From a1311b33ff3e1c9fa9593e56146325559b4b57f1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 Feb 2001 13:53:09 +0000 Subject: generated man page and html version of smb.conf(5) (This used to be commit 14d8d881ec6e4d5e3541d14e8015d6b7e8fda349) --- docs/manpages/smb.conf.5 | 13481 ++++++++++++++++++++++----------------------- 1 file changed, 6454 insertions(+), 7027 deletions(-) (limited to 'docs/manpages') diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index f4b42282f5..db6f94f37d 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 @@ -1,7121 +1,6548 @@ -.TH "smb\&.conf " "5" "10 Jan 2001" "Samba" "SAMBA" -.PP -.SH "NAME" -smb\&.conf \- The configuration file for the Samba suite -.PP -.SH "SYNOPSIS" -.PP -\fBsmb\&.conf\fP The \fBsmb\&.conf\fP file is a configuration file for the -Samba suite\&. \fBsmb\&.conf\fP contains runtime configuration information -for the Samba programs\&. The \fBsmb\&.conf\fP file is designed to be -configured and administered by the \fBswat (8)\fP -program\&. The complete description of the file format and possible -parameters held within are here for reference purposes\&. -.PP -.SH "FILE FORMAT" -.PP -The file consists of sections and parameters\&. A section begins with -the name of the section in square brackets and continues until the -next section begins\&. Sections contain parameters of the form -.PP -\f(CW\'name = value\'\fP -.PP -The file is line-based - that is, each newline-terminated line -represents either a comment, a section name or a parameter\&. -.PP -Section and parameter names are not case sensitive\&. -.PP -Only the first equals sign in a parameter is significant\&. Whitespace -before or after the first equals sign is discarded\&. Leading, trailing -and internal whitespace in section and parameter names is -irrelevant\&. Leading and trailing whitespace in a parameter value is -discarded\&. Internal whitespace within a parameter value is retained -verbatim\&. -.PP -Any line beginning with a semicolon (\';\') or a hash (\'#\') character is -ignored, as are lines containing only whitespace\&. -.PP -Any line ending in a \f(CW\'\e\'\fP is "continued" on the next line in the -customary UNIX fashion\&. -.PP -The values following the equals sign in parameters are all either a -string (no quotes needed) or a boolean, which may be given as yes/no, -0/1 or true/false\&. Case is not significant in boolean values, but is -preserved in string values\&. Some items such as create modes are -numeric\&. -.PP -.SH "SECTION DESCRIPTIONS" -.PP +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng . +.TH "SMB.CONF" "5" "22 February 2001" "" "" +.SH NAME +smb.conf \- The configuration file for the Samba suite +.SH "SYNOPSIS" +.PP +The \fIsmb.conf\fR file is a configuration +file for the Samba suite. \fIsmb.conf\fR contains +runtime configuration information for the Samba programs. The +\fIsmb.conf\fR file is designed to be configured and +administered by the \fBswat(8)\fR + program. The complete description of the file format and +possible parameters held within are here for reference purposes. +.SH "FILE FORMAT" +.PP +The file consists of sections and parameters. A section +begins with the name of the section in square brackets and continues +until the next section begins. Sections contain parameters of the +form +.PP +\fIname\fR = \fIvalue +\fR.PP +The file is line-based - that is, each newline-terminated +line represents either a comment, a section name or a parameter. +.PP +Section and parameter names are not case sensitive. +.PP +Only the first equals sign in a parameter is significant. +Whitespace before or after the first equals sign is discarded. +Leading, trailing and internal whitespace in section and parameter +names is irrelevant. Leading and trailing whitespace in a parameter +value is discarded. Internal whitespace within a parameter value +is retained verbatim. +.PP +Any line beginning with a semicolon (';') or a hash ('#') +character is ignored, as are lines containing only whitespace. +.PP +Any line ending in a '\\' is continued +on the next line in the customary UNIX fashion. +.PP +The values following the equals sign in parameters are all +either a string (no quotes needed) or a boolean, which may be given +as yes/no, 0/1 or true/false. Case is not significant in boolean +values, but is preserved in string values. Some items such as +create modes are numeric. +.SH "SECTION DESCRIPTIONS" +.PP Each section in the configuration file (except for the -\fB[global]\fP section) describes a shared resource (known -as a \fI"share"\fP)\&. The section name is the name of the shared resource -and the parameters within the section define the shares attributes\&. -.PP -There are three special sections, \fB[global]\fP, -\fB[homes]\fP and \fB[printers]\fP, which are -described under \fB\'special sections\'\fP\&. The -following notes apply to ordinary section descriptions\&. -.PP -A share consists of a directory to which access is being given plus -a description of the access rights which are granted to the user of -the service\&. Some housekeeping options are also specifiable\&. -.PP -Sections are either filespace services (used by the client as an -extension of their native file systems) or printable services (used by -the client to access print services on the host running the server)\&. -.PP -Sections may be designated \fBguest\fP services, in which -case no password is required to access them\&. A specified UNIX -\fBguest account\fP is used to define access -privileges in this case\&. -.PP -Sections other than guest services will require a password to access -them\&. The client provides the username\&. As older clients only provide -passwords and not usernames, you may specify a list of usernames to -check against the password using the \fB"user="\fP option in -the share definition\&. For modern clients such as Windows 95/98 and -Windows NT, this should not be necessary\&. -.PP -Note that the access rights granted by the server are masked by the -access rights granted to the specified or guest UNIX user by the host -system\&. The server does not grant more access than the host system -grants\&. -.PP -The following sample section defines a file space share\&. The user has -write access to the path \f(CW/home/bar\fP\&. The share is accessed via -the share name "foo": -.PP - -.nf +[global] section) describes a shared resource (known +as a "share"). The section name is the name of the +shared resource and the parameters within the section define +the shares attributes. +.PP +There are three special sections, [global], +[homes] and [printers], which are +described under \fBspecial sections\fR. The +following notes apply to ordinary section descriptions. +.PP +A share consists of a directory to which access is being +given plus a description of the access rights which are granted +to the user of the service. Some housekeeping options are +also specifiable. +.PP +Sections are either filespace services (used by the +client as an extension of their native file systems) or +printable services (used by the client to access print services +on the host running the server). +.PP +Sections may be designated \fBguest\fR services, +in which case no password is required to access them. A specified +UNIX \fBguest account\fR is used to define access +privileges in this case. +.PP +Sections other than guest services will require a password +to access them. The client provides the username. As older clients +only provide passwords and not usernames, you may specify a list +of usernames to check against the password using the "user=" +option in the share definition. For modern clients such as +Windows 95/98/ME/NT/2000, this should not be necessary. +.PP +Note that the access rights granted by the server are +masked by the access rights granted to the specified or guest +UNIX user by the host system. The server does not grant more +access than the host system grants. +.PP +The following sample section defines a file space share. +The user has write access to the path \fI/home/bar\fR. +The share is accessed via the share name "foo": +.sp +.nf + [foo] + path = /home/bar + writeable = true + + +.sp +.fi +.PP +The following sample section defines a printable share. +The share is readonly, but printable. That is, the only write +access permitted is via calls to open, write to and close a +spool file. The \fBguest ok\fR parameter means +access will be permitted as the default guest user (specified +elsewhere): +.sp +.nf + [aprinter] + path = /usr/spool/public + writeable = false + printable = true + guest ok = true + + +.sp +.fi +.SH "SPECIAL SECTIONS" +.SS "THE GLOBAL SECTION" +.PP +parameters in this section apply to the server +as a whole, or are defaults for sections which do not +specifically define certain items. See the notes +under paraMETERS for more information. +.SS "THE HOMES SECTION" +.PP +If a section called homes is included in the +configuration file, services connecting clients to their +home directories can be created on the fly by the server. +.PP +When the connection request is made, the existing +sections are scanned. If a match is found, it is used. If no +match is found, the requested section name is treated as a +user name and looked up in the local password file. If the +name exists and the correct password has been given, a share is +created by cloning the [homes] section. +.PP +Some modifications are then made to the newly +created share: +.TP 0.2i +\(bu +The share name is changed from homes to +the located username. +.TP 0.2i +\(bu +If no path was given, the path is set to +the user's home directory. +.PP +If you decide to use a \fBpath=\fR line +in your [homes] section then you may find it useful +to use the %S macro. For example : +.PP +.PP +\fBpath=/data/pchome/%S\fR +.PP +.PP +would be useful if you have different home directories +for your PCs than for UNIX access. +.PP +.PP +This is a fast and simple way to give a large number +of clients access to their home directories with a minimum +of fuss. +.PP +.PP +A similar process occurs if the requested section +name is "homes", except that the share name is not +changed to that of the requesting user. This method of using +the [homes] section works well if different users share +a client PC. +.PP +.PP +The [homes] section can specify all the parameters +a normal service section can specify, though some make more sense +than others. The following is a typical and suitable [homes] +section: +.PP +.sp +.nf + [homes] + writeable = yes + + +.sp +.fi +.PP +An important point is that if guest access is specified +in the [homes] section, all home directories will be +visible to all clients \fBwithout a password\fR. +In the very unlikely event that this is actually desirable, it +would be wise to also specify \fBread only +access\fR. +.PP +.PP +Note that the \fBbrowseable\fR flag for +auto home directories will be inherited from the global browseable +flag, not the [homes] browseable flag. This is useful as +it means setting browseable=no in the [homes] section +will hide the [homes] share but make any auto home +directories visible. +.PP +.SS "THE PRINTERS SECTION" +.PP +This section works like [homes], +but for printers. +.PP +If a [printers] section occurs in the +configuration file, users are able to connect to any printer +specified in the local host's printcap file. +.PP +When a connection request is made, the existing sections +are scanned. If a match is found, it is used. If no match is found, +but a [homes] section exists, it is used as described +above. Otherwise, the requested section name is treated as a +printer name and the appropriate printcap file is scanned to see +if the requested section name is a valid printer share name. If +a match is found, a new printer share is created by cloning +the [printers] section. +.PP +A few modifications are then made to the newly created +share: +.TP 0.2i +\(bu +The share name is set to the located printer +name +.TP 0.2i +\(bu +If no printer name was given, the printer name +is set to the located printer name +.TP 0.2i +\(bu +If the share does not permit guest access and +no username was given, the username is set to the located +printer name. +.PP +Note that the [printers] service MUST be +printable - if you specify otherwise, the server will refuse +to load the configuration file. +.PP +.PP +Typically the path specified would be that of a +world-writeable spool directory with the sticky bit set on +it. A typical [printers] entry would look like +this: +.PP +.sp +.nf + [printers] + path = /usr/spool/public + guest ok = yes + printable = yes + +.sp +.fi +.PP +All aliases given for a printer in the printcap file +are legitimate printer names as far as the server is concerned. +If your printing subsystem doesn't work like that, you will have +to set up a pseudo-printcap. This is a file consisting of one or +more lines like this: +.PP +.sp +.nf + alias|alias|alias|alias... + + +.sp +.fi +.PP +Each alias should be an acceptable printer name for +your printing subsystem. In the [global] section, specify +the new file as your printcap. The server will then only recognize +names found in your pseudo-printcap, which of course can contain +whatever aliases you like. The same technique could be used +simply to limit access to a subset of your local printers. +.PP +.PP +An alias, by the way, is defined as any component of the +first entry of a printcap record. Records are separated by newlines, +components (if there are more than one) are separated by vertical +bar symbols ('|'). +.PP +.PP +NOTE: On SYSV systems which use lpstat to determine what +printers are defined on the system you may be able to use +"printcap name = lpstat" to automatically obtain a list +of printers. See the "printcap name" option +for more details. +.PP +.SH "PARAMETRS" +.PP +parameters define the specific attributes of sections. +.PP +Some parameters are specific to the [global] section +(e.g., \fBsecurity\fR). Some parameters are usable +in all sections (e.g., \fBcreate mode\fR). All others +are permissible only in normal sections. For the purposes of the +following descriptions the [homes] and [printers] +sections will be considered normal. The letter \fBG\fR +in parentheses indicates that a parameter is specific to the +[global] section. The letter \fBS\fR +indicates that a parameter can be specified in a service specific +section. Note that all \fBS\fR parameters can also be specified in +the [global] section - in which case they will define +the default behavior for all services. +.PP +parameters are arranged here in alphabetical order - this may +not create best bedfellows, but at least you can find them! Where +there are synonyms, the preferred synonym is described, others refer +to the preferred synonym. +.SH "VARIABLE SUBSTITUTIONS" +.PP +Many of the strings that are settable in the config file +can take substitutions. For example the option "path = +/tmp/%u" would be interpreted as "path = +/tmp/john" if the user connected with the username john. +.PP +These substitutions are mostly noted in the descriptions below, +but there are some general substitutions which apply whenever they +might be relevant. These are: +.TP +\fB%S\fR +the name of the current service, if any. +.TP +\fB%P\fR +the root directory of the current service, +if any. +.TP +\fB%u\fR +user name of the current service, if any. +.TP +\fB%g\fR +primary group name of %u. +.TP +\fB%U\fR +session user name (the user name that the client +wanted, not necessarily the same as the one they got). +.TP +\fB%G\fR +primary group name of %U. +.TP +\fB%H\fR +the home directory of the user given +by %u. +.TP +\fB%v\fR +the Samba version. +.TP +\fB%h\fR +the internet hostname that Samba is running +on. +.TP +\fB%m\fR +the NetBIOS name of the client machine +(very useful). +.TP +\fB%L\fR +the NetBIOS name of the server. This allows you +to change your config based on what the client calls you. Your +server can have a "dual personality". +.TP +\fB%M\fR +the internet name of the client machine. +.TP +\fB%N\fR +the name of your NIS home directory server. +This is obtained from your NIS auto.map entry. If you have +not compiled Samba with the \fB--with-automount\fR +option then this value will be the same as %. +.TP +\fB%p\fR +the path of the service's home directory, +obtained from your NIS auto.map entry. The NIS auto.map entry +is split up as "%N:%p". +.TP +\fB%R\fR +the selected protocol level after +protocol negotiation. It can be one of CORE, COREPLUS, +LANMAN1, LANMAN2 or NT1. +.TP +\fB%d\fR +The process id of the current server +process. +.TP +\fB%a\fR +the architecture of the remote +machine. Only some are recognized, and those may not be +100% reliable. It currently recognizes Samba, WfWg, +WinNT and Win95. Anything else will be known as +"UNKNOWN". If it gets it wrong then sending a level +3 log to samba@samba.org + should allow it to be fixed. +.TP +\fB%I\fR +The IP address of the client machine. +.TP +\fB%T\fR +the current date and time. +.TP +\fB%$(\fIenvvar\fB)\fR +The value of the environment variable +\fIenvar\fR. +.PP +There are some quite creative things that can be done +with these substitutions and other smb.conf options. +.PP +.SH "NAME MANGLING" +.PP +Samba supports "name mangling" so that DOS and +Windows clients can use files that don't conform to the 8.3 format. +It can also be set to adjust the case of 8.3 format filenames. +.PP +There are several options that control the way mangling is +performed, and they are grouped here rather than listed separately. +For the defaults look at the output of the testparm program. +.PP +All of these options can be set separately for each service +(or globally, of course). +.PP +The options are: +.TP +\fBmangle case= yes/no\fR +controls if names that have characters that +aren't of the "default" case are mangled. For example, +if this is yes then a name like "Mail" would be mangled. +Default \fBno\fR. +.TP +\fBcase sensitive = yes/no\fR +controls whether filenames are case sensitive. If +they aren't then Samba must do a filename search and match on passed +names. Default \fBno\fR. +.TP +\fBdefault case = upper/lower\fR +controls what the default case is for new +filenames. Default \fBlower\fR. +.TP +\fBpreserve case = yes/no\fR +controls if new files are created with the +case that the client passes, or if they are forced to be the +"default" case. Default \fByes\fR. +.TP +\fBshort preserve case = yes/no\fR +controls if new files which conform to 8.3 syntax, +that is all in upper case and of suitable length, are created +upper case, or if they are forced to be the "default" +case. This option can be use with "preserve case = yes" +to permit long filenames to retain their case, while short names +are lowered. Default \fByes\fR. +.PP +By default, Samba 2.2 has the same semantics as a Windows +NT server, in that it is case insensitive but case preserving. +.PP +.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION" +.PP +There are a number of ways in which a user can connect +to a service. The server follows the following steps in determining +if it will allow a connection to a specified service. If all the +steps fail then the connection request is rejected. If one of the +steps pass then the following steps are not checked. +.PP +If the service is marked "guest only = yes" then +steps 1 to 5 are skipped. +.IP 1. +If the client has passed a username/password +pair and that username/password pair is validated by the UNIX +system's password programs then the connection is made as that +username. Note that this includes the +\\\\server\\service%\fIusername\fR method of passing +a username. +.IP 2. +If the client has previously registered a username +with the system and now supplies a correct password for that +username then the connection is allowed. +.IP 3. +The client's netbios name and any previously +used user names are checked against the supplied password, if +they match then the connection is allowed as the corresponding +user. +.IP 4. +If the client has previously validated a +username/password pair with the server and the client has passed +the validation token then that username is used. +.IP 5. +If a "user = " field is given in the +\fIsmb.conf\fR file for the service and the client +has supplied a password, and that password matches (according to +the UNIX system's password checking) with one of the usernames +from the "user=" field then the connection is made as +the username in the "user=" line. If one +of the username in the "user=" list begins with a +\&'@' then that name expands to a list of names in +the group of the same name. +.IP 6. +If the service is a guest service then a +connection is made as the username given in the "guest +account =" for the service, irrespective of the +supplied password. +.SH "COMPLETE LIST OF GLOBAL PARAMETERS" +.PP +Here is a list of all global parameters. See the section of +each parameter for details. Note that some are synonyms. +.TP 0.2i +\(bu +\fIadd user script\fR +.TP 0.2i +\(bu +\fIallow trusted domains\fR +.TP 0.2i +\(bu +\fIannounce as\fR +.TP 0.2i +\(bu +\fIannounce version\fR +.TP 0.2i +\(bu +\fIauto services\fR +.TP 0.2i +\(bu +\fIbind interfaces only\fR +.TP 0.2i +\(bu +\fIbrowse list\fR +.TP 0.2i +\(bu +\fIchange notify timeout\fR +.TP 0.2i +\(bu +\fIcharacter set\fR +.TP 0.2i +\(bu +\fIclient code page\fR +.TP 0.2i +\(bu +\fIcoding system\fR +.TP 0.2i +\(bu +\fIconfig file\fR +.TP 0.2i +\(bu +\fIdeadtime\fR +.TP 0.2i +\(bu +\fIdebug hires timestamp\fR +.TP 0.2i +\(bu +\fIdebug pid\fR +.TP 0.2i +\(bu +\fIdebug timestamp\fR +.TP 0.2i +\(bu +\fIdebug uid\fR +.TP 0.2i +\(bu +\fIdebug level\fR +.TP 0.2i +\(bu +\fIdefault\fR +.TP 0.2i +\(bu +\fIdefault service\fR +.TP 0.2i +\(bu +\fIdelete user script\fR +.TP 0.2i +\(bu +\fIdfree command\fR +.TP 0.2i +\(bu +\fIdns proxy\fR +.TP 0.2i +\(bu +\fIdomain admin group\fR +.TP 0.2i +\(bu +\fIdomain admin users\fR +.TP 0.2i +\(bu +\fIdomain groups\fR +.TP 0.2i +\(bu +\fIdomain guest group\fR +.TP 0.2i +\(bu +\fIdomain guest users\fR +.TP 0.2i +\(bu +\fIdomain logons\fR +.TP 0.2i +\(bu +\fIdomain master\fR +.TP 0.2i +\(bu +\fIencrypt passwords\fR +.TP 0.2i +\(bu +\fIgetwd cache\fR +.TP 0.2i +\(bu +\fIhide local users\fR +.TP 0.2i +\(bu +\fIhomedir map\fR +.TP 0.2i +\(bu +\fIhosts equiv\fR +.TP 0.2i +\(bu +\fIinterfaces\fR +.TP 0.2i +\(bu +\fIkeepalive\fR +.TP 0.2i +\(bu +\fIkernel oplocks\fR +.TP 0.2i +\(bu +\fIlm announce\fR +.TP 0.2i +\(bu +\fIlm interval\fR +.TP 0.2i +\(bu +\fIload printers\fR +.TP 0.2i +\(bu +\fIlocal master\fR +.TP 0.2i +\(bu +\fIlock dir\fR +.TP 0.2i +\(bu +\fIlock directory\fR +.TP 0.2i +\(bu +\fIlog file\fR +.TP 0.2i +\(bu +\fIlog level\fR +.TP 0.2i +\(bu +\fIlogon drive\fR +.TP 0.2i +\(bu +\fIlogon home\fR +.TP 0.2i +\(bu +\fIlogon path\fR +.TP 0.2i +\(bu +\fIlogon script\fR +.TP 0.2i +\(bu +\fIlpq cache time\fR +.TP 0.2i +\(bu +\fImachine password timeout\fR +.TP 0.2i +\(bu +\fImangled stack\fR +.TP 0.2i +\(bu +\fImap to guest\fR +.TP 0.2i +\(bu +\fImax disk size\fR +.TP 0.2i +\(bu +\fImax log size\fR +.TP 0.2i +\(bu +\fImax mux\fR +.TP 0.2i +\(bu +\fImax open files\fR +.TP 0.2i +\(bu +\fImax packet\fR +.TP 0.2i +\(bu +\fImax ttl\fR +.TP 0.2i +\(bu +\fImax wins ttl\fR +.TP 0.2i +\(bu +\fImax xmit\fR +.TP 0.2i +\(bu +\fImessage command\fR +.TP 0.2i +\(bu +\fImin passwd length\fR +.TP 0.2i +\(bu +\fImin password length\fR +.TP 0.2i +\(bu +\fImin wins ttl\fR +.TP 0.2i +\(bu +\fIname resolve order\fR +.TP 0.2i +\(bu +\fInetbios aliases\fR +.TP 0.2i +\(bu +\fInetbios name\fR +.TP 0.2i +\(bu +\fInetbios scope\fR +.TP 0.2i +\(bu +\fInis homedir\fR +.TP 0.2i +\(bu +\fInt acl support\fR +.TP 0.2i +\(bu +\fInt pipe support\fR +.TP 0.2i +\(bu +\fInt smb support\fR +.TP 0.2i +\(bu +\fInull passwords\fR +.TP 0.2i +\(bu +\fIole locking compatibility\fR +.TP 0.2i +\(bu +\fIoplock break wait time\fR +.TP 0.2i +\(bu +\fIos level\fR +.TP 0.2i +\(bu +\fIpanic action\fR +.TP 0.2i +\(bu +\fIpasswd chat\fR +.TP 0.2i +\(bu +\fIpasswd chat debug\fR +.TP 0.2i +\(bu +\fIpasswd program\fR +.TP 0.2i +\(bu +\fIpassword level\fR +.TP 0.2i +\(bu +\fIpassword server\fR +.TP 0.2i +\(bu +\fIprefered master\fR +.TP 0.2i +\(bu +\fIpreferred master\fR +.TP 0.2i +\(bu +\fIpreload\fR +.TP 0.2i +\(bu +\fIprintcap\fR +.TP 0.2i +\(bu +\fIprintcap name\fR +.TP 0.2i +\(bu +\fIprinter driver file\fR +.TP 0.2i +\(bu +\fIprivate dir\fR +.TP 0.2i +\(bu +\fIprotocol\fR +.TP 0.2i +\(bu +\fIread bmpx\fR +.TP 0.2i +\(bu +\fIread prediction\fR +.TP 0.2i +\(bu +\fIread raw\fR +.TP 0.2i +\(bu +\fIread size\fR +.TP 0.2i +\(bu +\fIremote announce\fR +.TP 0.2i +\(bu +\fIremote browse sync\fR +.TP 0.2i +\(bu +\fIrestrict anonymous\fR +.TP 0.2i +\(bu +\fIroot\fR +.TP 0.2i +\(bu +\fIroot dir\fR +.TP 0.2i +\(bu +\fIroot directory\fR +.TP 0.2i +\(bu +\fIsecurity\fR +.TP 0.2i +\(bu +\fIserver string\fR +.TP 0.2i +\(bu +\fIshared mem size\fR +.TP 0.2i +\(bu +\fIsmb passwd file\fR +.TP 0.2i +\(bu +\fIsmbrun\fR +.TP 0.2i +\(bu +\fIsocket address\fR +.TP 0.2i +\(bu +\fIsocket options\fR +.TP 0.2i +\(bu +\fIsource environment\fR +.TP 0.2i +\(bu +\fIssl\fR +.TP 0.2i +\(bu +\fIssl CA certDir\fR +.TP 0.2i +\(bu +\fIssl CA certFile\fR +.TP 0.2i +\(bu +\fIssl ciphers\fR +.TP 0.2i +\(bu +\fIssl client cert\fR +.TP 0.2i +\(bu +\fIssl client key\fR +.TP 0.2i +\(bu +\fIssl compatibility\fR +.TP 0.2i +\(bu +\fIssl hosts\fR +.TP 0.2i +\(bu +\fIssl hosts resign\fR +.TP 0.2i +\(bu +\fIssl require clientcert\fR +.TP 0.2i +\(bu +\fIssl require servercert\fR +.TP 0.2i +\(bu +\fIssl server cert\fR +.TP 0.2i +\(bu +\fIssl server key\fR +.TP 0.2i +\(bu +\fIssl version\fR +.TP 0.2i +\(bu +\fIstat cache\fR +.TP 0.2i +\(bu +\fIstat cache size\fR +.TP 0.2i +\(bu +\fIstrip dot\fR +.TP 0.2i +\(bu +\fIsyslog\fR +.TP 0.2i +\(bu +\fIsyslog only\fR +.TP 0.2i +\(bu +\fItemplate homedir\fR +.TP 0.2i +\(bu +\fItemplate shell\fR +.TP 0.2i +\(bu +\fItime offset\fR +.TP 0.2i +\(bu +\fItime server\fR +.TP 0.2i +\(bu +\fItimestamp logs\fR +.TP 0.2i +\(bu +\fIunix password sync\fR +.TP 0.2i +\(bu +\fIunix realname\fR +.TP 0.2i +\(bu +\fIupdate encrypted\fR +.TP 0.2i +\(bu +\fIuse rhosts\fR +.TP 0.2i +\(bu +\fIusername level\fR +.TP 0.2i +\(bu +\fIusername map\fR +.TP 0.2i +\(bu +\fIutmp directory\fR +.TP 0.2i +\(bu +\fIvalid chars\fR +.TP 0.2i +\(bu +\fIwinbind cache time\fR +.TP 0.2i +\(bu +\fIwinbind gid\fR +.TP 0.2i +\(bu +\fIwinbind uid\fR +.TP 0.2i +\(bu +\fIwins hook\fR +.TP 0.2i +\(bu +\fIwins proxy\fR +.TP 0.2i +\(bu +\fIwins server\fR +.TP 0.2i +\(bu +\fIwins support\fR +.TP 0.2i +\(bu +\fIworkgroup\fR +.TP 0.2i +\(bu +\fIwrite raw\fR +.SH "COMPLETE LIST OF SERVICE PARAMETERS" +.PP +Here is a list of all service parameters. See the section of +each parameter for details. Note that some are synonyms. +.TP 0.2i +\(bu +\fIadmin users\fR +.TP 0.2i +\(bu +\fIallow hosts\fR +.TP 0.2i +\(bu +\fIalternate permissions\fR +.TP 0.2i +\(bu +\fIavailable\fR +.TP 0.2i +\(bu +\fIblocking locks\fR +.TP 0.2i +\(bu +\fIbrowsable\fR +.TP 0.2i +\(bu +\fIbrowseable\fR +.TP 0.2i +\(bu +\fIcase sensitive\fR +.TP 0.2i +\(bu +\fIcasesignames\fR +.TP 0.2i +\(bu +\fIcomment\fR +.TP 0.2i +\(bu +\fIcopy\fR +.TP 0.2i +\(bu +\fIcreate mask\fR +.TP 0.2i +\(bu +\fIcreate mode\fR +.TP 0.2i +\(bu +\fIdefault case\fR +.TP 0.2i +\(bu +\fIdelete readonly\fR +.TP 0.2i +\(bu +\fIdelete veto files\fR +.TP 0.2i +\(bu +\fIdeny hosts\fR +.TP 0.2i +\(bu +\fIdirectory\fR +.TP 0.2i +\(bu +\fIdirectory mask\fR +.TP 0.2i +\(bu +\fIdirectory mode\fR +.TP 0.2i +\(bu +\fIdirectory security mask\fR +.TP 0.2i +\(bu +\fIdont descend\fR +.TP 0.2i +\(bu +\fIdos filetime resolution\fR +.TP 0.2i +\(bu +\fIdos filetimes\fR +.TP 0.2i +\(bu +\fIexec\fR +.TP 0.2i +\(bu +\fIfake directory create times\fR +.TP 0.2i +\(bu +\fIfake oplocks\fR +.TP 0.2i +\(bu +\fIfollow symlinks\fR +.TP 0.2i +\(bu +\fIforce create mode\fR +.TP 0.2i +\(bu +\fIforce directory mode\fR +.TP 0.2i +\(bu +\fIforce directory security mode\fR +.TP 0.2i +\(bu +\fIforce group\fR +.TP 0.2i +\(bu +\fIforce security mode\fR +.TP 0.2i +\(bu +\fIforce user\fR +.TP 0.2i +\(bu +\fIfstype\fR +.TP 0.2i +\(bu +\fIgroup\fR +.TP 0.2i +\(bu +\fIguest account\fR +.TP 0.2i +\(bu +\fIguest ok\fR +.TP 0.2i +\(bu +\fIguest only\fR +.TP 0.2i +\(bu +\fIhide dot files\fR +.TP 0.2i +\(bu +\fIhide files\fR +.TP 0.2i +\(bu +\fIhosts allow\fR +.TP 0.2i +\(bu +\fIhosts deny\fR +.TP 0.2i +\(bu +\fIinclude\fR +.TP 0.2i +\(bu +\fIinherit permissions\fR +.TP 0.2i +\(bu +\fIinvalid users\fR +.TP 0.2i +\(bu +\fIlevel2 oplocks\fR +.TP 0.2i +\(bu +\fIlocking\fR +.TP 0.2i +\(bu +\fIlppause command\fR +.TP 0.2i +\(bu +\fIlpq command\fR +.TP 0.2i +\(bu +\fIlpresume command\fR +.TP 0.2i +\(bu +\fIlprm command\fR +.TP 0.2i +\(bu +\fImagic output\fR +.TP 0.2i +\(bu +\fImagic script\fR +.TP 0.2i +\(bu +\fImangle case\fR +.TP 0.2i +\(bu +\fImangle locks\fR +.TP 0.2i +\(bu +\fImangled map\fR +.TP 0.2i +\(bu +\fImangled names\fR +.TP 0.2i +\(bu +\fImangling char\fR +.TP 0.2i +\(bu +\fImap archive\fR +.TP 0.2i +\(bu +\fImap hidden\fR +.TP 0.2i +\(bu +\fImap system\fR +.TP 0.2i +\(bu +\fImax connections\fR +.TP 0.2i +\(bu +\fImin print space\fR +.TP 0.2i +\(bu +\fIonly guest\fR +.TP 0.2i +\(bu +\fIonly user\fR +.TP 0.2i +\(bu +\fIoplock contention limit\fR +.TP 0.2i +\(bu +\fIoplocks\fR +.TP 0.2i +\(bu +\fIpath\fR +.TP 0.2i +\(bu +\fIpostexec\fR +.TP 0.2i +\(bu +\fIpostscript\fR +.TP 0.2i +\(bu +\fIpreexec\fR +.TP 0.2i +\(bu +\fIpreexec close\fR +.TP 0.2i +\(bu +\fIpreserve case\fR +.TP 0.2i +\(bu +\fIprint command\fR +.TP 0.2i +\(bu +\fIprint ok\fR +.TP 0.2i +\(bu +\fIprintable\fR +.TP 0.2i +\(bu +\fIprinter\fR +.TP 0.2i +\(bu +\fIprinter admin\fR +.TP 0.2i +\(bu +\fIprinter driver\fR +.TP 0.2i +\(bu +\fIprinter driver location\fR +.TP 0.2i +\(bu +\fIprinter name\fR +.TP 0.2i +\(bu +\fIprinting\fR +.TP 0.2i +\(bu +\fIpublic\fR +.TP 0.2i +\(bu +\fIqueuepause command\fR +.TP 0.2i +\(bu +\fIqueueresume command\fR +.TP 0.2i +\(bu +\fIread list\fR +.TP 0.2i +\(bu +\fIread only\fR +.TP 0.2i +\(bu +\fIroot postexec\fR +.TP 0.2i +\(bu +\fIroot preexec\fR +.TP 0.2i +\(bu +\fIroot preexec close\fR +.TP 0.2i +\(bu +\fIsecurity mask\fR +.TP 0.2i +\(bu +\fIset directory\fR +.TP 0.2i +\(bu +\fIshare modes\fR +.TP 0.2i +\(bu +\fIshort preserve case\fR +.TP 0.2i +\(bu +\fIstatus\fR +.TP 0.2i +\(bu +\fIstrict locking\fR +.TP 0.2i +\(bu +\fIstrict sync\fR +.TP 0.2i +\(bu +\fIsync always\fR +.TP 0.2i +\(bu +\fIuser\fR +.TP 0.2i +\(bu +\fIusername\fR +.TP 0.2i +\(bu +\fIusers\fR +.TP 0.2i +\(bu +\fIutmp\fR +.TP 0.2i +\(bu +\fIvalid users\fR +.TP 0.2i +\(bu +\fIveto files\fR +.TP 0.2i +\(bu +\fIveto oplock files\fR +.TP 0.2i +\(bu +\fIvolume\fR +.TP 0.2i +\(bu +\fIwide links\fR +.TP 0.2i +\(bu +\fIwritable\fR +.TP 0.2i +\(bu +\fIwrite cache size\fR +.TP 0.2i +\(bu +\fIwrite list\fR +.TP 0.2i +\(bu +\fIwrite ok\fR +.TP 0.2i +\(bu +\fIwriteable\fR +.SH "EXPLANATION OF EACH PARAMETER" +.TP +\fBadd user script (G)\fR +This is the full pathname to a script that will +be run \fBAS ROOT\fR by smbd(8) + under special circumstances decribed below. + +Normally, a Samba server requires that UNIX users are +created for all users accessing files on this server. For sites +that use Windows NT account databases as their primary user database +creating these users and keeping the user list in sync with the +Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users +\fBON DEMAND\fR when a user accesses the Samba server. + +In order to use this option, smbd +must be set to \fIsecurity=server\fR or \fI security=domain\fR and \fIadd user script\fR +must be set to a full pathname for a script that will create a UNIX +user given one argument of \fI%u\fR, which expands into +the UNIX user name to create. + +When the Windows user attempts to access the Samba server, +at login (session setup in the SMB protocol) time, smbd contacts the \fIpassword server\fR and +attempts to authenticate the given user with the given password. If the +authentication succeeds then smbd +attempts to find a UNIX user in the UNIX password database to map the +Windows user into. If this lookup fails, and \fIadd user script +\fRis set then smbd will +call the specified script \fBAS ROOT\fR, expanding +any \fI%u\fR argument to be the user name to create. + +If this script successfully creates the user then smbd will continue on as though the UNIX user +already existed. In this way, UNIX users are dynamically created to +match existing Windows NT accounts. + +See also \fI security\fR , \fIpassword server\fR , \fIdelete user +script\fR . + +Default: \fBadd user script = +\fR +Example: \fBadd user script = /usr/local/samba/bin/add_user +%u\fR +.TP +\fBadmin users (S)\fR +This is a list of users who will be granted +administrative privileges on the share. This means that they +will do all file operations as the super-user (root). + +You should use this option very carefully, as any user in +this list will be able to do anything they like on the share, +irrespective of file permissions. + +Default: \fBno admin users\fR + +Example: \fBadmin users = jason\fR +.TP +\fBallow hosts (S)\fR +Synonym for \fIhosts allow\fR . +.TP +\fBallow trusted domains (G)\fR +This option only takes effect when the security option is set to +\fIserver\fR or \fIdomain\fR. +If it is set to no, then attempts to connect to a resource from +a domain or workgroup other than the one which smbd is running +in will fail, even if that domain is trusted by the remote server +doing the authentication. + +This is useful if you only want your Samba server to +serve resources to users in the domain it is a member of. As +an example, suppose that there are two domains DOMA and DOMB. DOMB +is trusted by DOMA, which contains the Samba server. Under normal +circumstances, a user with an account in DOMB can then access the +resources of a UNIX account with the same account name on the +Samba server even if they do not have an account in DOMA. This +can make implementing a security boundary difficult. + +Default: \fBallow trusted domains = yes\fR +.TP +\fBannounce as (G)\fR +This specifies what type of server +\fBnmbd\fR +will announce itself as, to a network neighborhood browse +list. By default this is set to Windows NT. The valid options +are : "NT" (which is a synonym for "NT Server"), "NT Server", +"NT Workstation", "Win95" or "WfW" meaning Windows NT Server, +Windows NT Workstation, Windows 95 and Windows for Workgroups +respectively. Do not change this parameter unless you have a +specific need to stop Samba appearing as an NT server as this +may prevent Samba servers from participating as browser servers +correctly. + +Default: \fBannounce as = NT Server\fR + +Example: \fBannounce as = Win95\fR +.TP +\fBannouce version (G)\fR +This specifies the major and minor version numbers +that nmbd will use when announcing itself as a server. The default +is 4.2. Do not change this parameter unless you have a specific +need to set a Samba server to be a downlevel server. + +Default: \fBannounce version = 4.2\fR + +Example: \fBannounce version = 2.0\fR +.TP +\fBauto services (G)\fR +This is a list of services that you want to be +automatically added to the browse lists. This is most useful +for homes and printers services that would otherwise not be +visible. + +Note that if you just want all printers in your +printcap file loaded then the \fIload printers\fR option is easier. + +Default: \fBno auto services\fR + +Example: \fBauto services = fred lp colorlp\fR +.TP +\fBavailable (S)\fR +This parameter lets you "turn off" a service. If +\fIavailable = no\fR, then \fBALL\fR +attempts to connect to the service will fail. Such failures are +logged. + +Default: \fBavailable = yes\fR +.TP +\fBbind interfaces only (G)\fR +This global parameter allows the Samba admin +to limit what interfaces on a machine will serve smb requests. If +affects file service smbd(8) and +name service nmbd(8) in slightly +different ways. + +For name service it causes \fBnmbd\fR to bind +to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd +\fRalso binds to the "all addresses" interface (0.0.0.0) +on ports 137 and 138 for the purposes of reading broadcast messages. +If this option is not set then \fBnmbd\fR will service +name requests on all of these sockets. If \fIbind interfaces +only\fR is set then \fBnmbd\fR will check the +source address of any packets coming in on the broadcast sockets +and discard any that don't match the broadcast addresses of the +interfaces in the \fIinterfaces\fR parameter list. +As unicast packets are received on the other sockets it allows +\fBnmbd\fR to refuse to serve names to machines that +send packets that arrive through any interfaces not listed in the +\fIinterfaces\fR list. IP Source address spoofing +does defeat this simple check, however so it must not be used +seriously as a security feature for \fBnmbd\fR. + +For file service it causes smbd(8) +to bind only to the interface list given in the interfaces parameter. This restricts the networks that +\fBsmbd\fR will serve to packets coming in those +interfaces. Note that you should not use this parameter for machines +that are serving PPP or other intermittent or non-broadcast network +interfaces as it will not cope with non-permanent interfaces. + +If \fIbind interfaces only\fR is set then +unless the network address \fB127.0.0.1\fR is added +to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR +and \fBswat(8)\fR may +not work as expected due to the reasons covered below. + +To change a users SMB password, the \fBsmbpasswd\fR +by default connects to the \fBlocalhost - 127.0.0.1\fR +address as an SMB client to issue the password change request. If +\fIbind interfaces only\fR is set then unless the +network address \fB127.0.0.1\fR is added to the +\fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode. +\fBsmbpasswd\fR can be forced to use the primary IP interface +of the local host by using its \fI-r remote machine\fR + parameter, with \fIremote machine\fR set +to the IP name of the primary interface of the local host. + +The \fBswat\fR status page tries to connect with +\fBsmbd\fR and \fBnmbd\fR at the address +\fB127.0.0.1\fR to determine if they are running. +Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show +"not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR +and \fBnmbd\fR. + +Default: \fBbind interfaces only = no\fR +.TP +\fBblocking locks (S)\fR +This parameter controls the behavior of smbd(8) when given a request by a client +to obtain a byte range lock on a region of an open file, and the +request has a time limit associated with it. + +If this parameter is set and the lock range requested +cannot be immediately satisfied, Samba 2.2 will internally +queue the lock request, and periodically attempt to obtain +the lock until the timeout period expires. + +If this parameter is set to False, then +Samba 2.2 will behave as previous versions of Samba would and +will fail the lock request immediately if the lock range +cannot be obtained. + +Default: \fBblocking locks = yes\fR +.TP +\fBbrowsable (S)\fR +See the \fI browseable\fR. +.TP +\fBbrowse list (G)\fR +This controls whether \fBsmbd(8)\fR will serve a browse list to +a client doing a \fBNetServerEnum\fR call. Normally +set to true. You should never need to change +this. + +Default: \fBbrowse list = yes\fR +.TP +\fBbrowseable (S)\fR +This controls whether this share is seen in +the list of available shares in a net view and in the browse list. + +Default: \fBbrowseable = yes\fR +.TP +\fBcase sensitive (S)\fR +See the discussion in the section NAME MANGLING. +.TP +\fBcasesignames (S)\fR +Synonym for case +sensitive. +.TP +\fBchange notify timeout (G)\fR +This SMB allows a client to tell a server to +"watch" a particular directory for any changes and only reply to +the SMB request when a change has occurred. Such constant scanning of +a directory is expensive under UNIX, hence an \fBsmbd(8)\fR daemon only performs such a scan +on each requested directory once every \fIchange notify +timeout\fR seconds. + +Default: \fBchange notify timeout = 60\fR + +Example: \fBchange notify timeout = 300\fR + +Would change the scan time to every 5 minutes. +.TP +\fBcharacter set (G)\fR +This allows a smbd to map incoming filenames +from a DOS Code page (see the client +code page parameter) to several built in UNIX character sets. +The built in code page translations are: +.RS +.TP 0.2i +\(bu +ISO8859-1 : Western European +UNIX character set. The parameter \fIclient code page\fR +\fBMUST\fR be set to code page 850 if the +\fIcharacter set\fR parameter is set to +ISO8859-1 in order for the conversion to the +UNIX character set to be done correctly. +.TP 0.2i +\(bu +ISO8859-2 : Eastern European +UNIX character set. The parameter \fIclient code page +\fR\fBMUST\fR be set to code page 852 if +the \fI character set\fR parameter is set +to ISO8859-2 in order for the conversion +to the UNIX character set to be done correctly. +.TP 0.2i +\(bu +ISO8859-5 : Russian Cyrillic +UNIX character set. The parameter \fIclient code page +\fR\fBMUST\fR be set to code page +866 if the \fIcharacter set \fR parameter is +set to ISO8859-5 in order for the conversion +to the UNIX character set to be done correctly. +.TP 0.2i +\(bu +ISO8859-7 : Greek UNIX +character set. The parameter \fIclient code page +\fR\fBMUST\fR be set to code page +737 if the \fIcharacter set\fR parameter is +set to ISO8859-7 in order for the conversion +to the UNIX character set to be done correctly. +.TP 0.2i +\(bu +KOI8-R : Alternate mapping +for Russian Cyrillic UNIX character set. The parameter +\fIclient code page\fR \fBMUST\fR +be set to code page 866 if the \fIcharacter set\fR +parameter is set to KOI8-R in order for the +conversion to the UNIX character set to be done correctly. +.RE +.PP +\fBBUG\fR. These MSDOS code page to UNIX character +set mappings should be dynamic, like the loading of MS DOS code pages, +not static. +.PP +.PP +Normally this parameter is not set, meaning no filename +translation is done. +.PP +.PP +Default: \fBcharacter set = \fR +.PP +.PP +Example: \fBcharacter set = ISO8859-1\fR +.PP +.TP +\fBclient code page (G)\fR +This parameter specifies the DOS code page +that the clients accessing Samba are using. To determine what code +page a Windows or DOS client is using, open a DOS command prompt +and type the command \fBchcp\fR. This will output +the code page. The default for USA MS-DOS, Windows 95, and +Windows NT releases is code page 437. The default for western +european releases of the above operating systems is code page 850. + +This parameter tells smbd(8) +which of the \fIcodepage.XXX +\fRfiles to dynamically load on startup. These files, +described more fully in the manual page \fBmake_smbcodepage(1)\fR , tell \fB smbd\fR how to map lower to upper case characters to provide +the case insensitivity of filenames that Windows clients expect. + +Samba currently ships with the following code page files : +.RS +.TP 0.2i +\(bu +Code Page 437 - MS-DOS Latin US +.TP 0.2i +\(bu +Code Page 737 - Windows '95 Greek +.TP 0.2i +\(bu +Code Page 850 - MS-DOS Latin 1 +.TP 0.2i +\(bu +Code Page 852 - MS-DOS Latin 2 +.TP 0.2i +\(bu +Code Page 861 - MS-DOS Icelandic +.TP 0.2i +\(bu +Code Page 866 - MS-DOS Cyrillic +.TP 0.2i +\(bu +Code Page 932 - MS-DOS Japanese SJIS +.TP 0.2i +\(bu +Code Page 936 - MS-DOS Simplified Chinese +.TP 0.2i +\(bu +Code Page 949 - MS-DOS Korean Hangul +.TP 0.2i +\(bu +Code Page 950 - MS-DOS Traditional Chinese +.RE +.PP +Thus this parameter may have any of the values 437, 737, 850, 852, +861, 932, 936, 949, or 950. If you don't find the codepage you need, +read the comments in one of the other codepage files and the +\fBmake_smbcodepage(1)\fR man page and write one. Please +remember to donate it back to the Samba user community. +.PP +.PP +This parameter co-operates with the \fIvalid +chars\fR parameter in determining what characters are +valid in filenames and how capitalization is done. If you set both +this parameter and the \fIvalid chars\fR parameter +the \fIclient code page\fR parameter +\fBMUST\fR be set before the \fIvalid +chars\fR parameter in the \fIsmb.conf\fR +file. The \fIvalid chars\fR string will then +augment the character settings in the \fIclient code page\fR +parameter. +.PP +.PP +If not set, \fIclient code page\fR defaults +to 850. +.PP +.PP +See also : \fIvalid +chars\fR +.PP +.PP +Default: \fBclient code page = 850\fR +.PP +.PP +Example: \fBclient code page = 936\fR +.PP +.TP +\fBcodingsystem (G)\fR +This parameter is used to determine how incoming +Shift-JIS Japanese characters are mapped from the incoming \fIclient code page\fR +used by the client, into file names in the UNIX filesystem. +Only useful if \fIclient code page\fR is set to +932 (Japanese Shift-JIS). The options are : +.RS +.TP 0.2i +\(bu +SJIS - Shift-JIS. Does no +conversion of the incoming filename. +.TP 0.2i +\(bu +JIS8, J8BB, J8BH, J8@B, +J8@J, J8@H - Convert from incoming Shift-JIS to eight +bit JIS code with different shift-in, shift out codes. +.TP 0.2i +\(bu +JIS7, J7BB, J7BH, J7@B, J7@J, +J7@H - Convert from incoming Shift-JIS to seven bit +JIS code with different shift-in, shift out codes. +.TP 0.2i +\(bu +JUNET, JUBB, JUBH, JU@B, JU@J, JU@H +- Convert from incoming Shift-JIS to JUNET code with different shift-in, +shift out codes. +.TP 0.2i +\(bu +EUC - Convert an incoming +Shift-JIS character to EUC code. +.TP 0.2i +\(bu +HEX - Convert an incoming +Shift-JIS character to a 3 byte hex representation, i.e. +:AB. +.TP 0.2i +\(bu +CAP - Convert an incoming +Shift-JIS character to the 3 byte hex representation used by +the Columbia AppleTalk Program (CAP), i.e. :AB. +This is used for compatibility between Samba and CAP. +.RE +.PP +.TP +\fBcomment (S)\fR +This is a text field that is seen next to a share +when a client does a queries the server, either via the network +neighborhood or via \fBnet view\fR to list what shares +are available. + +If you want to set the string that is displayed next to the +machine name then see the \fI server string\fR parameter. + +Default: \fBNo comment string\fR + +Example: \fBcomment = Fred's Files\fR +.TP +\fBconfig file (G)\fR +This allows you to override the config file +to use, instead of the default (usually \fIsmb.conf\fR). +There is a chicken and egg problem here as this option is set +in the config file! + +For this reason, if the name of the config file has changed +when the parameters are loaded then it will reload them from +the new config file. + +This option takes the usual substitutions, which can +be very useful. + +If the config file doesn't exist then it won't be loaded +(allowing you to special case the config files of just a few +clients). + +Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m +\fR.TP +\fBcopy (S)\fR +This parameter allows you to "clone" service +entries. The specified service is simply duplicated under the +current service's name. Any parameters specified in the current +section will override those in the section being copied. + +This feature lets you set up a 'template' service and +create similar services easily. Note that the service being +copied must occur earlier in the configuration file than the +service doing the copying. + +Default: \fBnone\fR + +Example: \fBcopy = otherservice\fR +.TP +\fBcreate mask (S)\fR +A synonym for this parameter is +\fIcreate mode\fR +\&. + +When a file is created, the necessary permissions are +calculated according to the mapping from DOS modes to UNIX +permissions, and the resulting UNIX mode is then bit-wise 'AND'ed +with this parameter. This parameter may be thought of as a bit-wise +MASK for the UNIX modes of a file. Any bit \fBnot\fR +set here will be removed from the modes set on a file when it is +created. + +The default value of this parameter removes the +\&'group' and 'other' write and execute bits from the UNIX modes. + +Following this Samba will bit-wise 'OR' the UNIX mode created +from this parameter with the value of the \fIforce create mode\fR +parameter which is set to 000 by default. + +This parameter does not affect directory modes. See the +parameter \fIdirectory mode +\fRfor details. + +See also the \fIforce +create mode\fR parameter for forcing particular mode +bits to be set on created files. See also the \fIdirectory mode"\fR parameter for masking +mode bits on created directories. See also the \fIinherit permissions\fR parameter. + +Default: \fBcreate mask = 0744\fR + +Example: \fBcreate mask = 0775\fR +.TP +\fBcreate mode (S)\fR +This is a synonym for \fI create mask\fR. +.TP +\fBdeadtime (G)\fR +The value of the parameter (a decimal integer) +represents the number of minutes of inactivity before a connection +is considered dead, and it is disconnected. The deadtime only takes +effect if the number of open files is zero. + +This is useful to stop a server's resources being +exhausted by a large number of inactive connections. + +Most clients have an auto-reconnect feature when a +connection is broken so in most cases this parameter should be +transparent to users. + +Using this parameter with a timeout of a few minutes +is recommended for most systems. + +A deadtime of zero indicates that no auto-disconnection +should be performed. + +Default: \fBdeadtime = 0\fR + +Example: \fBdeadtime = 15\fR +.TP +\fBdebug hires timestamp (G)\fR +Sometimes the timestamps in the log messages +are needed with a resolution of higher that seconds, this +boolean parameter adds microsecond resolution to the timestamp +message header when turned on. + +Note that the parameter \fI debug timestamp\fR must be on for this to have an +effect. + +Default: \fBdebug hires timestamp = no\fR +.TP +\fBdebug timestamp (G)\fR +Samba 2.2 debug log messages are timestamped +by default. If you are running at a high \fIdebug level\fR these timestamps +can be distracting. This boolean parameter allows timestamping +to be turned off. + +Default: \fBdebug timestamp = yes\fR +.TP +\fBdebug pid (G)\fR +When using only one log file for more then one +forked smbd-process there may be hard to follow which process +outputs which message. This boolean parameter is adds the process-id +to the timestamp message headers in the logfile when turned on. + +Note that the parameter \fI debug timestamp\fR must be on for this to have an +effect. + +Default: \fBdebug pid = no\fR +.TP +\fBdebug uid (G)\fR +Samba is sometimes run as root and sometime +run as the connected user, this boolean parameter inserts the +current euid, egid, uid and gid to the timestamp message headers +in the log file if turned on. + +Note that the parameter \fI debug timestamp\fR must be on for this to have an +effect. + +Default: \fBdebug uid = no\fR +.TP +\fBdebug level (G)\fR +The value of the parameter (an integer) allows +the debug level (logging level) to be specified in the +\fIsmb.conf\fR file. This is to give greater +flexibility in the configuration of the system. + +The default will be the debug level specified on +the command line or level zero if none was specified. + +Example: \fBdebug level = 3\fR +.TP +\fBdefault (G)\fR +A synonym for \fI default service\fR. +.TP +\fBdefault case (S)\fR +See the section on NAME MANGLING". Also note the \fIshort preserve case"\fR parameter. +.TP +\fBdefault service (G)\fR +This parameter specifies the name of a service +which will be connected to if the service actually requested cannot +be found. Note that the square brackets are \fBNOT\fR +given in the parameter value (see example below). + +There is no default value for this parameter. If this +parameter is not given, attempting to connect to a nonexistent +service results in an error. + +Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service. + +Also note that the apparent service name will be changed +to equal that of the requested service, this is very useful as it +allows you to use macros like \fI%S\fR to make +a wildcard service. + +Note also that any "_" characters in the name of the service +used in the default service will get mapped to a "/". This allows for +interesting things. + +Example: +.sp +.nf + default service = pub + + [pub] + path = /%S + +.sp +.fi +.TP +\fBdelete user script (G)\fR +This is the full pathname to a script that will +be run \fBAS ROOT\fR by \fBsmbd(8)\fR under special circumstances +decribed below. + +Normally, a Samba server requires that UNIX users are +created for all users accessing files on this server. For sites +that use Windows NT account databases as their primary user database +creating these users and keeping the user list in sync with the +Windows NT PDC is an onerous task. This option allows \fB smbd\fR to delete the required UNIX users \fBON +DEMAND\fR when a user accesses the Samba server and the +Windows NT user no longer exists. + +In order to use this option, \fBsmbd\fR must be +set to \fIsecurity=domain\fR and \fIdelete +user script\fR must be set to a full pathname for a script +that will delete a UNIX user given one argument of \fI%u +\fR, which expands into the UNIX user name to delete. +\fBNOTE\fR that this is different to the \fIadd user script\fR +which will work with the \fIsecurity=server\fR option +as well as \fIsecurity=domain\fR. The reason for this +is only when Samba is a domain member does it get the information +on an attempted user logon that a user no longer exists. In the +\fIsecurity=server\fR mode a missing user +is treated the same as an invalid password logon attempt. Deleting +the user in this circumstance would not be a good idea. + +When the Windows user attempts to access the Samba server, +at \fBlogin\fR (session setup in the SMB protocol) +time, \fBsmbd\fR contacts the \fIpassword server\fR and attempts to authenticate +the given user with the given password. If the authentication fails +with the specific Domain error code meaning that the user no longer +exists then \fBsmbd\fR attempts to find a UNIX user in +the UNIX password database that matches the Windows user account. If +this lookup succeeds, and \fIdelete user script\fR is +set then \fBsmbd\fR will all the specified script +\fBAS ROOT\fR, expanding any \fI%u\fR +argument to be the user name to delete. + +This script should delete the given UNIX username. In this way, +UNIX users are dynamically deleted to match existing Windows NT +accounts. + +See also security=domain, +\fIpassword server\fR +, \fIadd user script\fR +\&. + +Default: \fBdelete user script = +\fR +Example: \fBdelete user script = /usr/local/samba/bin/del_user +%u\fR +.TP +\fBdelete readonly (S)\fR +This parameter allows readonly files to be deleted. +This is not normal DOS semantics, but is allowed by UNIX. + +This option may be useful for running applications such +as rcs, where UNIX file ownership prevents changing file +permissions, and DOS semantics prevent deletion of a read only file. + +Default: \fBdelete readonly = no\fR +.TP +\fBdelete veto files (S)\fR +This option is used when Samba is attempting to +delete a directory that contains one or more vetoed directories +(see the \fIveto files\fR +option). If this option is set to False (the default) then if a vetoed +directory contains any non-vetoed files or directories then the +directory delete will fail. This is usually what you want. + +If this option is set to True, then Samba +will attempt to recursively delete any files and directories within +the vetoed directory. This can be useful for integration with file +serving systems such as NetAtalk which create meta-files within +directories you might normally veto DOS/Windows users from seeing +(e.g. \fI.AppleDouble\fR) + +Setting \fBdelete veto files = yes\fR allows these +directories to be transparently deleted when the parent directory +is deleted (so long as the user has permissions to do so). + +See also the \fIveto +files\fR parameter. + +Default: \fBdelete veto files = no\fR +.TP +\fBdeny hosts (S)\fR +Synonym for \fIhosts +deny\fR. +.TP +\fBdfree command (G)\fR +The \fIdfree command\fR setting should +only be used on systems where a problem occurs with the internal +disk space calculations. This has been known to happen with Ultrix, +but may occur with other operating systems. The symptom that was +seen was an error of "Abort Retry Ignore" at the end of each +directory listing. + +This setting allows the replacement of the internal routines to +calculate the total disk space and amount available with an external +routine. The example below gives a possible script that might fulfill +this function. + +The external program will be passed a single parameter indicating +a directory in the filesystem being queried. This will typically consist +of the string \fI./\fR. The script should return two +integers in ascii. The first should be the total disk space in blocks, +and the second should be the number of available blocks. An optional +third return value can give the block size in bytes. The default +blocksize is 1024 bytes. + +Note: Your script should \fBNOT\fR be setuid or +setgid and should be owned by (and writeable only by) root! + +Default: \fBBy default internal routines for +determining the disk capacity and remaining space will be used. +\fR +Example: \fBdfree command = /usr/local/samba/bin/dfree +\fR +Where the script dfree (which must be made executable) could be: + +.sp +.nf + + #!