont descenddont descend

    dos filemodedos filemode

    dos filetime resolutiondos filetime resolution

    dos filetimesdos filetimes

    execexec

    fake directory create timesfake directory create times

    fake oplocksfake oplocks

    follow symlinksfollow symlinks

    force create modeforce create mode

    force directory modeforce directory mode

    force directory security modeforce directory security mode

    force groupforce group

    force security modeforce security mode

    force userforce user

    fstypefstype

    groupgroup

    guest accountguest account

    guest okguest ok

    guest onlyguest only

    hide dot fileshide dot files

    hide fileshide files

    hosts allowhosts allow

    hosts denyhosts deny

    includeinclude

    inherit aclsinherit acls

    inherit permissionsinherit permissions

    invalid usersinvalid users

    level2 oplockslevel2 oplocks

    lockinglocking

    lppause commandlppause command

    lpq commandlpq command

    lpresume commandlpresume command

    lprm commandlprm command

    magic outputmagic output

    magic scriptmagic script

    mangle casemangle case

    mangled mapmangled map

    mangled namesmangled names

    mangling charmangling char

    mangling methodmangling method

    map archivemap archive

    map hiddenmap hidden

    map systemmap system

    max connectionsmax connections

    max print jobsmax print jobs

    min print spacemin print space

    msdfs proxymsdfs proxy

    msdfs rootmsdfs root

    nt acl supportnt acl support

    only guestonly guest

    only useronly user

    oplock contention limitoplock contention limit

    oplocksoplocks

    pathpath

    posix lockingposix locking

    postexec

  • postscriptpostexec

  • preexecpreexec

    preexec closepreexec close

    preserve casepreserve case

    print commandprint command

    print okprint ok

    printableprintable

    printerprinter

    printer admin

  • printer driver

  • printer driver locationprinter admin

  • printer nameprinter name

    printingprinting

    publicpublic

    queuepause commandqueuepause command

    queueresume commandqueueresume command

    read listread list

    read onlyread only

    root postexecroot postexec

    root preexecroot preexec

    root preexec closeroot preexec close

    security masksecurity mask

    set directoryset directory

    share modesshare modes

    short preserve caseshort preserve case

    strict allocatestrict allocate

    strict lockingstrict locking

    strict syncstrict sync

    sync alwayssync always

    use client driveruse client driver

    useruser

    usernameusername

    usersusers

    valid usersvalid users

    veto filesveto files

    veto oplock filesveto oplock files

    vfs pathvfs path

    vfs objectvfs object

    vfs optionsvfs options

    volumevolume

    wide linkswide links

    writablewritable

    write cache sizewrite cache size

    write listwrite list

    write okwrite ok

    writeablewriteable

    EXPLANATION OF EACH PARAMETER

    that should stop a shutdown procedure issued by the shutdown scriptshutdown script.

    For a Samba host this means that the printer must be - physically added to the underlying printing system. The add - printer command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition @@ -4788,11 +4102,9 @@ CLASS="REFENTRYTITLE" >(8).

    The The addprinter commandaddprinter command is automatically invoked with the following parameter (in order):

    • printer nameprinter name

    • share nameshare name

    • port nameport name

    • driver namedriver name

    • locationlocation

    • Windows 9x driver locationWindows 9x driver location

    • Once the Once the addprinter commandaddprinter command has been executed, will return an ACCESS_DENIED error to the client.

      The "add printer command" program can output a single line of text, + which Samba will set as the port the new printer is connected to. + If this line isn't output, Samba won't reload its printer shares. +

      See also deleteprinter command deleteprinter command, printingprinting, show add - printer wizard

      Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The - add share commandadd share command is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully - execute the add share commandadd share command, smbdsmbd will automatically invoke the - add share commandadd share command with four parameters.

      • configFileconfigFile - the location of the global

      • shareNameshareName - the name of the new share.

      • pathNamepathName - path to an **existing** directory on disk.

      • commentcomment - comment string to associate with the new share.

        This parameter is only used for add file shares. To add printer shares, see the addprinter - command.

        See also change share - command, delete share - command.

        Default: add machine script = <empty string> +>add machine script = <empty string>

        NOT be set to be set to security = sharesecurity = share - and add user scriptadd user script must be set to a full pathname for a script that will create a UNIX - user given one argument of %u%u, which expands into the UNIX user name to create.

        smbd(8) contacts the contacts the password serverpassword server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the - Windows user into. If this lookup fails, and add user script - is set then smbdAS ROOT, expanding - any %u%u argument to be the user name to create.

        If this script successfully creates the user then

        See also security security, password serverpassword server, delete user - script.

        Default: add user script = <empty string> +>add user script = <empty string>

        (8) when a new group is requested. It will expand any - %g%g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is @@ -5370,17 +4627,13 @@ CLASS="EMPHASIS" >AS ROOT. - Any %g%g will be replaced with the group name and - any %u%u will be replaced with the user name.

        Synonym for hosts allowhosts allow.

        This option only takes effect when the securitysecurity option is set to - server or server or domaindomain. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which

        This is a synonym for the preloadpreload.

        will use when authenticating a user. This option defaults to sensible values based on security security. @@ -5590,7 +4835,7 @@ CLASS="PARAMETER" >

        Default: auth methods = <empty string>auth methods = <empty string>

        Example:

        This parameter lets you "turn off" a service. If - available = noavailable = no, then nmbd will service - name requests on all of these sockets. If bind interfaces - only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the - interfaces in the interfacesinterfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the - interfacesinterfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for

        If If bind interfaces onlybind interfaces only is set then unless the network address 127.0.0.1 is added - to the interfacesinterfaces parameter list address as an SMB client to issue the password change request. If - bind interfaces onlybind interfaces only is set then unless the network address 127.0.0.1 is added to the - interfacesinterfaces parameter list then smbpasswdsmbpasswd(8) -r -r remote machineremote machine - parameter, with remote machineremote machine set to the IP name of the primary interface of the local host.

        If this parameter is set to If this parameter is set to nono, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range @@ -5937,11 +5160,9 @@ NAME="BROWSABLE" >

        See the browseable browseable.

        NetServerEnum call. Normally - set to yesyes. You should never need to change this.

        smbd(8) daemon only performs such a scan - on each requested directory once every change notify - timeout seconds.

        Default:

        Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The - change share commandchange share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully - execute the change share commandchange share command, smbdsmbd will automatically invoke the - change share commandchange share command with four parameters.

        • configFileconfigFile - the location of the global

        • shareNameshareName - the name of the new share.

        • pathNamepathName - path to an **existing** directory on disk.

        • commentcomment - comment string to associate with the new share.

          See also add share - command, delete - share command.

          If you want to set the string that is displayed next to the machine name then see the server string server string parameter.

          A synonym for this parameter is create modecreate mode .

          Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create modeforce create mode parameter which is set to 000 by default.

          This parameter does not affect directory modes. See the parameter directory mode - for details.

          See also the force - create mode parameter for forcing particular mode bits to be set on created files. See also the directory modedirectory mode parameter for masking mode bits on created directories. See also the inherit permissionsinherit permissions parameter.

          security masksecurity mask.

          This is a synonym for create mask create mask.

          Note that the parameter debug timestamp debug timestamp must be on for this to have an effect.

          Note that the parameter debug timestamp debug timestamp must be on for this to have an effect.

          Samba debug log messages are timestamped by default. If you are running at a high debug leveldebug level these timestamps can be distracting. This boolean parameter allows timestamping @@ -6591,11 +5768,9 @@ NAME="DEBUGUID" >

          Note that the parameter debug timestamp debug timestamp must be on for this to have an effect.

          Synonym for log level log level.

          A synonym for default service default service.

          NAME MANGLING. Also note the short preserve caseshort preserve case parameter.

          Typically the default service would be a guest okguest ok, read-onlyread-only service.

          Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it - allows you to use macros like %S%S to make a wildcard service.

          smbd(8) when a group is requested to be deleted. - It will expand any %g%g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

          For a Samba host this means that the printer must be - physically deleted from underlying printing system. The deleteprinter command deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from .

          The The deleteprinter commanddeleteprinter command is - automatically called with only one parameter: "printer name" "printer name".

          Once the Once the deleteprinter commanddeleteprinter command has been executed,

          See also addprinter command addprinter command, printingprinting, show add - printer wizard

          Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The - delete share commanddelete share command is used to define an external program or script which will remove an existing service definition from smb.conf. In order to successfully - execute the delete share commanddelete share command, smbdsmbd will automatically invoke the - delete share commanddelete share command with two parameters.

          • configFileconfigFile - the location of the global

          • shareNameshareName - the name of the existing service.

            This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter - command.

            See also add share - command, change - share command.

            Default: delete user script = <empty string> +>delete user script = <empty string>

            AS ROOT. - Any %g%g will be replaced with the group name and - any %u%u will be replaced with the user name.

            veto filesveto files - option). If this option is set to nono (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

            If this option is set to If this option is set to yesyes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file @@ -7184,12 +6309,10 @@ CLASS="COMMAND" >

            See also the veto - files parameter.

            Synonym for hosts - deny.

            >dfree command (G)

            The The dfree commanddfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, @@ -7306,12 +6425,10 @@ NAME="DIRECTORY" >

            Synonym for path - .

            Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode - parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

            directory security maskdirectory security mask.

            See the force - directory mode parameter to cause particular mode bits to always be set on created directories.

            See also the create mode - parameter for masking mode bits on created files, and the directory - security mask parameter.

            Also refer to the inherit permissions inherit permissions parameter.

            Synonym for directory mask directory mask

            0777
            0777.

            See also the force directory security mode force directory security mode, security masksecurity mask, force security mode - parameters.

            See also the parameter wins support wins support.

            >domain logons (G)

            If set to If set to yesyes, the Samba server will serve Windows 95/98 Domain logons for the workgroupworkgroup it is in. Samba 2.2 has limited capability to act as a domain controller for Windows @@ -7698,18 +6791,14 @@ CLASS="COMMAND" claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroupworkgroup. Local master browsers - in the same workgroupworkgroup on broadcast-isolated subnets will give this

            Note that Windows NT Primary Domain Controllers expect to be - able to claim this workgroupworkgroup specific special NetBIOS name that identifies them as domain master browsers for - that workgroupworkgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims - the special name for a workgroupworkgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.

            domain logons = yes , then the default behavior is to enable the , then the default behavior is to enable the domain - master parameter. If parameter. If domain logonsdomain logons is - not enabled (the default setting), then neither will domain - master be enabled by default.

            Default: smbd is acting - on behalf of is not the file owner. Setting this option to yes yes allows DOS semantics and "Samba Printer Port""Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than - the default "Samba Printer Port""Samba Printer Port", you - can define enumports commandenumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response @@ -8082,11 +7157,9 @@ NAME="EXEC" >

            This is a synonym for preexecpreexec.

            It is generally much better to use the real oplocksoplocks support rather than this parameter.

            (8) from following symbolic links in a particular share. Setting this - parameter to nono prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a @@ -8240,33 +7311,27 @@ CLASS="EMPHASIS" the mode bits of a file that is being created or having its permissions changed. The default for this parameter is (in octal) 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the create maskcreate mask parameter is applied.

            See also the parameter create - mask for details on masking mode bits on files.

            See also the inherit - permissions parameter.

            directory maskdirectory mask is applied.

            See also the parameter directory mask directory mask for details on masking mode bits on created directories.

            See also the inherit permissions inherit permissions parameter.

            See also the directory security mask directory security mask, security masksecurity mask, force security mode - parameters.

            If the force user - parameter is also set the group specified in - force groupforce group will override the primary group - set in force userforce user.

            See also force - user.

            See also the force directory security mode force directory security mode, directory security - mask, security mask security mask parameters.

            See also force group -

            smbd(8) when a client queries the filesystem type - for a share. The default type is NTFSNTFS for compatibility with Windows NT but this can be changed to other - strings such as Samba or Samba or FAT - if required.

            Default: wide linkswide links parameter is set to parameter is set to nono.

            Default:

            Synonym for force - group.

            This is a username which will be used for access to services which are specified as guest ok guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. @@ -8764,40 +7795,34 @@ NAME="GUESTOK" >>guest ok (S)

            If this parameter is If this parameter is yesyes for a service, then no password is required to connect to the service. Privileges will be those of the guest account guest account.

            This paramater nullifies the benifits of setting restrict - anonymous = 2

            See the section below on security security for more information about this option.

            >guest only (S)

            If this parameter is If this parameter is yesyes for a service, then only guest connections to the service are permitted. This parameter will have no effect if guest okguest ok is not set for the service.

            See the section below on security security for more information about this option.

            See also hide - dot files, veto files veto files and case sensitivecase sensitive.

            Ifnis homedir - is is yesyes, and smbd(8) is also acting - as a Win95/98 logon serverlogon server then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun @@ -9057,27 +8068,23 @@ CLASS="EMPHASIS" >

            See also nis homedirnis homedir , domain logonsdomain logons .

            Default: homedir map = <empty string>homedir map = <empty string>

            Example: --with-msdfs option. If set to option. If set to yesyes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

            See also the msdfs root msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, @@ -9161,12 +8166,10 @@ NAME="HOSTSALLOW" >>hosts allow (S)

            A synonym for this parameter is A synonym for this parameter is allow - hosts.

            This parameter is a comma, space, or tab delimited @@ -9193,11 +8196,9 @@ CLASS="FILENAME" >Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts denyhosts deny option.

            >hosts deny (S)

            The opposite of The opposite of hosts allowhosts allow - hosts listed here are permitted access to services unless the specific services have their own lists to override - this one. Where the lists conflict, the allowallow list takes precedence.

            This is not be confused with hosts allowhosts allow which is about hosts - access to services and is more useful for guest services. hosts equiv hosts equiv may be useful for NT clients which will not supply passwords to Samba.

            NOTE : The use of The use of hosts equiv - can be a major security hole. This is because you are trusting the PC to supply the correct username. It is very easy to get a PC to supply a false username. I recommend that the - hosts equivhosts equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you

            It takes the standard substitutions, except It takes the standard substitutions, except %u - , , %P and %P and %S%S.

            The permissions on new files and directories are normally governed by create mask create mask, directory maskdirectory mask, force create modeforce create mode and force - directory mode but the boolean inherit permissions parameter overrides this.

            map archivemap archive , map hiddenmap hidden and map systemmap system as usual.

            See also create mask - , directory mask directory mask, force create modeforce create mode and force directory modeforce directory mode .

            See also bind - interfaces only.

            A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database + '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value +&group+&group means check the UNIX group database, followed by the NIS netgroup database, and - the value &+group&+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).

            The current servicename is substituted for The current servicename is substituted for %S%S. This is useful in the [homes] section.

            See also valid users - .

            The value of the parameter (an integer) represents - the number of seconds between keepalivekeepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether @@ -9765,11 +8714,9 @@ CLASS="PARAMETER" >Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see socket optionssocket options). Basically you should only use this option if you strike difficulties.

            For UNIXes that support kernel based oplocksoplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

            Kernel oplocks support allows Samba Kernel oplocks support allows Samba oplocks - to be broken whenever a local UNIX process or NFS operation accesses a file that cool feature :-).

            This parameter defaults to This parameter defaults to onon, but is translated to a no-op on systems that no not have the necessary kernel support. You should never need to touch this parameter.

            See also the oplocksoplocks and level2 oplocks - parameters.

            >ldap admin dn (G)

            The The ldap admin dnldap admin dn defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving - user account information. The ldap - admin dn is used in conjunction with the admin dn password stored in the
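Review bot: "retreiving" in the ldap admin dn description should read "retrieving". Since this file is regenerated output, correct it in the source the HTML is built from, otherwise the next regeneration brings it back. The same sentence reads "Distinguished Name (DN) name", where the trailing "name" is redundant.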

            This parameter specifies the RFC 2254 compliant LDAP search filter. - The default is to match the login name with the uiduid - attribute for all entries matching the sambaAccountsambaAccount objectclass. Note that this filter should only return one entry.

            Default : ldap filter = (&(uid=%u)(objectclass=sambaAccount))ldap filter = (&(uid=%u)(objectclass=sambaAccount))

            This option is used to control the tcp port number used to contact the ldap serverldap server. The default is to use the stand LDAPS port 636. @@ -10070,11 +9003,9 @@ CLASS="FILENAME" script.

            The The ldap sslldap ssl can be set to one of three values:

            • OffOff = Never use SSL when querying the directory.

            • Start_tlsStart_tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.

            • OnOn = Use SSL on the ldaps port when contacting the - ldap serverldap server. Only available when the backwards-compatiblity option is specified to configure. See passdb backendpassdb backend

            • The The ldap passwd syncldap passwd sync can be set to one of three values:

              • YesYes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.

              • NoNo = Update NT and LM passwords and update the pwdLastSet time.

              • OnlyOnly = Only update the LDAP password and let the LDAP server do the rest.

              Currently, if kernel - oplocks are supported then level2 oplocks are - not granted (even if this parameter is set to yesyes). Note also, the oplocksoplocks parameter must be set to parameter must be set to yesyes on this share in order for this parameter to have any effect.

              See also the oplocksoplocks and kernel oplockskernel oplocks parameters.

              will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three - values, yes, yes, nono, or - auto. The default is auto. The default is autoauto. - If set to nono Samba will never produce these - broadcasts. If set to yesyes Samba will produce Lanman announce broadcasts at a frequency set by the parameter - lm interval. If set to lm interval. If set to autoauto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter - lm intervallm interval.

              See also lm interval - .

              If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the lm announcelm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be - made despite the setting of the lm announcelm announce parameter.

              See also lm - announce.

              nmbd(8) to try and become a local master browser - on a subnet. If set to nono then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By - default this value is set to yes. Setting this value to yes. Setting this value to yesyes doesn't mean that Samba will in elections for local master browser.

              Setting this value to Setting this value to nono will cause nmbd

              Synonym for lock directory lock directory.

              max connectionsmax connections option.

              lock spin - count for more details.

              may not need locking (such as - CDROM drives), although setting this parameter of nono is not really recommended even in this case.

              This parameter specifies the local path to which the home directory will be connected (see logon homelogon home) and is only used by NT Workstations.

              C:\> C:\> NET USE H: /HOMENET USE H: /HOME

              Note that in prior versions of Samba, the logon pathlogon path was returned rather than - logon homelogon home. This broke net use @@ -10902,11 +9781,9 @@ NAME="LOGONPATH" nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the logon homelogon home parameter.

              The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a pathpath of

              If a If a %p%p is given then the printer name - is put in its place. A %j%j is replaced with - the job number (an integer). On HPUX (see printing=hpux - ), if the ), if the -p%p-p%p option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will @@ -11097,25 +9964,21 @@ CLASS="PARAMETER" >

              See also the printing - parameter.

              Default: Currently no default value is given to - this string, unless the value of the printingprinting - parameter is SYSVSYSV, in which case the default is :

              lp -i %p-%j -H hold

              or if the value of the or if the value of the printingprinting parameter - is SOFTQSOFTQ, then the default is:

              See also the printing - parameter.

              Currently nine styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers most UNIX systems. You control which type is expected - using the printing =printing = option.

              Some clients (notably Windows for Workgroups) may not @@ -11244,43 +10101,35 @@ CLASS="PARAMETER" server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.

              If a If a %p%p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

              Note that it is good practice to include the absolute path - in the lpq command as the lpq command as the $PATH - may not be available to the server. When compiled with - the CUPS libraries, no lpq commandlpq command is needed because smbd will make a library call to obtain the print queue listing.

              See also the printing - parameter.

              depends on the setting of depends on the setting of printing printing

              lppause command - parameter.

              If a If a %p%p is given then the printer name - is put in its place. A %j%j is replaced with the job number (an integer).

              Note that it is good practice to include the absolute path - in the lpresume commandlpresume command as the PATH may not be available to the server.

              See also the printing - parameter.

              Default: Currently no default value is given - to this string, unless the value of the printingprinting - parameter is SYSVSYSV, in which case the default is :

              lp -i %p-%j -H resume

              or if the value of the or if the value of the printingprinting parameter - is SOFTQSOFTQ, then the default is:

              This command should be a program or script which takes a printer name and job number, and deletes the print job.

              If a If a %p%p is given then the printer name - is put in its place. A %j%j is replaced with the job number (an integer).

              Note that it is good practice to include the absolute - path in the lprm commandlprm command as the PATH may not be available to the server.

              See also the printing - parameter.

              depends on the setting of depends on the setting of printing -

              magic scriptmagic script parameter below).

              Warning: If two clients use the same Warning: If two clients use the same magic script - in the same directory the output file content is undefined.

              Default: magic output = <magic script name>.out +>magic output = <magic script name>.out

              If the script generates output, output will be sent to the file specified by the magic output magic output parameter (see above).

              Note that the character to use may be specified using the mangling charmangling char option, if you don't like '~'.

              Note that this requires the Note that this requires the create maskcreate mask parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter create maskcreate mask for details.

              This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.

              Note that this requires the Note that this requires the create maskcreate mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter create maskcreate mask for details.

              This controls whether DOS style system files should be mapped to the UNIX group execute bit.

              Note that this requires the Note that this requires the create maskcreate mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter create maskcreate mask for details.

              This parameter is only useful in security modes other than modes other than security = sharesecurity = share - - i.e. user, user, serverserver, - and domaindomain.

              This parameter can take three different values, which tell @@ -12040,36 +10841,34 @@ CLASS="REFENTRYTITLE" >

              Note that this parameter is needed to set up "Guest" - share services when using securitysecurity modes other than share. This is because in these modes the name of the resource being requested is

              For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the GUEST_SESSSETUP GUEST_SESSSETUP value in local.h.

              Default:

              This option allows the number of simultaneous - connections to a service to be limited. If max connections - is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.

              Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the lock directorylock directory option.

              max - disk size
              .

              This option is primarily useful to work around bugs in some pieces of software that can't handle very large disks, particularly disks over 1GB in size.

              A A max disk sizemax disk size of 0 means no limit.

              Default: will remote "Out of Space" to the client. See all total - print jobs.

              • CORECORE: Earliest version. No concept of user names.

              • COREPLUSCOREPLUS: Slight improvements on CORE for efficiency.

              • LANMAN1LANMAN1: First

              • LANMAN2LANMAN2: Updates to Lanman1 protocol.

              • NT1NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.

              • See also min - protocol

                (8) when acting as a WINS server ( wins support = yeswins support = yes) what the maximum 'time to live' of NetBIOS names that

                See also the min - wins ttl parameter.

                message command = csh -c 'xedit %s;rm %s' &message command = csh -c 'xedit %s;rm %s' &

                . That's why I - have the '&' on the end. If it doesn't return immediately then + have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully).

                All messages are delivered as the global guest user. - The command takes the standard substitutions, although %u won't work ( %u won't work (%U%U may be better in this case).

                • %s%s = the filename containing the message.

                • %t%t = the destination that the message was sent to (probably the server name).

                • %f%f = who the message is from.

                • message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s

                  If you don't have a message command then the message @@ -12673,7 +11442,7 @@ CLASS="EMPHASIS" >Example: message command = csh -c 'xedit %s; - rm %s' &

              Synonym for min password lengthmin password length.

              See also unix - password sync, passwd programpasswd program and passwd chat debugpasswd chat debug .

              See also the printing - parameter.

              max protocolmax protocol parameter for a list of valid protocol names and a brief description @@ -12802,12 +11559,10 @@ CLASS="FILENAME" >If you are viewing this parameter as a security measure, you should also refer to the lanman - auth parameter. Otherwise, you should never need to change this parameter.

              when acting as a WINS server ( wins support = yes wins support = yes) what the minimum 'time to live' of NetBIOS names that Only Dfs roots can act as proxy shares. Take a look at the msdfs rootmsdfs root and host msdfshost msdfs options to find out how to set up a Dfs root share.

              --with-msdfs
              option. If set to option. If set to yesyes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. @@ -12930,12 +11679,10 @@ TARGET="_top" >

              See also host msdfs -

              • lmhostslmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the

              • hosthost : Do a standard host name to IP address resolution, using the system

              • winswins : Query a name with the IP address listed in the wins server wins server parameter. If no WINS server has been specified this method will be ignored.

              • bcastbcast : Do a broadcast on each of the known local interfaces listed in the interfacesinterfaces parameter. This is the least reliable of the name resolution @@ -13092,12 +11835,10 @@ TARGET="_top" >

                See also netbios - name.

                See also netbios - aliases.

                homedir maphomedir map and return the server listed there.

                Default: non unix account range = <empty string> +>non unix account range = <empty string>

                smbd(8) will allow Windows NT - clients to connect to the NT SMB specific IPC$IPC$ pipes. This is a developer debugging option and can be left alone.

                will negotiate NT specific status support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. - If this option is set to nono then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.

                encrypt passwords = yesencrypt passwords = yes . The reason is that PAM modules cannot support the challenge/response @@ -13376,20 +12111,16 @@ NAME="ONLYUSER" >

                This is a boolean option that controls whether - connections with usernames not in the useruser list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login - names from the useruser list and is only really useful in user = %S which means your which means your useruser list will be just the service name, which for home directories is the name of the user.

                See also the useruser parameter.

                A synonym for guest only guest only.

                Oplocks may be selectively turned off on certain files with a share. See the veto oplock files veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the - kernel oplockskernel oplocks parameter for details.

                See also the kernel - oplocks and level2 oplocks level2 oplocks parameters.

                nmbd(8) - has a chance of becoming a local master browser for the WORKGROUP WORKGROUP in the local broadcast area.

                <nt driver name> = <os2 driver - name>.<device name>

                <nt driver name> = <os2 driver + name>.<device name>

                For example, a valid entry using the HP LaserJet 5 printer driver would appear as

                Default: os2 driver map = <empty string> +>os2 driver map = <empty string>

                passwd programpasswd program. It should be possible to enable this without changing your passwd chatpasswd chat parameter for most setups. @@ -13777,7 +12488,7 @@ CLASS="REFENTRYTITLE" >

                Default: panic action = <empty string>panic action = <empty string>

                Example:

                See also non unix account rangenon unix account range

              • private dirprivate dir directory.

                private dirprivate dir directory.

                See also non unix account rangenon unix account range

                See also non unix account - range

                ldap sslldap ssl) or by - specifying ldaps://ldaps:// in the URL argument.

                uses to determine what to send to the passwd programpasswd program and what to expect back. If the expected output is not @@ -14066,16 +12761,14 @@ CLASS="PARAMETER" >

                Note that this parameter only is only used if the unix - password sync parameter is set to parameter is set to yesyes. This sequence is then called

                The string can contain the macro The string can contain the macro %n%n which is substituted for the new password. The chat sequence can also contain the standard - macros \\n, \\n, \\r, \\r, \\t and \\t and \\s\\s to give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. @@ -14125,16 +12816,14 @@ CLASS="CONSTANT" >

                If the pam - password change parameter is set to parameter is set to yesyes, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions. @@ -14142,36 +12831,28 @@ CLASS="CONSTANT" >

                See also unix password - sync, passwd program passwd program , passwd chat debugpasswd chat debug and pam password changepam password change.

                log with a debug leveldebug level of 100. This is a dangerous option as it will allow plaintext passwords @@ -14225,55 +12904,43 @@ CLASS="PARAMETER" CLASS="COMMAND" >smbd log. It is available to help - Samba admins debug their passwd chatpasswd chat scripts - when calling the passwd programpasswd program and should be turned off after this has been done. This option has no effect if the pam password changepam password change paramter is set. This parameter is off by default.

                See also passwd chatpasswd chat , pam password changepam password change , passwd programpasswd program .

                The name of a program that can be used to set - UNIX user passwords. Any occurrences of %u%u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

                Note
                that if the that if the unix - password sync parameter is set to parameter is set to yes - then this program is called will fail to change the SMB password also (this is by design).

                If the If the unix password syncunix password sync parameter is set this parameter ALL programs called, and must be examined - for security implications. Note that by default unix - password sync is set to is set to nono.

                See also unix - password sync.

                This parameter defines the maximum number of characters that may be upper case in passwords.

                For example, say the password given was "FRED". If For example, say the password given was "FRED". If password level password level is set to 1, the following combinations would be tried if "FRED" failed:

                "Fred", "fred", "fRed", "frEd","freD"

                If If password levelpassword level was set to 2, the following combinations would also be tried:

                The name of the password server is looked up using the parameter name - resolve order and so may resolved by any method and order described in that parameter.

                The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you had better restrict them with hosts allow!

                If the If the securitysecurity parameter is set to - domaindomain, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively @@ -14553,11 +13200,9 @@ CLASS="CONSTANT" CLASS="COMMAND" > security = domain is that if you list several hosts in the - password serverpassword server option then smbd @@ -14565,17 +13210,15 @@ CLASS="COMMAND" > will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

                If the If the password serverpassword server option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C>WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.

                If the If the securitysecurity parameter is - set to serverserver, then there are different restrictions that

              • You may list several password servers in - the password serverpassword server parameter, however if an

                See also the security - parameter.

                Default: password server = <empty string>password server = <empty string>

                Any occurrences of Any occurrences of %u%u in the path will be replaced with the UNIX username that the client is using - on this connection. Any occurrences of %m%m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting @@ -14705,11 +13338,9 @@ CLASS="PARAMETER" >

                Note that this path will be based on root dirroot dir if one was specified.

                See also preexecpreexec .

                Example: postexec = echo \"%u disconnected from %S - from %m (%I)\" >> /tmp/log

              • >postscript (S)

                This parameter forces a printer to interpret - the print files as PostScript. This is done by adding a %! - to the start of print output.

                This is most useful when you have lots of PCs that persist - in putting a control-D at the start of print jobs, which then - confuses your printer.

                Default: postscript = no
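Review bot: the whole postscript (S) entry, from its heading through "Default: postscript = no", is removed here and nothing in these lines replaces it, while the commit message says only "Regenerate". If the parameter was dropped from the source documentation on purpose, name that source change in the commit message so the deletion can be traced. If smbd still accepts postscript, the entry needs to come back.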

                preexec = csh -c 'echo \"Welcome to %S!\" | - /usr/local/samba/bin/smbclient -M %m -I %I' &

                Of course, this could get annoying after a while :-)

                See also preexec close - and postexec - .

                Example: preexec = echo \"%u connected to %S from %m - (%I)\" >> /tmp/log

                This boolean option controls whether a non-zero return code from preexec - should close the service being connected to.

                is a preferred master browser for its workgroup.

                If this is set to If this is set to yesyes, on startup, nmbd domain master domain master = yes, so that

                See also os levelos level .

                Synonym for preferred master preferred master for people who cannot spell :-).

                Note that if you just want all printers in your printcap file loaded then the load printersload printers option is easier.

                default case - .

                MUST contain at least - one occurrence of %s or %s or %f - - the - the %p%p is optional. At the time - a job is submitted, if no printer name is supplied the %p - will be silently removed from the printer command.

                If specified in the [global] section, the print command given @@ -15146,17 +13728,15 @@ CLASS="PARAMETER" be created but not processed and (most importantly) not removed.

                Note that printing may fail on some UNIXes from the - nobodynobody account. If this happens then create an alternative guest account that can print and set the guest accountguest account in the [global] section.

                print command = echo Printing %s >> +>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

                printingprinting parameter.

                Synonym for printableprintable.

                >printable (S)

                If this parameter is If this parameter is yesyes, then clients may open, write to and submit spool files on the directory specified for the service.

                read only - parameter controls only non-printing access to the resource.

                Synonym for printcap name printcap name.

                to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in - Samba (this includes most System V based systems). If printcap name printcap name is set to lpstat

                Default: printer admin = <empty string>printer admin = <empty string>

                >printer driver (S)

                Note :This is a deprecated - parameter and will be removed in the next major release - following version 2.2. Please see the instructions in - the Samba 2.2. Printing - HOWTO for more information - on the new method of loading printer drivers onto a Samba server. -

                This option allows you to control the string - that clients receive when they ask the server for the printer driver - associated with a printer. If you are using Windows95 or Windows NT - then you can use this to automate the setup of printers on your - system.

                You need to set this parameter to the exact string (case - sensitive) that describes the appropriate printer driver for your - system. If you don't know the exact string to use then you should - first try with no printer driver option set and the client will - give you a list of printer drivers. The appropriate strings are - shown in a scroll box after you have chosen the printer manufacturer.

                See also printer - driver file.

                Example: printer driver = HP LaserJet 4L

                >printer driver file (G)

                Note :This is a deprecated - parameter and will be removed in the next major release - following version 2.2. Please see the instructions in - the Samba 2.2. Printing - HOWTO for more information - on the new method of loading printer drivers onto a Samba server. -

                This parameter tells Samba where the printer driver - definition file, used when serving drivers to Windows 95 clients, is - to be found. If this is not set, the default is :

                SAMBA_INSTALL_DIRECTORY - /lib/printers.def

                This file is created from Windows 95 msprint.inf - files found on the Windows 95 client system. For more - details on setting up serving of printer drivers to Windows 95 - clients, see the outdated documentation file in the docs/ - directory, PRINTER_DRIVER.txt.

                See also printer driver location.

                Default: None (set in compile).

                Example: printer driver file = - /usr/local/samba/printers/drivers.def

                >printer driver location (S)

                Note :This is a deprecated - parameter and will be removed in the next major release - following version 2.2. Please see the instructions in - the Samba 2.2. Printing - HOWTO for more information - on the new method of loading printer drivers onto a Samba server. -

                This parameter tells clients of a particular printer - share where to find the printer driver files for the automatic - installation of drivers for Windows 95 machines. If Samba is set up - to serve printer drivers to Windows 95 machines, this should be set to

                \\MACHINE\PRINTER$

                Where MACHINE is the NetBIOS name of your Samba server, - and PRINTER$ is a share you set up for serving printer driver - files. For more details on setting this up see the outdated documentation - file in the docs/ directory, PRINTER_DRIVER.txt.

                See also printer driver file.

                Default: none

                Example: printer driver location = \\MACHINE\PRINTER$ -
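Review bot: printer driver, printer driver file and printer driver location are all deleted in this region. That matches the deprecation note each entry carried ("will be removed in the next major release following version 2.2"), but those removed notes were also what sent readers to the Samba 2.2 Printing HOWTO for the new method of loading printer drivers. Check that the regenerated page still links that HOWTO from a surviving printing entry, and that no remaining "See also" reference points at the three removed entries.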

                >printer name (S)
                none (but may be none (but may be lplp on many systems)

                Synonym for printer name printer name.

                This parameters controls how printer status information is interpreted on your system. It also affects the - default values for the print commandprint command, - lpq command, lpq command, lppause command - , , lpresume commandlpresume command, and - lprm commandlprm command if specified in the [global] section.

                Currently nine printing styles are supported. They are - BSD, BSD, AIXAIX, - LPRNG, LPRNG, PLPPLP, - SYSV, SYSV, HPUXHPUX, - QNX, QNX, SOFTQSOFTQ, - and CUPSCUPS.

                To see what the defaults are for the other print @@ -15810,11 +14160,9 @@ NAME="PROTOCOL" >

                Synonym for max protocolmax protocol.

                Synonym for guest - ok.

                If a If a %p%p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

                depends on the setting of depends on the setting of printing -

                queuepause command queuepause command).

                If a If a %p%p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

                depends on the setting of printingprintingsmbd(8) will support the "Read Block Multiplex" SMB. This is now rarely used and defaults to - nono. You should never need to set this parameter.

                read onlyread only option is set to. The list can include group names using the syntax described in the invalid users invalid users parameter.

                See also the write list write list parameter and the invalid usersinvalid users parameter.

                Default: read list = <empty string>read list = <empty string>

                Example:

                An inverted synonym is writeablewriteable.

                If this parameter is If this parameter is yesyes, then users of a service may not create or modify files in the service's directory.

                In general this parameter should be viewed as a system tuning tool and left severely alone. See also write rawwrite raw.

                >read size (G)

              The option The option read sizeread size affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in several of the SMB @@ -16210,11 +14532,9 @@ CLASS="COMMAND" If you leave out the workgroup name then the one given in the workgroupworkgroup parameter is used instead.

              Default: remote announce = <empty string> +>remote announce = <empty string>

              Default: remote browse sync = <empty string> +>remote browse sync = <empty string>

              This is a integer parameter, and mirrors as much as possible the functinality the - RestrictAnonymousRestrictAnonymous registry key does on NT/Win2k.

              Synonym for root directory"root directory".

              Synonym for root directory"root directory".

              wide linkswide links parameter).

              Adding a Adding a root directoryroot directory entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the - sub-tree specified in the root directoryroot directory option, some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files - into the root directoryroot directory tree. In particular you will need to mirror >root postexec (S)

            This is the same as the This is the same as the postexecpostexec parameter except that the command is run as root. This is useful for unmounting filesystems @@ -16436,17 +14742,15 @@ CLASS="PARAMETER" >

            See also postexec postexec.

            Default: root postexec = <empty string> +>root postexec = <empty string>

            >root preexec (S)

            This is the same as the This is the same as the preexecpreexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a @@ -16469,25 +14771,21 @@ CLASS="PARAMETER" >

            See also preexec preexec and preexec closepreexec close.

            Default: root preexec = <empty string> +>root preexec = <empty string>

            >root preexec close (S)

            This is the same as the This is the same as the preexec close - parameter except that the command is run as root.

            See also preexec preexec and preexec closepreexec close.

            , see the map to guestmap to guest parameter for details.

            where it is offers both user and share level security under different NetBIOS aliasesNetBIOS aliases.

            If the guest - only parameter is set, then all the other stages are missed and only the guest accountguest account username is checked.

            Is a username is sent with the share connection request, then this username (after mapping - see username mapusername map), is added as a potential username.

            Any users on the user user list are added as potential usernames.

          If the If the guest onlyguest only parameter is not set, then this list is then tried with the supplied password. The first user for whom the password matches will be used as the UNIX user.

          If the If the guest onlyguest only parameter is set, or no username can be determined then if the share is marked - as available to the guest accountguest account, then this guest user will be used, otherwise access is denied.

          username mapusername map parameter). Encrypted passwords (see the encrypted passwordsencrypted passwords parameter) can also be used in this security mode. Parameters such as useruser and guest onlyguest only if set are then applied and may change the UNIX user to use on this connection, but only after @@ -16880,20 +15146,16 @@ CLASS="EMPHASIS" guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest accountguest account. See the map to guestmap to guest parameter for details on doing this.

          has been used to add this machine into a Windows NT Domain. It expects the encrypted passwordsencrypted passwords parameter to be set to parameter to be set to yesyes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly @@ -16985,20 +15245,16 @@ CLASS="EMPHASIS" guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest accountguest account. See the map to guestmap to guest parameter for details on doing this.

          See also the password - server parameter and the encrypted passwordsencrypted passwords parameter.

          . It expects the encrypted passwordsencrypted passwords parameter to be set to - yesyes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot @@ -17130,20 +15380,16 @@ CLASS="EMPHASIS" guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest accountguest account. See the map to guestmap to guest parameter for details on doing this.

          See also the password - server parameter and the encrypted passwordsencrypted passwords parameter.

          0777
          0777.

          See also the force directory security modeforce directory security mode, directory - security mask, force security modeforce security mode parameters.

          It also sets what will appear in browse lists next to the machine name.

          A A %v%v will be replaced with the Samba version number.

          A A %h%h will be replaced with the hostname.

          This enables or disables the honoring of - the share modesshare modes during a file open. These modes are used by clients to gain exclusive read or write access to a file.

          The share modes that are enabled by this option are - DENY_DOS, DENY_DOS, DENY_ALLDENY_ALL, - DENY_READ, DENY_READ, DENY_WRITEDENY_WRITE, - DENY_NONE and DENY_NONE and DENY_FCBDENY_FCB.

          default case - . This option can be use with printer adminprinter admin group), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW icon will not be displayed.

          Disabling the Disabling the show add printer wizardshow add printer wizard parameter will always cause the OpenPrinterEx() on the server to fail. Thus the APW icon will never be displayed.

          See also addprinter - command, deleteprinter commanddeleteprinter command, printer adminprinter admin

          %m %t %r %f parameters are expanded

          %m%m will be substituted with the shutdown message sent to the server.

          %t%t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.

          %r%r will be substituted with the switch

          %f%f will be substituted with the switch Shutdown does not return so we need to launch it in background.

          See also abort shutdown scriptabort shutdown script.

          This parameter determines the number of - entries in the stat cachestat cache. You should never need to change this parameter.

          This is a boolean that controls the handling of - disk space allocation in the server. When this is set to yesyes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour @@ -17947,15 +16153,15 @@ CLASS="CONSTANT" terminology this means that Samba will stop creating sparse files. This can be slow on some systems.

          When strict allocate is When strict allocate is nono the server does sparse disk block allocation when a file is extended.

          Setting this to Setting this to yesyes can help Samba return out of quota messages on systems that are restricting the disk quota of users.

          This is a boolean that controls the handling of - file locking in the server. When this is set to yesyes the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems.

          When strict locking is When strict locking is nono the server does file lock checks only when the client explicitly asks for them.

          nono (the default) means that

          See also the sync - always> parameter.

          This is a boolean parameter that controls whether writes will always be written to stable storage before - the write call returns. If this is nono then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). - If this is yesyes then every write will be followed by a fsync() call to ensure the data is written to disk. Note that - the strict syncstrict sync parameter must be set to - yesyes in order for this parameter to have any affect.

          See also the strict - sync parameter.

          This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug - level zero maps onto syslog LOG_ERRLOG_ERR, debug - level one maps onto LOG_WARNINGLOG_WARNING, debug level - two maps onto LOG_NOTICELOG_NOTICE, debug level three - maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG LOG_DEBUG.

          This parameter sets the threshold for sending messages @@ -18176,18 +16376,14 @@ TARGET="_top" >winbindd(8) daemon uses this parameter to fill in the home directory for that user. - If the string %D%D is present it is substituted - with the user's Windows NT domain name. If the string %U - is present it is substituted with the user's Windows NT user name.

          Synonym for debug timestamp debug timestamp.

          max print jobsmax print jobs.

          This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. - If this is set to yes the program specified in the yes the program specified in the passwd - programparameter is called

          See also passwd - program, passwd chat passwd chat.

          nono.

          In order for this parameter to work correctly the encrypt passwordsencrypt passwords parameter must be set to parameter must be set to nono when - this parameter is set to yesyes.

          Note that even when this parameter is set a user @@ -18551,9 +16735,9 @@ NAME="USEMMAP" >This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a - coherent cache, and so this parameter is set to nono by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with @@ -18567,51 +16751,6 @@ CLASS="COMMAND" >

          >use rhosts (G)

          If this global parameter is yes, it specifies - that the UNIX user's .rhosts file in their home directory - will be read to find the names of hosts and users who will be allowed - access without specifying a password.

          NOTE: The use of use rhosts - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the use rhosts option be only used if you really know what - you are doing.

          Default: use rhosts = no

          >user (S)

          Synonym for username username.

          Synonym for username username.

          The The usernameusername line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.

          The The usernameusername line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the - usernameusername line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter @@ -18695,12 +16824,10 @@ CLASS="PARAMETER" >To restrict a service to a particular set of users you can use the valid users - parameter.

          If any of the usernames begin with a '&' then the name +>If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.

          Default: The guest account if a guest service, - else <empty string>.

          Examples:AstrangeUser - .

          Default:

          For example to map from the name For example to map from the name adminadmin - or administrator to the UNIX name administrator to the UNIX name root root you would use:

          root = admin administrator

          Or to map anyone in the UNIX group Or to map anyone in the UNIX group systemsystem - to the UNIX name syssys you would use:

          Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and fred is remapped to fred is remapped to marymary then you will actually be connecting to \\server\mary and will need to - supply a password suitable for marymary not - fredfred. The only exception to this is the username passed to the password server password server (if you have one). The password server will receive whatever username the client supplies without @@ -18931,9 +17056,9 @@ NAME="USESENDFILE" >>use sendfile (S)

          If this parameter is If this parameter is yesyes, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX @@ -18959,9 +17084,9 @@ NAME="UTMP" Samba has been configured and compiled with the option --with-utmp. If set to . If set to yesyes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the @@ -18975,11 +17100,9 @@ CLASS="CONSTANT" >

          See also the utmp directory utmp directory parameter.

          utmputmp parameter. By default this is not set, meaning the system will use whatever utmp file the @@ -19049,11 +17170,9 @@ CLASS="COMMAND" See also the utmputmp parameter. By default this is not set, meaning the system will use whatever utmp file the @@ -19084,40 +17203,32 @@ NAME="VALIDUSERS" >

          This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' + to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the - invalid usersinvalid users parameter.

          If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user.

          The current servicename is substituted for The current servicename is substituted for %S - . This is useful in the [homes] section.

          See also invalid users -

          include the unix directory separator '/'.

          Note that the Note that the case sensitivecase sensitive option is applicable in vetoing files.

          fail unless you also set - the delete veto filesdelete veto files parameter to - yesyes.

          Setting this parameter will affect the performance @@ -19196,20 +17301,16 @@ CLASS="PARAMETER" >

          See also hide files - and case sensitive case sensitive.

          This parameter is only valid when the oplocksoplocks parameter is turned on for a share. It allows the Samba administrator @@ -19255,11 +17354,9 @@ CLASS="PARAMETER" match a wildcarded list, similar to the wildcarded list used in the veto filesveto files parameter.

          vfs object vfs object.

          endpwent() group of system calls. If - the winbind enum userswinbind enum users parameter is - nono, calls to the getpwentendgrent() group of system calls. If - the winbind enum groupswinbind enum groups parameter is - nono, calls to the getgrent()

          Default: winbind gid = <empty string> +>winbind gid = <empty string>

          This parameter allows an admin to define the character - used when listing a username of the form of DOMAIN - \\useruser. This parameter is only applicable when using the

          Default: winbind uid = <empty string> +>winbind uid = <empty string>

          Default: winbind use default domain = <no> +>winbind use default domain = <no>

          nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this - to yesyes for some older clients.

          Default: nmbd(8) process in Samba will act as a WINS server. You should - not set this to yesyes unless you have a multi-subnetted network and you wish a particular NEVER set this to set this to yesyes on more than one machine in your network.

          Synonym for writeable writeable for people who can't spell :-).

          read onlyread only option is set to. The list can include group names using the @@ -19968,18 +18051,16 @@ CLASS="PARAMETER" >

          See also the read list - option.

          Default: write list = <empty string> +>write list = <empty string>

          Inverted synonym for read only read only.

          Inverted synonym for read only read only.

          WARNINGS

          VERSION

          SEE ALSO

          AUTHOR
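Review bot: the hunk at "@@ -18567,51 +16751,6 @@" deletes the entire "use rhosts (G)" entry, including its NOTE that the option "can be a major security hole" because the server trusts the PC to supply the correct username, and nothing in the visible patch says why. If the parameter has been removed from the server, state that in the commit message and point to the change that removed it. If smb.conf still accepts it, keep the entry and its warning in the documentation source, so that an administrator who finds "use rhosts = yes" in an existing configuration can still look up what it permits.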
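Review bot: several wording errors pass through this change untouched in the unchanged context and should be fixed at the same time: "This parameters controls how printer status information is interpreted", "This is a integer parameter, and mirrors as much as possible the functinality" in the RestrictAnonymous sentence, "Is a username is sent with the share connection request", and "in order for this parameter to have any affect" in the strict sync sentence. If this HTML is generated output, make the corrections in the documentation source and regenerate rather than editing this file, otherwise the next regeneration will reintroduce them.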