From 30129251f26a4b2b59817eb984cc76251e89691d Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 12 May 2000 13:05:24 +0000 Subject: Added mention of the CUPS option for the printing parameter -jerry (This used to be commit 3fed01f9c311bb81ce3013453a5dc9630201ccf1) --- docs/htmldocs/smb.conf.5.html | 1623 ++++++++++++++++++++++------------------- docs/manpages/smb.conf.5 | 408 ++++++++--- docs/yodldocs/smb.conf.5.yo | 8 +- 3 files changed, 1216 insertions(+), 823 deletions(-) (limited to 'docs') diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index 521c70d653..adda876afd 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -5,7 +5,7 @@ smb.conf (5) - + @@ -59,12 +59,12 @@ numeric.

SECTION DESCRIPTIONS


Each section in the configuration file (except for the -[global] section) describes a shared resource (known +[global] section) describes a shared resource (known as a "share"). The section name is the name of the shared resource and the parameters within the section define the shares attributes. -


There are three special sections, [global], -[homes] and [printers], which are -described under 'special sections'. The +


There are three special sections, [global], +[homes] and [printers], which are +described under 'special sections'. The following notes apply to ordinary section descriptions.


A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of @@ -72,14 +72,14 @@ the service. Some housekeeping options are also specifiable.


Sections are either filespace services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server). -


Sections may be designated guest services, in which +


Sections may be designated guest services, in which case no password is required to access them. A specified UNIX -guest account is used to define access +guest account is used to define access privileges in this case.


Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list of usernames to -check against the password using the "user=" option in +check against the password using the "user=" option in the share definition. For modern clients such as Windows 95/98 and Windows NT, this should not be necessary.


Note that the access rights granted by the server are masked by the @@ -102,13 +102,13 @@ the share name "foo":


The following sample section defines a printable share. The share is readonly, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The -'guest ok' parameter means access will be permitted +'guest ok' parameter means access will be permitted as the default guest user (specified elsewhere):


 
  	[aprinter]
  		path = /usr/spool/public
- 		read only = true
+ 		writeable = false
  		printable = true
  		guest ok = true
 
@@ -122,7 +122,7 @@ as the default guest user (specified elsewhere):
 
  • The [global] section


    Parameters in this section apply to the server as a whole, or are defaults for sections which do not specifically define certain -items. See the notes under 'PARAMETERS' for more +items. See the notes under 'PARAMETERS' for more information.


  • The [homes] section @@ -141,8 +141,8 @@ username


  • If no path was given, the path is set to the user's home directory.


    -


    If you decide to use a path= line in your [homes] -section then you may find it useful to use the %S +


    If you decide to use a path= line in your [homes] +section then you may find it useful to use the %S macro. For example :


    path=/data/pchome/%S


    would be useful if you have different home directories for your PCs @@ -166,26 +166,26 @@ following is a typical and suitable [homes] section:


    An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is -actually desirable, it would be wise to also specify read only +actually desirable, it would be wise to also specify read only access. -


    Note that the browseable flag for auto home +


    Note that the browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable=no in the [homes] section will hide the [homes] share but make any auto home directories visible.


  • The [printers] section -


    This section works like [homes], but for printers. -


    If a [printers] section occurs in the configuration file, users are +


    This section works like [homes], but for printers. +


    If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.


    When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a -[homes] section exists, it is used as described +[homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is -found, a new printer share is created by cloning the [printers] +found, a new printer share is created by cloning the [printers] section.


    A few modifications are then made to the newly created share:


      @@ -195,16 +195,15 @@ located printer name


    • If the share does not permit guest access and no username was given, the username is set to the located printer name.


    -


    Note that the [printers] service MUST be printable - if you specify +


    Note that the [printers] service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file.


    Typically the path specified would be that of a world-writeable spool -directory with the sticky bit set on it. A typical [printers] entry +directory with the sticky bit set on it. A typical [printers] entry would look like this:


     
      	[printers]
      		path = /usr/spool/public
    - 		writeable = no
      		guest ok = yes
      		printable = yes 
     
    @@ -220,7 +219,7 @@ this:
     


    Each alias should be an acceptable printer name for your printing -subsystem. In the [global] section, specify the new +subsystem. In the [global] section, specify the new file as your printcap. The server will then only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit @@ -230,26 +229,26 @@ of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols ("|").


    NOTE: On SYSV systems which use lpstat to determine what printers are -defined on the system you may be able to use "printcap name = +defined on the system you may be able to use "printcap name = lpstat" to automatically obtain a list of -printers. See the "printcap name" option for +printers. See the "printcap name" option for more details.



    PARAMETERS


    Parameters define the specific attributes of sections. -


    Some parameters are specific to the [global] section -(e.g., security). Some parameters are usable in -all sections (e.g., create mode). All others are +


    Some parameters are specific to the [global] section +(e.g., security). Some parameters are usable in +all sections (e.g., create mode). All others are permissible only in normal sections. For the purposes of the following -descriptions the [homes] and -[printers] sections will be considered normal. +descriptions the [homes] and +[printers] sections will be considered normal. The letter 'G' in parentheses indicates that a parameter is -specific to the [global] section. The letter 'S' +specific to the [global] section. The letter 'S' indicates that a parameter can be specified in a service specific section. Note that all 'S' parameters can also be specified in the -[global] section - in which case they will define +[global] section - in which case they will define the default behavior for all services.


    Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there @@ -259,7 +258,7 @@ preferred synonym.

    VARIABLE SUBSTITUTIONS


    Many of the strings that are settable in the config file can take -substitutions. For example the option "path = +substitutions. For example the option "path = /tmp/%u" would be interpreted as "path = /tmp/john" if the user connected with the username john.


    These substitutions are mostly noted in the descriptions below, but @@ -273,14 +272,14 @@ be relevant. These are:


  • %u = user name of the current service, if any.


    -

  • %g = primary group name of %u. +
  • %g = primary group name of %u.


  • %U = session user name (the user name that the client wanted, not necessarily the same as the one they got).


    -

  • %G = primary group name of %U. +
  • %G = primary group name of %U.


    -

  • %H = the home directory of the user given by %u. +
  • %H = the home directory of the user given by %u.


  • %v = the Samba version.


    @@ -297,7 +296,7 @@ personality".

  • %N = the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option then this value will be the same -as %L. +as %L.


  • %p = the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as "%N:%p". @@ -311,7 +310,7 @@ negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If it gets it wrong -then sending a level 3 log to samba-bugs@samba.org +then sending a level 3 log to samba@samba.org should allow it to be fixed.


  • %I = The IP address of the client machine. @@ -351,7 +350,7 @@ case. Default Yes.


    "short preserve case = yes/no" controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the "default" -case. This option can be use with "preserve case = +case. This option can be use with "preserve case = yes" to permit long filenames to retain their case, while short names are lowered. Default Yes.


    By default, Samba 2.0 has the same semantics as a Windows NT @@ -364,7 +363,7 @@ service. The server follows the following steps in determining if it will allow a connection to a specified service. If all the steps fail then the connection request is rejected. If one of the steps pass then the following steps are not checked. -


    If the service is marked "guest only = yes" then +


    If the service is marked "guest only = yes" then steps 1 to 5 are skipped.



    1. Step 1: If the client has passed a username/password pair and @@ -381,17 +380,17 @@ the connection is allowed as the corresponding user.


    2. Step 4: If the client has previously validated a username/password pair with the server and the client has passed the validation token then that username is used. This step is skipped if -"revalidate = yes" for this service. -


    3. Step 5: If a "user = " field is given in the +"revalidate = yes" for this service. +


    4. Step 5: If a "user = " field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password -checking) with one of the usernames from the user= +checking) with one of the usernames from the user= field then the connection is made as the username in the -"user=" line. If one of the username in the -user= list begins with a '@' then that name +"user=" line. If one of the username in the +user= list begins with a '@' then that name expands to a list of names in the group of the same name.


    5. Step 6: If the service is a guest service then a connection is -made as the username given in the "guest account +made as the username given in the "guest account =" for the service, irrespective of the supplied password.


    @@ -401,154 +400,162 @@ password.


    Here is a list of all global parameters. See the section of each parameter for details. Note that some are synonyms.



    COMPLETE LIST OF SERVICE PARAMETERS

    @@ -556,116 +563,119 @@ parameter for details. Note that some are synonyms.


    Here is a list of all service parameters. See the section of each parameter for details. Note that some are synonyms.



    EXPLANATION OF EACH PARAMETER

    @@ -684,14 +694,14 @@ onerous task. This option allows smbd the required UNIX users ON DEMAND when a user accesses the Samba server.


    In order to use this option, smbd must be set to -security=server or -security=domain and "add user script" +security=server or +security=domain and "add user script" must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.


    When the Windows user attempts to access the Samba server, at "login"(session setup in the SMB protocol) time, -smbd contacts the password +smbd contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX @@ -703,9 +713,9 @@ to be the user name to create. smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts. -


    See also security=server, -security=domain, password -server, delete user +


    See also
    security=server, +security=domain, password +server, delete user script.


    Default: add user script = <empty string> @@ -725,10 +735,10 @@ file permissions. admin users = jason


  • allow hosts (S) -


    Synonym for hosts allow. +


    Synonym for hosts allow.


  • allow trusted domains (G) -


    This option only takes effect when the security +


    This option only takes effect when the security option is set to server or domain. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain @@ -781,7 +791,7 @@ to be a downlevel server. the browse lists. This is most useful for homes and printers services that would otherwise not be visible.


    Note that if you just want all printers in your printcap file loaded -then the "load printers" option is easier. +then the "load printers" option is easier.


    Default: no auto services


    Example: @@ -803,7 +813,7 @@ on a machine will serve smb requests. If affects file service in slightly different ways.


    For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the -'interfaces' +'interfaces' parameter. nmbd also binds to the 'all addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then @@ -812,22 +822,22 @@ sockets. If "bind interfaces only" is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the -'interfaces' parameter list. As unicast packets +'interfaces' parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the -"interfaces" list. IP Source address spoofing +"interfaces" list. IP Source address spoofing does defeat this simple check, however so it must not be used seriously as a security feature for nmbd.


    For file service it causes smbd to bind only to -the interface list given in the 'interfaces' +the interface list given in the 'interfaces' parameter. This restricts the networks that smbd will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.


    If "bind interfaces only" is set then unless the network address -127.0.0.1 is added to the 'interfaces' parameter +127.0.0.1 is added to the 'interfaces' parameter list smbpasswd and swat may not work as expected due to the reasons covered below. @@ -835,7 +845,7 @@ reasons covered below. by default connects to the "localhost" - 127.0.0.1 address as an SMB client to issue the password change request. If "bind interfaces only" is set then unless the network address 127.0.0.1 is added to the -'interfaces' parameter list then +'interfaces' parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its @@ -872,7 +882,7 @@ request immediately if the lock range cannot be obtained. blocking locks = False


  • browsable (S) -


    Synonym for browseable. +


    Synonym for browseable.


  • browse list(G)


    This controls whether smbd will serve a browse @@ -889,11 +899,11 @@ shares in a net view and in the browse list.


    Example: browseable = No


    -

  • case sensitive (G) -


    See the discussion in the section NAME MANGLING. +

  • case sensitive (S) +


    See the discussion in the section NAME MANGLING.


    -

  • casesignames (G) -


    Synonym for "case sensitive". +

  • casesignames (S) +


    Synonym for "case sensitive".


  • change notify timeout (G)


    One of the new NT SMB requests that Samba 2.0 supports is the @@ -912,38 +922,38 @@ requested directory once every change notify timeout seconds.


  • character set (G)


    This allows a smbd to map incoming filenames from a DOS Code page (see -the client code page parameter) to several +the client code page parameter) to several built in UNIX character sets. The built in code page translations are:



    • ISO8859-1 Western European UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 850 if the character set parameter is set to iso8859-1 in order for the conversion to the UNIX character set to be done correctly.


    • ISO8859-2 Eastern European UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 852 if the character set parameter is set to ISO8859-2 in order for the conversion to the UNIX character set to be done correctly.