/bin/sh + df $1 | tail -1 | awk '{print $2" "$4}' + +.sp +.fi + +or perhaps (on Sys V based systems): + +.sp +.nf + #!/bin/sh + /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' + +.sp +.fi + +Note that you may have to replace the command names +with full path names on some systems. +.TP +\fBdirectory (S)\fR +Synonym for \fIpath +\fR\&. +.TP +\fBdirectory mask (S)\fR +This parameter is the octal modes which are +used when converting DOS modes to UNIX modes when creating UNIX +directories. + +When a directory is created, the necessary permissions are +calculated according to the mapping from DOS modes to UNIX permissions, +and the resulting UNIX mode is then bit-wise 'AND'ed with this +parameter. This parameter may be thought of as a bit-wise MASK for +the UNIX modes of a directory. Any bit \fBnot\fR set +here will be removed from the modes set on a directory when it is +created. + +The default value of this parameter removes the 'group' +and 'other' write bits from the UNIX mode, allowing only the +user who owns the directory to modify it. + +Following this Samba will bit-wise 'OR' the UNIX mode +created from this parameter with the value of the \fIforce directory mode +\fRparameter. This parameter is set to 000 by +default (i.e. no extra mode bits are added). + +See the \fIforce +directory mode\fR parameter to cause particular mode +bits to always be set on created directories. + +See also the \fIcreate mode +\fRparameter for masking mode bits on created files, +and the \fIdirectory +security mask\fR parameter. + +Also refer to the \fI inherit permissions\fR parameter. + +Default: \fBdirectory mask = 0755\fR + +Example: \fBdirectory mask = 0775\fR +.TP +\fBdirectory mode (S)\fR +Synonym for \fI directory mask\fR +.TP +\fBdirectory security mask (S)\fR +This parameter controls what UNIX permission bits +can be modified when a Windows NT client is manipulating the UNIX +permission on a directory using the native NT security dialog +box. + +This parameter is applied as a mask (AND'ed with) to +the changed permission bits, thus preventing any bits not in +this mask from being modified. Essentially, zero bits in this +mask may be treated as a set of bits the user is not allowed +to change. + +If not set explicitly this parameter is set to the same +value as the \fIdirectory +mask\fR parameter. To allow a user to +modify all the user/group/world permissions on a directory, set +this parameter to 0777. + +\fBNote\fR that users who can access the +Samba server through other means can easily bypass this restriction, +so it is primarily useful for standalone "appliance" systems. +Administrators of most normal systems will probably want to set +it to 0777. + +See also the \fI force directory security mode\fR, \fIsecurity mask\fR, +\fIforce security mode +\fRparameters. + +Default: \fBdirectory security mask = \fR + +Example: \fBdirectory security mask = 0777\fR +.TP +\fBdns proxy (G)\fR +Specifies that nmbd(8) +when acting as a WINS server and finding that a NetBIOS name has not +been registered, should treat the NetBIOS name word-for-word as a DNS +name and do a lookup with the DNS server for that name on behalf of +the name-querying client. + +Note that the maximum length for a NetBIOS name is 15 +characters, so the DNS name (or DNS alias) can likewise only be +15 characters, maximum. + +\fBnmbd\fR spawns a second copy of itself to do the +DNS name lookup requests, as doing a name lookup is a blocking +action. + +See also the parameter \fI wins support\fR. + +Default: \fBdns proxy = yes\fR +.TP +\fBdomain admin group (G)\fR +This is an \fBEXPERIMENTAL\fR parameter +that is part of the unfinished Samba NT Domain Controller Code. It may +be removed in a later release. To work with the latest code builds +that may have more support for Samba NT Domain Controller functionality +please subscribe to the mailing list samba-ntdom available by +visiting the web page at http://lists.samba.org/ . +.TP +\fBdomain admin users (G)\fR +This is an \fBEXPERIMENTAL\fR parameter +that is part of the unfinished Samba NT Domain Controller Code. It may +be removed in a later release. To work with the latest code builds +that may have more support for Samba NT Domain Controller functionality +please subscribe to the mailing list samba-ntdom available by +visiting the web page at http://lists.samba.org/ . +.TP +\fBdomain groups (G)\fR +This is an \fBEXPERIMENTAL\fR parameter +that is part of the unfinished Samba NT Domain Controller Code. It may +be removed in a later release. To work with the latest code builds +that may have more support for Samba NT Domain Controller functionality +please subscribe to the mailing list samba-ntdom available by +visiting the web page at http://lists.samba.org/ . +.TP +\fBdomain guest group (G)\fR +This is an \fBEXPERIMENTAL\fR parameter +that is part of the unfinished Samba NT Domain Controller Code. It may +be removed in a later release. To work with the latest code builds +that may have more support for Samba NT Domain Controller functionality +please subscribe to the mailing list samba-ntdom available by +visiting the web page at http://lists.samba.org/ . +.TP +\fBdomain guest users (G)\fR +This is an \fBEXPERIMENTAL\fR parameter +that is part of the unfinished Samba NT Domain Controller Code. It may +be removed in a later release. To work with the latest code builds +that may have more support for Samba NT Domain Controller functionality +please subscribe to the mailing list samba-ntdom available by +visiting the web page at http://lists.samba.org/ . +.TP +\fBdomain logons (G)\fR +If set to true, the Samba server will serve +Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also +has limited capability to act as a domain controller for Windows +NT 4 Domains. For more details on setting up this feature see +the file DOMAINS.txt in the Samba documentation directory \fIdocs/ +\fRshipped with the source code. + +Default: \fBdomain logons = no\fR +.TP +\fBdomain master (G)\fR +Tell \fB nmbd(8)\fR to enable WAN-wide browse list +collation. Setting this option causes \fBnmbd\fR to +claim a special domain specific NetBIOS name that identifies +it as a domain master browser for its given \fIworkgroup\fR. Local master browsers +in the same \fIworkgroup\fR on broadcast-isolated +subnets will give this \fBnmbd\fR their local browse lists, +and then ask \fBsmbd(8)\fR +for a complete copy of the browse list for the whole wide area +network. Browser clients will then contact their local master browser, +and will receive the domain-wide browse list, instead of just the list +for their broadcast-isolated subnet. + +Note that Windows NT Primary Domain Controllers expect to be +able to claim this \fIworkgroup\fR specific special +NetBIOS name that identifies them as domain master browsers for +that \fIworkgroup\fR by default (i.e. there is no +way to prevent a Windows NT PDC from attempting to do this). This +means that if this parameter is set and \fBnmbd\fR claims +the special name for a \fIworkgroup\fR before a Windows +NT PDC is able to do so then cross subnet browsing will behave +strangely and may fail. + +Default: \fBdomain master = no\fR +.TP +\fBdont descend (S)\fR +There are certain directories on some systems +(e.g., the \fI/proc\fR tree under Linux) that are either not +of interest to clients or are infinitely deep (recursive). This +parameter allows you to specify a comma-delimited list of directories +that the server should always show as empty. + +Note that Samba can be very fussy about the exact format +of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR. +Experimentation is the best policy :-) + +Default: \fBnone (i.e., all directories are OK +to descend)\fR + +Example: \fBdont descend = /proc,/dev\fR +.TP +\fBdos filetime resolution (S)\fR +Under the DOS and Windows FAT filesystem, the finest +granularity on time resolution is two seconds. Setting this parameter +for a share causes Samba to round the reported time down to the +nearest two second boundary when a query call that requires one second +resolution is made to \fBsmbd(8)\fR + . + +This option is mainly used as a compatibility option for Visual +C++ when used against Samba shares. If oplocks are enabled on a +share, Visual C++ uses two different time reading calls to check if a +file has changed since it was last read. One of these calls uses a +one-second granularity, the other uses a two second granularity. As +the two second call rounds any odd second down, then if the file has a +timestamp of an odd number of seconds then the two timestamps will not +match and Visual C++ will keep reporting the file has changed. Setting +this option causes the two timestamps to match, and Visual C++ is +happy. + +Default: \fBdos filetime resolution = no\fR +.TP +\fBdos filetimes (S)\fR +Under DOS and Windows, if a user can write to a +file they can change the timestamp on it. Under POSIX semantics, +only the owner of the file or root may change the timestamp. By +default, Samba runs with POSIX semantics and refuses to change the +timestamp on a file if the user \fBsmbd\fR is acting +on behalf of is not the file owner. Setting this option to True allows DOS semantics and smbd will change the file +timestamp as DOS requires. + +Default: \fBdos filetimes = no\fR +.TP +\fBencrypt passwords (G)\fR +This boolean controls whether encrypted passwords +will be negotiated with the client. Note that Windows NT 4.0 SP3 and +above and also Windows 98 will by default expect encrypted passwords +unless a registry entry is changed. To use encrypted passwords in +Samba see the file ENCRYPTION.txt in the Samba documentation +directory \fIdocs/\fR shipped with the source code. + +In order for encrypted passwords to work correctly +\fBsmbd(8)\fR must either +have access to a local \fIsmbpasswd(5) +\fR file (see the \fB smbpasswd(8)\fR program for information on how to set up +and maintain this file), or set the security=[serve|domain] parameter which +causes \fBsmbd\fR to authenticate against another +server. + +Default: \fBencrypt passwords = no\fR +.TP +\fBexec (S)\fR +This is a synonym for \fIpreexec\fR. +.TP +\fBfake directory create times (S)\fR +NTFS and Windows VFAT file systems keep a create +time for all files and directories. This is not the same as the +ctime - status change time - that Unix keeps, so Samba by default +reports the earliest of the various times Unix does keep. Setting +this parameter for a share causes Samba to always report midnight +1-1-1980 as the create time for directories. + +This option is mainly used as a compatibility option for +Visual C++ when used against Samba shares. Visual C++ generated +makefiles have the object directory as a dependency for each object +file, and a make rule to create the directory. Also, when NMAKE +compares timestamps it uses the creation time when examining a +directory. Thus the object directory will be created if it does not +exist, but once it does exist it will always have an earlier +timestamp than the object files it contains. + +However, Unix time semantics mean that the create time +reported by Samba will be updated whenever a file is created or +deleted in the directory. NMAKE therefore finds all object files +in the object directory bar the last one built are out of date +compared to the directory and rebuilds them. Enabling this option +ensures directories always predate their contents and an NMAKE build +will proceed as expected. + +Default: \fBfake directory create times = no\fR +.TP +\fBfake oplocks (S)\fR +Oplocks are the way that SMB clients get permission +from a server to locally cache file operations. If a server grants +an oplock (opportunistic lock) then the client is free to assume +that it is the only one accessing the file and it will aggressively +cache file data. With some oplock types the client may even cache +file open/close operations. This can give enormous performance benefits. + +When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fR will +always grant oplock requests no matter how many clients are using +the file. + +It is generally much better to use the real \fIoplocks\fR support rather +than this parameter. + +If you enable this option on all read-only shares or +shares that you know will only be accessed from one client at a +time such as physically read-only media like CDROMs, you will see +a big performance improvement on many operations. If you enable +this option on shares where multiple clients may be accessing the +files read-write at the same time you can get data corruption. Use +this option carefully! + +Default: \fBfake oplocks = no\fR +.TP +\fBfollow symlinks (S)\fR +This parameter allows the Samba administrator +to stop \fBsmbd(8)\fR +from following symbolic links in a particular share. Setting this +parameter to no prevents any file or directory +that is a symbolic link from being followed (the user will get an +error). This option is very useful to stop users from adding a +symbolic link to \fI/etc/passwd\fR in their home +directory for instance. However it will slow filename lookups +down slightly. + +This option is enabled (i.e. \fBsmbd\fR will +follow symbolic links) by default. + +Default: \fBfollow symlinks = yes\fR +.TP +\fBforce create mode (S)\fR +This parameter specifies a set of UNIX mode bit +permissions that will \fBalways\fR be set on a +file by Samba. This is done by bitwise 'OR'ing these bits onto +the mode bits of a file that is being created or having its +permissions changed. The default for this parameter is (in octal) +000. The modes in this parameter are bitwise 'OR'ed onto the file +mode after the mask set in the \fIcreate mask\fR +parameter is applied. + +See also the parameter \fIcreate +mask\fR for details on masking mode bits on files. + +See also the \fIinherit +permissions\fR parameter. + +Default: \fBforce create mode = 000\fR + +Example: \fBforce create mode = 0755\fR + +would force all created files to have read and execute +permissions set for 'group' and 'other' as well as the +read/write/execute bits set for the 'user'. +.TP +\fBforce directory mode (S)\fR +This parameter specifies a set of UNIX mode bit +permissions that will \fBalways\fR be set on a directory +created by Samba. This is done by bitwise 'OR'ing these bits onto the +mode bits of a directory that is being created. The default for this +parameter is (in octal) 0000 which will not add any extra permission +bits to a created directory. This operation is done after the mode +mask in the parameter \fIdirectory mask\fR is +applied. + +See also the parameter \fI directory mask\fR for details on masking mode bits +on created directories. + +See also the \fI inherit permissions\fR parameter. + +Default: \fBforce directory mode = 000\fR + +Example: \fBforce directory mode = 0755\fR + +would force all created directories to have read and execute +permissions set for 'group' and 'other' as well as the +read/write/execute bits set for the 'user'. +.TP +\fBforce directory security mode (S)\fR +This parameter controls what UNIX permission bits +can be modified when a Windows NT client is manipulating the UNIX +permission on a directory using the native NT security dialog box. + +This parameter is applied as a mask (OR'ed with) to the +changed permission bits, thus forcing any bits in this mask that +the user may have modified to be on. Essentially, one bits in this +mask may be treated as a set of bits that, when modifying security +on a directory, the user has always set to be 'on'. + +If not set explicitly this parameter is set to the same +value as the \fIforce +directory mode\fR parameter. To allow +a user to modify all the user/group/world permissions on a +directory, with restrictions set this parameter to 000. + +\fBNote\fR that users who can access the +Samba server through other means can easily bypass this restriction, +so it is primarily useful for standalone "appliance" systems. +Administrators of most normal systems will probably want to set +it to 0000. + +See also the \fI directory security mask\fR, \fIsecurity mask\fR, +\fIforce security mode +\fRparameters. + +Default: \fBforce directory security mode = \fR + +Example: \fBforce directory security mode = 0\fR +.TP +\fBforce group (S)\fR +This specifies a UNIX group name that will be +assigned as the default primary group for all users connecting +to this service. This is useful for sharing files by ensuring +that all access to files on service will use the named group for +their permissions checking. Thus, by assigning permissions for this +group to the files and directories within this service the Samba +administrator can restrict or allow sharing of these files. + +In Samba 2.0.5 and above this parameter has extended +functionality in the following way. If the group name listed here +has a '+' character prepended to it then the current user accessing +the share only has the primary group default assigned to this group +if they are already assigned as a member of that group. This allows +an administrator to decide that only users who are already in a +particular group will create files with group ownership set to that +group. This gives a finer granularity of ownership assignment. For +example, the setting \fIforce group = +sys\fR means +that only users who are already in group sys will have their default +primary group assigned to sys when accessing this Samba share. All +other users will retain their ordinary primary group. + +If the \fIforce user +\fRparameter is also set the group specified in +\fIforce group\fR will override the primary group +set in \fIforce user\fR. + +See also \fIforce +user\fR. + +Default: \fBno forced group\fR + +Example: \fBforce group = agroup\fR +.TP +\fBforce security mode (S)\fR +This parameter controls what UNIX permission +bits can be modified when a Windows NT client is manipulating +the UNIX permission on a file using the native NT security dialog +box. + +This parameter is applied as a mask (OR'ed with) to the +changed permission bits, thus forcing any bits in this mask that +the user may have modified to be on. Essentially, one bits in this +mask may be treated as a set of bits that, when modifying security +on a file, the user has always set to be 'on'. + +If not set explicitly this parameter is set to the same +value as the \fIforce +create mode\fR parameter. To allow a user to +modify all the user/group/world permissions on a file, with no +restrictions set this parameter to 000. + +\fBNote\fR that users who can access +the Samba server through other means can easily bypass this restriction, +so it is primarily useful for standalone "appliance" systems. +Administrators of most normal systems will probably want to set +it to 0000. + +See also the \fI force directory security mode\fR, +\fIdirectory security +mask\fR, \fI security mask\fR parameters. + +Default: \fBforce security mode = \fR + +Example: \fBforce security mode = 0\fR +.TP +\fBforce user (S)\fR +This specifies a UNIX user name that will be +assigned as the default user for all users connecting to this service. +This is useful for sharing files. You should also use it carefully +as using it incorrectly can cause security problems. + +This user name only gets used once a connection is established. +Thus clients still need to connect as a valid user and supply a +valid password. Once connected, all file operations will be performed +as the "forced user", no matter what username the client connected +as. + +This can be very useful. + +In Samba 2.0.5 and above this parameter also causes the +primary group of the forced user to be used as the primary group +for all file activity. Prior to 2.0.5 the primary group was left +as the primary group of the connecting user (this was a bug). + +See also \fIforce group +\fR +Default: \fBno forced user\fR + +Example: \fBforce user = auser\fR +.TP +\fBfstype (S)\fR +This parameter allows the administrator to +configure the string that specifies the type of filesystem a share +is using that is reported by \fBsmbd(8) +\fR when a client queries the filesystem type +for a share. The default type is NTFS for +compatibility with Windows NT but this can be changed to other +strings such as Samba or FAT +if required. + +Default: \fBfstype = NTFS\fR + +Example: \fBfstype = Samba\fR +.TP +\fBgetwd cache (G)\fR +This is a tuning option. When this is enabled a +caching algorithm will be used to reduce the time taken for getwd() +calls. This can have a significant impact on performance, especially +when the \fIwide links\fR +parameter is set to False. + +Default: \fBgetwd cache = No\fR +.TP +\fBgroup (S)\fR +Synonym for \fIforce +group\fR. +.TP +\fBguest account (S)\fR +This is a username which will be used for access +to services which are specified as \fI guest ok\fR (see below). Whatever privileges this +ser has will be available to any client connecting to the guest service. +Typically this user will exist in the password file, but will not +have a valid login. The user account "ftp" is often a good choice +for this parameter. If a username is specified in a given service, +the specified username overrides this one. + +One some systems the default guest account "nobody" may not +be able to print. Use another account in this case. You should test +this by trying to log in as your guest user (perhaps by using the +\fBsu -\fR command) and trying to print using the +system print command such as \fBlpr(1)\fR or \fB lp(1)\fR. + +Default: \fBspecified at compile time, usually +"nobody"\fR + +Example: \fBguest account = ftp\fR +.TP +\fBguest ok (S)\fR +If this parameter is yes for +a service, then no password is equired to connect to the service. +Privileges will be those of the \fI guest account\fR. + +See the section below on \fI security\fR for more information about this option. + +Default: \fBguest ok = no\fR +.TP +\fBguest only (S)\fR +If this parameter is yes for +a service, then only guest connections to the service are permitted. +This parameter will have no affect if \fIguest ok\fR is not set for the service. + +See the section below on \fI security\fR for more information about this option. + +Default: \fBguest only = no\fR +.TP +\fBhide dot files (S)\fR +This is a boolean parameter that controls whether +files starting with a dot appear as hidden files. + +Default: \fBhide dot files = yes\fR +.TP +\fBhide files(S)\fR +This is a list of files or directories that are not +visible but are accessible. The DOS 'hidden' attribute is applied +to any files or directories that match. + +Each entry in the list must be separated by a '/', +which allows spaces to be included in the entry. '*' +and '?' can be used to specify multiple files or directories +as in DOS wildcards. + +Each entry must be a Unix path, not a DOS path and must +not include the Unix directory separator '/'. + +Note that the case sensitivity option is applicable +in hiding files. + +Setting this parameter will affect the performance of Samba, +as it will be forced to check all files and directories for a match +as they are scanned. + +See also \fIhide +dot files\fR, \fI veto files\fR and \fIcase sensitive\fR. + +Default: \fBno file are hidden\fR + +Example: \fBhide files = +/.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR + +The above example is based on files that the Macintosh +SMB client (DAVE) available from +Thursby creates for internal use, and also still hides +all files beginning with a dot. +.TP +\fBhide local users(G)\fR +This parameter toggles the hiding of local UNIX +users (root, wheel, floppy, etc) from remote clients. + +Default: \fBhide local users = no\fR +.TP +\fBhomedir map (G)\fR +If\fInis homedir +\fRis True, and \fBsmbd(8)\fR is also acting +as a Win95/98 \fIlogon server\fR then this parameter +specifies the NIS (or YP) map from which the server for the user's +home directory should be extracted. At present, only the Sun +auto.home map format is understood. The form of the map is: + +\fBusername server:/some/file/system\fR + +and the program will extract the servername from before +the first ':'. There should probably be a better parsing system +that copes with different map formats and also Amd (another +automounter) maps. + +\fBNOTE :\fRA working NIS client is required on +the system for this option to work. + +See also \fInis homedir\fR +, \fIdomain logons\fR +\&. + +Default: \fBhomedir map = auto.home\fR + +Example: \fBhomedir map = amd.homedir\fR +.TP +\fBhosts allow (S)\fR +A synonym for this parameter is \fIallow +hosts\fR. + +This parameter is a comma, space, or tab delimited +set of hosts which are permitted to access a service. + +If specified in the [global] section then it will +apply to all services, regardless of whether the individual +service has a different setting. + +You can specify the hosts by name or IP number. For +example, you could restrict access to only the hosts on a +Class C subnet with something like \fBallow hosts = 150.203.5. +\fR\&. The full syntax of the list is described in the man +page \fIhosts_access(5)\fR. Note that this man +page may not be present on your system, so a brief description will +be given here also. + +Note that the localhost address 127.0.0.1 will always +be allowed access unless specifically denied by a \fIhosts deny\fR option. + +You can also specify hosts by network/netmask pairs and +by netgroup names if your system supports netgroups. The +\fBEXCEPT\fR keyword can also be used to limit a +wildcard list. The following examples may provide some help: + +Example 1: allow all IPs in 150.203.*.*; except one + +\fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR + +Example 2: allow hosts that match the given network/netmask + +\fBhosts allow = 150.203.15.0/255.255.255.0\fR + +Example 3: allow a couple of hosts + +\fBhosts allow = lapland, arvidsjaur\fR + +Example 4: allow only hosts in NIS netgroup "foonet", but +deny access from one particular host + +\fBhosts allow = @foonet\fR + +\fBhosts deny = pirate\fR + +Note that access still requires suitable user-level passwords. + +See \fBtestparm(1)\fR + for a way of testing your host access to see if it does +what you expect. + +Default: \fBnone (i.e., all hosts permitted access) +\fR +Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au +\fR.TP +\fBhosts deny (S)\fR +The opposite of \fIhosts allow\fR +- hosts listed here are \fBNOT\fR permitted access to +services unless the specific services have their own lists to override +this one. Where the lists conflict, the \fIallow\fR +list takes precedence. + +Default: \fBnone (i.e., no hosts specifically excluded) +\fR +Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au +\fR.TP +\fBhosts equiv (G)\fR +If this global parameter is a non-null string, +it specifies the name of a file to read for the names of hosts +and users who will be allowed access without specifying a password. + +This is not be confused with \fIhosts allow\fR which is about hosts +access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will +not supply passwords to samba. + +\fBNOTE :\fR The use of \fIhosts equiv +\fRcan be a major security hole. This is because you are +trusting the PC to supply the correct username. It is very easy to +get a PC to supply a false username. I recommend that the +\fIhosts equiv\fR option be only used if you really +know what you are doing, or perhaps on a home network where you trust +your spouse and kids. And only if you \fBreally\fR trust +them :-). + +Default: \fBno host equivalences\fR + +Example: \fBhosts equiv = /etc/hosts.equiv\fR +.TP +\fBinclude (G)\fR +This allows you to include one config file +inside another. The file is included literally, as though typed +in place. + +It takes the standard substitutions, except \fI%u +\fR, \fI%P\fR and \fI%S\fR. + +Default: \fBno file included\fR + +Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf +\fR.TP +\fBinherit permissions (S)\fR +The permissions on new files and directories +are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR +and \fIforce +directory mode\fR but the boolean inherit +permissions parameter overrides this. + +New directories inherit the mode of the parent directory, +including bits such as setgid. + +New files inherit their read/write bits from the parent +directory. Their execute bits continue to be determined by +\fImap archive\fR +, \fImap hidden\fR +and \fImap system\fR +as usual. + +Note that the setuid bit is \fBnever\fR set via +inheritance (the code explicitly prohibits this). + +This can be particularly useful on large systems with +many users, perhaps several thousand,to allow a single [homes] +share to be used flexibly by each user. + +See also \fIcreate mask +\fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR +\&. + +Default: \fBinherit permissions = no\fR +.TP +\fBinterfaces (G)\fR +This option allows you to override the default +network interfaces list that Samba will use for browsing, name +registration and other NBT traffic. By default Samba will query +the kernel for the list of all active interfaces and use any +interfaces except 127.0.0.1 that are broadcast capable. + +The option takes a list of interface strings. Each string +can be in any of the following forms: +.RS +.TP 0.2i +\(bu +a network interface name (such as eth0). +This may include shell-like wildcards so eth* will match +any interface starting with the substring "eth" +.TP 0.2i +\(bu +an IP address. In this case the netmask is +determined from the list of interfaces obtained from the +kernel +.TP 0.2i +\(bu +an IP/mask pair. +.TP 0.2i +\(bu +a broadcast/mask pair. +.RE +.PP +The "mask" parameters can either be a bit length (such +as 24 for a C class network) or a full netmask in dotted +decmal form. +.PP +.PP +The "IP" parameters above can either be a full dotted +decimal IP address or a hostname which will be looked up via +the OSes normal hostname resolution mechanisms. +.PP +.PP +For example, the following line: +.PP +.PP +\fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 +\fR.PP +.PP +would configure three network interfaces corresponding +to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. +The netmasks of the latter two interfaces would be set to 255.255.255.0. +.PP +.PP +See also \fIbind +interfaces only\fR. +.PP +.TP +\fBinvalid users (S)\fR +This is a list of users that should not be allowed +to login to this service. This is really a \fBparanoid\fR +check to absolutely ensure an improper setting does not breach +your security. + +A name starting with a '@' is interpreted as an NIS +netgroup first (if your system supports NIS), and then as a UNIX +group if the name was not found in the NIS netgroup database. + +A name starting with '+' is interpreted only +by looking in the UNIX group database. A name starting with +\&'&' is interpreted only by looking in the NIS netgroup database +(this requires NIS to be working on your system). The characters +\&'+' and '&' may be used at the start of the name in either order +so the value \fI+&group\fR means check the +UNIX group database, followed by the NIS netgroup database, and +the value \fI&+group"\fR means check the NIS +netgroup database, followed by the UNIX group database (the +same as the '@' prefix). + +The current servicename is substituted for \fI%S\fR. +This is useful in the [homes] section. + +See also \fIvalid users +\fR\&. + +Default: \fBno invalid users\fR + +Example: \fBinvalid users = root fred admin @wheel +\fR.TP +\fBkeepalive (G)\fR +The value of the parameter (an integer) represents +the number of seconds between \fIkeepalive\fR +packets. If this parameter is zero, no keepalive packets will be +sent. Keepalive packets, if sent, allow the server to tell whether +a client is still present and responding. + +Keepalives should, in general, not be needed if the socket +being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR). +Basically you should only use this option if you strike difficulties. + +Default: \fBkeepalive = 0\fR + +Example: \fBkeepalive = 60\fR +.TP +\fBkernel oplocks (G)\fR +For UNIXs that support kernel based \fIoplocks\fR +(currently only IRIX and the Linux 2.4 kernel), this parameter +allows the use of them to be turned on or off. + +Kernel oplocks support allows Samba \fIoplocks +\fRto be broken whenever a local UNIX process or NFS operation +accesses a file that \fBsmbd(8)\fR + has oplocked. This allows complete data consistency between +SMB/CIFS, NFS and local file access (and is a \fBvery\fR +cool feature :-). + +This parameter defaults to on on systems +that have the support, and off on systems that +don't. You should never need to touch this parameter. + +See also the \fIoplocks\fR +and \fIlevel2 oplocks +\fRparameters. + +Default: \fBkernel oplocks = yes\fR +.TP +\fBlevel2 oplocks (S)\fR +This parameter controls whether Samba supports +level2 (read-only) oplocks on a share. + +Level2, or read-only oplocks allow Windows NT clients +that have an oplock on a file to downgrade from a read-write oplock +to a read-only oplock once a second client opens the file (instead +of releasing all oplocks on a second open, as in traditional, +exclusive oplocks). This allows all openers of the file that +support level2 oplocks to cache the file for read-ahead only (ie. +they may not cache writes or lock requests) and increases performance +for many acesses of files that are not commonly written (such as +application .EXE files). + +Once one of the clients which have a read-only oplock +writes to the file all clients are notified (no reply is needed +or waited for) and told to break their oplocks to "none" and +delete any read-ahead caches. + +It is recommended that this parameter be turned on +to speed access to shared executables (and also to test +the code :-). + +For more discussions on level2 oplocks see the CIFS spec. + +Currently, if \fIkernel +oplocks\fR are supported then level2 oplocks are +not granted (even if this parameter is set to yes). +Note also, the \fIoplocks\fR +parameter must be set to "true" on this share in order for +this parameter to have any effect. + +See also the \fIoplocks\fR +and \fIkernel oplocks\fR +parameters. + +Default: \fBlevel2 oplocks = False\fR +.TP +\fBlm announce (G)\fR +This parameter determines if \fBnmbd(8)\fR will produce Lanman announce +broadcasts that are needed by OS/2 clients in order for them to see +the Samba server in their browse list. This parameter can have three +values, true, false, or +auto. The default is auto. +If set to false Samba will never produce these +broadcasts. If set to true Samba will produce +Lanman announce broadcasts at a frequency set by the parameter +\fIlm interval\fR. If set to auto +Samba will not send Lanman announce broadcasts by default but will +listen for them. If it hears such a broadcast on the wire it will +then start sending them at a frequency set by the parameter +\fIlm interval\fR. + +See also \fIlm interval +\fR\&. + +Default: \fBlm announce = auto\fR + +Example: \fBlm announce = true\fR +.TP +\fBlm interval (G)\fR +If Samba is set to produce Lanman announce +broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this +parameter defines the frequency in seconds with which they will be +made. If this is set to zero then no Lanman announcements will be +made despite the setting of the \fIlm announce\fR +parameter. + +See also \fIlm +announce\fR. + +Default: \fBlm interval = 60\fR + +Example: \fBlm interval = 120\fR +.TP +\fBload printers (G)\fR +A boolean variable that controls whether all +printers in the printcap will be loaded for browsing by default. +See the printers section for +more details. + +Default: \fBload printers = yes\fR +.TP +\fBlocal master (G)\fR +This option allows \fB nmbd(8)\fR to try and become a local master browser +on a subnet. If set to False then \fB nmbd\fR will not attempt to become a local master browser +on a subnet and will also lose in all browsing elections. By +default this value is set to true. Setting this value to true doesn't +mean that Samba will \fBbecome\fR the local master +browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser. + +Setting this value to False will cause \fBnmbd\fR +\fBnever\fR to become a local master browser. + +Default: \fBlocal master = yes\fR +.TP +\fBlock dir (G)\fR +Synonym for \fI lock directory\fR. +.TP +\fBlock directory (G)\fR +This option specifies the directory where lock +files will be placed. The lock files are used to implement the +\fImax connections\fR +option. + +Default: \fBlock directory = /tmp/samba\fR + +Example: \fBlock directory = /usr/local/samba/var/locks\fR +.TP +\fBlocking (S)\fR +This controls whether or not locking will be +performed by the server in response to lock requests from the +client. + +If \fBlocking = no\fR, all lock and unlock requests +will appear to succeed and all lock queries will indicate that the +queried lock is clear. + +If \fBlocking = yes\fR, real locking will be performed +by the server. + +This option \fBmay\fR be useful for read-only +filesystems which \fBmay\fR not need locking (such as +cdrom drives), although setting this parameter of no +is not really recommended even in this case. + +Be careful about disabling locking either globally or in a +specific service, as lack of locking may result in data corruption. +You should never need to set this parameter. + +Default: \fBlocking = yes\fR +.TP +\fBlog file (G)\fR +This options allows you to override the name +of the Samba log file (also known as the debug file). + +This option takes the standard substitutions, allowing +you to have separate log files for each user or machine. + +Example: \fBlog file = /usr/local/samba/var/log.%m +\fR.TP +\fBlog level (G)\fR +Synonym for \fI debug level\fR. +.TP +\fBlogon drive (G)\fR +This parameter specifies the local path to +which the home directory will be connected (see \fIlogon home\fR) +and is only used by NT Workstations. + +Note that this option is only useful if Samba is set up as a +logon server. + +Default: \fBlogon drive = z:\fR + +Example: \fBlogon drive = h:\fR +.TP +\fBlogon home (G)\fR +This parameter specifies the home directory +location when a Win95/98 or NT Workstation logs into a Samba PDC. +It allows you to do + +C:\\> \fBNET USE H: /HOME\fR + +from a command prompt, for example. + +This option takes the standard substitutions, allowing +you to have separate logon scripts for each user or machine. + +This parameter can be used with Win9X workstations to ensure +that roaming profiles are stored in a subdirectory of the user's +home directory. This is done in the following way: + +\fBlogon home = \\\\%L\\%U\\profile\fR + +This tells Samba to return the above string, with +substitutions made when a client requests the info, generally +in a NetUserGetInfo request. Win9X clients truncate the info to +\\\\server\\share when a user does \fBnet use /home"\fR +but use the whole string when dealing with profiles. + +Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than +\fIlogon home\fR. This broke \fBnet use +/home\fR but allowed profiles outside the home directory. +The current implementation is correct, and can be used for +profiles if you use the above trick. + +This option is only useful if Samba is set up as a logon +server. + +Default: \fBlogon home = "\\\\%N\\%U"\fR + +Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR +.TP +\fBlogon path (G)\fR +This parameter specifies the home directory +where roaming profiles (NTuser.dat etc files for Windows NT) are +stored. Contrary to previous versions of these manual pages, it has +nothing to do with Win 9X roaming profiles. To find out how to +handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter. + +This option takes the standard substitutions, allowing you +to have separate logon scripts for each user or machine. It also +specifies the directory from which the "Application Data", +(\fIdesktop\fR, \fIstart menu\fR, +\fInetwork neighborhood\fR, \fIprograms\fR +and other folders, and their contents, are loaded and displayed on +your Windows NT client. + +The share and the path must be readable by the user for +the preferences and directories to be loaded onto the Windows NT +client. The share must be writeable when the logs in for the first +time, in order that the Windows NT client can create the NTuser.dat +and other directories. + +Thereafter, the directories and any of the contents can, +if required, be made read-only. It is not advisable that the +NTuser.dat file be made read-only - rename it to NTuser.man to +achieve the desired effect (a \fBMAN\fRdatory +profile). + +Windows clients can sometimes maintain a connection to +the [homes] share, even though there is no user logged in. +Therefore, it is vital that the logon path does not include a +reference to the homes share (i.e. setting this parameter to +\\%N\\%U\\profile_path will cause problems). + +This option takes the standard substitutions, allowing +you to have separate logon scripts for each user or machine. + +Note that this option is only useful if Samba is set up +as a logon server. + +Default: \fBlogon path = \\\\%N\\%U\\profile\fR + +Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR +.TP +\fBlogon script (G)\fR +This parameter specifies the batch file (.bat) or +NT command file (.cmd) to be downloaded and run on a machine when +a user successfully logs in. The file must contain the DOS +style cr/lf line endings. Using a DOS-style editor to create the +file is recommended. + +The script must be a relative path to the [netlogon] +service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon +\fR, and \fBlogon script = STARTUP.BAT\fR, then +the file that will be downloaded is: + +\fI/usr/local/samba/netlogon/STARTUP.BAT\fR + +The contents of the batch file is entirely your choice. A +suggested command would be to add \fBNET TIME \\\\SERVER /SET +/YES\fR, to force every machine to synchronize clocks with +the same time server. Another use would be to add \fBNET USE +U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example. + +Note that it is particularly important not to allow write +access to the [netlogon] share, or to grant users write permission +on the batch files in a secure environment, as this would allow +the batch files to be arbitrarily modified and security to be +breached. + +This option takes the standard substitutions, allowing you +to have separate logon scripts for each user or machine. + +This option is only useful if Samba is set up as a logon +server. + +Default: \fBno logon script defined\fR + +Example: \fBlogon script = scripts\\%U.bat\fR +.TP +\fBlppause command (S)\fR +This parameter specifies the command to be +executed on the server host in order to stop printing or spooling +a specific print job. + +This command should be a program or script which takes +a printer name and job number to pause the print job. One way +of implementing this is by using job priorities, where jobs +having a too low priority won't be sent to the printer. + +If a \fI%p\fR is given then the printername +is put in its place. A \fI%j\fR is replaced with +the job number (an integer). On HPUX (see \fIprinting=hpux +\fR), if the \fI-p%p\fR option is added +to the lpq command, the job will show up with the correct status, i.e. +if the job priority is lower than the set fence priority it will +have the PAUSED status, whereas if the priority is equal or higher it +will have the SPOOLED or PRINTING status. + +Note that it is good practice to include the absolute path +in the lppause command as the PATH may not be available to the server. + +See also the \fIprinting +\fRparameter. + +Default: Currently no default value is given to +this string, unless the value of the \fIprinting\fR +parameter is SYSV, in which case the default is : + +\fBlp -i %p-%j -H hold\fR + +or if the value of the \fIprinting\fR parameter +is SOFTQ, then the default is: + +\fBqstat -s -j%j -h\fR + +Example for HPUX: \fBlppause command = /usr/bin/lpalt +%p-%j -p0\fR +.TP +\fBlpq cache time (G)\fR +This controls how long lpq info will be cached +for to prevent the \fBlpq\fR command being called too +often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different +\fBlpq\fR commands for different users then they won't +share cache information. + +The cache files are stored in \fI/tmp/lpq.xxxx\fR +where xxxx is a hash of the \fBlpq\fR command in use. + +The default is 10 seconds, meaning that the cached results +of a previous identical \fBlpq\fR command will be used +if the cached data is less than 10 seconds old. A large value may +be advisable if your \fBlpq\fR command is very slow. + +A value of 0 will disable caching completely. + +See also the \fIprinting +\fRparameter. + +Default: \fBlpq cache time = 10\fR + +Example: \fBlpq cache time = 30\fR +.TP +\fBlpq command (S)\fR +This parameter specifies the command to be +executed on the server host in order to obtain \fBlpq +\fR-style printer status information. + +This command should be a program or script which +takes a printer name as its only parameter and outputs printer +status information. + +Currently eight styles of printer status information +are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. +This covers most UNIX systems. You control which type is expected +using the \fIprinting =\fR option. + +Some clients (notably Windows for Workgroups) may not +correctly send the connection number for the printer they are +requesting status information about. To get around this, the +server reports on the first printer service connected to by the +client. This only happens if the connection number sent is invalid. + +If a \fI%p\fR is given then the printername +is put in its place. Otherwise it is placed at the end of the +command. + +Note that it is good practice to include the absolute path +in the \fIlpq command\fR as the PATH may not be +available to the server. + +See also the \fIprinting +\fRparameter. + +Default: \fBdepends on the setting of \fI printing\fB\fR + +Example: \fBlpq command = /usr/bin/lpq %p\fR +.TP +\fBlpresume command (S)\fR +This parameter specifies the command to be +executed on the server host in order to restart or continue +printing or spooling a specific print job. + +This command should be a program or script which takes +a printer name and job number to resume the print job. See +also the \fIlppause command +\fRparameter. + +If a \fI%p\fR is given then the printername +is put in its place. A \fI%j\fR is replaced with +the job number (an integer). + +Note that it is good practice to include the absolute path +in the \fIlpresume command\fR as the PATH may not +be available to the server. + +See also the \fIprinting +\fRparameter. + +Default: Currently no default value is given +to this string, unless the value of the \fIprinting\fR +parameter is SYSV, in which case the default is : + +\fBlp -i %p-%j -H resume\fR + +or if the value of the \fIprinting\fR parameter +is SOFTQ, then the default is: + +\fBqstat -s -j%j -r\fR + +Example for HPUX: \fBlpresume command = /usr/bin/lpalt +%p-%j -p2\fR +.TP +\fBlprm command (S)\fR +This parameter specifies the command to be +executed on the server host in order to delete a print job. + +This command should be a program or script which takes +a printer name and job number, and deletes the print job. + +If a \fI%p\fR is given then the printername +is put in its place. A \fI%j\fR is replaced with +the job number (an integer). + +Note that it is good practice to include the absolute +path in the \fIlprm command\fR as the PATH may not be +available to the server. + +See also the \fIprinting +\fRparameter. + +Default: \fBdepends on the setting of \fIprinting +\fB\fR +Example 1: \fBlprm command = /usr/bin/lprm -P%p %j +\fR +Example 2: \fBlprm command = /usr/bin/cancel %p-%j +\fR.TP +\fBmachine password timeout (G)\fR +If a Samba server is a member of an Windows +NT Domain (see the security=domain) +parameter) then periodically a running smbd(8) process will try and change the MACHINE ACCOUNT +PASSWORD stored in the TDB called \fIprivate/secrets.tdb +\fR\&. This parameter specifies how often this password +will be changed, in seconds. The default is one week (expressed in +seconds), the same as a Windows NT Domain member server. + +See also \fBsmbpasswd(8) +\fR , and the security=domain) parameter. + +Default: \fBmachine password timeout = 604800\fR +.TP +\fBmagic output (S)\fR +This parameter specifies the name of a file +which will contain output created by a magic script (see the +\fImagic script\fR +parameter below). + +Warning: If two clients use the same \fImagic script +\fRin the same directory the output file content +is undefined. + +Default: \fBmagic output = .out +\fR +Example: \fBmagic output = myfile.txt\fR +.TP +\fBmagic script (S)\fR +This parameter specifies the name of a file which, +if opened, will be executed by the server when the file is closed. +This allows a UNIX script to be sent to the Samba host and +executed on behalf of the connected user. + +Scripts executed in this way will be deleted upon +completion, permissions permitting. + +If the script generates output, output will be sent to +the file specified by the \fI magic output\fR parameter (see above). + +Note that some shells are unable to interpret scripts +containing carriage-return-linefeed instead of linefeed as +the end-of-line marker. Magic scripts must be executable +\fBas is\fR on the host, which for some hosts and +some shells will require filtering at the DOS end. + +Magic scripts are \fBEXPERIMENTAL\fR and +should \fBNOT\fR be relied upon. + +Default: \fBNone. Magic scripts disabled.