smb.conf

If you decide to use a path =If you decide to use a path = line in your [homes] section then you may find it useful to use the %S macro. For example :

An important point is that if guest access is specified in the [homes] section, all home directories will be - visible to all clients without a passwordwithout a password. In the very unlikely event that this is actually desirable, it - would be wise to also specify read only - access.

Note that the browseableNote that the browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as - it means setting browseable = nobrowseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify @@ -470,24 +461,44 @@ NAME="AEN102" >parameters define the specific attributes of sections.

Some parameters are specific to the [global] section - (e.g., securitysecurity). Some parameters are usable - in all sections (e.g., create modecreate mode). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] - sections will be considered normal. The letter GG in parentheses indicates that a parameter is specific to the - [global] section. The letter SS indicates that a parameter can be specified in a service specific - section. Note that all SS parameters can also be specified in the [global] section - in which case they will define the default behavior for all services.

Note that this paramater is not available when Samba listens +>Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information

the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have - not compiled Samba with the --with-automount--with-automount option then this value will be the same as %L.

controls if names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. - Default nono.

controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed - names. Default nono.

controls what the default case is for new - filenames. Default lowerlower.

controls if new files are created with the case that the client passes, or if they are forced to be the - "default" case. Default yesyes.

yesyes.

add group script
add printer commandaddprinter command
add user to group script
delete group script
ads server
delete printer commanddeleteprinter command
delete user from group script
disable netbios
display charset
dos charset
hide unwriteable files
hostname lookups
name cache timeout
ntlm auth
paranoid server security
realm
smb ports
unicode
unix charset
wtmp directory
wins partners
COMPLETE LIST OF SERVICE PARAMETERS
block size
mangling method
vfs path
EXPLANATION OF EACH PARAMETER abort shutdown script (G)

This parameter only exists in the HEAD cvs branchThis parameter only exists in the HEAD cvs branch This a full path name to a script called by that should stop a shutdown procedure issued by the

This command will be run as user.

Default: NoneDefault: None.

Example: add printer command (G)addprinter command (G)

With the introduction of MS-RPC based printing @@ -4440,7 +4747,7 @@ CLASS="COMMAND" >The add printer commandaddprinter command is automatically invoked with the following parameter (in @@ -4514,7 +4821,7 @@ CLASS="PARAMETER" >Once the add printer commandaddprinter command has been executed, will return an ACCESS_DENIED error to the client.

Default: noneDefault: none

Example:

This parameter is only used for add file shares. To add printer shares, see the add printer +>addprinter command

See also , .

Default: noneDefault: none

Example:

Default: add machine script = <empty string> +>add machine script = <empty string>

ads server (G)

If this option is specified, samba does + not try to figure out what ads server to use itself, but + uses the specified ads server. Either one DNS name or IP + address can be used.

Default: ads server =

Example: ads server = 192.168.1.2

add user script (G)

This is the full pathname to a script that will - be run AS ROOTAS ROOT by smbd to create the required UNIX users - ON DEMANDON DEMAND when a user accesses the Samba server.

In order to use this option, smbd - must NOTNOT be set to smbd will - call the specified script AS ROOTAS ROOT, expanding any

This is the full pathname to a script that will - be run AS ROOTAS ROOT by smbd(8) when a new group is requested. It will expand any smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. -

Default: no admin usersDefault: no admin users Example: admin users = jason

add user to group script (G)

Full path to the script that will be called when + a user is added to a group using the Windows NT domain administration + tools. It will be run by smbd(8) + AS ROOT. Any %g will be + replaced with the group name and any %u will + be replaced with the user name. +

Default: add user to group script =

Example: admin users = jasonadd user to group script = /usr/sbin/adduser %u %g

Synonym for

This option only takes effect when the

This is a synonym for the smbdwill use when authenticating a user. This option defaults to sensible values based on

Default: auth methods = <empty string>auth methods = <empty string>

Example: available = no, then ALL, then ALL attempts to connect to the service will fail. Such failures are logged.

nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that bind interfaces only is set then - unless the network address 127.0.0.1127.0.0.1 is added to the smbpasswd - by default connects to the localhost - 127.0.0.1localhost - 127.0.0.1 address as an SMB client to issue the password change request. If bind interfaces only is set then unless the - network address 127.0.0.1127.0.0.1 is added to the nmbd at the address - 127.0.0.1127.0.0.1 to determine if they are running. - Not adding 127.0.0.1127.0.0.1 will cause smbd

block size (S)

This parameter controls the behavior of + smbd(8) when reporting disk free + sizes. By default, this reports a disk block size of 1024 bytes. +

Changing this parameter may have some effect on the + efficiency of client writes, this is not yet confirmed. This + parameter was added to allow advanced administrators to change + it (usually to a higher value) and test the effect it has on + client write performance without re-compiling the code. As this + is an experimental option it may be removed in a future release. +

Changing this option does not change the disk free reporting + size, just the block size unit reported to the client.

Default: block size = 1024

Example: block size = 65536

browsable (S)

See the

See the discussion in the section NAME MANGLING.

Synonym for case sensitive.

See also , .

Default: noneDefault: none

Example:

If you want to set the string that is displayed next to the machine name then see the parameter.

Default: No comment stringDefault: No comment string

Example:

Default: no valueDefault: no value

Example:

A synonym for this parameter is notnot set here will be removed from the modes set on a file when it is created.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the

This parameter does not affect directory modes. See the parameter for details.

See also the parameter for forcing particular mode bits to be set on created files. See also the parameter for masking mode bits on created directories. See also the Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the

This is a synonym for csc policy (S)

This stands for This stands for client-side caching - policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

Note that the parameter

Samba 2.2 debug log messages are timestamped by default. If you are running at a high

Note that the parameter

Synonym for

A synonym for

See the section on NAME MANGLING. Also note the

This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba @@ -6185,8 +6672,12 @@ NAME="DEFAULTSERVICE" >

This parameter specifies the name of a service which will be connected to if the service actually requested cannot - be found. Note that the square brackets are NOTNOT given in the parameter value (see example below).

Typically the default service would be a ,

Example:

[global] @@ -6242,16 +6727,39 @@ CLASS="PROGRAMLISTING" [pub] path = /%S

delete group script (G)

This is the full pathname to a script that will + be run AS ROOT by smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. +

delete printer command (G)