    • ISO8859-5 Russian Cyrillic UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 866 if the character set parameter is set to ISO8859-5 in order for the conversion to the UNIX character set to be done correctly.


    • ISO8859-7 Greek UNIX character set. The parameter -client code page MUST be set to code +client code page MUST be set to code page 737 if the character set parameter is set to ISO8859-7 in order for the conversion to the UNIX character set to be done correctly.


    • KOI8-R Alternate mapping for Russian Cyrillic UNIX -character set. The parameter client code +character set. The parameter client code page MUST be set to code page 866 if the character set parameter is set to KOI8-R in order for the conversion to the UNIX character set to be done correctly.



    BUG. These MSDOS code page to UNIX character set mappings should be dynamic, like the loading of MS DOS code pages, not static. -


    See also client code page. Normally this +


    See also client code page. Normally this parameter is not set, meaning no filename translation is done.


    Default: character set = <empty string> @@ -982,16 +992,16 @@ read the comments in one of the other codepage files and the make_smbcodepage (1) man page and write one. Please remember to donate it back to the Samba user community. -


    This parameter co-operates with the "valid +


    This parameter co-operates with the
    "valid chars" parameter in determining what characters are valid in filenames and how capitalization is done. If you set both -this parameter and the "valid chars" parameter +this parameter and the "valid chars" parameter the "client code page" parameter MUST be set before the -"valid chars" parameter in the smb.conf -file. The "valid chars" string will then augment +"valid chars" parameter in the smb.conf +file. The "valid chars" string will then augment the character settings in the "client code page" parameter.


    If not set, "client code page" defaults to 850. -


    See also : "valid chars" +


    See also : "valid chars"


    Default: client code page = 850


    Example: @@ -999,9 +1009,9 @@ the character settings in the "client code page" parameter.


  • codingsystem (G)


    This parameter is used to determine how incoming Shift-JIS Japanese -characters are mapped from the incoming "client code +characters are mapped from the incoming "client code page" used by the client, into file names in the -UNIX filesystem. Only useful if "client code +UNIX filesystem. Only useful if "client code page" is set to 932 (Japanese Shift-JIS).


    The options are :


      @@ -1060,7 +1070,7 @@ in the configuration file than the service doing the copying. copy = otherservice


    • create mask (S) -


      A synonym for this parameter is 'create mode'. +


      A synonym for this parameter is 'create mode'.


      When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. @@ -1073,18 +1083,19 @@ write and execute bits from the UNIX modes. this parameter with the value of the "force create mode" parameter which is set to 000 by default.


      This parameter does not affect directory modes. See the parameter -'directory mode' for details. -


      See also the "force create mode" parameter +'directory mode' for details. +


      See also the "force create mode" parameter for forcing particular mode bits to be set on created files. See also -the "directory mode" parameter for masking +the "directory mode" parameter for masking mode bits on created directories. +See also the "inherit permissions" parameter.


      Default: create mask = 0744


      Example: create mask = 0775


    • create mode (S) -


      This is a synonym for create mask. +


      This is a synonym for create mask.


    • deadtime (G)


      The value of the parameter (a decimal integer) represents the number @@ -1108,7 +1119,7 @@ performed.


      Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on. -


      Note that the parameter debug timestamp +


      Note that the parameter debug timestamp must be on for this to have an effect.


      Default: debug hires timestamp = No @@ -1117,8 +1128,8 @@ must be on for this to have an effect.


    • debug timestamp (G)


      Samba2.0 debug log messages are timestamped by default. If you are -running at a high "debug level" these timestamps -can be distracting. This boolean parameter allows them to be turned +running at a high "debug level" these timestamps +can be distracting. This boolean parameter allows timestamping to be turned off.


      Default: debug timestamp = Yes @@ -1130,7 +1141,7 @@ off. there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on. -


      Note that the parameter debug timestamp +


      Note that the parameter debug timestamp must be on for this to have an effect.


      Default: debug pid = No @@ -1141,7 +1152,7 @@ must be on for this to have an effect.


      Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. -


      Note that the parameter debug timestamp +


      Note that the parameter debug timestamp must be on for this to have an effect.


      Default: debug uid = No @@ -1158,11 +1169,11 @@ or level zero if none was specified. debug level = 3


    • default (G) -


      A synonym for default service. +


      A synonym for default service.


    • default case (S) -


      See the section on "NAME MANGLING". Also note -the "short preserve case" parameter. +


      See the section on "NAME MANGLING". Also note +the "short preserve case" parameter.


    • default service (G)


      This parameter specifies the name of a service which will be connected @@ -1172,11 +1183,11 @@ below).


      There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error. -


      Typically the default service would be a guest ok, -read-only service. +


      Typically the default service would be a guest ok, +read-only service.


      Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use -macros like %S to make a wildcard service. +macros like %S to make a wildcard service.


      Note also that any '_' characters in the name of the service used in the default service will get mapped to a '/'. This allows for interesting things. @@ -1203,21 +1214,21 @@ onerous task. This option allows smbd the required UNIX users ON DEMAND when a user accesses the Samba server and the Windows NT user no longer exists.


      In order to use this option, smbd must be set to -security=domain and "delete user +security=domain and "delete user script" must be set to a full pathname for a script that will delete a UNIX user given one argument of %u, which expands into the UNIX user name to delete. NOTE that this is different to the -add user script which will work with the -security=server option as well as -security=domain. The reason for this +add user script which will work with the +security=server option as well as +security=domain. The reason for this is only when Samba is a domain member does it get the information on an attempted user logon that a user no longer exists. In the -security=server mode a missing user +security=server mode a missing user is treated the same as an invalid password logon attempt. Deleting the user in this circumstance would not be a good idea.


      When the Windows user attempts to access the Samba server, at "login"(session setup in the SMB protocol) time, -smbd contacts the password +smbd contacts the password server and attempts to authenticate the given user with the given password. If the authentication fails with the specific Domain error code meaning that the user no longer exists then @@ -1228,8 +1239,8 @@ call the specified script AS ROOT, expanding any %u ar to be the user name to delete.


      This script should delete the given UNIX username. In this way, UNIX users are dynamically deleted to match existing Windows NT accounts. -


      See also security=domain, -password server, add user +


      See also
      security=domain, +password server, add user script.


      Default: delete user script = <empty string> @@ -1249,7 +1260,7 @@ semantics prevent deletion of a read only file.


    • delete veto files (S)


      This option is used when Samba is attempting to delete a directory -that contains one or more vetoed directories (see the 'veto +that contains one or more vetoed directories (see the 'veto files' option). If this option is set to False (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what @@ -1262,14 +1273,14 @@ DOS/Windows users from seeing (e.g. .AppleDouble)


      Setting 'delete veto files = True' allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so). -


      See also the veto files parameter. +


      See also the veto files parameter.


      Default: delete veto files = False


      Example: delete veto files = True


    • deny hosts (S) -


      Synonym for hosts deny. +


      Synonym for hosts deny.


    • dfree command (G)


      The dfree command setting should only be used on systems where a @@ -1315,7 +1326,7 @@ and remaining space will be used.
      path names on some systems.


    • directory (S) -


      Synonym for path. +


      Synonym for path.


    • directory mask (S)


      This parameter is the octal modes which are used when converting DOS @@ -1333,18 +1344,19 @@ directory to modify it. this parameter with the value of the "force directory mode" parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added). -


      See the "force directory mode" parameter +


      See the "force directory mode" parameter to cause particular mode bits to always be set on created directories. -


      See also the "create mode" parameter for masking -mode bits on created files, and the "directory security mask" +


      See also the "create mode" parameter for masking +mode bits on created files, and the "directory security mask" parameter. +


      See also the "inherit permissions" parameter.


      Default: directory mask = 0755


      Example: directory mask = 0775


    • directory mode (S) -


      Synonym for directory mask. +


      Synonym for directory mask.


    • directory security mask (S)


      This parameter controls what UNIX permission bits can be modified @@ -1355,16 +1367,16 @@ permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.


      If not set explicitly this parameter is set to the same value as the -directory mask parameter. To allow a user to +directory mask parameter. To allow a user to modify all the user/group/world permissions on a directory, set this parameter to 0777.


      Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0777. -


      See also the force directory security -mode, security -mask, force security mode +


      See also the force directory security +mode, security +mask, force security mode parameters.


      Default: directory security mask = <same as directory mask> @@ -1382,7 +1394,7 @@ the DNS name (or DNS alias) can likewise only be 15 characters, maximum.


      nmbd spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action. -


      See also the parameter wins support. +


      See also the parameter wins support.


      Default: dns proxy = yes


      @@ -1401,11 +1413,6 @@ To work with the latest code builds that may have more support for Samba NT Domain Controller functionality please subscribe to the mailing list Samba-ntdom available by sending email to listproc@samba.org -


      -

    • domain controller (G) -


      This is a DEPRECATED parameter. It is currently not used within -the Samba source and should be removed from all current smb.conf -files. It is left behind for compatibility reasons.


    • domain groups (G)


      This is an EXPERIMENTAL parameter that is part of the unfinished @@ -1433,7 +1440,7 @@ mailing list Samba-ntdom available by sending email to


    • domain logons (G)


      If set to true, the Samba server will serve Windows 95/98 Domain -logons for the workgroup it is in. For more +logons for the workgroup it is in. For more details on setting up this feature see the file DOMAINS.txt in the Samba documentation directory docs/ shipped with the source code.


      Note that Win95/98 Domain logons are NOT the same as Windows @@ -1449,20 +1456,20 @@ also. collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given -workgroup. Local master browsers in the same -workgroup on broadcast-isolated subnets will give +workgroup. Local master browsers in the same +workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.


      Note that Windows NT Primary Domain Controllers expect to be able to -claim this workgroup specific special NetBIOS +claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that -workgroup by default (i.e. there is no way to +workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the -special name for a workgroup before a Windows NT +special name for a workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.


      Default: @@ -1528,13 +1535,13 @@ shipped with the source code. smbpasswd (5) file (see the smbpasswd (8) program for information on how to set up and maintain this file), or set the -security= parameter to either -"server" or -"domain" which causes +security= parameter to either +"server" or +"domain" which causes smbd to authenticate against another server.


    • exec (S) -


      This is a synonym for preexec. +


      This is a synonym for preexec.


    • fake directory create times (S)


      NTFS and Windows VFAT file systems keep a create time for all files @@ -1573,7 +1580,7 @@ operations. This can give enormous performance benefits.


      When you set "fake oplocks = yes" smbd will always grant oplock requests no matter how many clients are using the file. -


      It is generally much better to use the real oplocks +


      It is generally much better to use the real oplocks support rather than this parameter.


      If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as @@ -1596,13 +1603,15 @@ symbolic links) by default.


    • force create mode (S)


      This parameter specifies a set of UNIX mode bit permissions that will -*always* be set on a file created by Samba. This is done by -bitwise 'OR'ing these bits onto the mode bits of a file that is being -created. The default for this parameter is (in octal) 000. The modes -in this parameter are bitwise 'OR'ed onto the file mode after the mask -set in the "create mask" parameter is applied. -


      See also the parameter "create mask" for details -on masking mode bits on created files. +*always* be set on a file by Samba. This is done by bitwise +'OR'ing these bits onto the mode bits of a file that is being created +or having its permissions changed. The default for this parameter is +(in octal) 000. The modes in this parameter are bitwise 'OR'ed onto +the file mode after the mask set in the "create +mask" parameter is applied. +


      See also the parameter "create mask" for details +on masking mode bits on files. +


      See also the "inherit permissions" parameter.


      Default: force create mode = 000


      Example: @@ -1618,9 +1627,10 @@ bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. This operation is done after the mode mask in the parameter -"directory mask" is applied. -


      See also the parameter "directory mask" for +"directory mask" is applied. +


      See also the parameter "directory mask" for details on masking mode bits on created directories. +


      See also the "inherit permissions" parameter.


      Default: force directory mode = 000


      Example: @@ -1639,15 +1649,15 @@ have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a directory, the user has always set to be 'on'.


      If not set explicitly this parameter is set to the same value as the -force directory mode parameter. To allow +force directory mode parameter. To allow a user to modify all the user/group/world permissions on a directory, with restrictions set this parameter to 000.


      Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0000. -


      See also the directory security mask, -security mask, force security +


      See also the
      directory security mask, +security mask, force security mode parameters.


      Default: force directory security mode = <same as force directory mode> @@ -1673,10 +1683,10 @@ assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group. -


      If the "force user" parameter is also set the +


      If the "force user" parameter is also set the group specified in force group will override the primary group -set in "force user". -


      See also "force user" +set in "force user". +


      See also "force user"


      Default: no forced group


      Example: @@ -1692,16 +1702,16 @@ have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.


      If not set explicitly this parameter is set to the same value as the -force create mode parameter. To allow +force create mode parameter. To allow a user to modify all the user/group/world permissions on a file, with no restrictions set this parameter to 000.


      Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0000. -


      See also the force directory security -mode, directory security -mask, security mask +


      See also the force directory security +mode, directory security +mask, security mask parameters.


      Default: force security mode = <same as force create mode> @@ -1722,7 +1732,7 @@ password. Once connected, all file operations will be performed as the group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug). -


      See also "force group" +


      See also "force group"


      Default: no forced user


      Example: @@ -1744,18 +1754,18 @@ Windows NT but this can be changed to other strings such as "Samba" or


      This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the -widelinks parameter is set to False. +widelinks parameter is set to False.


      Default: getwd cache = No


      Example: getwd cache = Yes


    • group (S) -


      Synonym for "force group". +


      Synonym for "force group".


    • guest account (S)


      This is a username which will be used for access to services which are -specified as 'guest ok' (see below). Whatever +specified as 'guest ok' (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not have a valid login. The user account "ftp" is @@ -1774,8 +1784,8 @@ command) and trying to print using the system print command such as

    • guest ok (S)


      If this parameter is 'yes' for a service, then no password is required to connect to the service. Privileges will be those of the -guest account. -


      See the section below on security for more +guest account. +


      See the section below on security for more information about this option.


      Default: guest ok = no @@ -1785,9 +1795,9 @@ information about this option.

    • guest only (S)


      If this parameter is 'yes' for a service, then only guest connections to the service are permitted. This parameter will have no -affect if "guest ok" or "public" +affect if "guest ok" or "public" is not set for the service. -


      See the section below on security for more +


      See the section below on security for more information about this option.


      Default: guest only = no @@ -1815,8 +1825,8 @@ Unix directory separator '/'.


      Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned. -


      See also "hide dot files", "veto -files" and "case sensitive". +


      See also "hide dot files", "veto +files" and "case sensitive".


      Default

       
      @@ -1832,8 +1842,8 @@ files" and "case se
       internal use, and also still hides all files beginning with a dot.
       


    • homedir map (G) -


      If "nis homedir" is true, and -smbd is also acting as a Win95/98 logon +


      If
      "nis homedir" is true, and +smbd is also acting as a Win95/98 logon server then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is @@ -1843,7 +1853,7 @@ understood. The form of the map is: ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.


      NB: A working NIS is required on the system for this option to work. -


      See also "nis homedir", domain +


      See also
      "nis homedir", domain logons.


      Default: homedir map = auto.home @@ -1851,10 +1861,10 @@ logons
      . homedir map = amd.homedir


    • hosts allow (S) -


      A synonym for this parameter is 'allow hosts' +


      A synonym for this parameter is 'allow hosts'


      This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service. -


      If specified in the [global] section then it will +


      If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.


      You can specify the hosts by name or IP number. For example, you could @@ -1888,10 +1898,10 @@ host access to see if it does what you expect. allow hosts = 150.203.5. myhost.mynet.edu.au


    • hosts deny (S) -


      The opposite of 'hosts allow' - hosts listed +


      The opposite of 'hosts allow' - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists -conflict, the 'allow' list takes precedence. +conflict, the 'allow' list takes precedence.


      Default: none (i.e., no hosts specifically excluded)


      Example: @@ -1901,7 +1911,7 @@ conflict, the 'allow'


      If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password. -


      This is not be confused with hosts allow which +


      This is not be confused with hosts allow which is about hosts access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to samba. @@ -1919,8 +1929,35 @@ kids. And only if you really trust them :-).

    • include (G)


      This allows you to include one config file inside another. The file is included literally, as though typed in place. -


      It takes the standard substitutions, except %u, -%P and %S. +


      It takes the standard substitutions, except %u, +%P and %S. +


      +

    • inherit permissions (S) +


      The permissions on new files and directories are normally governed by +"create mask", +"directory mask", +"force create mode" and +"force directory mode" +but the boolean inherit permissions parameter overrides this. +


      New directories inherit the mode of the parent directory, +including bits such as setgid. +


      New files inherit their read/write bits from the parent directory. +Their execute bits continue to be determined by +"map archive", +"map hidden" and +"map system" as usual. +


      Note that the setuid bit is *never* set via inheritance +(the code explicitly prohibits this). +


      This can be particularly useful on large systems with many users, +perhaps several thousand, +to allow a single [homes] share to be used flexibly by each user. +


      See also "create mask", "directory mask", +"force create mode" and +"force directory mode". +


      Default + inherit permissions = no +


      Example + inherit permissions = yes


    • interfaces (G)


      This option allows you to override the default network interfaces list @@ -1934,10 +1971,10 @@ any of the following forms:

    • a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth" -if() a IP address. In this case the netmask is determined +
    • an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel -if() a IP/mask pair. -if() a broadcast/mask pair. +
    • an IP/mask pair. +
    • a broadcast/mask pair.


    The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decmal form. @@ -1949,7 +1986,7 @@ hostname resolution mechanisms.


    would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0. -


    See also "bind interfaces only". +


    See also "bind interfaces only".


  • invalid users (S)


    This is a list of users that should not be allowed to login to this @@ -1968,9 +2005,9 @@ netgroup database, and the value "&+group" means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).


    The current servicename is substituted for -%S. This is useful in the [homes] +%S. This is useful in the [homes] section. -


    See also "valid users". +


    See also "valid users".


    Default: No invalid users


    Example: @@ -1982,7 +2019,7 @@ seconds between 'keepalive' packets. If this parameter is zero, keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.


    Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see "socket +has the SO_KEEPALIVE attribute set on it (see "socket options"). Basically you should only use this option if you strike difficulties.


    Default: @@ -1991,10 +2028,10 @@ if you strike difficulties. keepalive = 60


  • kernel oplocks (G) -


    For UNIXs that support kernel based oplocks +


    For UNIXs that support kernel based oplocks (currently only IRIX but hopefully also Linux and FreeBSD soon) this parameter allows the use of them to be turned on or off. -


    Kernel oplocks support allows Samba oplocks to be +


    Kernel oplocks support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation accesses a file that smbd has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a @@ -2002,7 +2039,7 @@ data consistency between SMB/CIFS, NFS and local file access (and is a


    This parameter defaults to "On" on systems that have the support, and "off" on systems that don't. You should never need to touch this parameter. -


    See also the "oplocks" and "level2 oplocks" +


    See also the "oplocks" and "level2 oplocks" parameters.


  • ldap filter (G) @@ -2012,7 +2049,7 @@ are only available if your version of Samba was configured with the --with-ldap option.


    This parameter specifies an LDAP search filter used to search for a user name in the LDAP database. It must contain the string -%u which will be replaced with the user being +%u which will be replaced with the user being searched for.


    Default: empty string. @@ -2035,7 +2072,7 @@ the --with-ldap option.


    This parameter specifies the entity to bind to the LDAP server as (essentially the LDAP username) in order to be able to perform queries and modifications on the LDAP database. -


    See also ldap root passwd. +


    See also ldap root passwd.


    Default: empty string (no user defined)


    @@ -2050,7 +2087,7 @@ able to perform queries and modifications on the LDAP database.


    BUGS: This parameter should NOT be a readable parameter in the smb.conf file and will be removed once a correct storage place is found. -


    See also ldap root. +


    See also ldap root.


    Default: empty string.


    @@ -2077,7 +2114,7 @@ for an entry in the LDAP password database.


  • level2 oplocks (S)


    This parameter (new in Samba 2.0.5) controls whether Samba supports -level2 (read-only) oplocks on a share. In Samba 2.0.4 this parameter +level2 (read-only) oplocks on a share. In Samba 2.0.5 this parameter defaults to "False" as the code is new, but will default to "True" in a later release.


    Level2, or read-only oplocks allow Windows NT clients that have an @@ -2095,12 +2132,12 @@ read-ahead caches.


    It is recommended that this parameter be turned on to speed access to shared executables (and also to test the code :-).


    For more discussions on level2 oplocks see the CIFS spec. -


    Currently, if "kernel oplocks" are supported +


    Currently, if "kernel oplocks" are supported then level2 oplocks are not granted (even if this parameter is set -to "true"). Note also, the "oplocks" parameter must +to "true"). Note also, the "oplocks" parameter must be set to "true" on this share in order for this parameter to have any effect. -


    See also the "oplocks" and "kernel oplocks" parameters. +


    See also the "oplocks" and "kernel oplocks" parameters.


    Default: level2 oplocks = False


    Example: @@ -2113,12 +2150,12 @@ for them to see the Samba server in their browse list. This parameter can have three values, "true", "false", or "auto". The default is "auto". If set to "false" Samba will never produce these broadcasts. If set to "true" Samba will produce Lanman -announce broadcasts at a frequency set by the parameter "lm +announce broadcasts at a frequency set by the parameter "lm interval". If set to "auto" Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a -frequency set by the parameter "lm interval". -


    See also "lm interval". +frequency set by the parameter "lm interval". +


    See also "lm interval".


    Default: lm announce = auto


    Example: @@ -2126,12 +2163,12 @@ frequency set by the parameter "lm


  • lm interval (G)


    If Samba is set to produce Lanman announce broadcasts needed by -OS/2 clients (see the "lm announce" +OS/2 clients (see the "lm announce" parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman -announcements will be made despite the setting of the "lm +announcements will be made despite the setting of the "lm announce" parameter. -


    See also "lm announce". +


    See also "lm announce".


    Default: lm interval = 60


    Example: @@ -2140,7 +2177,7 @@ announce"
    parameter.

  • load printers (G)


    A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the -"printers" section for more details. +"printers" section for more details.


    Default: load printers = yes


    Example: @@ -2161,11 +2198,11 @@ elections for local master browser. local master = yes


  • lock dir (G) -


    Synonym for "lock directory". +


    Synonym for "lock directory".


  • lock directory (G)


    This option specifies the directory where lock files will be placed. -The lock files are used to implement the "max +The lock files are used to implement the "max connections" option.


    Default: lock directory = /tmp/samba @@ -2199,14 +2236,14 @@ separate log files for each user or machine. log file = /usr/local/samba/var/log.%m


  • log level (G) -


    Synonym for "debug level". +


    Synonym for "debug level".


  • logon drive (G)


    This parameter specifies the local path to which the home directory -will be connected (see "logon home") and is only +will be connected (see "logon home") and is only used by NT Workstations.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Example: logon drive = h:


    @@ -2217,8 +2254,20 @@ NT Workstation logs into a Samba PDC. It allows you to do


    from a command prompt, for example.


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. +


    This parameter can be used with Win9X workstations to ensure that +roaming profiles are stored in a subdirectory of the user's home +directory. This is done in the following way: +


    " logon home = \\%L\%U\profile" +


    This tells Samba to return the above string, with substitutions made +when a client requests the info, generally in a NetUserGetInfo request. +Win9X clients truncate the info to \\server\share when a user does "net use /home", +but use the whole string when dealing with profiles. +


    Note that in prior versions of Samba, the "logon path" was returned rather than +"logon home". This broke "net use /home" but allowed profiles outside the +home directory. The current implementation is correct, and can be used for profiles +if you use the above trick.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Example: logon home = "\\remote_smb_server\%U"


    Default: @@ -2226,21 +2275,24 @@ separate logon scripts for each user or machine.


  • logon path (G)


    This parameter specifies the home directory where roaming profiles -(USER.DAT / USER.MAN files for Windows 95/98) are stored. +(NTuser.dat etc files for Windows NT) are stored. Contrary to previous +versions of these manual pages, it has nothing to do with Win 9X roaming +profiles. To find out how to handle roaming profiles for Win 9X system, see +the "logon home" parameter.


