Synopsis

pdbedit [-l] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-d debuglevel] [-s configfile] [-P account-policy] [-V value]

[-l] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-d debuglevel] [-s configfile] [-P account-policy] [-V value]

pdbedit -l

sorce:500:Simo Sorce samba:45:Test User

pdbedit -l -v

--------------- @@ -132,6 +144,9 @@ CLASS="PROGRAMLISTING" Logon Script: Profile Path: \\BERSERKER\profile

pdbedit -l -w

sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX ]:LCT-00000000: samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX ]:LCT-3BFA1E8D:

This option specifies the username to be used for the operation requested (listing, adding, removing). - It is required in add, remove and modify - operations and optional in list operations.

pdbedit -a -u sorce -

new password:
 		retype new password

Valid policies are: minimum password age, reset count minutes, disconnect time, user must logon to change password, password history, lockout duration, min password length, - maximum password age and bad lockout attempt. - -

Example: pdbedit -P "bad lockout attempt"

account policy value for bad lockout attempt is 0

-P option. -

Example: pdbedit -P "bad lockout attempt" -V 3

account policy value for bad lockout attempt was 0 account policy value for bad lockout attempt is now 3

Print a summary of command line options.

-s <configuration file>

The file specified contains the diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index d409469e7c..5e0e9be1e8 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -1,11 +1,12 @@ - + smb.conf

smb.conf

There are three special sections, [global], [homes] and [printers], which are - described under special sections. The following notes apply to ordinary section descriptions.

Sections may be designated Sections may be designated guest services, in which case no password is required to access them. A specified - UNIX guest account is used to define access privileges in this case.

/home/bar. The share is accessed via the share name "foo":

The following sample section defines a printable share. The share is readonly, but printable. That is, the only write access permitted is via calls to open, write to and close a - spool file. The guest ok parameter means access will be permitted as the default guest user (specified elsewhere):

If you decide to use a If you decide to use a path = line in your [homes] section then you may find it useful to use the %S macro. For example :

An important point is that if guest access is specified in the [homes] section, all home directories will be - visible to all clients without a password. In the very unlikely event that this is actually desirable, it - would be wise to also specify read only access.

Note that the Note that the browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as - it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify @@ -462,44 +479,29 @@ NAME="AEN102" >parameters define the specific attributes of sections.

Some parameters are specific to the [global] section - (e.g., security). Some parameters are usable - in all sections (e.g., create mode). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] - sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the - [global] section. The letter S indicates that a parameter can be specified in a service specific - section. Note that all S parameters can also be specified in the [global] section - in which case they will define the default behavior for all services.

the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have - not compiled Samba with the --with-automount option then this value will be the same as %L.