deleteprinter command (G)With the introduction of MS-RPC based printer @@ -6276,7 +6784,7 @@ CLASS="FILENAME" >The delete printer commanddeleteprinter command is automatically called with only one parameter: Once the delete printer commanddeleteprinter command has been executed, will return an ACCESS_DENIED error to the client.See also add printer command addprinter command, , Default: noneDefault: none Example: This parameter is only used to remove file shares. To delete printer shares, see the delete printer +>deleteprinter command See also , . Default: noneDefault: none Example: Default: delete user script = <empty string> +>delete user script = <empty string> delete user from group script (G) Full path to the script that will be called when + a user is removed from a group using the Windows NT domain administration + tools. It will be run by smbd(8) + AS ROOT. Any %g will be + replaced with the group name and any %u will + be replaced with the user name. + Default: delete user from group script = Example: delete user from group script = /usr/sbin/deluser %u %g delete veto files (S) This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the See also the Synonym for Note: Your script should NOTNote: Your script should NOT be setuid or setgid and should be owned by (and writeable only by) root! Default: Default: By default internal routines for determining the disk capacity and remaining space will be used. - Example: Where the script dfree (which must be made executable) could be: #!/bin/sh df $1 | tail -1 | awk '{print $2" "$4}' or perhaps (on Sys V based systems): #!/bin/sh /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' Note that you may have to replace the command names @@ -6701,7 +7252,7 @@ NAME="DIRECTORY" > Synonym for notnot set here will be removed from the modes set on a directory when it is created. Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the . See the See also the parameter for masking mode bits on created files, and the parameter. Also refer to the Synonym for NoteNote that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -6865,7 +7424,7 @@ CLASS="CONSTANT" >. See also the , , disable netbios (G) Enabling this parameter will disable netbios support + in Samba. Netbios is the only available form of browsing in + all windows versions except for 2000 and XP. Note that clients that only support netbios won't be able to + see your samba server when netbios support is disabled. + Default: disable netbios = no Example: disable netbios = yes disable spoolss (G) Enabling this parameter will disables Samba's support +>Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's and will yield identical behavior as Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. Windows 9x/ME will be uneffected by @@ -6918,13 +7502,17 @@ NAME="DISABLESPOOLSS" Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. - Be very careful about enabling this parameter.Be very careful about enabling this parameter. See also use client driver display charset (G) Specifies the charset that samba will use + to print messages to stdout and stderr and SWAT will use. + Should generally be the same as the unix charset. + Default: display charset = ASCII Example: display charset = UTF8 dns proxy (G) See also the parameter See also , Default: no domain administratorsDefault: no domain administrators Example: See also , Default: no domain guestsDefault: no domain guests Example: true, the Samba server will serve Windows 95/98 Domain logons for the to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given If domain logons = yes. Experimentation is the best policy :-) Default: Default: none (i.e., all directories are OK - to descend) Example: dos charset (G) DOS SMB clients assume the server has + the same charset as they do. This option specifies which + charset Samba should talk to DOS clients. + The default depends on which charsets you have instaled. + Samba tries to use charset 850 but falls back to ASCII in + case it is not available. Run testparm(1) + to check the default on your system. + dos filemode (S) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes Default: no enumports commandDefault: no enumports command Example: This is a synonym for It is generally much better to use the real This parameter specifies a set of UNIX mode bit - permissions that will alwaysalways be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created or having its @@ -7653,7 +8308,7 @@ CLASS="PARAMETER" parameter is applied. See also the parameter for details on masking mode bits on files. See also the This parameter specifies a set of UNIX mode bit - permissions that will alwaysalways be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this @@ -7712,7 +8371,7 @@ CLASS="PARAMETER" applied. See also the parameter See also the force directory - security mode (S)force directory security mode (S) This parameter controls what UNIX permission bits @@ -7768,8 +8426,12 @@ NAME="FORCEDIRECTORYSECURITYMODE" allows a user to modify all the user/group/world permissions on a directory without restrictions. NoteNote that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -7777,7 +8439,7 @@ NAME="FORCEDIRECTORYSECURITYMODE" it set as 0000. See also the , , If the . See also . Default: no forced groupDefault: no forced group Example: NoteNote that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -7919,7 +8589,7 @@ NAME="FORCESECURITYMODE" this set to 0000. See also the , , See also Default: no forced