From 3878085eca35d5c3b08761f61281de0b1b49ce2d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 1 Jul 2003 22:58:52 +0000 Subject: regenerate docs (This used to be commit cc02d3bc170fe5c8c4474156edb6c83720a47aa0) --- docs/htmldocs/smb.conf.5.html | 121 ++++++++++++++++++++++++++---------------- 1 file changed, 76 insertions(+), 45 deletions(-) (limited to 'docs/htmldocs/smb.conf.5.html') diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 9c01b5de56..f22afa5884 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -244,8 +244,8 @@ alias|alias|alias|alias... connection is made as the username given in the "guest account =" for the service, irrespective of the supplied password.

COMPLETE LIST OF GLOBAL PARAMETERS

Here is a list of all global parameters. See the section of - each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on - each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch + each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on + each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

This command will be run as user.

Default: None.

Example: abort shutdown script = /sbin/shutdown -c

add group script (G)

This is the full pathname to a script that will be run @@ -351,9 +351,7 @@ alias|alias|alias|alias... administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, - irrespective of file permissions.

Default: no admin users

Example: admin users = jason

ads server (G)

If this option is specified, samba does not try to figure out what - ads server to use itself, but uses the specified ads server. Either one - DNS name or IP address can be used.

Default: ads server =

Example: ads server = 192.168.1.2

algorithmic rid base (G)

This determines how Samba will use its + irrespective of file permissions.

Default: no admin users

Example: admin users = jason

algorithmic rid base (G)

This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers.

Setting this option to a larger value could be useful to sites @@ -392,10 +390,18 @@ alias|alias|alias|alias... need to set a Samba server to be a downlevel server.

Default: announce version = 4.9

Example: announce version = 2.0

auth methods (G)

This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on - security.

Each entry in the list attempts to authenticate the user in turn, until + security. This should be considered + a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate.

Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication. -

Default: auth methods = <empty string>

Example: auth methods = guest sam ntdomain

auto services (G)

This is a synonym for the +

Possible options include guest (anonymous access), + sam (lookups in local list of accounts based on netbios + name or domain name), winbind (relay authentication requests + for remote users through winbindd), ntdomain (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + trustdomain (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method).

Default: auth methods = <empty string>

Example: auth methods = guest sam winbind

auto services (G)

This is a synonym for the preload.

available (S)

This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are @@ -498,7 +504,13 @@ alias|alias|alias|alias... See also add share command, delete share command. -

Default: none

Example: change share command = /usr/local/bin/addshare

comment (S)

This is a text field that is seen next to a share +

Default: none

Example: change share command = /usr/local/bin/addshare

client use spnego (G)

This variable controls controls whether samba clients will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + WindowsXP and Windows2000 servers to agree upon an authentication mechanism. + SPNEGO client support with Sign and Seal is currently broken, so + you might want to turn this option off when doing joins to + Windows 2003 domains. +

Default: client use spnego = yes

comment (S)

This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available.

If you want to set the string that is displayed next to the @@ -1130,7 +1142,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' hosts equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you really trust - them :-).

Default: no host equivalences

Example: hosts equiv = /etc/hosts.equiv

include (G)

This allows you to include one config file + them :-).

Default: no host equivalences

Example: hosts equiv = /etc/hosts.equiv

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for + the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no + existing local or NIS groups within it as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of + all group mapping.

Default: idmap gid = <empty string>

Example: idmap gid = 10000-20000

idmap uid (G)

The idmap uid parameter specifies the range of user ids that are allocated for use + in mapping UNIX users to NT user SIDs. This range of ids should have no existing local + or NIS users within it as strange conflicts can occur otherwise.

Default: idmap uid = <empty string>

Example: idmap uid = 10000-20000

include (G)

This allows you to include one config file inside another. The file is included literally, as though typed in place.

It takes the standard substitutions, except %u , %P and %S. @@ -1584,7 +1601,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' a better algorithm (generates less collisions) in the names. However, many Win32 applications store the mangled names and so changing to the new algorithm must not be done - lightly as these applications may break unless reinstalled.

Default: mangling method = hash2

Example: mangling method = hash

map archive (S)

This controls whether the DOS archive attribute + lightly as these applications may break unless reinstalled.