controls if names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. - Default no.
controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed - names. Default no.
controls what the default case is for new - filenames. Default lower.
controls if new files are created with the case that the client passes, or if they are forced to be the - "default" case. Default yes.
yes.
abort shutdown script (G)
This parameter only exists in the HEAD cvs branch This a full path name to a script called by
This command will be run as user.
Default: Default: None.
Example:
Default: Default: none
Example: .
Default: Default: none
Example:
Default: add machine script = <empty string> +>add machine script = <empty string>
This is the full pathname to a script that will - be run AS ROOT by smbd to create the required UNIX users - ON DEMAND when a user accesses the Samba server.
In order to use this option, smbd - must NOT be set to smbdwill - call the specified script AS ROOT, expanding any
Default: add user script = <empty string> +>add user script = <empty string>
This is the full pathname to a script that will - be run AS ROOT by
Default: Default: no admin users
Example: smbd(8) - AS ROOT. Any
Default: auth methods = <empty string>auth methods = <empty string>
Example: available = no, then , then ALL attempts to connect to the service will fail. Such failures are logged.
This global parameter allows the Samba admin - to limit what interfaces on a machine will serve SMB requests. If + to limit what interfaces on a machine will serve SMB requests. It affects file service interfaces list. IP Source address spoofing - does defeat this simple check, however so it must not be used + does defeat this simple check, however, so it must not be used seriously as a security feature for nmbdbind interfaces only is set then - unless the network address 127.0.0.1 is added to the smbpasswd- by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the password change request. If bind interfaces onlyis set then unless the - network address 127.0.0.1 is added to the nmbdat the address - 127.0.0.1 to determine if they are running. - Not adding 127.0.0.1 will cause smbd.
Default: Default: none
Example: parameter.
Default: Default: No comment string
Example:
Default: Default: no value
Example: not set here will be removed from the modes set on a file when it is created.
csc policy (S)
This stands for This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.
This parameter specifies the name of a service which will be connected to if the service actually requested cannot - be found. Note that the square brackets are NOT given in the parameter value (see example below).
Example:
[global] @@ -6758,6 +6679,9 @@ CLASS="PROGRAMLISTING" [pub] path = /%S
This is the full pathname to a script that will - be run AS ROOT by
Default: Default: none
Example: .
Default: Default: none
Example:
Default: delete user script = <empty string> +>delete user script = <empty string>
smbd(8) - AS ROOT. Any
Note: Your script should Note: Your script should NOT be setuid or setgid and should be owned by (and writeable only by) root!
Default: Default: By default internal routines for determining the disk capacity and remaining space will be used.
Example:
Where the script dfree (which must be made executable) could be:
#!/bin/sh df $1 | tail -1 | awk '{print $2" "$4}'
or perhaps (on Sys V based systems):
#!/bin/sh /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
Note that you may have to replace the command names @@ -7308,12 +7232,9 @@ NAME="DIRECTORYMASK" calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for - the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.
Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -7533,12 +7451,9 @@ NAME="DISABLESPOOLSS" Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. - Be very careful about enabling this parameter.
workgroup it is in. Samba 2.2 also +> it is in. Samba 2.2 has limited capability to act as a domain controller for Windows NT 4 Domains. For more details on setting up this feature see the Samba-PDC-HOWTO included in the . Experimentation is the best policy :-)
Default: Default: none (i.e., all directories are OK to descend)
Example:
Default: Default: no enumports command
Example:
This parameter specifies a set of UNIX mode bit - permissions that will always be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created or having its @@ -8276,12 +8182,9 @@ NAME="FORCEDIRECTORYMODE" >
This parameter specifies a set of UNIX mode bit - permissions that will always be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this @@ -8351,12 +8254,9 @@ NAME="FORCEDIRECTORYSECURITYMODE" allows a user to modify all the user/group/world permissions on a directory without restrictions.
Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -8466,12 +8366,9 @@ CLASS="PARAMETER" >.
Default: Default: no forced group
Example:
Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -8585,12 +8479,9 @@ CLASS="PARAMETER" >
Default: Default: no forced user
Example:
Default: Default: specified at compile time, usually "nobody"
Example: .
Default: Default: no file are hidden
Example:
NOTE :A working NIS client is required on the system for this option to work.
Default: homedir map = <empty string>homedir map = <empty string>
Example:
You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The - EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:
for a way of testing your host access to see if it does what you expect.
Default: Default: none (i.e., all hosts permitted access)
Example: hosts allow - - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the list takes precedence.
Default: Default: none (i.e., no hosts specifically excluded)
Example: may be useful for NT clients which will not supply passwords to Samba.
NOTE : The use of option be only used if you really know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you really trust them :-).
Default: Default: no host equivalences
Example: .
Default: Default: no file included
Example: as usual.
Note that the setuid bit is Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).
.
Default: Default: all active interfaces except 127.0.0.1 that are broadcast capable
This is a list of users that should not be allowed - to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.
+&group+&group means check the UNIX group database, followed by the NIS netgroup database, and @@ -9707,12 +9556,9 @@ CLASS="PARAMETER" >. Default: Default: no invalid users Example: has oplocked. This allows complete data consistency between - SMB/CIFS, NFS and local file access (and is a very cool feature :-). Default : Default : none
Default : ldap filter = (&(uid=%u)(objectclass=sambaAccount))ldap filter = (&(uid=%u)(objectclass=sambaAccount))
This option is used to define whether or not Samba should use SSL when connecting to the ldap server - This is NOT related to Samba's previous SSL support which was enabled by specifying the ldap machine suffix. It also used as the base dn for all ldap searches.