userDefault: no forced user Example: Synonym for This is a username which will be used for access to services which are specified as lp(1). Default: This paramater does not accept % marcos, becouse + many parts of the system require this value to be + constant for correct operation Default: specified at compile time, usually - "nobody" Example: for a service, then no password is required to connect to the service. Privileges will be those of the . See the section below on for a service, then only guest connections to the service are permitted. This parameter will have no effect if is not set for the service. See the section below on See also , and . Default: no file are hiddenDefault: no file are hidden Example: hide unreadable (S)hide unreadable (G) This parameter prevents clients from seeing the @@ -8331,13 +9017,30 @@ CLASS="COMMAND" > hide unwriteable files (G) This parameter prevents clients from seeing + the existance of files that cannot be written to. Defaults to off. + Note that unwriteable directories are shown as usual. + Default: hide unwriteable = no homedir map (G) If NOTE :NOTE :A working NIS client is required on the system for this option to work. See also , Default: homedir map = <empty string>homedir map = <empty string> Example: See also the hostname lookups (G) Specifies whether samba should use (expensive) + hostname lookups or use the ip addresses instead. An example place + where hostname lookups are currently used is when checking + the hosts deny and hosts allow. + Default: hostname lookups = yes Example: hostname lookups = no hosts allow (S) Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The - EXCEPTEXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help: for a way of testing your host access to see if it does what you expect. Default: Default: none (i.e., all hosts permitted access) - Example: hosts allow - - hosts listed here are NOTNOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the list takes precedence. Default: Default: none (i.e., no hosts specifically excluded) - Example: This is not be confused with may be useful for NT clients which will not supply passwords to Samba. NOTE :NOTE : The use of option be only used if you really know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you reallyreally trust them :-). Default: no host equivalencesDefault: no host equivalences Example: . Default: no file includedDefault: no file included Example: The permissions on new files and directories are normally governed by , , and New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by , and as usual. Note that the setuid bit is neverNote that the setuid bit is never set via inheritance (the code explicitly prohibits this). See also , , and See also . Default: Default: all active interfaces except 127.0.0.1 - that are broadcast capable This is a list of users that should not be allowed - to login to this service. This is really a paranoidparanoid check to absolutely ensure an improper setting does not breach your security. +&group+&group means check the UNIX group database, followed by the NIS netgroup database, and @@ -8975,7 +9755,7 @@ CLASS="PARAMETER" This is useful in the [homes] section. See also . Default: no invalid usersDefault: no invalid users Example: Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see For UNIXes that support kernel based has oplocked. This allows complete data consistency between - SMB/CIFS, NFS and local file access (and is a veryvery cool feature :-). See also the and Default : noneDefault : none Default : ldap filter = (&(uid=%u)(objectclass=sambaAccount))ldap filter = (&(uid=%u)(objectclass=sambaAccount)) This option is used to define whether or not Samba should use SSL when connecting to the ldap server - This is NOTNOT related to Samba's previous SSL support which was enabled by specifying the ldap suffix (G) Default : noneDefault : none It specifies where users are added to the tree. Default : noneDefault : none Default : noneDefault : none For more discussions on level2 oplocks see the CIFS spec.Currently, if yes). Note also, the See also the and . See also If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the See also A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details. true doesn't - mean that Samba will becomebecome the local master browser on a subnet, just that nmbd will participate will participate in elections for local master browser.Setting this value to nmbd - nevernever to become a local master browser. Default: Synonym for This option specifies the directory where lock files will be placed. The lock files are used to implement the The time in microseconds that smbd should pause before attempting to gain a failed lock. See , real locking will be performed by the server. This option mayThis option may be useful for read-only - filesystems which maymay not need locking (such as CDROM drives), although setting this parameter of This parameter specifies the local path to which the home directory will be connected (see Note that in prior versions of Samba, the Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only - rename it to NTuser.man to - achieve the desired effect (a MANMANdatory profile). The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a This option is only useful if Samba is set up as a logon server. Default: no logon script definedDefault: no logon script defined Example: See also the A value of 0 will disable caching completely. See also the See also the