Default: mangling method = hash2

Example: mangling method = hash

map acl inherit (S)

This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' + access control entry flags stored in Windows ACLs into an extended attribute + called user.SAMBA_PAI. This parameter only takes effect if Samba is being run + on a platform that supports extended attributes (Linux and IRIX so far) and + allows the Windows 2000 ACL editor to correctly use inheritance with the Samba + POSIX ACL mapping code. +

Default: map acl inherit = no

map archive (S)

This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option it to keep Samba/your PC from making @@ -1762,7 +1785,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' the timeout is set to 0. the caching is disabled.

Default: name cache timeout = 660

Example: name cache timeout = 0

name resolve order (G)

This option is used by the programs in the Samba suite to determine what naming services to use and in what order - to resolve host names to IP addresses. The option takes a space + to resolve host names to IP addresses. Its main purpose to is to + control how netbios name resolution is performed. The option takes a space separated string of name resolution options.

The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:

  • lmhosts : Lookup an IP @@ -1773,9 +1797,10 @@ df $1 | tail -1 | awk '{print $2" "$4}' , NIS, or DNS lookups. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf - file. Note that this method is only used if the NetBIOS name - type being queried is the 0x20 (server) name type, otherwise - it is ignored.

  • wins : Query a name with + file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). + The latter case is only useful for active directory domains and results in a DNS + query for the SRV RR entry matching _ldap._tcp.domain.

  • wins : Query a name with the IP address listed in the wins server parameter. If no WINS server has been specified this method will be ignored.

  • bcast : Do a broadcast on @@ -1784,7 +1809,9 @@ df $1 | tail -1 | awk '{print $2" "$4}' methods as it depends on the target host being on a locally connected subnet.

Default: name resolve order = lmhosts host wins bcast

Example: name resolve order = lmhosts bcast host

This will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal - system hostname lookup.

netbios aliases (G)

This is a list of NetBIOS names that nmbd(8) will + system hostname lookup.

When Samba is functioning in ADS security mode (security = ads) + it is advised to use following settings for name resolve order:

name resolve order = wins bcast

DC lookups will still be done via DNS, but fallbacks to netbios names will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.

netbios aliases (G)

This is a list of NetBIOS names that nmbd(8) will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon @@ -1926,15 +1953,15 @@ df $1 | tail -1 | awk '{print $2" "$4}' to the logs and exit.

Disabling this option prevents Samba from making this check, which involves deliberatly attempting a - bad logon to the remote server.

Default: paranoid server security = yes

passdb backend (G)

This option allows the administrator to chose which backends + bad logon to the remote server.

Default: paranoid server security = yes

passdb backend (G)

This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated - by a : character.

Available backends can include: -

  • smbpasswd - The default smbpasswd + by a : character.

    Available backends can include: +

    • smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.

    • tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb @@ -1955,8 +1982,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' Very simple backend that only provides one user: the guest user. Only maps the NT guest user to the guest account. Required in pretty much all situations. -

    -

    Default: passdb backend = smbpasswd guest

    Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest

    Example: passdb backend = ldapsam:ldaps://ldap.example.com guest

    Example: passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest

passwd chat (G)

This string controls the "chat" +

+

Default: passdb backend = smbpasswd

Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest

Example: passdb backend = ldapsam:ldaps://ldap.example.com guest

Example: passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest

passwd chat (G)

This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the @@ -2038,14 +2065,18 @@ df $1 | tail -1 | awk '{print $2" "$4}' case password. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection.

A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case.

Default: password level = 0

Example: password level = 4

password server (G)

By specifying the name of another SMB server (such - as a WinNT box) with this option, and using security = domain - or security = server you can get Samba - to do all its username/password validation via a remote server.

This option sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its Internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the smb.conf file.

The name of the password server is looked up using the + made - the password as is and the password in all-lower case.

Default: password level = 0

Example: password level = 4

password server (G)

By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using security = [ads|domain|server] + it is possible to get Samba to + to do all its username/password validation using a specific remote server.

This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections.

If parameter is a name, it is looked up using the parameter name resolve order and so may resolved by any method and order described in that parameter.

The password server must be a machine capable of using @@ -2059,20 +2090,20 @@ df $1 | tail -1 | awk '{print $2" "$4}' , which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you had better restrict them with hosts allow!

If the security parameter is set to - domain, then the list of machines in this + domain or ads, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using security = domain is that if you list several hosts in the password server option then smbd - will try each in turn till it finds one that responds. This + will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

If the password server option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP - addresses from the name resolution source.