Default : Default : none
It specifies where users are added to the tree. Default : Default : none
Default : Default : none
yes doesn't - mean that Samba will become the local master browser on a subnet, just that nmbd will will participate in elections for local master browser.Setting this value to nmbd - never to become a local master browser. Default: , real locking will be performed by the server. This option This option may be useful for read-only - filesystems which may not need locking (such as CDROM drives), although setting this parameter of smb.conf file. This parameter has been - extended since 2.2.x series, now it allow to specify the debug + extended since the 2.2.x series, now it allow to specify the debug level for multiple debug classes. This is to give greater flexibility in the configuration of the system. Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only - rename it to NTuser.man to - achieve the desired effect (a MANdatory profile). This option is only useful if Samba is set up as a logon server. Default: Default: no logon script defined Example: parameter. Default: Default: depends on the setting of printing Example: parameter. Default: Default: depends on the setting of Example 1: Default: magic output = <magic script name>.out +>magic output = <magic script name>.out Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker. Magic scripts must be executable - as is on the host, which for some hosts and some shells will require filtering at the DOS end. Magic scripts are Magic scripts are EXPERIMENTAL and - should NOT be relied upon. Default: Default: None. Magic scripts disabled. Example: off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;). Default: Default: no mangled map Example:
This controls what character is used as - the magic character in name manglinghate you if you set the modes other than share. This is because in these modes the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection @@ -12269,12 +12046,9 @@ CLASS="CONSTANT" >LANMAN1: First : First modern version of the protocol. Long filename support.
xedit, then - removes it afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why I have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover @@ -12549,7 +12320,7 @@ CLASS="PARAMETER" >message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %sIf you don't have a message command then the message @@ -12565,12 +12336,9 @@ CLASS="COMMAND" >message command = rm %s Default: Default: no message command Example: . Default: Default: empty string (no additional names) Example: . Default: Default: machine DNS name Example: Default: non unix account range = <empty string> +>non unix account range = <empty string> DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE. Default: oplock contention limit (S)
This is a This is a very advanced to behave in a similar way to Windows NT.
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.
Default: in the local broadcast area.
Note :By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This @@ -13539,8 +13289,8 @@ NAME="OS2DRIVERMAP" path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:
<nt driver name> = <os2 driver - name>.<device name>
<nt driver name> = <os2 driver + name>.<device name> For example, a valid entry using the HP LaserJet 5 printer driver would appear as Default: os2 driver map = <empty string> +>os2 driver map = <empty string>
Default: panic action = <empty string>panic action = <empty string>
Example:
This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. - Multiple backends can be specified, seperated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. + Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. Experimental backends must still be selected (eg --with-tdbsam) at configure time.
ldap://localhost) Note: In this module, any account - without a matching POSIX account is regarded - as 'non unix'. - Note: In this module, any account without a matching POSIX account is regarded + as 'non unix'. See also passwd chat (G)This string controls the This string controls the "chat" conversation that takes places between yes. This - sequence is then called AS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password @@ -14042,12 +13784,9 @@ NAME="PASSWDCHATDEBUG" >
This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the
Also note that many passwd programs insist in Also note that many passwd programs insist in reasonable passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.
Note that if the yes then this program is called then this program is called AS ROOT before the SMB password in the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHS - for ALL programs called, and must be examined for security implications. Note that by default
NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your - password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.
Never point a Samba server at itself for password @@ -14419,11 +14137,17 @@ CLASS="PARAMETER" Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C>WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.
If the list of servers contains both names and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.
If the
Default: password server = <empty string>password server = <empty string>
Example: password server = NT-PDC, NT-BDC1, NT-BDC2 +>password server = NT-PDC, NT-BDC1, NT-BDC2, *
if one was specified.
Default: Default: none
Example: .
Default: Default: none (no command executed)
Example: postexec = echo \"%u disconnected from %S - from %m (%I)\" >> /tmp/log
. Default: Default: none (no command executed) Example: preexec = echo \"%u connected to %S from %m - (%I)\" >> /tmp/log
option is easier. Default: Default: no preloaded services Example: %z - the size of the spooled print job (in bytes) The print command The print command MUST contain at least one occurrence of print command = echo Printing %s >> +>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s A minimal printcap file would look something like this: print1|My Printer 1 @@ -15215,18 +14930,18 @@ CLASS="PROGRAMLISTING" print4|My Printer 4 print5|My Printer 5 where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment. NOTE: Under AIX the default printcap name is Default: printer admin = <empty string>printer admin = <empty string> printer driver (S)
Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -15343,12 +15055,9 @@ NAME="PRINTERDRIVERFILE" >printer driver file (G)
Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -15401,12 +15110,9 @@ CLASS="PARAMETER" >.
Default: Default: None (set in compile).
Example: printer driver location (S)
Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -15496,16 +15199,13 @@ NAME="PRINTERNAME" name given will be used for any printable service that does not have its own printer name specified.
Default: Default: none (but may be lp on many systems)
Example:
Default: Default: depends on the setting of