\fR + +Example: \fBmagic script = user.csh\fR +.TP +\fBmangle case (S)\fR +See the section on NAME MANGLING +.TP +\fBmangled map (S)\fR +This is for those who want to directly map UNIX +file names which can not be represented on Windows/DOS. The mangling +of names is not always what is needed. In particular you may have +documents with file extensions that differ between DOS and UNIX. +For example, under UNIX it is common to use \fI.html\fR +for HTML files, whereas under Windows/DOS \fI.htm\fR +is more commonly used. + +So to map \fIhtml\fR to \fIhtm\fR +you would use: + +\fBmangled map = (*.html *.htm)\fR + +One very useful case is to remove the annoying \fI;1 +\fRoff the ends of filenames on some CDROMS (only visible +under some UNIXs). To do this use a map of (*;1 *;). + +Default: \fBno mangled map\fR + +Example: \fBmangled map = (*;1 *;)\fR +.TP +\fBmangled names (S)\fR +This controls whether non-DOS names under UNIX +should be mapped to DOS-compatible names ("mangled") and made visible, +or whether non-DOS names should simply be ignored. + +See the section on NAME MANGLING for details on how to control the mangling process. + +If mangling is used then the mangling algorithm is as follows: +.RS +.TP 0.2i +\(bu +The first (up to) five alphanumeric characters +before the rightmost dot of the filename are preserved, forced +to upper case, and appear as the first (up to) five characters +of the mangled name. +.TP 0.2i +\(bu +A tilde "~" is appended to the first part of the mangled +name, followed by a two-character unique sequence, based on the +original root name (i.e., the original filename minus its final +extension). The final extension is included in the hash calculation +only if it contains any upper case characters or is longer than three +characters. + +Note that the character to use may be specified using +the \fImangling char\fR +option, if you don't like '~'. +.TP 0.2i +\(bu +The first three alphanumeric characters of the final +extension are preserved, forced to upper case and appear as the +extension of the mangled name. The final extension is defined as that +part of the original filename after the rightmost dot. If there are no +dots in the filename, the mangled name will have no extension (except +in the case of "hidden files" - see below). +.TP 0.2i +\(bu +Files whose UNIX name begins with a dot will be +presented as DOS hidden files. The mangled name will be created as +for other filenames, but with the leading dot removed and "___" as +its extension regardless of actual original extension (that's three +underscores). +.RE +.PP +The two-digit hash value consists of upper case +alphanumeric characters. +.PP +.PP +This algorithm can cause name collisions only if files +in a directory share the same first five alphanumeric characters. +The probability of such a clash is 1/1300. +.PP +.PP +The name mangling (if enabled) allows a file to be +copied between UNIX directories from Windows/DOS while retaining +the long UNIX filename. UNIX files can be renamed to a new extension +from Windows/DOS and will retain the same basename. Mangled names +do not change between sessions. +.PP +.PP +Default: \fBmangled names = yes\fR +.PP +.TP +\fBmangling char (S)\fR +This controls what character is used as +the \fBmagic\fR character in name mangling. The default is a '~' +but this may interfere with some software. Use this option to set +it to whatever you prefer. + +Default: \fBmangling char = ~\fR + +Example: \fBmangling char = ^\fR +.TP +\fBmangled stack (G)\fR +This parameter controls the number of mangled names +that should be cached in the Samba server smbd(8) . + +This stack is a list of recently mangled base names +(extensions are only maintained if they are longer than 3 characters +or contains upper case characters). + +The larger this value, the more likely it is that mangled +names can be successfully converted to correct long UNIX names. +However, large stack sizes will slow most directory access. Smaller +stacks save memory in the server (each stack element costs 256 bytes). + +It is not possible to absolutely guarantee correct long +file names, so be prepared for some surprises! + +Default: \fBmangled stack = 50\fR + +Example: \fBmangled stack = 100\fR +.TP +\fBmap archive (S)\fR +This controls whether the DOS archive attribute +should be mapped to the UNIX owner execute bit. The DOS archive bit +is set when a file has been modified since its last backup. One +motivation for this option it to keep Samba/your PC from making +any file it touches from becoming executable under UNIX. This can +be quite annoying for shared source code, documents, etc... + +Note that this requires the \fIcreate mask\fR +parameter to be set such that owner execute bit is not masked out +(i.e. it must include 100). See the parameter \fIcreate mask\fR for details. + +Default: \fBmap archive = yes\fR +.TP +\fBmap hidden (S)\fR +This controls whether DOS style hidden files +should be mapped to the UNIX world execute bit. + +Note that this requires the \fIcreate mask\fR +to be set such that the world execute bit is not masked out (i.e. +it must include 001). See the parameter \fIcreate mask\fR for details. + +Default: \fBmap hidden = no\fR +.TP +\fBmap system (S)\fR +This controls whether DOS style system files +should be mapped to the UNIX group execute bit. + +Note that this requires the \fIcreate mask\fR +to be set such that the group execute bit is not masked out (i.e. +it must include 010). See the parameter \fIcreate mask\fR for details. + +Default: \fBmap system = no\fR +.TP +\fBmap to guest (G)\fR +This parameter is only useful in security modes other than \fIsecurity=share\fR +- i.e. user, server, +and domain. + +This parameter can take three different values, which tell +smbd(8) what to do with user +login requests that don't match a valid UNIX user in some way. + +The three settings are : +.RS +.TP 0.2i +\(bu +Never - Means user login +requests with an invalid password are rejected. This is the +default. +.TP 0.2i +\(bu +Bad User - Means user +logins with an invalid password are rejected, unless the username +does not exist, in which case it is treated as a guest login and +mapped into the \fI guest account\fR. +.TP 0.2i +\(bu +Bad Password - Means user logins +with an invalid password are treated as a guest login and mapped +into the guest account. Note that +this can cause problems as it means that any user incorrectly typing +their password will be silently logged on as a "guest" - and +will not know the reason they cannot access files they think +they should - there will have been no message given to them +that they got their password wrong. Helpdesk services will +\fBhate\fR you if you set the \fImap to +guest\fR parameter this way :-). +.RE +.PP +Note that this parameter is needed to set up "Guest" +share services when using \fIsecurity\fR modes other than +share. This is because in these modes the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client so the server +cannot make authentication decisions at the correct time (connection +to the share) for "Guest" shares. +.PP +.PP +For people familiar with the older Samba releases, this +parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h. +.PP +.PP +Default: \fBmap to guest = Never\fR +.PP +.PP +Example: \fBmap to guest = Bad User\fR +.PP +.TP +\fBmax connections (S)\fR +This option allows the number of simultaneous +connections to a service to be limited. If \fImax connections +\fRis greater than 0 then connections will be refused if +this number of connections to the service are already open. A value +of zero mean an unlimited number of connections may be made. + +Record lock files are used to implement this feature. The +lock files will be stored in the directory specified by the \fIlock directory\fR +option. + +Default: \fBmax connections = 0\fR + +Example: \fBmax connections = 10\fR +.TP +\fBmax disk size (G)\fR +This option allows you to put an upper limit +on the apparent size of disks. If you set this option to 100 +then all shares will appear to be not larger than 100 MB in +size. + +Note that this option does not limit the amount of +data you can put on the disk. In the above case you could still +store much more than 100 MB on the disk, but if a client ever asks +for the amount of free disk space or the total disk size then the +result will be bounded by the amount specified in \fImax +disk size\fR. + +This option is primarily useful to work around bugs +in some pieces of software that can't handle very large disks, +particularly disks over 1GB in size. + +A \fImax disk size\fR of 0 means no limit. + +Default: \fBmax disk size = 0\fR + +Example: \fBmax disk size = 1000\fR +.TP +\fBmax log size (G)\fR +This option (an integer in kilobytes) specifies +the max size the log file should grow to. Samba periodically checks +the size and if it is exceeded it will rename the file, adding +a \fI.old\fR extension. + +A size of 0 means no limit. + +Default: \fBmax log size = 5000\fR + +Example: \fBmax log size = 1000\fR +.TP +\fBmax mux (G)\fR +This option controls the maximum number of +outstanding simultaneous SMB operations that samba tells the client +it will allow. You should never need to set this parameter. + +Default: \fBmax mux = 50\fR +.TP +\fBmax open files (G)\fR +This parameter limits the maximum number of +open files that one smbd(8) file +serving process may have open for a client at any one time. The +default for this parameter is set very high (10,000) as Samba uses +only one bit per unopened file. + +The limit of the number of open files is usually set +by the UNIX per-process file descriptor limit rather than +this parameter so you should never need to touch this parameter. + +Default: \fBmax open files = 10000\fR +.TP +\fBmax ttl (G)\fR +This option tells nmbd(8) +what the default 'time to live' of NetBIOS names should be (in seconds) +when \fBnmbd\fR is requesting a name using either a +broadcast packet or from a WINS server. You should never need to +change this parameter. The default is 3 days. + +Default: \fBmax ttl = 259200\fR +.TP +\fBmax wins ttl (G)\fR +This option tells nmbd(8) + when acting as a WINS server ( \fIwins support=yes\fR) what the maximum +\&'time to live' of NetBIOS names that \fBnmbd\fR +will grant will be (in seconds). You should never need to change this +parameter. The default is 6 days (518400 seconds). + +See also the \fImin +wins ttl"\fR parameter. + +Default: \fBmax wins ttl = 518400\fR +.TP +\fBmax xmit (G)\fR +This option controls the maximum packet size +that will be negotiated by Samba. The default is 65535, which +is the maximum. In some cases you may find you get better performance +with a smaller value. A value below 2048 is likely to cause problems. + +Default: \fBmax xmit = 65535\fR + +Example: \fBmax xmit = 8192\fR +.TP +\fBmessage command (G)\fR +This specifies what command to run when the +server receives a WinPopup style message. + +This would normally be a command that would +deliver the message somehow. How this is to be done is +up to your imagination. + +An example is: + +\fBmessage command = csh -c 'xedit %s;rm %s' &\fR + +This delivers the message using \fBxedit\fR, then +removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT +THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I +have the '&' on the end. If it doesn't return immediately then +your PCs may freeze when sending messages (they should recover +after 30secs, hopefully). + +All messages are delivered as the global guest user. +The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better +in this case). + +Apart from the standard substitutions, some additional +ones apply. In particular: +.RS +.TP 0.2i +\(bu +\fI%s\fR = the filename containing +the message. +.TP 0.2i +\(bu +\fI%t\fR = the destination that +the message was sent to (probably the server name). +.TP 0.2i +\(bu +\fI%f\fR = who the message +is from. +.RE +.PP +You could make this command send mail, or whatever else +takes your fancy. Please let us know of any really interesting +ideas you have. +.PP +.PP +Here's a way of sending the messages as mail to root: +.PP +.PP +\fBmessage command = /bin/mail -s 'message from %f on +%m' root < %s; rm %s\fR +.PP +.PP +If you don't have a message command then the message +won't be delivered and Samba will tell the sender there was +an error. Unfortunately WfWg totally ignores the error code +and carries on regardless, saying that the message was delivered. +.PP +.PP +If you want to silently delete it then try: +.PP +.PP +\fBmessage command = rm %s\fR +.PP +.PP +Default: \fBno message command\fR +.PP +.PP +Example: \fBmessage command = csh -c 'xedit %s; +rm %s' &\fR +.PP +.TP +\fBmin print space (S)\fR +This sets the minimum amount of free disk +space that must be available before a user will be able to spool +a print job. It is specified in kilobytes. The default is 0, which +means a user can always spool a print job. + +See also the \fIprinting +\fRparameter. + +Default: \fBmin print space = 0\fR + +Example: \fBmin print space = 2000\fR +.TP +\fBmin passwd length (G)\fR +Synonym for \fImin password length\fR. +.TP +\fBmin password length (G)\fR +This option sets the minimum length in characters +of a plaintext password than smbd will accept when performing +UNIX password changing. + +See also \fIunix +password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR +\&. + +Default: \fBmin password length = 5\fR +.TP +\fBmin wins ttl (G)\fR +This option tells nmbd(8) +when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live' +of NetBIOS names that \fBnmbd\fR will grant will be (in +seconds). You should never need to change this parameter. The default +is 6 hours (21600 seconds). + +Default: \fBmin wins ttl = 21600\fR +.TP +\fBname resolve order (G)\fR +This option is used by the programs in the Samba +suite to determine what naming services and in what order to resolve +host names to IP addresses. The option takes a space separated +string of different name resolution options. + +The options are :"lmhosts", "host", "wins" and "bcast". They +cause names to be resolved as follows : +.RS +.TP 0.2i +\(bu +lmhosts : Lookup an IP +address in the Samba lmhosts file. If the line in lmhosts has +no name type attached to the NetBIOS name (see the lmhosts(5) for details) then +any name type matches for lookup. +.TP 0.2i +\(bu +host : Do a standard host +name to IP address resolution, using the system \fI/etc/hosts +\fR, NIS, or DNS lookups. This method of name resolution +is operating system depended for instance on IRIX or Solaris this +may be controlled by the \fI/etc/nsswitch.conf\fR +file). Note that this method is only used if the NetBIOS name +type being queried is the 0x20 (server) name type, otherwise +it is ignored. +.TP 0.2i +\(bu +wins : Query a name with +the IP address listed in the \fI wins server\fR parameter. If no WINS server has +been specified this method will be ignored. +.TP 0.2i +\(bu +bcast : Do a broadcast on +each of the known local interfaces listed in the \fIinterfaces\fR +parameter. This is the least reliable of the name resolution +methods as it depends on the target host being on a locally +connected subnet. +.RE +.PP +Default: \fBname resolve order = lmhosts host wins bcast +\fR.PP +.PP +Example: \fBname resolve order = lmhosts bcast host +\fR.PP +.PP +This will cause the local lmhosts file to be examined +first, followed by a broadcast attempt, followed by a normal +system hostname lookup. +.PP +.TP +\fBnetbios aliases (G)\fR +This is a list of NetBIOS names that nmbd(8) will advertise as additional +names by which the Samba server is known. This allows one machine +to appear in browse lists under multiple names. If a machine is +acting as a browse server or logon server none +of these names will be advertised as either browse server or logon +servers, only the primary name of the machine will be advertised +with these capabilities. + +See also \fInetbios +name\fR. + +Default: \fBempty string (no additional names)\fR + +Example: \fBnetbios aliases = TEST TEST1 TEST2\fR +.TP +\fBnetbios name (G)\fR +This sets the NetBIOS name by which a Samba +server is known. By default it is the same as the first component +of the host's DNS name. If a machine is a browse server or +logon server this name (or the first component +of the hosts DNS name) will be the name that these services are +advertised under. + +See also \fInetbios +aliases\fR. + +Default: \fBmachine DNS name\fR + +Example: \fBnetbios name = MYNAME\fR +.TP +\fBnetbios scope (G)\fR +This sets the NetBIOS scope that Samba will +operate under. This should not be set unless every machine +on your LAN also sets this value. +.TP +\fBnis homedir (G)\fR +Get the home share server from a NIS map. For +UNIX systems that use an automounter, the user's home directory +will often be mounted on a workstation on demand from a remote +server. + +When the Samba logon server is not the actual home directory +server, but is mounting the home directories via NFS then two +network hops would be required to access the users home directory +if the logon server told the client to use itself as the SMB server +for home directories (one over SMB and one over NFS). This can +be very slow. + +This option allows Samba to return the home share as +being on a different server to the logon server and as +long as a Samba daemon is running on the home directory server, +it will be mounted on the Samba client directly from the directory +server. When Samba is returning the home share to the client, it +will consult the NIS map specified in \fIhomedir map\fR and return the server +listed there. + +Note that for this option to work there must be a working +NIS system and the Samba server with this option must also +be a logon server. + +Default: \fBnis homedir = no\fR +.TP +\fBnt acl support (G)\fR +This boolean parameter controls whether +smbd(8) will attempt to map +UNIX permissions into Windows NT access control lists. + +Default: \fBnt acl support = yes\fR +.TP +\fBnt pipe support (G)\fR +This boolean parameter controls whether +smbd(8) will allow Windows NT +clients to connect to the NT SMB specific IPC$ +pipes. This is a developer debugging option and can be left +alone. + +Default: \fBnt pipe support = yes\fR +.TP +\fBnt smb support (G)\fR +This boolean parameter controls whether smbd(8) will negotiate NT specific SMB +support with Windows NT clients. Although this is a developer +debugging option and should be left alone, benchmarking has discovered +that Windows NT clients give faster performance with this option +set to no. This is still being investigated. +If this option is set to no then Samba offers +exactly the same SMB calls that versions prior to Samba 2.0 offered. +This information may be of use if any users are having problems +with NT SMB support. + +Default: \fBnt support = yes\fR +.TP +\fBnull passwords (G)\fR +Allow or disallow client access to accounts +that have null passwords. + +See also smbpasswd (5) . + +Default: \fBnull passwords = no\fR +.TP +\fBole locking compatibility (G)\fR +This parameter allows an administrator to turn +off the byte range lock manipulation that is done within Samba to +give compatibility for OLE applications. Windows OLE applications +use byte range locking as a form of inter-process communication, by +locking ranges of bytes around the 2^32 region of a file range. This +can cause certain UNIX lock managers to crash or otherwise cause +problems. Setting this parameter to no means you +trust your UNIX lock manager to handle such cases correctly. + +Default: \fBole locking compatibility = yes\fR +.TP +\fBonly guest (S)\fR +A synonym for \fI guest only\fR. +.TP +\fBonly user (S)\fR +This is a boolean option that controls whether +connections with usernames not in the \fIuser\fR +list will be allowed. By default this option is disabled so a client +can supply a username to be used by the server. + +Note that this also means Samba won't try to deduce +usernames from the service name. This can be annoying for +the [homes] section. To get around this you could use \fBuser = +%S\fR which means your \fIuser\fR list +will be just the service name, which for home directories is the +name of the user. + +See also the \fIuser\fR +parameter. + +Default: \fBonly user = no\fR +.TP +\fBoplocks (S)\fR +This boolean option tells smbd whether to +issue oplocks (opportunistic locks) to file open requests on this +share. The oplock code can dramatically (approx. 30% or more) improve +the speed of access to files on Samba servers. It allows the clients +to aggressively cache files ocally and you may want to disable this +option for unreliable network environments (it is turned on by +default in Windows NT Servers). For more information see the file +\fISpeed.txt\fR in the Samba \fIdocs/\fR +directory. + +Oplocks may be selectively turned off on certain files on +a per share basis. See the \fI veto oplock files\fR parameter. On some systems +oplocks are recognized by the underlying operating system. This +allows data synchronization between all access to oplocked files, +whether it be via Samba or NFS or a local UNIX process. See the +\fIkernel oplocks\fR parameter for details. + +See also the \fIkernel +oplocks\fR and \fI level2 oplocks\fR parameters. + +Default: \fBoplocks = yes\fR +.TP +\fBoplock break wait time (G)\fR +This is a tuning parameter added due to bugs in +both Windows 9x and WinNT. If Samba responds to a client too +quickly when that client issues an SMB that can cause an oplock +break request, then the client redirector can fail and not respond +to the break request. This tuning parameter (which is set in milliseconds) +is the amount of time Samba will wait before sending an oplock break +request to such (broken) clients. + +\fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ +AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR. + +Default: \fBoplock break wait time = 10\fR +.TP +\fBoplock contention limit (S)\fR +This is a \fBvery\fR advanced +smbd(8) tuning option to +improve the efficiency of the granting of oplocks under multiple +client contention for the same file. + +In brief it specifies a number, which causes smbd not to +grant an oplock even when requested if the approximate number of +clients contending for an oplock on the same file goes over this +limit. This causes \fBsmbd\fR to behave in a similar +way to Windows NT. + +\fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ +AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR. + +Default: \fBoplock contention limit = 2\fR +.TP +\fBos level (G)\fR +This integer value controls what level Samba +advertises itself as for browse elections. The value of this +parameter determines whether nmbd(8) +has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area. The default is +zero, which means \fBnmbd\fR will lose elections to +Windows machines. See \fIBROWSING.txt\fR in the +Samba \fIdocs/\fR directory for details. + +Default: \fBos level = 20\fR + +Example: \fBos level = 65 \fR +.TP +\fBpanic action (G)\fR +This is a Samba developer option that allows a +system command to be called when either smbd(8) or nmbd(8) +crashes. This is usually used to draw attention to the fact that +a problem occurred. + +Default: \fBpanic action = \fR + +Example: \fBpanic action = "/bin/sleep 90000"\fR +.TP +\fBpasswd chat (G)\fR +This string controls the \fB"chat"\fR +conversation that takes places between smbd and the local password changing +program to change the users password. The string describes a +sequence of response-receive pairs that smbd(8) uses to determine what to send to the +\fIpasswd program\fR +and what to expect back. If the expected output is not +received then the password is not changed. + +This chat sequence is often quite site specific, depending +on what local methods are used for password control (such as NIS +etc). + +The string can contain the macros \fI%o\fR +and \fI%n\fR which are substituted for the old +and new passwords respectively. It can also contain the standard +macros \\n, \\r, \\t and %s to give line-feed, +carriage-return, tab and space. + +The string can also contain a '*' which matches +any sequence of characters. + +Double quotes can be used to collect strings with spaces +in them into a single string. + +If the send string in any part of the chat sequence +is a fullstop ".", then no string is sent. Similarly, +is the expect string is a fullstop then no string is expected. + +Note that if the \fIunix +password sync\fR parameter is set to true, then this +sequence is called \fBAS ROOT\fR when the SMB password +in the smbpasswd file is being changed, without access to the old +password cleartext. In this case the old password cleartext is set +to "" (the empty string). + +See also \fIunix password +sync\fR, \fI passwd program\fR and \fIpasswd chat debug\fR. + +Default: \fBpasswd chat = *old*password* %o\\n *new* +password* %n\\n *new*password* %n\\n *changed*\fR + +Example: \fBpasswd chat = "*Enter OLD password*" %o\\n +"*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password +changed*"\fR +.TP +\fBpasswd chat debug (G)\fR +This boolean specifies if the passwd chat script +parameter is run in \fBdebug\fR mode. In this mode the +strings passed to and received from the passwd chat are printed +in the smbd(8) log with a +\fIdebug level\fR +of 100. This is a dangerous option as it will allow plaintext passwords +to be seen in the \fBsmbd\fR log. It is available to help +Samba admins debug their \fIpasswd chat\fR scripts +when calling the \fIpasswd program\fR and should +be turned off after this has been done. This parameter is off by +default. + +See also <\fIpasswd chat\fR +, \fIpasswd program\fR +\&. + +Default: \fBpasswd chat debug = no\fR + +Example: \fBpasswd chat debug = yes\fR +.TP +\fBpasswd program (G)\fR +The name of a program that can be used to set +UNIX user passwords. Any occurrences of \fI%u\fR +will be replaced with the user name. The user name is checked for +existence before calling the password changing program. + +Also note that many passwd programs insist in \fBreasonable +\fRpasswords, such as a minimum length, or the inclusion +of mixed case chars and digits. This can pose a problem as some clients +(such as Windows for Workgroups) uppercase the password before sending +it. + +\fBNote\fR that if the \fIunix +password sync\fR parameter is set to True +then this program is called \fBAS ROOT\fR +before the SMB password in the smbpasswd(5) + file is changed. If this UNIX password change fails, then +\fBsmbd\fR will fail to change the SMB password also +(this is by design). + +If the \fIunix password sync\fR parameter +is set this parameter \fBMUST USE ABSOLUTE PATHS\fR +for \fBALL\fR programs called, and must be examined +for security implications. Note that by default \fIunix +password sync\fR is set to False. + +See also \fIunix +password sync\fR. + +Default: \fBpasswd program = /bin/passwd\fR + +Example: \fBpasswd program = /sbin/npasswd %u\fR +.TP +\fBpassword level (G)\fR +Some client/server combinations have difficulty +with mixed-case passwords. One offending client is Windows for +Workgroups, which for some reason forces passwords to upper +case when using the LANMAN1 protocol, but leaves them alone when +using COREPLUS! + +This parameter defines the maximum number of characters +that may be upper case in passwords. + +For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations +would be tried if "FRED" failed: + +"Fred", "fred", "fRed", "frEd","freD" + +If \fIpassword level\fR was set to 2, +the following combinations would also be tried: + +"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. + +And so on. + +The higher value this parameter is set to the more likely +it is that a mixed case password will be matched against a single +case password. However, you should be aware that use of this +parameter reduces security and increases the time taken to +process a new connection. + +A value of zero will cause only two attempts to be +made - the password as is and the password in all-lower case. + +Default: \fBpassword level = 0\fR + +Example: \fBpassword level = 4\fR +.TP +\fBpassword server (G)\fR +By specifying the name of another SMB server (such +as a WinNT box) with this option, and using \fBsecurity = domain +\fRor \fBsecurity = server\fR you can get Samba +to do all its username/password validation via a remote server. + +This options sets the name of the password server to use. +It must be a NetBIOS name, so if the machine's NetBIOS name is +different from its internet name then you may have to add its NetBIOS +name to the lmhosts file which is stored in the same directory +as the \fIsmb.conf\fR file. + +The name of the password server is looked up using the +parameter \fIname +resolve order\fR and so may resolved +by any method and order described in that parameter. + +The password server much be a machine capable of using +the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in +user level security mode. + +\fBNOTE:\fR Using a password server +means your UNIX box (running Samba) is only as secure as your +password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT +YOU DON'T COMPLETELY TRUST\fR. + +Never point a Samba server at itself for password +serving. This will cause a loop and could lock up your Samba +server! + +The name of the password server takes the standard +substitutions, but probably the only useful one is \fI%m +\fR, which means the Samba server will use the incoming +client as the passwordserver. If you use this then you better +trust your clients, and you better restrict them with hosts allow! + +If the \fIsecurity\fR parameter is set to +domain, then the list of machines in this +option must be a list of Primary or Backup Domain controllers for the +Domain or the character '*', as the Samba server is cryptographicly +in that domain, and will use cryptographicly authenticated RPC calls +to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the +\fIpassword server\fR option then \fBsmbd +\fRwill try each in turn till it finds one that responds. This +is useful in case your primary server goes down. + +If the \fIpassword server\fR option is set +to the character '*', then Samba will attempt to auto-locate the +Primary or Backup Domain controllers to authenticate against by +doing a query for the name WORKGROUP<1C> +and then contacting each server returned in the list of IP +addresses from the name resolution source. + +If the \fIsecurity\fR parameter is +set to server, then there are different +restrictions that \fBsecurity = domain\fR doesn't +suffer from: +.RS +.TP 0.2i +\(bu +You may list several password servers in +the \fIpassword server\fR parameter, however if an +\fBsmbd\fR makes a connection to a password server, +and then the password server fails, no more users will be able +to be authenticated from this \fBsmbd\fR. This is a +restriction of the SMB/CIFS protocol when in \fBsecurity=server +\fRmode and cannot be fixed in Samba. +.TP 0.2i +\(bu +If you are using a Windows NT server as your +password server then you will have to ensure that your users +are able to login from the Samba server, as when in \fB security=server\fR mode the network logon will appear to +come from there rather than from the users workstation. +.RE +.PP +See also the \fIsecurity +\fRparameter. +.PP +.PP +Default: \fBpassword server = \fR +.PP +.PP +Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2 +\fR.PP +.PP +Example: \fBpassword server = *\fR +.PP +.TP +\fBpath (S)\fR +This parameter specifies a directory to which +the user of the service is to be given access. In the case of +printable services, this is where print data will spool prior to +being submitted to the host for printing. + +For a printable service offering guest access, the service +should be readonly and the path should be world-writeable and +have the sticky bit set. This is not mandatory of course, but +you probably won't get the results you expect if you do +otherwise. + +Any occurrences of \fI%u\fR in the path +will be replaced with the UNIX username that the client is using +on this connection. Any occurrences of \fI%m\fR +will be replaced by the NetBIOS name of the machine they are +connecting from. These replacements are very useful for setting +up pseudo home directories for users. + +Note that this path will be based on \fIroot dir\fR if one was specified. + +Default: \fBnone\fR + +Example: \fBpath = /home/fred\fR +.TP +\fBpostexec (S)\fR +This option specifies a command to be run +whenever the service is disconnected. It takes the usual +substitutions. The command may be run as the root on some +systems. + +An interesting example may be do unmount server +resources: + +\fBpostexec = /etc/umount /cdrom\fR + +See also \fIpreexec\fR +\&. + +Default: \fBnone (no command executed)\fR + +Example: \fBpostexec = echo \\"%u disconnected from %S +from %m (%I)\\" >> /tmp/log\fR +.TP +\fBpostscript (S)\fR +This parameter forces a printer to interpret +the print files as postscript. This is done by adding a %! +to the start of print output. + +This is most useful when you have lots of PCs that persist +in putting a control-D at the start of print jobs, which then +confuses your printer. + +Default: \fBpostscript = no\fR +.TP +\fBpreexec (S)\fR +This option specifies a command to be run whenever +the service is connected to. It takes the usual substitutions. + +An interesting example is to send the users a welcome +message every time they log in. Maybe a message of the day? Here +is an example: + +\fBpreexec = csh -c 'echo \\"Welcome to %S!\\" | +/usr/local/samba/bin/smbclient -M %m -I %I' & \fR + +Of course, this could get annoying after a while :-) + +See also \fIpreexec close +\fRand \fIpostexec +\fR\&. + +Default: \fBnone (no command executed)\fR + +Example: \fBpreexec = echo \\"%u connected to %S from %m +(%I)\\" >> /tmp/log\fR +.TP +\fBpreexec close (S)\fR +This boolean option controls whether a non-zero +return code from \fIpreexec +\fRshould close the service being connected to. + +Default: \fBpreexec close = no\fR +.TP +\fBpreferred master (G)\fR +This boolean parameter controls if nmbd(8) is a preferred master browser +for its workgroup. + +If this is set to true, on startup, \fBnmbd\fR +will force an election, and it will have a slight advantage in +winning the election. It is recommended that this parameter is +used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master. + +Use this option with caution, because if there are several +hosts (whether Samba servers, Windows 95 or NT) that are preferred +master browsers on the same subnet, they will each periodically +and continuously attempt to become the local master browser. +This will result in unnecessary broadcast traffic and reduced browsing +capabilities. + +See also \fIos level\fR +\&. + +Default: \fBpreferred master = no\fR +.TP +\fBprefered master (G)\fR +Synonym for \fI preferred master\fR for people who cannot spell :-). +.TP +\fBpreload\fR +Synonym for \fI auto services\fR. +.TP +\fBpreserve case (S)\fR +This controls if new filenames are created +with the case that the client passes, or if they are forced to +be the \fIderault case +\fR\&. + +Default: \fBpreserve case = yes\fR + +See the section on NAME +MANGLING" for a fuller discussion. +.TP +\fBprint command (S)\fR +After a print job has finished spooling to +a service, this command will be used via a \fBsystem()\fR +call to process the spool file. Typically the command specified will +submit the spool file to the host's printing subsystem, but there +is no requirement that this be the case. The server will not remove +the spool file, so whatever command you specify should remove the +spool file when it has been processed, otherwise you will need to +manually remove old spool files. + +The print command is simply a text string. It will be used +verbatim, with two exceptions: All occurrences of \fI%s +\fRand \fI%f\fR will be replaced by the +appropriate spool file name, and all occurrences of \fI%p +\fRwill be replaced by the appropriate printer name. The +spool file name is generated automatically by the server, the printer +name is discussed below. + +The print command \fBMUST\fR contain at least +one occurrence of \fI%s\fR or \fI%f +\fR- the \fI%p\fR is optional. At the time +a job is submitted, if no printer name is supplied the \fI%p +\fRwill be silently removed from the printer command. + +If specified in the [global] section, the print command given +will be used for any printable service that does not have its own +print command specified. + +If there is neither a specified print command for a +printable service nor a global print command, spool files will +be created but not processed and (most importantly) not removed. + +Note that printing may fail on some UNIXs from the +nobody account. If this happens then create +an alternative guest account that can print and set the \fIguest account\fR +in the [global] section. + +You can form quite complex print commands by realizing +that they are just passed to a shell. For example the following +will log a print job, print the file, then remove it. Note that +\&';' is the usual separator for command in shell scripts. + +\fBprint command = echo Printing %s >> +/tmp/print.log; lpr -P %p %s; rm %s\fR + +You may have to vary this command considerably depending +on how you normally print files on your system. The default for +the parameter varies depending on the setting of the \fIprinting\fR parameter. + +Default: For \fBprinting= BSD, AIX, QNX, LPRNG +or PLP :\fR + +\fBprint command = lpr -r -P%p %s\fR + +For \fBprinting= SYS or HPUX :\fR + +\fBprint command = lp -c -d%p %s; rm %s\fR + +For \fBprinting=SOFTQ :\fR + +\fBprint command = lp -d%p -s %s; rm %s\fR + +Example: \fBprint command = /usr/local/samba/bin/myprintscript +%p %s\fR +.TP +\fBprint ok (S)\fR +Synonym for \fIprintable\fR. +.TP +\fBprintable (S)\fR +If this parameter is yes, then +clients may open, write to and submit spool files on the directory +specified for the service. + +Note that a printable service will ALWAYS allow writing +to the service path (user privileges permitting) via the spooling +of print data. The \fIwriteable +\fRparameter controls only non-printing access to +the resource. + +Default: \fBprintable = no\fR +.TP +\fBprintcap (G)\fR +Synonym for \fI printcap name\fR. +.TP +\fBprinter admin (S)\fR +This is a list of users that can do anything to +printers via the remote administration interfaces offered by MSRPC +(usually using a NT workstation). Note that the root user always +has admin rights. + +Default: \fBprinter admin = \fR + +Example: \fBprinter admin = admin, @staff\fR +.TP +\fBprintcap name (G)\fR +This parameter may be used to override the +compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons +why you might want to do this. + +On System V systems that use \fBlpstat\fR to +list available printers you can use \fBprintcap name = lpstat +\fRto automatically obtain lists of available printers. This +is the default for systems that define SYSV at configure time in +Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on +these systems then Samba will launch \fBlpstat -v\fR and +attempt to parse the output to obtain a printer list. + +A minimal printcap file would look something like this: + +.sp +.nf + print1|My Printer 1 + print2|My Printer 2 + print3|My Printer 3 + print4|My Printer 4 + print5|My Printer 5 + +.sp +.fi + +where the '|' separates aliases of a printer. The fact +that the second alias has a space in it gives a hint to Samba +that it's a comment. + +\fBNOTE\fR: Under AIX the default printcap +name is \fI/etc/qconfig\fR. Samba will assume the +file is in AIX \fIqconfig\fR format if the string +\fIqconfig\fR appears in the printcap filename. + +Default: \fBprintcap name = /etc/printcap\fR + +Example: \fBprintcap name = /etc/myprintcap\fR +.TP +\fBprinter (S)\fR +This parameter specifies the name of the printer +to which print jobs spooled through a printable service will be sent. + +If specified in the [global] section, the printer +name given will be used for any printable service that does +not have its own printer name specified. + +Default: \fBnone (but may be lp +on many systems)\fR + +Example: \fBprinter name = laserwriter\fR +.TP +\fBprinter driver (S)\fR +This option allows you to control the string +that clients receive when they ask the server for the printer driver +associated with a printer. If you are using Windows95 or WindowsNT +then you can use this to automate the setup of printers on your +system. + +You need to set this parameter to the exact string (case +sensitive) that describes the appropriate printer driver for your +system. If you don't know the exact string to use then you should +first try with no \fI printer driver\fR option set and the client will +give you a list of printer drivers. The appropriate strings are +shown in a scrollbox after you have chosen the printer manufacturer. + +See also \fIprinter +driver file\fR. + +Example: \fBprinter driver = HP LaserJet 4L\fR +.TP +\fBprinter driver file (G)\fR +This parameter tells Samba where the printer driver +definition file, used when serving drivers to Windows 95 clients, is +to be found. If this is not set, the default is : + +\fISAMBA_INSTALL_DIRECTORY +/lib/printers.def\fR + +This file is created from Windows 95 \fImsprint.inf +\fRfiles found on the Windows 95 client system. For more +details on setting up serving of printer drivers to Windows 95 +clients, see the documentation file in the \fIdocs/\fR +directory, \fIPRINTER_DRIVER.txt\fR. + +See also \fI printer driver location\fR. + +Default: \fBNone (set in compile).\fR + +Example: \fBprinter driver file = +/usr/local/samba/printers/drivers.def\fR +.TP +\fBprinter driver location (S)\fR +This parameter tells clients of a particular printer +share where to find the printer driver files for the automatic +installation of drivers for Windows 95 machines. If Samba is set up +to serve printer drivers to Windows 95 machines, this should be set to + +\fB\\\\MACHINE\\PRINTER$\fR + +Where MACHINE is the NetBIOS name of your Samba server, +and PRINTER$ is a share you set up for serving printer driver +files. For more details on setting this up see the documentation +file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR. + +See also \fI printer driver file\fR. + +Default: \fBnone\fR + +Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$ +\fR.TP +\fBprinter name (S)\fR +Synonym for \fI printer\fR. +.TP +\fBprinting (S)\fR +This parameters controls how printer status +information is interpreted on your system. It also affects the +default values for the \fIprint command\fR, +\fIlpq command\fR, \fIlppause command +\fR, \fIlpresume command\fR, and +\fIlprm command\fR if specified in the +[global]f> section. + +Currently eight printing styles are supported. They are +BSD, AIX, +LPRNG, PLP, +SYSV, HPUX, +QNX, SOFTQ, +and CUPS. + +To see what the defaults are for the other print +commands when using the various options use the testparm(1) program. + +This option can be set on a per printer basis + +See also the discussion in the [printers] section. +.TP +\fBprivate dir(G)\fR +The \fIprivate dir\fR parameter +allows an administator to define a directory path used to hold the +various databases Samba will use to store things like a the machine +trust account information when acting as a domain member (i.e. where +the secrets.tdb file will be located), where the passdb.tbd file +will stored in the case of using the experiemental tdbsam support, +etc... + +Default: \fBprivate dir = \fR + +Example: \fBprivate dir = /etc/smbprivate\fR +.TP +\fBprotocol (G)\fR +The value of the parameter (a string) is the highest +protocol level that will be supported by the server. + +Possible values are : +.RS +.TP 0.2i +\(bu +CORE: Earliest version. No +concept of user names. +.TP 0.2i +\(bu +COREPLUS: Slight improvements on +CORE for efficiency. +.TP 0.2i +\(bu +LANMAN1: First \fB modern\fR version of the protocol. Long filename +support. +.TP 0.2i +\(bu +LANMAN2: Updates to Lanman1 protocol. +.TP 0.2i +\(bu +NT1: Current up to date version of +the protocol. Used by Windows NT. Known as CIFS. +.RE +.PP +Normally this option should not be set as the automatic +negotiation phase in the SMB protocol takes care of choosing +the appropriate protocol. +.PP +.PP +Default: \fBprotocol = NT1\fR +.PP +.PP +Example: \fBprotocol = LANMAN1\fR +.PP +.TP +\fBpublic (S)\fR +Synonym for \fIguest +ok\fR. +.TP +\fBqueuepause command (S)\fR +This parameter specifies the command to be +executed on the server host in order to pause the printerqueue. + +This command should be a program or script which takes +a printer name as its only parameter and stops the printerqueue, +such that no longer jobs are submitted to the printer. + +This command is not supported by Windows for Workgroups, +but can be issued from the Printer's window under Windows 95 +and NT. + +If a \fI%p\fR is given then the printername +is put in its place. Otherwise it is placed at the end of the command. + +Note that it is good practice to include the absolute +path in the command as the PATH may not be available to the +server. + +Default: \fBdepends on the setting of \fIprinting +\fB\fR +Example: \fBqueuepause command = disable %p\fR +.TP +\fBqueueresume command (S)\fR +This parameter specifies the command to be +executed on the server host in order to resume the printerqueue. It +is the command to undo the behavior that is caused by the +previous parameter (\fI queuepause command\fR). + +This command should be a program or script which takes +a printer name as its only parameter and resumes the printerqueue, +such that queued jobs are resubmitted to the printer. + +This command is not supported by Windows for Workgroups, +but can be issued from the Printer's window under Windows 95 +and NT. + +If a \fI%p\fR is given then the printername +is put in its place. Otherwise it is placed at the end of the +command. + +Note that it is good practice to include the absolute +path in the command as the PATH may not be available to the +server. + +Default: \fBdepends on the setting of \fIprinting\fB\fR + +Example: \fBqueuepause command = enable %p +\fR.TP +\fBread bmpx (G)\fR +This boolean parameter controls whether smbd(8) will support the "Read +Block Multiplex" SMB. This is now rarely used and defaults to +no. You should never need to set this +parameter. + +Default: \fBread bmpx = no\fR +.TP +\fBread list (S)\fR +This is a list of users that are given read-only +access to a service. If the connecting user is in this list then +they will not be given write access, no matter what the \fIwriteable\fR +option is set to. The list can include group names using the +syntax described in the \fI invalid users\fR parameter. + +See also the \fI write list\fR parameter and the \fIinvalid users\fR +parameter. + +Default: \fBread list = \fR + +Example: \fBread list = mary, @students\fR +.TP +\fBread only (S)\fR +Note that this is an inverted synonym for \fIwriteable\fR. +.TP +\fBread raw (G)\fR +This parameter controls whether or not the server +will support the raw read SMB requests when transferring data +to clients. + +If enabled, raw reads allow reads of 65535 bytes in +one packet. This typically provides a major performance benefit. + +However, some clients either negotiate the allowable +block size incorrectly or are incapable of supporting larger block +sizes, and for these clients you may need to disable raw reads. + +In general this parameter should be viewed as a system tuning +tool and left severely alone. See also \fIwrite raw\fR. + +Default: \fBread raw = yes\fR +.TP +\fBread size (G)\fR +The option \fIread size\fR +affects the overlap of disk reads/writes with network reads/writes. +If the amount of data being transferred in several of the SMB +commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger +than this value then the server begins writing the data before it +has received the whole packet from the network, or in the case of +SMBreadbraw, it begins writing to the network before all the data +has been read from disk. + +This overlapping works best when the speeds of disk and +network access are similar, having very little effect when the +speed of one is much greater than the other. + +The default value is 16384, but very little experimentation +has been done yet to determine the optimal value, and it is likely +that the best value will vary greatly between systems anyway. +A value over 65536 is pointless and will cause you to allocate +memory unnecessarily. + +Default: \fBread size = 16384\fR + +Example: \fBread size = 8192\fR +.TP +\fBremote announce (G)\fR +This option allows you to setup nmbd(8) to periodically announce itself +to arbitrary IP addresses with an arbitrary workgroup name. + +This is useful if you want your Samba server to appear +in a remote workgroup for which the normal browse propagation +rules don't work. The remote workgroup can be anywhere that you +can send IP packets to. + +For example: + +\fBremote announce = 192.168.2.255/SERVERS +192.168.4.255/STAFF\fR + +the above line would cause nmbd to announce itself +to the two given IP addresses using the given workgroup names. +If you leave out the workgroup name then the one given in +the \fIworkgroup\fR +parameter is used instead. + +The IP addresses you choose would normally be the broadcast +addresses of the remote networks, but can also be the IP addresses +of known browse masters if your network config is that stable. + +See the documentation file \fIBROWSING.txt\fR +in the \fIdocs/\fR directory. + +Default: \fBremote announce = +\fR.TP +\fBremote browse sync (G)\fR +This option allows you to setup nmbd(8) to periodically request +synchronization of browse lists with the master browser of a samba +server that is on a remote segment. This option will allow you to +gain browse lists for multiple workgroups across routed networks. This +is done in a manner that does not work with any non-samba servers. + +This is useful if you want your Samba server and all local +clients to appear in a remote workgroup for which the normal browse +propagation rules don't work. The remote workgroup can be anywhere +that you can send IP packets to. + +For example: + +\fBremote browse sync = 192.168.2.255 192.168.4.255 +\fR +the above line would cause \fBnmbd\fR to request +the master browser on the specified subnets or addresses to +synchronize their browse lists with the local server. + +The IP addresses you choose would normally be the broadcast +addresses of the remote networks, but can also be the IP addresses +of known browse masters if your network config is that stable. If +a machine IP address is given Samba makes NO attempt to validate +that the remote machine is available, is listening, nor that it +is in fact the browse master on it's segment. + +Default: \fBremote browse sync = +\fR.TP +\fBrestrict anonymous (G)\fR +This is a boolean parameter. If it is true, then +anonymous access to the server will be restricted, namely in the +case where the server is expecting the client to send a username, +but it doesn't. Setting it to true will force these anonymous +connections to be denied, and the client will be required to always +supply a username and password when connecting. Use of this parameter +is only recommened for homogenous NT client environments. +This parameter makes the use of macro expansions that rely +on the username (%U, %G, etc) consistant. NT 4.0 +likes to use anonymous connections when refreshing the share list, +and this is a way to work around that. - [foo] - path = /home/bar - writeable = true +When restrict anonymous is true, all anonymous connections +are denied no matter what they are for. This can effect the ability +of a machine to access the samba Primary Domain Controller to revalidate +it's machine account after someone else has logged on the client +interactively. The NT client will display a message saying that +the machine's account in the domain doesn't exist or the password is +bad. The best way to deal with this is to reboot NT client machines +between interactive logons, using "Shutdown and Restart", rather +than "Close all programs and logon as a different user". +Default: \fBrestrict anonymous = no\fR +.TP +\fBroot (G)\fR +Synonym for \fIroot directory"\fR. +.TP +\fBroot dir (G)\fR +Synonym for \fIroot directory"\fR. +.TP +\fBroot directory (G)\fR +The server will \fBchroot()\fR (i.e. +Change it's root directory) to this directory on startup. This is +not strictly necessary for secure operation. Even without it the +server will deny access to files not in one of the service entries. +It may also check for, and deny access to, soft links to other +parts of the filesystem, or attempts to use ".." in file names +to access other directories (depending on the setting of the \fIwide links\fR +parameter). -.fi - +Adding a \fIroot directory\fR entry other +than "/" adds an extra level of security, but at a price. It +absolutely ensures that no access is given to files not in the +sub-tree specified in the \fIroot directory\fR +option, \fBincluding\fR some files needed for +complete operation of the server. To maintain full operability +of the server you will need to mirror some system files +into the \fIroot directory\fR tree. In particular +you will need to mirror \fI/etc/passwd\fR (or a +subset of it), and any binaries or configuration files needed for +printing (if required). The set of files that must be mirrored is +operating system dependent. -.PP -The following sample section defines a printable share\&. The share -is readonly, but printable\&. That is, the only write access permitted -is via calls to open, write to and close a spool file\&. The -\fB\'guest ok\'\fP parameter means access will be permitted -as the default guest user (specified elsewhere): -.PP +Default: \fBroot directory = /\fR -.nf - +Example: \fBroot directory = /homes/smb\fR +.TP +\fBroot postexec (S)\fR +This is the same as the \fIpostexec\fR +parameter except that the command is run as root. This +is useful for unmounting filesystems +(such as cdroms) after a connection is closed. - [aprinter] - path = /usr/spool/public - writeable = false - printable = true - guest ok = true +See also \fI postexec\fR. +.TP +\fBroot preexec (S)\fR +This is the same as the \fIpreexec\fR +parameter except that the command is run as root. This +is useful for mounting filesystems +(such as cdroms) after a connection is closed. -.fi - +See also \fI preexec\fR and \fIpreexec close\fR. +.TP +\fBroot preexec close (S)\fR +This is the same as the \fIpreexec close +\fRparameter except that the command is run as root. -.PP -.SH "SPECIAL SECTIONS" -.PP -.IP -.IP "\fBThe [global] section\fP" -.IP -Parameters in this section apply to the server as a whole, or are -defaults for sections which do not specifically define certain -items\&. See the notes under \fB\'PARAMETERS\'\fP for more -information\&. -.IP -.IP "\fBThe [homes] section\fP" -.IP -If a section called \f(CW\'homes\'\fP is included in the configuration file, -services connecting clients to their home directories can be created -on the fly by the server\&. -.IP -When the connection request is made, the existing sections are -scanned\&. If a match is found, it is used\&. If no match is found, the -requested section name is treated as a user name and looked up in the -local password file\&. If the name exists and the correct password has -been given, a share is created by cloning the [homes] section\&. -.IP -Some modifications are then made to the newly created share: -.IP -.IP -.IP o -The share name is changed from \f(CW\'homes\'\fP to the located -username -.IP -.IP o -If no path was given, the path is set to the user\'s home -directory\&. -.IP -.IP -If you decide to use a \fBpath=\fP line in your [homes] -section then you may find it useful to use the \fB%S\fP -macro\&. For example : -.IP -\f(CWpath=/data/pchome/%S\fP -.IP -would be useful if you have different home directories for your PCs -than for UNIX access\&. -.IP -This is a fast and simple way to give a large number of clients access -to their home directories with a minimum of fuss\&. -.IP -A similar process occurs if the requested section name is \f(CW"homes"\fP, -except that the share name is not changed to that of the requesting -user\&. This method of using the [homes] section works well if different -users share a client PC\&. -.IP -The [homes] section can specify all the parameters a normal service -section can specify, though some make more sense than others\&. The -following is a typical and suitable [homes] section: -.IP - -.nf - +See also \fI preexec\fR and \fIpreexec close\fR. +.TP +\fBsecurity (G)\fR +This option affects how clients respond to +Samba and is one of the most important settings in the \fI smb.conf\fR file. - [homes] - writeable = yes +The option sets the "security mode bit" in replies to +protocol negotiations with smbd(8) + to turn share level security on or off. Clients decide +based on this bit whether (and how) to transfer user and password +information to the server. -.fi - +The default is \fBsecurity = user\fR, as this is +the most common setting needed when talking to Windows 98 and +Windows NT. -.IP -An important point is that if guest access is specified in the [homes] -section, all home directories will be visible to all clients -\fBwithout a password\fP\&. In the very unlikely event that this is -actually desirable, it would be wise to also specify \fBread only -access\fP\&. -.IP -Note that the \fBbrowseable\fP flag for auto home -directories will be inherited from the global browseable flag, not the -[homes] browseable flag\&. This is useful as it means setting -browseable=no in the [homes] section will hide the [homes] share but -make any auto home directories visible\&. -.IP -.IP "\fBThe [printers] section\fP" -.IP -This section works like \fB[homes]\fP, but for printers\&. -.IP -If a \fB[printers]\fP section occurs in the configuration file, users are -able to connect to any printer specified in the local host\'s printcap -file\&. -.IP -When a connection request is made, the existing sections are -scanned\&. If a match is found, it is used\&. If no match is found, but a -\fB[homes]\fP section exists, it is used as described -above\&. Otherwise, the requested section name is treated as a printer -name and the appropriate printcap file is scanned to see if the -requested section name is a valid printer share name\&. If a match is -found, a new printer share is created by cloning the \fB[printers]\fP -section\&. -.IP -A few modifications are then made to the newly created share: -.IP -.IP -.IP o -The share name is set to the located printer name -.IP -.IP o -If no printer name was given, the printer name is set to the -located printer name -.IP -.IP o -If the share does not permit guest access and no username was -given, the username is set to the located printer name\&. -.IP -.IP -Note that the \fB[printers]\fP service MUST be printable - if you specify -otherwise, the server will refuse to load the configuration file\&. -.IP -Typically the path specified would be that of a world-writeable spool -directory with the sticky bit set on it\&. A typical \fB[printers]\fP entry -would look like this: -.IP - -.nf - +The alternatives are \fBsecurity = share\fR, +\fBsecurity = server\fR or \fBsecurity=domain +\fR\&. - [printers] - path = /usr/spool/public - guest ok = yes - printable = yes +In versions of Samba prior to 2..0, the default was +\fBsecurity = share\fR mainly because that was +the only option at one stage. -.fi - +There is a bug in WfWg that has relevance to this +setting. When in user or server level security a WfWg client +will totally ignore the password you type in the "connect +drive" dialog box. This makes it very difficult (if not impossible) +to connect to a Samba service as anyone except the user that +you are logged into WfWg as. -.IP -All aliases given for a printer in the printcap file are legitimate -printer names as far as the server is concerned\&. If your printing -subsystem doesn\'t work like that, you will have to set up a -pseudo-printcap\&. This is a file consisting of one or more lines like -this: -.IP +If your PCs use usernames that are the same as their +usernames on the UNIX machine then you will want to use +\fBsecurity = user\fR. If you mostly use usernames +that don't exist on the UNIX box then use \fBsecurity = +share\fR. -.nf - - alias|alias|alias|alias\&.