From 30129251f26a4b2b59817eb984cc76251e89691d Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 12 May 2000 13:05:24 +0000 Subject: Added mention of the CUPS option for the printing parameter -jerry (This used to be commit 3fed01f9c311bb81ce3013453a5dc9630201ccf1) --- docs/htmldocs/smb.conf.5.html | 1623 ++++++++++++++++++++++------------------- 1 file changed, 891 insertions(+), 732 deletions(-) (limited to 'docs/htmldocs/smb.conf.5.html') diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 521c70d653..adda876afd 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -5,7 +5,7 @@ smb.conf (5) - + @@ -59,12 +59,12 @@ numeric.

SECTION DESCRIPTIONS


Each section in the configuration file (except for the -[global] section) describes a shared resource (known +[global] section) describes a shared resource (known as a "share"). The section name is the name of the shared resource and the parameters within the section define the shares attributes. -


There are three special sections, [global], -[homes] and [printers], which are -described under 'special sections'. The +


There are three special sections, [global], +[homes] and [printers], which are +described under 'special sections'. The following notes apply to ordinary section descriptions.


A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of @@ -72,14 +72,14 @@ the service. Some housekeeping options are also specifiable.


Sections are either filespace services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server). -


Sections may be designated guest services, in which +


Sections may be designated guest services, in which case no password is required to access them. A specified UNIX -guest account is used to define access +guest account is used to define access privileges in this case.


Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list of usernames to -check against the password using the "user=" option in +check against the password using the "user=" option in the share definition. For modern clients such as Windows 95/98 and Windows NT, this should not be necessary.


Note that the access rights granted by the server are masked by the @@ -102,13 +102,13 @@ the share name "foo":


The following sample section defines a printable share. The share is readonly, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The -'guest ok' parameter means access will be permitted +'guest ok' parameter means access will be permitted as the default guest user (specified elsewhere):


 
  	[aprinter]
  		path = /usr/spool/public
- 		read only = true
+ 		writeable = false
  		printable = true
  		guest ok = true
 
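Review bot: In the [aprinter] sample, the new line `writeable = false` no longer matches the paragraph directly above it, which still describes the share as "readonly, but printable". A reader looking for the parameter named in the prose will not find it in the example. Either keep `read only = true` in the sample, or reword the paragraph to name `writeable` and state once that the two settings express the same restriction with opposite sense. Because this share also carries `guest ok = true`, the read-only setting is the line readers most need to recognise when they copy the block.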
@@ -122,7 +122,7 @@ as the default guest user (specified elsewhere):
 
  • The [global] section


    Parameters in this section apply to the server as a whole, or are defaults for sections which do not specifically define certain -items. See the notes under 'PARAMETERS' for more +items. See the notes under 'PARAMETERS' for more information.


  • The [homes] section @@ -141,8 +141,8 @@ username


  • If no path was given, the path is set to the user's home directory.


    -


    If you decide to use a path= line in your [homes] -section then you may find it useful to use the %S +


    If you decide to use a path= line in your [homes] +section then you may find it useful to use the %S macro. For example :


    path=/data/pchome/%S


    would be useful if you have different home directories for your PCs @@ -166,26 +166,26 @@ following is a typical and suitable [homes] section:


    An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is -actually desirable, it would be wise to also specify read only +actually desirable, it would be wise to also specify read only access. -


    Note that the browseable flag for auto home +


    Note that the browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable=no in the [homes] section will hide the [homes] share but make any auto home directories visible.


  • The [printers] section -


    This section works like [homes], but for printers. -


    If a [printers] section occurs in the configuration file, users are +


    This section works like [homes], but for printers. +


    If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.


    When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a -[homes] section exists, it is used as described +[homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is -found, a new printer share is created by cloning the [printers] +found, a new printer share is created by cloning the [printers] section.


    A few modifications are then made to the newly created share:


      @@ -195,16 +195,15 @@ located printer name


    • If the share does not permit guest access and no username was given, the username is set to the located printer name.


    -


    Note that the [printers] service MUST be printable - if you specify +


    Note that the [printers] service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file.


    Typically the path specified would be that of a world-writeable spool -directory with the sticky bit set on it. A typical [printers] entry +directory with the sticky bit set on it. A typical [printers] entry would look like this:


     
      	[printers]
      		path = /usr/spool/public
    - 		writeable = no
      		guest ok = yes
      		printable = yes 
     
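Review bot: Removing `writeable = no` from the typical [printers] entry leaves an example that pairs `guest ok = yes` with a path the surrounding text calls a world-writeable spool directory, and nothing in the example now says the share is read-only. The outcome then depends on the default for that parameter, which this hunk never states. Suggest keeping the explicit line, or adding a sentence beside the example saying that a printable share left at the default permits writes only through opening, writing to and closing a spool file, as the earlier [aprinter] text describes.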
    @@ -220,7 +219,7 @@ this:
     


    Each alias should be an acceptable printer name for your printing -subsystem. In the [global] section, specify the new +subsystem. In the [global] section, specify the new file as your printcap. The server will then only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit @@ -230,26 +229,26 @@ of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols ("|").


    NOTE: On SYSV systems which use lpstat to determine what printers are -defined on the system you may be able to use "printcap name = +defined on the system you may be able to use "printcap name = lpstat" to automatically obtain a list of -printers. See the "printcap name" option for +printers. See the "printcap name" option for more details.



    PARAMETERS


    Parameters define the specific attributes of sections. -


    Some parameters are specific to the [global] section -(e.g., security). Some parameters are usable in -all sections (e.g., create mode). All others are +


    Some parameters are specific to the [global] section +(e.g., security). Some parameters are usable in +all sections (e.g., create mode). All others are permissible only in normal sections. For the purposes of the following -descriptions the [homes] and -[printers] sections will be considered normal. +descriptions the [homes] and +[printers] sections will be considered normal. The letter 'G' in parentheses indicates that a parameter is -specific to the [global] section. The letter 'S' +specific to the [global] section. The letter 'S' indicates that a parameter can be specified in a service specific section. Note that all 'S' parameters can also be specified in the -[global] section - in which case they will define +[global] section - in which case they will define the default behavior for all services.


    Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there @@ -259,7 +258,7 @@ preferred synonym.

    VARIABLE SUBSTITUTIONS


    Many of the strings that are settable in the config file can take -substitutions. For example the option "path = +substitutions. For example the option "path = /tmp/%u" would be interpreted as "path = /tmp/john" if the user connected with the username john.


    These substitutions are mostly noted in the descriptions below, but @@ -273,14 +272,14 @@ be relevant. These are:


  • %u = user name of the current service, if any.


    -

  • %g = primary group name of %u. +
  • %g = primary group name of %u.


  • %U = session user name (the user name that the client wanted, not necessarily the same as the one they got).


    -

  • %G = primary group name of %U. +
  • %G = primary group name of %U.


    -

  • %H = the home directory of the user given by %u. +
  • %H = the home directory of the user given by %u.


  • %v = the Samba version.


    @@ -297,7 +296,7 @@ personality".

  • %N = the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option then this value will be the same -as %L. +as %L.


  • %p = the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as "%N:%p". @@ -311,7 +310,7 @@ negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If it gets it wrong -then sending a level 3 log to samba-bugs@samba.org +then sending a level 3 log to samba@samba.org should allow it to be fixed.


  • %I = The IP address of the client machine. @@ -351,7 +350,7 @@ case. Default Yes.


    "short preserve case = yes/no" controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the "default" -case. This option can be use with "preserve case = +case. This option can be use with "preserve case = yes" to permit long filenames to retain their case, while short names are lowered. Default Yes.


    By default, Samba 2.0 has the same semantics as a Windows NT @@ -364,7 +363,7 @@ service. The server follows the following steps in determining if it will allow a connection to a specified service. If all the steps fail then the connection request is rejected. If one of the steps pass then the following steps are not checked. -


    If the service is marked "guest only = yes" then +


    If the service is marked "guest only = yes" then steps 1 to 5 are skipped.



    1. Step 1: If the client has passed a username/password pair and @@ -381,17 +380,17 @@ the connection is allowed as the corresponding user.


    2. Step 4: If the client has previously validated a username/password pair with the server and the client has passed the validation token then that username is used. This step is skipped if -"revalidate = yes" for this service. -


    3. Step 5: If a "user = " field is given in the +"revalidate = yes" for this service. +


    4. Step 5: If a "user = " field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password -checking) with one of the usernames from the user= +checking) with one of the usernames from the user= field then the connection is made as the username in the -"user=" line. If one of the username in the -user= list begins with a '@' then that name +"user=" line. If one of the username in the +user= list begins with a '@' then that name expands to a list of names in the group of the same name.


    5. Step 6: If the service is a guest service then a connection is -made as the username given in the "guest account +made as the username given in the "guest account =" for the service, irrespective of the supplied password.


    @@ -401,154 +400,162 @@ password.


    Here is a list of all global parameters. See the section of each parameter for details. Note that some are synonyms.



    COMPLETE LIST OF SERVICE PARAMETERS

    @@ -556,116 +563,119 @@ parameter for details. Note that some are synonyms.


    Here is a list of all service parameters. See the section of each parameter for details. Note that some are synonyms.



    EXPLANATION OF EACH PARAMETER

    @@ -684,14 +694,14 @@ onerous task. This option allows smbd the required UNIX users ON DEMAND when a user accesses the Samba server.


    In order to use this option, smbd must be set to -security=server or -security=domain and "add user script" +security=server or +security=domain and "add user script" must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.


    When the Windows user attempts to access the Samba server, at "login"(session setup in the SMB protocol) time, -smbd contacts the password +smbd contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX @@ -703,9 +713,9 @@ to be the user name to create. smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts. -


    See also security=server, -security=domain, password -server, delete user +


    See also
    security=server, +security=domain, password +server, delete user script.


    Default: add user script = <empty string> @@ -725,10 +735,10 @@ file permissions. admin users = jason


  • allow hosts (S) -


    Synonym for hosts allow. +


    Synonym for hosts allow.


  • allow trusted domains (G) -


    This option only takes effect when the security +


    This option only takes effect when the security option is set to server or domain. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain @@ -781,7 +791,7 @@ to be a downlevel server. the browse lists. This is most useful for homes and printers services that would otherwise not be visible.


    Note that if you just want all printers in your printcap file loaded -then the "load printers" option is easier. +then the "load printers" option is easier.


    Default: no auto services


    Example: @@ -803,7 +813,7 @@ on a machine will serve smb requests. If affects file service in slightly different ways.


    For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the -'interfaces' +'interfaces' parameter. nmbd also binds to the 'all addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then @@ -812,22 +822,22 @@ sockets. If "bind interfaces only" is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the -'interfaces' parameter list. As unicast packets +'interfaces' parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the -"interfaces" list. IP Source address spoofing +"interfaces" list. IP Source address spoofing does defeat this simple check, however so it must not be used seriously as a security feature for nmbd.


    For file service it causes smbd to bind only to -the interface list given in the 'interfaces' +the interface list given in the 'interfaces' parameter. This restricts the networks that smbd will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.


    If "bind interfaces only" is set then unless the network address -127.0.0.1 is added to the 'interfaces' parameter +127.0.0.1 is added to the 'interfaces' parameter list smbpasswd and swat may not work as expected due to the reasons covered below. @@ -835,7 +845,7 @@ reasons covered below. by default connects to the "localhost" - 127.0.0.1 address as an SMB client to issue the password change request. If "bind interfaces only" is set then unless the network address 127.0.0.1 is added to the -'interfaces' parameter list then +'interfaces' parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its @@ -872,7 +882,7 @@ request immediately if the lock range cannot be obtained. blocking locks = False


  • browsable (S) -


    Synonym for browseable. +


    Synonym for browseable.


  • browse list(G)


    This controls whether smbd will serve a browse @@ -889,11 +899,11 @@ shares in a net view and in the browse list.


    Example: browseable = No


    -

  • case sensitive (G) -


    See the discussion in the section NAME MANGLING. +

  • case sensitive (S) +


    See the discussion in the section NAME MANGLING.


    -

  • casesignames (G) -


    Synonym for "case sensitive". +

  • casesignames (S) +


    Synonym for "case sensitive".


  • change notify timeout (G)


    One of the new NT SMB requests that Samba 2.0 supports is the @@ -912,38 +922,38 @@ requested directory once every change notify timeout seconds.


  • character set (G)


    This allows a smbd to map incoming filenames from a DOS Code page (see -the client code page parameter) to several +the client code page parameter) to several built in UNIX character sets. The built in code page translations are:



    • ISO8859-1 Western European UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 850 if the character set parameter is set to iso8859-1 in order for the conversion to the UNIX character set to be done correctly.


    • ISO8859-2 Eastern European UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 852 if the character set parameter is set to ISO8859-2 in order for the conversion to the UNIX character set to be done correctly.


    • ISO8859-5 Russian Cyrillic UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 866 if the character set parameter is set to ISO8859-5 in order for the conversion to the UNIX character set to be done correctly.


    • ISO8859-7 Greek UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 737 if the character set parameter is set to ISO8859-7 in order for the conversion to the UNIX character set to be done correctly.


    • KOI8-R Alternate mapping for Russian Cyrillic UNIX -character set. The parameter client code +character set. The parameter client code page MUST be set to code page 866 if the character set parameter is set to KOI8-R in order for the conversion to the UNIX character set to be done correctly.



    BUG. These MSDOS code page to UNIX character set mappings should be dynamic, like the loading of MS DOS code pages, not static. -


    See also client code page. Normally this +


    See also client code page. Normally this parameter is not set, meaning no filename translation is done.


    Default: character set = <empty string> @@ -982,16 +992,16 @@ read the comments in one of the other codepage files and the make_smbcodepage (1) man page and write one. Please remember to donate it back to the Samba user community. -


    This parameter co-operates with the "valid +


    This parameter co-operates with the
    "valid chars" parameter in determining what characters are valid in filenames and how capitalization is done. If you set both -this parameter and the "valid chars" parameter +this parameter and the "valid chars" parameter the "client code page" parameter MUST be set before the -"valid chars" parameter in the smb.conf -file. The "valid chars" string will then augment +"valid chars" parameter in the smb.conf +file. The "valid chars" string will then augment the character settings in the "client code page" parameter.


    If not set, "client code page" defaults to 850. -


    See also : "valid chars" +


    See also : "valid chars"


    Default: client code page = 850


    Example: @@ -999,9 +1009,9 @@ the character settings in the "client code page" parameter.


  • codingsystem (G)


    This parameter is used to determine how incoming Shift-JIS Japanese -characters are mapped from the incoming "client code +characters are mapped from the incoming "client code page" used by the client, into file names in the -UNIX filesystem. Only useful if "client code +UNIX filesystem. Only useful if "client code page" is set to 932 (Japanese Shift-JIS).


    The options are :


      @@ -1060,7 +1070,7 @@ in the configuration file than the service doing the copying. copy = otherservice


    • create mask (S) -


      A synonym for this parameter is 'create mode'. +


      A synonym for this parameter is 'create mode'.


      When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. @@ -1073,18 +1083,19 @@ write and execute bits from the UNIX modes. this parameter with the value of the "force create mode" parameter which is set to 000 by default.


      This parameter does not affect directory modes. See the parameter -'directory mode' for details. -


      See also the "force create mode" parameter +'directory mode' for details. +


      See also the "force create mode" parameter for forcing particular mode bits to be set on created files. See also -the "directory mode" parameter for masking +the "directory mode" parameter for masking mode bits on created directories. +See also the "inherit permissions" parameter.


      Default: create mask = 0744


      Example: create mask = 0775


    • create mode (S) -


      This is a synonym for create mask. +


      This is a synonym for create mask.


    • deadtime (G)


      The value of the parameter (a decimal integer) represents the number @@ -1108,7 +1119,7 @@ performed.


      Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on. -


      Note that the parameter debug timestamp +


      Note that the parameter debug timestamp must be on for this to have an effect.


      Default: debug hires timestamp = No @@ -1117,8 +1128,8 @@ must be on for this to have an effect.


    • debug timestamp (G)


      Samba2.0 debug log messages are timestamped by default. If you are -running at a high "debug level" these timestamps -can be distracting. This boolean parameter allows them to be turned +running at a high "debug level" these timestamps +can be distracting. This boolean parameter allows timestamping to be turned off.


      Default: debug timestamp = Yes @@ -1130,7 +1141,7 @@ off. there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on. -


      Note that the parameter debug timestamp +


      Note that the parameter debug timestamp must be on for this to have an effect.


      Default: debug pid = No @@ -1141,7 +1152,7 @@ must be on for this to have an effect.


      Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. -


      Note that the parameter debug timestamp +


      Note that the parameter debug timestamp must be on for this to have an effect.


      Default: debug uid = No @@ -1158,11 +1169,11 @@ or level zero if none was specified. debug level = 3


    • default (G) -


      A synonym for default service. +


      A synonym for default service.


    • default case (S) -


      See the section on "NAME MANGLING". Also note -the "short preserve case" parameter. +


      See the section on "NAME MANGLING". Also note +the "short preserve case" parameter.


    • default service (G)


      This parameter specifies the name of a service which will be connected @@ -1172,11 +1183,11 @@ below).


      There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error. -


      Typically the default service would be a guest ok, -read-only service. +


      Typically the default service would be a guest ok, +read-only service.


      Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use -macros like %S to make a wildcard service. +macros like %S to make a wildcard service.


      Note also that any '_' characters in the name of the service used in the default service will get mapped to a '/'. This allows for interesting things. @@ -1203,21 +1214,21 @@ onerous task. This option allows smbd the required UNIX users ON DEMAND when a user accesses the Samba server and the Windows NT user no longer exists.


      In order to use this option, smbd must be set to -security=domain and "delete user +security=domain and "delete user script" must be set to a full pathname for a script that will delete a UNIX user given one argument of %u, which expands into the UNIX user name to delete. NOTE that this is different to the -add user script which will work with the -security=server option as well as -security=domain. The reason for this +add user script which will work with the +security=server option as well as +security=domain. The reason for this is only when Samba is a domain member does it get the information on an attempted user logon that a user no longer exists. In the -security=server mode a missing user +security=server mode a missing user is treated the same as an invalid password logon attempt. Deleting the user in this circumstance would not be a good idea.


      When the Windows user attempts to access the Samba server, at "login"(session setup in the SMB protocol) time, -smbd contacts the password +smbd contacts the password server and attempts to authenticate the given user with the given password. If the authentication fails with the specific Domain error code meaning that the user no longer exists then @@ -1228,8 +1239,8 @@ call the specified script AS ROOT, expanding any %u ar to be the user name to delete.


      This script should delete the given UNIX username. In this way, UNIX users are dynamically deleted to match existing Windows NT accounts. -


      See also security=domain, -password server, add user +


      See also
      security=domain, +password server, add user script.


      Default: delete user script = <empty string> @@ -1249,7 +1260,7 @@ semantics prevent deletion of a read only file.


    • delete veto files (S)


      This option is used when Samba is attempting to delete a directory -that contains one or more vetoed directories (see the 'veto +that contains one or more vetoed directories (see the 'veto files' option). If this option is set to False (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what @@ -1262,14 +1273,14 @@ DOS/Windows users from seeing (e.g. .AppleDouble)


      Setting 'delete veto files = True' allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so). -


      See also the veto files parameter. +


      See also the veto files parameter.


      Default: delete veto files = False


      Example: delete veto files = True


    • deny hosts (S) -


      Synonym for hosts deny. +


      Synonym for hosts deny.


    • dfree command (G)


      The dfree command setting should only be used on systems where a @@ -1315,7 +1326,7 @@ and remaining space will be used.
      path names on some systems.


    • directory (S) -


      Synonym for path. +


      Synonym for path.


    • directory mask (S)


      This parameter is the octal modes which are used when converting DOS @@ -1333,18 +1344,19 @@ directory to modify it. this parameter with the value of the "force directory mode" parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added). -


      See the "force directory mode" parameter +


      See the "force directory mode" parameter to cause particular mode bits to always be set on created directories. -


      See also the "create mode" parameter for masking -mode bits on created files, and the "directory security mask" +


      See also the "create mode" parameter for masking +mode bits on created files, and the "directory security mask" parameter. +


      See also the "inherit permissions" parameter.


      Default: directory mask = 0755


      Example: directory mask = 0775


    • directory mode (S) -


      Synonym for directory mask. +


      Synonym for directory mask.


    • directory security mask (S)


      This parameter controls what UNIX permission bits can be modified @@ -1355,16 +1367,16 @@ permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.


      If not set explicitly this parameter is set to the same value as the -directory mask parameter. To allow a user to +directory mask parameter. To allow a user to modify all the user/group/world permissions on a directory, set this parameter to 0777.


      Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0777. -


      See also the force directory security -mode, security -mask, force security mode +


      See also the force directory security +mode, security +mask, force security mode parameters.


      Default: directory security mask = <same as directory mask> @@ -1382,7 +1394,7 @@ the DNS name (or DNS alias) can likewise only be 15 characters, maximum.


      nmbd spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action. -


      See also the parameter wins support. +


      See also the parameter wins support.


      Default: dns proxy = yes


      @@ -1401,11 +1413,6 @@ To work with the latest code builds that may have more support for Samba NT Domain Controller functionality please subscribe to the mailing list Samba-ntdom available by sending email to listproc@samba.org -


      -

    • domain controller (G) -


      This is a DEPRECATED parameter. It is currently not used within -the Samba source and should be removed from all current smb.conf -files. It is left behind for compatibility reasons.


    • domain groups (G)


      This is an EXPERIMENTAL parameter that is part of the unfinished @@ -1433,7 +1440,7 @@ mailing list Samba-ntdom available by sending email to


    • domain logons (G)


      If set to true, the Samba server will serve Windows 95/98 Domain -logons for the workgroup it is in. For more +logons for the workgroup it is in. For more details on setting up this feature see the file DOMAINS.txt in the Samba documentation directory docs/ shipped with the source code.


      Note that Win95/98 Domain logons are NOT the same as Windows @@ -1449,20 +1456,20 @@ also. collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given -workgroup. Local master browsers in the same -workgroup on broadcast-isolated subnets will give +workgroup. Local master browsers in the same +workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.


      Note that Windows NT Primary Domain Controllers expect to be able to -claim this workgroup specific special NetBIOS +claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that -workgroup by default (i.e. there is no way to +workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the -special name for a workgroup before a Windows NT +special name for a workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.


      Default: @@ -1528,13 +1535,13 @@ shipped with the source code. smbpasswd (5) file (see the smbpasswd (8) program for information on how to set up and maintain this file), or set the -security= parameter to either -"server" or -"domain" which causes +security= parameter to either +"server" or +"domain" which causes smbd to authenticate against another server.


    • exec (S) -


      This is a synonym for preexec. +


      This is a synonym for preexec.


    • fake directory create times (S)


      NTFS and Windows VFAT file systems keep a create time for all files @@ -1573,7 +1580,7 @@ operations. This can give enormous performance benefits.


      When you set "fake oplocks = yes" smbd will always grant oplock requests no matter how many clients are using the file. -


      It is generally much better to use the real oplocks +


      It is generally much better to use the real oplocks support rather than this parameter.


      If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as @@ -1596,13 +1603,15 @@ symbolic links) by default.


    • force create mode (S)


      This parameter specifies a set of UNIX mode bit permissions that will -*always* be set on a file created by Samba. This is done by -bitwise 'OR'ing these bits onto the mode bits of a file that is being -created. The default for this parameter is (in octal) 000. The modes -in this parameter are bitwise 'OR'ed onto the file mode after the mask -set in the "create mask" parameter is applied. -


      See also the parameter "create mask" for details -on masking mode bits on created files. +*always* be set on a file by Samba. This is done by bitwise +'OR'ing these bits onto the mode bits of a file that is being created +or having its permissions changed. The default for this parameter is +(in octal) 000. The modes in this parameter are bitwise 'OR'ed onto +the file mode after the mask set in the "create +mask" parameter is applied. +


      See also the parameter "create mask" for details +on masking mode bits on files. +


      See also the "inherit permissions" parameter.


      Default: force create mode = 000
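Review bot: The reworded description says the bits are OR'ed on when a file is "being created or having its permissions changed", but the next sentence still covers only the creation path ("after the mask set in the create mask parameter is applied"), so it is unclear which mask, if any, is applied first when permissions are changed. Please state that explicitly. The See also lines should also name force security mode, since that entry on this page documents bits forced on when permissions are modified and defaults to the value of force create mode.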


      Example: @@ -1618,9 +1627,10 @@ bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. This operation is done after the mode mask in the parameter -"directory mask" is applied. -


      See also the parameter "directory mask" for +"directory mask" is applied. +


      See also the parameter "directory mask" for details on masking mode bits on created directories. +


      See also the "inherit permissions" parameter.


      Default: force directory mode = 000


      Example: @@ -1639,15 +1649,15 @@ have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a directory, the user has always set to be 'on'.


      If not set explicitly this parameter is set to the same value as the -force directory mode parameter. To allow +force directory mode parameter. To allow a user to modify all the user/group/world permissions on a directory, with restrictions set this parameter to 000.


      Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0000. -


      See also the directory security mask, -security mask, force security +


      See also the
      directory security mask, +security mask, force security mode parameters.


      Default: force directory security mode = <same as force directory mode> @@ -1673,10 +1683,10 @@ assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group. -


      If the "force user" parameter is also set the +


      If the "force user" parameter is also set the group specified in force group will override the primary group -set in "force user". -


      See also "force user" +set in "force user". +


      See also "force user"


      Default: no forced group


      Example: @@ -1692,16 +1702,16 @@ have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.


      If not set explicitly this parameter is set to the same value as the -force create mode parameter. To allow +force create mode parameter. To allow a user to modify all the user/group/world permissions on a file, with no restrictions set this parameter to 000.


      Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0000. -


      See also the force directory security -mode, directory security -mask, security mask +


      See also the force directory security +mode, directory security +mask, security mask parameters.


      Default: force security mode = <same as force create mode> @@ -1722,7 +1732,7 @@ password. Once connected, all file operations will be performed as the group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug). -


      See also "force group" +


      See also "force group"


      Default: no forced user


      Example: @@ -1744,18 +1754,18 @@ Windows NT but this can be changed to other strings such as "Samba" or


      This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the -widelinks parameter is set to False. +widelinks parameter is set to False.


      Default: getwd cache = No


      Example: getwd cache = Yes


    • group (S) -


      Synonym for "force group". +


      Synonym for "force group".


    • guest account (S)


      This is a username which will be used for access to services which are -specified as 'guest ok' (see below). Whatever +specified as 'guest ok' (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not have a valid login. The user account "ftp" is @@ -1774,8 +1784,8 @@ command) and trying to print using the system print command such as

    • guest ok (S)


      If this parameter is 'yes' for a service, then no password is required to connect to the service. Privileges will be those of the -guest account. -


      See the section below on security for more +guest account. +


      See the section below on security for more information about this option.


      Default: guest ok = no @@ -1785,9 +1795,9 @@ information about this option.

    • guest only (S)


      If this parameter is 'yes' for a service, then only guest connections to the service are permitted. This parameter will have no -affect if "guest ok" or "public" +affect if "guest ok" or "public" is not set for the service. -


      See the section below on security for more +


      See the section below on security for more information about this option.


      Default: guest only = no @@ -1815,8 +1825,8 @@ Unix directory separator '/'.


      Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned. -


      See also "hide dot files", "veto -files" and "case sensitive". +


      See also "hide dot files", "veto +files" and "case sensitive".


      Default

       
      @@ -1832,8 +1842,8 @@ files" and "case se
       internal use, and also still hides all files beginning with a dot.
       


    • homedir map (G) -


      If "nis homedir" is true, and -smbd is also acting as a Win95/98 logon +


      If
      "nis homedir" is true, and +smbd is also acting as a Win95/98 logon server then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is @@ -1843,7 +1853,7 @@ understood. The form of the map is: ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.


      NB: A working NIS is required on the system for this option to work. -


      See also "nis homedir", domain +


      See also
      "nis homedir", domain logons.


      Default: homedir map = auto.home @@ -1851,10 +1861,10 @@ logons
      . homedir map = amd.homedir


    • hosts allow (S) -


      A synonym for this parameter is 'allow hosts' +


      A synonym for this parameter is 'allow hosts'


      This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service. -


      If specified in the [global] section then it will +


      If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.


      You can specify the hosts by name or IP number. For example, you could @@ -1888,10 +1898,10 @@ host access to see if it does what you expect. allow hosts = 150.203.5. myhost.mynet.edu.au


    • hosts deny (S) -


      The opposite of 'hosts allow' - hosts listed +


      The opposite of 'hosts allow' - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists -conflict, the 'allow' list takes precedence. +conflict, the 'allow' list takes precedence.


      Default: none (i.e., no hosts specifically excluded)


      Example: @@ -1901,7 +1911,7 @@ conflict, the 'allow'


      If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password. -


      This is not be confused with hosts allow which +


      This is not be confused with hosts allow which is about hosts access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to samba. @@ -1919,8 +1929,35 @@ kids. And only if you really trust them :-).

    • include (G)


      This allows you to include one config file inside another. The file is included literally, as though typed in place. -


      It takes the standard substitutions, except %u, -%P and %S. +


      It takes the standard substitutions, except %u, +%P and %S. +


      +

    • inherit permissions (S) +


      The permissions on new files and directories are normally governed by +"create mask", +"directory mask", +"force create mode" and +"force directory mode" +but the boolean inherit permissions parameter overrides this. +


      New directories inherit the mode of the parent directory, +including bits such as setgid. +


      New files inherit their read/write bits from the parent directory. +Their execute bits continue to be determined by +"map archive", +"map hidden" and +"map system" as usual. +


      Note that the setuid bit is *never* set via inheritance +(the code explicitly prohibits this). +


      This can be particularly useful on large systems with many users, +perhaps several thousand, +to allow a single [homes] share to be used flexibly by each user. +


      See also "create mask", "directory mask", +"force create mode" and +"force directory mode". +


      Default + inherit permissions = no +


      Example + inherit permissions = yes


    • interfaces (G)
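Review bot: The new inherit permissions entry says the parameter "overrides" create mask, directory mask, force create mode and force directory mode, but does not spell out the consequence. As written, with inherit permissions = yes a group- or world-writable parent directory yields files and subdirectories with the same write bits regardless of a restrictive create mask, and setgid propagates to new directories. Since the entry recommends this for a single [homes] share used by several thousand users, add a sentence saying so, and state whether security mask and directory security mask still limit later permission changes. The "Default" and "Example" lines also lack the colon used by the other entries (for example "Default: force create mode = 000"), and a new parameter is not covered by the commit subject, which mentions only the CUPS option.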


      This option allows you to override the default network interfaces list @@ -1934,10 +1971,10 @@ any of the following forms:

    • a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth" -if() a IP address. In this case the netmask is determined +
    • an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel -if() a IP/mask pair. -if() a broadcast/mask pair. +
    • an IP/mask pair. +
    • a broadcast/mask pair.


    The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decmal form. @@ -1949,7 +1986,7 @@ hostname resolution mechanisms.


    would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0. -


    See also "bind interfaces only". +


    See also "bind interfaces only".


  • invalid users (S)


    This is a list of users that should not be allowed to login to this @@ -1968,9 +2005,9 @@ netgroup database, and the value "&+group" means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).


    The current servicename is substituted for -%S. This is useful in the [homes] +%S. This is useful in the [homes] section. -


    See also "valid users". +


    See also "valid users".


    Default: No invalid users


    Example: @@ -1982,7 +2019,7 @@ seconds between 'keepalive' packets. If this parameter is zero, keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.


    Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see "socket +has the SO_KEEPALIVE attribute set on it (see "socket options"). Basically you should only use this option if you strike difficulties.


    Default: @@ -1991,10 +2028,10 @@ if you strike difficulties. keepalive = 60


  • kernel oplocks (G) -


    For UNIXs that support kernel based oplocks +


    For UNIXs that support kernel based oplocks (currently only IRIX but hopefully also Linux and FreeBSD soon) this parameter allows the use of them to be turned on or off. -


    Kernel oplocks support allows Samba oplocks to be +


    Kernel oplocks support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation accesses a file that smbd has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a @@ -2002,7 +2039,7 @@ data consistency between SMB/CIFS, NFS and local file access (and is a


    This parameter defaults to "On" on systems that have the support, and "off" on systems that don't. You should never need to touch this parameter. -


    See also the "oplocks" and "level2 oplocks" +


    See also the "oplocks" and "level2 oplocks" parameters.


  • ldap filter (G) @@ -2012,7 +2049,7 @@ are only available if your version of Samba was configured with the --with-ldap option.


    This parameter specifies an LDAP search filter used to search for a user name in the LDAP database. It must contain the string -%u which will be replaced with the user being +%u which will be replaced with the user being searched for.


    Default: empty string. @@ -2035,7 +2072,7 @@ the --with-ldap option.


    This parameter specifies the entity to bind to the LDAP server as (essentially the LDAP username) in order to be able to perform queries and modifications on the LDAP database. -


    See also ldap root passwd. +


    See also ldap root passwd.


    Default: empty string (no user defined)


    @@ -2050,7 +2087,7 @@ able to perform queries and modifications on the LDAP database.


    BUGS: This parameter should NOT be a readable parameter in the smb.conf file and will be removed once a correct storage place is found. -


    See also ldap root. +


    See also ldap root.


    Default: empty string.


    @@ -2077,7 +2114,7 @@ for an entry in the LDAP password database.


  • level2 oplocks (S)


    This parameter (new in Samba 2.0.5) controls whether Samba supports -level2 (read-only) oplocks on a share. In Samba 2.0.4 this parameter +level2 (read-only) oplocks on a share. In Samba 2.0.5 this parameter defaults to "False" as the code is new, but will default to "True" in a later release.


    Level2, or read-only oplocks allow Windows NT clients that have an @@ -2095,12 +2132,12 @@ read-ahead caches.


    It is recommended that this parameter be turned on to speed access to shared executables (and also to test the code :-).


    For more discussions on level2 oplocks see the CIFS spec. -


    Currently, if "kernel oplocks" are supported +


    Currently, if "kernel oplocks" are supported then level2 oplocks are not granted (even if this parameter is set -to "true"). Note also, the "oplocks" parameter must +to "true"). Note also, the "oplocks" parameter must be set to "true" on this share in order for this parameter to have any effect. -


    See also the "oplocks" and "kernel oplocks" parameters. +


    See also the "oplocks" and "kernel oplocks" parameters.


    Default: level2 oplocks = False


    Example: @@ -2113,12 +2150,12 @@ for them to see the Samba server in their browse list. This parameter can have three values, "true", "false", or "auto". The default is "auto". If set to "false" Samba will never produce these broadcasts. If set to "true" Samba will produce Lanman -announce broadcasts at a frequency set by the parameter "lm +announce broadcasts at a frequency set by the parameter "lm interval". If set to "auto" Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a -frequency set by the parameter "lm interval". -


    See also "lm interval". +frequency set by the parameter "lm interval". +


    See also "lm interval".


    Default: lm announce = auto


    Example: @@ -2126,12 +2163,12 @@ frequency set by the parameter "lm


  • lm interval (G)


    If Samba is set to produce Lanman announce broadcasts needed by -OS/2 clients (see the "lm announce" +OS/2 clients (see the "lm announce" parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman -announcements will be made despite the setting of the "lm +announcements will be made despite the setting of the "lm announce" parameter. -


    See also "lm announce". +


    See also "lm announce".


    Default: lm interval = 60


    Example: @@ -2140,7 +2177,7 @@ announce"
    parameter.

  • load printers (G)


    A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the -"printers" section for more details. +"printers" section for more details.


    Default: load printers = yes


    Example: @@ -2161,11 +2198,11 @@ elections for local master browser. local master = yes


  • lock dir (G) -


    Synonym for "lock directory". +


    Synonym for "lock directory".


  • lock directory (G)


    This option specifies the directory where lock files will be placed. -The lock files are used to implement the "max +The lock files are used to implement the "max connections" option.


    Default: lock directory = /tmp/samba @@ -2199,14 +2236,14 @@ separate log files for each user or machine. log file = /usr/local/samba/var/log.%m


  • log level (G) -


    Synonym for "debug level". +


    Synonym for "debug level".


  • logon drive (G)


    This parameter specifies the local path to which the home directory -will be connected (see "logon home") and is only +will be connected (see "logon home") and is only used by NT Workstations.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Example: logon drive = h:


    @@ -2217,8 +2254,20 @@ NT Workstation logs into a Samba PDC. It allows you to do


    from a command prompt, for example.


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. +


    This parameter can be used with Win9X workstations to ensure that +roaming profiles are stored in a subdirectory of the user's home +directory. This is done in the following way: +


    " logon home = \\%L\%U\profile" +


    This tells Samba to return the above string, with substitutions made +when a client requests the info, generally in a NetUserGetInfo request. +Win9X clients truncate the info to \\server\share when a user does "net use /home", +but use the whole string when dealing with profiles. +


    Note that in prior versions of Samba, the "logon path" was returned rather than +"logon home". This broke "net use /home" but allowed profiles outside the +home directory. The current implementation is correct, and can be used for profiles +if you use the above trick.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Example: logon home = "\\remote_smb_server\%U"
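Review bot: The added paragraphs recommend keeping Win9X roaming profiles under the user's home directory via logon home = \\%L\%U\profile, while the logon path entry on this page warns that clients can keep a connection to [homes] with no user logged in and that it is "vital" the path not reference the homes share. Please say whether that concern applies to the logon home approach, or why it does not. The quoted setting also has a stray space after the opening quote, and the Example line for this entry still shows only "\\remote_smb_server\%U" rather than the profile form the new text describes.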


    Default: @@ -2226,21 +2275,24 @@ separate logon scripts for each user or machine.


  • logon path (G)


    This parameter specifies the home directory where roaming profiles -(USER.DAT / USER.MAN files for Windows 95/98) are stored. +(NTuser.dat etc files for Windows NT) are stored. Contrary to previous +versions of these manual pages, it has nothing to do with Win 9X roaming +profiles. To find out how to handle roaming profiles for Win 9X system, see +the "logon home" parameter.


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies -the directory from which the "desktop", "start menu", -"network neighborhood" and "programs" folders, and their -contents, are loaded and displayed on your Windows 95/98 client. +the directory from which the "application data", ("desktop", "start menu", +"network neighborhood", "programs" and other folders, and their +contents, are loaded and displayed on your Windows NT client.


    The share and the path must be readable by the user for the -preferences and directories to be loaded onto the Windows 95/98 +preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the logs in for the first -time, in order that the Windows 95/98 client can create the user.dat +time, in order that the Windows NT client can create the NTuser.dat and other directories.


    Thereafter, the directories and any of the contents can, if required, be -made read-only. It is not advisable that the USER.DAT file be made -read-only - rename it to USER.MAN to achieve the desired effect (a -MANdatory profile). +made read-only. It is not advisable that the NTuser.dat file be made +read-only - rename it to NTuser.man to achieve the desired effect (a +MANdatory profile).
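Review bot: The added line 'the "application data", ("desktop", "start menu",' opens a parenthesis that is never closed; drop the "(" or close it after "programs". In the same hunk, "for Win 9X system" should read "systems", and the unchanged sentence "The share must be writeable when the logs in for the first time" is missing the word "user", which is worth fixing while these lines are being rewritten for Windows NT.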


    Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share @@ -2249,7 +2301,7 @@ problems).


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Default: logon path = \\%N\%U\profile


    Example: @@ -2261,7 +2313,7 @@ separate logon scripts for each user or machine. logs in. The file must contain the DOS style cr/lf line endings. Using a DOS-style editor to create the file is recommended.


    The script must be a relative path to the [netlogon] service. If -the [netlogon] service specifies a path of +the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:


    /usr/local/samba/netlogon/STARTUP.BAT @@ -2277,7 +2329,7 @@ files to be arbitrarily modified and security to be breached.


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Example: logon script = scripts\%U.bat


    @@ -2290,20 +2342,20 @@ by using job priorities, where jobs having a too low priority won't be sent to the printer.


    If a "%p" is given then the printername is put in its place. A "%j" is replaced with the job number (an integer). On HPUX (see -printing=hpux), if the "-p%p" option is added +printing=hpux), if the "-p%p" option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.


    Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: Currently no default value is given to this string, unless the -value of the "printing" parameter is SYSV, in +value of the "printing" parameter is SYSV, in which case the default is :


    lp -i %p-%j -H hold -


    or if the value of the "printing" parameter is softq, +


    or if the value of the "printing" parameter is softq, then the default is:


    qstat -s -j%j -h


    Example for HPUX: @@ -2322,7 +2374,7 @@ previous identical lpq command will be used if the cached data less than 10 seconds old. A large value may be advisable if your lpq command is very slow.


    A value of 0 will disable caching completely. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: lpq cache time = 10


    Example: @@ -2336,7 +2388,7 @@ as its only parameter and outputs printer status information.


    Currently eight styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX systems. You control which type is expected using the -"printing =" option. +"printing =" option.


    Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first @@ -2346,7 +2398,7 @@ connection number sent is invalid. it is placed at the end of the command.


    Note that it is good practice to include the absolute path in the lpq command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: depends on the setting of printing =


    Example: @@ -2357,19 +2409,19 @@ command
    as the PATH may not be available to the server. in order to restart or continue printing or spooling a specific print job.


    This command should be a program or script which takes a printer name -and job number to resume the print job. See also the "lppause +and job number to resume the print job. See also the "lppause command" parameter.


    If a %p is given then the printername is put in its place. A %j is replaced with the job number (an integer).


    Note that it is good practice to include the absolute path in the lpresume command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default:


    Currently no default value is given to this string, unless the -value of the "printing" parameter is SYSV, in +value of the "printing" parameter is SYSV, in which case the default is :


    lp -i %p-%j -H resume -


    or if the value of the "printing" parameter is softq, +


    or if the value of the "printing" parameter is softq, then the default is:


    qstat -s -j%j -r


    Example for HPUX: @@ -2384,7 +2436,7 @@ and job number, and deletes the print job. %j is replaced with the job number (an integer).


    Note that it is good practice to include the absolute path in the lprm command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: depends on the setting of "printing ="


    Example 1: @@ -2394,26 +2446,26 @@ and job number, and deletes the print job.


  • machine password timeout (G)


    If a Samba server is a member of an Windows NT Domain (see the -"security=domain") parameter) then +"security=domain") parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASWORD stored in the file called <Domain>.<Machine>.mac where <Domain> is the name of the Domain we are a member of and <Machine> is the primary -"NetBIOS name" of the machine +"NetBIOS name" of the machine smbd is running on. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.


    See also smbpasswd (8), and the -"security=domain") parameter. +"security=domain") parameter.


    Default: machine password timeout = 604800


  • magic output (S)


    This parameter specifies the name of a file which will contain output -created by a magic script (see the "magic +created by a magic script (see the "magic script" parameter below). -


    Warning: If two clients use the same "magic +


    Warning: If two clients use the same
    "magic script" in the same directory the output file content is undefined.


    Default: @@ -2429,7 +2481,7 @@ connected user.


    Scripts executed in this way will be deleted upon completion, permissions permitting.


    If the script generates output, output will be sent to the file -specified by the "magic output" parameter (see +specified by the "magic output" parameter (see above).


    Note that some shells are unable to interpret scripts containing carriage-return-linefeed instead of linefeed as the end-of-line @@ -2443,7 +2495,7 @@ end. magic script = user.csh


  • mangle case (S) -


    See the section on "NAME MANGLING". +


    See the section on "NAME MANGLING".


  • mangle locks (S)


    This option is was introduced with Samba 2.0.4 and above and has been @@ -2471,7 +2523,7 @@ this use a map of (*;1 *).


    This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored. -


    See the section on "NAME MANGLING" for details +


    See the section on "NAME MANGLING" for details on how to control the mangling process.


    If mangling is used then the mangling algorithm is as follows:


      @@ -2485,14 +2537,14 @@ extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.


      Note that the character to use may be specified using the -"mangling char" option, if you don't like +"mangling char" option, if you don't like '~'.


    • The first three alphanumeric characters of the final extension are preserved, forced to upper case and appear as the extension of the mangled name. The final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except in the case -of "hidden files" - see below). +of "hidden files" - see below).


    • Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless @@ -2515,7 +2567,7 @@ change between sessions.


    • mangling char (S)


      This controls what character is used as the "magic" character in -name mangling. The default is a '~' but +name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer.


      Default: @@ -2547,9 +2599,9 @@ has been modified since its last backup. One motivation for this option it to keep Samba/your PC from making any file it touches from becoming executable under UNIX. This can be quite annoying for shared source code, documents, etc... -


      Note that this requires the "create mask" +


      Note that this requires the "create mask" parameter to be set such that owner execute bit is not masked out -(i.e. it must include 100). See the parameter "create +(i.e. it must include 100). See the parameter "create mask" for details.


      Default: map archive = yes @@ -2559,9 +2611,9 @@ mask"
      for details.

    • map hidden (S)


      This controls whether DOS style hidden files should be mapped to the UNIX world execute bit. -


      Note that this requires the "create mask" to be +


      Note that this requires the "create mask" to be set such that the world execute bit is not masked out (i.e. it must -include 001). See the parameter "create mask" +include 001). See the parameter "create mask" for details.


      Default: map hidden = no @@ -2571,9 +2623,9 @@ for details.

    • map system (S)


      This controls whether DOS style system files should be mapped to the UNIX group execute bit. -


      Note that this requires the "create mask" to be +


      Note that this requires the "create mask" to be set such that the group execute bit is not masked out (i.e. it must -include 010). See the parameter "create mask" +include 010). See the parameter "create mask" for details.


      Default: map system = no @@ -2581,8 +2633,8 @@ for details. map system = yes


    • map to guest (G) -


      This parameter is only useful in security modes -other than "security=share" - i.e. user, +


      This parameter is only useful in security modes +other than "security=share" - i.e. user, server, and domain.


      This parameter can take three different values, which tell smbd what to do with user login requests that @@ -2593,11 +2645,11 @@ don't match a valid UNIX user in some way. are rejected. This is the default.


    • "Bad User" - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is -treated as a guest login and mapped into the "guest +treated as a guest login and mapped into the "guest account".


    • "Bad Password" - Means user logins with an invalid password are treated as a guest login and mapped into the -"guest account". Note that this can +"guest account". Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on a "guest" - and will not know the reason they cannot access files they think @@ -2607,7 +2659,7 @@ that they got their password wrong. Helpdesk services will this way :-).



    Note that this parameter is needed to set up "Guest" share -services when using security modes other than +services when using security modes other than share. This is because in these modes the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client so the server cannot make @@ -2628,7 +2680,7 @@ connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.


    Record lock files are used to implement this feature. The lock files -will be stored in the directory specified by the "lock +will be stored in the directory specified by the "lock directory" option.


    Default: max connections = 0 @@ -2682,7 +2734,7 @@ so you should never need to touch this parameter. max open files = 10000


  • max packet (G) -


    Synonym for ">(packetsize). +


    Synonym for "packet size".


  • max ttl (G)
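Review bot: The corrected "max packet (G)" line now points at "packet size", which this same page describes as a deprecated parameter with no effect on the current Samba code. Say on the synonym entry itself that it is deprecated, so a reader does not have to follow the link to learn that setting it does nothing.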


    This option tells nmbd what the default 'time @@ -2695,11 +2747,11 @@ change this parameter. The default is 3 days.


  • max wins ttl (G)


    This option tells nmbd when acting as a WINS -server (wins support =true) what the maximum +server (wins support =true) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds). -


    See also the "min wins ttl" parameter. +


    See also the "min wins ttl" parameter.


    Default: max wins ttl = 518400


    @@ -2726,8 +2778,8 @@ IMMEDIATELY. That's why I have the '&' on the end. If it d return immediately then your PCs may freeze when sending messages (they should recover after 30secs, hopefully).


    All messages are delivered as the global guest user. The command takes -the standard substitutions, although %u won't work -(%U may be better in this case). +the standard substitutions, although %u won't work +(%U may be better in this case).


    Apart from the standard substitutions, some additional ones apply. In particular:


      @@ -2756,24 +2808,27 @@ on regardless, saying that the message was delivered. before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means a user can always spool a print job. -


      See also the printing parameter. +


      See also the printing parameter.


      Default: min print space = 0


      Example: min print space = 2000


    • min passwd length (G) +


      Synonym for "min password length". +


      +

    • min password length (G)


      This option sets the minimum length in characters of a plaintext password than smbd will accept when performing UNIX password changing. -


      See also "unix password sync", -"passwd program" and "passwd chat +


      See also
      "unix password sync", +"passwd program" and "passwd chat debug".


      Default: - min passwd length = 5 + min password length = 5


    • min wins ttl (G)


      This option tells nmbd when acting as a WINS -server (wins support = true) what the minimum +server (wins support = true) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds). @@ -2799,10 +2854,10 @@ Solaris this may be controlled by the /etc/nsswitch.conf file). Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type, otherwise it is ignored.
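Review bot: In the renamed "min password length (G)" entry the description still reads "plaintext password than smbd will accept"; since this hunk already touches the entry name and its Default line, fix "than" to "that" in the same pass. The new "min passwd length (G)" synonym entry is fine as a pointer, but the main entry has no Example line, unlike "min print space" directly above it.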


    • wins : Query a name with the IP address listed in the -wins server parameter. If no WINS server has +wins server parameter. If no WINS server has been specified this method will be ignored.


    • bcast : Do a broadcast on each of the known local interfaces -listed in the interfaces parameter. This is the +listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.


    @@ -2817,11 +2872,11 @@ by a broadcast attempt, followed by a normal system hostname lookup.


    This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If -a machine is acting as a browse server or -logon server none of these names will be +a machine is acting as a browse server or +logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities. -


    See also "netbios name". +


    See also "netbios name".


    Default: empty string (no additional names)


    Example: @@ -2830,15 +2885,19 @@ name of the machine will be advertised with these capabilities.

  • netbios name (G)


    This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. -If a machine is a browse server or -logon server this name (or the first component +If a machine is a browse server or +logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under. -


    See also "netbios aliases". +


    See also "netbios aliases".


    Default: Machine DNS name.


    Example: netbios name = MYNAME +


    +

  • netbios scope (G) +


    This sets the NetBIOS scope that Samba will operate under. This should +not be set unless every machine on your LAN also sets this value.


  • nis homedir (G)
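Review bot: The new "netbios scope (G)" entry has no "Default:" or "Example:" line, unlike the neighbouring "netbios name" and "netbios aliases" entries; add the default so readers can see what leaving it unset looks like. The only guidance given is that it should not be set unless every machine on the LAN also sets it, so one more sentence on what happens when machines disagree on the value would make the warning actionable.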


    Get the home share server from a NIS map. For UNIX systems that use an @@ -2855,11 +2914,11 @@ different server to the logon server and as long as a Samba daemon is running on the home directory server, it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in -"homedir map" and return the server listed +"homedir map" and return the server listed there.


    Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a -logon server. +logon server.


    Default: nis homedir = false


    Example: @@ -2917,20 +2976,20 @@ correctly. ole locking compatibility = no


  • only guest (S) -


    A synonym for "guest only". +


    A synonym for "guest only".


  • only user (S)


    This is a boolean option that controls whether connections with -usernames not in the user= list will be allowed. By +usernames not in the user= list will be allowed. By default this option is disabled so a client can supply a username to be used by the server.


    Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the [homes] -section. To get around this you could use "user = -%S" which means your "user" list +service name. This can be annoying for the [homes] +section. To get around this you could use "user = +%S" which means your "user" list will be just the service name, which for home directories is the name of the user. -


    See also the user parameter. +


    See also the user parameter.


    Default: only user = False


    Example: @@ -2948,10 +3007,10 @@ more information see the file Speed.txt in the Samba docs/ directory. See the 'veto oplock files' parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local -UNIX process. See the kernel oplocks parameter +UNIX process. See the kernel oplocks parameter for details. -


    See also the "kernel oplocks" and -"level2 oplocks" parameters. +


    See also the "kernel oplocks" and +"level2 oplocks" parameters.


    Default: oplocks = True


    Example: @@ -2985,7 +3044,7 @@ OPLOCK CODE.


    This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd has a chance of becoming a local master -browser for the WORKGROUP in the local broadcast +browser for the WORKGROUP in the local broadcast area. The default is zero, which means nmbd will lose elections to Windows machines. See BROWSING.txt in the Samba docs/ directory for details. @@ -2995,7 +3054,7 @@ docs/ directory for details. os level = 65 ; This will win against any NT Server


  • packet size (G) -


    This is a deprecated parameter that how no effect on the current +


    This is a deprecated parameter that has no effect on the current Samba code. It is left in the parameter list to prevent breaking old smb.conf files.


    @@ -3012,7 +3071,7 @@ attention to the fact that a problem occurred. between smbd and the local password changing program to change the users password. The string describes a sequence of response-receive pairs that smbd uses to -determine what to send to the passwd program +determine what to send to the passwd program and what to expect back. If the expected output is not received then the password is not changed.


    This chat sequence is often quite site specific, depending on what @@ -3028,13 +3087,13 @@ a single string.


    If the send string in any part of the chat sequence is a fullstop "." then no string is sent. Similarly, is the expect string is a fullstop then no string is expected. -


    Note that if the "unix password sync" +


    Note that if the "unix password sync" parameter is set to true, then this sequence is called *AS ROOT* when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. In this case the old password cleartext is set to "" (the empty string). -


    See also "unix password sync", -"passwd program" and "passwd chat +


    See also
    "unix password sync", +"passwd program" and "passwd chat debug".


    Example:

    @@ -3052,13 +3111,13 @@ debug".
     


    This boolean specifies if the passwd chat script parameter is run in "debug" mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd log with -a "debug level" of 100. This is a dangerous +a "debug level" of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the smbd log. It is available to help Samba admins -debug their "passwd chat" scripts when calling -the "passwd program" and should be turned off +debug their "passwd chat" scripts when calling +the "passwd program" and should be turned off after this has been done. This parameter is off by default. -


    See also "passwd chat", "passwd +


    See also
    "passwd chat", "passwd program".


    Example: passwd chat debug = True @@ -3067,25 +3126,25 @@ program"
    .


  • passwd program (G)


    The name of a program that can be used to set UNIX user passwords. -Any occurrences of %u will be replaced with the +Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.


    Also note that many passwd programs insist in "reasonable" passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it. -


    Note that if the "unix password sync" +


    Note that if the "unix password sync" parameter is set to "True" then this program is called *AS ROOT* before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then smbd will fail to change the SMB password also (this is by design). -


    If the "unix password sync" parameter is +


    If the "unix password sync" parameter is set this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications. Note that by -default "unix password sync" is set to +default "unix password sync" is set to "False". -


    See also "unix password sync". +


    See also "unix password sync".


    Default: passwd program = /bin/passwd


    Example: @@ -3121,15 +3180,15 @@ as is and the password in all-lower case.


  • password server (G)


    By specifying the name of another SMB server (such as a WinNT box) -with this option, and using "security = domain" or -"security = server" you can get Samba to do all +with this option, and using "security = domain" or +"security = server" you can get Samba to do all its username/password validation via a remote server.


    This options sets the name of the password server to use. It must be a NetBIOS name, so if the machine's NetBIOS name is different from its internet name then you may have to add its NetBIOS name to the lmhosts file which is stored in the same directory as the smb.conf file.


    The name of the password server is looked up using the parameter -"name resolve order=" and so may resolved +"name resolve order=" and so may resolved by any method and order described in that parameter.


    The password server much be a machine capable of using the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in user level security @@ -3140,17 +3199,17 @@ SERVER THAT YOU DON'T COMPLETELY TRUST.


    Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!


    The name of the password server takes the standard substitutions, but -probably the only useful one is %m, which means +probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you better restrict them with hosts allow! -


    If the "security" parameter is set to +


    If the "security" parameter is set to "domain", then the list of machines in this option must be a list of Primary or Backup Domain controllers for the -Domain or the character *, as the Samba server is cryptographicly +Domain or the character *, as the Samba server is cryptographicly in that domain, and will use cryptographicly authenticated RPC calls to authenticate the user logging on. The advantage of using -"security=domain" is that if you list +"security=domain" is that if you list several hosts in the "password server" option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down. @@ -3158,10 +3217,10 @@ that responds. This is useful in case your primary server goes down. then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP addresses -from the name resolution source. -


    If the "security" parameter is set to -"server", then there are different -restrictions that "security=domain" +from the name resolution source. +


    If the "security" parameter is set to +"server", then there are different +restrictions that "security=domain" doesn't suffer from:



    • You may list several password servers in the "password server" @@ -3169,16 +3228,16 @@ parameter, however if an smbd makes a to a password server, and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS -protocol when in "security=server" mode +protocol when in "security=server" mode and cannot be fixed in Samba.


    • If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in -"security=server" mode the network +"security=server" mode the network logon will appear to come from there rather than from the users workstation.


    -


    See also the "security" parameter. +


    See also the "security" parameter.


    Default: password server = <empty string>


    Example: @@ -3195,13 +3254,13 @@ printing. readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise. -


    Any occurrences of %u in the path will be replaced +


    Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this -connection. Any occurrences of %m will be replaced +connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users. -


    Note that this path will be based on "root dir" if +


    Note that this path will be based on "root dir" if one was specified.


    Default: none @@ -3214,7 +3273,7 @@ disconnected. It takes the usual substitutions. The command may be run as the root on some systems.


    An interesting example may be do unmount server resources:


    postexec = /etc/umount /cdrom -


    See also preexec. +


    See also preexec.


    Default: none (no command executed)


    Example: @@ -3243,7 +3302,7 @@ time they log in. Maybe a message of the day? Here is an example:


  • Of course, this could get annoying after a while :-) -


    See also preexec close and postexec. +


    See also preexec close and postexec.


    Default: none (no command executed)


    Example: @@ -3251,7 +3310,7 @@ time they log in. Maybe a message of the day? Here is an example:


  • preexec close (S)


    This boolean option controls whether a non-zero return code from -"preexec" should close the service being connected to. +"preexec" should close the service being connected to.


    Default: preexec close = no


    Example: @@ -3263,7 +3322,7 @@ preferred master browser for its workgroup.


    If this is set to true, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in -conjunction with "domain master = yes", so +conjunction with "domain master = yes", so that nmbd can guarantee becoming a domain master.


    Use this option with caution, because if there are several hosts @@ -3272,25 +3331,25 @@ browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities. -


    See also os level. +


    See also os level.


    Default: preferred master = no


    Example: preferred master = yes


  • prefered master (G) -


    Synonym for "preferred master" for people +


    Synonym for "preferred master" for people who cannot spell :-).


  • preload -Synonym for "auto services". +Synonym for "auto services".


  • preserve case (S)


    This controls if new filenames are created with the case that the client passes, or if they are forced to be the "default" case.


    Default: preserve case = yes -


    See the section on "NAME MANGLING" for a +


    See the section on "NAME MANGLING" for a fuller discussion.


  • print command (S) @@ -3302,20 +3361,16 @@ be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.


    The print command is simply a text string. It will be used verbatim, -with two exceptions: All occurrences of "%s" will be replaced by -the appropriate spool file name, and all occurrences of "%p" will -be replaced by the appropriate printer name. The spool file name is -generated automatically by the server, the printer name is discussed -below. -


    The full path name will be used for the filename if "%s" is not -preceded by a '/'. If you don't like this (it can stuff up some -lpq output) then use "%f" instead. Any occurrences of "%f" get -replaced by the spool filename without the full path at the front. +with two exceptions: All occurrences of "%s" and "%f" will be +replaced by the appropriate spool file name, and all occurrences of +"%p" will be replaced by the appropriate printer name. The spool +file name is generated automatically by the server, the printer name +is discussed below.


    The print command MUST contain at least one occurrence of "%s" or "%f" - the "%p" is optional. At the time a job is submitted, if no printer name is supplied the "%p" will be silently removed from the printer command. -


    If specified in the "[global]" section, the print +


    If specified in the "[global]" section, the print command given will be used for any printable service that does not have its own print command specified.
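Review bot: In the rewritten "print command" paragraph, "%s" and "%f" are now described as one substitution, and the paragraph this hunk deletes was the only place that said "%f" is the spool filename without the full path while "%s" gets the full path unless preceded by '/'. If the two still expand differently, keep one sentence stating the difference; the page goes on to say the command is just passed to a shell, so an administrator needs to know exactly what string ends up in it. If they are now identical, say so explicitly, because the next paragraph still treats them as alternatives ("at least one occurrence of "%s" or "%f"").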


    If there is neither a specified print command for a printable service @@ -3323,8 +3378,8 @@ nor a global print command, spool files will be created but not processed and (most importantly) not removed.


    Note that printing may fail on some UNIXs from the "nobody" account. If this happens then create an alternative guest account that -can print and set the "guest account" in the -"[global]" section. +can print and set the "guest account" in the +"[global]" section.


    You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual @@ -3332,27 +3387,27 @@ separator for command in shell scripts.


    print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s


    You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter -varies depending on the setting of the "printing=" +varies depending on the setting of the "printing=" parameter.


    Default: - For "printing=" BSD, AIX, QNX, LPRNG or PLP : + For "printing=" BSD, AIX, QNX, LPRNG or PLP : print command = lpr -r -P%p %s -


    For "printing=" SYS or HPUX : +


    For "printing=" SYS or HPUX : print command = lp -c -d%p %s; rm %s -


    For "printing=" SOFTQ : +


    For "printing=" SOFTQ : print command = lp -d%p -s %s; rm %s


    Example: print command = /usr/local/samba/bin/myprintscript %p %s


  • print ok (S) -


    Synonym for printable. +


    Synonym for printable.


  • printable (S)


    If this parameter is "yes", then clients may open, write to and submit spool files on the directory specified for the service.


    Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The -"read only" parameter controls only non-printing +"writeable" parameter controls only non-printing access to the resource.
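Review bot: The Default block for "print command" lists values for BSD, AIX, QNX, LPRNG or PLP, for "SYS or HPUX", and for SOFTQ, but nothing for the "printing=CUPS" style that this patch adds to the "printing" entry; add the CUPS default or state where it comes from. The same block writes "SYS" where the "printing" entry lists "printing=SYSV"; pick one spelling so the value can be copied into smb.conf as shown.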


    Default: printable = no @@ -3360,12 +3415,12 @@ access to the resource. printable = yes


  • printcap (G) -


    Synonym for printcapname. +


    Synonym for printcapname.


  • printcap name (G)


    This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the -discussion of the [printers] section above for +discussion of the [printers] section above for reasons why you might want to do this.


    On System V systems that use lpstat to list available printers you can use "printcap name = lpstat" to automatically obtain lists of @@ -3399,7 +3454,7 @@ format if the string "/qconfig" appears in the printcap filename.

  • printer (S)


    This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent. -


    If specified in the [global] section, the printer +


    If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.


    Default: @@ -3418,7 +3473,7 @@ don't know the exact string to use then you should first try with no "printer driver" option set and the client will give you a list of printer drivers. The appropriate strings are shown in a scrollbox after you have chosen the printer manufacturer. -


    See also "printer driver file". +


    See also "printer driver file".


    Example: printer driver = HP LaserJet 4L


    @@ -3435,14 +3490,14 @@ in the docs/ directory, PRINTER_DRIVER.txt. None (set in compile).


    Example: printer driver file = /usr/local/samba/printers/drivers.def -


    See also "printer driver location". +


    See also "printer driver location".


  • printer driver location (S)


    This parameter tells clients of a particular printer share where to find the printer driver files for the automatic installation of drivers for Windows 95 machines. If Samba is set up to serve printer drivers to Windows 95 machines, this should be set to -


    \\MACHINE\aPRINTER$ +


    \\MACHINE\PRINTER$


    Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ is a share you set up for serving printer driver files. For more details on setting this up see the documentation file in the docs/ @@ -3451,27 +3506,28 @@ directory, PRINTER_DRIVER.txt. None


    Example: printer driver location = \\MACHINE\PRINTER$ -


    See also "printer driver file". +


    See also "printer driver file".


  • printer name (S) -


    Synonym for printer. +


    Synonym for printer.


  • printing (S)


    This parameters controls how printer status information is interpreted -on your system, and also affects the default values for the -"print command", "lpq -command" "lppause command", -"lpresume command", and "lprm -command". +on your system. It also affects the default values for the +"print command", "lpq +command" "lppause command", +"lpresume command", and "lprm +command" if specified in the [global] +section.


    Currently eight printing styles are supported. They are -"printing=BSD", "printing=AIX", "printing=LPRNG", -"printing=PLP", -"printing=SYSV","printing="HPUX","printing=QNX" and -"printing=SOFTQ". +"printing=BSD", "printing=AIX", +"printing=LPRNG", "printing=PLP", "printing=SYSV", +"printing="HPUX", "printing=QNX", "printing=SOFTQ", +and "printing=CUPS".


    To see what the defaults are for the other print commands when using -these three options use the "testparm" program. +the various options use the "testparm" program.


    This option can be set on a per printer basis -


    See also the discussion in the [printers] section. +


    See also the discussion in the [printers] section.


  • protocol (G)
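Review bot: The "printing" entry still says "Currently eight printing styles are supported", but with "printing=CUPS" appended the list that follows has nine entries; update the count or drop the number. The re-wrapped list also carries over the stray quote in "printing="HPUX", and the opening sentence still reads "This parameters controls". The added clause "if specified in the [global] section" sits awkwardly beside "This option can be set on a per printer basis": state whether a per-share "printing" value also changes the defaults of the lpq, lppause, lpresume and lprm commands, or only the global one does.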


    The value of the parameter (a string) is the highest protocol level @@ -3495,7 +3551,7 @@ protocol. protocol = LANMAN1


  • public (S) -


    Synonym for "guest ok". +


    Synonym for "guest ok".


  • queuepause command (S)


    This parameter specifies the command to be executed on the server host @@ -3518,7 +3574,7 @@ command as the PATH may not be available to the server.


    This parameter specifies the command to be executed on the server host in order to resume the printerqueue. It is the command to undo the behavior that is caused by the previous parameter -("queuepause command). +("queuepause command).


    This command should be a program or script which takes a printer name as its only parameter and resumes the printerqueue, such that queued jobs are resubmitted to the printer. @@ -3543,11 +3599,11 @@ and defaults to off. You should never need to set this parameter.

  • read list (S)


    This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be -given write access, no matter what the "read only" +given write access, no matter what the "writeable" option is set to. The list can include group names using the syntax -described in the "invalid users" parameter. -


    See also the "write list" parameter and -the "invalid users" parameter. +described in the "invalid users" parameter. +


    See also the "write list" parameter and +the "invalid users" parameter.


    Default: read list = <empty string>


    Example: @@ -3555,9 +3611,7 @@ the "invalid users"


  • read only (S)


    Note that this is an inverted synonym for -"writeable" and "write ok". -


    See also "writeable" and "write -ok". +"writeable".


  • read prediction (G)


    NOTE: This code is currently disabled in Samba2.0 and @@ -3579,7 +3633,7 @@ typically provides a major performance benefit. incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads.


    In general this parameter should be viewed as a system tuning tool and left -severely alone. See also "write raw". +severely alone. See also "write raw".


    Default: read raw = yes


    @@ -3617,7 +3671,7 @@ packets to.


    the above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name then the one given in the -"workgroup" parameter is used instead. +"workgroup" parameter is used instead.


    The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable. @@ -3682,7 +3736,7 @@ as a different user".


  • revalidate (S)


    Note that this option only works with -"security=share" and will be ignored if +"security=share" and will be ignored if this is not the case.


    This option controls whether Samba will allow a previously validated username/password pair to be used to attach to a share. Thus if you @@ -3697,10 +3751,10 @@ automatic access as the same username. revalidate = True


  • root (G) -


    Synonym for "root directory". +


    Synonym for "root directory".


  • root dir (G) -


    Synonym for "root directory". +


    Synonym for "root directory".


  • root directory (G)


    The server will "chroot()" (i.e. Change it's root directory) to @@ -3709,7 +3763,7 @@ operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the -setting of the "wide links" parameter). +setting of the "wide links" parameter).


    Adding a "root directory" entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the "root @@ -3726,22 +3780,22 @@ operating system dependent. root directory = /homes/smb


  • root postexec (S) -


    This is the same as the "postexec" parameter +


    This is the same as the "postexec" parameter except that the command is run as root. This is useful for unmounting filesystems (such as cdroms) after a connection is closed. -


    See also "postexec". +


    See also "postexec".


  • root preexec (S) -


    This is the same as the "preexec" parameter except +


    This is the same as the "preexec" parameter except that the command is run as root. This is useful for mounting filesystems (such as cdroms) before a connection is finalized. -


    See also "preexec" -and "root preexec close". +


    See also "preexec" +and "root preexec close".


  • root preexec close (S) -


    This is the same as the "preexec close" parameter +


    This is the same as the "preexec close" parameter except that the command is run as root. -


    See also "preexec", "preexec close". +


    See also "preexec", "preexec close".


  • security (G)


    This option affects how clients respond to Samba and is one of the most @@ -3750,16 +3804,16 @@ important settings in the smb.conf file. negotiations with smbd to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server. -


    The default is "security=user", as this is +


    The default is "security=user", as this is the most common setting needed when talking to Windows 98 and Windows NT. -


    The alternatives are "security = share", -"security = server" or -"security=domain". +


    The alternatives are "security = share", +"security = server" or +"security=domain".


    *****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR PREVIOUS VERSIONS OF SAMBA *******.


    In previous versions of Samba the default was -"security=share" mainly because that was +"security=share" mainly because that was the only option at one stage.


    There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client will totally ignore the @@ -3770,17 +3824,17 @@ anyone except the user that you are logged into WfWg as. UNIX machine then you will want to use "security = user". If you mostly use usernames that don't exist on the UNIX box then use "security = share". -


    You should also use security=share if +


    You should also use security=share if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with -security=user, see the "map to +security=user, see the "map to guest"parameter for details.


    It is possible to use smbd in a "hybrid mode" where it is offers both user and share level security under -different NetBIOS aliases. See the -NetBIOS aliases and the -include parameters for more information. +different NetBIOS aliases. See the +NetBIOS aliases and the +include parameters for more information.


    The different settings will now be explained.



      @@ -3802,11 +3856,11 @@ of the client.


      A list of possible UNIX usernames to match with the given client password is constructed using the following methods :


        -


      • If the "guest only" parameter is set, then -all the other stages are missed and only the "guest +


      • If the "guest only" parameter is set, then +all the other stages are missed and only the "guest account" username is checked.


      • Is a username is sent with the share connection request, then -this username (after mapping - see "username +this username (after mapping - see "username map"), is added as a potential username.


      • If the client did a previous "logon" request (the SessionSetup SMB call) then the username sent in this SMB @@ -3815,29 +3869,29 @@ will be added as a potential username. as a potential username.


      • The NetBIOS name of the client is added to the list as a potential username. -


      • Any users on the "user" list are added +


      • Any users on the "user" list are added as potential usernames.


      -


      If the "guest only" parameter is not set, then +


      If the "guest only" parameter is not set, then this list is then tried with the supplied password. The first user for whom the password matches will be used as the UNIX user. -


      If the "guest only" parameter is set, or no +


      If the "guest only" parameter is set, or no username can be determined then if the share is marked as available to -the "guest account", then this guest user will +the "guest account", then this guest user will be used, otherwise access is denied.


      Note that it can be *very* confusing in share-level security as to which UNIX username will eventually be used in granting access. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION".


    • "security=user"


      This is the default security setting in Samba2.0. With user-level security a client must first "log-on" with a valid username and -password (which can be mapped using the "username +password (which can be mapped using the "username map" parameter). Encrypted passwords (see the -"encrypted passwords" parameter) can also +"encrypted passwords" parameter) can also be used in this security mode. Parameters such as -"user" and "guest only", if set +"user" and "guest only", if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated. @@ -3845,10 +3899,10 @@ authenticated. *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown -users into the "guest account". See the -"map to guest" parameter for details on +users into the "guest account". See the +"map to guest" parameter for details on doing this. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION".


    • "security=server" @@ -3860,25 +3914,25 @@ checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.


      Note that from the clients point of view "security=server" is -the same as "security=user". It only +the same as "security=user". It only affects how the server deals with the authentication, it does not in any way affect what the client sees.


      Note that the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in server level security without allowing the server to automatically map unknown -users into the "guest account". See the -"map to guest" parameter for details on +users into the "guest account". See the +"map to guest" parameter for details on doing this. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION". -


      See also the "password server" parameter. -and the "encrypted passwords" parameter. +


      See also the "password server" parameter. +and the "encrypted passwords" parameter.


    • "security=domain"


      This mode will only work correctly if smbpasswd has been used to add this machine -into a Windows NT Domain. It expects the "encrypted +into a Windows NT Domain. It expects the "encrypted passwords" parameter to be set to "true". In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the @@ -3887,15 +3941,15 @@ same way that a Windows NT Server would do. account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.


      Note that from the clients point of view "security=domain" is -the same as "security=user". It only +the same as "security=user". It only affects how the server deals with the authentication, it does not in any way affect what the client sees.


      Note that the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in domain level security without allowing the server to automatically map unknown -users into the "guest account". See the -"map to guest" parameter for details on +users into the "guest account". See the +"map to guest" parameter for details on doing this.


      BUG: There is currently a bug in the implementation of "security=domain with respect to multi-byte character @@ -3904,10 +3958,10 @@ must be done in UNICODE and Samba currently does not widen multi-byte user names to UNICODE correctly, thus a multi-byte username will not be recognized correctly at the Domain Controller. This issue will be addressed in a future release. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION". -


      See also the "password server" parameter. -and the "encrypted passwords" parameter. +


      See also the "password server" parameter. +and the "encrypted passwords" parameter.



    Default: security = USER @@ -3923,16 +3977,16 @@ permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.


    If not set explicitly this parameter is set to the same value as the -create mask parameter. To allow a user to +create mask parameter. To allow a user to modify all the user/group/world permissions on a file, set this parameter to 0777.


    Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0777. -


    See also the force directory security -mode, directory security -mask, force security +


    See also the
    force directory security +mode, directory security +mask, force security mode parameters.


    Default: security mask = <same as create mask> @@ -3993,14 +4047,14 @@ smaller size, reducing by a factor of 0.8 until the OS accepts it.


    Example: shared mem size = 5242880 ; Set to 5mb for a large number of files.


    -

  • short preserve case (G) +
  • short preserve case (S)


    This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the "default" case. This -option can be use with "preserve case +option can be use with "preserve case =yes" to permit long filenames to retain their case, while short names are lowered. Default Yes. -


    See the section on NAME MANGLING. +


    See the section on NAME MANGLING.


    Default: short preserve case = yes


    @@ -4046,7 +4100,7 @@ appropriate documentation for your operating system first (perhaps option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to -samba-bugs@samba.org. +samba@samba.org.


    Any of the supported socket options may be combined in any way you like, as long as your OS allows it.


    This is the list of socket options currently settable using this @@ -4081,6 +4135,25 @@ completely. Use these options with caution! socket options = TCP_NODELAY


    Example: socket options = IPTOS_LOWDELAY +


    +

  • source environment (G) +


    This parameter causes Samba to set environment variables as per the +content of the file named. +


    The file must be owned by root and not world writable in order +to be read (this is a security check). +


    If the value of this parameter starts with a "|" character then Samba will +treat that value as a pipe command to open and will set the environment +variables from the oput of the pipe. This command must not be world writable +and must reside in a directory that is not world writable. +


    The contents of the file or the output of the pipe should be formatted +as the output of the standard Unix env(1) command. This is of the form : +


    Example environment entry: + SAMBA_NETBIOS_NAME=myhostname +


    Default: +No default value +


    Examples: +


    source environment = |/etc/smb.conf.sh +


    source environment = /usr/local/smb_env_vars


  • ssl (G)


    This variable is part of SSL-enabled Samba. This is only available if @@ -4090,8 +4163,8 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    This variable enables or disables the entire SSL mode. If it is set to "no", the SSL enabled samba behaves exactly like the non-SSL samba. If -set to "yes", it depends on the variables "ssl -hosts" and "ssl hosts resign" +set to "yes", it depends on the variables "ssl +hosts" and "ssl hosts resign" whether an SSL connection will be required.


    Default: ssl=no @@ -4178,7 +4251,7 @@ than SSLeay exist. ssl compatibility = no


  • ssl hosts (G) -


    See "ssl hosts resign". +


    See "ssl hosts resign".


  • ssl hosts resign (G)


    This variable is part of SSL-enabled Samba. This is only available if @@ -4188,15 +4261,15 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    These two variables define whether samba will go into SSL mode or not. If none of them is defined, samba will allow only SSL -connections. If the "ssl hosts" variable lists +connections. If the "ssl hosts" variable lists hosts (by IP-address, IP-address range, net group or name), only these hosts will be forced into SSL mode. If the "ssl hosts resign" variable lists hosts, only these hosts will NOT be forced into SSL mode. The syntax for these two variables is the same as for the -"hosts allow" and "hosts +"hosts allow" and "hosts deny" pair of variables, only that the subject of the decision is different: It's not the access right but whether SSL is -used or not. See the "allow hosts" parameter for +used or not. See the "allow hosts" parameter for details. The example below requires SSL connections from all hosts outside the local net (which is 192.168.*.*).


    Default: @@ -4213,8 +4286,8 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    If this variable is set to "yes", the server will not tolerate connections from clients that don't have a valid certificate. The -directory/file given in "ssl CA certDir" and -"ssl CA certFile" will be used to look up the +directory/file given in "ssl CA certDir" and +"ssl CA certFile" will be used to look up the CAs that issued the client's certificate. If the certificate can't be verified positively, the connection will be terminated. If this variable is set to "no", clients don't need certificates. Contrary @@ -4234,7 +4307,7 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    If this variable is set to "yes", the smbclient will request a certificate from -the server. Same as "ssl require +the server. Same as "ssl require clientcert" for the server.


    Default: ssl require servercert = no @@ -4286,7 +4359,7 @@ never need to change this parameter. stat cache = yes


  • stat cache size (G) -


    This parameter determines the number of entries in the stat +


    This parameter determines the number of entries in the
    stat cache. You should never need to change this parameter.


    Default: stat cache size = 50 @@ -4328,7 +4401,7 @@ operating system itself that Samba is running on crashes, so there is little danger in this default setting. In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies. -


    See also the "sync always" parameter. +


    See also the "sync always" parameter.


    Default: strict sync = no


    Example: @@ -4350,9 +4423,9 @@ false then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is true then every write will be followed by a fsync() call to ensure the data is written to disk. -Note that the "strict sync" parameter must be +Note that the "strict sync" parameter must be set to "yes" in order for this parameter to have any affect. -


    See also the "strict sync" parameter. +


    See also the "strict sync" parameter.


    Default: sync always = no


    Example: @@ -4375,6 +4448,24 @@ to syslog. system syslog only, and not to the debug log files.


    Default: syslog only = no +


    +

  • template homedir (G) +


    NOTE: this parameter is only available in Samba 3.0. +


    When filling out the user information for a Windows NT user, the +winbindd daemon uses this parameter to fill in +the home directory for that user. If the string %D is present it is +substituted with the user's Windows NT domain name. If the string %U +is present it is substituted with the user's Windows NT user name. +


    Default: + template homedir = /home/%D/%U +


    +

  • template shell (G) +


    NOTE: this parameter is only available in Samba 3.0. +


    When filling out the user information for a Windows NT user, the +winbindd daemon uses this parameter to fill in +the login shell for that user. +


    Default: + template shell = /bin/false


  • time offset (G)


    This parameter is a setting in minutes to add to the normal GMT to @@ -4394,24 +4485,18 @@ itself as a time server to Windows clients. The default is False. time server = True


  • timestamp logs (G) -


    Samba2.0 will a timestamps to all log entries by default. This -can be distracting if you are attempting to debug a problem. This -parameter allows the timestamping to be turned off. -


    Default: - timestamp logs = True -


    Example: - timestamp logs = False +


    Synonym for "debug timestamp".


  • unix password sync (G)


    This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to true the -program specified in the "passwd program" +program specified in the "passwd program" parameter is called *AS ROOT* - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password has change code has no access to the old password cleartext, only the new). By default this is set to "false". -


    See also "passwd program", "passwd +


    See also
    "passwd program", "passwd chat".


    Default: unix password sync = False @@ -4441,7 +4526,7 @@ change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to "off". -


    In order for this parameter to work correctly the "encrypt +


    In order for this parameter to work correctly the
    "encrypt passwords" parameter must be set to "no" when this parameter is set to "yes".


    Note that even when this parameter is set a user authenticating to @@ -4468,10 +4553,10 @@ doing. use rhosts = yes


  • user (S) -


    Synonym for "username". +


    Synonym for "username".


  • users (S) -


    Synonym for "username". +


    Synonym for "username".


  • username (S)


    Multiple users may be specified in a comma-delimited list, in which @@ -4495,7 +4580,7 @@ damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.


    To restrict a service to a particular set of users you can use the -"valid users=" parameter. +"valid users=" parameter.


    If any of the usernames begin with a '@' then the name will be looked up first in the yp netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database @@ -4509,7 +4594,7 @@ netgroup support) and will expand to a list of all users in the netgroup group of that name.


    Note that searching though a groups database can take quite some time, and some clients may time out during the search. -


    See the section "NOTE ABOUT USERNAME/PASSWORD +


    See the section
    "NOTE ABOUT USERNAME/PASSWORD VALIDATION" for more information on how this parameter determines access to the services.


    Default: @@ -4594,7 +4679,7 @@ usernames. Thus if you connect to "\\server\fred" and "fred"< is remapped to "mary" then you will actually be connecting to "\\server\mary" and will need to supply a password suitable for "mary" not "fred". The only exception to this is the username -passed to the "password server" (if you have +passed to the "password server" (if you have one). The password server will receive whatever username the client supplies without modification.


    Also note that no reverse mapping is done. The main effect this has is @@ -4605,8 +4690,62 @@ print job. no username map


    Example: username map = /usr/local/samba/lib/users.map +


    +

  • utmp (S) +


    This boolean parameter is only available if Samba has been configured and compiled +with the option --with-utmp. If set to True then Samba will attempt +to add utmp or utmpx records (depending on the UNIX system) whenever a +connection is made to a Samba server. Sites may use this to record the +user connecting to a Samba share. +


    See also the "utmp directory" parameter. +


    Default: +utmp = False +


    Example: +utmp = True +


    +

  • utmp directory(G) +


    This parameter is only available if Samba has been configured and compiled +with the option --with-utmp. It specifies a directory pathname that is +used to store the utmp or utmpx files (depending on the UNIX system) that +record user connections to a Samba server. See also the "utmp" +parameter. By default this is not set, meaning the system will use whatever +utmp file the native system is set to use (usually /var/run/utmp on Linux). +


    Default: +no utmp directory +


    Example: +utmp directory = /var/adm/ +


    +

  • winbind cache time +


    NOTE: this parameter is only available in Samba 3.0. +


    This parameter specifies the number of seconds the +winbindd daemon will cache user and group +information before querying a Windows NT server again. +


    Default: + winbind cache type = 15 +


    +

  • winbind gid +


    NOTE: this parameter is only available in Samba 3.0. +


    The winbind gid parameter specifies the range of group ids that are +allocated by the winbindd daemon. This range of +group ids should have no existing local or nis groups within it as strange +conflicts can occur otherwise. +


    Default: + winbind gid = <empty string> +


    Example: + winbind gid = 10000-20000 +


    +

  • winbind uid +


    NOTE: this parameter is only available in Samba 3.0. +


    The winbind uid parameter specifies the range of user ids that are +allocated by the winbindd daemon. This range of +ids should have no existing local or nis users within it as strange +conflicts can occur otherwise. +


    Default: + winbind uid = <empty string> +


    Example: + winbind uid = 10000-20000


    -

  • valid chars (S) +
  • valid chars (G)


    The option allows you to specify additional characters that should be considered valid by the server in filenames. This is particularly useful for national character sets, such as adding u-umlaut or a-ring. @@ -4630,12 +4769,12 @@ the following


    The last two examples above actually add two characters, and alter the uppercase and lowercase mappings appropriately. -


    Note that you MUST specify this parameter after the "client +


    Note that you MUST specify this parameter after the
    "client code page" parameter if you have both set. If -"client code page" is set after the +"client code page" is set after the "valid chars" parameter the "valid chars" settings will be overwritten. -


    See also the "client code page" parameter. +


    See also the "client code page" parameter.


    Default:

     
    @@ -4658,15 +4797,15 @@ of your Samba source code distribution for this package.
     
  • valid users (S)


    This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are -interpreted using the same rules as described in the "invalid +interpreted using the same rules as described in the "invalid users" parameter.


    If this is empty (the default) then any user can login. If a username -is in both this list and the "invalid users" +is in both this list and the "invalid users" list then access is denied for that user.


    The current servicename is substituted for -"%S". This is useful in the -[homes] section. -


    See also "invalid users". +"%S". This is useful in the +[homes] section. +


    See also "invalid users".


    Default: No valid users list. (anyone can login)


    Example: @@ -4680,7 +4819,7 @@ can be used to specify multiple files or directories as in DOS wildcards.


    Each entry must be a unix path, not a DOS path and must *not* include the unix directory separator '/'. -


    Note that the "case sensitive" option is +


    Note that the "case sensitive" option is applicable in vetoing files.


    One feature of the veto files parameter that it is important to be aware of, is that if a directory contains nothing but files that match @@ -4691,7 +4830,7 @@ to do so.


    Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned. -


    See also "hide files" and "case +


    See also
    "hide files" and "case sensitive".


    Default: No files or directories are vetoed. @@ -4720,11 +4859,11 @@ sensitive"
    .


  • veto oplock files (S) -


    This parameter is only valid when the "oplocks" +


    This parameter is only valid when the "oplocks" parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the -"veto files" parameter. +"veto files" parameter.


    Default: No files are vetoed for oplock grants.


    Examples: @@ -4732,7 +4871,7 @@ match a wildcarded list, similar to the wildcarded list used in the contended for by clients. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in ".SEM". To cause Samba not to grant oplocks on these -files you would use the line (either in the [global] +files you would use the line (either in the [global] section or in the section for the particular NetBench share :


    veto oplock files = /*.SEM/


    @@ -4818,7 +4957,7 @@ network.

  • workgroup (G)


    This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain -name used with the "security=domain" +name used with the "security=domain" setting.


    Default: set at compile time to WORKGROUP @@ -4826,24 +4965,44 @@ setting. workgroup = MYGROUP


  • writable (S) -


    Synonym for "writeable" for people who can't spell :-). +


    Synonym for "writeable" for people who can't spell :-).


  • write list (S)


    This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be -given write access, no matter what the "read only" +given write access, no matter what the "writeable" option is set to. The list can include group names using the @group syntax.


    Note that if a user is in both the read list and the write list then they will be given write access. -


    See also the "read list" option. +


    See also the "read list" option.


    Default: write list = <empty string>


    Example: write list = admin, root, @staff +


    +

  • write cache size (S) +


    This integer parameter (new with Samba 2.0.7) if set to non-zero causes Samba to create an in-memory +cache for each oplocked file (it does not do this for non-oplocked files). All +writes that the client does not request to be flushed directly to disk will be +stored in this cache if possible. The cache is flushed onto disk when a write +comes in whose offset would not fit into the cache or when the file is closed +by the client. Reads for the file are also served from this cache if the data +is stored within it. +


    This cache allows Samba to batch client writes into a more efficient write +size for RAID disks (ie. writes may be tuned to be the RAID stripe size) and +can improve performance on systems where the disk subsystem is a bottleneck +but there is free memory for userspace programs. +


    The integer parameter specifies the size of this cache (per oplocked file) +in bytes. +


    Default: + write cache size = 0 +


    Example: + write cache size = 262144 +for a 256k cache size per file.


  • write ok (S) -


    Synonym for writeable. +


    Synonym for writeable.


  • write raw (G)
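Review bot: The new "write cache size" entry says the cache is flushed only when a write arrives whose offset would not fit or when the client closes the file. It does not say what happens to cached data when the oplock on the file is broken, or if smbd exits before the close. Since the cache exists only for oplocked files and holds writes that have not reached disk, the entry should state when else it is flushed, so an administrator can judge how much unwritten data a non-zero setting leaves in memory per file. Two smaller points in the same hunk: the entry is inserted after "write list" although the neighbouring parameters are in alphabetical order, and "ie." should be "i.e.".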


    This parameter controls whether or not the server will support raw @@ -4853,10 +5012,10 @@ need to change this parameter. write raw = yes


  • writeable -


    An inverted synonym is "read only". +


    An inverted synonym is "read only".


    If this parameter is "no", then users of a service may not create or modify files in the service's directory. -


    Note that a printable service ("printable = yes") +


    Note that a printable service ("printable = yes") will *ALWAYS* allow writing to the directory (user privileges permitting), but only via spooling operations.


    Default: @@ -4883,7 +5042,7 @@ service names to eight characters. Smbd
    Use of the
    [homes] and [printers] +


    Use of the [homes] and [printers] special sections make life for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the @@ -4904,7 +5063,7 @@ permissions on spool directories are correct.

    AUTHOR


    The original Samba software and related utilities were created by -Andrew Tridgell samba-bugs@samba.org. Samba is now developed +Andrew Tridgell samba@samba.org. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.


    The original Samba man pages were written by Karl Auer. The man page @@ -4912,7 +5071,7 @@ sources were converted to YODL format (another excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 release by Jeremy Allison. -samba-bugs@samba.org. +samba@samba.org.


    See samba (7) to find out how to get a full list of contributors and details on how to submit bug reports, comments etc. -- cgit
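Review bot: The replaced address on the line after "Jeremy Allison." is left as a stand-alone fragment ("... by Jeremy Allison. samba@samba.org."), so the text does not say whose address it is or what it is for. Either attach it to a name, as the first AUTHOR paragraph does, or drop it, since the closing paragraph already points to samba (7) for how to submit bug reports and comments.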