Example:
Default: Default: depends on the setting of
Default: read list = <empty string>read list = <empty string>
Example: printable = yes) - will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.
Default: remote announce = <empty string> +>remote announce = <empty string>
Default: remote browse sync = <empty string> +>remote browse sync = <empty string>
restrict anonymous (G)This is a boolean parameter. If it is yes, then - anonymous access to the server will be restricted, namely in the - case where the server is expecting the client to send a username, - but it doesn't. Setting it to yes will force these anonymous - connections to be denied, and the client will be required to always - supply a username and password when connecting. Use of this parameter - is only recommended for homogeneous NT client environments. This parameter makes the use of macro expansions that rely - on the username (%U, %G, etc) consistent. NT 4.0 - likes to use anonymous connections when refreshing the share list, - and this is a way to work around that. When restrict anonymous is This is a integer parameter, and + mirrors as much as possible the functinality the + yes, all anonymous connections - are denied no matter what they are for. This can effect the ability - of a machine to access the Samba Primary Domain Controller to revalidate - its machine account after someone else has logged on the client - interactively. The NT client will display a message saying that - the machine's account in the domain doesn't exist or the password is - bad. The best way to deal with this is to reboot NT client machines - between interactive logons, using "Shutdown and Restart", rather - than "Close all programs and logon as a different user". RestrictAnonymous + registry key does on NT/Win2k. Default: restrict anonymous = norestrict anonymous = 0
root directory - option, including some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files @@ -16309,7 +15973,7 @@ CLASS="PARAMETER" >Default: root postexec = <empty string> +>root postexec = <empty string> Default: root preexec = <empty string> +>root preexec = <empty string> It is possible to use smbd in a in a hybrid mode where it is offers both user and share level security under different SECURITY = SHARE When clients connect to a share level security server they @@ -16531,12 +16189,9 @@ CLASS="COMMAND" >Note that smbd ALWAYS uses a valid UNIX user to act on behalf of the client, even in
If the client did a previous If the client did a previous logon request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username. , then this guest user will be used, otherwise access is denied. Note that it can be Note that it can be very confusing in share-level security as to which UNIX username will eventually be used in granting access. SECURITY = USER This is the default security setting in Samba 2.2. @@ -16724,19 +16370,13 @@ CLASS="PARAMETER" may change the UNIX user to use on this connection, but only after the user has been successfully authenticated. Note that the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing @@ -16768,13 +16408,10 @@ HREF="#AEN238" >SECURITY = SERVER In this mode Samba will try to validate the username/password @@ -16799,12 +16436,9 @@ CLASS="FILENAME" > for details on how to set this up. Note that from the client's point of view Note that the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing @@ -16880,13 +16508,10 @@ CLASS="PARAMETER" >SECURITY = DOMAIN This mode will only work correctly if Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to. Note that from the client's point of view . It only affects how the server deals with the authentication, it does not in any way affect what the client sees. Note that the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing @@ -16974,12 +16587,9 @@ CLASS="PARAMETER" parameter for details on doing this. BUG: There is currently a bug in the implementation of Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone @@ -17220,12 +16827,9 @@ CLASS="CONSTANT" >This option gives full share compatibility and enabled by default. You should You should NEVER turn this parameter off as many Windows applications will break if you do so.
parameter will always cause the OpenPrinterEx() on the server - to fail. Thus the APW icon will never be displayed. Note :This does not prevent the same user from having administrative privilege on an individual printer.
shutdown script (G)
This parameter only exists in the HEAD cvs branch This a full path name to a script called by %r will be substituted with the - switch -r. It means reboot after shutdown for NT.
%f will be substituted with the - switch -f. It means force the shutdown even if applications do not respond for NT.
Default: Default: None.
Example:
Shutdown script example: -
#!/bin/bash @@ -17451,6 +17046,9 @@ CLASS="PROGRAMLISTING" /sbin/shutdown $3 $4 +$time $1 &
Shutdown does not return so we need to launch it in background.
Those marked with a Those marked with a '*' take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you @@ -17687,12 +17282,9 @@ CLASS="COMMAND" >SAMBA_NETBIOS_NAME = myhostname
Default: Default: No default value
Examples:
This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. As of samba 3.0alpha it must be set to "no" for these clients to join a samba domain controller. It can be set to "yes" to allow samba to participate in an AD domain controlled by a Windows2000 domain controller.
Default: Default: use spnego = yes
passwd programparameter is called parameter is called AS ROOT - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no @@ -18350,14 +17936,11 @@ CLASS="COMMAND" >If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() - call to succeed. This parameter MUST not be able enabled on a print share which has valid print driver installed on the Samba server.
See also
NOTE: The use of Default: The guest account if a guest service, - else <empty string>.
Examples:
!sys = mary fred guest = *
Note that the remapping is applied to all occurrences @@ -18741,12 +18330,9 @@ CLASS="PARAMETER" trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job.
Default: Default: no username map
Example: /var/run/utmp on Linux).
Default: Default: no utmp directory
Example: /var/run/wtmp on Linux).
Default: Default: no wtmp directory
Example:
Default: Default: No valid users list (anyone can login)
Example:
Each entry must be a unix path, not a DOS path and - must not include the unix directory separator '/'.
fail unless you also set the .
Default: Default: No files or directories are vetoed.
Examples:
Examples:; Veto any files containing the word Security, ; any ending in .tmp, and any directory containing the @@ -19063,6 +18637,9 @@ veto files = /*Security*/*.tmp/*root*/ ; Veto the Apple specific files that a NetAtalk server ; creates. veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ parameter. Default: Default: No files are vetoed for oplock grants You might want to do this on files that you know will @@ -19153,18 +18727,14 @@ NAME="VFSOBJECT" >vfs object (S) This parameter specifies a shared object file that - is used for Samba VFS I/O operations. By default, normal +>This parameter specifies a shared object files that + are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded - with a VFS object. The Samba VFS layer is new to Samba 2.2 and - must be enabled at compile time with --with-vfs. Default : Default : no value This parameter allows parameters to be passed - to the vfs layer at initialization time. The Samba VFS layer - is new to Samba 2.2 and must be enabled at compile time - with --with-vfs. See also . Default : Default : no value Default: Default: the name of the share system call will not return any data. Warning: Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the @@ -19356,12 +18916,9 @@ CLASS="COMMAND" > system call will not return any data. Warning: Turning off group enumeration may cause some programs to behave oddly. Default: winbind gid = <empty string> +>winbind gid = <empty string> Default: winbind uid = <empty string> +>winbind uid = <empty string> Default: winbind use default domain = <no> +>winbind use default domain = <no> You should point this at your WINS server if you have a multi-subnetted network. NOTE. You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly. in the docs/ directory of your Samba source distribution. Default: Default: not enabled Example: nmbd to be your WINS server. - Note that you should NEVER set this to yes setting. Default: Default: set at compile time to WORKGROUP Example: If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file - (it does not do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. @@ -19800,7 +19342,7 @@ CLASS="PARAMETER" > Default: write list = <empty string> +>write list = <empty string> WARNINGS VERSION SEE ALSO AUTHOR + smbdsmbd smbd Synopsis smbd [-D] [-a] [-i] [-o] [-P] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number>] [-O <socket option>] [-s <configuration file>] [-D] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number>] [-O <socket option>] [-s <configuration file>] DESCRIPTION OPTIONS -a If this parameter is specified, each new - connection will append log messages to the log file. - This is the default. -i -o If this parameter is specified, the - log files will be overwritten when opened. By default, - smbd will append entries to the log - files. -P Passive option. Causes smbd not to - send any network traffic out. Used for debugging by - the developers only. -h . -v -V
Prints the version number for @@ -206,7 +172,7 @@ CLASS="COMMAND" Samba was built.
-d <debug level>
-d <debug level> file. -l <log directory> -l <log directory>If specified, @@ -273,12 +239,9 @@ TARGET="_top" CLASS="FILENAME" > smb.conf(5) file. file. Beware: If the directory specified does not exist, -O <socket options> -O <socket options>See the file for details. -p <port number> -p <port number> -s <configuration file> -s <configuration file>The file specified contains the @@ -366,7 +329,7 @@ CLASS="FILENAME" >FILESLIMITATIONSENVIRONMENT VARIABLESPAM INTERACTIONAccount Validation: All acccesses to a +>: All accesses to a samba server are checked against PAM to see if the account is vaild, not disabled and is permitted to login at this time. This also applies to encrypted logins. @@ -563,12 +523,9 @@ CLASS="EMPHASIS" >Session Management: When not using share level secuirty, users must pass PAM's session checks before access is granted. Note however, that this is bypassed in share level secuirty. @@ -581,18 +538,18 @@ CLASS="EMPHASIS" > VERSION This man page is correct for version 2.2 of +>This man page is correct for version 3.0 of the Samba suite.DIAGNOSTICSSIGNALS SIGKILL (-9) NOT be used, except as a last resort, as this may leave the shared memory area in an inconsistent state. The safe way to terminate @@ -684,7 +638,7 @@ CLASS="COMMAND" >SEE ALSOAUTHOR + smbpasswdsmbpasswd smbpasswd Synopsis smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [username] [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]DESCRIPTION suite.The smbpasswd program has several different - functions, depending on whether it is run by the root user or not. When run as a normal user it allows the user to change the password used for their SMB sessions on any machines that store @@ -75,12 +69,9 @@ CLASS="COMMAND" CLASS="COMMAND" >smbpasswd differs from how the passwd program works - however in that it is not setuid root but works in a client-server mode and communicates with a locally running smbpasswd can also be used by a normal user to change their SMB password on remote machines, such as Windows NT Primary Domain @@ -119,7 +110,7 @@ CLASS="COMMAND" > OPTIONS This option specifies that the username following should be added to the local smbpasswd file, with the - new password typed (type <Enter> for the old password). This + new password typed (type <Enter> for the old password). This option is ignored if the username following already exists in the smbpasswd file and it is treated like a regular change password command. Note that the default passdb backends require @@ -303,12 +294,9 @@ CLASS="PARAMETER" copy of the user account database and will not allow the password change). Note that Windows 95/98 do not have a real password database so it is not possible to change passwords specifying a Win95/98 machine as remote machine target. -i This option tells smbpasswd that the account + being changed is an interdomain trust account. Currently this is used + when Samba is being used as an NT Primary Domain Controller. + The account contains the info about another trusted domain. This option is only available when running smbpasswd as root. + -L Run in local mode. username This specifies the username for all of the - root only options to operate on. Only root can specify this parameter as only root has the permission needed to modify attributes directly in the local smbpasswd file. @@ -520,7 +523,7 @@ CLASS="EMPHASIS" > NOTES VERSION SEE ALSO AUTHOR + smbshsmbsh smbsh Synopsis smbsh [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logfile] [-L libdir] [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logfile] [-L libdir] This option allows the user to set the directory prefix for SMB access. The default value if this option is not specified is - smb. -R <name resolve order> -R <name resolve order>This option is used to determine what naming @@ -236,7 +230,7 @@ CLASS="FILENAME" order. -d <debug level> -d <debug level>debug level is an integer from 0 to 10. Any dynamically linked command you execute from @@ -354,7 +357,7 @@ CLASS="COMMAND" the workgroup MYGROUP. The command ls /smb/MYGROUP/<machine-name>ls /smb/MYGROUP/<machine-name> will show the share names for that machine. You could then, for example, use the VERSION This man page is correct for version 2.2 of +>This man page is correct for version 3.0 of the Samba suite.