\&.\&. -.fi - +You should also use \fBsecurity = share\fR if you +want to mainly setup shares without a password (guest shares). This +is commonly used for a shared printer server. It is more difficult +to setup guest shares with \fBsecurity = user\fR, see +the \fImap to guest\fR +parameter for details. -.IP -Each alias should be an acceptable printer name for your printing -subsystem\&. In the \fB[global]\fP section, specify the new -file as your printcap\&. The server will then only recognize names -found in your pseudo-printcap, which of course can contain whatever -aliases you like\&. The same technique could be used simply to limit -access to a subset of your local printers\&. -.IP -An alias, by the way, is defined as any component of the first entry -of a printcap record\&. Records are separated by newlines, components -(if there are more than one) are separated by vertical bar symbols -("|")\&. -.IP -NOTE: On SYSV systems which use lpstat to determine what printers are -defined on the system you may be able to use \fB"printcap name = -lpstat"\fP to automatically obtain a list of -printers\&. See the \fB"printcap name"\fP option for -more details\&. -.IP -.PP -.SH "PARAMETERS" -.PP -Parameters define the specific attributes of sections\&. -.PP -Some parameters are specific to the \fB[global]\fP section -(e\&.g\&., \fBsecurity\fP)\&. Some parameters are usable in -all sections (e\&.g\&., \fBcreate mode\fP)\&. All others are -permissible only in normal sections\&. For the purposes of the following -descriptions the \fB[homes]\fP and -\fB[printers]\fP sections will be considered normal\&. -The letter \f(CW\'G\'\fP in parentheses indicates that a parameter is -specific to the \fB[global]\fP section\&. The letter \f(CW\'S\'\fP -indicates that a parameter can be specified in a service specific -section\&. Note that all \f(CW\'S\'\fP parameters can also be specified in the -\fB[global]\fP section - in which case they will define -the default behavior for all services\&. -.PP -Parameters are arranged here in alphabetical order - this may not -create best bedfellows, but at least you can find them! Where there -are synonyms, the preferred synonym is described, others refer to the -preferred synonym\&. -.PP -.SH "VARIABLE SUBSTITUTIONS" -.PP -Many of the strings that are settable in the config file can take -substitutions\&. For example the option \fB\f(CW"path = -/tmp/%u"\fP\fP would be interpreted as \f(CW"path = /tmp/john"\fP if -the user connected with the username john\&. -.PP -These substitutions are mostly noted in the descriptions below, but -there are some general substitutions which apply whenever they might -be relevant\&. These are: -.PP -.IP -.IP o -\fB%S\fP = the name of the current service, if any\&. -.IP -.IP o -\fB%P\fP = the root directory of the current service, if any\&. -.IP -.IP o -\fB%u\fP = user name of the current service, if any\&. -.IP -.IP o -\fB%g\fP = primary group name of \fB%u\fP\&. -.IP -.IP o -\fB%U\fP = session user name (the user name that -the client wanted, not necessarily the same as the one they got)\&. -.IP -.IP o -\fB%G\fP = primary group name of \fB%U\fP\&. -.IP -.IP o -\fB%H\fP = the home directory of the user given by \fB%u\fP\&. -.IP -.IP o -\fB%v\fP = the Samba version\&. -.IP -.IP o -\fB%h\fP = the internet hostname that Samba is running on\&. -.IP -.IP o -\fB%m\fP = the NetBIOS name of the client machine (very useful)\&. -.IP -.IP o -\fB%L\fP = the NetBIOS name of the server\&. This allows you to change your -config based on what the client calls you\&. Your server can have a "dual -personality"\&. -.IP -.IP o -\fB%M\fP = the internet name of the client machine\&. -.IP -.IP o -\fB%N\fP = the name of your NIS home directory server\&. This is -obtained from your NIS auto\&.map entry\&. If you have not compiled Samba -with the \fB--with-automount\fP option then this value will be the same -as \fB%L\fP\&. -.IP -.IP o -\fB%p\fP = the path of the service\'s home directory, obtained from your NIS -auto\&.map entry\&. The NIS auto\&.map entry is split up as "%N:%p"\&. -.IP -.IP o -\fB%R\fP = the selected protocol level after protocol -negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1\&. -.IP -.IP o -\fB%d\fP = The process id of the current server process\&. -.IP -.IP o -\fB%a\fP = the architecture of the remote -machine\&. Only some are recognized, and those may not be 100% -reliable\&. It currently recognizes Samba, WfWg, WinNT and -Win95\&. Anything else will be known as "UNKNOWN"\&. If it gets it wrong -then sending a level 3 log to \fIsamba@samba\&.org\fP -should allow it to be fixed\&. -.IP -.IP o -\fB%I\fP = The IP address of the client machine\&. -.IP -.IP o -\fB%T\fP = the current date and time\&. -.IP -.PP -There are some quite creative things that can be done with these -substitutions and other smb\&.conf options\&. -.PP -.SH "NAME MANGLING" -.PP -Samba supports \fI"name mangling"\fP so that DOS and Windows clients can -use files that don\'t conform to the 8\&.3 format\&. It can also be set to -adjust the case of 8\&.3 format filenames\&. -.PP -There are several options that control the way mangling is performed, -and they are grouped here rather than listed separately\&. For the -defaults look at the output of the testparm program\&. -.PP -All of these options can be set separately for each service (or -globally, of course)\&. -.PP -The options are: -.PP -\fB"mangle case = yes/no"\fP controls if names that have characters that -aren\'t of the "default" case are mangled\&. For example, if this is yes -then a name like \f(CW"Mail"\fP would be mangled\&. Default \fIno\fP\&. -.PP -\fB"case sensitive = yes/no"\fP controls whether filenames are case -sensitive\&. If they aren\'t then Samba must do a filename search and -match on passed names\&. Default \fIno\fP\&. -.PP -\fB"default case = upper/lower"\fP controls what the default case is for new -filenames\&. Default \fIlower\fP\&. -.PP -\fB"preserve case = yes/no"\fP controls if new files are created with the -case that the client passes, or if they are forced to be the \f(CW"default"\fP -case\&. Default \fIYes\fP\&. -.PP -.PP -\fB"short preserve case = yes/no"\fP controls if new files which conform -to 8\&.3 syntax, that is all in upper case and of suitable length, are -created upper case, or if they are forced to be the \f(CW"default"\fP -case\&. This option can be use with \fB"preserve case = -yes"\fP to permit long filenames to retain their -case, while short names are lowered\&. Default \fIYes\fP\&. -.PP -By default, Samba 2\&.0 has the same semantics as a Windows NT -server, in that it is case insensitive but case preserving\&. -.PP -.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION" -.PP -There are a number of ways in which a user can connect to a -service\&. The server follows the following steps in determining if it -will allow a connection to a specified service\&. If all the steps fail -then the connection request is rejected\&. If one of the steps pass then -the following steps are not checked\&. -.PP -If the service is marked \fB"guest only = yes"\fP then -steps 1 to 5 are skipped\&. -.PP -.IP -.IP 1\&. -Step 1: If the client has passed a username/password pair and -that username/password pair is validated by the UNIX system\'s password -programs then the connection is made as that username\&. Note that this -includes the \f(CW\e\eserver\eservice%username\fP method of passing a -username\&. -.IP -.IP 2\&. -Step 2: If the client has previously registered a username with -the system and now supplies a correct password for that username then -the connection is allowed\&. -.IP -.IP 3\&. -Step 3: The client\'s netbios name and any previously used user -names are checked against the supplied password, if they match then -the connection is allowed as the corresponding user\&. -.IP -.IP 4\&. -Step 4: If the client has previously validated a -username/password pair with the server and the client has passed the -validation token then that username is used\&. -.IP -.IP 5\&. -Step 5: If a \fB"user = "\fP field is given in the -smb\&.conf file for the service and the client has supplied a password, -and that password matches (according to the UNIX system\'s password -checking) with one of the usernames from the \fBuser=\fP -field then the connection is made as the username in the -\fB"user="\fP line\&. If one of the username in the -\fBuser=\fP list begins with a \f(CW\'@\'\fP then that name -expands to a list of names in the group of the same name\&. -.IP -.IP 6\&. -Step 6: If the service is a guest service then a connection is -made as the username given in the \fB"guest account -="\fP for the service, irrespective of the supplied -password\&. -.IP -.PP -.SH "COMPLETE LIST OF GLOBAL PARAMETERS" -.PP -Here is a list of all global parameters\&. See the section of each -parameter for details\&. Note that some are synonyms\&. -.PP -.IP -.IP o -\fBadd user script\fP -.IP -.IP o -\fBallow trusted domains\fP -.IP -.IP o -\fBannounce as\fP -.IP -.IP o -\fBannounce version\fP -.IP -.IP o -\fBauto services\fP -.IP -.IP o -\fBbind interfaces only\fP -.IP -.IP o -\fBbrowse list\fP -.IP -.IP o -\fBchange notify timeout\fP -.IP -.IP o -\fBcharacter set\fP -.IP -.IP o -\fBclient code page\fP -.IP -.IP o -\fBcoding system\fP -.IP -.IP o -\fBconfig file\fP -.IP -.IP o -\fBdeadtime\fP -.IP -.IP o -\fBdebug hires timestamp\fP -.IP -.IP o -\fBdebug pid\fP -.IP -.IP o -\fBdebug timestamp\fP -.IP -.IP o -\fBdebug uid\fP -.IP -.IP o -\fBdebug level\fP -.IP -.IP o -\fBdefault\fP -.IP -.IP o -\fBdefault service\fP -.IP -.IP o -\fBdelete user script\fP -.IP -.IP o -\fBdfree command\fP -.IP -.IP o -\fBdns proxy\fP -.IP -.IP o -\fBdomain admin group\fP -.IP -.IP o -\fBdomain admin users\fP -.IP -.IP o -\fBdomain groups\fP -.IP -.IP o -\fBdomain guest group\fP -.IP -.IP o -\fBdomain guest users\fP -.IP -.IP o -\fBdomain logons\fP -.IP -.IP o -\fBdomain master\fP -.IP -.IP o -\fBencrypt passwords\fP -.IP -.IP o -\fBgetwd cache\fP -.IP -.IP o -\fBhide local users\fP -.IP -.IP o -\fBhomedir map\fP -.IP -.IP o -\fBhosts equiv\fP -.IP -.IP o -\fBinterfaces\fP -.IP -.IP o -\fBkeepalive\fP -.IP -.IP o -\fBkernel oplocks\fP -.IP -.IP o -\fBldap filter\fP -.IP -.IP o -\fBldap port\fP -.IP -.IP o -\fBldap root\fP -.IP -.IP o -\fBldap root passwd\fP -.IP -.IP o -\fBldap server\fP -.IP -.IP o -\fBldap suffix\fP -.IP -.IP o -\fBlm announce\fP -.IP -.IP o -\fBlm interval\fP -.IP -.IP o -\fBload printers\fP -.IP -.IP o -\fBlocal master\fP -.IP -.IP o -\fBlock dir\fP -.IP -.IP o -\fBlock directory\fP -.IP -.IP o -\fBlog file\fP -.IP -.IP o -\fBlog level\fP -.IP -.IP o -\fBlogon drive\fP -.IP -.IP o -\fBlogon home\fP -.IP -.IP o -\fBlogon path\fP -.IP -.IP o -\fBlogon script\fP -.IP -.IP o -\fBlpq cache time\fP -.IP -.IP o -\fBmachine password timeout\fP -.IP -.IP o -\fBmangled stack\fP -.IP -.IP o -\fBmap to guest\fP -.IP -.IP o -\fBmax disk size\fP -.IP -.IP o -\fBmax log size\fP -.IP -.IP o -\fBmax mux\fP -.IP -.IP o -\fBmax open files\fP -.IP -.IP o -\fBmax packet\fP -.IP -.IP o -\fBmax ttl\fP -.IP -.IP o -\fBmax wins ttl\fP -.IP -.IP o -\fBmax xmit\fP -.IP -.IP o -\fBmessage command\fP -.IP -.IP o -\fBmin passwd length\fP -.IP -.IP o -\fBmin password length\fP -.IP -.IP o -\fBmin wins ttl\fP -.IP -.IP o -\fBname resolve order\fP -.IP -.IP o -\fBnetbios aliases\fP -.IP -.IP o -\fBnetbios name\fP -.IP -.IP o -\fBnetbios scope\fP -.IP -.IP o -\fBnis homedir\fP -.IP -.IP o -\fBnt acl support\fP -.IP -.IP o -\fBnt pipe support\fP -.IP -.IP o -\fBnt smb support\fP -.IP -.IP o -\fBnull passwords\fP -.IP -.IP o -\fBole locking compatibility\fP -.IP -.IP o -\fBoplock break wait time\fP -.IP -.IP o -\fBos level\fP -.IP -.IP o -\fBpacket size\fP -.IP -.IP o -\fBpanic action\fP -.IP -.IP o -\fBpasswd chat\fP -.IP -.IP o -\fBpasswd chat debug\fP -.IP -.IP o -\fBpasswd program\fP -.IP -.IP o -\fBpassword level\fP -.IP -.IP o -\fBpassword server\fP -.IP -.IP o -\fBprefered master\fP -.IP -.IP o -\fBpreferred master\fP -.IP -.IP o -\fBpreload\fP -.IP -.IP o -\fBprintcap\fP -.IP -.IP o -\fBprintcap name\fP -.IP -.IP o -\fBprinter driver file\fP -.IP -.IP o -\fBprivate dir\fP -.IP -.IP o -\fBprotocol\fP -.IP -.IP o -\fBread bmpx\fP -.IP -.IP o -\fBread prediction\fP -.IP -.IP o -\fBread raw\fP -.IP -.IP o -\fBread size\fP -.IP -.IP o -\fBremote announce\fP -.IP -.IP o -\fBremote browse sync\fP -.IP -.IP o -\fBrestrict anonymous\fP -.IP -.IP o -\fBroot\fP -.IP -.IP o -\fBroot dir\fP -.IP -.IP o -\fBroot directory\fP -.IP -.IP o -\fBsecurity\fP -.IP -.IP o -\fBserver string\fP -.IP -.IP o -\fBshared mem size\fP -.IP -.IP o -\fBsmb passwd file\fP -.IP -.IP o -\fBsmbrun\fP -.IP -.IP o -\fBsocket address\fP -.IP -.IP o -\fBsocket options\fP -.IP -.IP o -\fBsource environment\fP -.IP -.IP o -\fBssl\fP -.IP -.IP o -\fBssl CA certDir\fP -.IP -.IP o -\fBssl CA certFile\fP -.IP -.IP o -\fBssl ciphers\fP -.IP -.IP o -\fBssl client cert\fP -.IP -.IP o -\fBssl client key\fP -.IP -.IP o -\fBssl compatibility\fP -.IP -.IP o -\fBssl hosts\fP -.IP -.IP o -\fBssl hosts resign\fP -.IP -.IP o -\fBssl require clientcert\fP -.IP -.IP o -\fBssl require servercert\fP -.IP -.IP o -\fBssl server cert\fP -.IP -.IP o -\fBssl server key\fP -.IP -.IP o -\fBssl version\fP -.IP -.IP o -\fBstat cache\fP -.IP -.IP o -\fBstat cache size\fP -.IP -.IP o -\fBstrip dot\fP -.IP -.IP o -\fBsyslog\fP -.IP -.IP o -\fBsyslog only\fP -.IP -.IP o -\fBtemplate homedir\fP -.IP -.IP o -\fBtemplate shell\fP -.IP -.IP o -\fBtime offset\fP -.IP -.IP o -\fBtime server\fP -.IP -.IP o -\fBtimestamp logs\fP -.IP -.IP o -\fBunix password sync\fP -.IP -.IP o -\fBunix realname\fP -.IP -.IP o -\fBupdate encrypted\fP -.IP -.IP o -\fBuse rhosts\fP -.IP -.IP o -\fBusername level\fP -.IP -.IP o -\fBusername map\fP -.IP -.IP o -\fButmp directory\fP -.IP -.IP o -\fBvalid chars\fP -.IP -.IP o -\fBwinbind cache time\fP -.IP -.IP o -\fBwinbind gid\fP -.IP -.IP o -\fBwinbind uid\fP -.IP -.IP o -\fBwins hook\fP -.IP -.IP o -\fBwins proxy\fP -.IP -.IP o -\fBwins server\fP -.IP -.IP o -\fBwins support\fP -.IP -.IP o -\fBworkgroup\fP -.IP -.IP o -\fBwrite raw\fP -.IP -.PP -.SH "COMPLETE LIST OF SERVICE PARAMETERS" -.PP -Here is a list of all service parameters\&. See the section of each -parameter for details\&. Note that some are synonyms\&. -.PP -.IP -.IP o -\fBadmin users\fP -.IP -.IP o -\fBallow hosts\fP -.IP -.IP o -\fBalternate permissions\fP -.IP -.IP o -\fBavailable\fP -.IP -.IP o -\fBblocking locks\fP -.IP -.IP o -\fBbrowsable\fP -.IP -.IP o -\fBbrowseable\fP -.IP -.IP o -\fBcase sensitive\fP -.IP -.IP o -\fBcasesignames\fP -.IP -.IP o -\fBcomment\fP -.IP -.IP o -\fBcopy\fP -.IP -.IP o -\fBcreate mask\fP -.IP -.IP o -\fBcreate mode\fP -.IP -.IP o -\fBdefault case\fP -.IP -.IP o -\fBdelete readonly\fP -.IP -.IP o -\fBdelete veto files\fP -.IP -.IP o -\fBdeny hosts\fP -.IP -.IP o -\fBdirectory\fP -.IP -.IP o -\fBdirectory mask\fP -.IP -.IP o -\fBdirectory mode\fP -.IP -.IP o -\fBdirectory security mask\fP -.IP -.IP o -\fBdont descend\fP -.IP -.IP o -\fBdos filetime resolution\fP -.IP -.IP o -\fBdos filetimes\fP -.IP -.IP o -\fBexec\fP -.IP -.IP o -\fBfake directory create times\fP -.IP -.IP o -\fBfake oplocks\fP -.IP -.IP o -\fBfollow symlinks\fP -.IP -.IP o -\fBforce create mode\fP -.IP -.IP o -\fBforce directory mode\fP -.IP -.IP o -\fBforce directory security mode\fP -.IP -.IP o -\fBforce group\fP -.IP -.IP o -\fBforce security mode\fP -.IP -.IP o -\fBforce user\fP -.IP -.IP o -\fBfstype\fP -.IP -.IP o -\fBgroup\fP -.IP -.IP o -\fBguest account\fP -.IP -.IP o -\fBguest ok\fP -.IP -.IP o -\fBguest only\fP -.IP -.IP o -\fBhide dot files\fP -.IP -.IP o -\fBhide files\fP -.IP -.IP o -\fBhosts allow\fP -.IP -.IP o -\fBhosts deny\fP -.IP -.IP o -\fBinclude\fP -.IP -.IP o -\fBinherit permissions\fP -.IP -.IP o -\fBinvalid users\fP -.IP -.IP o -\fBlevel2 oplocks\fP -.IP -.IP o -\fBlocking\fP -.IP -.IP o -\fBlppause command\fP -.IP -.IP o -\fBlpq command\fP -.IP -.IP o -\fBlpresume command\fP -.IP -.IP o -\fBlprm command\fP -.IP -.IP o -\fBmagic output\fP -.IP -.IP o -\fBmagic script\fP -.IP -.IP o -\fBmangle case\fP -.IP -.IP o -\fBmangle locks\fP -.IP -.IP o -\fBmangled map\fP -.IP -.IP o -\fBmangled names\fP -.IP -.IP o -\fBmangling char\fP -.IP -.IP o -\fBmap archive\fP -.IP -.IP o -\fBmap hidden\fP -.IP -.IP o -\fBmap system\fP -.IP -.IP o -\fBmax connections\fP -.IP -.IP o -\fBmin print space\fP -.IP -.IP o -\fBonly guest\fP -.IP -.IP o -\fBonly user\fP -.IP -.IP o -\fBoplock contention limit\fP -.IP -.IP o -\fBoplocks\fP -.IP -.IP o -\fBpath\fP -.IP -.IP o -\fBpostexec\fP -.IP -.IP o -\fBpostscript\fP -.IP -.IP o -\fBpreexec\fP -.IP -.IP o -\fBpreexec close\fP -.IP -.IP o -\fBpreserve case\fP -.IP -.IP o -\fBprint command\fP -.IP -.IP o -\fBprint ok\fP -.IP -.IP o -\fBprintable\fP -.IP -.IP o -\fBprinter\fP -.IP -.IP o -\fBprinter admin\fP -.IP -.IP o -\fBprinter driver\fP -.IP -.IP o -\fBprinter driver location\fP -.IP -.IP o -\fBprinter name\fP -.IP -.IP o -\fBprinting\fP -.IP -.IP o -\fBpublic\fP -.IP -.IP o -\fBqueuepause command\fP -.IP -.IP o -\fBqueueresume command\fP -.IP -.IP o -\fBread list\fP -.IP -.IP o -\fBread only\fP -.IP -.IP o -\fBroot postexec\fP -.IP -.IP o -\fBroot preexec\fP -.IP -.IP o -\fBroot preexec close\fP -.IP -.IP o -\fBsecurity mask\fP -.IP -.IP o -\fBset directory\fP -.IP -.IP o -\fBshare modes\fP -.IP -.IP o -\fBshort preserve case\fP -.IP -.IP o -\fBstatus\fP -.IP -.IP o -\fBstrict locking\fP -.IP -.IP o -\fBstrict sync\fP -.IP -.IP o -\fBsync always\fP -.IP -.IP o -\fBuser\fP -.IP -.IP o -\fBusername\fP -.IP -.IP o -\fBusers\fP -.IP -.IP o -\fButmp\fP -.IP -.IP o -\fBvalid users\fP -.IP -.IP o -\fBveto files\fP -.IP -.IP o -\fBveto oplock files\fP -.IP -.IP o -\fBvolume\fP -.IP -.IP o -\fBwide links\fP -.IP -.IP o -\fBwritable\fP -.IP -.IP o -\fBwrite cache size\fP -.IP -.IP o -\fBwrite list\fP -.IP -.IP o -\fBwrite ok\fP -.IP -.IP o -\fBwriteable\fP -.IP -.PP -.SH "EXPLANATION OF EACH PARAMETER" -.PP -.IP -.IP "\fBadd user script (G)\fP" -.IP -This is the full pathname to a script that will be run \fIAS ROOT\fP by -\fBsmbd (8)\fP under special circumstances decribed -below\&. -.IP -Normally, a Samba server requires that UNIX users are created for all -users accessing files on this server\&. For sites that use Windows NT -account databases as their primary user database creating these users -and keeping the user list in sync with the Windows NT PDC is an -onerous task\&. This option allows \fBsmbd\fP to create -the required UNIX users \fION DEMAND\fP when a user accesses the Samba -server\&. -.IP -In order to use this option, \fBsmbd\fP must be set to -\fBsecurity=server\fP or -\fBsecurity=domain\fP and \fB"add user script"\fP -must be set to a full pathname for a script that will create a UNIX user -given one argument of \fB%u\fP, which expands into the UNIX user name to -create\&. -.IP -When the Windows user attempts to access the Samba server, at -\fI"login"\fP(session setup in the SMB protocol) time, -\fBsmbd\fP contacts the \fBpassword -server\fP and attempts to authenticate the given user -with the given password\&. If the authentication succeeds then -\fBsmbd\fP attempts to find a UNIX user in the UNIX -password database to map the Windows user into\&. If this lookup fails, -and \fB"add user script"\fP is set then \fBsmbd\fP will -call the specified script \fIAS ROOT\fP, expanding any \fB%u\fP argument -to be the user name to create\&. -.IP -If this script successfully creates the user then -\fBsmbd\fP will continue on as though the UNIX user -already existed\&. In this way, UNIX users are dynamically created to -match existing Windows NT accounts\&. -.IP -See also \fBsecurity=server\fP, -\fBsecurity=domain\fP, \fBpassword -server\fP, \fBdelete user -script\fP\&. -.IP -\fBDefault:\fP -\f(CW add user script = \fP -.IP -\fBExample:\fP -\f(CW add user script = /usr/local/samba/bin/add_user %u\fP -.IP -.IP "\fBadmin users (S)\fP" -.IP -This is a list of users who will be granted administrative privileges -on the share\&. This means that they will do all file operations as the -super-user (root)\&. -.IP -You should use this option very carefully, as any user in this list -will be able to do anything they like on the share, irrespective of -file permissions\&. -.IP -\fBDefault:\fP -.br -\f(CW no admin users\fP -.IP -\fBExample:\fP -.br -\f(CW admin users = jason\fP -.IP -.IP "\fBallow hosts (S)\fP" -.IP -Synonym for \fBhosts allow\fP\&. -.IP -.IP "\fBallow trusted domains (G)\fP" -.IP -This option only takes effect when the \fBsecurity\fP -option is set to \fBserver\fP or \fBdomain\fP\&. If it is set to no, -then attempts to connect to a resource from a domain or workgroup other than -the one which smbd is running in will fail, even if that domain -is trusted by the remote server doing the authentication\&. -.IP -This is useful if you only want your Samba server to serve resources -to users in the domain it is a member of\&. As an example, suppose that there are -two domains DOMA and DOMB\&. DOMB is trusted by DOMA, which contains -the Samba server\&. Under normal circumstances, a user with an account -in DOMB can then access the resources of a UNIX account with the same -account name on the Samba server even if they do not have an account -in DOMA\&. This can make implementing a security boundary difficult\&. -.IP -\fBDefault:\fP -\f(CW allow trusted domains = Yes\fP -.IP -\fBExample:\fP -\f(CW allow trusted domains = No\fP -.IP -.IP "\fBalternate permissions (S)\fP" -.IP -This is a deprecated parameter\&. It no longer has any effect in Samba2\&.0\&. -In previous versions of Samba it affected the way the DOS "read only" -attribute was mapped for a file\&. In Samba2\&.0 a file is marked "read only" -if the UNIX file does not have the \'w\' bit set for the owner of the file, -regardless if the owner of the file is the currently logged on user or not\&. -.IP -.IP "\fBannounce as (G)\fP" -.IP -This specifies what type of server \fBnmbd\fP will -announce itself as, to a network neighborhood browse list\&. By default -this is set to Windows NT\&. The valid options are : "NT", which is a -synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or -"WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 -and Windows for Workgroups respectively\&. Do not change this parameter -unless you have a specific need to stop Samba appearing as an NT server -as this may prevent Samba servers from participating as browser servers correctly\&. -.IP -\fBDefault:\fP -\f(CW announce as = NT Server\fP -.IP -\fBExample\fP -\f(CW announce as = Win95\fP -.IP -.IP "\fBannounce version (G)\fP" -.IP -This specifies the major and minor version numbers that nmbd will use -when announcing itself as a server\&. The default is 4\&.2\&. Do not change -this parameter unless you have a specific need to set a Samba server -to be a downlevel server\&. -.IP -\fBDefault:\fP -\f(CW announce version = 4\&.2\fP -.IP -\fBExample:\fP -\f(CW announce version = 2\&.0\fP -.IP -.IP "\fBauto services (G)\fP" -.IP -This is a list of services that you want to be automatically added to -the browse lists\&. This is most useful for homes and printers services -that would otherwise not be visible\&. -.IP -Note that if you just want all printers in your printcap file loaded -then the \fB"load printers"\fP option is easier\&. -.IP -\fBDefault:\fP -\f(CW no auto services\fP -.IP -\fBExample:\fP -\f(CW auto services = fred lp colorlp\fP -.IP -.IP "\fBavailable (S)\fP" -.IP -This parameter lets you \fI\'turn off\'\fP a service\&. If \f(CW\'available = no\'\fP, -then \fIALL\fP attempts to connect to the service will fail\&. Such failures -are logged\&. -.IP -\fBDefault:\fP -\f(CW available = yes\fP -.IP -\fBExample:\fP -\f(CW available = no\fP -.IP -.IP "\fBbind interfaces only (G)\fP" -.IP -This global parameter allows the Samba admin to limit what interfaces -on a machine will serve smb requests\&. If affects file service -\fBsmbd\fP and name service \fBnmbd\fP -in slightly different ways\&. -.IP -For name service it causes \fBnmbd\fP to bind to ports -137 and 138 on the interfaces listed in the -\fB\'interfaces\'\fP -parameter\&. \fBnmbd\fP also binds to the \'all -addresses\' interface (0\&.0\&.0\&.0) on ports 137 and 138 for the purposes -of reading broadcast messages\&. If this option is not set then -\fBnmbd\fP will service name requests on all of these -sockets\&. If \fB"bind interfaces only"\fP is set then -\fBnmbd\fP will check the source address of any -packets coming in on the broadcast sockets and discard any that don\'t -match the broadcast addresses of the interfaces in the -\fB\'interfaces\'\fP parameter list\&. As unicast packets -are received on the other sockets it allows \fBnmbd\fP -to refuse to serve names to machines that send packets that arrive -through any interfaces not listed in the -\fB"interfaces"\fP list\&. IP Source address spoofing -does defeat this simple check, however so it must not be used -seriously as a security feature for \fBnmbd\fP\&. -.IP -For file service it causes \fBsmbd\fP to bind only to -the interface list given in the \fB\'interfaces\'\fP -parameter\&. This restricts the networks that \fBsmbd\fP -will serve to packets coming in those interfaces\&. Note that you -should not use this parameter for machines that are serving PPP or -other intermittent or non-broadcast network interfaces as it will not -cope with non-permanent interfaces\&. -.IP -If \fB"bind interfaces only"\fP is set then unless the network address -\fI127\&.0\&.0\&.1\fP is added to the \fB\'interfaces\'\fP parameter -list \fBsmbpasswd\fP and -\fBswat\fP may not work as expected due to the -reasons covered below\&. -.IP -To change a users SMB password, the \fBsmbpasswd\fP -by default connects to the \fI"localhost" - 127\&.0\&.0\&.1\fP address as an SMB -client to issue the password change request\&. If \fB"bind interfaces only"\fP -is set then unless the network address \fI127\&.0\&.0\&.1\fP is added to the -\fB\'interfaces\'\fP parameter list then -\fBsmbpasswd\fP will fail to connect in it\'s -default mode\&. \fBsmbpasswd\fP can be forced to -use the primary IP interface of the local host by using its -\fB"-r remote machine"\fP parameter, with -\fB"remote machine"\fP set to the IP name of the primary interface -of the local host\&. -.IP -The \fBswat\fP status page tries to connect with -\fBsmbd\fP and \fBnmbd\fP at the address -\fI127\&.0\&.0\&.1\fP to determine if they are running\&. Not adding \fI127\&.0\&.0\&.1\fP will cause -\fBsmbd\fP and \fBnmbd\fP to always show -"not running" even if they really are\&. This can prevent -\fBswat\fP from starting/stopping/restarting -\fBsmbd\fP and \fBnmbd\fP\&. -.IP -\fBDefault:\fP -\f(CW bind interfaces only = False\fP -.IP -\fBExample:\fP -\f(CW bind interfaces only = True\fP -.IP -.IP "\fBblocking locks (S)\fP" -.IP -This parameter controls the behavior of \fBsmbd\fP when -given a request by a client to obtain a byte range lock on a region -of an open file, and the request has a time limit associated with it\&. -.IP -If this parameter is set and the lock range requested cannot be -immediately satisfied, Samba 2\&.0 will internally queue the lock -request, and periodically attempt to obtain the lock until the -timeout period expires\&. -.IP -If this parameter is set to "False", then Samba 2\&.0 will behave -as previous versions of Samba would and will fail the lock -request immediately if the lock range cannot be obtained\&. -.IP -This parameter can be set per share\&. -.IP -\fBDefault:\fP -\f(CW blocking locks = True\fP -.IP -\fBExample:\fP -\f(CW blocking locks = False\fP -.IP -.IP "\fBbrowsable (S)\fP" -.IP -Synonym for \fBbrowseable\fP\&. -.IP -.IP "\fBbrowse list(G)\fP" -.IP -This controls whether \fBsmbd\fP will serve a browse -list to a client doing a NetServerEnum call\&. Normally set to true\&. You -should never need to change this\&. -.IP -\fBDefault:\fP -\f(CW browse list = Yes\fP -.IP -.IP "\fBbrowseable\fP" -.IP -This controls whether this share is seen in the list of available -shares in a net view and in the browse list\&. -.IP -\fBDefault:\fP -\f(CW browseable = Yes\fP -.IP -\fBExample:\fP -\f(CW browseable = No\fP -.IP -.IP "\fBcase sensitive (S)\fP" -.IP -See the discussion in the section \fBNAME MANGLING\fP\&. -.IP -.IP "\fBcasesignames (S)\fP" -.IP -Synonym for \fB"case sensitive"\fP\&. -.IP -.IP "\fBchange notify timeout (G)\fP" -.IP -One of the new NT SMB requests that Samba 2\&.0 supports is the -"ChangeNotify" requests\&. This SMB allows a client to tell a server to -\fI"watch"\fP a particular directory for any changes and only reply to -the SMB request when a change has occurred\&. Such constant scanning of -a directory is expensive under UNIX, hence an -\fBsmbd\fP daemon only performs such a scan on each -requested directory once every \fBchange notify timeout\fP seconds\&. -.IP -\fBchange notify timeout\fP is specified in units of seconds\&. -.IP -\fBDefault:\fP -\f(CW change notify timeout = 60\fP -.IP -\fBExample:\fP -\f(CW change notify timeout = 300\fP -.IP -Would change the scan time to every 5 minutes\&. -.IP -.IP "\fBcharacter set (G)\fP" -.IP -This allows a smbd to map incoming filenames from a DOS Code page (see -the \fBclient code page\fP parameter) to several -built in UNIX character sets\&. The built in code page translations are: -.IP -.IP -.IP o -\fBISO8859-1\fP Western European UNIX character set\&. The parameter -\fBclient code page\fP \fIMUST\fP be set to code -page 850 if the \fBcharacter set\fP parameter is set to iso8859-1 -in order for the conversion to the UNIX character set to be done -correctly\&. -.IP -.IP o -\fBISO8859-2\fP Eastern European UNIX character set\&. The parameter -\fBclient code page\fP \fIMUST\fP be set to code -page 852 if the \fBcharacter set\fP parameter is set to ISO8859-2 -in order for the conversion to the UNIX character set to be done -correctly\&. -.IP -.IP o -\fBISO8859-5\fP Russian Cyrillic UNIX character set\&. The parameter -\fBclient code page\fP \fIMUST\fP be set to code -page 866 if the \fBcharacter set\fP parameter is set to ISO8859-5 -in order for the conversion to the UNIX character set to be done -correctly\&. -.IP -.IP o -\fBISO8859-7\fP Greek UNIX character set\&. The parameter -\fBclient code page\fP \fIMUST\fP be set to code -page 737 if the \fBcharacter set\fP parameter is set to ISO8859-7 -in order for the conversion to the UNIX character set to be done -correctly\&. -.IP -.IP o -\fBKOI8-R\fP Alternate mapping for Russian Cyrillic UNIX -character set\&. The parameter \fBclient code -page\fP \fIMUST\fP be set to code page 866 if the -\fBcharacter set\fP parameter is set to KOI8-R in order for the -conversion to the UNIX character set to be done correctly\&. -.IP -.IP -\fIBUG\fP\&. These MSDOS code page to UNIX character set mappings should -be dynamic, like the loading of MS DOS code pages, not static\&. -.IP -See also \fBclient code page\fP\&. Normally this -parameter is not set, meaning no filename translation is done\&. -.IP -\fBDefault:\fP -\f(CW character set = \fP -.IP -\fBExample:\fP -\f(CW character set = ISO8859-1\fP -.IP -.IP "\fBclient code page (G)\fP" -.IP -This parameter specifies the DOS code page that the clients accessing -Samba are using\&. To determine what code page a Windows or DOS client -is using, open a DOS command prompt and type the command "chcp"\&. This -will output the code page\&. The default for USA MS-DOS, Windows 95, and -Windows NT releases is code page 437\&. The default for western european -releases of the above operating systems is code page 850\&. -.IP -This parameter tells \fBsmbd\fP which of the -\f(CWcodepage\&.XXX\fP files to dynamically load on startup\&. These files, -described more fully in the manual page \fBmake_smbcodepage -(1)\fP, tell \fBsmbd\fP how -to map lower to upper case characters to provide the case insensitivity -of filenames that Windows clients expect\&. -.IP -Samba currently ships with the following code page files : -.IP -.IP -.IP o -\fBCode Page 437 - MS-DOS Latin US\fP -.IP -.IP o -\fBCode Page 737 - Windows \'95 Greek\fP -.IP -.IP o -\fBCode Page 850 - MS-DOS Latin 1\fP -.IP -.IP o -\fBCode Page 852 - MS-DOS Latin 2\fP -.IP -.IP o -\fBCode Page 861 - MS-DOS Icelandic\fP -.IP -.IP o -\fBCode Page 866 - MS-DOS Cyrillic\fP -.IP -.IP o -\fBCode Page 932 - MS-DOS Japanese SJIS\fP -.IP -.IP o -\fBCode Page 936 - MS-DOS Simplified Chinese\fP -.IP -.IP o -\fBCode Page 949 - MS-DOS Korean Hangul\fP -.IP -.IP o -\fBCode Page 950 - MS-DOS Traditional Chinese\fP -.IP -.IP -Thus this parameter may have any of the values 437, 737, 850, 852, -861, 932, 936, 949, or 950\&. If you don\'t find the codepage you need, -read the comments in one of the other codepage files and the -\fBmake_smbcodepage (1)\fP man page and -write one\&. Please remember to donate it back to the Samba user -community\&. -.IP -This parameter co-operates with the \fB"valid -chars"\fP parameter in determining what characters are -valid in filenames and how capitalization is done\&. If you set both -this parameter and the \fB"valid chars"\fP parameter -the \fB"client code page"\fP parameter \fIMUST\fP be set before the -\fB"valid chars"\fP parameter in the \fBsmb\&.conf\fP -file\&. The \fB"valid chars"\fP string will then augment -the character settings in the "client code page" parameter\&. -.IP -If not set, \fB"client code page"\fP defaults to 850\&. -.IP -See also : \fB"valid chars"\fP -.IP -\fBDefault:\fP -\f(CW client code page = 850\fP -.IP -\fBExample:\fP -\f(CW client code page = 936\fP -.IP -.IP "\fBcodingsystem (G)\fP" -.IP -This parameter is used to determine how incoming Shift-JIS Japanese -characters are mapped from the incoming \fB"client code -page"\fP used by the client, into file names in the -UNIX filesystem\&. Only useful if \fB"client code -page"\fP is set to 932 (Japanese Shift-JIS)\&. -.IP -The options are : -.IP -.IP -.IP o -\fBSJIS\fP Shift-JIS\&. Does no conversion of the incoming filename\&. -.IP -.IP o -\fBJIS8, J8BB, J8BH, J8@B, J8@J, J8@H \fP Convert from incoming -Shift-JIS to eight bit JIS code with different shift-in, shift out -codes\&. -.IP -.IP o -\fBJIS7, J7BB, J7BH, J7@B, J7@J, J7@H \fP Convert from incoming -Shift-JIS to seven bit JIS code with different shift-in, shift out -codes\&. -.IP -.IP o -\fBJUNET, JUBB, JUBH, JU@B, JU@J, JU@H \fP Convert from incoming -Shift-JIS to JUNET code with different shift-in, shift out codes\&. -.IP -.IP o -\fBEUC\fP Convert an incoming Shift-JIS character to EUC code\&. -.IP -.IP o -\fBHEX\fP Convert an incoming Shift-JIS character to a 3 byte hex -representation, i\&.e\&. \f(CW:AB\fP\&. -.IP -.IP o -\fBCAP\fP Convert an incoming Shift-JIS character to the 3 byte hex -representation used by the Columbia AppleTalk Program (CAP), -i\&.e\&. \f(CW:AB\fP\&. This is used for compatibility between Samba and CAP\&. -.IP -.IP -.IP "\fBcomment (S)\fP" -.IP -This is a text field that is seen next to a share when a client does a -queries the server, either via the network neighborhood or via "net -view" to list what shares are available\&. -.IP -If you want to set the string that is displayed next to the machine -name then see the server string command\&. -.IP -\fBDefault:\fP -\f(CW No comment string\fP -.IP -\fBExample:\fP -\f(CW comment = Fred\'s Files\fP -.IP -.IP "\fBconfig file (G)\fP" -.IP -This allows you to override the config file to use, instead of the -default (usually \fBsmb\&.conf\fP)\&. There is a chicken and egg problem -here as this option is set in the config file! -.IP -For this reason, if the name of the config file has changed when the -parameters are loaded then it will reload them from the new config -file\&. -.IP -This option takes the usual substitutions, which can be very useful\&. -.IP -If the config file doesn\'t exist then it won\'t be loaded (allowing you -to special case the config files of just a few clients)\&. -.IP -\fBExample:\fP -\f(CW config file = /usr/local/samba/lib/smb\&.conf\&.%m\fP -.IP -.IP "\fBcopy (S)\fP" -.IP -This parameter allows you to \fI\'clone\'\fP service entries\&. The specified -service is simply duplicated under the current service\'s name\&. Any -parameters specified in the current section will override those in the -section being copied\&. -.IP -This feature lets you set up a \'template\' service and create similar -services easily\&. Note that the service being copied must occur earlier -in the configuration file than the service doing the copying\&. -.IP -\fBDefault:\fP -\f(CW none\fP -.IP -\fBExample:\fP -\f(CW copy = otherservice\fP -.IP -.IP "\fBcreate mask (S)\fP" -.IP -A synonym for this parameter is \fB\'create mode\'\fP\&. -.IP -When a file is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise \'AND\'ed with this parameter\&. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a file\&. Any bit \fI*not*\fP set here will be removed from the modes set -on a file when it is created\&. -.IP -The default value of this parameter removes the \'group\' and \'other\' -write and execute bits from the UNIX modes\&. -.IP -Following this Samba will bit-wise \'OR\' the UNIX mode created from -this parameter with the value of the "force create mode" parameter -which is set to 000 by default\&. -.IP -This parameter does not affect directory modes\&. See the parameter -\fB\'directory mode\'\fP for details\&. -.IP -See also the \fB"force create mode"\fP parameter -for forcing particular mode bits to be set on created files\&. See also -the \fB"directory mode"\fP parameter for masking -mode bits on created directories\&. -See also the \fB"inherit permissions"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW create mask = 0744\fP -.IP -\fBExample:\fP -\f(CW create mask = 0775\fP -.IP -.IP "\fBcreate mode (S)\fP" -.IP -This is a synonym for \fBcreate mask\fP\&. -.IP -.IP "\fBdeadtime (G)\fP" -.IP -The value of the parameter (a decimal integer) represents the number -of minutes of inactivity before a connection is considered dead, and -it is disconnected\&. The deadtime only takes effect if the number of -open files is zero\&. -.IP -This is useful to stop a server\'s resources being exhausted by a large -number of inactive connections\&. -.IP -Most clients have an auto-reconnect feature when a connection is -broken so in most cases this parameter should be transparent to users\&. -.IP -Using this parameter with a timeout of a few minutes is recommended -for most systems\&. -.IP -A deadtime of zero indicates that no auto-disconnection should be -performed\&. -.IP -\fBDefault:\fP -\f(CW deadtime = 0\fP -.IP -\fBExample:\fP -\f(CW deadtime = 15\fP -.IP -.IP "\fBdebug hires timestamp (G)\fP" -.IP -Sometimes the timestamps in the log messages are needed with a -resolution of higher that seconds, this boolean parameter adds -microsecond resolution to the timestamp message header when turned on\&. -.IP -Note that the parameter \fBdebug timestamp\fP -must be on for this to have an effect\&. -.IP -\fBDefault:\fP -\f(CW debug hires timestamp = No\fP -.IP -\fBExample:\fP -\f(CW debug hires timestamp = Yes\fP -.IP -.IP "\fBdebug timestamp (G)\fP" -.IP -Samba2\&.0 debug log messages are timestamped by default\&. If you are -running at a high \fB"debug level"\fP these timestamps -can be distracting\&. This boolean parameter allows timestamping to be turned -off\&. -.IP -\fBDefault:\fP -\f(CW debug timestamp = Yes\fP -.IP -\fBExample:\fP -\f(CW debug timestamp = No\fP -.IP -.IP "\fBdebug pid (G)\fP" -.IP -When using only one log file for more then one forked smbd-process -there may be hard to follow which process outputs which message\&. -This boolean parameter is adds the process-id to the timestamp message -headers in the logfile when turned on\&. -.IP -Note that the parameter \fBdebug timestamp\fP -must be on for this to have an effect\&. -.IP -\fBDefault:\fP -\f(CW debug pid = No\fP -.IP -\fBExample:\fP -\f(CW debug pid = Yes\fP -.IP -.IP "\fBdebug uid (G)\fP" -.IP -Samba is sometimes run as root and sometime run as the connected -user, this boolean parameter inserts the current euid, egid, uid -and gid to the timestamp message headers in the log file if turned on\&. -.IP -Note that the parameter \fBdebug timestamp\fP -must be on for this to have an effect\&. -.IP -\fBDefault:\fP -\f(CW debug uid = No\fP -.IP -\fBExample:\fP -\f(CW debug uid = Yes\fP -.IP -.IP "\fBdebug level (G)\fP" -.IP -The value of the parameter (an integer) allows the debug level -(logging level) to be specified in the \fBsmb\&.conf\fP file\&. This is to -give greater flexibility in the configuration of the system\&. -.IP -The default will be the debug level specified on the command line -or level zero if none was specified\&. -.IP -\fBExample:\fP -\f(CW debug level = 3\fP -.IP -.IP "\fBdefault (G)\fP" -.IP -A synonym for \fBdefault service\fP\&. -.IP -.IP "\fBdefault case (S)\fP" -.IP -See the section on \fB"NAME MANGLING"\fP\&. Also note -the \fB"short preserve case"\fP parameter\&. -.IP -.IP "\fBdefault service (G)\fP" -.IP -This parameter specifies the name of a service which will be connected -to if the service actually requested cannot be found\&. Note that the -square brackets are \fINOT\fP given in the parameter value (see example -below)\&. -.IP -There is no default value for this parameter\&. If this parameter is not -given, attempting to connect to a nonexistent service results in an -error\&. -.IP -Typically the default service would be a \fBguest ok\fP, -\fBread-only\fP service\&. -.IP -Also note that the apparent service name will be changed to equal that -of the requested service, this is very useful as it allows you to use -macros like \fB%S\fP to make a wildcard service\&. -.IP -Note also that any \f(CW\'_\'\fP characters in the name of the service used -in the default service will get mapped to a \f(CW\'/\'\fP\&. This allows for -interesting things\&. -.IP -\fBExample:\fP - -.nf - +It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share +level security under different \fINetBIOS aliases\fR. - default service = pub - - [pub] - path = /%S +The different settings will now be explained. -.fi - +\fBSECURITY = SHARE +\fR +When clients connect to a share level security server then +need not log onto the server with a valid username and password before +attempting to connect to a shared resource (although modern clients +such as Windows 95/98 and Windows NT will send a logon request with +a username but no password when talking to a \fBsecurity = share +\fRserver). Instead, the clients send authentication information +(passwords) on a per-share basis, at the time they attempt to connect +to that share. -.IP -.IP "\fBdelete user script (G)\fP" -.IP -This is the full pathname to a script that will be run \fIAS ROOT\fP by -\fBsmbd (8)\fP under special circumstances decribed -below\&. -.IP -Normally, a Samba server requires that UNIX users are created for all -users accessing files on this server\&. For sites that use Windows NT -account databases as their primary user database creating these users -and keeping the user list in sync with the Windows NT PDC is an -onerous task\&. This option allows \fBsmbd\fP to delete -the required UNIX users \fION DEMAND\fP when a user accesses the Samba -server and the Windows NT user no longer exists\&. -.IP -In order to use this option, \fBsmbd\fP must be set to -\fBsecurity=domain\fP and \fB"delete user -script"\fP must be set to a full pathname for a script that will delete -a UNIX user given one argument of \fB%u\fP, which expands into the UNIX -user name to delete\&. \fINOTE\fP that this is different to the -\fBadd user script\fP which will work with the -\fBsecurity=server\fP option as well as -\fBsecurity=domain\fP\&. The reason for this -is only when Samba is a domain member does it get the information -on an attempted user logon that a user no longer exists\&. In the -\fBsecurity=server\fP mode a missing user -is treated the same as an invalid password logon attempt\&. Deleting -the user in this circumstance would not be a good idea\&. -.IP -When the Windows user attempts to access the Samba server, at -\fI"login"\fP(session setup in the SMB protocol) time, -\fBsmbd\fP contacts the \fBpassword -server\fP and attempts to authenticate the given user -with the given password\&. If the authentication fails with the specific -Domain error code meaning that the user no longer exists then -\fBsmbd\fP attempts to find a UNIX user in the UNIX -password database that matches the Windows user account\&. If this lookup succeeds, -and \fB"delete user script"\fP is set then \fBsmbd\fP will -call the specified script \fIAS ROOT\fP, expanding any \fB%u\fP argument -to be the user name to delete\&. -.IP -This script should delete the given UNIX username\&. In this way, UNIX -users are dynamically deleted to match existing Windows NT accounts\&. -.IP -See also \fBsecurity=domain\fP, -\fBpassword server\fP, \fBadd user -script\fP\&. -.IP -\fBDefault:\fP -\f(CW delete user script = \fP -.IP -\fBExample:\fP -\f(CW delete user script = /usr/local/samba/bin/del_user %u\fP -.IP -.IP "\fBdelete readonly (S)\fP" -.IP -This parameter allows readonly files to be deleted\&. This is not -normal DOS semantics, but is allowed by UNIX\&. -.IP -This option may be useful for running applications such as rcs, where -UNIX file ownership prevents changing file permissions, and DOS -semantics prevent deletion of a read only file\&. -.IP -\fBDefault:\fP -\f(CW delete readonly = No\fP -.IP -\fBExample:\fP -\f(CW delete readonly = Yes\fP -.IP -.IP "\fBdelete veto files (S)\fP" -.IP -This option is used when Samba is attempting to delete a directory -that contains one or more vetoed directories (see the \fB\'veto -files\'\fP option)\&. If this option is set to False (the -default) then if a vetoed directory contains any non-vetoed files or -directories then the directory delete will fail\&. This is usually what -you want\&. -.IP -If this option is set to True, then Samba will attempt to recursively -delete any files and directories within the vetoed directory\&. This can -be useful for integration with file serving systems such as \fBNetAtalk\fP, -which create meta-files within directories you might normally veto -DOS/Windows users from seeing (e\&.g\&. \f(CW\&.AppleDouble\fP) -.IP -Setting \f(CW\'delete veto files = True\'\fP allows these directories to be -transparently deleted when the parent directory is deleted (so long -as the user has permissions to do so)\&. -.IP -See also the \fBveto files\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW delete veto files = False\fP -.IP -\fBExample:\fP -\f(CW delete veto files = True\fP -.IP -.IP "\fBdeny hosts (S)\fP" -.IP -Synonym for \fBhosts deny\fP\&. -.IP -.IP "\fBdfree command (G)\fP" -.IP -The dfree command setting should only be used on systems where a -problem occurs with the internal disk space calculations\&. This has -been known to happen with Ultrix, but may occur with other operating -systems\&. The symptom that was seen was an error of "Abort Retry -Ignore" at the end of each directory listing\&. -.IP -This setting allows the replacement of the internal routines to -calculate the total disk space and amount available with an external -routine\&. The example below gives a possible script that might fulfill -this function\&. -.IP -The external program will be passed a single parameter indicating a -directory in the filesystem being queried\&. This will typically consist -of the string \f(CW"\&./"\fP\&. The script should return two integers in -ascii\&. The first should be the total disk space in blocks, and the -second should be the number of available blocks\&. An optional third -return value can give the block size in bytes\&. The default blocksize -is 1024 bytes\&. -.IP -Note: Your script should \fINOT\fP be setuid or setgid and should be -owned by (and writeable only by) root! -.IP -\fBDefault:\fP -\f(CW By default internal routines for determining the disk capacity -and remaining space will be used\&.\fP -.IP -\fBExample:\fP -\f(CW dfree command = /usr/local/samba/bin/dfree\fP -.IP -Where the script dfree (which must be made executable) could be: -.IP +Note that \fBsmbd\fR \fBALWAYS\fR +uses a valid UNIX user to act on behalf of the client, even in +\fBsecurity = share\fR level security. -.nf - +As clients are not required to send a username to the server +in share level security, \fBsmbd\fR uses several +techniques to determine the correct UNIX user to use on behalf +of the client. - #!/bin/sh - df $1 | tail -1 | awk \'{print $2" "$4}\' +A list of possible UNIX usernames to match with the given +client password is constructed using the following methods : +.RS +.TP 0.2i +\(bu +If the \fIguest +only\fR parameter is set, then all the other +stages are missed and only the \fIguest account\fR username is checked. +.TP 0.2i +\(bu +Is a username is sent with the share connection +request, then this username (after mapping - see \fIusername map\fR), +is added as a potential username. +.TP 0.2i +\(bu +If the client did a previous \fBlogon +\fRrequest (the SessionSetup SMB call) then the +username sent in this SMB will be added as a potential username. +.TP 0.2i +\(bu +The name of the service the client requested is +added as a potential username. +.TP 0.2i +\(bu +The NetBIOS name of the client is added to +the list as a potential username. +.TP 0.2i +\(bu +Any users on the \fI user\fR list are added as potential usernames. +.RE +.PP +If the \fIguest only\fR parameter is +not set, then this list is then tried with the supplied password. +The first user for whom the password matches will be used as the +UNIX user. +.PP +.PP +If the \fIguest only\fR parameter is +set, or no username can be determined then if the share is marked +as available to the \fIguest account\fR, then this +guest user will be used, otherwise access is denied. +.PP +.PP +Note that it can be \fBvery\fR confusing +in share-level security as to which UNIX username will eventually +be used in granting access. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +\fBSECURIYT = USER +\fR.PP +.PP +This is the default security setting in Samba 2.2. +With user-level security a client must first "log=on" with a +valid username and password (which can be mapped using the \fIusername map\fR +parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also +be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and +may change the UNIX user to use on this connection, but only after +the user has been successfully authenticated. +.PP +.PP +\fBNote\fR that the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client. This is why +guest shares don't work in user level security without allowing +the server to automatically map unknown users into the \fIguest account\fR. +See the \fImap to guest\fR +parameter for details on doing this. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +\fBSECURITY = SERVER +\fR.PP +.PP +In this mode Samba will try to validate the username/password +by passing it to another SMB server, such as an NT box. If this +fails it will revert to \fBsecurity = user\fR, but note +that if encrypted passwords have been negotiated then Samba cannot +revert back to checking the UNIX password file, it must have a valid +\fIsmbpasswd\fR file to check users against. See the +documentation file in the \fIdocs/\fR directory +\fIENCRYPTION.txt\fR for details on how to set this +up. +.PP +.PP +\fBNote\fR that from the clients point of +view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals +with the authentication, it does not in any way affect what the +client sees. +.PP +.PP +\fBNote\fR that the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client. This is why +guest shares don't work in user level security without allowing +the server to automatically map unknown users into the \fIguest account\fR. +See the \fImap to guest\fR +parameter for details on doing this. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +See also the \fIpassword +server\fR parameter and the \fIencrypted passwords\fR +parameter. +.PP +.PP +\fBSECURITY = DOMAIN +\fR.PP +.PP +This mode will only work correctly if smbpasswd(8) has been used to add this +machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR +parameter to be set to true. In this +mode Samba will try to validate the username/password by passing +it to a Windows NT Primary or Backup Domain Controller, in exactly +the same way that a Windows NT Server would do. +.PP +.PP +\fBNote\fR that a valid UNIX user must still +exist as well as the account on the Domain Controller to allow +Samba to have a valid UNIX account to map file access to. +.PP +.PP +\fBNote\fR that from the clients point +of view \fBsecurity = domain\fR is the same as \fBsecurity = user +\fR\&. It only affects how the server deals with the authentication, +it does not in any way affect what the client sees. +.PP +.PP +\fBNote\fR that the name of the resource being +requested is \fBnot\fR sent to the server until after +the server has successfully authenticated the client. This is why +guest shares don't work in user level security without allowing +the server to automatically map unknown users into the \fIguest account\fR. +See the \fImap to guest\fR +parameter for details on doing this. +.PP +.PP +\fBBUG:\fR There is currently a bug in the +implementation of \fBsecurity = domain\fR with respect +to multi-byte character set usernames. The communication with a +Domain Controller must be done in UNICODE and Samba currently +does not widen multi-byte user names to UNICODE correctly, thus +a multi-byte username will not be recognized correctly at the +Domain Controller. This issue will be addressed in a future release. +.PP +.PP +See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. +.PP +.PP +See also the \fIpassword +server\fR parameter and the \fIencrypted passwords\fR +parameter. +.PP +.PP +Default: \fBsecurity = USER\fR +.PP +.PP +Example: \fBsecurity = DOMAIN\fR +.PP +.TP +\fBsecurity mask (S)\fR +This parameter controls what UNIX permission +bits can be modified when a Windows NT client is manipulating +the UNIX permission on a file using the native NT security +dialog box. -.fi - +This parameter is applied as a mask (AND'ed with) to +the changed permission bits, thus preventing any bits not in +this mask from being modified. Essentially, zero bits in this +mask may be treated as a set of bits the user is not allowed +to change. -.IP -or perhaps (on Sys V based systems): -.IP +If not set explicitly this parameter is set to the same +value as the \fIcreate mask +\fRparameter. To allow a user to modify all the +user/group/world permissions on a file, set this parameter to +0777. -.nf - +\fBNote\fR that users who can access the +Samba server through other means can easily bypass this +restriction, so it is primarily useful for standalone +"appliance" systems. Administrators of most normal systems will +probably want to set it to 0777. - #!/bin/sh - /usr/bin/df -k $1 | tail -1 | awk \'{print $3" "$5}\' +See also the \fIforce directory security mode\fR, +\fIdirectory +security mask\fR, \fIforce security mode\fR parameters. -.fi - +Default: \fBsecurity mask = +\fR +Example: \fBsecurity mask = 0777\fR +.TP +\fBserver string (G)\fR +This controls what string will show up in the +printer comment box in print manager and next to the IPC connection +in \fBnet view"\fR. It can be any string that you wish +to show to your users. -.IP -Note that you may have to replace the command names with full -path names on some systems\&. -.IP -.IP "\fBdirectory (S)\fP" -.IP -Synonym for \fBpath\fP\&. -.IP -.IP "\fBdirectory mask (S)\fP" -.IP -This parameter is the octal modes which are used when converting DOS -modes to UNIX modes when creating UNIX directories\&. -.IP -When a directory is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise \'AND\'ed with this parameter\&. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a directory\&. Any bit \fI*not*\fP set here will be removed from the -modes set on a directory when it is created\&. -.IP -The default value of this parameter removes the \'group\' and \'other\' -write bits from the UNIX mode, allowing only the user who owns the -directory to modify it\&. -.IP -Following this Samba will bit-wise \'OR\' the UNIX mode created from -this parameter with the value of the "force directory mode" -parameter\&. This parameter is set to 000 by default (i\&.e\&. no extra mode -bits are added)\&. -.IP -See the \fB"force directory mode"\fP parameter -to cause particular mode bits to always be set on created directories\&. -.IP -See also the \fB"create mode"\fP parameter for masking -mode bits on created files, and the \fB"directory security mask"\fP -parameter\&. -.IP -See also the \fB"inherit permissions"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW directory mask = 0755\fP -.IP -\fBExample:\fP -\f(CW directory mask = 0775\fP -.IP -.IP "\fBdirectory mode (S)\fP" -.IP -Synonym for \fBdirectory mask\fP\&. -.IP -.IP "\fBdirectory security mask (S)\fP" -.IP -This parameter controls what UNIX permission bits can be modified -when a Windows NT client is manipulating the UNIX permission on a -directory using the native NT security dialog box\&. -.IP -This parameter is applied as a mask (AND\'ed with) to the changed -permission bits, thus preventing any bits not in this mask from -being modified\&. Essentially, zero bits in this mask may be treated -as a set of bits the user is not allowed to change\&. -.IP -If not set explicitly this parameter is set to the same value as the -\fBdirectory mask\fP parameter\&. To allow a user to -modify all the user/group/world permissions on a directory, set this -parameter to 0777\&. -.IP -\fINote\fP that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems\&. Administrators of -most normal systems will probably want to set it to 0777\&. -.IP -See also the \fBforce directory security -mode\fP, \fBsecurity -mask\fP, \fBforce security mode\fP -parameters\&. -.IP -\fBDefault:\fP -\f(CW directory security mask = \fP -.IP -\fBExample:\fP -\f(CW directory security mask = 0777\fP -.IP -.IP "\fBdns proxy (G)\fP" -.IP -Specifies that \fBnmbd\fP when acting as a WINS -server and finding that a NetBIOS name has not been registered, should -treat the NetBIOS name word-for-word as a DNS name and do a lookup -with the DNS server for that name on behalf of the name-querying -client\&. -.IP -Note that the maximum length for a NetBIOS name is 15 characters, so -the DNS name (or DNS alias) can likewise only be 15 characters, -maximum\&. -.IP -\fBnmbd\fP spawns a second copy of itself to do the -DNS name lookup requests, as doing a name lookup is a blocking action\&. -.IP -See also the parameter \fBwins support\fP\&. -.IP -\fBDefault:\fP -\f(CW dns proxy = yes\fP -.IP -\fBdomain admin group (G)\fP -.IP -This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished -Samba NT Domain Controller Code\&. It may be removed in a later release\&. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list \fBSamba-ntdom\fP available by visiting the web page at -http://lists\&.samba\&.org/ -.IP -.IP "\fBdomain admin users (G)\fP" -.IP -This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished -Samba NT Domain Controller Code\&. It may be removed in a later release\&. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list \fBSamba-ntdom\fP available by visiting the web page at -http://lists\&.samba\&.org/ -.IP -.IP "\fBdomain groups (G)\fP" -.IP -This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished -Samba NT Domain Controller Code\&. It may be removed in a later release\&. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list \fBSamba-ntdom\fP available by visiting the web page at -http://lists\&.samba\&.org/ -.IP -.IP "\fBdomain guest group (G)\fP" -.IP -This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished -Samba NT Domain Controller Code\&. It may be removed in a later release\&. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list \fBSamba-ntdom\fP available by visiting the web page at -http://lists\&.samba\&.org/ -.IP -.IP "\fBdomain guest users (G)\fP" -.IP -This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished -Samba NT Domain Controller Code\&. It may be removed in a later release\&. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list \fBSamba-ntdom\fP available by visiting the web page at -http://lists\&.samba\&.org/ -.IP -.IP "\fBdomain logons (G)\fP" -.IP -If set to true, the Samba server will serve Windows 95/98 Domain -logons for the \fBworkgroup\fP it is in\&. For more -details on setting up this feature see the file DOMAINS\&.txt in the -Samba documentation directory \f(CWdocs/\fP shipped with the source code\&. -.IP -Note that Win95/98 Domain logons are \fINOT\fP the same as Windows -NT Domain logons\&. NT Domain logons require a Primary Domain Controller -(PDC) for the Domain\&. It is intended that in a future release Samba -will be able to provide this functionality for Windows NT clients -also\&. -.IP -\fBDefault:\fP -\f(CW domain logons = no\fP -.IP -.IP "\fBdomain master (G)\fP" -.IP -Tell \fBnmbd\fP to enable WAN-wide browse list -collation\&. Setting this option causes \fBnmbd\fP to -claim a special domain specific NetBIOS name that identifies it as a -domain master browser for its given -\fBworkgroup\fP\&. Local master browsers in the same -\fBworkgroup\fP on broadcast-isolated subnets will give -this \fBnmbd\fP their local browse lists, and then -ask \fBsmbd\fP for a complete copy of the browse list -for the whole wide area network\&. Browser clients will then contact -their local master browser, and will receive the domain-wide browse -list, instead of just the list for their broadcast-isolated subnet\&. -.IP -Note that Windows NT Primary Domain Controllers expect to be able to -claim this \fBworkgroup\fP specific special NetBIOS -name that identifies them as domain master browsers for that -\fBworkgroup\fP by default (i\&.e\&. there is no way to -prevent a Windows NT PDC from attempting to do this)\&. This means that -if this parameter is set and \fBnmbd\fP claims the -special name for a \fBworkgroup\fP before a Windows NT -PDC is able to do so then cross subnet browsing will behave strangely -and may fail\&. -.IP -\fBDefault:\fP -\f(CW domain master = no\fP -.IP -.IP "\fBdont descend (S)\fP" -.IP -There are certain directories on some systems (e\&.g\&., the \f(CW/proc\fP tree -under Linux) that are either not of interest to clients or are -infinitely deep (recursive)\&. This parameter allows you to specify a -comma-delimited list of directories that the server should always show -as empty\&. -.IP -Note that Samba can be very fussy about the exact format of the "dont -descend" entries\&. For example you may need \f(CW"\&./proc"\fP instead of -just \f(CW"/proc"\fP\&. Experimentation is the best policy :-) -.IP -\fBDefault:\fP -\f(CW none (i\&.e\&., all directories are OK to descend)\fP -.IP -\fBExample:\fP -\f(CW dont descend = /proc,/dev\fP -.IP -.IP "\fBdos filetime resolution (S)\fP" -.IP -Under the DOS and Windows FAT filesystem, the finest granularity on -time resolution is two seconds\&. Setting this parameter for a share -causes Samba to round the reported time down to the nearest two second -boundary when a query call that requires one second resolution is made -to \fBsmbd\fP\&. -.IP -This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares\&. If oplocks are enabled on a share, -Visual C++ uses two different time reading calls to check if a file -has changed since it was last read\&. One of these calls uses a -one-second granularity, the other uses a two second granularity\&. As -the two second call rounds any odd second down, then if the file has a -timestamp of an odd number of seconds then the two timestamps will not -match and Visual C++ will keep reporting the file has changed\&. Setting -this option causes the two timestamps to match, and Visual C++ is -happy\&. -.IP -\fBDefault:\fP -\f(CW dos filetime resolution = False\fP -.IP -\fBExample:\fP -\f(CW dos filetime resolution = True\fP -.IP -.IP "\fBdos filetimes (S)\fP" -.IP -Under DOS and Windows, if a user can write to a file they can change -the timestamp on it\&. Under POSIX semantics, only the owner of the file -or root may change the timestamp\&. By default, Samba runs with POSIX -semantics and refuses to change the timestamp on a file if the user -smbd is acting on behalf of is not the file owner\&. Setting this option -to True allows DOS semantics and smbd will change the file timestamp as -DOS requires\&. -.IP -\fBDefault:\fP -\f(CW dos filetimes = False\fP -.IP -\fBExample:\fP -\f(CW dos filetimes = True\fP -.IP -.IP "\fBencrypt passwords (G)\fP" -.IP -This boolean controls whether encrypted passwords will be negotiated -with the client\&. Note that Windows NT 4\&.0 SP3 and above and also -Windows 98 will by default expect encrypted passwords unless a -registry entry is changed\&. To use encrypted passwords in Samba see the -file ENCRYPTION\&.txt in the Samba documentation directory \f(CWdocs/\fP -shipped with the source code\&. -.IP -In order for encrypted passwords to work correctly -\fBsmbd\fP must either have access to a local -\fBsmbpasswd (5)\fP file (see the -\fBsmbpasswd (8)\fP program for information on -how to set up and maintain this file), or set the -\fBsecurity=\fP parameter to either -\fB"server"\fP or -\fB"domain"\fP which causes -\fBsmbd\fP to authenticate against another server\&. -.IP -.IP "\fBexec (S)\fP" -.IP -This is a synonym for \fBpreexec\fP\&. -.IP -.IP "\fBfake directory create times (S)\fP" -.IP -NTFS and Windows VFAT file systems keep a create time for all files -and directories\&. This is not the same as the ctime - status change -time - that Unix keeps, so Samba by default reports the earliest of -the various times Unix does keep\&. Setting this parameter for a share -causes Samba to always report midnight 1-1-1980 as the create time for -directories\&. -.IP -This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares\&. Visual C++ generated makefiles have -the object directory as a dependency for each object file, and a make -rule to create the directory\&. Also, when NMAKE compares timestamps it -uses the creation time when examining a directory\&. Thus the object -directory will be created if it does not exist, but once it does exist -it will always have an earlier timestamp than the object files it -contains\&. -.IP -However, Unix time semantics mean that the create time reported by -Samba will be updated whenever a file is created or deleted in the -directory\&. NMAKE therefore finds all object files in the object -directory bar the last one built are out of date compared to the -directory and rebuilds them\&. Enabling this option ensures directories -always predate their contents and an NMAKE build will proceed as -expected\&. -.IP -\fBDefault:\fP -\f(CW fake directory create times = False\fP -.IP -\fBExample:\fP -\f(CW fake directory create times = True\fP -.IP -.IP "\fBfake oplocks (S)\fP" -.IP -Oplocks are the way that SMB clients get permission from a server to -locally cache file operations\&. If a server grants an oplock -(opportunistic lock) then the client is free to assume that it is the -only one accessing the file and it will aggressively cache file -data\&. With some oplock types the client may even cache file open/close -operations\&. This can give enormous performance benefits\&. -.IP -When you set \f(CW"fake oplocks = yes"\fP \fBsmbd\fP will -always grant oplock requests no matter how many clients are using the -file\&. -.IP -It is generally much better to use the real \fBoplocks\fP -support rather than this parameter\&. -.IP -If you enable this option on all read-only shares or shares that you -know will only be accessed from one client at a time such as -physically read-only media like CDROMs, you will see a big performance -improvement on many operations\&. If you enable this option on shares -where multiple clients may be accessing the files read-write at the -same time you can get data corruption\&. Use this option carefully! -.IP -This option is disabled by default\&. -.IP -.IP "\fBfollow symlinks (S)\fP" -.IP -This parameter allows the Samba administrator to stop -\fBsmbd\fP from following symbolic links in a -particular share\&. Setting this parameter to \fI"No"\fP prevents any file -or directory that is a symbolic link from being followed (the user -will get an error)\&. This option is very useful to stop users from -adding a symbolic link to \f(CW/etc/passwd\fP in their home directory for -instance\&. However it will slow filename lookups down slightly\&. -.IP -This option is enabled (i\&.e\&. \fBsmbd\fP will follow -symbolic links) by default\&. -.IP -.IP "\fBforce create mode (S)\fP" -.IP -This parameter specifies a set of UNIX mode bit permissions that will -\fI*always*\fP be set on a file by Samba\&. This is done by bitwise -\'OR\'ing these bits onto the mode bits of a file that is being created -or having its permissions changed\&. The default for this parameter is -(in octal) 000\&. The modes in this parameter are bitwise \'OR\'ed onto -the file mode after the mask set in the \fB"create -mask"\fP parameter is applied\&. -.IP -See also the parameter \fB"create mask"\fP for details -on masking mode bits on files\&. -.IP -See also the \fB"inherit permissions"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW force create mode = 000\fP -.IP -\fBExample:\fP -\f(CW force create mode = 0755\fP -.IP -would force all created files to have read and execute permissions set -for \'group\' and \'other\' as well as the read/write/execute bits set for -the \'user\'\&. -.IP -.IP "\fBforce directory mode (S)\fP" -.IP -This parameter specifies a set of UNIX mode bit permissions that will -\fI*always*\fP be set on a directory created by Samba\&. This is done by -bitwise \'OR\'ing these bits onto the mode bits of a directory that is -being created\&. The default for this parameter is (in octal) 0000 which -will not add any extra permission bits to a created directory\&. This -operation is done after the mode mask in the parameter -\fB"directory mask"\fP is applied\&. -.IP -See also the parameter \fB"directory mask"\fP for -details on masking mode bits on created directories\&. -.IP -See also the \fB"inherit permissions"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW force directory mode = 000\fP -.IP -\fBExample:\fP -\f(CW force directory mode = 0755\fP -.IP -would force all created directories to have read and execute -permissions set for \'group\' and \'other\' as well as the -read/write/execute bits set for the \'user\'\&. -.IP -.IP "\fBforce directory security mode (S)\fP" -.IP -This parameter controls what UNIX permission bits can be modified when -a Windows NT client is manipulating the UNIX permission on a directory -using the native NT security dialog box\&. -.IP -This parameter is applied as a mask (OR\'ed with) to the changed -permission bits, thus forcing any bits in this mask that the user may -have modified to be on\&. Essentially, one bits in this mask may be -treated as a set of bits that, when modifying security on a directory, -the user has always set to be \'on\'\&. -.IP -If not set explicitly this parameter is set to the same value as the -\fBforce directory mode\fP parameter\&. To allow -a user to modify all the user/group/world permissions on a directory, -with restrictions set this parameter to 000\&. -.IP -\fINote\fP that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems\&. Administrators of -most normal systems will probably want to set it to 0000\&. -.IP -See also the \fBdirectory security mask\fP, -\fBsecurity mask\fP, \fBforce security -mode\fP parameters\&. -.IP -\fBDefault:\fP -\f(CW force directory security mode = \fP -.IP -\fBExample:\fP -\f(CW force directory security mode = 0\fP -.IP -.IP "\fBforce group (S)\fP" -.IP -This specifies a UNIX group name that will be assigned as the default -primary group for all users connecting to this service\&. This is useful -for sharing files by ensuring that all access to files on service will -use the named group for their permissions checking\&. Thus, by assigning -permissions for this group to the files and directories within this -service the Samba administrator can restrict or allow sharing of these -files\&. -.IP -In Samba 2\&.0\&.5 and above this parameter has extended functionality in the following -way\&. If the group name listed here has a \'+\' character prepended to it -then the current user accessing the share only has the primary group -default assigned to this group if they are already assigned as a member -of that group\&. This allows an administrator to decide that only users -who are already in a particular group will create files with group -ownership set to that group\&. This gives a finer granularity of ownership -assignment\&. For example, the setting \f(CWforce group = +sys\fP means -that only users who are already in group sys will have their default -primary group assigned to sys when accessing this Samba share\&. All -other users will retain their ordinary primary group\&. -.IP -If the \fB"force user"\fP parameter is also set the -group specified in \fBforce group\fP will override the primary group -set in \fB"force user"\fP\&. -.IP -See also \fB"force user"\fP -.IP -\fBDefault:\fP -\f(CW no forced group\fP -.IP -\fBExample:\fP -\f(CW force group = agroup\fP -.IP -.IP "\fBforce security mode (S)\fP" -.IP -This parameter controls what UNIX permission bits can be modified when -a Windows NT client is manipulating the UNIX permission on a file -using the native NT security dialog box\&. -.IP -This parameter is applied as a mask (OR\'ed with) to the changed -permission bits, thus forcing any bits in this mask that the user may -have modified to be on\&. Essentially, one bits in this mask may be -treated as a set of bits that, when modifying security on a file, the -user has always set to be \'on\'\&. -.IP -If not set explicitly this parameter is set to the same value as the -\fBforce create mode\fP parameter\&. To allow -a user to modify all the user/group/world permissions on a file, -with no restrictions set this parameter to 000\&. -.IP -\fINote\fP that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems\&. Administrators of -most normal systems will probably want to set it to 0000\&. -.IP -See also the \fBforce directory security -mode\fP, \fBdirectory security -mask\fP, \fBsecurity mask\fP -parameters\&. -.IP -\fBDefault:\fP -\f(CW force security mode = \fP -.IP -\fBExample:\fP -\f(CW force security mode = 0\fP -.IP -.IP "\fBforce user (S)\fP" -.IP -This specifies a UNIX user name that will be assigned as the default -user for all users connecting to this service\&. This is useful for -sharing files\&. You should also use it carefully as using it -incorrectly can cause security problems\&. -.IP -This user name only gets used once a connection is established\&. Thus -clients still need to connect as a valid user and supply a valid -password\&. Once connected, all file operations will be performed as the -\f(CW"forced user"\fP, no matter what username the client connected as\&. -.IP -This can be very useful\&. -.IP -In Samba 2\&.0\&.5 and above this parameter also causes the primary -group of the forced user to be used as the primary group for all -file activity\&. Prior to 2\&.0\&.5 the primary group was left as the -primary group of the connecting user (this was a bug)\&. -.IP -See also \fB"force group"\fP -.IP -\fBDefault:\fP -\f(CW no forced user\fP -.IP -\fBExample:\fP -\f(CW force user = auser\fP -.IP -.IP "\fBfstype (S)\fP" -.IP -This parameter allows the administrator to configure the string that -specifies the type of filesystem a share is using that is reported by -\fBsmbd\fP when a client queries the filesystem type -for a share\&. The default type is \fB"NTFS"\fP for compatibility with -Windows NT but this can be changed to other strings such as "Samba" or -"FAT" if required\&. -.IP -\fBDefault:\fP -\f(CW fstype = NTFS\fP -.IP -\fBExample:\fP -\f(CW fstype = Samba\fP -.IP -.IP "\fBgetwd cache (G)\fP" -.IP -This is a tuning option\&. When this is enabled a caching algorithm -will be used to reduce the time taken for getwd() calls\&. This can have -a significant impact on performance, especially when the -\fBwidelinks\fP parameter is set to False\&. -.IP -\fBDefault:\fP -\f(CW getwd cache = No\fP -.IP -\fBExample:\fP -\f(CW getwd cache = Yes\fP -.IP -.IP "\fBgroup (S)\fP" -.IP -Synonym for \fB"force group"\fP\&. -.IP -.IP "\fBguest account (S)\fP" -.IP -This is a username which will be used for access to services which are -specified as \fB\'guest ok\'\fP (see below)\&. Whatever -privileges this user has will be available to any client connecting to -the guest service\&. Typically this user will exist in the password -file, but will not have a valid login\&. The user account \fB"ftp"\fP is -often a good choice for this parameter\&. If a username is specified in -a given service, the specified username overrides this one\&. -.IP -One some systems the default guest account "nobody" may not be able to -print\&. Use another account in this case\&. You should test this by -trying to log in as your guest user (perhaps by using the \f(CW"su -"\fP -command) and trying to print using the system print command such as -\fBlpr (1)\fP or \fBlp (1)\fP\&. -.IP -\fBDefault:\fP -\f(CW specified at compile time, usually "nobody"\fP -.IP -\fBExample:\fP -\f(CW guest account = ftp\fP -.IP -.IP "\fBguest ok (S)\fP" -.IP -If this parameter is \fI\'yes\'\fP for a service, then no password is -required to connect to the service\&. Privileges will be those of the -\fBguest account\fP\&. -.IP -See the section below on \fBsecurity\fP for more -information about this option\&. -.IP -\fBDefault:\fP -\f(CW guest ok = no\fP -.IP -\fBExample:\fP -\f(CW guest ok = yes\fP -.IP -.IP "\fBguest only (S)\fP" -.IP -If this parameter is \fI\'yes\'\fP for a service, then only guest -connections to the service are permitted\&. This parameter will have no -affect if \fB"guest ok"\fP or \fB"public"\fP -is not set for the service\&. -.IP -See the section below on \fBsecurity\fP for more -information about this option\&. -.IP -\fBDefault:\fP -\f(CW guest only = no\fP -.IP -\fBExample:\fP -\f(CW guest only = yes\fP -.IP -.IP "\fBhide dot files (S)\fP" -.IP -This is a boolean parameter that controls whether files starting with -a dot appear as hidden files\&. -.IP -\fBDefault:\fP -\f(CW hide dot files = yes\fP -.IP -\fBExample:\fP -\f(CW hide dot files = no\fP -.IP -.IP "\fBhide files(S)\fP" -.IP -This is a list of files or directories that are not visible but are -accessible\&. The DOS \'hidden\' attribute is applied to any files or -directories that match\&. -.IP -Each entry in the list must be separated by a \f(CW\'/\'\fP, which allows -spaces to be included in the entry\&. \f(CW\'*\'\fP and \f(CW\'?\'\fP can be used -to specify multiple files or directories as in DOS wildcards\&. -.IP -Each entry must be a Unix path, not a DOS path and must not include the -Unix directory separator \f(CW\'/\'\fP\&. -.IP -Note that the case sensitivity option is applicable in hiding files\&. -.IP -Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned\&. -.IP -See also \fB"hide dot files"\fP, \fB"veto -files"\fP and \fB"case sensitive"\fP\&. -.IP -\fBDefault\fP - -.nf - +It also sets what will appear in browse lists next +to the machine name. - No files or directories are hidden by this option (dot files are - hidden by default because of the "hide dot files" option)\&. +A \fI%v\fR will be replaced with the Samba +version number. -.fi - +A \fI%h\fR will be replaced with the +hostname. -.IP -\fBExample\fP -\f(CW hide files = /\&.*/DesktopFolderDB/TrashFor%m/resource\&.frk/\fP -.IP -The above example is based on files that the Macintosh SMB client -(DAVE) available from \fBThursby\fP creates for -internal use, and also still hides all files beginning with a dot\&. -.IP -.IP "\fBhide local users(G)\fP" -.IP -This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc) -from remote clients\&. -.IP -\fBDefault:\fP -\f(CW hide local users = No\fP -.IP -\fBExample:\fP -\f(CW hide local users = Yes\fP -.IP -.IP "\fBhomedir map (G)\fP" -.IP -If \fB"nis homedir"\fP is true, and -\fBsmbd\fP is also acting as a Win95/98 \fBlogon -server\fP then this parameter specifies the NIS (or YP) -map from which the server for the user\'s home directory should be -extracted\&. At present, only the Sun auto\&.home map format is -understood\&. The form of the map is: -.IP -\f(CWusername server:/some/file/system\fP -.IP -and the program will extract the servername from before the first -\f(CW\':\'\fP\&. There should probably be a better parsing system that copes -with different map formats and also Amd (another automounter) maps\&. -.IP -NB: A working NIS is required on the system for this option to work\&. -.IP -See also \fB"nis homedir"\fP, \fBdomain -logons\fP\&. -.IP -\fBDefault:\fP -\f(CW homedir map = auto\&.home\fP -.IP -\fBExample:\fP -\f(CW homedir map = amd\&.homedir\fP -.IP -.IP "\fBhosts allow (S)\fP" -.IP -A synonym for this parameter is \fB\'allow hosts\'\fP -.IP -This parameter is a comma, space, or tab delimited set of hosts which -are permitted to access a service\&. -.IP -If specified in the \fB[global]\fP section then it will -apply to all services, regardless of whether the individual service -has a different setting\&. -.IP -You can specify the hosts by name or IP number\&. For example, you could -restrict access to only the hosts on a Class C subnet with something -like \f(CW"allow hosts = 150\&.203\&.5\&."\fP\&. The full syntax of the list is -described in the man page \fBhosts_access (5)\fP\&. Note that this man -page may not be present on your system, so a brief description will -be given here also\&. -.IP -Note that the localhost address 127\&.0\&.0\&.1 will always be allowed -access unless specifically denied by a "hosts deny" option\&. -.IP -You can also specify hosts by network/netmask pairs and by netgroup -names if your system supports netgroups\&. The \fIEXCEPT\fP keyword can also -be used to limit a wildcard list\&. The following examples may provide -some help: -.IP -\fBExample 1\fP: allow all IPs in 150\&.203\&.*\&.* except one -.IP -\f(CW hosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66\fP -.IP -\fBExample 2\fP: allow hosts that match the given network/netmask -.IP -\f(CW hosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0\fP -.IP -\fBExample 3\fP: allow a couple of hosts -.IP -\f(CW hosts allow = lapland, arvidsjaur\fP -.IP -\fBExample 4\fP: allow only hosts in NIS netgroup "foonet", but -deny access from one particular host -.IP -\f(CW hosts allow = @foonet\fP -.IP -\f(CW hosts deny = pirate\fP -.IP -Note that access still requires suitable user-level passwords\&. -.IP -See \fBtestparm (1)\fP for a way of testing your -host access to see if it does what you expect\&. -.IP -\fBDefault:\fP -\f(CW none (i\&.e\&., all hosts permitted access)\fP -.IP -\fBExample:\fP -\f(CW allow hosts = 150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au\fP -.IP -.IP "\fBhosts deny (S)\fP" -.IP -The opposite of \fB\'hosts allow\'\fP - hosts listed -here are \fINOT\fP permitted access to services unless the specific -services have their own lists to override this one\&. Where the lists -conflict, the \fB\'allow\'\fP list takes precedence\&. -.IP -\fBDefault:\fP -\f(CW none (i\&.e\&., no hosts specifically excluded)\fP -.IP -\fBExample:\fP -\f(CW hosts deny = 150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\fP -.IP -.IP "\fBhosts equiv (G)\fP" -.IP -If this global parameter is a non-null string, it specifies the name -of a file to read for the names of hosts and users who will be allowed -access without specifying a password\&. -.IP -This is not be confused with \fBhosts allow\fP which -is about hosts access to services and is more useful for guest -services\&. \fBhosts equiv\fP may be useful for NT clients which will not -supply passwords to samba\&. -.IP -NOTE: The use of \fBhosts equiv\fP can be a major security hole\&. This is -because you are trusting the PC to supply the correct username\&. It is -very easy to get a PC to supply a false username\&. I recommend that the -\fBhosts equiv\fP option be only used if you really know what you are -doing, or perhaps on a home network where you trust your spouse and -kids\&. And only if you \fIreally\fP trust them :-)\&. -.IP -\fBDefault\fP -\f(CW No host equivalences\fP -.IP -\fBExample\fP -\f(CW hosts equiv = /etc/hosts\&.equiv\fP -.IP -.IP "\fBinclude (G)\fP" -.IP -This allows you to include one config file inside another\&. The file -is included literally, as though typed in place\&. -.IP -It takes the standard substitutions, except \fB%u\fP, -\fB%P\fP and \fB%S\fP\&. -.IP -.IP "\fBinherit permissions (S)\fP" -.IP -The permissions on new files and directories are normally governed by -\fB"create mask"\fP, -\fB"directory mask"\fP, -\fB"force create mode"\fP and -\fB"force directory mode"\fP -but the boolean inherit permissions parameter overrides this\&. -.IP -New directories inherit the mode of the parent directory, -including bits such as setgid\&. -.IP -New files inherit their read/write bits from the parent directory\&. -Their execute bits continue to be determined by -\fB"map archive"\fP, -\fB"map hidden"\fP and -\fB"map system"\fP as usual\&. -.IP -Note that the setuid bit is *never* set via inheritance -(the code explicitly prohibits this)\&. -.IP -This can be particularly useful on large systems with many users, -perhaps several thousand, -to allow a single \fB[homes]\fP share to be used flexibly by each user\&. -.IP -See also \fB"create mask"\fP, \fB"directory mask"\fP, -\fB"force create mode"\fP and -\fB"force directory mode"\fP\&. -.IP -\fBDefault\fP -\f(CW inherit permissions = no\fP -.IP -\fBExample\fP -\f(CW inherit permissions = yes\fP -.IP -.IP "\fBinterfaces (G)\fP" -.IP -This option allows you to override the default network interfaces list -that Samba will use for browsing, name registration and other NBT -traffic\&. By default Samba will query the kernel for the list of all -active interfaces and use any interfaces except 127\&.0\&.0\&.1 that are -broadcast capable\&. -.IP -The option takes a list of interface strings\&. Each string can be in -any of the following forms: -.IP -.IP o -a network interface name (such as eth0)\&. This may include -shell-like wildcards so eth* will match any interface starting -with the substring "eth" -.IP o -an IP address\&. In this case the netmask is determined -from the list of interfaces obtained from the kernel -.IP o -an IP/mask pair\&. -.IP o -a broadcast/mask pair\&. -.IP -The "mask" parameters can either be a bit length (such as 24 for a C -class network) or a full netmask in dotted decmal form\&. -.IP -The "IP" parameters above can either be a full dotted decimal IP -address or a hostname which will be looked up via the OSes normal -hostname resolution mechanisms\&. -.IP -For example, the following line: -.IP -\f(CWinterfaces = eth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0\fP -.IP -would configure three network interfaces corresponding to the eth0 -device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of -the latter two interfaces would be set to 255\&.255\&.255\&.0\&. -.IP -See also \fB"bind interfaces only"\fP\&. -.IP -.IP "\fBinvalid users (S)\fP" -.IP -This is a list of users that should not be allowed to login to this -service\&. This is really a \fI"paranoid"\fP check to absolutely ensure an -improper setting does not breach your security\&. -.IP -A name starting with a \f(CW\'@\'\fP is interpreted as an NIS netgroup first -(if your system supports NIS), and then as a UNIX group if the name -was not found in the NIS netgroup database\&. -.IP -A name starting with \f(CW\'+\'\fP is interpreted only by looking in the -UNIX group database\&. A name starting with \f(CW\'&\'\fP is interpreted only -by looking in the NIS netgroup database (this requires NIS to be -working on your system)\&. The characters \f(CW\'+\'\fP and \f(CW\'&\'\fP may be -used at the start of the name in either order so the value -\f(CW"+&group"\fP means check the UNIX group database, followed by the NIS -netgroup database, and the value \f(CW"&+group"\fP means check the NIS -netgroup database, followed by the UNIX group database (the same as -the \f(CW\'@\'\fP prefix)\&. -.IP -The current servicename is substituted for -\fB%S\fP\&. This is useful in the \fB[homes]\fP -section\&. -.IP -See also \fB"valid users"\fP\&. -.IP -\fBDefault:\fP -\f(CW No invalid users\fP -.IP -\fBExample:\fP -\f(CW invalid users = root fred admin @wheel\fP -.IP -.IP "\fBkeepalive (G)\fP" -.IP -The value of the parameter (an integer) represents the number of -seconds between \fB\'keepalive\'\fP packets\&. If this parameter is zero, no -keepalive packets will be sent\&. Keepalive packets, if sent, allow the -server to tell whether a client is still present and responding\&. -.IP -Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see \fB"socket -options"\fP)\&. Basically you should only use this option -if you strike difficulties\&. -.IP -\fBDefault:\fP -\f(CW keepalive = 0\fP -.IP -\fBExample:\fP -\f(CW keepalive = 60\fP -.IP -.IP "\fBkernel oplocks (G)\fP" -.IP -For UNIXs that support kernel based \fBoplocks\fP -(currently only IRIX but hopefully also Linux and FreeBSD soon) this -parameter allows the use of them to be turned on or off\&. -.IP -Kernel oplocks support allows Samba \fBoplocks\fP to be -broken whenever a local UNIX process or NFS operation accesses a file -that \fBsmbd\fP has oplocked\&. This allows complete -data consistency between SMB/CIFS, NFS and local file access (and is a -\fIvery\fP cool feature :-)\&. -.IP -This parameter defaults to \fI"On"\fP on systems that have the support, -and \fI"off"\fP on systems that don\'t\&. You should never need to touch -this parameter\&. -.IP -See also the \fB"oplocks"\fP and \fB"level2 oplocks"\fP -parameters\&. -.IP -.IP "\fBldap filter (G)\fP" -.IP -This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a -password database stored on an LDAP server back-end\&. These options -are only available if your version of Samba was configured with -the \fB--with-ldap\fP option\&. -.IP -This parameter specifies an LDAP search filter used to search for a -user name in the LDAP database\&. It must contain the string -\fB%u\fP which will be replaced with the user being -searched for\&. -.IP -\fBDefault:\fP -\f(CW empty string\&.\fP -.IP -.IP "\fBldap port (G)\fP" -.IP -This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a -password database stored on an LDAP server back-end\&. These options -are only available if your version of Samba was configured with -the \fB--with-ldap\fP option\&. -.IP -This parameter specifies the TCP port number to use to contact -the LDAP server on\&. -.IP -\fBDefault:\fP -\f(CW ldap port = 389\&.\fP -.IP -.IP "\fBldap root (G)\fP" -.IP -This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a -password database stored on an LDAP server back-end\&. These options -are only available if your version of Samba was configured with -the \fB--with-ldap\fP option\&. -.IP -This parameter specifies the entity to bind to the LDAP server -as (essentially the LDAP username) in order to be able to perform -queries and modifications on the LDAP database\&. -.IP -See also \fBldap root passwd\fP\&. -.IP -\fBDefault:\fP -\f(CW empty string (no user defined)\fP -.IP -.IP "\fBldap root passwd (G)\fP" -.IP -This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a -password database stored on an LDAP server back-end\&. These options -are only available if your version of Samba was configured with -the \fB--with-ldap\fP option\&. -.IP -This parameter specifies the password for the entity to bind to the -LDAP server as (the password for this LDAP username) in order to be -able to perform queries and modifications on the LDAP database\&. -.IP -\fIBUGS:\fP This parameter should \fINOT\fP be a readable parameter -in the \fBsmb\&.conf\fP file and will be removed once a correct -storage place is found\&. -.IP -See also \fBldap root\fP\&. -.IP -\fBDefault:\fP -\f(CW empty string\&.\fP -.IP -.IP "\fBldap server (G)\fP" -.IP -This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a -password database stored on an LDAP server back-end\&. These options -are only available if your version of Samba was configured with -the \fB--with-ldap\fP option\&. -.IP -This parameter specifies the DNS name of the LDAP server to use -for SMB/CIFS authentication purposes\&. -.IP -\fBDefault:\fP -\f(CW ldap server = localhost\fP -.IP -.IP "\fBldap suffix (G)\fP" -.IP -This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a -password database stored on an LDAP server back-end\&. These options -are only available if your version of Samba was configured with -the \fB--with-ldap\fP option\&. -.IP -This parameter specifies the \f(CW"dn"\fP or LDAP \fI"distinguished name"\fP -that tells \fBsmbd\fP to start from when searching -for an entry in the LDAP password database\&. -.IP -\fBDefault:\fP -\f(CW empty string\&.\fP -.IP -.IP "\fBlevel2 oplocks (S)\fP" -.IP -This parameter (new in Samba 2\&.0\&.5) controls whether Samba supports -level2 (read-only) oplocks on a share\&. In Samba 2\&.0\&.5 this parameter -defaults to "False" as the code is new, but will default to "True" -in a later release\&. -.IP -Level2, or read-only oplocks allow Windows NT clients that have an -oplock on a file to downgrade from a read-write oplock to a read-only -oplock once a second client opens the file (instead of releasing all -oplocks on a second open, as in traditional, exclusive oplocks)\&. This -allows all openers of the file that support level2 oplocks to cache -the file for read-ahead only (ie\&. they may not cache writes or lock -requests) and increases performance for many acesses of files that -are not commonly written (such as application \&.EXE files)\&. -.IP -Once one of the clients which have a read-only oplock writes to -the file all clients are notified (no reply is needed or waited -for) and told to break their oplocks to "none" and delete any -read-ahead caches\&. -.IP -It is recommended that this parameter be turned on to speed access -to shared executables (and also to test the code :-)\&. -.IP -For more discussions on level2 oplocks see the CIFS spec\&. -.IP -Currently, if \fB"kernel oplocks"\fP are supported -then level2 oplocks are not granted (even if this parameter is set -to \f(CW"true"\fP)\&. Note also, the \fB"oplocks"\fP parameter must -be set to "true" on this share in order for this parameter to have any -effect\&. -.IP -See also the \fB"oplocks"\fP and \fB"kernel oplocks"\fP parameters\&. -.IP -\fBDefault:\fP -\f(CW level2 oplocks = False\fP -.IP -\fBExample:\fP -\f(CW level2 oplocks = True\fP -.IP -.IP "\fBlm announce (G)\fP" -.IP -This parameter determines if \fBnmbd\fP will produce -Lanman announce broadcasts that are needed by \fBOS/2\fP clients in order -for them to see the Samba server in their browse list\&. This parameter -can have three values, \f(CW"true"\fP, \f(CW"false"\fP, or \f(CW"auto"\fP\&. The -default is \f(CW"auto"\fP\&. If set to \f(CW"false"\fP Samba will never produce -these broadcasts\&. If set to \f(CW"true"\fP Samba will produce Lanman -announce broadcasts at a frequency set by the parameter \fB"lm -interval"\fP\&. If set to \f(CW"auto"\fP Samba will not send Lanman -announce broadcasts by default but will listen for them\&. If it hears -such a broadcast on the wire it will then start sending them at a -frequency set by the parameter \fB"lm interval"\fP\&. -.IP -See also \fB"lm interval"\fP\&. -.IP -\fBDefault:\fP -\f(CW lm announce = auto\fP -.IP -\fBExample:\fP -\f(CW lm announce = true\fP -.IP -.IP "\fBlm interval (G)\fP" -.IP -If Samba is set to produce Lanman announce broadcasts needed by -\fBOS/2\fP clients (see the \fB"lm announce"\fP -parameter) then this parameter defines the frequency in seconds with -which they will be made\&. If this is set to zero then no Lanman -announcements will be made despite the setting of the \fB"lm -announce"\fP parameter\&. -.IP -See also \fB"lm announce"\fP\&. -.IP -\fBDefault:\fP -\f(CW lm interval = 60\fP -.IP -\fBExample:\fP -\f(CW lm interval = 120\fP -.IP -.IP "\fBload printers (G)\fP" -.IP -A boolean variable that controls whether all printers in the printcap -will be loaded for browsing by default\&. See the -\fB"printers"\fP section for more details\&. -.IP -\fBDefault:\fP -\f(CW load printers = yes\fP -.IP -\fBExample:\fP -\f(CW load printers = no\fP -.IP -.IP "\fBlocal master (G)\fP" -.IP -This option allows \fBnmbd\fP to try and become a -local master browser on a subnet\&. If set to False then -\fBnmbd\fP will not attempt to become a local master -browser on a subnet and will also lose in all browsing elections\&. By -default this value is set to true\&. Setting this value to true doesn\'t -mean that Samba will \fIbecome\fP the local master browser on a subnet, -just that \fBnmbd\fP will \fIparticipate\fP in -elections for local master browser\&. -.IP -Setting this value to False will cause \fBnmbd\fP -\fInever\fP to become a local master browser\&. -.IP -\fBDefault:\fP -\f(CW local master = yes\fP -.IP -.IP "\fBlock dir (G)\fP" -.IP -Synonym for \fB"lock directory"\fP\&. -.IP -.IP "\fBlock directory (G)\fP" -.IP -This option specifies the directory where lock files will be placed\&. -The lock files are used to implement the \fB"max -connections"\fP option\&. -.IP -\fBDefault:\fP -\f(CW lock directory = /tmp/samba\fP -.IP -\fBExample:\fP -\f(CW lock directory = /usr/local/samba/var/locks\fP -.IP -.IP "\fBlocking (S)\fP" -.IP -This controls whether or not locking will be performed by the server -in response to lock requests from the client\&. -.IP -If \f(CW"locking = no"\fP, all lock and unlock requests will appear to -succeed and all lock queries will indicate that the queried lock is -clear\&. -.IP -If \f(CW"locking = yes"\fP, real locking will be performed by the server\&. -.IP -This option \fImay\fP be useful for read-only filesystems which \fImay\fP -not need locking (such as cdrom drives), although setting this -parameter of \f(CW"no"\fP is not really recommended even in this case\&. -.IP -Be careful about disabling locking either globally or in a specific -service, as lack of locking may result in data corruption\&. You should -never need to set this parameter\&. -.IP -\fBDefault:\fP -\f(CW locking = yes\fP -.IP -\fBExample:\fP -\f(CW locking = no\fP -.IP -.IP "\fBlog file (G)\fP" -.IP -This options allows you to override the name of the Samba log file -(also known as the debug file)\&. -.IP -This option takes the standard substitutions, allowing you to have -separate log files for each user or machine\&. -.IP -\fBExample:\fP -\f(CW log file = /usr/local/samba/var/log\&.