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies -the directory from which the "desktop", "start menu", -"network neighborhood" and "programs" folders, and their -contents, are loaded and displayed on your Windows 95/98 client. +the directory from which the "application data", ("desktop", "start menu", +"network neighborhood", "programs" and other folders, and their +contents, are loaded and displayed on your Windows NT client.


    The share and the path must be readable by the user for the -preferences and directories to be loaded onto the Windows 95/98 +preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the logs in for the first -time, in order that the Windows 95/98 client can create the user.dat +time, in order that the Windows NT client can create the NTuser.dat and other directories.


    Thereafter, the directories and any of the contents can, if required, be -made read-only. It is not advisable that the USER.DAT file be made -read-only - rename it to USER.MAN to achieve the desired effect (a -MANdatory profile). +made read-only. It is not advisable that the NTuser.dat file be made +read-only - rename it to NTuser.man to achieve the desired effect (a +MANdatory profile).


    Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share @@ -2249,7 +2301,7 @@ problems).


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Default: logon path = \\%N\%U\profile


    Example: @@ -2261,7 +2313,7 @@ separate logon scripts for each user or machine. logs in. The file must contain the DOS style cr/lf line endings. Using a DOS-style editor to create the file is recommended.


    The script must be a relative path to the [netlogon] service. If -the [netlogon] service specifies a path of +the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:


    /usr/local/samba/netlogon/STARTUP.BAT @@ -2277,7 +2329,7 @@ files to be arbitrarily modified and security to be breached.


    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.


    Note that this option is only useful if Samba is set up as a -logon server. +logon server.


    Example: logon script = scripts\%U.bat


    @@ -2290,20 +2342,20 @@ by using job priorities, where jobs having a too low priority won't be sent to the printer.


    If a "%p" is given then the printername is put in its place. A "%j" is replaced with the job number (an integer). On HPUX (see -printing=hpux), if the "-p%p" option is added +printing=hpux), if the "-p%p" option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.


    Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: Currently no default value is given to this string, unless the -value of the "printing" parameter is SYSV, in +value of the "printing" parameter is SYSV, in which case the default is :


    lp -i %p-%j -H hold -


    or if the value of the "printing" parameter is softq, +


    or if the value of the "printing" parameter is softq, then the default is:


    qstat -s -j%j -h


    Example for HPUX: @@ -2322,7 +2374,7 @@ previous identical lpq command will be used if the cached data less than 10 seconds old. A large value may be advisable if your lpq command is very slow.


    A value of 0 will disable caching completely. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: lpq cache time = 10


    Example: @@ -2336,7 +2388,7 @@ as its only parameter and outputs printer status information.


    Currently eight styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX systems. You control which type is expected using the -"printing =" option. +"printing =" option.


    Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first @@ -2346,7 +2398,7 @@ connection number sent is invalid. it is placed at the end of the command.


    Note that it is good practice to include the absolute path in the lpq command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: depends on the setting of printing =


    Example: @@ -2357,19 +2409,19 @@ command
    as the PATH may not be available to the server. in order to restart or continue printing or spooling a specific print job.


    This command should be a program or script which takes a printer name -and job number to resume the print job. See also the "lppause +and job number to resume the print job. See also the "lppause command" parameter.


    If a %p is given then the printername is put in its place. A %j is replaced with the job number (an integer).


    Note that it is good practice to include the absolute path in the lpresume command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default:


    Currently no default value is given to this string, unless the -value of the "printing" parameter is SYSV, in +value of the "printing" parameter is SYSV, in which case the default is :


    lp -i %p-%j -H resume -


    or if the value of the "printing" parameter is softq, +


    or if the value of the "printing" parameter is softq, then the default is:


    qstat -s -j%j -r


    Example for HPUX: @@ -2384,7 +2436,7 @@ and job number, and deletes the print job. %j is replaced with the job number (an integer).


    Note that it is good practice to include the absolute path in the lprm command as the PATH may not be available to the server. -


    See also the "printing" parameter. +


    See also the "printing" parameter.


    Default: depends on the setting of "printing ="


    Example 1: @@ -2394,26 +2446,26 @@ and job number, and deletes the print job.


  • machine password timeout (G)


    If a Samba server is a member of an Windows NT Domain (see the -"security=domain") parameter) then +"security=domain") parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASWORD stored in the file called <Domain>.<Machine>.mac where <Domain> is the name of the Domain we are a member of and <Machine> is the primary -"NetBIOS name" of the machine +"NetBIOS name" of the machine smbd is running on. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.


    See also smbpasswd (8), and the -"security=domain") parameter. +"security=domain") parameter.


    Default: machine password timeout = 604800


  • magic output (S)


    This parameter specifies the name of a file which will contain output -created by a magic script (see the "magic +created by a magic script (see the "magic script" parameter below). -


    Warning: If two clients use the same "magic +


    Warning: If two clients use the same
    "magic script" in the same directory the output file content is undefined.


    Default: @@ -2429,7 +2481,7 @@ connected user.


    Scripts executed in this way will be deleted upon completion, permissions permitting.


    If the script generates output, output will be sent to the file -specified by the "magic output" parameter (see +specified by the "magic output" parameter (see above).


    Note that some shells are unable to interpret scripts containing carriage-return-linefeed instead of linefeed as the end-of-line @@ -2443,7 +2495,7 @@ end. magic script = user.csh


  • mangle case (S) -


    See the section on "NAME MANGLING". +


    See the section on "NAME MANGLING".


  • mangle locks (S)


    This option is was introduced with Samba 2.0.4 and above and has been @@ -2471,7 +2523,7 @@ this use a map of (*;1 *).


    This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored. -


    See the section on "NAME MANGLING" for details +


    See the section on "NAME MANGLING" for details on how to control the mangling process.


    If mangling is used then the mangling algorithm is as follows:


      @@ -2485,14 +2537,14 @@ extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.


      Note that the character to use may be specified using the -"mangling char" option, if you don't like +"mangling char" option, if you don't like '~'.


    • The first three alphanumeric characters of the final extension are preserved, forced to upper case and appear as the extension of the mangled name. The final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except in the case -of "hidden files" - see below). +of "hidden files" - see below).


    • Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless @@ -2515,7 +2567,7 @@ change between sessions.


    • mangling char (S)


      This controls what character is used as the "magic" character in -name mangling. The default is a '~' but +name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer.


      Default: @@ -2547,9 +2599,9 @@ has been modified since its last backup. One motivation for this option it to keep Samba/your PC from making any file it touches from becoming executable under UNIX. This can be quite annoying for shared source code, documents, etc... -


      Note that this requires the "create mask" +


      Note that this requires the "create mask" parameter to be set such that owner execute bit is not masked out -(i.e. it must include 100). See the parameter "create +(i.e. it must include 100). See the parameter "create mask" for details.


      Default: map archive = yes @@ -2559,9 +2611,9 @@ mask"
      for details.

    • map hidden (S)


      This controls whether DOS style hidden files should be mapped to the UNIX world execute bit. -


      Note that this requires the "create mask" to be +


      Note that this requires the "create mask" to be set such that the world execute bit is not masked out (i.e. it must -include 001). See the parameter "create mask" +include 001). See the parameter "create mask" for details.


      Default: map hidden = no @@ -2571,9 +2623,9 @@ for details.

    • map system (S)


      This controls whether DOS style system files should be mapped to the UNIX group execute bit. -


      Note that this requires the "create mask" to be +


      Note that this requires the "create mask" to be set such that the group execute bit is not masked out (i.e. it must -include 010). See the parameter "create mask" +include 010). See the parameter "create mask" for details.


      Default: map system = no @@ -2581,8 +2633,8 @@ for details. map system = yes


    • map to guest (G) -


      This parameter is only useful in security modes -other than "security=share" - i.e. user, +


      This parameter is only useful in security modes +other than "security=share" - i.e. user, server, and domain.


      This parameter can take three different values, which tell smbd what to do with user login requests that @@ -2593,11 +2645,11 @@ don't match a valid UNIX user in some way. are rejected. This is the default.


    • "Bad User" - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is -treated as a guest login and mapped into the "guest +treated as a guest login and mapped into the "guest account".


    • "Bad Password" - Means user logins with an invalid password are treated as a guest login and mapped into the -"guest account". Note that this can +"guest account". Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on a "guest" - and will not know the reason they cannot access files they think @@ -2607,7 +2659,7 @@ that they got their password wrong. Helpdesk services will this way :-).



    Note that this parameter is needed to set up "Guest" share -services when using security modes other than +services when using security modes other than share. This is because in these modes the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client so the server cannot make @@ -2628,7 +2680,7 @@ connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.


    Record lock files are used to implement this feature. The lock files -will be stored in the directory specified by the "lock +will be stored in the directory specified by the "lock directory" option.


    Default: max connections = 0 @@ -2682,7 +2734,7 @@ so you should never need to touch this parameter. max open files = 10000


  • max packet (G) -


    Synonym for ">(packetsize). +


    Synonym for "packet size".


  • max ttl (G)


    This option tells nmbd what the default 'time @@ -2695,11 +2747,11 @@ change this parameter. The default is 3 days.


  • max wins ttl (G)


    This option tells nmbd when acting as a WINS -server (wins support =true) what the maximum +server (wins support =true) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds). -


    See also the "min wins ttl" parameter. +


    See also the "min wins ttl" parameter.


    Default: max wins ttl = 518400


    @@ -2726,8 +2778,8 @@ IMMEDIATELY. That's why I have the '&' on the end. If it d return immediately then your PCs may freeze when sending messages (they should recover after 30secs, hopefully).


    All messages are delivered as the global guest user. The command takes -the standard substitutions, although %u won't work -(%U may be better in this case). +the standard substitutions, although %u won't work +(%U may be better in this case).


    Apart from the standard substitutions, some additional ones apply. In particular:


      @@ -2756,24 +2808,27 @@ on regardless, saying that the message was delivered. before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means a user can always spool a print job. -


      See also the printing parameter. +


      See also the printing parameter.


      Default: min print space = 0


      Example: min print space = 2000


    • min passwd length (G) +


      Synonym for "min password length". +


      +

    • min password length (G)


      This option sets the minimum length in characters of a plaintext password than smbd will accept when performing UNIX password changing. -


      See also "unix password sync", -"passwd program" and "passwd chat +


      See also
      "unix password sync", +"passwd program" and "passwd chat debug".


      Default: - min passwd length = 5 + min password length = 5


    • min wins ttl (G)


      This option tells nmbd when acting as a WINS -server (wins support = true) what the minimum +server (wins support = true) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds). @@ -2799,10 +2854,10 @@ Solaris this may be controlled by the /etc/nsswitch.conf file). Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type, otherwise it is ignored.


    • wins : Query a name with the IP address listed in the -wins server parameter. If no WINS server has +wins server parameter. If no WINS server has been specified this method will be ignored.


    • bcast : Do a broadcast on each of the known local interfaces -listed in the interfaces parameter. This is the +listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.


    @@ -2817,11 +2872,11 @@ by a broadcast attempt, followed by a normal system hostname lookup.


    This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If -a machine is acting as a browse server or -logon server none of these names will be +a machine is acting as a browse server or +logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities. -


    See also "netbios name". +


    See also "netbios name".


    Default: empty string (no additional names)


    Example: @@ -2830,15 +2885,19 @@ name of the machine will be advertised with these capabilities.

  • netbios name (G)


    This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. -If a machine is a browse server or -logon server this name (or the first component +If a machine is a browse server or +logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under. -


    See also "netbios aliases". +


    See also "netbios aliases".


    Default: Machine DNS name.


    Example: netbios name = MYNAME +


    +

  • netbios scope (G) +


    This sets the NetBIOS scope that Samba will operate under. This should +not be set unless every machine on your LAN also sets this value.


  • nis homedir (G)


    Get the home share server from a NIS map. For UNIX systems that use an @@ -2855,11 +2914,11 @@ different server to the logon server and as long as a Samba daemon is running on the home directory server, it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in -"homedir map" and return the server listed +"homedir map" and return the server listed there.


    Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a -logon server. +logon server.


    Default: nis homedir = false


    Example: @@ -2917,20 +2976,20 @@ correctly. ole locking compatibility = no


  • only guest (S) -


    A synonym for "guest only". +


    A synonym for "guest only".


  • only user (S)


    This is a boolean option that controls whether connections with -usernames not in the user= list will be allowed. By +usernames not in the user= list will be allowed. By default this option is disabled so a client can supply a username to be used by the server.


    Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the [homes] -section. To get around this you could use "user = -%S" which means your "user" list +service name. This can be annoying for the [homes] +section. To get around this you could use "user = +%S" which means your "user" list will be just the service name, which for home directories is the name of the user. -


    See also the user parameter. +


    See also the user parameter.


    Default: only user = False


    Example: @@ -2948,10 +3007,10 @@ more information see the file Speed.txt in the Samba docs/ directory. See the 'veto oplock files' parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local -UNIX process. See the kernel oplocks parameter +UNIX process. See the kernel oplocks parameter for details. -


    See also the "kernel oplocks" and -"level2 oplocks" parameters. +


    See also the "kernel oplocks" and +"level2 oplocks" parameters.


    Default: oplocks = True


    Example: @@ -2985,7 +3044,7 @@ OPLOCK CODE.


    This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd has a chance of becoming a local master -browser for the WORKGROUP in the local broadcast +browser for the WORKGROUP in the local broadcast area. The default is zero, which means nmbd will lose elections to Windows machines. See BROWSING.txt in the Samba docs/ directory for details. @@ -2995,7 +3054,7 @@ docs/ directory for details. os level = 65 ; This will win against any NT Server


  • packet size (G) -


    This is a deprecated parameter that how no effect on the current +


    This is a deprecated parameter that has no effect on the current Samba code. It is left in the parameter list to prevent breaking old smb.conf files.


    @@ -3012,7 +3071,7 @@ attention to the fact that a problem occurred. between smbd and the local password changing program to change the users password. The string describes a sequence of response-receive pairs that smbd uses to -determine what to send to the passwd program +determine what to send to the passwd program and what to expect back. If the expected output is not received then the password is not changed.


    This chat sequence is often quite site specific, depending on what @@ -3028,13 +3087,13 @@ a single string.


    If the send string in any part of the chat sequence is a fullstop "." then no string is sent. Similarly, is the expect string is a fullstop then no string is expected. -


    Note that if the "unix password sync" +


    Note that if the "unix password sync" parameter is set to true, then this sequence is called *AS ROOT* when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. In this case the old password cleartext is set to "" (the empty string). -


    See also "unix password sync", -"passwd program" and "passwd chat +


    See also
    "unix password sync", +"passwd program" and "passwd chat debug".


    Example:

    @@ -3052,13 +3111,13 @@ debug".
     


    This boolean specifies if the passwd chat script parameter is run in "debug" mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd log with -a "debug level" of 100. This is a dangerous +a "debug level" of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the smbd log. It is available to help Samba admins -debug their "passwd chat" scripts when calling -the "passwd program" and should be turned off +debug their "passwd chat" scripts when calling +the "passwd program" and should be turned off after this has been done. This parameter is off by default. -


    See also "passwd chat", "passwd +


    See also
    "passwd chat", "passwd program".


    Example: passwd chat debug = True @@ -3067,25 +3126,25 @@ program"
    .


  • passwd program (G)


    The name of a program that can be used to set UNIX user passwords. -Any occurrences of %u will be replaced with the +Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.


    Also note that many passwd programs insist in "reasonable" passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it. -


    Note that if the "unix password sync" +


    Note that if the "unix password sync" parameter is set to "True" then this program is called *AS ROOT* before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then smbd will fail to change the SMB password also (this is by design). -


    If the "unix password sync" parameter is +


    If the "unix password sync" parameter is set this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications. Note that by -default "unix password sync" is set to +default "unix password sync" is set to "False". -


    See also "unix password sync". +


    See also "unix password sync".


    Default: passwd program = /bin/passwd


    Example: @@ -3121,15 +3180,15 @@ as is and the password in all-lower case.


  • password server (G)


    By specifying the name of another SMB server (such as a WinNT box) -with this option, and using "security = domain" or -"security = server" you can get Samba to do all +with this option, and using "security = domain" or +"security = server" you can get Samba to do all its username/password validation via a remote server.


    This options sets the name of the password server to use. It must be a NetBIOS name, so if the machine's NetBIOS name is different from its internet name then you may have to add its NetBIOS name to the lmhosts file which is stored in the same directory as the smb.conf file.


    The name of the password server is looked up using the parameter -"name resolve order=" and so may resolved +"name resolve order=" and so may resolved by any method and order described in that parameter.


    The password server much be a machine capable of using the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in user level security @@ -3140,17 +3199,17 @@ SERVER THAT YOU DON'T COMPLETELY TRUST.


    Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!


    The name of the password server takes the standard substitutions, but -probably the only useful one is %m, which means +probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you better restrict them with hosts allow! -


    If the "security" parameter is set to +


    If the "security" parameter is set to "domain", then the list of machines in this option must be a list of Primary or Backup Domain controllers for the -Domain or the character *, as the Samba server is cryptographicly +Domain or the character *, as the Samba server is cryptographicly in that domain, and will use cryptographicly authenticated RPC calls to authenticate the user logging on. The advantage of using -"security=domain" is that if you list +"security=domain" is that if you list several hosts in the "password server" option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down. @@ -3158,10 +3217,10 @@ that responds. This is useful in case your primary server goes down. then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP addresses -from the name resolution source. -


    If the "security" parameter is set to -"server", then there are different -restrictions that "security=domain" +from the name resolution source. +


    If the "security" parameter is set to +"server", then there are different +restrictions that "security=domain" doesn't suffer from:



    • You may list several password servers in the "password server" @@ -3169,16 +3228,16 @@ parameter, however if an smbd makes a to a password server, and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS -protocol when in "security=server" mode +protocol when in "security=server" mode and cannot be fixed in Samba.


    • If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in -"security=server" mode the network +"security=server" mode the network logon will appear to come from there rather than from the users workstation.


    -


    See also the "security" parameter. +


    See also the "security" parameter.


    Default: password server = <empty string>


    Example: @@ -3195,13 +3254,13 @@ printing. readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise. -


    Any occurrences of %u in the path will be replaced +


    Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this -connection. Any occurrences of %m will be replaced +connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users. -


    Note that this path will be based on "root dir" if +


    Note that this path will be based on "root dir" if one was specified.


    Default: none @@ -3214,7 +3273,7 @@ disconnected. It takes the usual substitutions. The command may be run as the root on some systems.


    An interesting example may be do unmount server resources:


    postexec = /etc/umount /cdrom -


    See also preexec. +


    See also preexec.


    Default: none (no command executed)


    Example: @@ -3243,7 +3302,7 @@ time they log in. Maybe a message of the day? Here is an example:


  • Of course, this could get annoying after a while :-) -


    See also preexec close and postexec. +


    See also preexec close and postexec.


    Default: none (no command executed)


    Example: @@ -3251,7 +3310,7 @@ time they log in. Maybe a message of the day? Here is an example:


  • preexec close (S)


    This boolean option controls whether a non-zero return code from -"preexec" should close the service being connected to. +"preexec" should close the service being connected to.


    Default: preexec close = no


    Example: @@ -3263,7 +3322,7 @@ preferred master browser for its workgroup.


    If this is set to true, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in -conjunction with "domain master = yes", so +conjunction with "domain master = yes", so that nmbd can guarantee becoming a domain master.


    Use this option with caution, because if there are several hosts @@ -3272,25 +3331,25 @@ browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities. -


    See also os level. +


    See also os level.


    Default: preferred master = no


    Example: preferred master = yes


  • prefered master (G) -


    Synonym for "preferred master" for people +


    Synonym for "preferred master" for people who cannot spell :-).


  • preload -Synonym for "auto services". +Synonym for "auto services".


  • preserve case (S)


    This controls if new filenames are created with the case that the client passes, or if they are forced to be the "default" case.


    Default: preserve case = yes -


    See the section on "NAME MANGLING" for a +


    See the section on "NAME MANGLING" for a fuller discussion.


  • print command (S) @@ -3302,20 +3361,16 @@ be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.


    The print command is simply a text string. It will be used verbatim, -with two exceptions: All occurrences of "%s" will be replaced by -the appropriate spool file name, and all occurrences of "%p" will -be replaced by the appropriate printer name. The spool file name is -generated automatically by the server, the printer name is discussed -below. -


    The full path name will be used for the filename if "%s" is not -preceded by a '/'. If you don't like this (it can stuff up some -lpq output) then use "%f" instead. Any occurrences of "%f" get -replaced by the spool filename without the full path at the front. +with two exceptions: All occurrences of "%s" and "%f" will be +replaced by the appropriate spool file name, and all occurrences of +"%p" will be replaced by the appropriate printer name. The spool +file name is generated automatically by the server, the printer name +is discussed below.


    The print command MUST contain at least one occurrence of "%s" or "%f" - the "%p" is optional. At the time a job is submitted, if no printer name is supplied the "%p" will be silently removed from the printer command. -


    If specified in the "[global]" section, the print +


    If specified in the "[global]" section, the print command given will be used for any printable service that does not have its own print command specified.


    If there is neither a specified print command for a printable service @@ -3323,8 +3378,8 @@ nor a global print command, spool files will be created but not processed and (most importantly) not removed.


    Note that printing may fail on some UNIXs from the "nobody" account. If this happens then create an alternative guest account that -can print and set the "guest account" in the -"[global]" section. +can print and set the "guest account" in the +"[global]" section.


    You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual @@ -3332,27 +3387,27 @@ separator for command in shell scripts.


    print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s


    You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter -varies depending on the setting of the "printing=" +varies depending on the setting of the "printing=" parameter.


    Default: - For "printing=" BSD, AIX, QNX, LPRNG or PLP : + For "printing=" BSD, AIX, QNX, LPRNG or PLP : print command = lpr -r -P%p %s -


    For "printing=" SYS or HPUX : +


    For "printing=" SYS or HPUX : print command = lp -c -d%p %s; rm %s -


    For "printing=" SOFTQ : +


    For "printing=" SOFTQ : print command = lp -d%p -s %s; rm %s


    Example: print command = /usr/local/samba/bin/myprintscript %p %s


  • print ok (S) -


    Synonym for printable. +


    Synonym for printable.


  • printable (S)


    If this parameter is "yes", then clients may open, write to and submit spool files on the directory specified for the service.


    Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The -"read only" parameter controls only non-printing +"writeable" parameter controls only non-printing access to the resource.


    Default: printable = no @@ -3360,12 +3415,12 @@ access to the resource. printable = yes


  • printcap (G) -


    Synonym for printcapname. +


    Synonym for printcapname.


  • printcap name (G)


    This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the -discussion of the [printers] section above for +discussion of the [printers] section above for reasons why you might want to do this.


    On System V systems that use lpstat to list available printers you can use "printcap name = lpstat" to automatically obtain lists of @@ -3399,7 +3454,7 @@ format if the string "/qconfig" appears in the printcap filename.

  • printer (S)


    This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent. -


    If specified in the [global] section, the printer +


    If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.


    Default: @@ -3418,7 +3473,7 @@ don't know the exact string to use then you should first try with no "printer driver" option set and the client will give you a list of printer drivers. The appropriate strings are shown in a scrollbox after you have chosen the printer manufacturer. -


    See also "printer driver file". +


    See also "printer driver file".


    Example: printer driver = HP LaserJet 4L


    @@ -3435,14 +3490,14 @@ in the docs/ directory, PRINTER_DRIVER.txt. None (set in compile).


    Example: printer driver file = /usr/local/samba/printers/drivers.def -


    See also "printer driver location". +


    See also "printer driver location".