parameter. Default: Default: depends on the setting of printing Example: This command should be a program or script which takes a printer name and job number to resume the print job. See also the See also the See also the parameter. Default: Default: depends on the setting of printing Example 1: If a Samba server is a member of a Windows NT Domain (see the security = domain) parameter) then periodically a running , and the security = domain) parameter. This parameter specifies the name of a file which will contain output created by a magic script (see the Default: magic output = <magic script name>.out +>magic output = <magic script name>.out If the script generates output, output will be sent to the file specified by the Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker. Magic scripts must be executable - as isas is on the host, which for some hosts and some shells will require filtering at the DOS end. Magic scripts are EXPERIMENTALMagic scripts are EXPERIMENTAL and - should NOTNOT be relied upon. Default: None. Magic scripts disabled.Default: None. Magic scripts disabled. Example: See the section on NAME MANGLING off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;). Default: no mangled mapDefault: no mangled map Example: See the section on NAME MANGLING for details on how to control the mangling process. Note that the character to use may be specified using the mangling method (G) controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the default and is the algorithm that has been + used in Samba for many years. "hash2" is a newer and considered + a better algorithm (generates less collisions) in the names. + However, many Win32 applications store the mangled names and so + changing to the new algorithm must not be done + lightly as these applications may break unless reinstalled. + New installations of Samba may set the default to hash2. Default: mangling method = hash Example: mangling method = hash2 mangled stack (G) This controls what character is used as - the magicmagic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set @@ -10842,7 +11737,7 @@ CLASS="PARAMETER" > parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter This parameter is only useful in security modes other than - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing @@ -11003,8 +11898,12 @@ HREF="#GUESTACCOUNT" will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will - hatehate you if you set the modes other than share. This is because in these modes the name of the resource being - requested is notnot sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection @@ -11066,7 +11969,7 @@ CLASS="PARAMETER" > Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the will remote "Out of Space" to the client. See all LANMAN1: First modern: First modern version of the protocol. Long filename support. See also nmbd(8) when acting as a WINS server ( See also the xedit, then - removes it afterwards. NOTE THAT IT IS VERY IMPORTANT - THAT THIS COMMAND RETURN IMMEDIATELY. That's why I have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover @@ -11546,7 +12457,7 @@ CLASS="PARAMETER" >message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s If you don't have a message command then the message @@ -11562,8 +12473,12 @@ CLASS="COMMAND" >message command = rm %s Default: no message commandDefault: no message command Example: Synonym for See also , and See also the The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer to the If you are viewing this parameter as a security measure, you should also refer to the nmbd(8) when acting as a WINS server (. See also name cache timeout (G) Specifies the number of seconds it takes before + entries in samba's hostname resolve cache time out. If + the timeout is set to 0. the caching is disabled. + Default: name cache timeout = 660 Example: name cache timeout = 0 name resolve order (G) wins : Query a name with the IP address listed in the bcast : Do a broadcast on each of the known local interfaces listed in the See also . Default: empty string (no additional names)Default: empty string (no additional names) Example: See also . Default: machine DNS nameDefault: machine DNS name Example: Default: non unix account range = <empty string> +>non unix account range = <empty string> list and is only really useful in shave level security. See also the A synonym for DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ - AND UNDERSTOOD THE SAMBA OPLOCK CODE. Default: oplock contention limit (S) This is a veryThis is a very advanced to behave in a similar way to Windows NT. DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ - AND UNDERSTOOD THE SAMBA OPLOCK CODE. Default: Oplocks may be selectively turned off on certain files with a share. See the parameter for details. See also the and ntlm auth (G) This parameter determines whether or not smbd will + attempt to authenticate users using the NTLM password hash. + If disabled, only the lanman password hashes will be used. + Please note that at least this option or lanman auth should be enabled in order to be able to log in. + Default : ntlm auth = yes os level (G) in the local broadcast area. Note :Note :By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This @@ -12459,8 +13447,8 @@ NAME="OS2DRIVERMAP" path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is: <nt driver name> = <os2 driver - name>.<device name><nt driver name> = <os2 driver + name>.