From ca9384623054fde64510edfbee3fc291f1d09fb9 Mon Sep 17 00:00:00 2001
From: John Terpstra
Here is a list of all global parameters. See the section of - each parameter for details. Note that some are synonyms.
Here is a list of all service parameters. See the section on - each parameter for details. Note that some are synonyms.
Here is a list of all service parameters. See the section on + each parameter for details. Note that some are synonyms.
This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.
This command will be run as user.
Default: None.
Example: abort shutdown script = /sbin/shutdown -c
This is the full pathname to a script that will be run @@ -504,12 +504,27 @@ alias|alias|alias|alias... See also add share command, delete share command. -
Default: none
Example: change share command = /usr/local/bin/addshare
This variable controls controls whether samba clients will try +
Default: none
Example: change share command = /usr/local/bin/addshare
This parameter determines whether or not smbclient(8) and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client.
The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option.
Disabling this option will also disable the client plaintext auth option
Likewise, if the client ntlmv2 + auth parameter is enabled, then only NTLMv2 logins will be + attempted. Not all servers support NTLMv2, and most will require + special configuration to us it.
Default : client lanman auth = yes
This parameter determines whether or not smbclient(8) will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.
If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Many servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2.
If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of client lanman auth.
Note that some sites (particularly + those following 'best practice' security polices) only allow NTLMv2 + responses, and not the weaker LM or NTLM.
Default : client ntlmv2 auth = no
This variable controls controls whether samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 servers to agree upon an authentication mechanism. - SPNEGO client support with Sign and Seal is currently broken, so - you might want to turn this option off when doing joins to - Windows 2003 domains.
Default: client use spnego = yes
This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares @@ -569,7 +584,7 @@ alias|alias|alias|alias... boolean parameter adds microsecond resolution to the timestamp message header when turned on.
Note that the parameter debug timestamp must be on for this to have an - effect.
Default: debug hires timestamp = no
Synonym for + effect.
Default: debug hires timestamp = no
Synonym for log level.
When using only one log file for more then one forked smbd(8)-process there may be hard to follow which process outputs which message. This boolean parameter @@ -857,7 +872,14 @@ df $1 | tail -1 | awk '{print $2" "$4}' timestamp on a file if the user smbd is acting on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd(8) will change the file - timestamp as DOS requires.
Default: dos filetimes = no
This boolean controls whether encrypted passwords + timestamp as DOS requires.
Default: dos filetimes = no
This option is used to control whether or not smbd in Samba 3.0 should fallback + to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm + development goal is to remove the algorithmic mappings of RIDs altogether, but + this has proved to be difficult. This parameter is mainly provided so that + developers can turn the algorithm on and off and see what breaks. This parameter + should not be disabled by non-developers because certain features in Samba will fail + to work without it. +
Default: enable rid algorithm = <yes>
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in @@ -1579,7 +1601,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names - do not change between sessions.
Default: mangled names = yes
This parameter controls the number of mangled names + do not change between sessions.
Default: mangled names = yes
This parameter controls the number of mangled names that should be cached in the Samba server smbd(8).
This stack is a list of recently mangled base names (extensions are only maintained if they are longer than 3 characters or contains upper case characters).
The larger this value, the more likely it is that mangled @@ -1587,7 +1609,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' However, large stack sizes will slow most directory accesses. Smaller stacks save memory in the server (each stack element costs 256 bytes).
It is not possible to absolutely guarantee correct long - filenames, so be prepared for some surprises!
Default: mangled stack = 50
Example: mangled stack = 100
controls the number of prefix + filenames, so be prepared for some surprises!
Default: mangled stack = 50
Example: mangled stack = 100
controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum @@ -1842,16 +1864,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' homedir map and return the server listed there.
Note that for this option to work there must be a working NIS system and the Samba server with this option must also - be a logon server.
Default: nis homedir = no
The non unix account range parameter specifies - the range of 'user ids' that are allocated by the various 'non unix - account' passdb backends. These backends allow - the storage of passwords for users who don't exist in /etc/passwd. - This is most often used for machine account creation. - This range of ids should have no existing local or NIS users within - it as strange conflicts can occur otherwise.
These userids never appear on the system and Samba will never - 'become' these users. They are used only to ensure that the algorithmic - RID mapping does not conflict with normal users. -
Default: non unix account range = <empty string>
Example: non unix account range = 10000-20000
This boolean parameter controls whether smbd(8) will attempt to map + be a logon server.
Default: nis homedir = no
This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. This parameter was formally a global parameter in releases prior to 2.2.2.
Default: nt acl support = yes
This parameter determines whether or not smbd(8) will attempt to @@ -1953,15 +1966,15 @@ df $1 | tail -1 | awk '{print $2" "$4}' to the logs and exit.
Disabling this option prevents Samba from making this check, which involves deliberatly attempting a - bad logon to the remote server.
Default: paranoid server security = yes
This option allows the administrator to chose which backends + bad logon to the remote server.
Default: paranoid server security = yes
This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.
This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated - by a : character.
Available backends can include: -
smbpasswd - The default smbpasswd + by a : character.
smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.
tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb @@ -1982,8 +1995,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' Very simple backend that only provides one user: the guest user. Only maps the NT guest user to the guest account. Required in pretty much all situations. -
-
Default: passdb backend = smbpasswd
Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest
Example: passdb backend = ldapsam:ldaps://ldap.example.com guest
Example: passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest
This string controls the "chat" +
Default: passdb backend = smbpasswd
Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest
Example: passdb backend = ldapsam:ldaps://ldap.example.com guest
Example: passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest
This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the @@ -2272,7 +2285,29 @@ print5|My Printer 5 printable.
This parameters defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb. -
Default :private dir = ${prefix}/private
Synonym for +
Default :private dir = ${prefix}/private
This boolean parameter controls whether smbd(8) + This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile. Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. +
Default: profile acls = no
Synonym for max protocol.
Synonym for guest ok.
This parameter specifies the command to be executed on the server host in order to pause the printer queue.
This command should be a program or script which takes @@ -2536,7 +2571,7 @@ print5|My Printer 5 does not support them. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check - users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.
Note this mode of operation has + users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.
This mode of operation has significant pitfalls, due to the fact that is activly initiates a man-in-the-middle attack on the remote SMB server. In particular, this mode of operation can cause significant resource consuption on @@ -2544,11 +2579,11 @@ print5|My Printer 5 of the user's session. Furthermore, if this connection is lost, there is no way to reestablish it, and futher authenticaions to the Samba server may fail. (From a single client, till it disconnects). -
Note that from the client's point of +
From the client's point of view security = server is the same as security = user. It only affects how the server deals with the authentication, it does - not in any way affect what the client sees.
Note that the name of the resource being + not in any way affect what the client sees.
Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing @@ -2558,6 +2593,13 @@ print5|My Printer 5 parameter for details on doing this.
See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
See also the password server parameter and the + encrypted passwords parameter.
In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility.
Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller.
Read the chapter about Domain Membership in the HOWTO for details.
See also the ads server + parameter, the realm + paramter and the encrypted passwords parameter.
Default: security = USER
Example: security = DOMAIN
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security @@ -2640,7 +2682,7 @@ print5|My Printer 5 administrative privilege on an individual printer.
See also addprinter command, deleteprinter command, - printer admin
Default :show add printer wizard = yes
This parameter only exists in the HEAD cvs branch + printer admin
Default :show add printer wizard = yes
This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should start a shutdown procedure.
This command will be run as the user connected to the server.
%m %t %r %f parameters are expanded:
%m will be substituted with the shutdown message sent to the server.
%t will be substituted with the number of seconds to wait before effectively starting the @@ -2648,8 +2690,8 @@ print5|My Printer 5 switch -r. It means reboot after shutdown for NT.
%f will be substituted with the switch -f. It means force the shutdown - even if applications do not respond for NT.
Default: None.
Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f
Shutdown script example: -
+ even if applications do not respond for NT.
Default: None.
Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f
#!/bin/bash $time=0 @@ -2657,9 +2699,9 @@ let "time/60" let "time++" /sbin/shutdown $3 $4 +$time $1 & -
+
See also
+ See also
abort shutdown script. This option sets the path to the encrypted smbpasswd file. By
default the path to the smbpasswd file is compiled into Samba. Default: smb passwd file = ${prefix}/private/smbpasswd Example: smb passwd file = /etc/samba/smbpasswd Specifies which ports the server should listen on for SMB traffic. Default: smb ports = 445 139 This option allows you to control what
address Samba will listen for connections on. This is used to
@@ -2696,9 +2738,7 @@ Shutdown does not return so we need to launch it in background.
be formatted as the output of the standard Unix env(1) command. This is of the form: Example environment entry: SAMBA_NETBIOS_NAME = myhostname Default: No default value Examples: source environment = |/etc/smb.conf.sh Example: source environment =
/usr/local/smb_env_vars This parameter determines if smbd(8) will use a cache in order to
speed up case insensitive name mappings. You should never need
- to change this parameter. Default: stat cache = yes This parameter determines the number of
- entries in the stat cache. You should
- never need to change this parameter. Default: stat cache size = 50 This is a boolean that controls the handling of
+ to change this parameter. Default: stat cache = yes This is a boolean that controls the handling of
disk space allocation in the server. When this is set to yes
the server will change from UNIX behaviour of not committing real
disk storage blocks when a file is extended to the Windows behaviour
@@ -2755,7 +2795,10 @@ Shutdown does not return so we need to launch it in background.
string %D is present it
is substituted with the user's Windows NT domain name. If the
string %U is present it
- is substituted with the user's Windows NT user name. Default: template homedir = /home/%D/%U When filling out the user information for a Windows NT
+ is substituted with the user's Windows NT user name. Default: template homedir = /home/%D/%U This option defines the default primary group for
+ each user created by winbindd(8)'s local account management
+ functions (similar to the 'add user script').
+ Default: template primary group = nobody When filling out the user information for a Windows NT
user, the winbindd(8) daemon uses this
parameter to fill in the login shell for that user. Default: template shell = /bin/false This parameter is a setting in minutes to add
to the normal GMT to local time conversion. This is useful if
@@ -2974,7 +3017,7 @@ guest = *
users list then access is denied for that user. The current servicename is substituted for %S
. This is useful in the [homes] section. See also invalid users
Default: No valid users list (anyone can login)
- Example: valid users = greg, @pcusers This is a list of files and directories that
+ Example: valid users = greg, @pcusers This is a list of files and directories that
are neither visible nor accessible. Each entry in the list must
be separated by a '/', which allows spaces to be included
in the entry. '*' and '?' can be used to specify multiple files
@@ -2992,8 +3035,8 @@ guest = *
for a match as they are scanned. See also hide files
and
case sensitive. Default: No files or directories are vetoed.
- Examples:
-
+
; Veto any files containing the word Security, ; any ending in .tmp, and any directory containing the ; word root. @@ -3032,7 +3075,13 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ that Samba has to do in order to perform the link checks.Default: wide links = yes
This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server - again.
Default: winbind cache type = 15
On large installations using winbindd(8) it may be necessary to suppress + again.
Default: winbind cache type = 15
This parameter controls whether or not winbindd + will act as a stand in replacement for the various account + management hooks in smb.conf (e.g. 'add user script'). + If enabled, winbindd will support the creation of local + users and groups as another source of UNIX account information + available via getpwnam() or getgrgid(), etc... +
Default: winbind enable local accounts = yes
On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If @@ -3060,10 +3109,16 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ and nss_winbind.so modules for UNIX services.
Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + - is used as a special character for NIS in /etc/group.
Default: winbind separator = '\'
Example: winbind separator = +
This parameter is now an alias for idmap uid
The winbind gid parameter specifies the range of user ids that are allocated by the + is used as a special character for NIS in /etc/group.
Default: winbind separator = '\'
Example: winbind separator = +
This parameter is designed to allow Samba servers that + are members of a Samba controlled domain to use UNIX accounts + distributed vi NIS, rsync, or LDAP as the uid's for winbindd users + in the hosts primary domain. Therefore, the user 'SAMBA\user1' would + be mapped to the account 'user1' in /etc/passwd instead of allocating + a new uid for him or her. +
Default: winbind trusted domains only = <no>
This parameter is now an alias for idmap uid
The winbind gid parameter specifies the range of user ids that are allocated by the winbindd(8) daemon. This range of ids should have no existing local or NIS users within it as strange - conflicts can occur otherwise.
Default: winbind uid = <empty string>
Example: winbind uid = 10000-20000
This parameter specifies whether the + conflicts can occur otherwise.
Default: winbind uid = <empty string>
Example: winbind uid = 10000-20000
This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own @@ -3090,7 +3145,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ addresses currently registered for that name. If this list is empty then the name should be deleted.
An example script that calls the BIND dynamic DNS update program nsupdate is provided in the examples - directory of the Samba source code.
A space separated list of partners' IP addresses for + directory of the Samba source code.
A space separated list of partners' IP addresses for WINS replication. WINS partners are always defined as push/pull partners as defining only one way WINS replication is unreliable. WINS replication is currently experimental and unreliable between -- cgit
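Review bot: the new client lanman auth / client ntlmv2 auth text (hunk @@ -504,12 +504,27 @@) has several wording defects that should be fixed before it lands: "tools will attempt to authenticate itself" should read "themselves"; "only server which support NT password hashes" should be "only servers which support"; "due to it's case-insensitive nature" should be "its"; "special configuration to us it" should be "use it"; "security polices" should be "policies". "Disabling this option will also disable the client plaintext auth option" is missing its full stop. The same hunk deletes the caveat that SPNEGO client support with Sign and Seal is broken when joining Windows 2003 domains; if that defect is fixed, the commit message should say so, and if it is not, the caveat should stay, since the documented default remains client use spnego = yes.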
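Review bot: in the enable rid algorithm paragraph (hunk @@ -857,7 +872,14 @@) the default is written as "enable rid algorithm = <yes>", which does not match the "Default: name = value" style used everywhere else in this file (compare "Default: dos filetimes = no" in the same hunk); drop the angle brackets. Minor wording: "should fallback to" should be "should fall back to", and "longterm" should be "long-term". The paragraph warns that the parameter "should not be disabled by non-developers because certain features in Samba will fail"; it would help to name which features, or at least to state that the parameter is global, since the reader cannot tell from this text where it may be set.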
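Review bot: hunk @@ -1842,16 +1864,7 @@ deletes the entire non unix account range description, including its default and example, with no replacement text and no note that the parameter has been removed or renamed. Administrators with "non unix account range = 10000-20000" in an existing smb.conf will have nothing in the manual explaining what now happens to those ids, which the deleted text says exist "only to ensure that the algorithmic RID mapping does not conflict with normal users". Suggest keeping a one-line entry stating that the parameter is obsolete and which parameter (if any) supersedes it.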
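Review bot: hunk @@ -1982,8 +1995,8 @@ in the passdb backend section removes the lead-in "Available backends can include:" but keeps the list it introduced (smbpasswd, tdbsam, ldapsam, mysql, guest), so the list now follows "These are separated by a : character." with nothing introducing it. If the intent was only to fix whitespace, restore the introductory line.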
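Review bot: the profile acls addition (hunk @@ -2272,7 +2285,29 @@) leaves the original opening sentence dangling: "This boolean parameter controls whether smbd(8)" is followed directly by the new "This boolean parameter was added to fix the problems ...", so the first sentence never says what smbd controls. Either complete it or drop it. The security consequence buried at the end of the paragraph, that the parameter adds a "Full Control" ACE for BUILTIN\Users to every returned ACL and that multi-user workstations must have the "Bypass traverse checking" right removed to keep users out of each other's profiles, should be stated up front, next to the default, rather than after the implementation details. Grammar: "each others profiles" should be "each other's profiles" and "other users profile directories" should be "other users' profile directories".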
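Review bot: the security = server paragraph (hunk @@ -2536,7 +2571,7 @@ and @@ -2544,11 +2579,11 @@) is edited only to drop "Note" from two sentence openings, but the surrounding context lines still carry typos that should be fixed in the same pass: "activly" should be "actively", "resource consuption" should be "resource consumption", "futher authenticaions" should be "further authentications", and "(From a single client, till it disconnects)" should be folded into the preceding sentence. The paragraph's warning that this mode "activly initiates a man-in-the-middle attack on the remote SMB server" is the most important sentence in the section and is worth keeping as the first sentence of the note.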
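Review bot: in the new security = ads text (hunk @@ -2558,6 +2593,13 @@) "a Active Directory Domain Controller" should be "an Active Directory Domain Controller" and "the realm paramter" should be "parameter". The paragraph says Samba "will need to be joined to the ADS realm using the net utility" but does not name the subcommand or cross-reference the net(8) manual page; add the reference so the reader is not left to guess.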
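Review bot: the shutdown script section (hunk @@ -2640,7 +2682,7 @@ through @@ -2657,9 +2699,9 @@) documents the parameter that "should start a shutdown procedure", yet its Example line reads "Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f", which is the name of the other parameter; it should read "shutdown script = ...". The opening "This a full path name to a script" is missing "is". The sample script starts with "$time=0", which in bash is not an assignment (the empty expansion leaves "=0", which bash tries to run as a command); it should be "time=0". Since the text states that %m is "the shutdown message sent to the server" and that the command "will be run as the user connected to the server", the example should pass the message as "$1" in double quotes rather than bare $1, so a message containing spaces or shell metacharacters is handed to /sbin/shutdown as a single argument. Finally, the closing "See also" line is missing its target: "See also abort shutdown script." has been split across the removed and added lines and should be re-joined.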
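Review bot: hunk @@ -2696,9 +2738,7 @@ removes the stat cache size entry (default 50) without any replacement or "removed" note, the same problem as the non unix account range deletion above; add a one-line obsolete-parameter entry so existing configurations that set it are still explained.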
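Review bot: the winbind enable local accounts addition (hunk @@ -3032,7 +3075,13 @@) defaults to yes, which means winbindd will by default "act as a stand in replacement for the various account management hooks in smb.conf (e.g. 'add user script')". The text does not say what happens when both this parameter and add user script are configured, nor in which release the behaviour appeared; both should be stated, since an administrator upgrading with an existing add user script needs to know whether their script still runs. Style: "etc..." should be "etc.".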
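Review bot: in hunk @@ -3060,10 +3109,16 @@ the new winbind trusted domains only text has "distributed vi NIS" (should be "via"), "uid's" (should be "uids") and "the hosts primary domain" (should be "host's"), and its default is written as "<no>" with angle brackets, unlike the other defaults in this file. More importantly, the paragraph says that with this option "the user 'SAMBA\user1' would be mapped to the account 'user1' in /etc/passwd instead of allocating a new uid"; it should spell out that this is a match by name only, so a domain user whose name collides with an unrelated local account receives that account's uid and therefore its file permissions, and that the option is only safe where the NIS, rsync or LDAP account source is the authoritative one for the domain. The context lines below it read "The winbind gid parameter specifies the range of user ids ..." under the winbind uid entry (Default: winbind uid = ...); the parameter name in that sentence should be "winbind uid", and the entry should state that it is now an alias for idmap uid in the same sentence rather than on a separate line.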