+ testparmtestparm testparmSynopsis testparm [-s] [-h] [-v] [-L <servername>] {config filename} [hostname hostIP] [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]DESCRIPTION will successfully load the configuration file. Note that this is Note that this is NOT a guarantee that the services specified in the configuration file will be available or will operate as expected. OPTIONS -t encoding Output data in specified encoding. + configfilename FILES DIAGNOSTICS VERSION This man page is correct for version 2.2 of +>This man page is correct for version 3.0 of the Samba suite. SEE ALSO AUTHOR + vfstestvfstest vfstest Synopsis vfstest [-d debuglevel] [-c command] [-l logfile] [-h] [-d debuglevel] [-c command] [-l logfile] [-h] -c|--command=command Execute the specified (colon-seperated) commands. +>Execute the specified (colon-separated) commands. See below for the commands that are available. COMMANDS VFS COMMANDS load <module.so>load <module.so> - Load specified VFS module populate <char> <size>populate <char> <size> - Populate a data buffer with the specified data showdata [<offset> <len>]showdata [<offset> <len>] - Show data currently in data buffer GENERAL COMMANDS conf <smb.conf>conf <smb.conf> - Load a different configuration filehelp [<command>]help [<command>] - Get list of commands or info about specified commanddebuglevel <level>debuglevel <level> - Set debug level .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "PDBEDIT" "8" "05 November 2002" "" "" +.TH "PDBEDIT" "8" "26 November 2002" "" "" .SH NAME pdbedit \- manage the SAM database .SH SYNOPSIS diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index 9afba79ef4..a9cf133c8d 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 @@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMB.CONF" "5" "05 November 2002" "" "" +.TH "SMB.CONF" "5" "26 November 2002" "" "" .SH NAME smb.conf \- The configuration file for the Samba suite .SH "SYNOPSIS" @@ -1751,7 +1751,7 @@ Default: \fBavailable = yes\fR .TP \fBbind interfaces only (G)\fR This global parameter allows the Samba admin -to limit what interfaces on a machine will serve SMB requests. If +to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in slightly different ways. @@ -1770,7 +1770,7 @@ As unicast packets are received on the other sockets it allows \fBnmbd\fR to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the \fIinterfaces\fR list. IP Source address spoofing -does defeat this simple check, however so it must not be used +does defeat this simple check, however, so it must not be used seriously as a security feature for \fBnmbd\fR. For file service it causes smbd(8) @@ -2489,7 +2489,7 @@ Default: \fBdns proxy = yes\fR .TP \fBdomain logons (G)\fR If set to yes, the Samba server will serve -Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also +Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 has limited capability to act as a domain controller for Windows NT 4 Domains. For more details on setting up this feature see the Samba-PDC-HOWTO included in the \fIhtmldocs/\fR @@ -3633,7 +3633,7 @@ Example: \fBlog file = /usr/local/samba/var/log.%m The value of the parameter (a astring) allows the debug level (logging level) to be specified in the \fIsmb.conf\fR file. This parameter has been -extended since 2.2.x series, now it allow to specify the debug +extended since the 2.2.x series, now it allow to specify the debug level for multiple debug classes. This is to give greater flexibility in the configuration of the system. @@ -4862,7 +4862,7 @@ Default: \fBparanoid server security = yes\fR \fBpassdb backend (G)\fR This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. -Multiple backends can be specified, seperated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. +Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. Experimental backends must still be selected (eg --with-tdbsam) at configure time. @@ -4906,9 +4906,8 @@ backend. Takes an LDAP URL as an optional argument (defaults to backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to \fBldap://localhost\fR) -Note: In this module, any account -without a matching POSIX account is regarded -as 'non unix'. +Note: In this module, any account without a matching POSIX account is regarded +as 'non unix'. See also \fInon unix account range\fR @@ -5145,6 +5144,12 @@ doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source. +If the list of servers contains both names and the '*' +character, the list is treated as a list of preferred +domain controllers, but an auto lookup of all remaining DC's +will be added to the list as well. Samba will not attempt to optimize +this list by locating the closest DC. + If the \fIsecurity\fR parameter is set to server, then there are different restrictions that \fBsecurity = domain\fR doesn't @@ -5172,7 +5177,7 @@ See also the \fIsecurity Default: \fBpassword server = \fR -Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2 +Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2, * \fR Example: \fBpassword server = *\fR @@ -5819,30 +5824,12 @@ Default: \fBremote browse sync = \fR .TP \fBrestrict anonymous (G)\fR -This is a boolean parameter. If it is yes, then -anonymous access to the server will be restricted, namely in the -case where the server is expecting the client to send a username, -but it doesn't. Setting it to yes will force these anonymous -connections to be denied, and the client will be required to always -supply a username and password when connecting. Use of this parameter -is only recommended for homogeneous NT client environments. - -This parameter makes the use of macro expansions that rely -on the username (%U, %G, etc) consistent. NT 4.0 -likes to use anonymous connections when refreshing the share list, -and this is a way to work around that. - -When restrict anonymous is yes, all anonymous connections -are denied no matter what they are for. This can effect the ability -of a machine to access the Samba Primary Domain Controller to revalidate -its machine account after someone else has logged on the client -interactively. The NT client will display a message saying that -the machine's account in the domain doesn't exist or the password is -bad. The best way to deal with this is to reboot NT client machines -between interactive logons, using "Shutdown and Restart", rather -than "Close all programs and logon as a different user". - -Default: \fBrestrict anonymous = no\fR +This is a integer parameter, and +mirrors as much as possible the functinality the +RestrictAnonymous +registry key does on NT/Win2k. + +Default: \fBrestrict anonymous = 0\fR .TP \fBroot (G)\fR Synonym for \fIroot directory"\fR. @@ -7051,19 +7038,17 @@ Default: \fBvfs path = \fR Example: \fBvfs path = /usr/lib/samba/vfs\fR .TP \fBvfs object (S)\fR -This parameter specifies a shared object file that -is used for Samba VFS I/O operations. By default, normal +This parameter specifies a shared object files that +are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded -with a VFS object. The Samba VFS layer is new to Samba 2.2 and -must be enabled at compile time with --with-vfs. +with one or more VFS objects. Default : \fBno value\fR .TP \fBvfs options (S)\fR This parameter allows parameters to be passed -to the vfs layer at initialization time. The Samba VFS layer -is new to Samba 2.2 and must be enabled at compile time -with --with-vfs. See also \fI vfs object\fR. +to the vfs layer at initialization time. +See also \fI vfs object\fR. Default : \fBno value\fR .TP diff --git a/docs/manpages/smbd.8 b/docs/manpages/smbd.8 index 5d1f6bc46e..3e350f80e9 100644 --- a/docs/manpages/smbd.8 +++ b/docs/manpages/smbd.8 @@ -3,12 +3,12 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBD" "8" "05 November 2002" "" "" +.TH "SMBD" "8" "26 November 2002" "" "" .SH NAME smbd \- server to provide SMB/CIFS services to clients .SH SYNOPSIS -\fBsmbd\fR [ \fB-D\fR ] [ \fB-a\fR ] [ \fB-i\fR ] [ \fB-o\fR ] [ \fB-P\fR ] [ \fB-h\fR ] [ \fB-V\fR ] [ \fB-b\fR ] [ \fB-d \fR ] [ \fB-l \fR ] [ \fB-p \fR ] [ \fB-O \fR ] [ \fB-s \fR ] +\fBsmbd\fR [ \fB-D\fR ] [ \fB-i\fR ] [ \fB-h\fR ] [ \fB-V\fR ] [ \fB-b\fR ] [ \fB-d \fR ] [ \fB-l \fR ] [ \fB-p \fR ] [ \fB-O \fR ] [ \fB-s \fR ] .SH "DESCRIPTION" .PP @@ -60,11 +60,6 @@ servers that provide more than casual use file and print services. This switch is assumed if \fBsmbd \fR is executed on the command line of a shell. .TP -\fB-a\fR -If this parameter is specified, each new -connection will append log messages to the log file. -This is the default. -.TP \fB-i\fR If this parameter is specified it causes the server to run "interactively", not as a daemon, even if the @@ -72,22 +67,11 @@ server is executed on the command line of a shell. Setting this parameter negates the implicit deamon mode when run from the command line. .TP -\fB-o\fR -If this parameter is specified, the -log files will be overwritten when opened. By default, -\fBsmbd\fR will append entries to the log -files. -.TP -\fB-P\fR -Passive option. Causes \fBsmbd\fR not to -send any network traffic out. Used for debugging by -the developers only. -.TP \fB-h\fR Prints the help information (usage) for \fBsmbd\fR. .TP -\fB-v\fR +\fB-V\fR Prints the version number for \fBsmbd\fR. .TP @@ -231,7 +215,7 @@ obey pam restricions