<device name> For example, a valid entry using the HP LaserJet 5 printer driver would appear as Default: os2 driver map = <empty string> +>os2 driver map = <empty string> . It should be possible to enable this without changing your Default: panic action = <empty string>panic action = <empty string> Example: paranoid server security (G) Some version of NT 4.x allow non-guest + users with a bad passowrd. When this option is enabled, samba will not + use a broken NT 4.x server as password server, but instead complain + to the logs and exit. + Default: paranoid server security = yes passdb backend (G) This paramater is in two parts, the backend's name, and a 'location' +>This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated by a : character. See also - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the - The TDB based password storage backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the directory. See also ) See also nisplussam - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. plugin - Allows Samba to load an arbitary passdb backend from the .so specified as a compulsary argument. @@ -12745,8 +13758,12 @@ NAME="PASSWDCHAT" >passwd chat (G) This string controls the "chat"This string controls the "chat" conversation that takes places between smbd(8) uses to determine what to send to the Note that this parameter only is only used if the yes. This - sequence is then called AS ROOTAS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master. @@ -12831,7 +13852,7 @@ CLASS="CONSTANT" if the expect string is a full stop then no string is expected. If the See also , , and This boolean specifies if the passwd chat script - parameter is run in debugdebug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a and should be turned off after this has been done. This option has no effect if the See also , , Also note that many passwd programs insist in Also note that many passwd programs insist in reasonable - passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it. NoteNote that if the true then this program is called AS ROOT then this program is called AS ROOT before the SMB password in the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHSMUST USE ABSOLUTE PATHS - for ALLALL programs called, and must be examined for security implications. Note that by default . See also The name of the password server is looked up using the parameter NOTE:NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your - password server. DO NOT CHOOSE A PASSWORD SERVER THAT - YOU DON'T COMPLETELY TRUST. Never point a Samba server at itself for password @@ -13245,7 +14298,7 @@ CLASS="PARAMETER" Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C>WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source. See also the Default: password server = <empty string>password server = <empty string> Note that this path will be based on if one was specified. Default: noneDefault: none Example: See also . Default: none (no command executed)Default: none (no command executed) Example: postexec = echo \"%u disconnected from %S - from %m (%I)\" >> /tmp/log Of course, this could get annoying after a while :-)See also and . Default: none (no command executed)Default: none (no command executed) Example: preexec = echo \"%u connected to %S from %m - (%I)\" >> /tmp/log This boolean option controls whether a non-zero return code from See also Synonym for Note that if you just want all printers in your printcap file loaded then the option is easier. Default: no preloaded servicesDefault: no preloaded services Example: This controls if new filenames are created with the case that the client passes, or if they are forced to be the See the section on NAME MANGLING for a fuller discussion. %z - the size of the spooled print job (in bytes) The print command MUSTThe print command MUST contain at least one occurrence of nobody account. If this happens then create an alternative guest account that can print and set the print command = echo Printing %s >> +>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the For printing = CUPS : If SAMBA is compiled against libcups, then printcap = cups uses the CUPS API to @@ -13893,7 +14966,7 @@ NAME="PRINTOK" > Synonym for Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The Synonym for /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this. . This should be supplemented by an addtional setting printing = cups in the [global] section. A minimal printcap file would look something like this: print1|My Printer 1 @@ -14027,17 +15094,18 @@ CLASS="PROGRAMLISTING" print4|My Printer 4 print5|My Printer 5 where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment. NOTENOTE: Under AIX the default printcap name is Default: printer admin = <empty string>printer admin = <empty string> printer driver (S) Note :Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -14116,7 +15188,7 @@ TARGET="_top" sensitive) that describes the appropriate printer driver for your system. If you don't know the exact string to use then you should first try with no See also printer driver file (G) Note :Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -14195,7 +15271,7 @@ CLASS="FILENAME" >. See also . Default: None (set in compile).Default: None (set in compile). Example: printer driver location (S) Note :Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -14257,7 +15341,7 @@ CLASS="FILENAME" >. See also Default: Default: none (but may be lp - on many systems) Example: Synonym for This option can be set on a per printer basis See