  • printer driver location (S)


    This parameter tells clients of a particular printer share where to find the printer driver files for the automatic installation of drivers for Windows 95 machines. If Samba is set up to serve printer drivers to Windows 95 machines, this should be set to -


    \\MACHINE\aPRINTER$ +


    \\MACHINE\PRINTER$


    Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ is a share you set up for serving printer driver files. For more details on setting this up see the documentation file in the docs/ @@ -3451,27 +3506,28 @@ directory, PRINTER_DRIVER.txt. None


    Example: printer driver location = \\MACHINE\PRINTER$ -


    See also "printer driver file". +


    See also "printer driver file".


  • printer name (S) -


    Synonym for printer. +


    Synonym for printer.


  • printing (S)


    This parameters controls how printer status information is interpreted -on your system, and also affects the default values for the -"print command", "lpq -command" "lppause command", -"lpresume command", and "lprm -command". +on your system. It also affects the default values for the +"print command", "lpq +command" "lppause command", +"lpresume command", and "lprm +command" if specified in the [global] +section.


    Currently eight printing styles are supported. They are -"printing=BSD", "printing=AIX", "printing=LPRNG", -"printing=PLP", -"printing=SYSV","printing="HPUX","printing=QNX" and -"printing=SOFTQ". +"printing=BSD", "printing=AIX", +"printing=LPRNG", "printing=PLP", "printing=SYSV", +"printing="HPUX", "printing=QNX", "printing=SOFTQ", +and "printing=CUPS".


    To see what the defaults are for the other print commands when using -these three options use the "testparm" program. +the various options use the "testparm" program.


    This option can be set on a per printer basis -


    See also the discussion in the [printers] section. +


    See also the discussion in the [printers] section.


  • protocol (G)


    The value of the parameter (a string) is the highest protocol level @@ -3495,7 +3551,7 @@ protocol. protocol = LANMAN1


  • public (S) -


    Synonym for "guest ok". +


    Synonym for "guest ok".


  • queuepause command (S)


    This parameter specifies the command to be executed on the server host @@ -3518,7 +3574,7 @@ command as the PATH may not be available to the server.


    This parameter specifies the command to be executed on the server host in order to resume the printerqueue. It is the command to undo the behavior that is caused by the previous parameter -("queuepause command). +("queuepause command).


    This command should be a program or script which takes a printer name as its only parameter and resumes the printerqueue, such that queued jobs are resubmitted to the printer. @@ -3543,11 +3599,11 @@ and defaults to off. You should never need to set this parameter.

  • read list (S)


    This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be -given write access, no matter what the "read only" +given write access, no matter what the "writeable" option is set to. The list can include group names using the syntax -described in the "invalid users" parameter. -


    See also the "write list" parameter and -the "invalid users" parameter. +described in the "invalid users" parameter. +


    See also the "write list" parameter and +the "invalid users" parameter.


    Default: read list = <empty string>


    Example: @@ -3555,9 +3611,7 @@ the "invalid users"


  • read only (S)


    Note that this is an inverted synonym for -"writeable" and "write ok". -


    See also "writeable" and "write -ok". +"writeable".


  • read prediction (G)


    NOTE: This code is currently disabled in Samba2.0 and @@ -3579,7 +3633,7 @@ typically provides a major performance benefit. incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads.


    In general this parameter should be viewed as a system tuning tool and left -severely alone. See also "write raw". +severely alone. See also "write raw".


    Default: read raw = yes


    @@ -3617,7 +3671,7 @@ packets to.


    the above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name then the one given in the -"workgroup" parameter is used instead. +"workgroup" parameter is used instead.


    The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable. @@ -3682,7 +3736,7 @@ as a different user".


  • revalidate (S)


    Note that this option only works with -"security=share" and will be ignored if +"security=share" and will be ignored if this is not the case.


    This option controls whether Samba will allow a previously validated username/password pair to be used to attach to a share. Thus if you @@ -3697,10 +3751,10 @@ automatic access as the same username. revalidate = True


  • root (G) -


    Synonym for "root directory". +


    Synonym for "root directory".


  • root dir (G) -


    Synonym for "root directory". +


    Synonym for "root directory".


  • root directory (G)


    The server will "chroot()" (i.e. Change it's root directory) to @@ -3709,7 +3763,7 @@ operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the -setting of the "wide links" parameter). +setting of the "wide links" parameter).


    Adding a "root directory" entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the "root @@ -3726,22 +3780,22 @@ operating system dependent. root directory = /homes/smb


  • root postexec (S) -


    This is the same as the "postexec" parameter +


    This is the same as the "postexec" parameter except that the command is run as root. This is useful for unmounting filesystems (such as cdroms) after a connection is closed. -


    See also "postexec". +


    See also "postexec".


  • root preexec (S) -


    This is the same as the "preexec" parameter except +


    This is the same as the "preexec" parameter except that the command is run as root. This is useful for mounting filesystems (such as cdroms) before a connection is finalized. -


    See also "preexec" -and "root preexec close". +


    See also "preexec" +and "root preexec close".


  • root preexec close (S) -


    This is the same as the "preexec close" parameter +


    This is the same as the "preexec close" parameter except that the command is run as root. -


    See also "preexec", "preexec close". +


    See also "preexec", "preexec close".


  • security (G)


    This option affects how clients respond to Samba and is one of the most @@ -3750,16 +3804,16 @@ important settings in the smb.conf file. negotiations with smbd to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server. -


    The default is "security=user", as this is +


    The default is "security=user", as this is the most common setting needed when talking to Windows 98 and Windows NT. -


    The alternatives are "security = share", -"security = server" or -"security=domain". +


    The alternatives are "security = share", +"security = server" or +"security=domain".


    *****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR PREVIOUS VERSIONS OF SAMBA *******.


    In previous versions of Samba the default was -"security=share" mainly because that was +"security=share" mainly because that was the only option at one stage.


    There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client will totally ignore the @@ -3770,17 +3824,17 @@ anyone except the user that you are logged into WfWg as. UNIX machine then you will want to use "security = user". If you mostly use usernames that don't exist on the UNIX box then use "security = share". -


    You should also use security=share if +


    You should also use security=share if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with -security=user, see the "map to +security=user, see the "map to guest"parameter for details.


    It is possible to use smbd in a "hybrid mode" where it is offers both user and share level security under -different NetBIOS aliases. See the -NetBIOS aliases and the -include parameters for more information. +different NetBIOS aliases. See the +NetBIOS aliases and the +include parameters for more information.


    The different settings will now be explained.



      @@ -3802,11 +3856,11 @@ of the client.


      A list of possible UNIX usernames to match with the given client password is constructed using the following methods :


        -


      • If the "guest only" parameter is set, then -all the other stages are missed and only the "guest +


      • If the "guest only" parameter is set, then +all the other stages are missed and only the "guest account" username is checked.


      • Is a username is sent with the share connection request, then -this username (after mapping - see "username +this username (after mapping - see "username map"), is added as a potential username.


      • If the client did a previous "logon" request (the SessionSetup SMB call) then the username sent in this SMB @@ -3815,29 +3869,29 @@ will be added as a potential username. as a potential username.


      • The NetBIOS name of the client is added to the list as a potential username. -


      • Any users on the "user" list are added +


      • Any users on the "user" list are added as potential usernames.


      -


      If the "guest only" parameter is not set, then +


      If the "guest only" parameter is not set, then this list is then tried with the supplied password. The first user for whom the password matches will be used as the UNIX user. -


      If the "guest only" parameter is set, or no +


      If the "guest only" parameter is set, or no username can be determined then if the share is marked as available to -the "guest account", then this guest user will +the "guest account", then this guest user will be used, otherwise access is denied.


      Note that it can be *very* confusing in share-level security as to which UNIX username will eventually be used in granting access. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION".


    • "security=user"


      This is the default security setting in Samba2.0. With user-level security a client must first "log-on" with a valid username and -password (which can be mapped using the "username +password (which can be mapped using the "username map" parameter). Encrypted passwords (see the -"encrypted passwords" parameter) can also +"encrypted passwords" parameter) can also be used in this security mode. Parameters such as -"user" and "guest only", if set +"user" and "guest only", if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated. @@ -3845,10 +3899,10 @@ authenticated. *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown -users into the "guest account". See the -"map to guest" parameter for details on +users into the "guest account". See the +"map to guest" parameter for details on doing this. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION".


    • "security=server" @@ -3860,25 +3914,25 @@ checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.


      Note that from the clients point of view "security=server" is -the same as "security=user". It only +the same as "security=user". It only affects how the server deals with the authentication, it does not in any way affect what the client sees.


      Note that the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in server level security without allowing the server to automatically map unknown -users into the "guest account". See the -"map to guest" parameter for details on +users into the "guest account". See the +"map to guest" parameter for details on doing this. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION". -


      See also the "password server" parameter. -and the "encrypted passwords" parameter. +


      See also the "password server" parameter. +and the "encrypted passwords" parameter.


    • "security=domain"


      This mode will only work correctly if smbpasswd has been used to add this machine -into a Windows NT Domain. It expects the "encrypted +into a Windows NT Domain. It expects the "encrypted passwords" parameter to be set to "true". In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the @@ -3887,15 +3941,15 @@ same way that a Windows NT Server would do. account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.


      Note that from the clients point of view "security=domain" is -the same as "security=user". It only +the same as "security=user". It only affects how the server deals with the authentication, it does not in any way affect what the client sees.


      Note that the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in domain level security without allowing the server to automatically map unknown -users into the "guest account". See the -"map to guest" parameter for details on +users into the "guest account". See the +"map to guest" parameter for details on doing this.


      BUG: There is currently a bug in the implementation of "security=domain with respect to multi-byte character @@ -3904,10 +3958,10 @@ must be done in UNICODE and Samba currently does not widen multi-byte user names to UNICODE correctly, thus a multi-byte username will not be recognized correctly at the Domain Controller. This issue will be addressed in a future release. -


      See also the section "NOTE ABOUT USERNAME/PASSWORD +


      See also the section
      "NOTE ABOUT USERNAME/PASSWORD VALIDATION". -


      See also the "password server" parameter. -and the "encrypted passwords" parameter. +


      See also the "password server" parameter. +and the "encrypted passwords" parameter.



    Default: security = USER @@ -3923,16 +3977,16 @@ permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.


    If not set explicitly this parameter is set to the same value as the -create mask parameter. To allow a user to +create mask parameter. To allow a user to modify all the user/group/world permissions on a file, set this parameter to 0777.


    Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0777. -


    See also the force directory security -mode, directory security -mask, force security +


    See also the
    force directory security +mode, directory security +mask, force security mode parameters.


    Default: security mask = <same as create mask> @@ -3993,14 +4047,14 @@ smaller size, reducing by a factor of 0.8 until the OS accepts it.


    Example: shared mem size = 5242880 ; Set to 5mb for a large number of files.


    -

  • short preserve case (G) +
  • short preserve case (S)


    This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the "default" case. This -option can be use with "preserve case +option can be use with "preserve case =yes" to permit long filenames to retain their case, while short names are lowered. Default Yes. -


    See the section on NAME MANGLING. +


    See the section on NAME MANGLING.


    Default: short preserve case = yes


    @@ -4046,7 +4100,7 @@ appropriate documentation for your operating system first (perhaps option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to -samba-bugs@samba.org. +samba@samba.org.


    Any of the supported socket options may be combined in any way you like, as long as your OS allows it.


    This is the list of socket options currently settable using this @@ -4081,6 +4135,25 @@ completely. Use these options with caution! socket options = TCP_NODELAY


    Example: socket options = IPTOS_LOWDELAY +


    +

  • source environment (G) +


    This parameter causes Samba to set environment variables as per the +content of the file named. +


    The file must be owned by root and not world writable in order +to be read (this is a security check). +


    If the value of this parameter starts with a "|" character then Samba will +treat that value as a pipe command to open and will set the environment +variables from the oput of the pipe. This command must not be world writable +and must reside in a directory that is not world writable. +


    The contents of the file or the output of the pipe should be formatted +as the output of the standard Unix env(1) command. This is of the form : +


    Example environment entry: + SAMBA_NETBIOS_NAME=myhostname +


    Default: +No default value +


    Examples: +


    source environment = |/etc/smb.conf.sh +


    source environment = /usr/local/smb_env_vars


  • ssl (G)


    This variable is part of SSL-enabled Samba. This is only available if @@ -4090,8 +4163,8 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    This variable enables or disables the entire SSL mode. If it is set to "no", the SSL enabled samba behaves exactly like the non-SSL samba. If -set to "yes", it depends on the variables "ssl -hosts" and "ssl hosts resign" +set to "yes", it depends on the variables "ssl +hosts" and "ssl hosts resign" whether an SSL connection will be required.


