From ad0e01e75059bedde6400529f1a5193ef9735e9b Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 25 Oct 2002 15:15:32 +0000
Subject: sync from HEAD

(This used to be commit 2eb7f0acd761a11bb0f24010347247074c5ed49a)
---
 docs/htmldocs/smb.conf.5.html | 1833 +++++++++++++++++++++--------------------
 1 file changed, 918 insertions(+), 915 deletions(-)

(limited to 'docs/htmldocs/smb.conf.5.html')

diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 5d1cc21da7..14820cb623 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -5,8 +5,7 @@ >smb.conf

smb.conf

smb.conf
[foo] path = /home/bar - writeable = true + read only = no [aprinter] path = /usr/spool/public - writeable = false - printable = true - guest ok = true + read only = yes + printable = yes + guest ok = yes [homes] - writeable = yes + read only = no
  • domain admin group

  • domain guest group

  • hide special files

  • ldap suffixldap user suffix

  • ldap suffixldap machine suffix

  • ldap passwd sync

  • use sendfile

  • COMPLETE LIST OF SERVICE PARAMETERS

  • status

  • that should stop a shutdown procedure issued by the will return an ACCESS_DENIED error to the client.

    See also , ,

    This parameter is only used for add file shares. To add printer shares, see the

    See also ,

    See also , , smbd(8) when a new group is requested. It will expand any when a new group is + requested. It will expand any + %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. +> to the group name passed. + This script is only useful for installations using the + Windows NT domain administration tools. The script is + free to create a group with an arbitrary name to + circumvent unix group name restrictions. In that case + the script must print the numeric gid of the created + group on stdout.
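
Review bot: The added sentence "the script must print the numeric gid of the created group on stdout" does not say what smbd does when the script prints nothing, prints a non-numeric value, or prints a gid that does not exist. Since the script is now allowed to create a group under an arbitrary name, state the failure behaviour and whether any other output on stdout is tolerated, so script authors know that stray debug output may be parsed as the gid.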

    Synonym for

    This option only takes effect when the

    This is a synonym for the smbd will use when authenticating a user. This option defaults to sensible values based on nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that

    If this parameter is set to falseno, then Samba 2.2 will behave as previous versions of Samba would and will fail the lock request immediately if the lock range @@ -5882,7 +5891,7 @@ NAME="BROWSABLE" >

    See the call. Normally set to trueyes. You should never need to change this.

    See the discussion in the section NAME MANGLING.

    Synonym for case sensitive.

    See also ,

    If you want to set the string that is displayed next to the machine name then see the

    A synonym for this parameter is

    Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the

    This parameter does not affect directory modes. See the parameter for details.

    See also the parameter for forcing particular mode bits to be set on created files. See also the parameter for masking mode bits on created directories. See also the Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the

    This is a synonym for

    Note that the parameter

    Note that the parameter

    Samba 2.2 debug log messages are timestamped by default. If you are running at a high

    Note that the parameter

    Synonym for

    A synonym for

    See the section on NAME MANGLING. Also note the

    This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba @@ -6686,7 +6695,7 @@ CLASS="EMPHASIS" service results in an error.

    Typically the default service would be a , will return an ACCESS_DENIED error to the client.

    See also , ,

    This parameter is only used to remove file shares. To delete printer shares, see the

    See also , This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the option). If this option is set to falseno (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

    If this option is set to trueyes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file @@ -7128,7 +7137,7 @@ CLASS="COMMAND" is deleted (so long as the user has permissions to do so).

    See also the

    Synonym for

    Synonym for

    Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the .

    See the

    See also the parameter for masking mode bits on created files, and the parameter.

    Also refer to the

    Synonym for .

    See also the , ,

    See also use client driver

    See also the parameter

    domain admin group (G)

    This parameter is intended as a temporary solution - to enable users to be a member of the "Domain Admins" group when - a Samba host is acting as a PDC. A complete solution will be provided - by a system for mapping Windows NT/2000 groups onto UNIX groups. - Please note that this parameter has a somewhat confusing name. It - accepts a list of usernames and of group names in standard - smb.conf notation. -

    See also domain - guest group, domain - logons -

    Default: no domain administrators

    Example: domain admin group = root @wheel

    domain guest group (G)

    This parameter is intended as a temporary solution - to enable users to be a member of the "Domain Guests" group when - a Samba host is acting as a PDC. A complete solution will be provided - by a system for mapping Windows NT/2000 groups onto UNIX groups. - Please note that this parameter has a somewhat confusing name. It - accepts a list of usernames and of group names in standard - smb.conf notation. -

    See also domain - admin group, domain - logons -

    Default: no domain guests

    Example: domain guest group = nobody @guest
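
Review bot: The domain admin group and domain guest group entries are deleted without any pointer to a replacement, although the removed text itself promised "a system for mapping Windows NT/2000 groups onto UNIX groups". Because domain admin group granted "Domain Admins" membership, an administrator upgrading with that line still in smb.conf needs to know whether it is now ignored and what to configure instead; a short note naming the successor mechanism would cover that.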

    domain logons (G)

    If set to trueyes, the Samba server will serve Windows 95/98 Domain logons for the to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given

    If domain logons = yes is acting on behalf of is not the file owner. Setting this option to true yes allows DOS semantics and program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes

    This is a synonym for

    It is generally much better to use the real

    See also the parameter for details on masking mode bits on files.

    See also the

    See also the parameter

    See also the

    See also the , ,

    If the .

    See also

    See also the , ,

    See also parameter is set to falseno.

    Default:

    Synonym for

    This is a username which will be used for access to services which are specified as lp(1).

    This paramater does not accept % marcos, becouse +>This paramater does not accept % macros, because many parts of the system require this value to be - constant for correct operation
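
Review bot: The replacement line corrects "marcos" and "becouse" but still reads "This paramater"; change it to "This parameter" in the same edit.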

    Default: for a service, then no password is required to connect to the service. Privileges will be those of the .

    See the section below on for a service, then only guest connections to the service are permitted. This parameter will have no effect if is not set for the service.

    See the section below on

    See also , and

    hide special files (G)

    This parameter prevents clients from seeing + special files such as sockets, devices and fifo's in directory + listings. +

    Default: hide special files = no
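
Review bot: The new hide special files text says only that sockets, devices and fifos are hidden "in directory listings", and leaves open whether a client that names such a file directly can still open it. State that explicitly so the option is not read as an access control, and write "FIFOs" rather than "fifo's".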

    homedir map (G)

    If is trueyes, and

    See also ,

    See also the

    Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a

    This is not be confused with

    The permissions on new files and directories are normally governed by , , and New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by , and

    See also , , and

    See also

    See also

    Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see

    For UNIXes that support kernel based

    See also the and ldap ssl can be set to one of three values: - (a) on - Always use SSL when contacting the -

    Default :

    ldap passwd sync (G)

    This option is used to define whether + or not Samba should sync the LDAP password with the NT + and LM hashes for normal accounts (NOT for + workstation, server or domain trusts) on a password + change via SAMBA. +

    The ldap passwd sync can be set to one of three values: +

    • Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.

    • No = Update NT and LM passwords and update the pwdLastSet time.

    • Only = Only update the LDAP password and let the LDAP server do the rest.

    Default : ldap passwd sync = no
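
Review bot: In the Yes entry, "Try to update the LDAP, NT and LM passwords" does not say what happens when one of the updates fails, so a reader cannot tell whether the LDAP password and the NT/LM hashes can end up out of step. Document the failure behaviour, and add a cross-reference to ldap ssl, since with Yes or Only a password change made through Samba is passed on to the LDAP server.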

    level2 oplocks (S)
    For more discussions on level2 oplocks see the CIFS spec.

    Currently, if yes). Note also, the parameter must be set to trueyes on this share in order for this parameter to have any effect.

    See also the and trueyes, falseno, or . If set to falseno Samba will never produce these broadcasts. If set to trueyes Samba will produce Lanman announce broadcasts at a frequency set by the parameter .

    See also

    If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the

    See also A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details.

    to try and become a local master browser on a subnet. If set to falseno then nmbdtrueyes. Setting this value to trueyes doesn't mean that Samba will

    Setting this value to falseno will cause nmbd

    Synonym for This option specifies the directory where lock files will be placed. The lock files are used to implement the The time in microseconds that smbd should pause before attempting to gain a failed lock. See

    This parameter specifies the local path to which the home directory will be connected (see

    Note that in prior versions of Samba, the

    The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a

    See also the A value of 0 will disable caching completely.

    See also the

    See also the This command should be a program or script which takes a printer name and job number to resume the print job. See also the

    See also the

    See also the

    If a Samba server is a member of a Windows NT Domain (see the security = domain) parameter) then periodically a running , and the security = domain) parameter.

    This parameter specifies the name of a file which will contain output created by a magic script (see the

    If the script generates output, output will be sent to the file specified by the

    See the section on NAME MANGLING

    See the section on NAME MANGLING for details on how to control the mangling process.

    Note that the character to use may be specified using the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set @@ -11737,7 +11734,7 @@ CLASS="PARAMETER" > parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter

    This parameter is only useful in security modes other than - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing @@ -11969,7 +11966,7 @@ CLASS="PARAMETER" >

    Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the will remote "Out of Space" to the client. See all

    See also nmbd(8) when acting as a WINS server (

    See also the

    Synonym for

    See also , and

    See also the The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer to the

    If you are viewing this parameter as a security measure, you should also refer to the nmbd(8) when acting as a WINS server (.

    See also wins : Query a name with the IP address listed in the bcast : Do a broadcast on each of the known local interfaces listed in the

    See also

    See also list and is only really useful in shave level security.

    See also the

    A synonym for

    Oplocks may be selectively turned off on certain files with a share. See the parameter for details.

    See also the and . It should be possible to enable this without changing your

    See also - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the - The TDB based password storage backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the directory.

    See also )

    See also smbd(8) uses to determine what to send to the

    Note that this parameter only is only used if the passwd program must be executed on the NIS master. @@ -13852,7 +13849,7 @@ CLASS="CONSTANT" if the expect string is a full stop then no string is expected.

    If the parameter is set to true, the chat pairs +> parameter is set to yes, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions.

    See also , , and smbd(8) log with a and should be turned off after this has been done. This option has no effect if the

    See also , , parameter is set to true +>yes then this program is called is set to falseno.

    See also

    The name of the password server is looked up using the parameter

    See also the

    Note that this path will be based on

    See also Of course, this could get annoying after a while :-)

    See also and

    This boolean option controls whether a non-zero return code from

    If this is set to trueyes, on startup, nmbd

    See also

    Synonym for preloadpreload (G)

    This is a list of services that you want to be @@ -14733,7 +14733,7 @@ NAME="PRELOAD" >

    Note that if you just want all printers in your printcap file loaded then the This controls if new filenames are created with the case that the client passes, or if they are forced to be the

    See the section on NAME MANGLING for a fuller discussion.

    nobody account. If this happens then create an alternative guest account that can print and set the You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the

    For printing = CUPS : If SAMBA is compiled against libcups, then printcap = cups uses the CUPS API to @@ -14966,7 +14966,7 @@ NAME="PRINTOK" >

    Synonym for Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The writeable +>read only

    Synonym for /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

    . This should be supplemented by an addtional setting printing = cups in the [global] section.

    See also .

    See also .

    See also

    Synonym for This option can be set on a per printer basis

    See also the discussion in the [printers] section.

    Synonym for

    Synonym for depends on the setting of This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the writeableread only option is set to. The list can include group names using the syntax described in the parameter.

    See also the parameter and the read only (S)

    Note that this is an inverted synonym for An inverted synonym is writeable.

    If this parameter is yes, then users + of a service may not create or modify files in the service's + directory.

    Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations.

    Default: read only = yes
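
Review bot: The new read only description states that with yes "users of a service may not create or modify files", but the write list entry touched by this same patch says listed users get write access "no matter what the read only option is set to". Add a "See also" line for write list and read list here, so the exception is visible from the parameter administrators will actually set.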

    In general this parameter should be viewed as a system tuning tool and left severely alone. See also

    This is a boolean parameter. If it is trueyes, then anonymous access to the server will be restricted, namely in the case where the server is expecting the client to send a username, but it doesn't. Setting it to trueyes will force these anonymous connections to be denied, and the client will be required to always supply a username and password when connecting. Use of this parameter @@ -16010,7 +16035,7 @@ CLASS="CONSTANT" >

    When restrict anonymous is trueyes, all anonymous connections are denied no matter what they are for. This can effect the ability of a machine to access the Samba Primary Domain Controller to revalidate @@ -16034,7 +16059,7 @@ NAME="ROOT" >

    Synonym for

    Synonym for

    See also

    See also and parameter except that the command is run as root.

    See also and security = user, see the where it is offers both user and share level security under different

  • If the parameter is set, then all the other stages are missed and only the

    Is a username is sent with the share connection request, then this username (after mapping - see

  • Any users on the

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    This is the default security setting in Samba 2.2. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the parameter). Encrypted passwords (see the parameter) can also be used in this security mode. Parameters such as and . See the parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    . See the parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    See also the parameter and the smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the parameter to be set to trueyes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly @@ -16809,7 +16834,7 @@ CLASS="EMPHASIS" the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    See also the parameter and the .

    See also the , , . This option can be use with preserve case = yes

    See the section on NAME MANGLING.

    See also , ,

    See also

  • status (G)

    This enables or disables logging of connections - to a status file that smbstatus(1) - can read.

    With this disabled smbstatus won't be able - to tell you what connections are active. You should never need to - change this parameter.

    Default: status = yes

    strict allocate (S)

    See also the falseno then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is trueyes then every write will be followed by a fsync() @@ -17812,7 +17810,7 @@ CLASS="CONSTANT" any affect.

    See also the

    Synonym for trueyes the program specified in the

    See also , .

    In order for this parameter to work correctly the

    See also disable spoolss

    falseno by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with @@ -18279,7 +18277,7 @@ NAME="USERHOSTS" >

    If this global parameter is trueyes, it specifies that the UNIX user's

    Synonym for

    Synonym for

    To restrict a service to a particular set of users you can use the

    See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how @@ -18512,16 +18510,16 @@ NAME="USERNAMEMAP" >If any line begins with a '#' or a ';' then it is ignored

    If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line +>If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line later in the file.

    For example to map from the name admin +> or administratorOr to map anyone in the UNIX group system +> to the UNIX name syssys = @system

    You can have as many mappings as you like in a username +>You can have as many mappings as you like in a username map file.

    If your system supports the NIS NETGROUP option then +>If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group @@ -18567,12 +18565,12 @@ CLASS="COMMAND" >tridge = "Andrew Tridgell"

    would map the windows username "Andrew Tridgell" to the +>would map the windows username "Andrew Tridgell" to the unix username "tridge".

    The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on +>The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line.

    Note that the remapping is applied to all occurrences +>Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to +> then you + will actually be connecting to \\server\mary and will need to supply a password suitable for mary not +> not fred. The only exception to this is the +>. The only exception to this is the username passed to the password server (if you have one). The password - server will receive whatever username the client supplies without +> (if you have one). The password + server will receive whatever username the client supplies without modification.

    Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think +>Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job.

    Default:

    use sendfile (S)

    If this parameter is yes, and Samba + was built with the --with-sendfile-support option, and the underlying operating + system supports sendfile system call, then some SMB read calls (mainly ReadAndX + and ReadRaw) will use the more efficient sendfile system call for files that + are exclusively oplocked. This may make more efficient use of the system CPU's + and cause Samba to be faster. This is off by default as it's effects are unknown + as yet. +

    Default: use sendfile = no
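
Review bot: In the use sendfile text, "it's effects are unknown as yet" should read "its effects", and "the system CPU's" should read "CPUs". Since the stated reason for defaulting to no is that the effects are unknown, consider saying the option is experimental in the first sentence rather than the last.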

    utmp (G)

    This boolean parameter is only available if +>This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to trueyes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the @@ -18656,7 +18678,7 @@ CLASS="CONSTANT" performance on large installations.

    See also the . It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. See also the . This is useful in the [homes] section.

    See also

    See also and

    This parameter is only valid when the winbind enum users parameter is - false, calls to the no, calls to the getpwent system call @@ -19195,7 +19220,10 @@ CLASS="PARAMETER" >winbind enum groups parameter is - false, calls to the no, calls to the getgrent() system @@ -19319,7 +19347,7 @@ CLASS="COMMAND" >winbind use default domain, winbind use default domainwinbind use default domain (G)

    This parameter specifies whether the

    Default: winbind use default domain = <falseg> +>winbind use default domain = <no>

    Example: winbind use default domain = truewinbind use default domain = yes

    process in Samba will act as a WINS server. You should not set this to trueyes unless you have a multi-subnetted network and you wish a particular set this to trueyes on more than one machine in your network.

    This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain

    Synonym for This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the writeableread only @@ -19633,7 +19661,7 @@ CLASS="PARAMETER" write list then they will be given write access.

    See also the write ok (S)

    Synonym for Inverted synonym for writeable read only.

    writeable (S)

    An inverted synonym is Inverted synonym for read only read only.

    If this parameter is no, then users - of a service may not create or modify files in the service's - directory.

    Note that a printable service (printable = yes) - will ALWAYS allow writing to the directory - (user privileges permitting), but only via spooling operations.

    Default: writeable = no

  • WARNINGS

    VERSION

    SEE ALSO

    AUTHOR