also the discussion in the [printers] section. Synonym for Synonym for Default: Default: depends on the setting of printing Example: Default: Default: depends on the setting of printing This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the option is set to. The list can include group names using the syntax described in the parameter. See also the parameter and the Default: read list = <empty string>read list = <empty string> Example: Note that this is an inverted synonym for In general this parameter should be viewed as a system tuning tool and left severely alone. See also realm (G) This option specifies the kerberos realm to use. The realm is + used as the ADS equivalent of the NT4domain. It + is usually set to the DNS name of the kerberos server. + Default: realm = Example: realm = mysambabox.mycompany.com remote announce (G) Default: remote announce = <empty string> +>remote announce = <empty string> Default: remote browse sync = <empty string> +>remote browse sync = <empty string> Synonym for Synonym for root directory - option, includingincluding some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files @@ -15027,7 +16152,7 @@ CLASS="PARAMETER" (such as CDROMs) after a connection is closed. See also Default: root postexec = <empty string> +>root postexec = <empty string> See also and Default: root preexec = <empty string> +>root preexec = <empty string> parameter except that the command is run as root.See also and security = user, see the It is possible to use smbd in a hybrid mode in a hybrid mode where it is offers both user and share level security under different SECURITY = SHARE - When clients connect to a share level security server they @@ -15252,8 +16385,12 @@ CLASS="COMMAND" >Note that smbd ALWAYS ALWAYS uses a valid UNIX user to act on behalf of the client, even in If the parameter is set, then all the other stages are missed and only the Is a username is sent with the share connection request, then this username (after mapping - see If the client did a previous If the client did a previous logon - request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username. Any users on the , then this guest user will be used, otherwise access is denied. Note that it can be veryNote that it can be very confusing in share-level security as to which UNIX username will eventually be used in granting access. See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. SECURITY = USER - This is the default security setting in Samba 2.2. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the parameter). Encrypted passwords (see the parameter) can also be used in this security mode. Parameters such as and NoteNote that the name of the resource being - requested is notnot sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this. See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. SECURITY = SERVER - In this mode Samba will try to validate the username/password @@ -15492,8 +16653,12 @@ CLASS="FILENAME" > for details on how to set this up. NoteNote that from the client's point of view NoteNote that the name of the resource being - requested is notnot sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this. See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. See also the parameter and the SECURITY = DOMAIN - This mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the NoteNote that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to. NoteNote that from the client's point of view . It only affects how the server deals with the authentication, it does not in any way affect what the client sees. NoteNote that the name of the resource being - requested is notnot sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this. BUG:BUG: There is currently a bug in the implementation of See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. See also the parameter and the NoteNote that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone @@ -15717,7 +16918,7 @@ CLASS="CONSTANT" >. See also the , , This option gives full share compatibility and enabled by default. You should NEVERYou should NEVER turn this parameter off as many Windows applications will break if you do so. . This option can be use with preserve case = yes See the section on NAME MANGLING. parameter will always cause the OpenPrinterEx() on the server - to fail. Thus the APW icon will never be displayed. Note : Note :This does not prevent the same user from having administrative privilege on an individual printer. See also , , shutdown script (G) This parameter only exists in the HEAD cvs branchThis parameter only exists in the HEAD cvs branch This a full path name to a script called by %r will be substituted with the - switch -r-r. It means reboot after shutdown for NT. %f will be substituted with the - switch -f-f. It means force the shutdown even if applications do not respond for NT. Default: NoneDefault: None. Example: Shutdown script example: - #!