    Default: ssl=no @@ -4178,7 +4251,7 @@ than SSLeay exist. ssl compatibility = no


  • ssl hosts (G) -


    See "ssl hosts resign". +


    See "ssl hosts resign".


  • ssl hosts resign (G)


    This variable is part of SSL-enabled Samba. This is only available if @@ -4188,15 +4261,15 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    These two variables define whether samba will go into SSL mode or not. If none of them is defined, samba will allow only SSL -connections. If the "ssl hosts" variable lists +connections. If the "ssl hosts" variable lists hosts (by IP-address, IP-address range, net group or name), only these hosts will be forced into SSL mode. If the "ssl hosts resign" variable lists hosts, only these hosts will NOT be forced into SSL mode. The syntax for these two variables is the same as for the -"hosts allow" and "hosts +"hosts allow" and "hosts deny" pair of variables, only that the subject of the decision is different: It's not the access right but whether SSL is -used or not. See the "allow hosts" parameter for +used or not. See the "allow hosts" parameter for details. The example below requires SSL connections from all hosts outside the local net (which is 192.168.*.*).


    Default: @@ -4213,8 +4286,8 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    If this variable is set to "yes", the server will not tolerate connections from clients that don't have a valid certificate. The -directory/file given in "ssl CA certDir" and -"ssl CA certFile" will be used to look up the +directory/file given in "ssl CA certDir" and +"ssl CA certFile" will be used to look up the CAs that issued the client's certificate. If the certificate can't be verified positively, the connection will be terminated. If this variable is set to "no", clients don't need certificates. Contrary @@ -4234,7 +4307,7 @@ option "--with-ssl" was given at configure time. enabled by default in any current binary version of Samba.


    If this variable is set to "yes", the smbclient will request a certificate from -the server. Same as "ssl require +the server. Same as "ssl require clientcert" for the server.


    Default: ssl require servercert = no @@ -4286,7 +4359,7 @@ never need to change this parameter. stat cache = yes


  • stat cache size (G) -


    This parameter determines the number of entries in the stat +


    This parameter determines the number of entries in the
    stat cache. You should never need to change this parameter.


    Default: stat cache size = 50 @@ -4328,7 +4401,7 @@ operating system itself that Samba is running on crashes, so there is little danger in this default setting. In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies. -


    See also the "sync always" parameter. +


    See also the "sync always" parameter.


    Default: strict sync = no


    Example: @@ -4350,9 +4423,9 @@ false then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is true then every write will be followed by a fsync() call to ensure the data is written to disk. -Note that the "strict sync" parameter must be +Note that the "strict sync" parameter must be set to "yes" in order for this parameter to have any affect. -


    See also the "strict sync" parameter. +


    See also the "strict sync" parameter.


    Default: sync always = no


    Example: @@ -4375,6 +4448,24 @@ to syslog. system syslog only, and not to the debug log files.


    Default: syslog only = no +


    +

  • template homedir (G) +


    NOTE: this parameter is only available in Samba 3.0. +


    When filling out the user information for a Windows NT user, the +winbindd daemon uses this parameter to fill in +the home directory for that user. If the string %D is present it is +substituted with the user's Windows NT domain name. If the string %U +is present it is substituted with the user's Windows NT user name. +


    Default: + template homedir = /home/%D/%U +


    +

  • template shell (G) +


    NOTE: this parameter is only available in Samba 3.0. +


    When filling out the user information for a Windows NT user, the +winbindd daemon uses this parameter to fill in +the login shell for that user. +


    Default: + template shell = /bin/false


  • time offset (G)


    This parameter is a setting in minutes to add to the normal GMT to @@ -4394,24 +4485,18 @@ itself as a time server to Windows clients. The default is False. time server = True


  • timestamp logs (G) -


    Samba2.0 will a timestamps to all log entries by default. This -can be distracting if you are attempting to debug a problem. This -parameter allows the timestamping to be turned off. -


    Default: - timestamp logs = True -


    Example: - timestamp logs = False +


    Synonym for "debug timestamp".


  • unix password sync (G)


    This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to true the -program specified in the "passwd program" +program specified in the "passwd program" parameter is called *AS ROOT* - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password has change code has no access to the old password cleartext, only the new). By default this is set to "false". -


    See also "passwd program", "passwd +


    See also
    "passwd program", "passwd chat".


    Default: unix password sync = False @@ -4441,7 +4526,7 @@ change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to "off". -


    In order for this parameter to work correctly the "encrypt +


    In order for this parameter to work correctly the
    "encrypt passwords" parameter must be set to "no" when this parameter is set to "yes".


    Note that even when this parameter is set a user authenticating to @@ -4468,10 +4553,10 @@ doing. use rhosts = yes


  • user (S) -


    Synonym for "username". +


    Synonym for "username".


  • users (S) -


    Synonym for "username". +


    Synonym for "username".


  • username (S)


    Multiple users may be specified in a comma-delimited list, in which @@ -4495,7 +4580,7 @@ damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.


    To restrict a service to a particular set of users you can use the -"valid users=" parameter. +"valid users=" parameter.


    If any of the usernames begin with a '@' then the name will be looked up first in the yp netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database @@ -4509,7 +4594,7 @@ netgroup support) and will expand to a list of all users in the netgroup group of that name.


    Note that searching though a groups database can take quite some time, and some clients may time out during the search. -


    See the section "NOTE ABOUT USERNAME/PASSWORD +


    See the section
    "NOTE ABOUT USERNAME/PASSWORD VALIDATION" for more information on how this parameter determines access to the services.


    Default: @@ -4594,7 +4679,7 @@ usernames. Thus if you connect to "\\server\fred" and "fred"< is remapped to "mary" then you will actually be connecting to "\\server\mary" and will need to supply a password suitable for "mary" not "fred". The only exception to this is the username -passed to the "password server" (if you have +passed to the "password server" (if you have one). The password server will receive whatever username the client supplies without modification.


    Also note that no reverse mapping is done. The main effect this has is @@ -4605,8 +4690,62 @@ print job. no username map


    Example: username map = /usr/local/samba/lib/users.map +


    +

  • utmp (S) +


    This boolean parameter is only available if Samba has been configured and compiled +with the option --with-utmp. If set to True then Samba will attempt +to add utmp or utmpx records (depending on the UNIX system) whenever a +connection is made to a Samba server. Sites may use this to record the +user connecting to a Samba share. +


    See also the "utmp directory" parameter. +


    Default: +utmp = False +


    Example: +utmp = True +


    +

  • utmp directory(G) +


    This parameter is only available if Samba has been configured and compiled +with the option --with-utmp. It specifies a directory pathname that is +used to store the utmp or utmpx files (depending on the UNIX system) that +record user connections to a Samba server. See also the "utmp" +parameter. By default this is not set, meaning the system will use whatever +utmp file the native system is set to use (usually /var/run/utmp on Linux). +


    Default: +no utmp directory +


    Example: +utmp directory = /var/adm/ +


    +

  • winbind cache time +


    NOTE: this parameter is only available in Samba 3.0. +


    This parameter specifies the number of seconds the +winbindd daemon will cache user and group +information before querying a Windows NT server again. +


    Default: + winbind cache type = 15 +


    +

  • winbind gid +


    NOTE: this parameter is only available in Samba 3.0. +


    The winbind gid parameter specifies the range of group ids that are +allocated by the winbindd daemon. This range of +group ids should have no existing local or nis groups within it as strange +conflicts can occur otherwise. +


    Default: + winbind gid = <empty string> +


    Example: + winbind gid = 10000-20000 +


    +

  • winbind uid +


    NOTE: this parameter is only available in Samba 3.0. +


    The winbind uid parameter specifies the range of user ids that are +allocated by the winbindd daemon. This range of +ids should have no existing local or nis users within it as strange +conflicts can occur otherwise. +


    Default: + winbind uid = <empty string> +


    Example: + winbind uid = 10000-20000


    -

  • valid chars (S) +
  • valid chars (G)


    The option allows you to specify additional characters that should be considered valid by the server in filenames. This is particularly useful for national character sets, such as adding u-umlaut or a-ring. @@ -4630,12 +4769,12 @@ the following


    The last two examples above actually add two characters, and alter the uppercase and lowercase mappings appropriately. -


    Note that you MUST specify this parameter after the "client +


    Note that you MUST specify this parameter after the
    "client code page" parameter if you have both set. If -"client code page" is set after the +"client code page" is set after the "valid chars" parameter the "valid chars" settings will be overwritten. -


    See also the "client code page" parameter. +


    See also the "client code page" parameter.


    Default:

     
    @@ -4658,15 +4797,15 @@ of your Samba source code distribution for this package.
     
  • valid users (S)


    This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are -interpreted using the same rules as described in the "invalid +interpreted using the same rules as described in the "invalid users" parameter.


    If this is empty (the default) then any user can login. If a username -is in both this list and the "invalid users" +is in both this list and the "invalid users" list then access is denied for that user.


    The current servicename is substituted for -"%S". This is useful in the -[homes] section. -


    See also "invalid users". +"%S". This is useful in the +[homes] section. +


    See also "invalid users".


    Default: No valid users list. (anyone can login)


    Example: @@ -4680,7 +4819,7 @@ can be used to specify multiple files or directories as in DOS wildcards.


    Each entry must be a unix path, not a DOS path and must *not* include the unix directory separator '/'. -


    Note that the "case sensitive" option is +


    Note that the "case sensitive" option is applicable in vetoing files.


    One feature of the veto files parameter that it is important to be aware of, is that if a directory contains nothing but files that match @@ -4691,7 +4830,7 @@ to do so.


    Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned. -


    See also "hide files" and "case +


    See also
    "hide files" and "case sensitive".


    Default: No files or directories are vetoed. @@ -4720,11 +4859,11 @@ sensitive"
    .


  • veto oplock files (S) -


    This parameter is only valid when the "oplocks" +


    This parameter is only valid when the "oplocks" parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the -"veto files" parameter. +"veto files" parameter.


    Default: No files are vetoed for oplock grants.


    Examples: @@ -4732,7 +4871,7 @@ match a wildcarded list, similar to the wildcarded list used in the contended for by clients. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in ".SEM". To cause Samba not to grant oplocks on these -files you would use the line (either in the [global] +files you would use the line (either in the [global] section or in the section for the particular NetBench share :


    veto oplock files = /*.SEM/


    @@ -4818,7 +4957,7 @@ network.

  • workgroup (G)


    This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain -name used with the "security=domain" +name used with the "security=domain" setting.


    Default: set at compile time to WORKGROUP @@ -4826,24 +4965,44 @@ setting. workgroup = MYGROUP


  • writable (S) -


    Synonym for "writeable" for people who can't spell :-). +


    Synonym for "writeable" for people who can't spell :-).


  • write list (S)


    This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be -given write access, no matter what the "read only" +given write access, no matter what the "writeable" option is set to. The list can include group names using the @group syntax.


    Note that if a user is in both the read list and the write list then they will be given write access. -


    See also the "read list" option. +


    See also the "read list" option.


    Default: write list = <empty string>


    Example: write list = admin, root, @staff +


    +

  • write cache size (S) +


    This integer parameter (new with Samba 2.0.7) if set to non-zero causes Samba to create an in-memory +cache for each oplocked file (it does not do this for non-oplocked files). All +writes that the client does not request to be flushed directly to disk will be +stored in this cache if possible. The cache is flushed onto disk when a write +comes in whose offset would not fit into the cache or when the file is closed +by the client. Reads for the file are also served from this cache if the data +is stored within it. +


    This cache allows Samba to batch client writes into a more efficient write +size for RAID disks (ie. writes may be tuned to be the RAID stripe size) and +can improve performance on systems where the disk subsystem is a bottleneck +but there is free memory for userspace programs. +


    The integer parameter specifies the size of this cache (per oplocked file) +in bytes. +


    Default: + write cache size = 0 +


    Example: + write cache size = 262144 +for a 256k cache size per file.


