From d069dacb6e17866dd5d3862e1837a9cae008644f Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Fri, 15 Aug 2003 18:26:34 +0000
Subject: Regenerate docs (This used to be commit dc33e94161e4fc1ca6bf66a321c708c89bb276e3)
---
 docs/htmldocs/smb.conf.5.html | 109 ++++++++++++++++++++++--------------------
 1 file changed, 58 insertions(+), 51 deletions(-)
(limited to 'docs/htmldocs/smb.conf.5.html')

diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 4928d41048..926d8fcbb4 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -244,8 +244,8 @@ alias|alias|alias|alias... connection is made as the username given in the "guest account =" for the service, irrespective of the supplied password.

COMPLETE LIST OF GLOBAL PARAMETERS

Here is a list of all global parameters. See the section of - each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on - each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch + each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on + each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

This command will be run as user.

Default: None.

Example: abort shutdown script = /sbin/shutdown -c

add group script (G)

This is the full pathname to a script that will be run @@ -322,7 +322,7 @@ alias|alias|alias|alias... created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users + Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

In order to use this option, smbd(8) must NOT be set to security = share and add user script must be set to a full pathname for a script that will create a UNIX @@ -367,7 +367,7 @@ alias|alias|alias|alias... security option is set to server or domain. If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which smbd is running + a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.

This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As @@ -525,6 +525,9 @@ alias|alias|alias|alias... responses, and not the weaker LM or NTLM.

Default : client ntlmv2 auth = no

client use spnego (G)

This variable controls controls whether samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 servers to agree upon an authentication mechanism. + SPNEGO client support for SMB Signing is currently broken, so + you might want to turn this option off when operating with + Windows 2003 domain controllers in particular.

Default: client use spnego = yes

comment (S)

This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares @@ -1049,12 +1052,18 @@ df $1 | tail -1 | awk '{print $2" "$4}' for a share. The default type is NTFS for compatibility with Windows NT but this can be changed to other strings such as Samba or FAT - if required.

Default: fstype = NTFS

Example: fstype = Samba

getwd cache (G)

This is a tuning option. When this is enabled a + if required.

Default: fstype = NTFS

Example: fstype = Samba

get quota command (G)

The get quota command should only be used + whenever there is no operating system API available from the OS that + samba can use.

This parameter should specify the path to a script that + queries the quota information for the specified + user/group for the partition that + the specified directory is on.

Such a script should take 3 arguments:

  • directory

  • type of query

  • uid of user or gid of group

The type of query can be one of :

  • 1 - user quotas

  • 2 - user default quotas (uid = -1)

  • 3 - group quotas

  • 4 - group default quotas (gid = -1)

This script should print its output according to the following format:

  • Line 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)

  • Line 2 - number of currently used blocks

  • Line 3 - the softlimit number of blocks

  • Line 4 - the hardlimit number of blocks

  • Line 5 - currently used number of inodes

  • Line 6 - the softlimit number of inodes

  • Line 7 - the hardlimit number of inodes

  • Line 8(optional) - the number of bytes in a block(default is 1024)

See also the set quota command parameter. +

Default: get quota command =

Example: get quota command = /usr/local/sbin/query_quota

getwd cache (G)

This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the wide links parameter is set to no.

Default: getwd cache = yes

group (S)

Synonym for - force group.

guest account (G)

This is a username which will be used for access + force group.

guest account (G,S)

This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. @@ -1062,7 +1071,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' have a valid login. The user account "ftp" is often a good choice for this parameter. If a username is specified in a given service, the specified username overrides this one. -

On some systems the default guest account "nobody" may not +

One some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the @@ -1117,12 +1126,14 @@ df $1 | tail -1 | awk '{print $2" "$4}' automounter) maps.

Note

A working NIS client is required on the system for this option to work.

See also nis homedir , domain logons - .

Default: homedir map = <empty string>

Example: homedir map = amd.homedir

host msdfs (G)

If set to yes, + .

Default: homedir map = <empty string>

Example: homedir map = amd.homedir

host msdfs (G)

This boolean parameter is only available + if Samba has been configured and compiled with the + --with-msdfs option. If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

See also the msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, - refer to msdfs_setup.html. + refer to ???.

Default: host msdfs = no

hostname lookups (G)

Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking @@ -1169,7 +1180,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).

Default: idmap backend = <empty string>

Example: idmap backend = ldapsam://ldapslave.example.com

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for - the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no + the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of all group mapping.

Default: idmap gid = <empty string>

Example: idmap gid = 10000-20000

idmap uid (G)

The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local @@ -1469,8 +1480,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE - U: \\SERVER\UTILS for commonly used utilities, or - NET USE Q: \\SERVER\ISO9001_QA for example.

Note that it is particularly important not to allow write + U: \\SERVER\UTILS for commonly used utilities, or

+	NET USE Q: \\SERVER\ISO9001_QA

for example.

Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be @@ -1545,8 +1556,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' parameter.

Default: depends on the setting of printing

Example 1: lprm command = /usr/bin/lprm -P%p %j

Example 2: lprm command = /usr/bin/cancel %p-%j

machine password timeout (G)

If a Samba server is a member of a Windows NT Domain (see the security = domain) - parameter) then periodically a running - smbd(8) process will try and change the MACHINE ACCOUNT + parameter) then periodically a running smbd + process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb . This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in @@ -1799,14 +1810,15 @@ df $1 | tail -1 | awk '{print $2" "$4}' the SMB-Dfs protocol.

Only Dfs roots can act as proxy shares. Take a look at the msdfs root and host msdfs - options to find out how to set up a Dfs root share.

Example: msdfs proxy = \\\\otherserver\\someshare

msdfs root (S)

If set to yes, + options to find out how to set up a Dfs root share.

Example: msdfs proxy = \\\\otherserver\\someshare

msdfs root (S)

This boolean parameter is only available if + Samba is configured and compiled with the + --with-msdfs option. If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic links of the form msdfs:serverA\\shareA,serverB\\shareB and so on. For more information on setting up a Dfs tree - on Samba, refer to "Hosting a Microsoft - Distributed File System tree on Samba" document.

See also host msdfs

Default: msdfs root = no

name cache timeout (G)

Specifies the number of seconds it takes before + on Samba, refer to ???.

See also host msdfs

Default: msdfs root = no

name cache timeout (G)

Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If the timeout is set to 0. the caching is disabled.

Default: name cache timeout = 660

Example: name cache timeout = 0

name resolve order (G)

This option is used by the programs in the Samba @@ -1837,7 +1849,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' first, followed by a broadcast attempt, followed by a normal system hostname lookup.

When Samba is functioning in ADS security mode (security = ads) it is advised to use following settings for name resolve order:

name resolve order = wins bcast

DC lookups will still be done via DNS, but fallbacks to netbios names will - not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.

netbios aliases (G)

This is a list of NetBIOS names that nmbd(8) will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.

netbios aliases (G)

This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon @@ -1943,9 +1955,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' names to OS/2 printer driver names. The format is:

<nt driver name> = <os2 driver name>.<device name>

For example, a valid entry using the HP LaserJet 5 printer driver would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.

The need for the file is due to the printer driver namespace - problem described in the Samba - Printing HOWTO. For more details on OS/2 clients, please - refer to the OS2-Client-HOWTO containing in the Samba documentation.

Default: os2 driver map = <empty string>

os level (G)

This integer value controls what level Samba + problem described in ???. For more details on OS/2 clients, please + refer to ???.

Default: os2 driver map = <empty string>

os level (G)

This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) has a chance of becoming a local master browser for the @@ -1995,12 +2006,8 @@ df $1 | tail -1 | awk '{print $2" "$4}' The MySQL based passdb backend. Takes an identifier as argument. Read the Samba HOWTO Collection for configuration details. -

  • guest - - Very simple backend that only provides one user: the guest user. - Only maps the NT guest user to the guest account. - Required in pretty much all situations.

  • -

    Default: passdb backend = smbpasswd

    Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest

    Example: passdb backend = ldapsam:ldaps://ldap.example.com guest

    Example: passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest

    passwd chat debug (G)

    This boolean specifies if the passwd chat script +

    Default: passdb backend = smbpasswd

    Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd

    Example: passdb backend = ldapsam:ldaps://ldap.example.com

    Example: passdb backend = mysql:my_plugin_args tdbsam

    passwd chat debug (G)

    This boolean specifies if the passwd chat script parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a @@ -2058,19 +2065,14 @@ df $1 | tail -1 | awk '{print $2" "$4}' it.

    Note that if the unix password sync parameter is set to yes then this program is called AS ROOT - before the SMB password in the smbpasswd(5) - file is changed. If this UNIX password change fails, then + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then smbd will fail to change the SMB password also (this is by design).

    If the unix password sync parameter is set this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications. Note that by default unix - password sync is set to no.

    Not that this program is only invoked when a password change is - done via the smbd program, not when smbpasswd is used locally as root to - change a password. This means that you cannot run "smbpasswd USERNAME" as - root on the SMB server in order to test this parameter, but should run the - command "smbpasswd -r SMBMACHINE" as a non-root user instead if you want - to test the invocation of this program.

    See also unix + password sync is set to no.

    See also unix password sync.

    Default: passwd program = /bin/passwd

    Example: passwd program = /sbin/npasswd %u

    password level (G)

    Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper @@ -2300,7 +2302,8 @@ print5|My Printer 5 Windows XP clients. New versions of Windows 2000 or Windows XP service packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba - share. When not in domain mode with winbindd then the security info copied + share. +

    When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the @@ -2309,14 +2312,14 @@ print5|My Printer 5 BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation - user to access the profile. Note that if you have multiple users logging + user to access the profile.

    Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each others profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user. -

    Default: profile acls = no

    protocol (G)

    Synonym for +

    Default: profile acls = no

    protocol (G)

    Synonym for max protocol.

    public (S)

    Synonym for guest ok.

    queuepause command (S)

    This parameter specifies the command to be executed on the server host in order to pause the printer queue.

    This command should be a program or script which takes @@ -2393,8 +2396,7 @@ print5|My Printer 5 the workgroup parameter is used instead.

    The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable.

    See the documentation file BROWSING - in the docs/ directory.

    Default: remote announce = <empty string>

    remote browse sync (G)

    This option allows you to setup nmbd(8) to periodically request + of known browse masters if your network config is that stable.

    See ???.

    Default: remote announce = <empty string>

    remote browse sync (G)

    This option allows you to setup nmbd(8) to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to gain browse lists for multiple workgroups across routed networks. This @@ -2488,8 +2490,8 @@ print5|My Printer 5 information to the server.

    The default is security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT.

    The alternatives are security = share, - security = server, security = domain - , or security = ads.

    In versions of Samba prior to 2.0.0, the default was + security = server or security = domain + .

    In versions of Samba prior to 2.0.0, the default was security = share mainly because that was the only option at one stage.

    There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client @@ -2655,7 +2657,13 @@ print5|My Printer 5 vampire. %u will be replaced with the user whose primary group is to be set. %g will be replaced with the group to - set.

    Default: No default value

    Example: set primary group script = /usr/sbin/usermod -g '%g' '%u'

    share modes (S)

    This enables or disables the honoring of + set.

    Default: No default value

    Example: set primary group script = /usr/sbin/usermod -g '%g' '%u'

    set quota command (G)

    The set quota command should only be used + whenever there is no operating system API available from the OS that + samba can use.

    This parameter should specify the path to a script that + can set quota for the specified arguments.

    The specified script should take the following arguments:

    • 1 - quota type +

      • 1 - user quotas

      • 2 - user default quotas (uid = -1)

      • 3 - group quotas

      • 4 - group default quotas (gid = -1)

      +

    • 2 - id (uid for user, gid for group, -1 if N/A)

    • 3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)

    • 4 - block softlimit

    • 5 - block hardlimit

    • 6 - inode softlimit

    • 7 - inode hardlimit

    • 8(optional) - block size, defaults to 1024

    The script should output at least one line of data.

    See also the get quota command parameter. +

    Default: set quota command =

    Example: set quota command = /usr/local/sbin/set_quota

    share modes (S)

    This enables or disables the honoring of the share modes during a file open. These modes are used by clients to gain exclusive read or write access to a file.

    These open modes are not directly supported by UNIX, so @@ -2699,7 +2707,7 @@ print5|My Printer 5 switch -r. It means reboot after shutdown for NT.

  • %f will be substituted with the switch -f. It means force the shutdown - even if applications do not respond for NT.

  • Default: None.

    Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

    Shutdown script example: + even if applications do not respond for NT.

    Default: None.

    Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

    Shutdown script example:

     #!/bin/bash
     		
    @@ -2973,11 +2981,13 @@ guest = *
         this parameter determines access to the services.

    Default: The guest account if a guest service, else <empty string>.

    Examples:username = fred, mary, jack, jane, @users, @pcgroup

    users (S)

    Synonym for - username.

    user (S)

    Synonym for username.

    use sendfile (S)

    If this parameter is yes, and the underlying operating + username.

    user (S)

    Synonym for username.

    use sendfile (S)

    If this parameter is yes, and Samba + was built with the --with-sendfile-support option, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's - and cause Samba to be faster.

    Default: use sendfile = no

    use spnego (G)

    This variable controls controls whether samba will try + and cause Samba to be faster. This is off by default as it's effects are unknown + as yet.

    Default: use sendfile = no

    use spnego (G)

    This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO @@ -3055,13 +3065,10 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ client contention for files ending in .SEM. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for - the particular NetBench share :

    Example: veto oplock files = /*.SEM/

    vfs objects (S)

    This parameter specifies the backend module names which + the particular NetBench share :

    Example: veto oplock files = /*.SEM/

    vfs objects (S)

    This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded - with one or more VFS objects.

    Options for a given VFS module are specified one per line - smb.conf perfaced by the module name and a colon (:). Such as

    foo:bar=biddle

    where 'foo' is the name of VFS module, 'bar' is a parameter supported - by ;foo;, and 'biddle' is the value of the option 'bar'. Refer to the - manpage for a given VFS modules regarding the options supported by that module.

    Default: no value

    Example: vfs objects = extd_audit recycle

    vfs object (S)

    Synonym for + with one or more VFS objects.

    Default: no value

    Example: vfs objects = extd_audit recycle

    vfs object (S)

    Synonym for vfs objects . @@ -3162,7 +3169,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ seperated from the ip address by a colon.

    Note

    You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet - browsing to work correctly.

    See the documentation file Browsing in the samba howto collection.

    Default: not enabled

    Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61

    For this example when querying a certain name, 192.19.200.1 will + browsing to work correctly.

    See the ???.

    Default: not enabled

    Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61

    For this example when querying a certain name, 192.19.200.1 will be asked first and if that doesn't respond 192.168.2.61. If either of those doesn't know the name 192.168.3.199 will be queried.

    Example: wins server = 192.9.200.1 192.168.2.61

    wins support (G)

    This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should
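
Review bot: the caveat added in the @@ -525,6 +525,9 @@ hunk tells readers they "might want to turn this option off" when talking to Windows 2003 domain controllers, but the entry keeps Default: client use spnego = yes and does not say which authentication mechanism the client uses once SPNEGO is off. The entry directly above is client ntlmv2 auth; say how the two settings interact so that nobody disables negotiation without knowing what the client falls back to. The context sentence also reads "controls controls".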
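
Review bot: the new get quota command entry in the @@ -1049,12 +1052,18 @@ hunk does not say which account smbd runs the script as, and the example path is the only hint that an absolute path is expected. The passwd program entry in this same file states both ("called AS ROOT", "MUST USE ABSOLUTE PATHS for ALL programs called"); the quota entry should carry the equivalent statement. It should also say what smbd does when the script prints fewer than seven lines or a non-numeric value, since the output format is listed but the failure behaviour is not.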
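
Review bot: the @@ -1062,7 +1071,7 @@ hunk turns "On some systems the default guest account" into "One some systems"; this is a regression introduced by the regeneration and should be corrected in the source before the HTML is committed.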
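
Review bot: "refer to msdfs_setup.html" becomes "refer to ???" in the @@ -1117,12 +1126,14 @@ hunk, and the same unresolved "???" replaces working references in the msdfs root, os2 driver map, remote announce and wins server entries further down. The cross-reference targets did not resolve when the HTML was generated; fix the link targets in the source and regenerate instead of committing output with placeholders.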
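
Review bot: in the @@ -1169,7 +1180,7 @@ hunk the idmap gid text changes "mapping UNIX groups" to "mapping UNX groups", while the idmap uid entry just below still says "UNIX users". This is a typo introduced by the new source and should be reverted.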
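
Review bot: the @@ -1995,12 +2006,8 @@ hunk deletes the guest backend bullet, which described itself as "Required in pretty much all situations", and strips guest from all three passdb backend examples, yet the commit message only says "Regenerate docs". If the guest backend is still needed at this commit, the regenerated page now teaches configurations without it, so confirm the source change was intended. The third example also loses its path (tdbsam:/etc/samba/private/passdb.tdb becomes tdbsam) with no text saying where the database then lives.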
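
Review bot: the @@ -2058,19 +2065,14 @@ hunk removes the only paragraph that explained how to test passwd program, namely that running "smbpasswd USERNAME" as root does not invoke it and that "smbpasswd -r SMBMACHINE" as a non-root user does. The entry still says the program is called AS ROOT and "must be examined for security implications", so dropping the test procedure makes that examination harder. Keep the paragraph (fixing "Not that" to "Note that") unless the behaviour it describes has changed.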
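
Review bot: the @@ -2488,8 +2490,8 @@ hunk drops security = ads from the list of alternatives, while the name resolve order entry visible in this same patch still gives advice for "ADS security mode (security = ads)". One of the two is stale; if ads is still a valid value, restore it to the list in the security entry.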
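
Review bot: in the set quota command entry added by the @@ -2655,7 +2657,13 @@ hunk, "The script should output at least one line of data" does not define what that line means, so a script author cannot tell how success or failure is reported back to smbd. State the expected content, and say which user the script runs as and that the path must be absolute, as the passwd program entry does for its own helper. The regenerated argument list also nests the four quota types under "1 - quota type" with empty bullets around them, which reads as broken markup.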
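
Review bot: the @@ -3055,13 +3065,10 @@ hunk deletes the explanation of per-module options (the foo:bar=biddle form) from vfs objects while keeping Example: vfs objects = extd_audit recycle, so the page no longer says how to configure the modules it names. If that syntax is still supported, keep the paragraph and fix its typos ("perfaced", ";foo;") in the source instead of dropping it.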