/bin/bash @@ -16086,15 +17305,12 @@ CLASS="PROGRAMLISTING" /sbin/shutdown $3 $4 +$time $1 & Shutdown does not return so we need to launch it in background. See also smb ports (G) Specifies which ports the server should listen on + for SMB traffic. + Default: smb ports = 445 139 socket address (G) Those marked with a '*'Those marked with a '*' take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you @@ -16305,8 +17541,12 @@ CLASS="COMMAND" >SAMBA_NETBIOS_NAME = myhostname Default: No default valueDefault: No default value Examples: This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. As of samba 3.0alpha it must be set to "no" for these clients to join a samba domain controller. It can be set to "yes" to allow samba to participate in an AD domain controlled by a Windows2000 domain controller. Default: use spnego = yesDefault: use spnego = yes See also the See also the Synonym for unicode (G) Specifies whether Samba should try + to use unicode on the wire by default. + Default: unicode = yes unix charset (G) Specifies the charset the unix machine + Samba runs on uses. Samba needs to know this in order to be able to + convert text to the charsets other SMB clients use. + Default: unix charset = ASCII unix extensions(G) passwd programparameter is called AS ROOTparameter is called AS ROOT - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new). See also , . In order for this parameter to work correctly the If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() - call to succeed. This parameter MUST not be able enabled on a print share which has valid print driver installed on the Samba - server. See also disable spoolss NOTE:NOTE: The use of Synonym for Synonym for To restrict a service to a particular set of users you can use the See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how @@ -17149,7 +18438,7 @@ HREF="#AEN236" >Default: The guest account if a guest service, - else <empty string>. Examples: !sys = mary fred guest = * Note that the remapping is applied to all occurrences @@ -17320,7 +18600,7 @@ CLASS="CONSTANT" >fred. The only exception to this is the username passed to the Default: no username mapDefault: no username map Example: See also the . It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. See also the /var/run/utmp on Linux). Default: no utmp directoryDefault: no utmp directory Example: utmp directory = /var/run/utmp wtmp directory(G) This parameter is only available if Samba has + been configured and compiled with the option --with-utmp. It specifies a directory pathname that is + used to store the wtmp or wtmpx files (depending on the UNIX system) that + record user connections to a Samba server. The difference with + the utmp directory is the fact that user info is kept after a user + has logged out. + + See also the utmp parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/wtmp on Linux). Default: no wtmp directory Example: wtmp directory = /var/log/wtmp . This is useful in the [homes] section. See also Default: Default: No valid users list (anyone can login) - Example: Each entry must be a unix path, not a DOS path and - must notnot include the unix directory separator '/'. failfail unless you also set the See also and . Default: Default: No files or directories are vetoed. - Examples:Examples:; Veto any files containing the word Security, ; any ending in .tmp, and any directory containing the @@ -17565,9 +18914,6 @@ veto files = /*Security*/*.tmp/*root*/ ; Veto the Apple specific files that a NetAtalk server ; creates. veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ This parameter is only valid when the parameter. Default: Default: No files are vetoed for oplock - grants You might want to do this on files that you know will @@ -17624,6 +18974,31 @@ CLASS="COMMAND" > vfs path (S) This parameter specifies the directory + to look in for vfs modules. The name of every vfs object + will be prepended by this directory + Default: vfs path = Example: vfs path = /usr/lib/samba/vfs vfs object (S) Default : no valueDefault : no value . Default : no valueDefault : no value Default: the name of the shareDefault: the name of the share system call will not return any data. Warning:Warning: Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the @@ -17810,8 +19201,12 @@ CLASS="COMMAND" > system call will not return any data. Warning:Warning: Turning off group enumeration may cause some programs to behave oddly. Default: winbind gid = <empty string> +>winbind gid = <empty string> Default: winbind uid = <empty string> +>winbind uid = <empty string> Default: winbind use default domain = <falseg> +>winbind use default domain = <falseg> You should point this at your WINS server if you have a multi-subnetted network. NOTENOTE. You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly. in the docs/ directory of your Samba source distribution. Default: not enabledDefault: not enabled Example: nmbd to be your WINS server. - Note that you should NEVERNEVER set this to trueThis controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain setting. Default: set at compile time to WORKGROUPDefault: set at compile time to WORKGROUP Example: Synonym for If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file - (it does notnot do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. @@ -18203,7 +19618,7 @@ NAME="WRITELIST" >This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the See also the Default: write list = <empty string> +>write list = <empty string> wins partners (G) A space separated list of partners' IP addresses for + WINS replication. WINS partners are always defined as push/pull + partners as defining only one way WINS replication is unreliable. + WINS replication is currently experimental and unreliable between + samba servers. + Default: wins partners = Example: wins partners = 192.168.0.1 172.16.1.2 write ok (S) Synonym for An inverted synonym is printable = yes) - will ALWAYSALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations. WARNINGS VERSION SEE ALSO AUTHOR