smb.conf paramater. When this is set, the following restrictions apply: .TP 0.2i \(bu -\fBAccount Validation\fR: All acccesses to a +\fBAccount Validation\fR: All accesses to a samba server are checked against PAM to see if the account is vaild, not disabled and is permitted to login at this time. This also applies to encrypted logins. @@ -244,7 +228,7 @@ Note also that some older pam configuration files may need a line added for session support. .SH "VERSION" .PP -This man page is correct for version 2.2 of +This man page is correct for version 3.0 of the Samba suite. .SH "DIAGNOSTICS" .PP diff --git a/docs/manpages/smbpasswd.8 b/docs/manpages/smbpasswd.8 index e0fe91afe1..ad933517be 100644 --- a/docs/manpages/smbpasswd.8 +++ b/docs/manpages/smbpasswd.8 @@ -3,12 +3,12 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBPASSWD" "8" "05 November 2002" "" "" +.TH "SMBPASSWD" "8" "26 November 2002" "" "" .SH NAME smbpasswd \- change a user's SMB password .SH SYNOPSIS -\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r \fR ] [ \fB-R \fR ] [ \fB-m\fR ] [ \fB-U username[%password]\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fB-w pass\fR ] [ \fBusername\fR ] +\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r \fR ] [ \fB-R \fR ] [ \fB-m\fR ] [ \fB-U username[%password]\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fB-w pass\fR ] [ \fB-i\fR ] [ \fB-L\fR ] [ \fBusername\fR ] .SH "DESCRIPTION" .PP @@ -240,6 +240,17 @@ of the admin's DN. This means that if the value of \fIldap admin dn\fR ever changes, the password will need to be manually updated as well. .TP +\fB-i\fR +This option tells smbpasswd that the account +being changed is an interdomain trust account. Currently this is used +when Samba is being used as an NT Primary Domain Controller. +The account contains the info about another trusted domain. + +This option is only available when running smbpasswd as root. +.TP +\fB-L\fR +Run in local mode. +.TP \fBusername\fR This specifies the username for all of the \fBroot only\fR options to operate on. Only root diff --git a/docs/manpages/smbsh.1 b/docs/manpages/smbsh.1 index 6aa70c470c..e9c1add9e9 100644 --- a/docs/manpages/smbsh.1 +++ b/docs/manpages/smbsh.1 @@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "SMBSH" "1" "05 November 2002" "" "" +.TH "SMBSH" "1" "26 November 2002" "" "" .SH NAME smbsh \- Allows access to Windows NT filesystem using UNIX commands .SH SYNOPSIS @@ -138,7 +138,7 @@ names for that machine. You could then, for example, use the \fB cd\fR command t edit files, and \fBrcp\fR to copy files. .SH "VERSION" .PP -This man page is correct for version 2.2 of +This man page is correct for version 3.0 of the Samba suite. .SH "BUGS" .PP diff --git a/docs/manpages/testparm.1 b/docs/manpages/testparm.1 index a519fd6930..555c28c46c 100644 --- a/docs/manpages/testparm.1 +++ b/docs/manpages/testparm.1 @@ -3,12 +3,12 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "TESTPARM" "1" "05 November 2002" "" "" +.TH "TESTPARM" "1" "26 November 2002" "" "" .SH NAME testparm \- check an smb.conf configuration file for internal correctness .SH SYNOPSIS -\fBtestparm\fR [ \fB-s\fR ] [ \fB-h\fR ] [ \fB-v\fR ] [ \fB-L \fR ] \fBconfig filename\fR [ \fBhostname hostIP\fR ] +\fBtestparm\fR [ \fB-s\fR ] [ \fB-h\fR ] [ \fB-v\fR ] [ \fB-L \fR ] [ \fB-t \fR ] \fBconfig filename\fR [ \fBhostname hostIP\fR ] .SH "DESCRIPTION" .PP @@ -53,6 +53,9 @@ will also output all options that were not used in \fIsmb.conf\fR and are thus set to their defaults. .TP +\fB-t encoding\fR +Output data in specified encoding. +.TP \fBconfigfilename\fR This is the name of the configuration file to check. If this parameter is not present then the @@ -86,7 +89,7 @@ loaded OK, the program then dumps all known service details to stdout. .SH "VERSION" .PP -This man page is correct for version 2.2 of +This man page is correct for version 3.0 of the Samba suite. .SH "SEE ALSO" .PP diff --git a/docs/manpages/vfstest.1 b/docs/manpages/vfstest.1 index c4958e3dd4..ced1038112 100644 --- a/docs/manpages/vfstest.1 +++ b/docs/manpages/vfstest.1 @@ -3,7 +3,7 @@ .\" .\" Please send any bug reports, improvements, comments, patches, .\" etc. to Steve Cheng . -.TH "VFSTEST" "1" "05 November 2002" "" "" +.TH "VFSTEST" "1" "26 November 2002" "" "" .SH NAME vfstest \- tool for testing samba VFS modules .SH SYNOPSIS @@ -21,7 +21,7 @@ supports cascaded VFS modules. .SH "OPTIONS" .TP \fB-c|--command=command\fR -Execute the specified (colon-seperated) commands. +Execute the specified (colon-separated) commands. See below for the commands that are available. .TP \fB-d|--debug=debuglevel\fR -- cgit