%m\fP -.IP -.IP "\fBlog level (G)\fP" -.IP -Synonym for \fB"debug level"\fP\&. -.IP -.IP "\fBlogon drive (G)\fP" -.IP -This parameter specifies the local path to which the home directory -will be connected (see \fB"logon home"\fP) and is only -used by NT Workstations\&. -.IP -Note that this option is only useful if Samba is set up as a -\fBlogon server\fP\&. -.IP -\fBExample:\fP -\f(CW logon drive = h:\fP -.IP -.IP "\fBlogon home (G)\fP" -.IP -This parameter specifies the home directory location when a Win95/98 or -NT Workstation logs into a Samba PDC\&. It allows you to do -.IP -\f(CW"NET USE H: /HOME"\fP -.IP -from a command prompt, for example\&. -.IP -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine\&. -.IP -This parameter can be used with Win9X workstations to ensure that -roaming profiles are stored in a subdirectory of the user\'s home -directory\&. This is done in the following way: -.IP -\f(CW" logon home = \e\e%L\e%U\eprofile"\fP -.IP -This tells Samba to return the above string, with substitutions made -when a client requests the info, generally in a NetUserGetInfo request\&. -Win9X clients truncate the info to \e\eserver\eshare when a user does \f(CW"net use /home"\fP, -but use the whole string when dealing with profiles\&. -.IP -Note that in prior versions of Samba, the \f(CW"logon path"\fP was returned rather than -\f(CW"logon home"\fP\&. This broke \f(CW"net use /home"\fP but allowed profiles outside the -home directory\&. The current implementation is correct, and can be used for profiles -if you use the above trick\&. -.IP -Note that this option is only useful if Samba is set up as a -\fBlogon server\fP\&. -.IP -\fBExample:\fP -\f(CW logon home = "\e\eremote_smb_server\e%U"\fP -.IP -\fBDefault:\fP -\f(CW logon home = "\e\e%N\e%U"\fP -.IP -.IP "\fBlogon path (G)\fP" -.IP -This parameter specifies the home directory where roaming profiles -(NTuser\&.dat etc files for Windows NT) are stored\&. Contrary to previous -versions of these manual pages, it has nothing to do with Win 9X roaming -profiles\&. To find out how to handle roaming profiles for Win 9X system, see -the \f(CW"logon home"\fP parameter\&. -.IP -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine\&. It also specifies -the directory from which the \f(CW"application data"\fP, (\f(CW"desktop"\fP, \f(CW"start menu"\fP, -\f(CW"network neighborhood"\fP, \f(CW"programs"\fP and other folders, and their -contents, are loaded and displayed on your Windows NT client\&. -.IP -The share and the path must be readable by the user for the -preferences and directories to be loaded onto the Windows NT -client\&. The share must be writeable when the logs in for the first -time, in order that the Windows NT client can create the NTuser\&.dat -and other directories\&. -.IP -Thereafter, the directories and any of the contents can, if required, be -made read-only\&. It is not advisable that the NTuser\&.dat file be made -read-only - rename it to NTuser\&.man to achieve the desired effect (a -\fIMAN\fPdatory profile)\&. -.IP -Windows clients can sometimes maintain a connection to the [homes] -share, even though there is no user logged in\&. Therefore, it is vital -that the logon path does not include a reference to the homes share -(i\&.e\&. setting this parameter to \f(CW\e\e%N\eHOMES\eprofile_path\fP will cause -problems)\&. -.IP -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine\&. -.IP -Note that this option is only useful if Samba is set up as a -\fBlogon server\fP\&. -.IP -\fBDefault:\fP -\f(CW logon path = \e\e%N\e%U\eprofile\fP -.IP -\fBExample:\fP -\f(CW logon path = \e\ePROFILESERVER\eHOME_DIR\e%U\ePROFILE\fP -.IP -.IP "\fBlogon script (G)\fP" -.IP -This parameter specifies the batch file (\&.bat) or NT command file -(\&.cmd) to be downloaded and run on a machine when a user successfully -logs in\&. The file must contain the DOS style cr/lf line endings\&. -Using a DOS-style editor to create the file is recommended\&. -.IP -The script must be a relative path to the \f(CW[netlogon]\fP service\&. If -the \f(CW[netlogon]\fP service specifies a \fBpath\fP of -/usr/local/samba/netlogon, and logon script = STARTUP\&.BAT, then the -file that will be downloaded is: -.IP -\f(CW/usr/local/samba/netlogon/STARTUP\&.BAT\fP -.IP -The contents of the batch file is entirely your choice\&. A suggested -command would be to add \f(CWNET TIME \e\eSERVER /SET /YES\fP, to force every -machine to synchronize clocks with the same time server\&. Another use -would be to add \f(CWNET USE U: \e\eSERVER\eUTILS\fP for commonly used -utilities, or \f(CWNET USE Q: \e\eSERVER\eISO9001_QA\fP for example\&. -.IP -Note that it is particularly important not to allow write access to -the \f(CW[netlogon]\fP share, or to grant users write permission on the -batch files in a secure environment, as this would allow the batch -files to be arbitrarily modified and security to be breached\&. -.IP -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine\&. -.IP -Note that this option is only useful if Samba is set up as a -\fBlogon server\fP\&. -.IP -\fBExample:\fP -\f(CW logon script = scripts\e%U\&.bat\fP -.IP -.IP "\fBlppause command (S)\fP" -.IP -This parameter specifies the command to be executed on the server host -in order to stop printing or spooling a specific print job\&. -.IP -This command should be a program or script which takes a printer name -and job number to pause the print job\&. One way of implementing this is -by using job priorities, where jobs having a too low priority won\'t be -sent to the printer\&. -.IP -If a \f(CW"%p"\fP is given then the printername is put in its place\&. A -\f(CW"%j"\fP is replaced with the job number (an integer)\&. On HPUX (see -\fBprinting=hpux\fP), if the \f(CW"-p%p"\fP option is added -to the lpq command, the job will show up with the correct status, -i\&.e\&. if the job priority is lower than the set fence priority it will -have the PAUSED status, whereas if the priority is equal or higher it -will have the SPOOLED or PRINTING status\&. -.IP -Note that it is good practice to include the absolute path in the -lppause command as the PATH may not be available to the server\&. -.IP -See also the \fB"printing"\fP parameter\&. -.IP -\fBDefault:\fP -Currently no default value is given to this string, unless the -value of the \fB"printing"\fP parameter is \f(CWSYSV\fP, in -which case the default is : -.IP -\f(CW lp -i %p-%j -H hold\fP -.IP -or if the value of the \fB"printing"\fP parameter is \f(CWsoftq\fP, -then the default is: -.IP -\f(CW qstat -s -j%j -h\fP -.IP -\fBExample for HPUX:\fP -lppause command = /usr/bin/lpalt %p-%j -p0 -.IP -.IP "\fBlpq cache time (G)\fP" -.IP -This controls how long lpq info will be cached for to prevent the -\fBlpq\fP command being called too often\&. A separate cache is kept for -each variation of the \fBlpq\fP command used by the system, so if you -use different \fBlpq\fP commands for different users then they won\'t -share cache information\&. -.IP -The cache files are stored in \f(CW/tmp/lpq\&.xxxx\fP where xxxx is a hash of -the \fBlpq\fP command in use\&. -.IP -The default is 10 seconds, meaning that the cached results of a -previous identical \fBlpq\fP command will be used if the cached data is -less than 10 seconds old\&. A large value may be advisable if your -\fBlpq\fP command is very slow\&. -.IP -A value of 0 will disable caching completely\&. -.IP -See also the \fB"printing"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW lpq cache time = 10\fP -.IP -\fBExample:\fP -\f(CW lpq cache time = 30\fP -.IP -.IP "\fBlpq command (S)\fP" -.IP -This parameter specifies the command to be executed on the server host -in order to obtain \f(CW"lpq"\fP-style printer status information\&. -.IP -This command should be a program or script which takes a printer name -as its only parameter and outputs printer status information\&. -.IP -Currently eight styles of printer status information are supported; -BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ\&. This covers most UNIX -systems\&. You control which type is expected using the -\fB"printing ="\fP option\&. -.IP -Some clients (notably Windows for Workgroups) may not correctly send -the connection number for the printer they are requesting status -information about\&. To get around this, the server reports on the first -printer service connected to by the client\&. This only happens if the -connection number sent is invalid\&. -.IP -If a \f(CW%p\fP is given then the printername is put in its place\&. Otherwise -it is placed at the end of the command\&. -.IP -Note that it is good practice to include the absolute path in the \fBlpq -command\fP as the PATH may not be available to the server\&. -.IP -See also the \fB"printing"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW depends on the setting of printing =\fP -.IP -\fBExample:\fP -\f(CW lpq command = /usr/bin/lpq %p\fP -.IP -.IP "\fBlpresume command (S)\fP" -.IP -This parameter specifies the command to be executed on the server host -in order to restart or continue printing or spooling a specific print -job\&. -.IP -This command should be a program or script which takes a printer name -and job number to resume the print job\&. See also the \fB"lppause -command"\fP parameter\&. -.IP -If a \f(CW%p\fP is given then the printername is put in its place\&. A -\f(CW%j\fP is replaced with the job number (an integer)\&. -.IP -Note that it is good practice to include the absolute path in the \fBlpresume -command\fP as the PATH may not be available to the server\&. -.IP -See also the \fB"printing"\fP parameter\&. -.IP -\fBDefault:\fP -.IP -Currently no default value is given to this string, unless the -value of the \fB"printing"\fP parameter is \f(CWSYSV\fP, in -which case the default is : -.IP -\f(CW lp -i %p-%j -H resume\fP -.IP -or if the value of the \fB"printing"\fP parameter is \f(CWsoftq\fP, -then the default is: -.IP -\f(CW qstat -s -j%j -r\fP -.IP -\fBExample for HPUX:\fP -\f(CW lpresume command = /usr/bin/lpalt %p-%j -p2\fP -.IP -.IP "\fBlprm command (S)\fP" -.IP -This parameter specifies the command to be executed on the server host -in order to delete a print job\&. -.IP -This command should be a program or script which takes a printer name -and job number, and deletes the print job\&. -.IP -If a \f(CW%p\fP is given then the printername is put in its place\&. A -\f(CW%j\fP is replaced with the job number (an integer)\&. -.IP -Note that it is good practice to include the absolute path in the -\fBlprm command\fP as the PATH may not be available to the server\&. -.IP -See also the \fB"printing"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW depends on the setting of "printing ="\fP -.IP -\fBExample 1:\fP -\f(CW lprm command = /usr/bin/lprm -P%p %j\fP -.IP -\fBExample 2:\fP -\f(CW lprm command = /usr/bin/cancel %p-%j\fP -.IP -.IP "\fBmachine password timeout (G)\fP" -.IP -If a Samba server is a member of an Windows NT Domain (see the -\fB"security=domain"\fP) parameter) then -periodically a running \fBsmbd\fP process will try and -change the \fBMACHINE ACCOUNT PASWORD\fP stored in the file called -\f(CW\&.\&.mac\fP where \f(CW\fP is the name of the -Domain we are a member of and \f(CW\fP is the primary -\fB"NetBIOS name"\fP of the machine -\fBsmbd\fP is running on\&. This parameter specifies how -often this password will be changed, in seconds\&. The default is one -week (expressed in seconds), the same as a Windows NT Domain member -server\&. -.IP -See also \fBsmbpasswd (8)\fP, and the -\fB"security=domain"\fP) parameter\&. -.IP -\fBDefault:\fP -\f(CW machine password timeout = 604800\fP -.IP -.IP "\fBmagic output (S)\fP" -.IP -This parameter specifies the name of a file which will contain output -created by a magic script (see the \fB"magic -script"\fP parameter below)\&. -.IP -Warning: If two clients use the same \fB"magic -script"\fP in the same directory the output file content -is undefined\&. -.IP -\fBDefault:\fP -\f(CW magic output = \&.out\fP -.IP -\fBExample:\fP -\f(CW magic output = myfile\&.txt\fP -.IP -.IP "\fBmagic script (S)\fP" -.IP -This parameter specifies the name of a file which, if opened, will be -executed by the server when the file is closed\&. This allows a UNIX -script to be sent to the Samba host and executed on behalf of the -connected user\&. -.IP -Scripts executed in this way will be deleted upon completion, -permissions permitting\&. -.IP -If the script generates output, output will be sent to the file -specified by the \fB"magic output"\fP parameter (see -above)\&. -.IP -Note that some shells are unable to interpret scripts containing -carriage-return-linefeed instead of linefeed as the end-of-line -marker\&. Magic scripts must be executable \fI"as is"\fP on the host, -which for some hosts and some shells will require filtering at the DOS -end\&. -.IP -Magic scripts are \fIEXPERIMENTAL\fP and should \fINOT\fP be relied upon\&. -.IP -\fBDefault:\fP -\f(CW None\&. Magic scripts disabled\&.\fP -.IP -\fBExample:\fP -\f(CW magic script = user\&.csh\fP -.IP -.IP "\fBmangle case (S)\fP" -.IP -See the section on \fB"NAME MANGLING"\fP\&. -.IP -.IP "\fBmangle locks (S)\fP" -.IP -This option is was introduced with Samba 2\&.0\&.4 and above and has been -removed in Samba 2\&.0\&.6 as Samba now dynamically configures such things -on 32 bit systems\&. -.IP -.IP "\fBmangled map (S)\fP" -.IP -This is for those who want to directly map UNIX file names which can -not be represented on Windows/DOS\&. The mangling of names is not always -what is needed\&. In particular you may have documents with file -extensions that differ between DOS and UNIX\&. For example, under UNIX -it is common to use \f(CW"\&.html"\fP for HTML files, whereas under -Windows/DOS \f(CW"\&.htm"\fP is more commonly used\&. -.IP -So to map \f(CW"html"\fP to \f(CW"htm"\fP you would use: -.IP -\f(CW mangled map = (*\&.html *\&.htm)\fP -.IP -One very useful case is to remove the annoying \f(CW";1"\fP off the ends -of filenames on some CDROMS (only visible under some UNIXs)\&. To do -this use a map of (*;1 *)\&. -.IP -\fBdefault:\fP -\f(CW no mangled map\fP -.IP -\fBExample:\fP -\f(CW mangled map = (*;1 *)\fP -.IP -.IP "\fBmangled names (S)\fP" -.IP -This controls whether non-DOS names under UNIX should be mapped to -DOS-compatible names ("mangled") and made visible, or whether non-DOS -names should simply be ignored\&. -.IP -See the section on \fB"NAME MANGLING"\fP for details -on how to control the mangling process\&. -.IP -If mangling is used then the mangling algorithm is as follows: -.IP -.IP -.IP o -The first (up to) five alphanumeric characters before the -rightmost dot of the filename are preserved, forced to upper case, and -appear as the first (up to) five characters of the mangled name\&. -.IP -.IP o -A tilde \f(CW"~"\fP is appended to the first part of the mangled -name, followed by a two-character unique sequence, based on the -original root name (i\&.e\&., the original filename minus its final -extension)\&. The final extension is included in the hash calculation -only if it contains any upper case characters or is longer than three -characters\&. -.IP -Note that the character to use may be specified using the -\fB"mangling char"\fP option, if you don\'t like -\f(CW\'~\'\fP\&. -.IP -.IP o -The first three alphanumeric characters of the final extension -are preserved, forced to upper case and appear as the extension of the -mangled name\&. The final extension is defined as that part of the -original filename after the rightmost dot\&. If there are no dots in the -filename, the mangled name will have no extension (except in the case -of \fB"hidden files"\fP - see below)\&. -.IP -.IP o -Files whose UNIX name begins with a dot will be presented as DOS -hidden files\&. The mangled name will be created as for other filenames, -but with the leading dot removed and \f(CW"___"\fP as its extension regardless -of actual original extension (that\'s three underscores)\&. -.IP -.IP -The two-digit hash value consists of upper case alphanumeric -characters\&. -.IP -This algorithm can cause name collisions only if files in a directory -share the same first five alphanumeric characters\&. The probability of -such a clash is 1/1300\&. -.IP -The name mangling (if enabled) allows a file to be copied between UNIX -directories from Windows/DOS while retaining the long UNIX -filename\&. UNIX files can be renamed to a new extension from -Windows/DOS and will retain the same basename\&. Mangled names do not -change between sessions\&. -.IP -\fBDefault:\fP -\f(CW mangled names = yes\fP -.IP -\fBExample:\fP -\f(CW mangled names = no\fP -.IP -.IP "\fBmangling char (S)\fP" -.IP -This controls what character is used as the \fI"magic"\fP character in -\fBname mangling\fP\&. The default is a \f(CW\'~\'\fP but -this may interfere with some software\&. Use this option to set it to -whatever you prefer\&. -.IP -\fBDefault:\fP -\f(CW mangling char = ~\fP -.IP -\fBExample:\fP -\f(CW mangling char = ^\fP -.IP -.IP "\fBmangled stack (G)\fP" -.IP -This parameter controls the number of mangled names that should be -cached in the Samba server \fBsmbd\fP\&. -.IP -This stack is a list of recently mangled base names (extensions are -only maintained if they are longer than 3 characters or contains upper -case characters)\&. -.IP -The larger this value, the more likely it is that mangled names can be -successfully converted to correct long UNIX names\&. However, large -stack sizes will slow most directory access\&. Smaller stacks save -memory in the server (each stack element costs 256 bytes)\&. -.IP -It is not possible to absolutely guarantee correct long file names, so -be prepared for some surprises! -.IP -\fBDefault:\fP -\f(CW mangled stack = 50\fP -.IP -\fBExample:\fP -\f(CW mangled stack = 100\fP -.IP -.IP "\fBmap archive (S)\fP" -.IP -This controls whether the DOS archive attribute should be mapped to -the UNIX owner execute bit\&. The DOS archive bit is set when a file -has been modified since its last backup\&. One motivation for this -option it to keep Samba/your PC from making any file it touches from -becoming executable under UNIX\&. This can be quite annoying for shared -source code, documents, etc\&.\&.\&. -.IP -Note that this requires the \fB"create mask"\fP -parameter to be set such that owner execute bit is not masked out -(i\&.e\&. it must include 100)\&. See the parameter \fB"create -mask"\fP for details\&. -.IP -\fBDefault:\fP -\f(CW map archive = yes\fP -.IP -\fBExample:\fP -\f(CW map archive = no\fP -.IP -.IP "\fBmap hidden (S)\fP" -.IP -This controls whether DOS style hidden files should be mapped to the -UNIX world execute bit\&. -.IP -Note that this requires the \fB"create mask"\fP to be -set such that the world execute bit is not masked out (i\&.e\&. it must -include 001)\&. See the parameter \fB"create mask"\fP -for details\&. -.IP -\fBDefault:\fP -\f(CW map hidden = no\fP -.IP -\fBExample:\fP -\f(CW map hidden = yes\fP -.IP -.IP "\fBmap system (S)\fP" -.IP -This controls whether DOS style system files should be mapped to the -UNIX group execute bit\&. -.IP -Note that this requires the \fB"create mask"\fP to be -set such that the group execute bit is not masked out (i\&.e\&. it must -include 010)\&. See the parameter \fB"create mask"\fP -for details\&. -.IP -\fBDefault:\fP -\f(CW map system = no\fP -.IP -\fBExample:\fP -\f(CW map system = yes\fP -.IP -.IP "\fBmap to guest (G)\fP" -.IP -This parameter is only useful in \fBsecurity\fP modes -other than \fB"security=share"\fP - i\&.e\&. user, -server, and domain\&. -.IP -This parameter can take three different values, which tell -\fBsmbd\fP what to do with user login requests that -don\'t match a valid UNIX user in some way\&. -.IP -The three settings are : -.IP -.IP -.IP o -\fB"Never"\fP - Means user login requests with an invalid password -are rejected\&. This is the default\&. -.IP -.IP o -\fB"Bad User"\fP - Means user logins with an invalid password are -rejected, unless the username does not exist, in which case it is -treated as a guest login and mapped into the \fB"guest -account"\fP\&. -.IP -.IP o -\fB"Bad Password"\fP - Means user logins with an invalid -password are treated as a guest login and mapped into the -\fB"guest account"\fP\&. Note that this can -cause problems as it means that any user incorrectly typing their -password will be silently logged on a \fB"guest"\fP - and -will not know the reason they cannot access files they think -they should - there will have been no message given to them -that they got their password wrong\&. Helpdesk services will -\fI*hate*\fP you if you set the \fB"map to guest"\fP parameter -this way :-)\&. -.IP -.IP -Note that this parameter is needed to set up \fB"Guest"\fP share -services when using \fBsecurity\fP modes other than -share\&. This is because in these modes the name of the resource being -requested is \fI*not*\fP sent to the server until after the server has -successfully authenticated the client so the server cannot make -authentication decisions at the correct time (connection to the -share) for \fB"Guest"\fP shares\&. -.IP -For people familiar with the older Samba releases, this parameter -maps to the old compile-time setting of the GUEST_SESSSETUP value -in local\&.h\&. -.IP -\fBDefault:\fP -\f(CW map to guest = Never\fP -\fBExample\fP: -\f(CW map to guest = Bad User\fP -.IP -.IP "\fBmax connections (S)\fP" -.IP -This option allows the number of simultaneous connections to a service -to be limited\&. If \fB"max connections"\fP is greater than 0 then -connections will be refused if this number of connections to the -service are already open\&. A value of zero mean an unlimited number of -connections may be made\&. -.IP -Record lock files are used to implement this feature\&. The lock files -will be stored in the directory specified by the \fB"lock -directory"\fP option\&. -.IP -\fBDefault:\fP -\f(CW max connections = 0\fP -.IP -\fBExample:\fP -\f(CW max connections = 10\fP -.IP -.IP "\fBmax disk size (G)\fP" -.IP -This option allows you to put an upper limit on the apparent size of -disks\&. If you set this option to 100 then all shares will appear to be -not larger than 100 MB in size\&. -.IP -Note that this option does not limit the amount of data you can put on -the disk\&. In the above case you could still store much more than 100 -MB on the disk, but if a client ever asks for the amount of free disk -space or the total disk size then the result will be bounded by the -amount specified in \fB"max disk size"\fP\&. -.IP -This option is primarily useful to work around bugs in some pieces of -software that can\'t handle very large disks, particularly disks over -1GB in size\&. -.IP -A \fB"max disk size"\fP of 0 means no limit\&. -.IP -\fBDefault:\fP -\f(CW max disk size = 0\fP -.IP -\fBExample:\fP -\f(CW max disk size = 1000\fP -.IP -.IP "\fBmax log size (G)\fP" -.IP -This option (an integer in kilobytes) specifies the max size the log -file should grow to\&. Samba periodically checks the size and if it is -exceeded it will rename the file, adding a \f(CW"\&.old"\fP extension\&. -.IP -A size of 0 means no limit\&. -.IP -\fBDefault:\fP -\f(CW max log size = 5000\fP -.IP -\fBExample:\fP -\f(CW max log size = 1000\fP -.IP -.IP "\fBmax mux (G)\fP" -.IP -This option controls the maximum number of outstanding simultaneous -SMB operations that samba tells the client it will allow\&. You should -never need to set this parameter\&. -.IP -\fBDefault:\fP -\f(CW max mux = 50\fP -.IP -.IP "\fBmax open files (G)\fP" -.IP -This parameter limits the maximum number of open files that one -\fBsmbd\fP file serving process may have open for -a client at any one time\&. The default for this parameter is set -very high (10,000) as Samba uses only one bit per unopened file\&. -.IP -The limit of the number of open files is usually set by the -UNIX per-process file descriptor limit rather than this parameter -so you should never need to touch this parameter\&. -.IP -\fBDefault:\fP -\f(CW max open files = 10000\fP -.IP -.IP "\fBmax packet (G)\fP" -.IP -Synonym for \fB"packet size"\fP\&. -.IP -.IP "\fBmax ttl (G)\fP" -.IP -This option tells \fBnmbd\fP what the default \'time -to live\' of NetBIOS names should be (in seconds) when -\fBnmbd\fP is requesting a name using either a -broadcast packet or from a WINS server\&. You should never need to -change this parameter\&. The default is 3 days\&. -.IP -\fBDefault:\fP -\f(CW max ttl = 259200\fP -.IP -.IP "\fBmax wins ttl (G)\fP" -.IP -This option tells \fBnmbd\fP when acting as a WINS -server \fB(wins support =true)\fP what the maximum -\'time to live\' of NetBIOS names that \fBnmbd\fP will -grant will be (in seconds)\&. You should never need to change this -parameter\&. The default is 6 days (518400 seconds)\&. -.IP -See also the \fB"min wins ttl"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW max wins ttl = 518400\fP -.IP -.IP "\fBmax xmit (G)\fP" -.IP -This option controls the maximum packet size that will be negotiated -by Samba\&. The default is 65535, which is the maximum\&. In some cases -you may find you get better performance with a smaller value\&. A value -below 2048 is likely to cause problems\&. -.IP -\fBDefault:\fP -\f(CW max xmit = 65535\fP -.IP -\fBExample:\fP -\f(CW max xmit = 8192\fP -.IP -.IP "\fBmessage command (G)\fP" -.IP -This specifies what command to run when the server receives a WinPopup -style message\&. -.IP -This would normally be a command that would deliver the message -somehow\&. How this is to be done is up to your imagination\&. -.IP -An example is: -.IP -\f(CW message command = csh -c \'xedit %s;rm %s\' &\fP -.IP -This delivers the message using \fBxedit\fP, then removes it -afterwards\&. \fINOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN -IMMEDIATELY\fP\&. That\'s why I have the \f(CW\'&\'\fP on the end\&. If it doesn\'t -return immediately then your PCs may freeze when sending messages -(they should recover after 30secs, hopefully)\&. -.IP -All messages are delivered as the global guest user\&. The command takes -the standard substitutions, although \fB%u\fP won\'t work -(\fB%U\fP may be better in this case)\&. -.IP -Apart from the standard substitutions, some additional ones apply\&. In -particular: -.IP -.IP -.IP o -\f(CW"%s"\fP = the filename containing the message\&. -.IP -.IP o -\f(CW"%t"\fP = the destination that the message was sent to (probably the server -name)\&. -.IP -.IP o -\f(CW"%f"\fP = who the message is from\&. -.IP -.IP -You could make this command send mail, or whatever else takes your -fancy\&. Please let us know of any really interesting ideas you have\&. -.IP -Here\'s a way of sending the messages as mail to root: -.IP -\f(CWmessage command = /bin/mail -s \'message from %f on %m\' root < %s; rm %s\fP -.IP -If you don\'t have a message command then the message won\'t be -delivered and Samba will tell the sender there was an -error\&. Unfortunately WfWg totally ignores the error code and carries -on regardless, saying that the message was delivered\&. -.IP -If you want to silently delete it then try: -.IP -\f(CW"message command = rm %s"\fP\&. -.IP -\fBDefault:\fP -\f(CW no message command\fP -.IP -\fBExample:\fP -\f(CW message command = csh -c \'xedit %s;rm %s\' &\fP -.IP -.IP "\fBmin print space (S)\fP" -.IP -This sets the minimum amount of free disk space that must be available -before a user will be able to spool a print job\&. It is specified in -kilobytes\&. The default is 0, which means a user can always spool a print -job\&. -.IP -See also the \fBprinting\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW min print space = 0\fP -.IP -\fBExample:\fP -\f(CW min print space = 2000\fP -.IP -.IP "\fBmin passwd length (G)\fP" -.IP -Synonym for \fB"min password length"\fP\&. -.IP -.IP "\fBmin password length (G)\fP" -.IP -This option sets the minimum length in characters of a plaintext password -than smbd will accept when performing UNIX password changing\&. -.IP -See also \fB"unix password sync"\fP, -\fB"passwd program"\fP and \fB"passwd chat -debug"\fP\&. -.IP -\fBDefault:\fP -\f(CW min password length = 5\fP -.IP -.IP "\fBmin wins ttl (G)\fP" -.IP -This option tells \fBnmbd\fP when acting as a WINS -server \fB(wins support = true)\fP what the minimum -\'time to live\' of NetBIOS names that \fBnmbd\fP will -grant will be (in seconds)\&. You should never need to change this -parameter\&. The default is 6 hours (21600 seconds)\&. -.IP -\fBDefault:\fP -\f(CW min wins ttl = 21600\fP -.IP -.IP "\fBname resolve order (G)\fP" -.IP -This option is used by the programs in the Samba suite to determine -what naming services and in what order to resolve host names to IP -addresses\&. The option takes a space separated string of different name -resolution options\&. -.IP -The options are :"lmhosts", "host", "wins" and "bcast"\&. They cause -names to be resolved as follows : -.IP -.IP -.IP o -\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&. -If the line in lmhosts has no name type attached to the NetBIOS -name (see the \fBlmhosts (5)\fP for details) then -any name type matches for lookup\&. -.IP -.IP o -\fBhost\fP : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups\&. This method of name -resolution is operating system depended for instance on IRIX or -Solaris this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&. -Note that this method is only used if the NetBIOS name type being -queried is the 0x20 (server) name type, otherwise it is ignored\&. -.IP -.IP o -\fBwins\fP : Query a name with the IP address listed in the -\fBwins server\fP parameter\&. If no WINS server has -been specified this method will be ignored\&. -.IP -.IP o -\fBbcast\fP : Do a broadcast on each of the known local interfaces -listed in the \fBinterfaces\fP parameter\&. This is the -least reliable of the name resolution methods as it depends on the -target host being on a locally connected subnet\&. -.IP -.IP -\fBDefault:\fP -\f(CW name resolve order = lmhosts host wins bcast\fP -.IP -\fBExample:\fP -\f(CW name resolve order = lmhosts bcast host\fP -.IP -This will cause the local lmhosts file to be examined first, followed -by a broadcast attempt, followed by a normal system hostname lookup\&. -.IP -.IP "\fBnetbios aliases (G)\fP" -.IP -This is a list of NetBIOS names that \fBnmbd\fP will -advertise as additional names by which the Samba server is known\&. This -allows one machine to appear in browse lists under multiple names\&. If -a machine is acting as a \fBbrowse server\fP or -\fBlogon server\fP none of these names will be -advertised as either browse server or logon servers, only the primary -name of the machine will be advertised with these capabilities\&. -.IP -See also \fB"netbios name"\fP\&. -.IP -\fBDefault:\fP -\f(CW empty string (no additional names)\fP -.IP -\fBExample:\fP -\f(CW netbios aliases = TEST TEST1 TEST2\fP -.IP -.IP "\fBnetbios name (G)\fP" -.IP -This sets the NetBIOS name by which a Samba server is known\&. By -default it is the same as the first component of the host\'s DNS name\&. -If a machine is a \fBbrowse server\fP or -\fBlogon server\fP this name (or the first component -of the hosts DNS name) will be the name that these services are -advertised under\&. -.IP -See also \fB"netbios aliases"\fP\&. -.IP -\fBDefault:\fP -\f(CW Machine DNS name\&.\fP -.IP -\fBExample:\fP -\f(CW netbios name = MYNAME\fP -.IP -.IP "\fBnetbios scope (G)\fP" -.IP -This sets the NetBIOS scope that Samba will operate under\&. This should -not be set unless every machine on your LAN also sets this value\&. -.IP -.IP "\fBnis homedir (G)\fP" -.IP -Get the home share server from a NIS map\&. For UNIX systems that use an -automounter, the user\'s home directory will often be mounted on a -workstation on demand from a remote server\&. -.IP -When the Samba logon server is not the actual home directory server, -but is mounting the home directories via NFS then two network hops -would be required to access the users home directory if the logon -server told the client to use itself as the SMB server for home -directories (one over SMB and one over NFS)\&. This can be very -slow\&. -.IP -This option allows Samba to return the home share as being on a -different server to the logon server and as long as a Samba daemon is -running on the home directory server, it will be mounted on the Samba -client directly from the directory server\&. When Samba is returning the -home share to the client, it will consult the NIS map specified in -\fB"homedir map"\fP and return the server listed -there\&. -.IP -Note that for this option to work there must be a working NIS -system and the Samba server with this option must also be a -\fBlogon server\fP\&. -.IP -\fBDefault:\fP -\f(CW nis homedir = false\fP -.IP -\fBExample:\fP -\f(CW nis homedir = true\fP -.IP -.IP "\fBnt acl support (G)\fP" -.IP -This boolean parameter controls whether \fBsmbd\fP -will attempt to map UNIX permissions into Windows NT access control lists\&. -.IP -\fBDefault:\fP -\f(CW nt acl support = yes\fP -.IP -\fBExample:\fP -\f(CW nt acl support = no\fP -.IP -.IP "\fBnt pipe support (G)\fP" -.IP -This boolean parameter controls whether \fBsmbd\fP -will allow Windows NT clients to connect to the NT SMB specific -\f(CWIPC$\fP pipes\&. This is a developer debugging option and can be left -alone\&. -.IP -\fBDefault:\fP -\f(CW nt pipe support = yes\fP -.IP -.IP "\fBnt smb support (G)\fP" -.IP -This boolean parameter controls whether \fBsmbd\fP -will negotiate NT specific SMB support with Windows NT -clients\&. Although this is a developer debugging option and should be -left alone, benchmarking has discovered that Windows NT clients give -faster performance with this option set to \f(CW"no"\fP\&. This is still -being investigated\&. If this option is set to \f(CW"no"\fP then Samba -offers exactly the same SMB calls that versions prior to Samba2\&.0 -offered\&. This information may be of use if any users are having -problems with NT SMB support\&. -.IP -\fBDefault:\fP -\f(CW nt support = yes\fP -.IP -.IP "\fBnull passwords (G)\fP" -.IP -Allow or disallow client access to accounts that have null passwords\&. -.IP -See also \fBsmbpasswd (5)\fP\&. -.IP -\fBDefault:\fP -\f(CW null passwords = no\fP -.IP -\fBExample:\fP -\f(CW null passwords = yes\fP -.IP -.IP "\fBole locking compatibility (G)\fP" -.IP -This parameter allows an administrator to turn off the byte range lock -manipulation that is done within Samba to give compatibility for OLE -applications\&. Windows OLE applications use byte range locking as a -form of inter-process communication, by locking ranges of bytes around -the 2^32 region of a file range\&. This can cause certain UNIX lock -managers to crash or otherwise cause problems\&. Setting this parameter -to \f(CW"no"\fP means you trust your UNIX lock manager to handle such cases -correctly\&. -.IP -\fBDefault:\fP -\f(CW ole locking compatibility = yes\fP -.IP -\fBExample:\fP -\f(CW ole locking compatibility = no\fP -.IP -.IP "\fBonly guest (S)\fP" -.IP -A synonym for \fB"guest only"\fP\&. -.IP -.IP "\fBonly user (S)\fP" -.IP -This is a boolean option that controls whether connections with -usernames not in the \fBuser=\fP list will be allowed\&. By -default this option is disabled so a client can supply a username to -be used by the server\&. -.IP -Note that this also means Samba won\'t try to deduce usernames from the -service name\&. This can be annoying for the \fB[homes]\fP -section\&. To get around this you could use "\fBuser\fP = -\fB%S\fP" which means your \fB"user"\fP list -will be just the service name, which for home directories is the name -of the user\&. -.IP -See also the \fBuser\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW only user = False\fP -.IP -\fBExample:\fP -\f(CW only user = True\fP -.IP -.IP "\fBoplocks (S)\fP" -.IP -This boolean option tells smbd whether to issue oplocks (opportunistic -locks) to file open requests on this share\&. The oplock code can -dramatically (approx\&. 30% or more) improve the speed of access to files -on Samba servers\&. It allows the clients to aggressively cache files -locally and you may want to disable this option for unreliable network -environments (it is turned on by default in Windows NT Servers)\&. For -more information see the file Speed\&.txt in the Samba docs/ directory\&. -.IP -Oplocks may be selectively turned off on certain files on a per share basis\&. -See the \'veto oplock files\' parameter\&. On some systems oplocks are recognized -by the underlying operating system\&. This allows data synchronization between -all access to oplocked files, whether it be via Samba or NFS or a local -UNIX process\&. See the \fBkernel oplocks\fP parameter -for details\&. -.IP -See also the \fB"kernel oplocks"\fP and -\fB"level2 oplocks"\fP parameters\&. -.IP -\fBDefault:\fP -\f(CW oplocks = True\fP -.IP -\fBExample:\fP -\f(CW oplocks = False\fP -.IP -.IP "\fBoplock break wait time (G)\fP" -.IP -This is a tuning parameter added due to bugs in both Windows 9x and WinNT\&. -If Samba responds to a client too quickly when that client issues an SMB that -can cause an oplock break request, then the client redirector can fail and -not respond to the break request\&. This tuning parameter (which is set in -milliseconds) is the amount of time Samba will wait before sending an -oplock break request to such (broken) clients\&. -.IP -\fIDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA -OPLOCK CODE\fP\&. -.IP -\fBDefault:\fP -\f(CW oplock break wait time = 10\fP -.IP -.IP "\fBoplock contention limit (S)\fP" -.IP -This is a \fIvery\fP advanced \fBsmbd\fP tuning option to improve -the efficiency of the granting of oplocks under multiple client contention for the same file\&. -.IP -In brief it specifies a number, which causes smbd not to grant an oplock even -when requested if the approximate number of clients contending for an oplock on -the same file goes over this limit\&. This causes \fBsmbd\fP to -behave in a similar way to Windows NT\&. -.IP -\fIDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA -OPLOCK CODE\fP\&. -.IP -\fBDefault:\fP -\f(CW oplock contention limit = 2\fP -.IP -.IP "\fBos level (G)\fP" -.IP -This integer value controls what level Samba advertises itself as for -browse elections\&. The value of this parameter determines whether -\fBnmbd\fP has a chance of becoming a local master -browser for the \fBWORKGROUP\fP in the local broadcast -area\&. The default is zero, which means \fBnmbd\fP will -lose elections to Windows machines\&. See BROWSING\&.txt in the Samba -docs/ directory for details\&. -.IP -\fBDefault:\fP -\f(CW os level = 20\fP -.IP -\fBExample:\fP -\f(CW os level = 65 ; This will win against any NT Server\fP -.IP -.IP "\fBpacket size (G)\fP" -.IP -This is a deprecated parameter that has no effect on the current -Samba code\&. It is left in the parameter list to prevent breaking -old \fBsmb\&.conf\fP files\&. -.IP -.IP "\fBpanic action (G)\fP" -.IP -This is a Samba developer option that allows a system command to be -called when either \fBsmbd\fP or -\fBnmbd\fP crashes\&. This is usually used to draw -attention to the fact that a problem occurred\&. -.IP -\fBDefault:\fP -\f(CW panic action = \fP -.IP -.IP "\fBpasswd chat (G)\fP" -.IP -This string controls the \fI"chat"\fP conversation that takes places -between \fBsmbd\fP and the local password changing -program to change the users password\&. The string describes a sequence -of response-receive pairs that \fBsmbd\fP uses to -determine what to send to the \fBpasswd\fP program -and what to expect back\&. If the expected output is not received then -the password is not changed\&. -.IP -This chat sequence is often quite site specific, depending on what -local methods are used for password control (such as NIS etc)\&. -.IP -The string can contain the macros \f(CW"%o"\fP and \f(CW"%n"\fP which are -substituted for the old and new passwords respectively\&. It can also -contain the standard macros \f(CW"\en"\fP, \f(CW"\er"\fP, \f(CW"\et"\fP and \f(CW"\es"\fP -to give line-feed, carriage-return, tab and space\&. -.IP -The string can also contain a \f(CW\'*\'\fP which matches any sequence of -characters\&. -.IP -Double quotes can be used to collect strings with spaces in them into -a single string\&. -.IP -If the send string in any part of the chat sequence is a fullstop -\f(CW"\&."\fP then no string is sent\&. Similarly, is the expect string is a -fullstop then no string is expected\&. -.IP -Note that if the \fB"unix password sync"\fP -parameter is set to true, then this sequence is called \fI*AS ROOT*\fP -when the SMB password in the smbpasswd file is being changed, without -access to the old password cleartext\&. In this case the old password -cleartext is set to \f(CW""\fP (the empty string)\&. -.IP -See also \fB"unix password sync"\fP, -\fB"passwd program"\fP and \fB"passwd chat -debug"\fP\&. -.IP -\fBExample:\fP - -.nf - - passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*" +Default: \fBserver string = Samba %v\fR -.fi - +Example: \fBserver string = University of GNUs Samba +Server\fR +.TP +\fBset directory (S)\fR +If \fBset directory = no\fR, then +users of the service may not use the setdir command to change +directory. -.IP -\fBDefault:\fP +The \fBsetdir\fR command is only implemented +in the Digital Pathworks client. See the Pathworks documentation +for details. -.nf - - passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed* -.fi - +Default: \fBset directory = no\fR +.TP +\fBshare modes (S)\fR +This enables or disables the honoring of +the \fIshare modes\fR during a file open. These +modes are used by clients to gain exclusive read or write access +to a file. -.IP -.IP "\fBpasswd chat debug (G)\fP" -.IP -This boolean specifies if the passwd chat script parameter is run in -\f(CW"debug"\fP mode\&. In this mode the strings passed to and received from -the passwd chat are printed in the \fBsmbd\fP log with -a \fB"debug level"\fP of 100\&. This is a dangerous -option as it will allow plaintext passwords to be seen in the -\fBsmbd\fP log\&. It is available to help Samba admins -debug their \fB"passwd chat"\fP scripts when calling -the \fB"passwd program"\fP and should be turned off -after this has been done\&. This parameter is off by default\&. -.IP -See also \fB"passwd chat"\fP, \fB"passwd -program"\fP\&. -.IP -\fBExample:\fP -\f(CW passwd chat debug = True\fP -.IP -\fBDefault:\fP -\f(CW passwd chat debug = False\fP -.IP -.IP "\fBpasswd program (G)\fP" -.IP -The name of a program that can be used to set UNIX user passwords\&. -Any occurrences of \fB%u\fP will be replaced with the -user name\&. The user name is checked for existence before calling the -password changing program\&. -.IP -Also note that many passwd programs insist in \fI"reasonable"\fP -passwords, such as a minimum length, or the inclusion of mixed case -chars and digits\&. This can pose a problem as some clients (such as -Windows for Workgroups) uppercase the password before sending it\&. -.IP -\fINote\fP that if the \fB"unix password sync"\fP -parameter is set to \f(CW"True"\fP then this program is called \fI*AS -ROOT*\fP before the SMB password in the -\fBsmbpasswd\fP file is changed\&. If this UNIX -password change fails, then \fBsmbd\fP will fail to -change the SMB password also (this is by design)\&. -.IP -If the \fB"unix password sync"\fP parameter is -set this parameter \fIMUST USE ABSOLUTE PATHS\fP for \fIALL\fP programs -called, and must be examined for security implications\&. Note that by -default \fB"unix password sync"\fP is set to -\f(CW"False"\fP\&. -.IP -See also \fB"unix password sync"\fP\&. -.IP -\fBDefault:\fP -\f(CW passwd program = /bin/passwd\fP -.IP -\fBExample:\fP -\f(CW passwd program = /sbin/passwd %u\fP -.IP -.IP "\fBpassword level (G)\fP" -.IP -Some client/server combinations have difficulty with mixed-case -passwords\&. One offending client is Windows for Workgroups, which for -some reason forces passwords to upper case when using the LANMAN1 -protocol, but leaves them alone when using COREPLUS! -.IP -This parameter defines the maximum number of characters that may be -upper case in passwords\&. -.IP -For example, say the password given was \f(CW"FRED"\fP\&. If \fBpassword -level\fP is set to 1, the following combinations would be tried if -\f(CW"FRED"\fP failed: -.IP -\f(CW"Fred"\fP, \f(CW"fred"\fP, \f(CW"fRed"\fP, \f(CW"frEd"\fP, \f(CW"freD"\fP -.IP -If \fBpassword level\fP was set to 2, the following combinations would -also be tried: -.IP -\f(CW"FRed"\fP, \f(CW"FrEd"\fP, \f(CW"FreD"\fP, \f(CW"fREd"\fP, \f(CW"fReD"\fP, -\f(CW"frED"\fP, \f(CW\&.\&.\fP -.IP -And so on\&. -.IP -The higher value this parameter is set to the more likely it is that a -mixed case password will be matched against a single case -password\&. However, you should be aware that use of this parameter -reduces security and increases the time taken to process a new -connection\&. -.IP -A value of zero will cause only two attempts to be made - the password -as is and the password in all-lower case\&. -.IP -\fBDefault:\fP -\f(CW password level = 0\fP -.IP -\fBExample:\fP -\f(CW password level = 4\fP -.IP -.IP "\fBpassword server (G)\fP" -.IP -By specifying the name of another SMB server (such as a WinNT box) -with this option, and using \fB"security = domain"\fP or -\fB"security = server"\fP you can get Samba to do all -its username/password validation via a remote server\&. -.IP -This options sets the name of the password server to use\&. It must be a -NetBIOS name, so if the machine\'s NetBIOS name is different from its -internet name then you may have to add its NetBIOS name to the lmhosts -file which is stored in the same directory as the \fBsmb\&.conf\fP file\&. -.IP -The name of the password server is looked up using the parameter -\fB"name resolve order="\fP and so may resolved -by any method and order described in that parameter\&. -.IP -The password server much be a machine capable of using the "LM1\&.2X002" -or the "LM NT 0\&.12" protocol, and it must be in user level security -mode\&. -.IP -NOTE: Using a password server means your UNIX box (running Samba) is -only as secure as your password server\&. \fIDO NOT CHOOSE A PASSWORD -SERVER THAT YOU DON\'T COMPLETELY TRUST\fP\&. -.IP -Never point a Samba server at itself for password serving\&. This will -cause a loop and could lock up your Samba server! -.IP -The name of the password server takes the standard substitutions, but -probably the only useful one is \fB%m\fP, which means -the Samba server will use the incoming client as the password -server\&. If you use this then you better trust your clients, and you -better restrict them with hosts allow! -.IP -If the \fB"security"\fP parameter is set to -\fB"domain"\fP, then the list of machines in this option must be a list -of Primary or Backup Domain controllers for the -\fBDomain\fP or the character \f(CW*\fP, as the Samba server is cryptographicly -in that domain, and will use cryptographicly authenticated RPC calls -to authenticate the user logging on\&. The advantage of using -\fB"security=domain"\fP is that if you list -several hosts in the \fB"password server"\fP option then -\fBsmbd\fP will try each in turn till it finds one -that responds\&. This is useful in case your primary server goes down\&. -.IP -If the \fB"password server"\fP option is set to the character \f(CW*\fP, -then Samba will attempt to auto-locate the Primary or Backup Domain controllers -to authenticate against by doing a query for the name \f(CWWORKGROUP<1C>\fP -and then contacting each server returned in the list of IP addresses -from the \fBname resolution\fP source\&. -.IP -If the \fB"security"\fP parameter is set to -\fB"server"\fP, then there are different -restrictions that \fB"security=domain"\fP -doesn\'t suffer from: -.IP -.IP -.IP o -You may list several password servers in the \fB"password server"\fP -parameter, however if an \fBsmbd\fP makes a connection -to a password server, and then the password server fails, no more -users will be able to be authenticated from this -\fBsmbd\fP\&. This is a restriction of the SMB/CIFS -protocol when in \fB"security=server"\fP mode -and cannot be fixed in Samba\&. -.IP -.IP o -If you are using a Windows NT server as your password server then -you will have to ensure that your users are able to login from the -Samba server, as when in -\fB"security=server"\fP mode the network -logon will appear to come from there rather than from the users -workstation\&. -.IP -.IP -See also the \fB"security"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW password server = \fP -.IP -\fBExample:\fP -\f(CW password server = NT-PDC, NT-BDC1, NT-BDC2\fP -.IP -\fBExample:\fP -\f(CW password server = *\fP -.IP -.IP "\fBpath (S)\fP" -.IP -This parameter specifies a directory to which the user of the service -is to be given access\&. In the case of printable services, this is -where print data will spool prior to being submitted to the host for -printing\&. -.IP -For a printable service offering guest access, the service should be -readonly and the path should be world-writeable and have the sticky bit -set\&. This is not mandatory of course, but you probably won\'t get the -results you expect if you do otherwise\&. -.IP -Any occurrences of \fB%u\fP in the path will be replaced -with the UNIX username that the client is using on this -connection\&. Any occurrences of \fB%m\fP will be replaced -by the NetBIOS name of the machine they are connecting from\&. These -replacements are very useful for setting up pseudo home directories -for users\&. -.IP -Note that this path will be based on \fB"root dir"\fP if -one was specified\&. -.IP -\fBDefault:\fP -\f(CW none\fP -.IP -\fBExample:\fP -\f(CW path = /home/fred\fP -.IP -.IP "\fBpostexec (S)\fP" -.IP -This option specifies a command to be run whenever the service is -disconnected\&. It takes the usual substitutions\&. The command may be run -as the root on some systems\&. -.IP -An interesting example may be do unmount server resources: -.IP -\f(CWpostexec = /etc/umount /cdrom\fP -.IP -See also \fBpreexec\fP\&. -.IP -\fBDefault:\fP -\f(CW none (no command executed)\fP -.IP -\fBExample:\fP -\f(CW postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log\fP -.IP -.IP "\fBpostscript (S)\fP" -.IP -This parameter forces a printer to interpret the print files as -postscript\&. This is done by adding a \f(CW%!\fP to the start of print output\&. -.IP -This is most useful when you have lots of PCs that persist in putting -a control-D at the start of print jobs, which then confuses your -printer\&. -.IP -\fBDefault:\fP -\f(CW postscript = False\fP -.IP -\fBExample:\fP -\f(CW postscript = True\fP -.IP -.IP "\fBpreexec (S)\fP" -.IP -This option specifies a command to be run whenever the service is -connected to\&. It takes the usual substitutions\&. -.IP -An interesting example is to send the users a welcome message every -time they log in\&. Maybe a message of the day? Here is an example: -.IP - -.nf - +These open modes are not directly supported by UNIX, so +they are simulated using shared memory, or lock files if your +UNIX doesn't support shared memory (almost all do). - preexec = csh -c \'echo \e"Welcome to %S!\e" | /usr/local/samba/bin/smbclient -M %m -I %I\' & +The share modes that are enabled by this option are +DENY_DOS, DENY_ALL, +DENY_READ, DENY_WRITE, +DENY_NONE and DENY_FCB. -.fi - +This option gives full share compatibility and enabled +by default. -.IP -Of course, this could get annoying after a while :-) -.IP -See also \fBpreexec close\fP and \fBpostexec\fP\&. -.IP -\fBDefault:\fP -\f(CW none (no command executed)\fP -.IP -\fBExample:\fP -\f(CW preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log\fP -.IP -.IP "\fBpreexec close (S)\fP" -.IP -This boolean option controls whether a non-zero return code from -\fB"preexec"\fP should close the service being connected to\&. -.IP -\fBDefault:\fP -\f(CW preexec close = no\fP -.IP -\fBExample:\fP -\f(CW preexec close = yes\fP -.IP -.IP "\fBpreferred master (G)\fP" -.IP -This boolean parameter controls if \fBnmbd\fP is a -preferred master browser for its workgroup\&. -.IP -If this is set to true, on startup, \fBnmbd\fP will -force an election, and it will have a slight advantage in winning the -election\&. It is recommended that this parameter is used in -conjunction with \fB"domain master = yes"\fP, so -that \fBnmbd\fP can guarantee becoming a domain -master\&. -.IP -Use this option with caution, because if there are several hosts -(whether Samba servers, Windows 95 or NT) that are preferred master -browsers on the same subnet, they will each periodically and -continuously attempt to become the local master browser\&. This will -result in unnecessary broadcast traffic and reduced browsing -capabilities\&. -.IP -See also \fBos level\fP\&. -.IP -\fBDefault:\fP -\f(CW preferred master = no\fP -.IP -\fBExample:\fP -\f(CW preferred master = yes\fP -.IP -.IP "\fBprefered master (G)\fP" -.IP -Synonym for \fB"preferred master"\fP for people -who cannot spell :-)\&. -.IP -.IP "\fBpreload\fP" -Synonym for \fB"auto services"\fP\&. -.IP -.IP "\fBpreserve case (S)\fP" -.IP -This controls if new filenames are created with the case that the -client passes, or if they are forced to be the \f(CW"default"\fP case\&. -.IP -\fBDefault:\fP -\f(CW preserve case = yes\fP -.IP -See the section on \fB"NAME MANGLING"\fP for a -fuller discussion\&. -.IP -.IP "\fBprint command (S)\fP" -.IP -After a print job has finished spooling to a service, this command -will be used via a \f(CWsystem()\fP call to process the spool -file\&. Typically the command specified will submit the spool file to -the host\'s printing subsystem, but there is no requirement that this -be the case\&. The server will not remove the spool file, so whatever -command you specify should remove the spool file when it has been -processed, otherwise you will need to manually remove old spool files\&. -.IP -The print command is simply a text string\&. It will be used verbatim, -with two exceptions: All occurrences of \f(CW"%s"\fP and \f(CW"%f"\fP will be -replaced by the appropriate spool file name, and all occurrences of -\f(CW"%p"\fP will be replaced by the appropriate printer name\&. The spool -file name is generated automatically by the server, the printer name -is discussed below\&. -.IP -The print command \fIMUST\fP contain at least one occurrence of \f(CW"%s"\fP -or \f(CW"%f"\fP - the \f(CW"%p"\fP is optional\&. At the time a job is -submitted, if no printer name is supplied the \f(CW"%p"\fP will be -silently removed from the printer command\&. -.IP -If specified in the \fB"[global]"\fP section, the print -command given will be used for any printable service that does not -have its own print command specified\&. -.IP -If there is neither a specified print command for a printable service -nor a global print command, spool files will be created but not -processed and (most importantly) not removed\&. -.IP -Note that printing may fail on some UNIXs from the \f(CW"nobody"\fP -account\&. If this happens then create an alternative guest account that -can print and set the \fB"guest account"\fP in the -\fB"[global]"\fP section\&. -.IP -You can form quite complex print commands by realizing that they are -just passed to a shell\&. For example the following will log a print -job, print the file, then remove it\&. Note that \f(CW\';\'\fP is the usual -separator for command in shell scripts\&. -.IP -\f(CWprint command = echo Printing %s >> /tmp/print\&.log; lpr -P %p %s; rm %s\fP -.IP -You may have to vary this command considerably depending on how you -normally print files on your system\&. The default for the parameter -varies depending on the setting of the \fB"printing="\fP -parameter\&. -.IP -\fBDefault:\fP -For \fB"printing="\fP BSD, AIX, QNX, LPRNG or PLP : -\f(CW print command = lpr -r -P%p %s\fP -.IP -For \fB"printing="\fP SYS or HPUX : -\f(CW print command = lp -c -d%p %s; rm %s\fP -.IP -For \fB"printing="\fP SOFTQ : -\f(CW print command = lp -d%p -s %s; rm %s\fP -.IP -\fBExample:\fP -\f(CW print command = /usr/local/samba/bin/myprintscript %p %s\fP -.IP -.IP "\fBprint ok (S)\fP" -.IP -Synonym for \fBprintable\fP\&. -.IP -.IP "\fBprintable (S)\fP" -.IP -If this parameter is \f(CW"yes"\fP, then clients may open, write to and -submit spool files on the directory specified for the service\&. -.IP -Note that a printable service will ALWAYS allow writing to the service -path (user privileges permitting) via the spooling of print data\&. The -\fB"writeable"\fP parameter controls only non-printing -access to the resource\&. -.IP -\fBDefault:\fP -\f(CW printable = no\fP -.IP -\fBExample:\fP -\f(CW printable = yes\fP -.IP -.IP "\fBprintcap (G)\fP" -.IP -Synonym for \fBprintcapname\fP\&. -.IP -.IP "\fBprinter admin (S)\fP" -.IP -This is a list of users that can do anything to printers via the -remote administration interfaces offered by MSRPC (usually using a NT -workstation)\&. Note that the root user always has admin rights\&. -.IP -\fBDefault:\fP -\f(CW printer admin = \fP -.IP -\fBExample:\fP -\f(CW printer admin = admin, @staff\fP -.IP -.IP "\fBprintcap name (G)\fP" -.IP -This parameter may be used to override the compiled-in default -printcap name used by the server (usually /etc/printcap)\&. See the -discussion of the \fB[printers]\fP section above for -reasons why you might want to do this\&. -.IP -On System V systems that use \fBlpstat\fP to list available printers you -can use \f(CW"printcap name = lpstat"\fP to automatically obtain lists of -available printers\&. This is the default for systems that define SYSV -at configure time in Samba (this includes most System V based -systems)\&. If \fB"printcap name"\fP is set to \fBlpstat\fP on these systems -then Samba will launch \f(CW"lpstat -v"\fP and attempt to parse the output -to obtain a printer list\&. -.IP -A minimal printcap file would look something like this: -.IP +You should \fBNEVER\fR turn this parameter +off as many Windows applications will break if you do so. -.nf - +Default: \fBshare modes = yes\fR +.TP +\fBshared mem size (G)\fR +It specifies the size of the shared memory (in +bytes) to use between smbd(8) +processes. This parameter defaults to one megabyte of shared +memory. It is possible that if you have a large erver with many +files open simultaneously that you may need to increase this +parameter. Signs that this parameter is set too low are users +reporting strange problems trying to save files (locking errors) +and error messages in the smbd log looking like \fBERROR +smb_shm_alloc : alloc of XX bytes failed\fR. - print1|My Printer 1 - print2|My Printer 2 - print3|My Printer 3 - print4|My Printer 4 - print5|My Printer 5 +If your OS refuses the size that Samba asks for then +Samba will try a smaller size, reducing by a factor of 0.8 until +the OS accepts it. -.fi - +Default: \fBshared mem size = 1048576\fR -.IP -where the \f(CW\'|\'\fP separates aliases of a printer\&. The fact that the -second alias has a space in it gives a hint to Samba that it\'s a -comment\&. -.IP -\fINOTE\fP: Under AIX the default printcap name is -\f(CW"/etc/qconfig"\fP\&. Samba will assume the file is in AIX \f(CW"qconfig"\fP -format if the string \f(CW"/qconfig"\fP appears in the printcap filename\&. -.IP -\fBDefault:\fP -\f(CW printcap name = /etc/printcap\fP -.IP -\fBExample:\fP -\f(CW printcap name = /etc/myprintcap\fP -.IP -.IP "\fBprinter (S)\fP" -.IP -This parameter specifies the name of the printer to which print jobs -spooled through a printable service will be sent\&. -.IP -If specified in the \fB[global]\fP section, the printer -name given will be used for any printable service that does not have -its own printer name specified\&. -.IP -\fBDefault:\fP -none (but may be \f(CW"lp"\fP on many systems) -.IP -\fBExample:\fP -printer name = laserwriter -.IP -.IP "\fBprinter driver (S)\fP" -.IP -This option allows you to control the string that clients receive when -they ask the server for the printer driver associated with a -printer\&. If you are using Windows95 or WindowsNT then you can use this -to automate the setup of printers on your system\&. -.IP -You need to set this parameter to the exact string (case sensitive) -that describes the appropriate printer driver for your system\&. If you -don\'t know the exact string to use then you should first try with no -\fB"printer driver"\fP option set and the client will give you a list of -printer drivers\&. The appropriate strings are shown in a scrollbox -after you have chosen the printer manufacturer\&. -.IP -See also \fB"printer driver file"\fP\&. -.IP -\fBExample:\fP -printer driver = HP LaserJet 4L -.IP -.IP "\fBprinter driver file (G)\fP" -.IP -This parameter tells Samba where the printer driver definition file, -used when serving drivers to Windows 95 clients, is to be found\&. If -this is not set, the default is : -.IP -\f(CWSAMBA_INSTALL_DIRECTORY/lib/printers\&.def\fP -.IP -This file is created from Windows 95 \f(CW"msprint\&.inf"\fP files found on -the Windows 95 client system\&. For more details on setting up serving -of printer drivers to Windows 95 clients, see the documentation file -in the docs/ directory, PRINTER_DRIVER\&.txt\&. -.IP -\fBDefault:\fP -\f(CW None (set in compile)\&.