From f62eaeb1a5add34ee7353d0d95db3c84a5c71c22 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 13 Aug 2003 06:07:10 +0000 Subject: regenerate (This used to be commit 75a8a906e8031b50e6583f2e0354073a8aa7f5f3) --- docs/htmldocs/smb.conf.5.html | 359 +++++++++++++++++++++--------------------- 1 file changed, 180 insertions(+), 179 deletions(-) (limited to 'docs/htmldocs/smb.conf.5.html') diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 2b3d51d6f6..4928d41048 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -244,8 +244,8 @@ alias|alias|alias|alias... connection is made as the username given in the "guest account =" for the service, irrespective of the supplied password.

COMPLETE LIST OF GLOBAL PARAMETERS

Here is a list of all global parameters. See the section of - each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on - each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch + each parameter for details. Note that some are synonyms.

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on + each parameter for details. Note that some are synonyms.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

This command will be run as user.

Default: None.

Example: abort shutdown script = /sbin/shutdown -c

add group script (G)

This is the full pathname to a script that will be run @@ -571,7 +571,7 @@ alias|alias|alias|alias... policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have - offline caching disabled using csc policy = disable.

Default: csc policy = manual

Example: csc policy = programs

dead time (G)

The value of the parameter (a decimal integer) + offline caching disabled using csc policy = disable.

Default: csc policy = manual

Example: csc policy = programs

deadtime (G)

The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

This is useful to stop a server's resources being @@ -600,8 +600,7 @@ alias|alias|alias|alias... current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an - effect.

Default: debug uid = no

default (G)

A synonym for - default service.

default case (S)

See the section on + effect.

Default: debug uid = no

default case (S)

See the section on NAME MANGLING. Also note the short preserve case parameter.

Default: default case = lower

default devmode (S)

This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba @@ -642,7 +641,8 @@ alias|alias|alias|alias... [pub] path = /%S -

delete group script (G)

This is the full pathname to a script that will +

default (G)

A synonym for + default service.

delete group script (G)

This is the full pathname to a script that will be run AS ROOT smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. @@ -737,7 +737,7 @@ df $1 | tail -1 | awk '{print $2" "$4}'

or perhaps (on Sys V based systems):

 
 #!/bin/sh
 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
-

Note that you may have to replace the command names with full path names on some systems.

directory (S)

Synonym for path.

directory mask (S)

This parameter is the octal modes which are +

Note that you may have to replace the command names with full path names on some systems.

directory mask (S)

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, @@ -777,7 +777,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' force directory security mode, security mask, force security mode - parameters.

Default: directory security mask = 0777

Example: directory security mask = 0700

disable netbios (G)

Enabling this parameter will disable netbios support + parameters.

Default: directory security mask = 0777

Example: directory security mask = 0700

directory (S)

Synonym for path.

disable netbios (G)

Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.

Note

Note that clients that only support netbios won't be able to see your samba server when netbios support is disabled. @@ -1054,7 +1054,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' calls. This can have a significant impact on performance, especially when the wide links parameter is set to no.

Default: getwd cache = yes

group (S)

Synonym for - force group.

guest account (G,S)

This is a username which will be used for access + force group.

guest account (G)

This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. @@ -1062,7 +1062,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' have a valid login. The user account "ftp" is often a good choice for this parameter. If a username is specified in a given service, the specified username overrides this one. -

One some systems the default guest account "nobody" may not +

On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the @@ -1117,9 +1117,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' automounter) maps.

Note

A working NIS client is required on the system for this option to work.

See also nis homedir , domain logons - .

Default: homedir map = <empty string>

Example: homedir map = amd.homedir

host msdfs (G)

This boolean parameter is only available - if Samba has been configured and compiled with the - --with-msdfs option. If set to yes, + .

Default: homedir map = <empty string>

Example: homedir map = amd.homedir

host msdfs (G)

If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

See also the msdfs root share level parameter. For @@ -1164,8 +1162,14 @@ df $1 | tail -1 | awk '{print $2" "$4}' hosts equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you really trust - them :-).

Default: no host equivalences

Example: hosts equiv = /etc/hosts.equiv

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for - the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no + them :-).

Default: no host equivalences

Example: hosts equiv = /etc/hosts.equiv

idmap backend (G)

+ The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap + tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common + LDAP backend. This way all domain members and controllers will have the same UID and GID + to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux + systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). +

Default: idmap backend = <empty string>

Example: idmap backend = ldapsam://ldapslave.example.com

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for + the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of all group mapping.

Default: idmap gid = <empty string>

Example: idmap gid = 10000-20000

idmap uid (G)

The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local @@ -1375,12 +1379,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.

Setting this value to no will cause nmbd never to become a local - master browser.

Default: local master = yes

lock dir (G)

Synonym for - lock directory. -

lock directory (G)

This option specifies the directory where lock + master browser.

Default: local master = yes

lock directory (G)

This option specifies the directory where lock files will be placed. The lock files are used to implement the max connections - option.

Default: lock directory = ${prefix}/var/locks

Example: lock directory = /var/run/samba/locks

locking (S)

This controls whether or not locking will be + option.

Default: lock directory = ${prefix}/var/locks

Example: lock directory = /var/run/samba/locks

lock dir (G)

Synonym for + lock directory. +

locking (S)

This controls whether or not locking will be performed by the server in response to lock requests from the client.

If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report @@ -1398,7 +1402,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' in case the lock could later be aquired. This behavior is used to support PC database formats such as MS Access and FoxPro. -

Default: lock spin count = 2

lock spin time (G)

The time in microseconds that smbd should +

Default: lock spin count = 3

lock spin time (G)

The time in microseconds that smbd should pause before attempting to gain a failed lock. See lock spin count for more details.

Default: lock spin time = 10

log file (G)

This option allows you to override the name @@ -1613,10 +1617,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum - value is 1 and the maximum value is 6.

Default: mangle prefix = 1

Example: mangle prefix = 4

mangling char (S)

This controls what character is used as + value is 1 and the maximum value is 6.

+ mangle prefix is effective only when mangling method is hash2. +

Default: mangle prefix = 1

Example: mangle prefix = 4

mangling char (S)

This controls what character is used as the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set - it to whatever you prefer.

Default: mangling char = ~

Example: mangling char = ^

mangling method (G)

controls the algorithm used for the generating + it to whatever you prefer. This is effective only when mangling method is hash.

Default: mangling char = ~

Example: mangling char = ^

mangling method (G)

controls the algorithm used for the generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the default and is the algorithm that has been used in Samba for many years. "hash2" is a newer and considered @@ -1702,7 +1708,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' this parameter so you should never need to touch this parameter.

Default: max open files = 10000

max print jobs (S)

This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will remote "Out of Space" to the client. - See all total + See all total print jobs.

Default: max print jobs = 1000

Example: max print jobs = 5000

max protocol (G)

The value of the parameter (a string) is the highest protocol level that will be supported by the server.

Possible values are :

  • CORE: Earliest version. No @@ -1719,7 +1725,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' A value of zero means there is no limit on the number of print jobs reported. - See all total + See all total print jobs and max print jobs parameters.

    Default: max reported print jobs = 0

    Example: max reported print jobs = 1000

max smbd processes (G)

This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended @@ -1793,9 +1799,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' the SMB-Dfs protocol.

Only Dfs roots can act as proxy shares. Take a look at the msdfs root and host msdfs - options to find out how to set up a Dfs root share.

Example: msdfs proxy = \\\\otherserver\\someshare

msdfs root (S)

This boolean parameter is only available if - Samba is configured and compiled with the - --with-msdfs option. If set to yes, + options to find out how to set up a Dfs root share.

Example: msdfs proxy = \\\\otherserver\\someshare

msdfs root (S)

If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic @@ -1966,15 +1970,15 @@ df $1 | tail -1 | awk '{print $2" "$4}' to the logs and exit.

Disabling this option prevents Samba from making this check, which involves deliberatly attempting a - bad logon to the remote server.

Default: paranoid server security = yes

passdb backend (G)

This option allows the administrator to chose which backends + bad logon to the remote server.

Default: paranoid server security = yes

passdb backend (G)

This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated - by a : character.

Available backends can include: -
  • smbpasswd - The default smbpasswd + by a : character.

    Available backends can include: +

    • smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.

    • tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb @@ -1995,8 +1999,22 @@ df $1 | tail -1 | awk '{print $2" "$4}' Very simple backend that only provides one user: the guest user. Only maps the NT guest user to the guest account. Required in pretty much all situations. -

    -

    Default: passdb backend = smbpasswd

    Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest

    Example: passdb backend = ldapsam:ldaps://ldap.example.com guest

    Example: passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest

passwd chat (G)

This string controls the "chat" +

+

Default: passdb backend = smbpasswd

Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest

Example: passdb backend = ldapsam:ldaps://ldap.example.com guest

Example: passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest

passwd chat debug (G)

This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd(8) log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This option has no effect if the + pam password change + paramter is set. This parameter is off by default.

See also passwd chat + , pam password change + , passwd program + .

Default: passwd chat debug = no

passwd chat (G)

This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the @@ -2030,21 +2048,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' pam password change.

Default: passwd chat = *new*password* %n\\n *new*password* %n\\n *changed*

Example: passwd chat = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n - "*Password changed*"

passwd chat debug (G)

This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the - strings passed to and received from the passwd chat are printed - in the smbd(8) log with a - debug level - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the smbd log. It is available to help - Samba admins debug their passwd chat scripts - when calling the passwd program and should - be turned off after this has been done. This option has no effect if the - pam password change - paramter is set. This parameter is off by default.

See also passwd chat - , pam password change - , passwd program - .

Default: passwd chat debug = no

passwd program (G)

The name of a program that can be used to set + "*Password changed*"

passwd program (G)

The name of a program that can be used to set UNIX user passwords. Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

Also note that many passwd programs insist in reasonable @@ -2061,7 +2065,12 @@ df $1 | tail -1 | awk '{print $2" "$4}' is set this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications. Note that by default unix - password sync is set to no.

See also unix + password sync is set to no.

Not that this program is only invoked when a password change is + done via the smbd program, not when smbpasswd is used locally as root to + change a password. This means that you cannot run "smbpasswd USERNAME" as + root on the SMB server in order to test this parameter, but should run the + command "smbpasswd -r SMBMACHINE" as a non-root user instead if you want + to test the invocation of this program.

See also unix password sync.

Default: passwd program = /bin/passwd

Example: passwd program = /sbin/npasswd %u

password level (G)

Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper @@ -2158,13 +2167,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.

An interesting example may be to unmount server - resources:

postexec = /etc/umount /cdrom

See also preexec.

Default: none (no command executed)

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

preexec (S)

This option specifies a command to be run whenever + resources:

postexec = /etc/umount /cdrom

See also preexec.

Default: none (no command executed)

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

preexec close (S)

This boolean option controls whether a non-zero + return code from preexec + should close the service being connected to.

Default: preexec close = no

preexec (S)

This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:

preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

Of course, this could get annoying after a while :-)

See also preexec close and postexec - .

Default: none (no command executed)

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

preexec close (S)

This boolean option controls whether a non-zero - return code from preexec - should close the service being connected to.

Default: preexec close = no

prefered master (G)

Synonym for + .

Default: none (no command executed)

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

prefered master (G)

Synonym for preferred master for people who cannot spell :-).

preferred master (G)

This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

If this is set to yes, on startup, nmbd @@ -2177,15 +2186,15 @@ df $1 | tail -1 | awk '{print $2" "$4}' preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast - traffic and reduced browsing capabilities.

See also os level.

Default: preferred master = auto

preload (G)

This is a list of services that you want to be + traffic and reduced browsing capabilities.

See also os level.

Default: preferred master = auto

preload modules (G)

This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat.

It is recommended to only use this option on heavy-performance + servers.

Default: preload modules =

Example: preload modules = /usr/lib/samba/passdb/mysql.so+++

preload (G)

This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.

Note that if you just want all printers in your printcap file loaded then the - load printers option is easier.

Default: no preloaded services

Example: preload = fred lp colorlp

preload modules (G)

This is a list of paths to modules that should - be loaded into smbd before a client connects. This improves - the speed of smbd when reacting to new connections somewhat.

It is recommended to only use this option on heavy-performance - servers.

Default: preload modules =

Example: preload modules = /usr/lib/samba/passdb/mysql.so+++

preserve case (S)

This controls if new filenames are created + load printers option is easier.

Default: no preloaded services

Example: preload = fred lp colorlp

preserve case (S)

This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case .

Default: preserve case = yes

See the section on NAME MANGLING for a fuller discussion.

printable (S)

If this parameter is yes, then @@ -2194,8 +2203,7 @@ df $1 | tail -1 | awk '{print $2" "$4}' to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to - the resource.

Default: printable = no

printcap (G)

Synonym for - printcap name.

printcap name (S)

This parameter may be used to override the + the resource.

Default: printable = no

printcap name (S)

This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

To use the CUPS printing interface set printcap name = cups @@ -2222,7 +2230,8 @@ print5|My Printer 5 that it's a comment.

Note

Under AIX the default printcap name is /etc/qconfig. Samba will assume the file is in AIX qconfig format if the string - qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap

Example: printcap name = /etc/myprintcap

print command (S)

After a print job has finished spooling to + qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap

Example: printcap name = /etc/myprintcap

printcap (G)

Synonym for + printcap name.

print command (S)

After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there @@ -2263,15 +2272,15 @@ print5|My Printer 5 uses lp -c -d%p -oraw; rm %s. With printing = cups, and if SAMBA is compiled against libcups, any manually - set print command will be ignored.

Example: print command = /usr/local/samba/bin/myprintscript %p %s

printer (S)

Synonym for - printer name.

printer admin (S)

This is a list of users that can do anything to + set print command will be ignored.

Example: print command = /usr/local/samba/bin/myprintscript %p %s

printer admin (S)

This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation). Note that the root user always has admin rights.

Default: printer admin = <empty string>

Example: printer admin = admin, @staff

printer name (S)

This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.

Default: none (but may be lp - on many systems)

Example: printer name = laserwriter

printing (S)

This parameters controls how printer status information is + on many systems)

Example: printer name = laserwriter

printer (S)

Synonym for + printer name.

printing (S)

This parameters controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the [global] section.

Currently nine printing styles are supported. They are @@ -2418,11 +2427,7 @@ print5|My Printer 5 The security advantage of using restrict anonymous = 2 is removed by setting guest ok = yes on any share. -

Default: restrict anonymous = 0

root (G)

Synonym for - root directory". -

root dir (G)

Synonym for - root directory". -

root directory (G)

The server will chroot() (i.e. +

Default: restrict anonymous = 0

root directory (G)

The server will chroot() (i.e. Change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. @@ -2442,19 +2447,40 @@ print5|My Printer 5 you will need to mirror /etc/passwd (or a subset of it), and any binaries or configuration files needed for printing (if required). The set of files that must be mirrored is - operating system dependent.

Default: root directory = /

Example: root directory = /homes/smb

root postexec (S)

This is the same as the postexec + operating system dependent.

Default: root directory = /

Example: root directory = /homes/smb

root dir (G)

Synonym for + root directory". +

root postexec (S)

This is the same as the postexec parameter except that the command is run as root. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed.

See also - postexec.

Default: root postexec = <empty string>

root preexec (S)

This is the same as the preexec + postexec.

Default: root postexec = <empty string>

root preexec close (S)

This is the same as the preexec close + parameter except that the command is run as root.

See also + preexec and + preexec close.

Default: root preexec close = no

root preexec (S)

This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

See also preexec and - preexec close.

Default: root preexec = <empty string>

root preexec close (S)

This is the same as the preexec close - parameter except that the command is run as root.

See also - preexec and - preexec close.

Default: root preexec close = no

security (G)

This option affects how clients respond to + preexec close.

Default: root preexec = <empty string>

root (G)

Synonym for + root directory". +

security mask (S)

This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box.

This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.

If not set explicitly this parameter is 0777, allowing + a user to modify all the user/group/world permissions on a file. +

Note that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to leave it set to 0777.

See also the + force directory security mode, + directory + security mask, + force security mode parameters.

Default: security mask = 0777

Example: security mask = 0770

security (G)

This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

The option sets the "security mode bit" in replies to protocol negotiations with smbd(8) to turn share level security on or off. Clients decide @@ -2462,8 +2488,8 @@ print5|My Printer 5 information to the server.

The default is security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT.

The alternatives are security = share, - security = server or security = domain - .

In versions of Samba prior to 2.0.0, the default was + security = server, security = domain + , or security = ads.

In versions of Samba prior to 2.0.0, the default was security = share mainly because that was the only option at one stage.

There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client @@ -2600,24 +2626,7 @@ print5|My Printer 5 Controller.

Read the chapter about Domain Membership in the HOWTO for details.

See also the ads server parameter, the realm paramter and the - encrypted passwords parameter.

Default: security = USER

Example: security = DOMAIN

security mask (S)

This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box.

This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.

If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. -

Note that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to 0777.

See also the - force directory security mode, - directory - security mask, - force security mode parameters.

Default: security mask = 0777

Example: security mask = 0770

server schannel (G)

This controls whether the server offers or even + encrypted passwords parameter.

Default: security = USER

Example: security = DOMAIN

server schannel (G)

This controls whether the server offers or even demands the use of the netlogon schannel. server schannel = no does not offer the schannel, server schannel = @@ -2682,7 +2691,7 @@ print5|My Printer 5 administrative privilege on an individual printer.

See also addprinter command, deleteprinter command, - printer admin

Default :show add printer wizard = yes

shutdown script (G)

This parameter only exists in the HEAD cvs branch + printer admin

Default :show add printer wizard = yes

shutdown script (G)

This parameter only exists in the HEAD cvs branch This a full path name to a script called by smbd(8) that should start a shutdown procedure.

This command will be run as the user connected to the server.

%m %t %r %f parameters are expanded:

  • %m will be substituted with the shutdown message sent to the server.

  • %t will be substituted with the number of seconds to wait before effectively starting the @@ -2690,8 +2699,8 @@ print5|My Printer 5 switch -r. It means reboot after shutdown for NT.

  • %f will be substituted with the switch -f. It means force the shutdown - even if applications do not respond for NT.

Default: None.

Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

Shutdown script example: -
+			even if applications do not respond for NT.

Default: None.

Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

Shutdown script example: +

 #!/bin/bash
 		
 $time=0
@@ -2699,9 +2708,9 @@ let "time/60"
 let "time++"
 
 /sbin/shutdown $3 $4 +$time $1 &
-
+

Shutdown does not return so we need to launch it in background. -

See also +

See also abort shutdown script.

smb passwd file (G)

This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

Default: smb passwd file = ${prefix}/private/smbpasswd

Example: smb passwd file = /etc/samba/smbpasswd

smb ports (G)

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139

socket address (G)

This option allows you to control what address Samba will listen for connections on. This is used to @@ -2779,7 +2788,9 @@ Shutdown does not return so we need to launch it in background. the strict sync parameter must be set to yes in order for this parameter to have any affect.

See also the strict - sync parameter.

Default: sync always = no

syslog (G)

This parameter maps how Samba debug messages + sync parameter.

Default: sync always = no

syslog only (G)

If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files.

Default: syslog only = no

syslog (G)

This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level @@ -2787,9 +2798,7 @@ Shutdown does not return so we need to launch it in background. maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.

This parameter sets the threshold for sending messages to syslog. Only messages with debug level less than this value - will be sent to syslog.

Default: syslog = 1

syslog only (G)

If this parameter is set then Samba debug - messages are logged into the system syslog only, and not to - the debug log files.

Default: syslog only = no

template homedir (G)

When filling out the user information for a Windows NT + will be sent to syslog.

Default: syslog = 1

template homedir (G)

When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it @@ -2805,16 +2814,7 @@ Shutdown does not return so we need to launch it in background. you are serving a lot of PCs that have incorrect daylight saving time handling.

Default: time offset = 0

Example: time offset = 60

time server (G)

This parameter determines if nmbd(8) advertises itself as a time server to Windows clients.

Default: time server = no

timestamp logs (G)

Synonym for - debug timestamp.

total print jobs (G)

This parameter accepts an integer value which defines - a limit on the maximum number of print jobs that will be accepted - system wide at any given time. If a print job is submitted - by a client which will exceed this number, then smbd(8) will return an - error indicating that no space is available on the server. The - default value of 0 means that no such limit exists. This parameter - can be used to prevent a server from exceeding its capacity and is - designed as a printing throttle. See also - max print jobs. -

Default: total print jobs = 0

Example: total print jobs = 5000

unicode (G)

Specifies whether Samba should try + debug timestamp.

unicode (G)

Specifies whether Samba should try to use unicode on the wire by default. Note: This does NOT mean that samba will assume that the unix machine uses unicode!

Default: unicode = yes

unix charset (G)

Specifies the charset the unix machine @@ -2883,42 +2883,7 @@ Shutdown does not return so we need to launch it in background. default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code. -

Default: use mmap = yes

user (S)

Synonym for username.

username (S)

Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right).

The username line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead.

The username line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - username line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely.

Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you - can use the valid users - parameter.

If any of the usernames begin with a '@' then the name - will be looked up first in the NIS netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name.

If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name.

If any of the usernames begin with a '&' then the name - will be looked up only in the NIS netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name.

Note that searching though a groups database can take - quite some time, and some clients may time out during the - search.

See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how - this parameter determines access to the services.

Default: The guest account if a guest service, - else <empty string>.

Examples:username = fred, mary, jack, jane, - @users, @pcgroup

username level (G)

This option helps Samba to try and 'guess' at +

Default: use mmap = yes

username level (G)

This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the @@ -2972,19 +2937,60 @@ guest = * modification.

Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job.

Default: no username map

Example: username map = /usr/local/samba/lib/users.map

users (S)

Synonym for - username.

use sendfile (S)

If this parameter is yes, and Samba - was built with the --with-sendfile-support option, and the underlying operating + they don't own the print job.

Default: no username map

Example: username map = /usr/local/samba/lib/users.map

username (S)

Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).

The username line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.

The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.

Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you + can use the valid users + parameter.

If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.

If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.

If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.

Note that searching though a groups database can take + quite some time, and some clients may time out during the + search.

See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services.

Default: The guest account if a guest service, + else <empty string>.

Examples:username = fred, mary, jack, jane, + @users, @pcgroup

users (S)

Synonym for + username.

user (S)

Synonym for username.

use sendfile (S)

If this parameter is yes, and the underlying operating system supports sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's - and cause Samba to be faster. This is off by default as it's effects are unknown - as yet.

Default: use sendfile = no

use spnego (G)

This variable controls controls whether samba will try + and cause Samba to be faster.

Default: use sendfile = no

use spnego (G)

This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be - disabled.

Default: use spnego = yes

utmp (G)

This boolean parameter is only available if + disabled.

Default: use spnego = yes

utmp directory (G)

This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. See also the + utmp parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/utmp on Linux).

Default: no utmp directory

Example: utmp directory = /var/run/utmp

utmp (G)

This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a @@ -2994,22 +3000,7 @@ guest = * incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.

See also the - utmp directory parameter.

Default: utmp = no

utmp directory (G)

This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the utmp or utmpx files (depending on the UNIX system) that - record user connections to a Samba server. See also the - utmp parameter. By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/utmp on Linux).

Default: no utmp directory

Example: utmp directory = /var/run/utmp

-valid (S)

This parameter indicates whether a share is - valid and thus can be used. When this parameter is set to false, - the share will be in no way visible nor accessible. -

- This option should not be - used by regular users but might be of help to developers. - Samba uses this option internally to mark shares as deleted. -

Default: True

valid users (S)

This is a list of users that should be allowed + utmp directory parameter.

Default: utmp = no

valid users (S)

This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

If this is empty (the default) then any user can login. @@ -3017,7 +3008,14 @@ guest = * users list then access is denied for that user.

The current servicename is substituted for %S . This is useful in the [homes] section.

See also invalid users

Default: No valid users list (anyone can login) -

Example: valid users = greg, @pcusers

veto files (S)

This is a list of files and directories that +

Example: valid users = greg, @pcusers

-valid (S)

This parameter indicates whether a share is + valid and thus can be used. When this parameter is set to false, + the share will be in no way visible nor accessible. +

+ This option should not be + used by regular users but might be of help to developers. + Samba uses this option internally to mark shares as deleted. +

Default: True

veto files (S)

This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files @@ -3035,8 +3033,8 @@ guest = * for a match as they are scanned.

See also hide files and case sensitive.

Default: No files or directories are vetoed. -

Examples: -
+	

Examples: +

 ; Veto any files containing the word Security, 
 ; any ending in .tmp, and any directory containing the
 ; word root.
@@ -3057,14 +3055,17 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
 	client contention for files ending in .SEM. 
 	To cause Samba not to grant oplocks on these files you would use 
 	the line (either in the [global] section or in the section for 
-	the particular NetBench share :

Example: veto oplock files = /*.SEM/

vfs object (S)

Synonym for + the particular NetBench share :

Example: veto oplock files = /*.SEM/

vfs objects (S)

This parameter specifies the backend module names which + are used for Samba VFS I/O operations. By default, normal + disk I/O operations are used but these can be overloaded + with one or more VFS objects.

Options for a given VFS module are specified one per line + smb.conf perfaced by the module name and a colon (:). Such as

foo:bar=biddle

where 'foo' is the name of VFS module, 'bar' is a parameter supported + by ;foo;, and 'biddle' is the value of the option 'bar'. Refer to the + manpage for a given VFS modules regarding the options supported by that module.

Default: no value

Example: vfs objects = extd_audit recycle

vfs object (S)

Synonym for vfs objects . -

vfs objects (S)

This parameter specifies the backend names which - are used for Samba VFS I/O operations. By default, normal - disk I/O operations are used but these can be overloaded - with one or more VFS objects.

Default: no value

Example: vfs objects = extd_audit recycle

volume (S)

This allows you to override the volume label +

volume (S)

This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label.

Default: the name of the share

wide links (S)

This parameter controls whether or not links in the UNIX file system may be followed by the server. Links -- cgit
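Review bot: The entire security mask (S) entry is deleted between security (S) and server schannel (G), and nothing in the visible part of this patch adds it back. Other entries in this regeneration were only reordered (syslog only now precedes syslog, utmp directory precedes utmp), so it may have moved ahead of security (S) in a hunk not shown here. Please confirm that, because the commit message says only "regenerate" and this entry documents which UNIX permission bits an NT client may change. The same question applies to total print jobs (G), removed after timestamp logs (G). While in the source, the context line "the realm paramter and the" in the security (S) entry has a typo ("parameter").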
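Review bot: In the shutdown script (G) entry, the regenerated Example line still names the wrong parameter: "Example: abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f" should read "shutdown script = ...". The sample script carried along as context also needs fixing in the DocBook source before regenerating: "$time=0" is not a valid bash assignment (it should be "time=0"), and the final line passes $1, which the text says is the shutdown message sent to the server, to /sbin/shutdown unquoted. Since the entry states the command runs as the connected user with that message substituted in, the example should quote it as "$1".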
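Review bot: In the use sendfile (S) entry, the new text drops both the "--with-sendfile-support" build condition and the sentence explaining that the option is off by default because its effects are unknown, yet "Default: use sendfile = no" is unchanged. Readers are left with no reason for the default. If the build option is gone and the behaviour is now considered stable, say so in the source, otherwise keep a one-line caveat. Two wording slips in the same hunk are worth fixing in the source too: "This variable controls controls whether" in use spnego (G), and "searching though a groups database" in the moved username (S) entry.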
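Review bot: The paragraph added to vfs objects (S) on module options has several errors that make the syntax hard to follow. "specified one per line smb.conf perfaced by the module name" should read "specified one per line in smb.conf, prefaced by the module name". "by ;foo;" looks like broken quoting markup and should be 'foo' to match the 'foo', 'bar' and 'biddle' quoting around it. "a given VFS modules" should be singular. It would also help to state whether the "foo:bar=biddle" line belongs in the share section that sets vfs objects or in [global], since the entry is marked (S) and the text does not say.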