If the list of servers contains both names and the '*' + addresses from the name resolution source.

If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize @@ -2090,7 +2121,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' are able to login from the Samba server, as when in security = server mode the network logon will appear to come from there rather than from the users workstation.

See also the security - parameter.

Default: password server = <empty string>

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = *

path (S)

This parameter specifies a directory to which + parameter.

Default: password server = <empty string>

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = windc.mydomain.com:389 192.168.1.101 *

Example: password server = *

path (S)

This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service @@ -2609,7 +2640,7 @@ print5|My Printer 5 administrative privilege on an individual printer.

See also addprinter command, deleteprinter command, - printer admin

Default :show add printer wizard = yes

shutdown script (G)

This parameter only exists in the HEAD cvs branch + printer admin

Default :show add printer wizard = yes

shutdown script (G)

This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should start a shutdown procedure.

This command will be run as the user connected to the server.

%m %t %r %f parameters are expanded:

  • %m will be substituted with the shutdown message sent to the server.

  • %t will be substituted with the number of seconds to wait before effectively starting the @@ -2617,8 +2648,8 @@ print5|My Printer 5 switch -r. It means reboot after shutdown for NT.

  • %f will be substituted with the switch -f. It means force the shutdown - even if applications do not respond for NT.

Default: None.

Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

Shutdown script example: -
+			even if applications do not respond for NT.
Default: None.
Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f
Shutdown script example:
+
 #!/bin/bash
 		
 $time=0
@@ -2626,9 +2657,9 @@ let "time/60"
 let "time++"
 
 /sbin/shutdown $3 $4 +$time $1 &
-

+

Shutdown does not return so we need to launch it in background. -

See also +

See also abort shutdown script.

smb passwd file (G)

This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

Default: smb passwd file = ${prefix}/private/smbpasswd

Example: smb passwd file = /etc/samba/smbpasswd

smb ports (G)

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139

socket address (G)

This option allows you to control what address Samba will listen for connections on. This is used to @@ -2943,7 +2974,7 @@ guest = * users list then access is denied for that user.

The current servicename is substituted for %S . This is useful in the [homes] section.

See also invalid users

Default: No valid users list (anyone can login) -

Example: valid users = greg, @pcusers

veto files (S)

This is a list of files and directories that +

Example: valid users = greg, @pcusers

veto files (S)

This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files @@ -2961,8 +2992,8 @@ guest = * for a match as they are scanned.

See also hide files and case sensitive.

Default: No files or directories are vetoed. -

Examples: -
+	
Examples:
+
 ; Veto any files containing the word Security, 
 ; any ending in .tmp, and any directory containing the
 ; word root.
@@ -3019,7 +3050,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
 	enumeration may cause some programs to behave oddly.  For
 	example, the finger program relies on having access to the
 	full user list when searching for matching
-	usernames. 
Default: winbind enum users = yes
winbind gid (G)

The winbind gid parameter specifies the range of group + usernames.

Default: winbind enum users = yes

winbind gid (G)

This parameter is now an alias for idmap gid

The winbind gid parameter specifies the range of group ids that are allocated by the winbindd(8) daemon. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.

Default: winbind gid = <empty string>

Example: winbind gid = 10000-20000

winbind separator (G)

This parameter allows an admin to define the character @@ -3029,10 +3060,10 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ and nss_winbind.so modules for UNIX services.

Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + - is used as a special character for NIS in /etc/group.

Default: winbind separator = '\'

Example: winbind separator = +

winbind uid (G)

The winbind gid parameter specifies the range of group - ids that are allocated by the winbindd(8) daemon. This range of ids should have no - existing local or NIS users within it as strange conflicts can - occur otherwise.

Default: winbind uid = <empty string>

Example: winbind uid = 10000-20000

winbind used default domain (G)

This parameter specifies whether the + is used as a special character for NIS in /etc/group.

Default: winbind separator = '\'

Example: winbind separator = +

winbind uid (G)

This parameter is now an alias for idmap uid

The winbind gid parameter specifies the range of user ids that are allocated by the + winbindd(8) + daemon. This range of ids should have no existing local or NIS users within it as strange + conflicts can occur otherwise.

Default: winbind uid = <empty string>

Example: winbind uid = 10000-20000

winbind used default domain (G)

This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own -- cgit