\fP -.IP -\fBExample:\fP -\f(CW printer driver file = /usr/local/samba/printers/drivers\&.def\fP -.IP -See also \fB"printer driver location"\fP\&. -.IP -.IP "\fBprinter driver location (S)\fP" -.IP -This parameter tells clients of a particular printer share where to -find the printer driver files for the automatic installation of -drivers for Windows 95 machines\&. If Samba is set up to serve printer -drivers to Windows 95 machines, this should be set to -.IP -\f(CW\e\eMACHINE\ePRINTER$\fP -.IP -Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ -is a share you set up for serving printer driver files\&. For more -details on setting this up see the documentation file in the docs/ -directory, PRINTER_DRIVER\&.txt\&. -.IP -\fBDefault:\fP -\f(CW None\fP -.IP -\fBExample:\fP -\f(CW printer driver location = \e\eMACHINE\ePRINTER$\fP -.IP -See also \fB"printer driver file"\fP\&. -.IP -.IP "\fBprinter name (S)\fP" -.IP -Synonym for \fBprinter\fP\&. -.IP -.IP "\fBprinting (S)\fP" -.IP -This parameters controls how printer status information is interpreted -on your system\&. It also affects the default values for the -\fB"print command"\fP, \fB"lpq -command"\fP \fB"lppause command"\fP, -\fB"lpresume command"\fP, and \fB"lprm -command"\fP if specified in the \fB[global]\fP -section\&. -.IP -Currently eight printing styles are supported\&. They are -\fB"printing=BSD"\fP, \fB"printing=AIX"\fP, -\fB"printing=LPRNG"\fP, \fB"printing=PLP"\fP, \fB"printing=SYSV"\fP, -\fB"printing="HPUX"\fP, \fB"printing=QNX"\fP, \fB"printing=SOFTQ"\fP, -and \fB"printing=CUPS"\fP\&. -.IP -To see what the defaults are for the other print commands when using -the various options use the \fB"testparm"\fP program\&. -.IP -This option can be set on a per printer basis -.IP -See also the discussion in the \fB[printers]\fP section\&. -.IP -.IP "\fBprivate dir(G)\fP" -.IP -The \fBprivate dir\fP parameter allows an administator to define a -directory path used to hold the various databases Samba will use -to store things like a the machine trust account information -when acting as a domain member (i\&.e\&. where the secrets\&.tdb file will -be located), where the passdb\&.tbd file will stored in the case -of using the experiemental tdbsam support, etc\&.\&.\&. -.IP -\fBDefault:\fP -\f(CW private dir = \fP -.IP -\fBExample:\fP -\f(CW private dir = /etc/smbprivate\fP -.IP -.IP "\fBprotocol (G)\fP" -.IP -The value of the parameter (a string) is the highest protocol level -that will be supported by the server\&. -.IP -Possible values are : -.IP -.IP -.IP o -CORE: Earliest version\&. No concept of user names\&. -.IP -.IP o -COREPLUS: Slight improvements on CORE for efficiency\&. -.IP -.IP o -LANMAN1: First \fI"modern"\fP version of the protocol\&. Long -filename support\&. -.IP -.IP o -LANMAN2: Updates to Lanman1 protocol\&. -.IP -.IP o -NT1: Current up to date version of the protocol\&. Used by Windows -NT\&. Known as CIFS\&. -.IP -.IP -Normally this option should not be set as the automatic negotiation -phase in the SMB protocol takes care of choosing the appropriate -protocol\&. -.IP -\fBDefault:\fP -\f(CW protocol = NT1\fP -.IP -\fBExample:\fP -\f(CW protocol = LANMAN1\fP -.IP -.IP "\fBpublic (S)\fP" -.IP -Synonym for \fB"guest ok"\fP\&. -.IP -.IP "\fBqueuepause command (S)\fP" -.IP -This parameter specifies the command to be executed on the server host -in order to pause the printerqueue\&. -.IP -This command should be a program or script which takes a printer name -as its only parameter and stops the printerqueue, such that no longer -jobs are submitted to the printer\&. -.IP -This command is not supported by Windows for Workgroups, but can be -issued from the Printer\'s window under Windows 95 & NT\&. -.IP -If a \f(CW"%p"\fP is given then the printername is put in its -place\&. Otherwise it is placed at the end of the command\&. -.IP -Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server\&. -.IP -\fBDefault:\fP -\f(CW depends on the setting of "printing ="\fP -.IP -\fBExample:\fP -\f(CW queuepause command = disable %p\fP -.IP -.IP "\fBqueueresume command (S)\fP" -.IP -This parameter specifies the command to be executed on the server host -in order to resume the printerqueue\&. It is the command to undo the -behavior that is caused by the previous parameter -(\fB"queuepause command\fP)\&. -.IP -This command should be a program or script which takes a printer name -as its only parameter and resumes the printerqueue, such that queued -jobs are resubmitted to the printer\&. -.IP -This command is not supported by Windows for Workgroups, but can be -issued from the Printer\'s window under Windows 95 & NT\&. -.IP -If a \f(CW"%p"\fP is given then the printername is put in its -place\&. Otherwise it is placed at the end of the command\&. -.IP -Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server\&. -.IP -\fBDefault:\fP -\f(CW depends on the setting of "printing ="\fP -.IP -\fBExample:\fP -\f(CW queuepause command = enable %p\fP -.IP -.IP "\fBread bmpx (G)\fP" -.IP -This boolean parameter controls whether \fBsmbd\fP -will support the "Read Block Multiplex" SMB\&. This is now rarely used -and defaults to off\&. You should never need to set this parameter\&. -.IP -\fBDefault:\fP -read bmpx = No -.IP -.IP "\fBread list (S)\fP" -.IP -This is a list of users that are given read-only access to a -service\&. If the connecting user is in this list then they will not be -given write access, no matter what the \fB"writeable"\fP -option is set to\&. The list can include group names using the syntax -described in the \fB"invalid users"\fP parameter\&. -.IP -See also the \fB"write list"\fP parameter and -the \fB"invalid users"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW read list = \fP -.IP -\fBExample:\fP -\f(CW read list = mary, @students\fP -.IP -.IP "\fBread only (S)\fP" -.IP -Note that this is an inverted synonym for -\fB"writeable"\fP\&. -.IP -.IP "\fBread prediction (G)\fP" -.IP -\fINOTE\fP: This code is currently disabled in Samba2\&.0 and -may be removed at a later date\&. Hence this parameter has -no effect\&. -.IP -This options enables or disables the read prediction code used to -speed up reads from the server\&. When enabled the server will try to -pre-read data from the last accessed file that was opened read-only -while waiting for packets\&. -.IP -\fBDefault:\fP -\f(CW read prediction = False\fP -.IP -.IP "\fBread raw (G)\fP" -.IP -This parameter controls whether or not the server will support the raw -read SMB requests when transferring data to clients\&. -.IP -If enabled, raw reads allow reads of 65535 bytes in one packet\&. This -typically provides a major performance benefit\&. -.IP -However, some clients either negotiate the allowable block size -incorrectly or are incapable of supporting larger block sizes, and for -these clients you may need to disable raw reads\&. -.IP -In general this parameter should be viewed as a system tuning tool and left -severely alone\&. See also \fB"write raw"\fP\&. -.IP -\fBDefault:\fP -\f(CW read raw = yes\fP -.IP -.IP "\fBread size (G)\fP" -.IP -The option \fB"read size"\fP affects the overlap of disk reads/writes -with network reads/writes\&. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk\&. -.IP -This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other\&. -.IP -The default value is 16384, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the -best value will vary greatly between systems anyway\&. A value over -65536 is pointless and will cause you to allocate memory -unnecessarily\&. -.IP -\fBDefault:\fP -\f(CW read size = 16384\fP -.IP -\fBExample:\fP -\f(CW read size = 8192\fP -.IP -.IP "\fBremote announce (G)\fP" -.IP -This option allows you to setup \fBnmbd\fP to -periodically announce itself to arbitrary IP addresses with an -arbitrary workgroup name\&. -.IP -This is useful if you want your Samba server to appear in a remote -workgroup for which the normal browse propagation rules don\'t -work\&. The remote workgroup can be anywhere that you can send IP -packets to\&. -.IP -For example: -.IP -\f(CW remote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF\fP -.IP -the above line would cause nmbd to announce itself to the two given IP -addresses using the given workgroup names\&. If you leave out the -workgroup name then the one given in the -\fB"workgroup"\fP parameter is used instead\&. -.IP -The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable\&. -.IP -See the documentation file BROWSING\&.txt in the docs/ directory\&. -.IP -\fBDefault:\fP -\f(CW remote announce = \fP -.IP -\fBExample:\fP -\f(CW remote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF\fP -.IP -.IP "\fBremote browse sync (G)\fP" -.IP -This option allows you to setup \fBnmbd\fP to -periodically request synchronization of browse lists with the master -browser of a samba server that is on a remote segment\&. This option -will allow you to gain browse lists for multiple workgroups across -routed networks\&. This is done in a manner that does not work with any -non-samba servers\&. -.IP -This is useful if you want your Samba server and all local clients to -appear in a remote workgroup for which the normal browse propagation -rules don\'t work\&. The remote workgroup can be anywhere that you can -send IP packets to\&. -.IP -For example: -.IP -\f(CW remote browse sync = 192\&.168\&.2\&.255 192\&.168\&.4\&.255\fP -.IP -the above line would cause \fBnmbd\fP to request the -master browser on the specified subnets or addresses to synchronize -their browse lists with the local server\&. -.IP -The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable\&. If a machine IP -address is given Samba makes NO attempt to validate that the remote -machine is available, is listening, nor that it is in fact the browse -master on it\'s segment\&. -.IP -\fBDefault:\fP -\f(CW remote browse sync = \fP -.IP -\fBExample:\fP -\f(CW remote browse sync = 192\&.168\&.2\&.255 192\&.168\&.4\&.255\fP -.IP -.IP "\fBrestrict anonymous (G)\fP" -.IP -This is a boolean parameter\&. If it is true, then anonymous access -to the server will be restricted, namely in the case where the server -is expecting the client to send a username, but it doesn\'t\&. Setting -it to true will force these anonymous connections to be denied, and -the client will be required to always supply a username and password -when connecting\&. Use of this parameter is only recommened for homogenous -NT client environments\&. -.IP -This parameter makes the use of macro expansions that rely -on the username (%U, %G, etc) consistant\&. NT 4\&.0 likes to use -anonymous connections when refreshing the share list, and this -is a way to work around that\&. -.IP -When restrict anonymous is true, all anonymous connections are denied -no matter what they are for\&. This can effect the ability of a machine -to access the samba Primary Domain Controller to revalidate it\'s machine -account after someone else has logged on the client interactively\&. The -NT client will display a message saying that the machine\'s account in -the domain doesn\'t exist or the password is bad\&. The best way to deal -with this is to reboot NT client machines between interactive logons, -using "Shutdown and Restart", rather than "Close all programs and logon -as a different user"\&. -.IP -\fBDefault:\fP -\f(CW restrict anonymous = false\fP -.IP -\fBExample:\fP -\f(CW restrict anonymous = true\fP -.IP -.IP "\fBroot (G)\fP" -.IP -Synonym for \fB"root directory"\fP\&. -.IP -.IP "\fBroot dir (G)\fP" -.IP -Synonym for \fB"root directory"\fP\&. -.IP -.IP "\fBroot directory (G)\fP" -.IP -The server will \f(CW"chroot()"\fP (i\&.e\&. Change it\'s root directory) to -this directory on startup\&. This is not strictly necessary for secure -operation\&. Even without it the server will deny access to files not in -one of the service entries\&. It may also check for, and deny access to, -soft links to other parts of the filesystem, or attempts to use -\f(CW"\&.\&."\fP in file names to access other directories (depending on the -setting of the \fB"wide links"\fP parameter)\&. -.IP -Adding a \fB"root directory"\fP entry other than \f(CW"/"\fP adds an extra -level of security, but at a price\&. It absolutely ensures that no -access is given to files not in the sub-tree specified in the \fB"root -directory"\fP option, \fI*including*\fP some files needed for complete -operation of the server\&. To maintain full operability of the server -you will need to mirror some system files into the \fB"root -directory"\fP tree\&. In particular you will need to mirror /etc/passwd -(or a subset of it), and any binaries or configuration files needed -for printing (if required)\&. The set of files that must be mirrored is -operating system dependent\&. -.IP -\fBDefault:\fP -\f(CW root directory = /\fP -.IP -\fBExample:\fP -\f(CW root directory = /homes/smb\fP -.IP -.IP "\fBroot postexec (S)\fP" -.IP -This is the same as the \fB"postexec"\fP parameter -except that the command is run as root\&. This is useful for unmounting -filesystems (such as cdroms) after a connection is closed\&. -.IP -See also \fB"postexec"\fP\&. -.IP -.IP "\fBroot preexec (S)\fP" -.IP -This is the same as the \fB"preexec"\fP parameter except -that the command is run as root\&. This is useful for mounting -filesystems (such as cdroms) before a connection is finalized\&. -.IP -See also \fB"preexec"\fP -and \fB"root preexec close"\fP\&. -.IP -.IP "\fBroot preexec close (S)\fP" -.IP -This is the same as the \fB"preexec close"\fP parameter -except that the command is run as root\&. -.IP -See also \fB"preexec"\fP, \fB"preexec close"\fP\&. -.IP -.IP "\fBsecurity (G)\fP" -.IP -This option affects how clients respond to Samba and is one of the most -important settings in the \fBsmb\&.conf\fP file\&. -.IP -The option sets the \f(CW"security mode bit"\fP in replies to protocol -negotiations with \fBsmbd\fP to turn share level -security on or off\&. Clients decide based on this bit whether (and how) -to transfer user and password information to the server\&. -.IP -The default is "security=user", as this is -the most common setting needed when talking to Windows 98 and Windows -NT\&. -.IP -The alternatives are \fB"security = share"\fP, -\fB"security = server"\fP or -\fB"security=domain"\fP\&. -.IP -\fI*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2\&.0 THAN FOR -PREVIOUS VERSIONS OF SAMBA *******\fP\&. -.IP -In previous versions of Samba the default was -\fB"security=share"\fP mainly because that was -the only option at one stage\&. -.IP -There is a bug in WfWg that has relevance to this setting\&. When in -user or server level security a WfWg client will totally ignore the -password you type in the "connect drive" dialog box\&. This makes it -very difficult (if not impossible) to connect to a Samba service as -anyone except the user that you are logged into WfWg as\&. -.IP -If your PCs use usernames that are the same as their usernames on the -UNIX machine then you will want to use \fB"security = user"\fP\&. If you -mostly use usernames that don\'t exist on the UNIX box then use -\fB"security = share"\fP\&. -.IP -You should also use \fBsecurity=share\fP if -you want to mainly setup shares without a password (guest -shares)\&. This is commonly used for a shared printer server\&. It is more -difficult to setup guest shares with -\fBsecurity=user\fP, see the \fB"map to -guest"\fPparameter for details\&. -.IP -It is possible to use \fBsmbd\fP in a \fI"hybrid -mode"\fP where it is offers both user and share level security under -different \fBNetBIOS aliases\fP\&. See the -\fBNetBIOS aliases\fP and the -\fBinclude\fP parameters for more information\&. -.IP -The different settings will now be explained\&. -.IP -.IP -.IP "\fB"security=share"\fP" -When clients connect to a share level -security server then need not log onto the server with a valid -username and password before attempting to connect to a shared -resource (although modern clients such as Windows 95/98 and Windows NT -will send a logon request with a username but no password when talking -to a \fBsecurity=share\fP server)\&. Instead, the clients send -authentication information (passwords) on a per-share basis, at the -time they attempt to connect to that share\&. -.IP -Note that \fBsmbd\fP \fI*ALWAYS*\fP uses a valid UNIX -user to act on behalf of the client, even in \fB"security=share"\fP -level security\&. -.IP -As clients are not required to send a username to the server -in share level security, \fBsmbd\fP uses several -techniques to determine the correct UNIX user to use on behalf -of the client\&. -.IP -A list of possible UNIX usernames to match with the given -client password is constructed using the following methods : -.IP -.IP -.IP o -If the \fB"guest only"\fP parameter is set, then -all the other stages are missed and only the \fB"guest -account"\fP username is checked\&. -.IP -.IP o -Is a username is sent with the share connection request, then -this username (after mapping - see \fB"username -map"\fP), is added as a potential username\&. -.IP -.IP o -If the client did a previous \fI"logon"\fP request (the -SessionSetup SMB call) then the username sent in this SMB -will be added as a potential username\&. -.IP -.IP o -The name of the service the client requested is added -as a potential username\&. -.IP -.IP o -The NetBIOS name of the client is added to the list as a -potential username\&. -.IP -.IP o -Any users on the \fB"user"\fP list are added -as potential usernames\&. -.IP -.IP -If the \fB"guest only"\fP parameter is not set, then -this list is then tried with the supplied password\&. The first user for -whom the password matches will be used as the UNIX user\&. -.IP -If the \fB"guest only"\fP parameter is set, or no -username can be determined then if the share is marked as available to -the \fB"guest account"\fP, then this guest user will -be used, otherwise access is denied\&. -.IP -Note that it can be \fI*very*\fP confusing in share-level security as to -which UNIX username will eventually be used in granting access\&. -.IP -See also the section \fB"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"\fP\&. -.IP -.IP "\fB"security=user"\fP" -.IP -This is the default security setting in Samba2\&.0\&. With user-level -security a client must first \f(CW"log-on"\fP with a valid username and -password (which can be mapped using the \fB"username -map"\fP parameter)\&. Encrypted passwords (see the -\fB"encrypted passwords"\fP parameter) can also -be used in this security mode\&. Parameters such as -\fB"user"\fP and \fB"guest only"\fP, if set -are then applied and may change the UNIX user to use on this -connection, but only after the user has been successfully -authenticated\&. -.IP -\fINote\fP that the name of the resource being requested is -\fI*not*\fP sent to the server until after the server has successfully -authenticated the client\&. This is why guest shares don\'t work in user -level security without allowing the server to automatically map unknown -users into the \fB"guest account"\fP\&. See the -\fB"map to guest"\fP parameter for details on -doing this\&. -.IP -See also the section \fB"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"\fP\&. -.IP -.IP "\fB"security=server"\fP" -.IP -In this mode Samba will try to validate the username/password by -passing it to another SMB server, such as an NT box\&. If this fails it -will revert to \fB"security = user"\fP, but note that if encrypted -passwords have been negotiated then Samba cannot revert back to -checking the UNIX password file, it must have a valid smbpasswd file -to check users against\&. See the documentation file in the docs/ -directory ENCRYPTION\&.txt for details on how to set this up\&. -.IP -\fINote\fP that from the clients point of view \fB"security=server"\fP is -the same as \fB"security=user"\fP\&. It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees\&. -.IP -\fINote\fP that the name of the resource being requested is -\fI*not*\fP sent to the server until after the server has successfully -authenticated the client\&. This is why guest shares don\'t work in server -level security without allowing the server to automatically map unknown -users into the \fB"guest account"\fP\&. See the -\fB"map to guest"\fP parameter for details on -doing this\&. -.IP -See also the section \fB"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"\fP\&. -.IP -See also the \fB"password server"\fP parameter\&. -and the \fB"encrypted passwords"\fP parameter\&. -.IP -.IP "\fB"security=domain"\fP" -.IP -This mode will only work correctly if -\fBsmbpasswd\fP has been used to add this machine -into a Windows NT Domain\&. It expects the \fB"encrypted -passwords"\fP parameter to be set to \f(CW"true"\fP\&. In -this mode Samba will try to validate the username/password by passing -it to a Windows NT Primary or Backup Domain Controller, in exactly the -same way that a Windows NT Server would do\&. -.IP -\fINote\fP that a valid UNIX user must still exist as well as the -account on the Domain Controller to allow Samba to have a valid -UNIX account to map file access to\&. -.IP -\fINote\fP that from the clients point of view \fB"security=domain"\fP is -the same as \fB"security=user"\fP\&. It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees\&. -.IP -\fINote\fP that the name of the resource being requested is -\fI*not*\fP sent to the server until after the server has successfully -authenticated the client\&. This is why guest shares don\'t work in domain -level security without allowing the server to automatically map unknown -users into the \fB"guest account"\fP\&. See the -\fB"map to guest"\fP parameter for details on -doing this\&. -.IP -\fIBUG:\fP There is currently a bug in the implementation of -\fB"security=domain\fP with respect to multi-byte character -set usernames\&. The communication with a Domain Controller -must be done in UNICODE and Samba currently does not widen -multi-byte user names to UNICODE correctly, thus a multi-byte -username will not be recognized correctly at the Domain Controller\&. -This issue will be addressed in a future release\&. -.IP -See also the section \fB"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"\fP\&. -.IP -See also the \fB"password server"\fP parameter\&. -and the \fB"encrypted passwords"\fP parameter\&. -.IP -.IP -\fBDefault:\fP -\f(CW security = USER\fP -.IP -\fBExample:\fP -\f(CW security = DOMAIN\fP -.IP -.IP "\fBsecurity mask (S)\fP" -.IP -This parameter controls what UNIX permission bits can be modified -when a Windows NT client is manipulating the UNIX permission on a -file using the native NT security dialog box\&. -.IP -This parameter is applied as a mask (AND\'ed with) to the changed -permission bits, thus preventing any bits not in this mask from -being modified\&. Essentially, zero bits in this mask may be treated -as a set of bits the user is not allowed to change\&. -.IP -If not set explicitly this parameter is set to the same value as the -\fBcreate mask\fP parameter\&. To allow a user to -modify all the user/group/world permissions on a file, set this -parameter to 0777\&. -.IP -\fINote\fP that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems\&. Administrators of -most normal systems will probably want to set it to 0777\&. -.IP -See also the \fBforce directory security -mode\fP, \fBdirectory security -mask\fP, \fBforce security -mode\fP parameters\&. -.IP -\fBDefault:\fP -\f(CW security mask = \fP -.IP -\fBExample:\fP -\f(CW security mask = 0777\fP -.IP -.IP "\fBserver string (G)\fP" -.IP -This controls what string will show up in the printer comment box in -print manager and next to the IPC connection in \f(CW"net view"\fP\&. It can be -any string that you wish to show to your users\&. -.IP -It also sets what will appear in browse lists next to the machine -name\&. -.IP -A \f(CW"%v"\fP will be replaced with the Samba version number\&. -.IP -A \f(CW"%h"\fP will be replaced with the hostname\&. -.IP -\fBDefault:\fP -\f(CW server string = Samba %v\fP -.IP -\fBExample:\fP -\f(CW server string = University of GNUs Samba Server\fP -.IP -.IP "\fBset directory (S)\fP" -.IP -If \f(CW"set directory = no"\fP, then users of the service may not use the -setdir command to change directory\&. -.IP -The setdir command is only implemented in the Digital Pathworks -client\&. See the Pathworks documentation for details\&. -.IP -\fBDefault:\fP -\f(CW set directory = no\fP -.IP -\fBExample:\fP -\f(CW set directory = yes\fP -.IP -.IP "\fBshare modes (S)\fP" -.IP -This enables or disables the honoring of the \f(CW"share modes"\fP during a -file open\&. These modes are used by clients to gain exclusive read or -write access to a file\&. -.IP -These open modes are not directly supported by UNIX, so they are -simulated using shared memory, or lock files if your UNIX doesn\'t -support shared memory (almost all do)\&. -.IP -The share modes that are enabled by this option are DENY_DOS, -DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB\&. -.IP -This option gives full share compatibility and enabled by default\&. -.IP -You should \fI*NEVER*\fP turn this parameter off as many Windows -applications will break if you do so\&. -.IP -\fBDefault:\fP -\f(CW share modes = yes\fP -.IP -.IP "\fBshared mem size (G)\fP" -.IP -It specifies the size of the shared memory (in bytes) to use between -\fBsmbd\fP processes\&. This parameter defaults to one -megabyte of shared memory\&. It is possible that if you have a large -server with many files open simultaneously that you may need to -increase this parameter\&. Signs that this parameter is set too low are -users reporting strange problems trying to save files (locking errors) -and error messages in the smbd log looking like \f(CW"ERROR -smb_shm_alloc : alloc of XX bytes failed"\fP\&. -.IP -If your OS refuses the size that Samba asks for then Samba will try a -smaller size, reducing by a factor of 0\&.8 until the OS accepts it\&. -.IP -\fBDefault:\fP -\f(CW shared mem size = 1048576\fP -.IP -\fBExample:\fP -\f(CW shared mem size = 5242880 ; Set to 5mb for a large number of files\&.\fP -.IP -.IP "\fBshort preserve case (S)\fP" -.IP -This boolean parameter controls if new files which conform to 8\&.3 -syntax, that is all in upper case and of suitable length, are created -upper case, or if they are forced to be the \f(CW"default"\fP case\&. This -option can be use with \fB"preserve case -=yes"\fP to permit long filenames to retain their -case, while short names are lowered\&. Default \fIYes\fP\&. -.IP -See the section on \fBNAME MANGLING\fP\&. -.IP -\fBDefault:\fP -\f(CW short preserve case = yes\fP -.IP -.IP "\fBsmb passwd file (G)\fP" -.IP -This option sets the path to the encrypted smbpasswd file\&. By default -the path to the smbpasswd file is compiled into Samba\&. -.IP -\fBDefault:\fP -\f(CW smb passwd file= \fP -.IP -\fBExample:\fP -\f(CW smb passwd file = /usr/samba/private/smbpasswd\fP -.IP -.IP "\fBsmbrun (G)\fP" -.IP -This sets the full path to the \fBsmbrun\fP binary\&. This defaults to the -value in the Makefile\&. -.IP -You must get this path right for many services to work correctly\&. -.IP -You should not need to change this parameter so long as Samba -is installed correctly\&. -.IP -\fBDefault:\fP -\f(CW smbrun=\fP -.IP -\fBExample:\fP -\f(CW smbrun = /usr/local/samba/bin/smbrun\fP -.IP -.IP "\fBsocket address (G)\fP" -.IP -This option allows you to control what address Samba will listen for -connections on\&. This is used to support multiple virtual interfaces on -the one server, each with a different configuration\&. -.IP -By default samba will accept connections on any address\&. -.IP -\fBExample:\fP -\f(CW socket address = 192\&.168\&.2\&.20\fP -.IP -.IP "\fBsocket options (G)\fP" -.IP -This option allows you to set socket options to be used when talking -with the client\&. -.IP -Socket options are controls on the networking layer of the operating -systems which allow the connection to be tuned\&. -.IP -This option will typically be used to tune your Samba server for -optimal performance for your local network\&. There is no way that Samba -can know what the optimal parameters are for your net, so you must -experiment and choose them yourself\&. We strongly suggest you read the -appropriate documentation for your operating system first (perhaps -\fB"man setsockopt"\fP will help)\&. -.IP -You may find that on some systems Samba will say "Unknown socket -option" when you supply an option\&. This means you either incorrectly -typed it or you need to add an include file to includes\&.h for your OS\&. -If the latter is the case please send the patch to -\fIsamba@samba\&.org\fP\&. -.IP -Any of the supported socket options may be combined in any way you -like, as long as your OS allows it\&. -.IP -This is the list of socket options currently settable using this -option: -.IP -.IP -.IP o +Example: \fBshared mem size = 5242880 ; Set to 5mb for a +large number of files.\fR +.TP +\fBshort preserve case (S)\fR +This boolean parameter controls if new files +which conform to 8.3 syntax, that is all in upper case and of +suitable length, are created upper case, or if they are forced +to be the \fIdefault case +\fR\&. This option can be use with \fBpreserve case = yes\fR +to permit long filenames to retain their case, while short +names are lowered. + +See the section on NAME MANGLING. + +Default: \fBshort preserve case = yes\fR +.TP +\fBsmb passwd file (G)\fR +This option sets the path to the encrypted +smbpasswd file. By default the path to the smbpasswd file +is compiled into Samba. + +Default: \fBsmb passwd file= \fR + +Example: \fBsmb passwd file = /usr/samba/private/smbpasswd +\fR.TP +\fBsmbrun (G)\fR +This sets the full path to the \fBsmbrun +\fRbinary. This defaults to the value in the \fI Makefile\fR. + +You must get this path right for many services +to work correctly. + +You should not need to change this parameter so +long as Samba is installed correctly. + +Default: \fBsmbrun= +\fR +Example: \fBsmbrun = /usr/local/samba/bin/smbrun +\fR.TP +\fBsocket address (G)\fR +This option allows you to control what +address Samba will listen for connections on. This is used to +support multiple virtual interfaces on the one server, each +with a different configuration. + +By default samba will accept connections on any +address. + +Example: \fBsocket address = 192.168.2.20\fR +.TP +\fBsocket options (G)\fR +This option allows you to set socket options +to be used when talking with the client. + +Socket options are controls on the networking layer +of the operating systems which allow the connection to be +tuned. + +This option will typically be used to tune your Samba +server for optimal performance for your local network. There is +no way that Samba can know what the optimal parameters are for +your net, so you must experiment and choose them yourself. We +strongly suggest you read the appropriate documentation for your +operating system first (perhaps \fBman setsockopt\fR +will help). + +You may find that on some systems Samba will say +"Unknown socket option" when you supply an option. This means you +either incorrectly typed it or you need to add an include file +to includes.h for your OS. If the latter is the case please +send the patch to samba@samba.org . + +Any of the supported socket options may be combined +in any way you like, as long as your OS allows it. + +This is the list of socket options currently settable +using this option: +.RS +.TP 0.2i +\(bu SO_KEEPALIVE -.IP -.IP o +.TP 0.2i +\(bu SO_REUSEADDR -.IP -.IP o +.TP 0.2i +\(bu SO_BROADCAST -.IP -.IP o +.TP 0.2i +\(bu TCP_NODELAY -.IP -.IP o +.TP 0.2i +\(bu IPTOS_LOWDELAY -.IP -.IP o +.TP 0.2i +\(bu IPTOS_THROUGHPUT -.IP -.IP o +.TP 0.2i +\(bu SO_SNDBUF * -.IP -.IP o +.TP 0.2i +\(bu SO_RCVBUF * -.IP -.IP o +.TP 0.2i +\(bu SO_SNDLOWAT * -.IP -.IP o +.TP 0.2i +\(bu SO_RCVLOWAT * -.IP -.IP -Those marked with a \f(CW*\fP take an integer argument\&. The others can -optionally take a 1 or 0 argument to enable or disable the option, by -default they will be enabled if you don\'t specify 1 or 0\&. -.IP -To specify an argument use the syntax SOME_OPTION=VALUE for example -\f(CWSO_SNDBUF=8192\fP\&. Note that you must not have any spaces before or after -the = sign\&. -.IP -If you are on a local network then a sensible option might be -.IP -\f(CWsocket options = IPTOS_LOWDELAY\fP -.IP +.RE +.PP +Those marked with a \fB'*'\fR take an integer +argument. The others can optionally take a 1 or 0 argument to enable +or disable the option, by default they will be enabled if you +don't specify 1 or 0. +.PP +.PP +To specify an argument use the syntax SOME_OPTION=VALUE +for example \fBSO_SNDBUF=8192\fR. Note that you must +not have any spaces before or after the = sign. +.PP +.PP +If you are on a local network then a sensible option +might be +.PP +.PP +\fBsocket options = IPTOS_LOWDELAY\fR +.PP +.PP If you have a local network then you could try: -.IP -\f(CWsocket options = IPTOS_LOWDELAY TCP_NODELAY\fP -.IP -If you are on a wide area network then perhaps try setting -IPTOS_THROUGHPUT\&. -.IP -Note that several of the options may cause your Samba server to fail -completely\&. Use these options with caution! -.IP -\fBDefault:\fP -\f(CW socket options = TCP_NODELAY\fP -.IP -\fBExample:\fP -\f(CW socket options = IPTOS_LOWDELAY\fP -.IP -.IP "\fBsource environment (G)\fP" -.IP -This parameter causes Samba to set environment variables as per the -content of the file named\&. -.IP -The file \fBmust\fP be owned by root and not world writable in order -to be read (this is a security check)\&. -.IP -If the value of this parameter starts with a "|" character then Samba will -treat that value as a pipe command to open and will set the environment -variables from the oput of the pipe\&. This command must not be world writable -and must reside in a directory that is not world writable\&. -.IP -The contents of the file or the output of the pipe should be formatted -as the output of the standard Unix env(1) command\&. This is of the form : -.IP +.PP +.PP +\fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR +.PP +.PP +If you are on a wide area network then perhaps try +setting IPTOS_THROUGHPUT. +.PP +.PP +Note that several of the options may cause your Samba +server to fail completely. Use these options with caution! +.PP +.PP +Default: \fBsocket options = TCP_NODELAY\fR +.PP +.PP +Example: \fBsocket options = IPTOS_LOWDELAY\fR +.PP +.TP +\fBsource environment (G)\fR +This parameter causes Samba to set environment +variables as per the content of the file named. + +If the value of this parameter starts with a "|" character +then Samba will treat that value as a pipe command to open and +will set the environment variables from the output of the pipe. + +The contents of the file or the output of the pipe should +be formatted as the output of the standard Unix \fBenv(1) +\fRcommand. This is of the form : + Example environment entry: -\f(CW SAMBA_NETBIOS_NAME=myhostname \fP -.IP -\fBDefault:\fP -\f(CWNo default value\fP -.IP -\fBExamples:\fP -.IP -\f(CW source environment = |/etc/smb\&.conf\&.sh\fP -.IP -\f(CW source environment = /usr/local/smb_env_vars\fP -.IP -.IP "\fBssl (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This variable enables or disables the entire SSL mode\&. If it is set to -"no", the SSL enabled samba behaves exactly like the non-SSL samba\&. If -set to "yes", it depends on the variables \fB"ssl -hosts"\fP and \fB"ssl hosts resign"\fP -whether an SSL connection will be required\&. -.IP -\fBDefault:\fP -\f(CW ssl=no\fP -\fBExample:\fP -\f(CW ssl=yes\fP -.IP -.IP "\fBssl CA certDir (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP + +\fBSAMBA_NETBIOS_NAME=myhostname\fR + +Default: \fBNo default value\fR + +Examples: \fBsource environment = |/etc/smb.conf.sh +\fR +Example: \fBsource environment = +/usr/local/smb_env_vars\fR +.TP +\fBssl (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This variable enables or disables the entire SSL mode. If +it is set to no, the SSL enabled samba behaves +exactly like the non-SSL samba. If set to yes, +it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL +connection will be required. + +Default: \fBssl=no\fR +.TP +\fBssl CA certDir (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + This variable defines where to look up the Certification -Authorities\&. The given directory should contain one file for each CA -that samba will trust\&. The file name must be the hash value over the -"Distinguished Name" of the CA\&. How this directory is set up is -explained later in this document\&. All files within the directory that -don\'t fit into this naming scheme are ignored\&. You don\'t need this -variable if you don\'t verify client certificates\&. -.IP -\fBDefault:\fP -\f(CW ssl CA certDir = /usr/local/ssl/certs\fP -.IP -.IP "\fBssl CA certFile (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This variable is a second way to define the trusted CAs\&. The -certificates of the trusted CAs are collected in one big file and this -variable points to the file\&. You will probably only use one of the two -ways to define your CAs\&. The first choice is preferable if you have -many CAs or want to be flexible, the second is preferable if you only -have one CA and want to keep things simple (you won\'t need to create -the hashed file names)\&. You don\'t need this variable if you don\'t -verify client certificates\&. -.IP -\fBDefault:\fP -\f(CW ssl CA certFile = /usr/local/ssl/certs/trustedCAs\&.pem\fP -.IP -.IP "\fBssl ciphers (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This variable defines the ciphers that should be offered during SSL -negotiation\&. You should not set this variable unless you know what you -are doing\&. -.IP -.IP "\fBssl client cert (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -The certificate in this file is used by -\fBsmbclient\fP if it exists\&. It\'s needed if the -server requires a client certificate\&. -.IP -\fBDefault:\fP -\f(CW ssl client cert = /usr/local/ssl/certs/smbclient\&.pem\fP -.IP -.IP "\fBssl client key (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This is the private key for \fBsmbclient\fP\&. It\'s -only needed if the client should have a certificate\&. -.IP -\fBDefault:\fP -\f(CW ssl client key = /usr/local/ssl/private/smbclient\&.pem\fP -.IP -.IP "\fBssl compatibility (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This variable defines whether SSLeay should be configured for bug -compatibility with other SSL implementations\&. This is probably not -desirable because currently no clients with SSL implementations other -than SSLeay exist\&. -.IP -\fBDefault:\fP -\f(CW ssl compatibility = no\fP -.IP -.IP "\fBssl hosts (G)\fP" -.IP -See \fB"ssl hosts resign"\fP\&. -.IP -.IP "\fBssl hosts resign (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -These two variables define whether samba will go into SSL mode or -not\&. If none of them is defined, samba will allow only SSL -connections\&. If the \fB"ssl hosts"\fP variable lists -hosts (by IP-address, IP-address range, net group or name), only these -hosts will be forced into SSL mode\&. If the \fB"ssl hosts resign"\fP -variable lists hosts, only these hosts will NOT be forced into SSL -mode\&. The syntax for these two variables is the same as for the -\fB"hosts allow"\fP and \fB"hosts -deny"\fP pair of variables, only that the subject of the -decision is different: It\'s not the access right but whether SSL is -used or not\&. See the \fB"allow hosts"\fP parameter for -details\&. The example below requires SSL connections from all hosts -outside the local net (which is 192\&.168\&.*\&.*)\&. -.IP -\fBDefault:\fP -\f(CW ssl hosts = \fP -\f(CW ssl hosts resign = \fP -.IP -\fBExample:\fP -\f(CW ssl hosts resign = 192\&.168\&.\fP -.IP -.IP "\fBssl require clientcert (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -If this variable is set to \f(CW"yes"\fP, the server will not tolerate -connections from clients that don\'t have a valid certificate\&. The -directory/file given in \fB"ssl CA certDir"\fP and -\fB"ssl CA certFile"\fP will be used to look up the -CAs that issued the client\'s certificate\&. If the certificate can\'t be -verified positively, the connection will be terminated\&. If this -variable is set to \f(CW"no"\fP, clients don\'t need certificates\&. Contrary -to web applications you really \fI*should*\fP require client -certificates\&. In the web environment the client\'s data is sensitive -(credit card numbers) and the server must prove to be trustworthy\&. In -a file server environment the server\'s data will be sensitive and the -clients must prove to be trustworthy\&. -.IP -\fBDefault:\fP -\f(CW ssl require clientcert = no\fP -.IP -.IP "\fBssl require servercert (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -If this variable is set to \f(CW"yes"\fP, the -\fBsmbclient\fP will request a certificate from -the server\&. Same as \fB"ssl require -clientcert"\fP for the server\&. -.IP -\fBDefault:\fP -\f(CW ssl require servercert = no\fP -.IP -.IP "\fBssl server cert (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This is the file containing the server\'s certificate\&. The server _must_ -have a certificate\&. The file may also contain the server\'s private key\&. -See later for how certificates and private keys are created\&. -.IP -\fBDefault:\fP -\f(CW ssl server cert = \fP -.IP -.IP "\fBssl server key (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This file contains the private key of the server\&. If this variable is -not defined, the key is looked up in the certificate file (it may be -appended to the certificate)\&. The server \fI*must*\fP have a private key -and the certificate \fI*must*\fP match this private key\&. -.IP -\fBDefault:\fP -\f(CW ssl server key = \fP -.IP -.IP "\fBssl version (G)\fP" -.IP -This variable is part of SSL-enabled Samba\&. This is only available if -the SSL libraries have been compiled on your system and the configure -option \f(CW"--with-ssl"\fP was given at configure time\&. -.IP -\fINote\fP that for export control reasons this code is \fI**NOT**\fP -enabled by default in any current binary version of Samba\&. -.IP -This enumeration variable defines the versions of the SSL protocol -that will be used\&. \f(CW"ssl2or3"\fP allows dynamic negotiation of SSL v2 -or v3, \f(CW"ssl2"\fP results in SSL v2, \f(CW"ssl3"\fP results in SSL v3 and -"tls1" results in TLS v1\&. TLS (Transport Layer Security) is the -(proposed?) new standard for SSL\&. -.IP -\fBDefault:\fP -\f(CW ssl version = "ssl2or3"\fP -.IP -.IP "\fBstat cache (G)\fP" -.IP -This parameter determines if \fBsmbd\fP will use a -cache in order to speed up case insensitive name mappings\&. You should -never need to change this parameter\&. -.IP -\fBDefault:\fP -\f(CW stat cache = yes\fP -.IP -.IP "\fBstat cache size (G)\fP" -.IP -This parameter determines the number of entries in the \fBstat -cache\fP\&. You should never need to change this parameter\&. -.IP -\fBDefault:\fP -\f(CW stat cache size = 50\fP -.IP -.IP "\fBstatus (G)\fP" -.IP -This enables or disables logging of connections to a status file that -\fBsmbstatus\fP can read\&. -.IP -With this disabled \fBsmbstatus\fP won\'t be able -to tell you what connections are active\&. You should never need to -change this parameter\&. -.IP -\fBDefault:\fP -status = yes -.IP -.IP "\fBstrict locking (S)\fP" -.IP -This is a boolean that controls the handling of file locking in the -server\&. When this is set to \f(CW"yes"\fP the server will check every read and -write access for file locks, and deny access if locks exist\&. This can -be slow on some systems\&. -.IP -When strict locking is \f(CW"no"\fP the server does file lock checks only -when the client explicitly asks for them\&. -.IP -Well behaved clients always ask for lock checks when it is important, -so in the vast majority of cases \fB"strict locking = no"\fP is -preferable\&. -.IP -\fBDefault:\fP -\f(CW strict locking = no\fP -.IP -\fBExample:\fP -\f(CW strict locking = yes\fP -.IP -.IP "\fBstrict sync (S)\fP" -.IP -Many Windows applications (including the Windows 98 explorer shell) -seem to confuse flushing buffer contents to disk with doing a sync to -disk\&. Under UNIX, a sync call forces the process to be suspended until -the kernel has ensured that all outstanding data in kernel disk -buffers has been safely stored onto stable storage\&. This is very slow -and should only be done rarely\&. Setting this parameter to "no" (the +Authorities. The given directory should contain one file for +each CA that samba will trust. The file name must be the hash +value over the "Distinguished Name" of the CA. How this directory +is set up is explained later in this document. All files within the +directory that don't fit into this naming scheme are ignored. You +don't need this variable if you don't verify client certificates. + +Default: \fBssl CA certDir = /usr/local/ssl/certs +\fR.TP +\fBssl CA certFile (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This variable is a second way to define the trusted CAs. +The certificates of the trusted CAs are collected in one big +file and this variable points to the file. You will probably +only use one of the two ways to define your CAs. The first choice is +preferable if you have many CAs or want to be flexible, the second +is preferable if you only have one CA and want to keep things +simple (you won't need to create the hashed file names). You +don't need this variable if you don't verify client certificates. + +Default: \fBssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem +\fR.TP +\fBssl ciphers (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This variable defines the ciphers that should be offered +during SSL negotiation. You should not set this variable unless +you know what you are doing. +.TP +\fBssl client cert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +The certificate in this file is used by \fBsmbclient(1)\fR if it exists. It's needed +if the server requires a client certificate. + +Default: \fBssl client cert = /usr/local/ssl/certs/smbclient.pem +\fR.TP +\fBssl client key (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This is the private key for \fBsmbclient(1)\fR . It's only needed if the +client should have a certificate. + +Default: \fBssl client key = /usr/local/ssl/private/smbclient.pem +\fR.TP +\fBssl compatibility (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This variable defines whether SSLeay should be configured +for bug compatibility with other SSL implementations. This is +probably not desirable because currently no clients with SSL +implementations other than SSLeay exist. + +Default: \fBssl compatibility = no\fR +.TP +\fBssl hosts (G)\fR +See \fI ssl hosts resign\fR. +.TP +\fBssl hosts resign (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +These two variables define whether samba will go +into SSL mode or not. If none of them is defined, samba will +allow only SSL connections. If the \fIssl hosts\fR variable lists +hosts (by IP-address, IP-address range, net group or name), +only these hosts will be forced into SSL mode. If the \fI ssl hosts resign\fR variable lists hosts, only these +hosts will NOT be forced into SSL mode. The syntax for these two +variables is the same as for the \fI hosts allow\fR and \fIhosts deny\fR pair of variables, only +that the subject of the decision is different: It's not the access +right but whether SSL is used or not. + +The example below requires SSL connections from all hosts +outside the local net (which is 192.168.*.*). + +Default: \fBssl hosts = \fR + +\fBssl hosts resign = \fR + +Example: \fBssl hosts resign = 192.168.\fR +.TP +\fBssl require clientcert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +If this variable is set to yes, the +server will not tolerate connections from clients that don't +have a valid certificate. The directory/file given in \fIssl CA certDir\fR +and \fIssl CA certFile +\fRwill be used to look up the CAs that issued +the client's certificate. If the certificate can't be verified +positively, the connection will be terminated. If this variable +is set to no, clients don't need certificates. +Contrary to web applications you really \fBshould\fR +require client certificates. In the web environment the client's +data is sensitive (credit card numbers) and the server must prove +to be trustworthy. In a file server environment the server's data +will be sensitive and the clients must prove to be trustworthy. + +Default: \fBssl require clientcert = no\fR +.TP +\fBssl require servercert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +If this variable is set to yes, the +\fBsmbclient(1)\fR + will request a certificate from the server. Same as +\fIssl require +clientcert\fR for the server. + +Default: \fBssl require servercert = no\fR +.TP +\fBssl server cert (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This is the file containing the server's certificate. +The server \fBmust\fR have a certificate. The +file may also contain the server's private key. See later for +how certificates and private keys are created. + +Default: \fBssl server cert = +\fR.TP +\fBssl server key (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This file contains the private key of the server. If +this variable is not defined, the key is looked up in the +certificate file (it may be appended to the certificate). +The server \fBmust\fR have a private key +and the certificate \fBmust\fR +match this private key. + +Default: \fBssl server key = +\fR.TP +\fBssl version (G)\fR +This variable is part of SSL-enabled Samba. This +is only available if the SSL libraries have been compiled on your +system and the configure option \fB--with-ssl\fR was +given at configure time. + +\fBNote\fR that for export control reasons +this code is \fBNOT\fR enabled by default in any +current binary version of Samba. + +This enumeration variable defines the versions of the +SSL protocol that will be used. ssl2or3 allows +dynamic negotiation of SSL v2 or v3, ssl2 results +in SSL v2, ssl3 results in SSL v3 and +tls1 results in TLS v1. TLS (Transport Layer +Security) is the new standard for SSL. + +Default: \fBssl version = "ssl2or3"\fR +.TP +\fBstat cache (G)\fR +This parameter determines if smbd(8) will use a cache in order to +speed up case insensitive name mappings. You should never need +to change this parameter. + +Default: \fBstat cache = yes\fR +.TP +\fBstat cache size (G)\fR +This parameter determines the number of +entries in the \fIstat cache\fR. You should +never need to change this parameter. + +Default: \fBstat cache size = 50\fR +.TP +\fBstatus (G)\fR +This enables or disables logging of connections +to a status file that smbstatus(1) +can read. + +With this disabled \fBsmbstatus\fR won't be able +to tell you what connections are active. You should never need to +change this parameter. + +Default: \fBstatus = yes\fR +.TP +\fBstrict locking (S)\fR +This is a boolean that controls the handling of +file locking in the server. When this is set to yes +the server will check every read and write access for file locks, and +deny access if locks exist. This can be slow on some systems. + +When strict locking is no the server does file +lock checks only when the client explicitly asks for them. + +Well behaved clients always ask for lock checks when it +is important, so in the vast majority of cases \fBstrict +locking = no\fR is preferable. + +Default: \fBstrict locking = no\fR +.TP +\fBstrict sync (S)\fR +Many Windows applications (including the Windows +98 explorer shell) seem to confuse flushing buffer contents to +disk with doing a sync to disk. Under UNIX, a sync call forces +the process to be suspended until the kernel has ensured that +all outstanding data in kernel disk buffers has been safely stored +onto stable storage. This is very slow and should only be done +rarely. Setting this parameter to no (the default) means that smbd ignores the Windows applications requests for -a sync call\&. There is only a possibility of losing data if the +a sync call. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is -little danger in this default setting\&. In addition, this fixes many +little danger in this default setting. In addition, this fixes many performance problems that people have reported with the new Windows98 -explorer shell file copies\&. -.IP -See also the \fB"sync always"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW strict sync = no\fP -.IP -\fBExample:\fP -\f(CW strict sync = yes\fP -.IP -.IP "\fBstrip dot (G)\fP" -.IP -This is a boolean that controls whether to strip trailing dots off -UNIX filenames\&. This helps with some CDROMs that have filenames ending -in a single dot\&. -.IP -\fBDefault:\fP -\f(CW strip dot = no\fP -.IP -\fBExample:\fP -\f(CW strip dot = yes\fP -.IP -.IP "\fBsync always (S)\fP" -.IP -This is a boolean parameter that controls whether writes will always -be written to stable storage before the write call returns\&. If this is -false then the server will be guided by the client\'s request in each -write call (clients can set a bit indicating that a particular write -should be synchronous)\&. If this is true then every write will be -followed by a fsync() call to ensure the data is written to disk\&. -Note that the \fB"strict sync"\fP parameter must be -set to \f(CW"yes"\fP in order for this parameter to have any affect\&. -.IP -See also the \fB"strict sync"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW sync always = no\fP -.IP -\fBExample:\fP -\f(CW sync always = yes\fP -.IP -.IP "\fBsyslog (G)\fP" -.IP -This parameter maps how Samba debug messages are logged onto the -system syslog logging levels\&. Samba debug level zero maps onto syslog -LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps -onto LOG_NOTICE, debug level three maps onto LOG_INFO\&. All higher -levels are mapped to LOG_DEBUG\&. -.IP -This paramter sets the threshold for sending messages to syslog\&. -Only messages with debug level less than this value will be sent -to syslog\&. -.IP -\fBDefault:\fP -\f(CW syslog = 1\fP -.IP -.IP "\fBsyslog only (G)\fP" -.IP -If this parameter is set then Samba debug messages are logged into the -system syslog only, and not to the debug log files\&. -.IP -\fBDefault:\fP -\f(CW syslog only = no\fP -.IP -.IP "\fBtemplate homedir (G)\fP" -.IP -NOTE: this parameter is only available in Samba 3\&.0\&. -.IP -When filling out the user information for a Windows NT user, the -\fBwinbindd\fP daemon uses this parameter to fill in -the home directory for that user\&. If the string \f(CW%D\fP is present it is -substituted with the user\'s Windows NT domain name\&. If the string \f(CW%U\fP -is present it is substituted with the user\'s Windows NT user name\&. -.IP -\fBDefault:\fP -\f(CW template homedir = /home/%D/%U\fP -.IP -.IP "\fBtemplate shell (G)\fP" -.IP -NOTE: this parameter is only available in Samba 3\&.0\&. -.IP -When filling out the user information for a Windows NT user, the -\fBwinbindd\fP daemon uses this parameter to fill in -the login shell for that user\&. -.IP -\fBDefault:\fP -\f(CW template shell = /bin/false\fP -.IP -.IP "\fBtime offset (G)\fP" -.IP -This parameter is a setting in minutes to add to the normal GMT to -local time conversion\&. This is useful if you are serving a lot of PCs -that have incorrect daylight saving time handling\&. -.IP -\fBDefault:\fP -\f(CW time offset = 0\fP -.IP -\fBExample:\fP -\f(CW time offset = 60\fP -.IP -.IP -.IP "\fBtime server (G)\fP" -.IP -This parameter determines if \fBnmbd\fP advertises -itself as a time server to Windows clients\&. The default is False\&. -.IP -\fBDefault:\fP -\f(CW time server = False\fP -.IP -\fBExample:\fP -\f(CW time server = True\fP -.IP -.IP "\fBtimestamp logs (G)\fP" -.IP -Synonym for \fB"debug timestamp"\fP\&. -.IP -.IP "\fBunix password sync (G)\fP" -.IP -This boolean parameter controls whether Samba attempts to synchronize -the UNIX password with the SMB password when the encrypted SMB -password in the smbpasswd file is changed\&. If this is set to true the -program specified in the \fB"passwd program"\fP -parameter is called \fI*AS ROOT*\fP - to allow the new UNIX password to be -set without access to the old UNIX password (as the SMB password has -change code has no access to the old password cleartext, only the -new)\&. By default this is set to \f(CW"false"\fP\&. -.IP -See also \fB"passwd program"\fP, \fB"passwd -chat"\fP\&. -.IP -\fBDefault:\fP -\f(CW unix password sync = False\fP -.IP -\fBExample:\fP -\f(CW unix password sync = True\fP -.IP -.IP "\fBunix realname (G)\fP" -.IP -This boolean parameter when set causes samba to supply the real name -field from the unix password file to the client\&. This is useful for -setting up mail clients and WWW browsers on systems used by more than -one person\&. -.IP -\fBDefault:\fP -\f(CW unix realname = no\fP -.IP -\fBExample:\fP -\f(CW unix realname = yes\fP -.IP -.IP "\fBupdate encrypted (G)\fP" -.IP -This boolean parameter allows a user logging on with a plaintext -password to have their encrypted (hashed) password in the smbpasswd -file to be updated automatically as they log on\&. This option allows a -site to migrate from plaintext password authentication (users -authenticate with plaintext password over the wire, and are checked -against a UNIX account database) to encrypted password authentication -(the SMB challenge/response authentication mechanism) without forcing +explorer shell file copies. + +See also the \fIsync +always>\fR parameter. + +Default: \fBstrict sync = no\fR +.TP +\fBstrip dot (G)\fR +This is a boolean that controls whether to +strip trailing dots off UNIX filenames. This helps with some +CDROMs that have filenames ending in a single dot. + +Default: \fBstrip dot = no\fR +.TP +\fBsync always (S)\fR +This is a boolean parameter that controls +whether writes will always be written to stable storage before +the write call returns. If this is false then the server will be +guided by the client's request in each write call (clients can +set a bit indicating that a particular write should be synchronous). +If this is true then every write will be followed by a \fBfsync() +\fRcall to ensure the data is written to disk. Note that +the \fIstrict sync\fR parameter must be set to +yes in order for this parameter to have +any affect. + +See also the \fIstrict +sync\fR parameter. + +Default: \fBsync always = no\fR +.TP +\fBsyslog (G)\fR +This parameter maps how Samba debug messages +are logged onto the system syslog logging levels. Samba debug +level zero maps onto syslog LOG_ERR, debug +level one maps onto LOG_WARNING, debug level +two maps onto LOG_NOTICE, debug level three +maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG. + +This paramter sets the threshold for sending messages +to syslog. Only messages with debug level less than this value +will be sent to syslog. + +Default: \fBsyslog = 1\fR +.TP +\fBsyslog only (G)\fR +If this parameter is set then Samba debug +messages are logged into the system syslog only, and not to +the debug log files. + +Default: \fBsyslog only = no\fR +.TP +\fBtemplate homedir (G)\fR +\fBNOTE:\fR this parameter is +only available in Samba 3.0. + +When filling out the user information for a Windows NT +user, the winbindd(8) daemon +uses this parameter to fill in the home directory for that user. +If the string \fI%D\fR is present it is substituted +with the user's Windows NT domain name. If the string \fI%U +\fRis present it is substituted with the user's Windows +NT user name. + +Default: \fBtemplate homedir = /home/%D/%U\fR +.TP +\fBtemplate shell (G)\fR +\fBNOTE:\fR this parameter is +only available in Samba 3.0. + +When filling out the user information for a Windows NT +user, the winbindd(8) daemon +uses this parameter to fill in the login shell for that user. + +Default: \fBtemplate shell = /bin/false\fR +.TP +\fBtime offset (G)\fR +This parameter is a setting in minutes to add +to the normal GMT to local time conversion. This is useful if +you are serving a lot of PCs that have incorrect daylight +saving time handling. + +Default: \fBtime offset = 0\fR + +Example: \fBtime offset = 60\fR +.TP +\fBtime server (G)\fR +This parameter determines if +nmbd(8) advertises itself as a time server to Windows +clients. + +Default: \fBtime server = no\fR +.TP +\fBtimestamp logs (G)\fR +Synonym for \fI debug timestamp\fR. +.TP +\fBunix password sync (G)\fR +This boolean parameter controls whether Samba +attempts to synchronize the UNIX password with the SMB password +when the encrypted SMB password in the smbpasswd file is changed. +If this is set to true the program specified in the \fIpasswd +program\fRparameter is called \fBAS ROOT\fR - +to allow the new UNIX password to be set without access to the +old UNIX password (as the SMB password has change code has no +access to the old password cleartext, only the new). + +See also \fIpasswd +program\fR, \fI passwd chat\fR. + +Default: \fBunix password sync = no\fR +.TP +\fBunix realname (G)\fR +This boolean parameter when set causes samba +to supply the real name field from the unix password file to +the client. This isuseful for setting up mail clients and WWW +browsers on systems used by more than one person. + +Default: \fBunix realname = no\fR +.TP +\fBupdate encrypted (G)\fR +This boolean parameter allows a user logging +on with a plaintext password to have their encrypted (hashed) +password in the smbpasswd file to be updated automatically as +they log on. This option allows a site to migrate from plaintext +password authentication (users authenticate with plaintext +password over the wire, and are checked against a UNIX account +database) to encrypted password authentication (the SMB +challenge/response authentication mechanism) without forcing all users to re-enter their passwords via smbpasswd at the time the -change is made\&. This is a convenience option to allow the change over -to encrypted passwords to be made over a longer period\&. Once all users +change is made. This is a convenience option to allow the change over +to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd -file this parameter should be set to \f(CW"off"\fP\&. -.IP -In order for this parameter to work correctly the \fB"encrypt -passwords"\fP parameter must be set to \f(CW"no"\fP when -this parameter is set to \f(CW"yes"\fP\&. -.IP -Note that even when this parameter is set a user authenticating to -smbd must still enter a valid password in order to connect correctly, -and to update their hashed (smbpasswd) passwords\&. -.IP -\fBDefault:\fP -\f(CW update encrypted = no\fP -.IP -\fBExample:\fP -\f(CW update encrypted = yes\fP -.IP -.IP "\fBuse rhosts (G)\fP" -.IP -If this global parameter is a true, it specifies that the UNIX users -\f(CW"\&.rhosts"\fP file in their home directory will be read to find the -names of hosts and users who will be allowed access without specifying -a password\&. -.IP -NOTE: The use of \fBuse rhosts\fP can be a major security hole\&. This is -because you are trusting the PC to supply the correct username\&. It is -very easy to get a PC to supply a false username\&. I recommend that the -\fBuse rhosts\fP option be only used if you really know what you are -doing\&. -.IP -\fBDefault:\fP -\f(CW use rhosts = no\fP -.IP -\fBExample:\fP -\f(CW use rhosts = yes\fP -.IP -.IP "\fBuser (S)\fP" -.IP -Synonym for \fB"username"\fP\&. -.IP -.IP "\fBusers (S)\fP" -.IP -Synonym for \fB"username"\fP\&. -.IP -.IP "\fBusername (S)\fP" -.IP -Multiple users may be specified in a comma-delimited list, in which -case the supplied password will be tested against each username in -turn (left to right)\&. -.IP -The \fBusername=\fP line is needed only when the PC is unable to supply -its own username\&. This is the case for the COREPLUS protocol or where -your users have different WfWg usernames to UNIX usernames\&. In both -these cases you may also be better using the \f(CW\e\eserver\eshare%user\fP -syntax instead\&. -.IP -The \fBusername=\fP line is not a great solution in many cases as it -means Samba will try to validate the supplied password against each of -the usernames in the username= line in turn\&. This is slow and a bad -idea for lots of users in case of duplicate passwords\&. You may get -timeouts or security breaches using this parameter unwisely\&. -.IP -Samba relies on the underlying UNIX security\&. This parameter does not -restrict who can login, it just offers hints to the Samba server as to -what usernames might correspond to the supplied password\&. Users can -login as whoever they please and they will be able to do no more -damage than if they started a telnet session\&. The daemon runs as the -user that they log in as, so they cannot do anything that user cannot -do\&. -.IP -To restrict a service to a particular set of users you can use the -\fB"valid users="\fP parameter\&. -.IP -If any of the usernames begin with a \f(CW\'@\'\fP then the name will be -looked up first in the yp netgroups list (if Samba is compiled with -netgroup support), followed by a lookup in the UNIX groups database -and will expand to a list of all users in the group of that name\&. -.IP -If any of the usernames begin with a \f(CW\'+\'\fP then the name will be -looked up only in the UNIX groups database and will expand to a list -of all users in the group of that name\&. -.IP -If any of the usernames begin with a \f(CW\'&\'\fP then the name will be -looked up only in the yp netgroups database (if Samba is compiled with -netgroup support) and will expand to a list of all users in the -netgroup group of that name\&. -.IP -Note that searching though a groups database can take quite some time, -and some clients may time out during the search\&. -.IP -See the section \fB"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"\fP for more -information on how this parameter determines access to the services\&. -.IP -\fBDefault:\fP -\f(CW The guest account if a guest service, else the name of the service\&.\fP -.IP -\fBExamples:\fP - -.nf - +file this parameter should be set to no. - username = fred - username = fred, mary, jack, jane, @users, @pcgroup +In order for this parameter to work correctly the \fIencrypt passwords\fR +parameter must be set to no when +this parameter is set to yes. -.fi - +Note that even when this parameter is set a user +authenticating to \fBsmbd\fR must still enter a valid +password in order to connect correctly, and to update their hashed +(smbpasswd) passwords. + +Default: \fBupdate encrypted = no\fR +.TP +\fBuse rhosts (G)\fR +If this global parameter is a true, it specifies +that the UNIX users \fI.rhosts\fR file in their home directory +will be read to find the names of hosts and users who will be allowed +access without specifying a password. + +\fBNOTE:\fR The use of \fIuse rhosts +\fRcan be a major security hole. This is because you are +trusting the PC to supply the correct username. It is very easy to +get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what +you are doing. + +Default: \fBuse rhosts = no\fR +.TP +\fBuser (S)\fR +Synonym for \fI username\fR. +.TP +\fBusers (S)\fR +Synonym for \fI username\fR. +.TP +\fBusername (S)\fR +Multiple users may be specified in a comma-delimited +list, in which case the supplied password will be tested against +each username in turn (left to right). -.IP -.IP "\fBusername level (G)\fP" -.IP -This option helps Samba to try and \'guess\' at the real UNIX username, -as many DOS clients send an all-uppercase username\&. By default Samba -tries all lowercase, followed by the username with the first letter -capitalized, and fails if the username is not found on the UNIX -machine\&. -.IP -If this parameter is set to non-zero the behavior changes\&. This -parameter is a number that specifies the number of uppercase -combinations to try whilst trying to determine the UNIX user name\&. The +The \fIusername\fR line is needed only when +the PC is unable to supply its own username. This is the case +for the COREPLUS protocol or where your users have different WfWg +usernames to UNIX usernames. In both these cases you may also be +better using the \\\\server\\share%user syntax instead. + +The \fIusername\fR line is not a great +solution in many cases as it means Samba will try to validate +the supplied password against each of the usernames in the +\fIusername\fR line in turn. This is slow and +a bad idea for lots of users in case of duplicate passwords. +You may get timeouts or security breaches using this parameter +unwisely. + +Samba relies on the underlying UNIX security. This +parameter does not restrict who can login, it just offers hints +to the Samba server as to what usernames might correspond to the +supplied password. Users can login as whoever they please and +they will be able to do no more damage than if they started a +telnet session. The daemon runs as the user that they log in as, +so they cannot do anything that user cannot do. + +To restrict a service to a particular set of users you +can use the \fIvalid users +\fRparameter. + +If any of the usernames begin with a '@' then the name +will be looked up first in the yp netgroups list (if Samba +is compiled with netgroup support), followed by a lookup in +the UNIX groups database and will expand to a list of all users +in the group of that name. + +If any of the usernames begin with a '+' then the name +will be looked up only in the UNIX groups database and will +expand to a list of all users in the group of that name. + +If any of the usernames begin with a '&'then the name +will be looked up only in the yp netgroups database (if Samba +is compiled with netgroup support) and will expand to a list +of all users in the netgroup group of that name. + +Note that searching though a groups database can take +quite some time, snd some clients may time out during the +search. + +See the section NOTE ABOUT +USERNAME/PASSWORD VALIDATION for more information on how +this parameter determines access to the services. + +Default: \fBThe guest account if a guest service, +else the name of the service.\fR + +Examples:\fBusername = fred, mary, jack, jane, +@users, @pcgroup\fR +.TP +\fBusername level (G)\fR +This option helps Samba to try and 'guess' at +the real UNIX username, as many DOS clients send an all-uppercase +username. By default Samba tries all lowercase, followed by the +username with the first letter capitalized, and fails if the +username is not found on the UNIX machine. + +If this parameter is set to non-zero the behavior changes. +This parameter is a number that specifies the number of uppercase +combinations to try whilst trying to determine the UNIX user name. The higher the number the more combinations will be tried, but the slower -the discovery of usernames will be\&. Use this parameter when you have -strange usernames on your UNIX machine, such as \f(CW"AstrangeUser"\fP\&. -.IP -\fBDefault:\fP -\f(CW username level = 0\fP -.IP -\fBExample:\fP -\f(CW username level = 5\fP -.IP -.IP "\fBusername map (G)\fP" -.IP -This option allows you to specify a file containing a mapping of -usernames from the clients to the server\&. This can be used for several -purposes\&. The most common is to map usernames that users use on DOS or -Windows machines to those that the UNIX box uses\&. The other is to map -multiple users to a single username so that they can more easily share -files\&. -.IP -The map file is parsed line by line\&. Each line should contain a single -UNIX username on the left then a \f(CW\'=\'\fP followed by a list of -usernames on the right\&. The list of usernames on the right may contain -names of the form @group in which case they will match any UNIX -username in that group\&. The special client name \f(CW\'*\'\fP is a wildcard -and matches any name\&. Each line of the map file may be up to 1023 -characters long\&. -.IP -The file is processed on each line by taking the supplied username and -comparing it with each username on the right hand side of the \f(CW\'=\'\fP -signs\&. If the supplied name matches any of the names on the right hand -side then it is replaced with the name on the left\&. Processing then -continues with the next line\&. -.IP -If any line begins with a \f(CW\'#\'\fP or a \f(CW\';\'\fP then it is ignored -.IP -If any line begins with an \f(CW\'!\'\fP then the processing will stop after -that line if a mapping was done by the line\&. Otherwise mapping -continues with every line being processed\&. Using \f(CW\'!\'\fP is most -useful when you have a wildcard mapping line later in the file\&. -.IP -For example to map from the name \f(CW"admin"\fP or \f(CW"administrator"\fP to -the UNIX name \f(CW"root"\fP you would use: -.IP -\f(CW root = admin administrator\fP -.IP -Or to map anyone in the UNIX group \f(CW"system"\fP to the UNIX name -\f(CW"sys"\fP you would use: -.IP -\f(CW sys = @system\fP -.IP -You can have as many mappings as you like in a username map file\&. -.IP -If your system supports the NIS NETGROUP option then the netgroup -database is checked before the \f(CW/etc/group\fP database for matching -groups\&. -.IP -You can map Windows usernames that have spaces in them by using double -quotes around the name\&. For example: -.IP -\f(CW tridge = "Andrew Tridgell"\fP -.IP -would map the windows username \f(CW"Andrew Tridgell"\fP to the unix -username tridge\&. -.IP -The following example would map mary and fred to the unix user sys, -and map the rest to guest\&. Note the use of the \f(CW\'!\'\fP to tell Samba -to stop processing if it gets a match on that line\&. -.IP - -.nf - +the discovery of usernames will be. Use this parameter when you have +strange usernames on your UNIX machine, such as AstrangeUser +\&. - !sys = mary fred - guest = * +Default: \fBusername level = 0\fR -.fi - +Example: \fBusername level = 5\fR +.TP +\fBusername map (G)\fR +This option allows you to specify a file containing +a mapping of usernames from the clients to the server. This can be +used for several purposes. The most common is to map usernames +that users use on DOS or Windows machines to those that the UNIX +box uses. The other is to map multiple users to a single username +so that they can more easily share files. + +The map file is parsed line by line. Each line should +contain a single UNIX username on the left then a '=' followed +by a list of usernames on the right. The list of usernames on the +right may contain names of the form @group in which case they +will match any UNIX username in that group. The special client +name '*' is a wildcard and matches any name. Each line of the +map file may be up to 1023 characters long. + +The file is processed on each line by taking the +supplied username and comparing it with each username on the right +hand side of the '=' signs. If the supplied name matches any of +the names on the right hand side then it is replaced with the name +on the left. Processing then continues with the next line. + +If any line begins with a '#' or a ';' then it is +ignored -.IP -Note that the remapping is applied to all occurrences of -usernames\&. Thus if you connect to \f(CW"\e\eserver\efred"\fP and \f(CW"fred"\fP -is remapped to \f(CW"mary"\fP then you will actually be connecting to -\f(CW"\e\eserver\emary"\fP and will need to supply a password suitable for -\f(CW"mary"\fP not \f(CW"fred"\fP\&. The only exception to this is the username -passed to the \fB"password server"\fP (if you have -one)\&. The password server will receive whatever username the client -supplies without modification\&. -.IP -Also note that no reverse mapping is done\&. The main effect this has is -with printing\&. Users who have been mapped may have trouble deleting -print jobs as PrintManager under WfWg will think they don\'t own the -print job\&. -.IP -\fBDefault:\fP -\f(CW no username map\fP -.IP -\fBExample:\fP -\f(CW username map = /usr/local/samba/lib/users\&.map\fP -.IP -.IP "\fButmp (S)\fP" -.IP -This boolean parameter is only available if Samba has been configured and compiled -with the option \f(CW--with-utmp\fP\&. If set to True then Samba will attempt +If any line begins with an '!' then the processing +will stop after that line if a mapping was done by the line. +Otherwise mapping continues with every line being processed. +Using '!' is most useful when you have a wildcard mapping line +later in the file. + +For example to map from the name admin +or administrator to the UNIX name root you would use: + +\fBroot = admin administrator\fR + +Or to map anyone in the UNIX group system +to the UNIX name sys you would use: + +\fBsys = @system\fR + +You can have as many mappings as you like in a username +map file. + +If your system supports the NIS NETGROUP option then +the netgroup database is checked before the \fI/etc/group +\fRdatabase for matching groups. + +You can map Windows usernames that have spaces in them +by using double quotes around the name. For example: + +\fBtridge = "Andrew Tridgell"\fR + +would map the windows username "Andrew Tridgell" to the +unix username "tridge". + +The following example would map mary and fred to the +unix user sys, and map the rest to guest. Note the use of the +\&'!' to tell Samba to stop processing if it gets a match on +that line. + +.sp +.nf + !sys = mary fred + guest = * + +.sp +.fi + +Note that the remapping is applied to all occurrences +of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you +will actually be connecting to \\\\server\\mary and will need to +supply a password suitable for mary not +fred. The only exception to this is the +username passed to the \fI password server\fR (if you have one). The password +server will receive whatever username the client supplies without +modification. + +Also note that no reverse mapping is done. The main effect +this has is with printing. Users who have been mapped may have +trouble deleting print jobs as PrintManager under WfWg will think +they don't own the print job. + +Default: \fBno username map\fR + +Example: \fBusername map = /usr/local/samba/lib/users.map +\fR.TP +\fButmp (S)\fR +This boolean parameter is only available if +Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to True then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a -connection is made to a Samba server\&. Sites may use this to record the -user connecting to a Samba share\&. -.IP -See also the \fB"utmp directory"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CWutmp = False\fP -.IP -\fBExample:\fP -\f(CWutmp = True\fP -.IP -.IP "\fButmp directory(G)\fP" -.IP -This parameter is only available if Samba has been configured and compiled -with the option \f(CW--with-utmp\fP\&. It specifies a directory pathname that is +connection is made to a Samba server. Sites may use this to record the +user connecting to a Samba share. + +See also the \fI utmp directory\fR parameter. + +Default: \fButmp = no\fR +.TP +\fButmp directory(G)\fR +This parameter is only available if Samba has +been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that -record user connections to a Samba server\&. See also the \fB"utmp"\fP -parameter\&. By default this is not set, meaning the system will use whatever -utmp file the native system is set to use (usually /var/run/utmp on Linux)\&. -.IP -\fBDefault:\fP -\f(CWno utmp directory\fP -.IP -\fBExample:\fP -\f(CWutmp directory = /var/adm/\fP -.IP -.IP "winbind cache time" -.IP -NOTE: this parameter is only available in Samba 3\&.0\&. -.IP +record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is +not set, meaning the system will use whatever utmp file the +native system is set to use (usually +\fI/var/run/utmp\fR on Linux). + +Default: \fBno utmp directory\fR +.TP +\fBwinbind cache time\fR +\fBNOTE:\fR this parameter is only +available in Samba 3.0. + This parameter specifies the number of seconds the -\fBwinbindd\fP daemon will cache user and group -information before querying a Windows NT server again\&. -.IP -\fBDefault:\fP -\f(CW winbind cache type = 15\fP -.IP -.IP "winbind gid" -.IP -NOTE: this parameter is only available in Samba 3\&.0\&. -.IP -The winbind gid parameter specifies the range of group ids that are -allocated by the \fBwinbindd\fP daemon\&. This range of -group ids should have no existing local or nis groups within it as strange -conflicts can occur otherwise\&. -.IP -\fBDefault:\fP -\f(CW winbind gid = \fP -.IP -\fBExample:\fP -\f(CW winbind gid = 10000-20000\fP -.IP -.IP "winbind uid" -.IP -NOTE: this parameter is only available in Samba 3\&.0\&. -.IP -The winbind uid parameter specifies the range of user ids that are -allocated by the \fBwinbindd\fP daemon\&. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise\&. -.IP -\fBDefault:\fP -\f(CW winbind uid = \fP -.IP -\fBExample:\fP -\f(CW winbind uid = 10000-20000\fP -.IP -.IP "\fBvalid chars (G)\fP" -.IP -The option allows you to specify additional characters that should be -considered valid by the server in filenames\&. This is particularly -useful for national character sets, such as adding u-umlaut or a-ring\&. -.IP -The option takes a list of characters in either integer or character -form with spaces between them\&. If you give two characters with a colon -between them then it will be taken as an lowercase:uppercase pair\&. -.IP -If you have an editor capable of entering the characters into the -config file then it is probably easiest to use this method\&. Otherwise -you can specify the characters in octal, decimal or hexadecimal form -using the usual C notation\&. -.IP -For example to add the single character \f(CW\'Z\'\fP to the charset (which -is a pointless thing to do as it\'s already there) you could do one of -the following -.IP - -.nf - +winbindd(8) daemon will cache +user and group information before querying a Windows NT server +again. - valid chars = Z - valid chars = z:Z - valid chars = 0132:0172 +Default: \fBwinbind cache type = 15\fR +.TP +\fBwinbind gid\fR +\fBNOTE:\fR this parameter is only +available in Samba 3.0. -.fi - +The winbind gid parameter specifies the range of group +ids that are allocated by the winbindd(8) daemon. This range of group ids should have no +existing local or nis groups within it as strange conflicts can +occur otherwise. -.IP -The last two examples above actually add two characters, and alter the -uppercase and lowercase mappings appropriately\&. -.IP -Note that you MUST specify this parameter after the \fB"client -code page"\fP parameter if you have both set\&. If -\fB"client code page"\fP is set after the -\fB"valid chars"\fP parameter the \fB"valid chars"\fP settings will be -overwritten\&. -.IP -See also the \fB"client code page"\fP parameter\&. -.IP -\fBDefault:\fP - -.nf - +Default: \fBwinbind gid = +\fR +Example: \fBwinbind gid = 10000-20000\fR +.TP +\fBwinbind uid\fR +\fBNOTE:\fR this parameter is only +available in Samba 3.0. - Samba defaults to using a reasonable set of valid characters - for English systems +The winbind gid parameter specifies the range of group +ids that are allocated by the winbindd(8) daemon. This range of ids should have no +existing local or nis users within it as strange conflicts can +occur otherwise. -.fi - +Default: \fBwinbind uid = +\fR +Example: \fBwinbind uid = 10000-20000\fR +.TP +\fBvalid chars (G)\fR +The option allows you to specify additional +characters that should be considered valid by the server in +filenames. This is particularly useful for national character +sets, such as adding u-umlaut or a-ring. -.IP -\fBExample\fP -\f(CW valid chars = 0345:0305 0366:0326 0344:0304\fP -.IP -The above example allows filenames to have the Swedish characters in -them\&. -.IP -NOTE: It is actually quite difficult to correctly produce a \fB"valid -chars"\fP line for a particular system\&. To automate the process -\fItino@augsburg\&.net\fP has written a package called \fB"validchars"\fP -which will automatically produce a complete \fB"valid chars"\fP line for -a given client system\&. Look in the examples/validchars/ subdirectory -of your Samba source code distribution for this package\&. -.IP -.IP "\fBvalid users (S)\fP" -.IP -This is a list of users that should be allowed to login to this -service\&. Names starting with \f(CW\'@\'\fP, \f(CW\'+\'\fP and \f(CW\'&\'\fP are -interpreted using the same rules as described in the \fB"invalid -users"\fP parameter\&. -.IP -If this is empty (the default) then any user can login\&. If a username -is in both this list and the \fB"invalid users"\fP -list then access is denied for that user\&. -.IP -The current servicename is substituted for -\fB"%S"\fP\&. This is useful in the -\fB[homes]\fP section\&. -.IP -See also \fB"invalid users"\fP\&. -.IP -\fBDefault:\fP -\f(CW No valid users list\&. (anyone can login)\fP -.IP -\fBExample:\fP -\f(CW valid users = greg, @pcusers\fP -.IP -.IP "\fBveto files(S)\fP" -.IP -This is a list of files and directories that are neither visible nor -accessible\&. Each entry in the list must be separated by a \f(CW\'/\'\fP, -which allows spaces to be included in the entry\&. \f(CW\'*\'\fP and \f(CW\'?\'\fP -can be used to specify multiple files or directories as in DOS -wildcards\&. -.IP -Each entry must be a unix path, not a DOS path and must \fI*not*\fP include the -unix directory separator \f(CW\'/\'\fP\&. -.IP -Note that the \fB"case sensitive"\fP option is -applicable in vetoing files\&. -.IP -One feature of the veto files parameter that it is important to be -aware of, is that if a directory contains nothing but files that match -the veto files parameter (which means that Windows/DOS clients cannot -ever see them) is deleted, the veto files within that directory *are -automatically deleted* along with it, if the user has UNIX permissions -to do so\&. -.IP -Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned\&. -.IP -See also \fB"hide files"\fP and \fB"case -sensitive"\fP\&. -.IP -\fBDefault:\fP -\f(CW No files or directories are vetoed\&.\fP -.IP -\fBExamples:\fP -.IP -Example 1\&. -.IP - -.nf - +The option takes a list of characters in either integer +or character form with spaces between them. If you give two +characters with a colon between them then it will be taken as +an lowercase:uppercase pair. +If you have an editor capable of entering the characters +into the config file then it is probably easiest to use this +method. Otherwise you can specify the characters in octal, +decimal or hexadecimal form using the usual C notation. - Veto any files containing the word Security, - any ending in \&.tmp, and any directory containing the - word root\&. +For example to add the single character 'Z' to the charset +(which is a pointless thing to do as it's already there) you could +do one of the following - veto files = /*Security*/*\&.tmp/*root*/ +.sp +.nf + valid chars = Z + valid chars = z:Z + valid chars = 0132:0172 + +.sp +.fi -.fi - +The last two examples above actually add two characters, +and alter the uppercase and lowercase mappings appropriately. -.IP -Example 2\&. -.IP +Note that you \fBMUST\fR specify this parameter +after the \fIclient code page\fR parameter if you +have both set. If \fIclient code page\fR is set after +the \fIvalid chars\fR parameter the \fIvalid +chars\fR settings will be overwritten. -.nf - +See also the \fIclient +code page\fR parameter. - Veto the Apple specific files that a NetAtalk server - creates\&. +Default: \fBSamba defaults to using a reasonable set +of valid characters for English systems\fR - veto files = /\&.AppleDouble/\&.bin/\&.AppleDesktop/Network Trash Folder/ +Example: \fBvalid chars = 0345:0305 0366:0326 0344:0304 +\fR +The above example allows filenames to have the Swedish +characters in them. -.fi - +\fBNOTE:\fR It is actually quite difficult to +correctly produce a \fIvalid chars\fR line for +a particular system. To automate the process tino@augsburg.net has written +a package called \fBvalidchars\fR which will automatically +produce a complete \fIvalid chars\fR line for +a given client system. Look in the \fIexamples/validchars/ +\fRsubdirectory of your Samba source code distribution +for this package. +.TP +\fBvalid users (S)\fR +This is a list of users that should be allowed +to login to this service. Names starting with '@', '+' and '&' +are interpreted using the same rules as described in the +\fIinvalid users\fR parameter. + +If this is empty (the default) then any user can login. +If a username is in both this list and the \fIinvalid +users\fR list then access is denied for that user. + +The current servicename is substituted for \fI%S +\fR\&. This is useful in the [homes] section. + +See also \fIinvalid users +\fR +Default: \fBNo valid users list (anyone can login) +\fR +Example: \fBvalid users = greg, @pcusers\fR +.TP +\fBveto files(S)\fR +This is a list of files and directories that +are neither visible nor accessible. Each entry in the list must +be separated by a '/', which allows spaces to be included +in the entry. '*' and '?' can be used to specify multiple files +or directories as in DOS wildcards. + +Each entry must be a unix path, not a DOS path and +must \fBnot\fR include the unix directory +separator '/'. + +Note that the \fIcase sensitive\fR option +is applicable in vetoing files. -.IP -.IP "\fBveto oplock files (S)\fP" -.IP -This parameter is only valid when the \fB"oplocks"\fP -parameter is turned on for a share\&. It allows the Samba administrator +One feature of the veto files parameter that it is important +to be aware of, is that if a directory contains nothing but files +that match the veto files parameter (which means that Windows/DOS +clients cannot ever see them) is deleted, the veto files within +that directory \fBare automatically deleted\fR along +with it, if the user has UNIX permissions to do so. + +Setting this parameter will affect the performance +of Samba, as it will be forced to check all files and directories +for a match as they are scanned. + +See also \fIhide files +\fRand \fI case sensitive\fR. + +Default: \fBNo files or directories are vetoed. +\fR +Examples: +.sp +.nf + ; Veto any files containing the word Security, + ; any ending in .tmp, and any directory containing the + ; word root. + veto files = /*Security*/*.tmp/*root*/ + + ; Veto the Apple specific files that a NetAtalk server + ; creates. + veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + +.sp +.fi +.TP +\fBveto oplock files (S)\fR +This parameter is only valid when the \fIoplocks\fR +parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the -\fB"veto files"\fP parameter\&. -.IP -\fBDefault:\fP -\f(CW No files are vetoed for oplock grants\&.\fP -.IP -\fBExamples:\fP -.IP -You might want to do this on files that you know will be heavily -contended for by clients\&. A good example of this is in the NetBench -SMB benchmark program, which causes heavy client contention for files -ending in \f(CW"\&.SEM"\fP\&. To cause Samba not to grant oplocks on these -files you would use the line (either in the \fB[global]\fP -section or in the section for the particular NetBench share : -.IP -\f(CW veto oplock files = /*\&.SEM/\fP -.IP -.IP "\fBvolume (S)\fP" -.IP -This allows you to override the volume label returned for a -share\&. Useful for CDROMs with installation programs that insist on a -particular volume label\&. -.IP -The default is the name of the share\&. -.IP -.IP "\fBwide links (S)\fP" -.IP -This parameter controls whether or not links in the UNIX file system -may be followed by the server\&. Links that point to areas within the -directory tree exported by the server are always allowed; this -parameter controls access only to areas that are outside the directory -tree being exported\&. -.IP -Note that setting this parameter can have a negative effect on your -server performance due to the extra system calls that Samba has to -do in order to perform the link checks\&. -.IP -\fBDefault:\fP -\f(CW wide links = yes\fP -.IP -\fBExample:\fP -\f(CW wide links = no\fP -.IP -.IP "\fBwins proxy (G)\fP" -.IP -This is a boolean that controls if \fBnmbd\fP will -respond to broadcast name queries on behalf of other hosts\&. You may -need to set this to \f(CW"yes"\fP for some older clients\&. -.IP -\fBDefault:\fP -\f(CW wins proxy = no\fP -.IP -.IP "\fBwins server (G)\fP" -.IP -This specifies the IP address (or DNS name: IP address for preference) -of the WINS server that \fBnmbd\fP should register with\&. -If you have a WINS server on your network then you should set this to -the WINS server\'s IP\&. -.IP +\fIveto files\fR +parameter. + +Default: \fBNo files are vetoed for oplock +grants\fR + +You might want to do this on files that you know will +be heavily contended for by clients. A good example of this +is in the NetBench SMB benchmark program, which causes heavy +client contention for files ending in \fI.SEM\fR. +To cause Samba not to grant oplocks on these files you would use +the line (either in the [global] section or in the section for +the particular NetBench share : + +Example: \fBveto oplock files = /*;.SEM/ +\fR.TP +\fBvolume (S)\fR +This allows you to override the volume label +returned for a share. Useful for CDROMs with installation programs +that insist on a particular volume label. + +Default: \fBthe name of the share\fR +.TP +\fBwide links (S)\fR +This parameter controls whether or not links +in the UNIX file system may be followed by the server. Links +that point to areas within the directory tree exported by the +server are always allowed; this parameter controls access only +to areas that are outside the directory tree being exported. + +Note that setting this parameter can have a negative +effect on your server performance due to the extra system calls +that Samba has to do in order to perform the link checks. + +Default: \fBwide links = yes\fR +.TP +\fBwins proxy (G)\fR +This is a boolean that controls if nmbd(8) will respond to broadcast name +queries on behalf of other hosts. You may need to set this +to yes for some older clients. + +Default: \fBwins proxy = no\fR +.TP +\fBwins server (G)\fR +This specifies the IP address (or DNS name: IP +address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on +your network then you should set this to the WINS server's IP. + You should point this at your WINS server if you have a -multi-subnetted network\&. -.IP -\fINOTE\fP\&. You need to set up Samba to point to a WINS server if you -have multiple subnets and wish cross-subnet browsing to work correctly\&. -.IP -See the documentation file BROWSING\&.txt in the docs/ directory of your -Samba source distribution\&. -.IP -\fBDefault:\fP -\f(CW wins server = \fP -.IP -\fBExample:\fP -\f(CW wins server = 192\&.9\&.200\&.1\fP -.IP -.IP "\fBwins hook (G)\fP" -.IP -When Samba is running as a WINS server this allows you to call an -external program for all changes to the WINS database\&. The primary use -for this option is to allow the dynamic update of external name -resolution databases such as dynamic DNS\&. -.IP -The wins hook parameter specifies the name of a script or executable -that will be called as follows: -.IP -wins_hook operation name nametype ttl IP_list -.IP -The first argument is the operation and is one of "add", "delete", -or "refresh"\&. In most cases the operation can be ignored as the rest -of the parameters provide sufficient information\&. Note that "refresh" -may sometimes be called when the name has not previously been added, -in that case it should be treated as an add\&. -.IP -The second argument is the netbios name\&. If the name is not a legal -name then the wins hook is not called\&. Legal names contain only -letters, digits, hyphens, underscores and periods\&. -.IP -The third argument is the netbios name type as a 2 digit hexadecimal -number\&. -.IP -The fourth argument is the TTL (time to live) for the name in seconds\&. -.IP -The fifth and subsequent arguments are the IP addresses currently -registered for that name\&. If this list is empty then the name should -be deleted\&. -.IP -An example script that calls the BIND dynamic DNS update program -"nsupdate" is provided in the examples directory of the Samba source -code\&. -.IP -.IP "\fBwins support (G)\fP" -.IP -This boolean controls if the \fBnmbd\fP process in -Samba will act as a WINS server\&. You should not set this to true -unless you have a multi-subnetted network and you wish a particular -\fBnmbd\fP to be your WINS server\&. Note that you -should \fI*NEVER*\fP set this to true on more than one machine in your -network\&. -.IP -\fBDefault:\fP -\f(CW wins support = no\fP -.IP -.IP "\fBworkgroup (G)\fP" -.IP -This controls what workgroup your server will appear to be in when -queried by clients\&. Note that this parameter also controls the Domain -name used with the \fB"security=domain"\fP -setting\&. -.IP -\fBDefault:\fP -\f(CW set at compile time to WORKGROUP\fP -.IP -\fBExample:\fP -workgroup = MYGROUP -.IP -.IP "\fBwritable (S)\fP" -.IP -Synonym for \fB"writeable"\fP for people who can\'t spell :-)\&. -.IP -.IP "\fBwrite list (S)\fP" -.IP -This is a list of users that are given read-write access to a -service\&. If the connecting user is in this list then they will be -given write access, no matter what the \fB"writeable"\fP -option is set to\&. The list can include group names using the @group -syntax\&. -.IP -Note that if a user is in both the read list and the write list then -they will be given write access\&. -.IP -See also the \fB"read list"\fP option\&. -.IP -\fBDefault:\fP -\f(CW write list = \fP -.IP -\fBExample:\fP -\f(CW write list = admin, root, @staff\fP -.IP -.IP "\fBwrite cache size (S)\fP" -.IP -This integer parameter (new with Samba 2\&.0\&.7) if set to non-zero causes Samba to create an in-memory -cache for each oplocked file (it does \fBnot\fP do this for non-oplocked files)\&. All -writes that the client does not request to be flushed directly to disk will be -stored in this cache if possible\&. The cache is flushed onto disk when a write -comes in whose offset would not fit into the cache or when the file is closed -by the client\&. Reads for the file are also served from this cache if the data -is stored within it\&. -.IP -This cache allows Samba to batch client writes into a more efficient write -size for RAID disks (ie\&. writes may be tuned to be the RAID stripe size) and -can improve performance on systems where the disk subsystem is a bottleneck -but there is free memory for userspace programs\&. -.IP -The integer parameter specifies the size of this cache (per oplocked file) -in bytes\&. -.IP -\fBDefault:\fP -\f(CW write cache size = 0\fP -.IP -\fBExample:\fP -\f(CW write cache size = 262144\fP -for a 256k cache size per file\&. -.IP -.IP "\fBwrite ok (S)\fP" -.IP -Synonym for \fBwriteable\fP\&. -.IP -.IP "\fBwrite raw (G)\fP" -.IP -This parameter controls whether or not the server will support raw -writes SMB\'s when transferring data from clients\&. You should never -need to change this parameter\&. -.IP -\fBDefault:\fP -\f(CW write raw = yes\fP -.IP -.IP "\fBwriteable\fP" -.IP -An inverted synonym is \fB"read only"\fP\&. -.IP -If this parameter is \f(CW"no"\fP, then users of a service may not create -or modify files in the service\'s directory\&. -.IP -Note that a printable service \fB("printable = yes")\fP -will \fI*ALWAYS*\fP allow writing to the directory (user privileges -permitting), but only via spooling operations\&. -.IP -\fBDefault:\fP -\f(CW writeable = no\fP -.IP -\fBExamples:\fP - -.nf - +multi-subnetted network. - read only = no - writeable = yes - write ok = yes +\fBNOTE\fR. You need to set up Samba to point +to a WINS server if you have multiple subnets and wish cross-subnet +browsing to work correctly. -.fi - +See the documentation file \fIBROWSING.txt\fR +in the docs/ directory of your Samba source distribution. + +Default: \fBnot enabled\fR + +Example: \fBwins server = 192.9.200.1\fR +.TP +\fBwins hook (G)\fR +When Samba is running as a WINS server this +allows you to call an external program for all changes to the +WINS database. The primary use for this option is to allow the +dynamic update of external name resolution databases such as +dynamic DNS. + +The wins hook parameter specifies the name of a script +or executable that will be called as follows: + +\fBwins_hook operation name nametype ttl IP_list +\fR.RS +.TP 0.2i +\(bu +The first argument is the operation and is one +of "add", "delete", or "refresh". In most cases the operation can +be ignored as the rest of the parameters provide sufficient +information. Note that "refresh" may sometimes be called when the +name has not previously been added, in that case it should be treated +as an add. +.TP 0.2i +\(bu +The second argument is the netbios name. If the +name is not a legal name then the wins hook is not called. +Legal names contain only letters, digits, hyphens, underscores +and periods. +.TP 0.2i +\(bu +The third argument is the netbios name +type as a 2 digit hexadecimal number. +.TP 0.2i +\(bu +The fourth argument is the TTL (time to live) +for the name in seconds. +.TP 0.2i +\(bu +The fifth and subsequent arguments are the IP +addresses currently registered for that name. If this list is +empty then the name should be deleted. +.RE +.PP +An example script that calls the BIND dynamic DNS update +program \fBnsupdate\fR is provided in the examples +directory of the Samba source code. +.PP +.TP +\fBwins support (G)\fR +This boolean controls if the +nmbd(8) process in Samba will act as a WINS server. You should +not set this to true unless you have a multi-subnetted network and +you wish a particular \fBnmbd\fR to be your WINS server. +Note that you should \fBNEVER\fR set this to true +on more than one machine in your network. + +Default: \fBwins support = no\fR +.TP +\fBworkgroup (G)\fR +This controls what workgroup your server will +appear to be in when queried by clients. Note that this parameter +also controls the Domain name used with the \fBsecurity=domain\fR +setting. + +Default: \fBset at compile time to WORKGROUP\fR + +Example: \fBworkgroup = MYGROUP\fR +.TP +\fBwritable (S)\fR +Synonym for \fI writeable\fR for people who can't spell :-). +.TP +\fBwrite list (S)\fR +This is a list of users that are given read-write +access to a service. If the connecting user is in this list then +they will be given write access, no matter what the \fIwriteable\fR +option is set to. The list can include group names using the +@group syntax. + +Note that if a user is in both the read list and the +write list then they will be given write access. + +See also the \fIread list +\fRoption. + +Default: \fBwrite list = +\fR +Example: \fBwrite list = admin, root, @staff +\fR.TP +\fBwrite cache size (S)\fR +This integer parameter (new with Samba 2.0.7) +if set to non-zero causes Samba to create an in-memory cache for +each oplocked file (it does \fBnot\fR do this for +non-oplocked files). All writes that the client does not request +to be flushed directly to disk will be stored in this cache if possible. +The cache is flushed onto disk when a write comes in whose offset +would not fit into the cache or when the file is closed by the client. +Reads for the file are also served from this cache if the data is stored +within it. + +This cache allows Samba to batch client writes into a more +efficient write size for RAID disks (ie. writes may be tuned to +be the RAID stripe size) and can improve performance on systems +where the disk subsystem is a bottleneck but there is free +memory for userspace programs. + +The integer parameter specifies the size of this cache +(per oplocked file) in bytes. + +Default: \fBwrite cache size = 0\fR + +Example: \fBwrite cache size = 262144\fR + +for a 256k cache size per file. +.TP +\fBwrite ok (S)\fR +Synonym for \fI writeable\fR. +.TP +\fBwrite raw (G)\fR +This parameter controls whether or not the server +will support raw writes SMB's when transferring data from clients. +You should never need to change this parameter. + +Default: \fBwrite raw = yes\fR +.TP +\fBwriteable (S)\fR +An inverted synonym is \fIread only\fR. + +If this parameter is no, then users +of a service may not create or modify files in the service's +directory. + +Note that a printable service (\fBprintable = yes\fR) +will \fBALWAYS\fR allow writing to the directory +(user privileges permitting), but only via spooling operations. -.IP -.PP -.SH "WARNINGS" -.PP -Although the configuration file permits service names to contain -spaces, your client software may not\&. Spaces will be ignored in -comparisons anyway, so it shouldn\'t be a problem - but be aware of the -possibility\&. -.PP -On a similar note, many clients - especially DOS clients - limit -service names to eight characters\&. \fBSmbd\fP has no -such limitation, but attempts to connect from such clients will fail -if they truncate the service names\&. For this reason you should -probably keep your service names down to eight characters in length\&. -.PP -Use of the \fB[homes]\fP and \fB[printers]\fP -special sections make life for an administrator easy, but the various -combinations of default attributes can be tricky\&. Take extreme care -when designing these sections\&. In particular, ensure that the -permissions on spool directories are correct\&. -.PP -.SH "VERSION" -.PP -This man page is correct for version 2\&.0 of the Samba suite\&. -.PP -.SH "SEE ALSO" -.PP -\fBsmbd (8)\fP, \fBsmbclient (1)\fP, -\fBnmbd (8)\fP, \fBtestparm (1)\fP, -\fBtestprns (1)\fP, \fBSamba\fP, -\fBnmblookup (1)\fP, \fBsmbpasswd (5)\fP, -\fBsmbpasswd (8)\fP\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell \fIsamba@samba\&.org\fP\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.PP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy Allison\&. -\fIsamba@samba\&.org\fP\&. -.PP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. +Default: \fBwriteable = no\fR +.SH "WARNINGS" +.PP +Although the configuration file permits service names +to contain spaces, your client software may not. Spaces will +be ignored in comparisons anyway, so it shouldn't be a +problem - but be aware of the possibility. +.PP +On a similar note, many clients - especially DOS clients - +limit service names to eight characters. smbd(8) + has no such limitation, but attempts to connect from such +clients will fail if they truncate the service names. For this reason +you should probably keep your service names down to eight characters +in length. +.PP +Use of the [homes] and [printers] special sections make life +for an administrator easy, but the various combinations of default +attributes can be tricky. Take extreme care when designing these +sections. In particular, ensure that the permissions on spool +directories are correct. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +samba(7) , +\fBsmbpasswd(8)\fR , +\fBswat(8)\fR , +\fBsmbd(8)\fR , +\fBnmbd(8)\fR , +\fBsmbclient(1)\fR , +\fBnmblookup(1)\fR , +\fBtestparm(1)\fR , +\fBtestprns(1)\fR +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ ) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter -- cgit