  • write ok (S) -


    Synonym for writeable. +


    Synonym for writeable.


  • write raw (G)


    This parameter controls whether or not the server will support raw @@ -4853,10 +5012,10 @@ need to change this parameter. write raw = yes


  • writeable -


    An inverted synonym is "read only". +


    An inverted synonym is "read only".


    If this parameter is "no", then users of a service may not create or modify files in the service's directory. -


    Note that a printable service ("printable = yes") +


    Note that a printable service ("printable = yes") will *ALWAYS* allow writing to the directory (user privileges permitting), but only via spooling operations.


    Default: @@ -4883,7 +5042,7 @@ service names to eight characters. Smbd
    Use of the
    [homes] and [printers] +


    Use of the [homes] and [printers] special sections make life for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the @@ -4904,7 +5063,7 @@ permissions on spool directories are correct.

    AUTHOR


    The original Samba software and related utilities were created by -Andrew Tridgell samba-bugs@samba.org. Samba is now developed +Andrew Tridgell samba@samba.org. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.


    The original Samba man pages were written by Karl Auer. The man page @@ -4912,7 +5071,7 @@ sources were converted to YODL format (another excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 release by Jeremy Allison. -samba-bugs@samba.org. +samba@samba.org.


    See samba (7) to find out how to get a full list of contributors and details on how to submit bug reports, comments etc. diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index da87331769..ac227d9182 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 @@ -111,7 +111,7 @@ as the default guest user (specified elsewhere): [aprinter] path = /usr/spool/public - read only = true + writeable = false printable = true guest ok = true @@ -201,7 +201,7 @@ make any auto home directories visible\&. .IP This section works like \fB[homes]\fP, but for printers\&. .IP -If a [printers] section occurs in the configuration file, users are +If a \fB[printers]\fP section occurs in the configuration file, users are able to connect to any printer specified in the local host\'s printcap file\&. .IP @@ -211,7 +211,7 @@ scanned\&. If a match is found, it is used\&. If no match is found, but a above\&. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name\&. If a match is -found, a new printer share is created by cloning the [printers] +found, a new printer share is created by cloning the \fB[printers]\fP section\&. .IP A few modifications are then made to the newly created share: @@ -229,11 +229,11 @@ If the share does not permit guest access and no username was given, the username is set to the located printer name\&. .IP .IP -Note that the [printers] service MUST be printable - if you specify +Note that the \fB[printers]\fP service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file\&. .IP Typically the path specified would be that of a world-writeable spool -directory with the sticky bit set on it\&. A typical [printers] entry +directory with the sticky bit set on it\&. A typical \fB[printers]\fP entry would look like this: .IP @@ -242,7 +242,6 @@ would look like this: [printers] path = /usr/spool/public - writeable = no guest ok = yes printable = yes @@ -378,7 +377,7 @@ negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1\&. machine\&. Only some are recognized, and those may not be 100% reliable\&. It currently recognizes Samba, WfWg, WinNT and Win95\&. Anything else will be known as "UNKNOWN"\&. If it gets it wrong -then sending a level 3 log to \fIsamba-bugs@samba\&.org\fP +then sending a level 3 log to \fIsamba@samba\&.org\fP should allow it to be fixed\&. .IP .IP o @@ -542,7 +541,7 @@ parameter for details\&. Note that some are synonyms\&. \fBdebug uid\fP .IP .IP o -\fBdebuglevel\fP +\fBdebug level\fP .IP .IP o \fBdefault\fP @@ -566,9 +565,6 @@ parameter for details\&. Note that some are synonyms\&. \fBdomain admin users\fP .IP .IP o -\fBdomain controller\fP -.IP -.IP o \fBdomain groups\fP .IP .IP o @@ -701,6 +697,9 @@ parameter for details\&. Note that some are synonyms\&. \fBmin passwd length\fP .IP .IP o +\fBmin password length\fP +.IP +.IP o \fBmin wins ttl\fP .IP .IP o @@ -713,6 +712,9 @@ parameter for details\&. Note that some are synonyms\&. \fBnetbios name\fP .IP .IP o +\fBnetbios scope\fP +.IP +.IP o \fBnis homedir\fP .IP .IP o @@ -830,6 +832,9 @@ parameter for details\&. Note that some are synonyms\&. \fBsocket options\fP .IP .IP o +\fBsource environment\fP +.IP +.IP o \fBssl\fP .IP .IP o @@ -887,6 +892,12 @@ parameter for details\&. Note that some are synonyms\&. \fBsyslog only\fP .IP .IP o +\fBtemplate homedir\fP +.IP +.IP o +\fBtemplate shell\fP +.IP +.IP o \fBtime offset\fP .IP .IP o @@ -914,18 +925,30 @@ parameter for details\&. Note that some are synonyms\&. \fBusername map\fP .IP .IP o +\fButmp directory\fP +.IP +.IP o \fBvalid chars\fP .IP .IP o -\fBwins proxy\fP +\fBwinbind cache time\fP .IP .IP o -\fBwins server\fP +\fBwinbind gid\fP +.IP +.IP o +\fBwinbind uid\fP .IP .IP o \fBwins hook\fP .IP .IP o +\fBwins proxy\fP +.IP +.IP o +\fBwins server\fP +.IP +.IP o \fBwins support\fP .IP .IP o @@ -1074,6 +1097,9 @@ parameter for details\&. Note that some are synonyms\&. \fBinclude\fP .IP .IP o +\fBinherit permissions\fP +.IP +.IP o \fBinvalid users\fP .IP .IP o @@ -1137,10 +1163,10 @@ parameter for details\&. Note that some are synonyms\&. \fBonly user\fP .IP .IP o -\fBoplocks\fP +\fBoplock contention limit\fP .IP .IP o -\fBoplock contention limit\fP +\fBoplocks\fP .IP .IP o \fBpath\fP @@ -1209,10 +1235,10 @@ parameter for details\&. Note that some are synonyms\&. \fBroot preexec\fP .IP .IP o -\fBsecurity mask\fP +\fBroot preexec close\fP .IP .IP o -\fBroot preexec close\fP +\fBsecurity mask\fP .IP .IP o \fBset directory\fP @@ -1245,6 +1271,9 @@ parameter for details\&. Note that some are synonyms\&. \fBusers\fP .IP .IP o +\fButmp\fP +.IP +.IP o \fBvalid users\fP .IP .IP o @@ -1263,6 +1292,9 @@ parameter for details\&. Note that some are synonyms\&. \fBwritable\fP .IP .IP o +\fBwrite cache size\fP +.IP +.IP o \fBwrite list\fP .IP .IP o @@ -1545,11 +1577,11 @@ shares in a net view and in the browse list\&. \fBExample:\fP \f(CW browseable = No\fP .IP -.IP "\fBcase sensitive (G)\fP" +.IP "\fBcase sensitive (S)\fP" .IP See the discussion in the section \fBNAME MANGLING\fP\&. .IP -.IP "\fBcasesignames (G)\fP" +.IP "\fBcasesignames (S)\fP" .IP Synonym for \fB"case sensitive"\fP\&. .IP @@ -1820,6 +1852,7 @@ See also the \fB"force create mode"\fP parameter for forcing particular mode bits to be set on created files\&. See also the \fB"directory mode"\fP parameter for masking mode bits on created directories\&. +See also the \fB"inherit permissions"\fP parameter\&. .IP \fBDefault:\fP \f(CW create mask = 0744\fP @@ -1875,7 +1908,7 @@ must be on for this to have an effect\&. .IP Samba2\&.0 debug log messages are timestamped by default\&. If you are running at a high \fB"debug level"\fP these timestamps -can be distracting\&. This boolean parameter allows them to be turned +can be distracting\&. This boolean parameter allows timestamping to be turned off\&. .IP \fBDefault:\fP @@ -2163,6 +2196,8 @@ See also the \fB"create mode"\fP parameter for masking mode bits on created files, and the \fB"directory security mask"\fP parameter\&. .IP +See also the \fB"inherit permissions"\fP parameter\&. +.IP \fBDefault:\fP \f(CW directory mask = 0755\fP .IP @@ -2243,12 +2278,6 @@ Samba NT Domain Controller functionality please subscribe to the mailing list \fBSamba-ntdom\fP available by sending email to \fIlistproc@samba\&.org\fP .IP -.IP "\fBdomain controller (G)\fP" -.IP -This is a \fBDEPRECATED\fP parameter\&. It is currently not used within -the Samba source and should be removed from all current smb\&.conf -files\&. It is left behind for compatibility reasons\&. -.IP .IP "\fBdomain groups (G)\fP" .IP This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished @@ -2474,14 +2503,17 @@ symbolic links) by default\&. .IP "\fBforce create mode (S)\fP" .IP This parameter specifies a set of UNIX mode bit permissions that will -\fI*always*\fP be set on a file created by Samba\&. This is done by -bitwise \'OR\'ing these bits onto the mode bits of a file that is being -created\&. The default for this parameter is (in octal) 000\&. The modes -in this parameter are bitwise \'OR\'ed onto the file mode after the mask -set in the \fB"create mask"\fP parameter is applied\&. +\fI*always*\fP be set on a file by Samba\&. This is done by bitwise +\'OR\'ing these bits onto the mode bits of a file that is being created +or having its permissions changed\&. The default for this parameter is +(in octal) 000\&. The modes in this parameter are bitwise \'OR\'ed onto +the file mode after the mask set in the \fB"create +mask"\fP parameter is applied\&. .IP See also the parameter \fB"create mask"\fP for details -on masking mode bits on created files\&. +on masking mode bits on files\&. +.IP +See also the \fB"inherit permissions"\fP parameter\&. .IP \fBDefault:\fP \f(CW force create mode = 000\fP @@ -2506,6 +2538,8 @@ operation is done after the mode mask in the parameter See also the parameter \fB"directory mask"\fP for details on masking mode bits on created directories\&. .IP +See also the \fB"inherit permissions"\fP parameter\&. +.IP \fBDefault:\fP \f(CW force directory mode = 000\fP .IP @@ -2906,6 +2940,41 @@ is included literally, as though typed in place\&. It takes the standard substitutions, except \fB%u\fP, \fB%P\fP and \fB%S\fP\&. .IP +.IP "\fBinherit permissions (S)\fP" +.IP +The permissions on new files and directories are normally governed by +\fB"create mask"\fP, +\fB"directory mask"\fP, +\fB"force create mode"\fP and +\fB"force directory mode"\fP +but the boolean inherit permissions parameter overrides this\&. +.IP +New directories inherit the mode of the parent directory, +including bits such as setgid\&. +.IP +New files inherit their read/write bits from the parent directory\&. +Their execute bits continue to be determined by +\fB"map archive"\fP, +\fB"map hidden"\fP and +\fB"map system"\fP as usual\&. +.IP +Note that the setuid bit is *never* set via inheritance +(the code explicitly prohibits this)\&. +.IP +This can be particularly useful on large systems with many users, +perhaps several thousand, +to allow a single \fB[homes]\fP share to be used flexibly by each user\&. +.IP +See also \fB"create mask"\fP, \fB"directory mask"\fP, +\fB"force create mode"\fP and +\fB"force directory mode"\fP\&. +.IP +\fBDefault\fP +\f(CW inherit permissions = no\fP +.IP +\fBExample\fP +\f(CW inherit permissions = yes\fP +.IP .IP "\fBinterfaces (G)\fP" .IP This option allows you to override the default network interfaces list @@ -2921,10 +2990,13 @@ any of the following forms: a network interface name (such as eth0)\&. This may include shell-like wildcards so eth* will match any interface starting with the substring "eth" -if() a IP address\&. In this case the netmask is determined +.IP o +an IP address\&. In this case the netmask is determined from the list of interfaces obtained from the kernel -if() a IP/mask pair\&. -if() a broadcast/mask pair\&. +.IP o +an IP/mask pair\&. +.IP o +a broadcast/mask pair\&. .IP The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decmal form\&. @@ -3106,7 +3178,7 @@ for an entry in the LDAP password database\&. .IP "\fBlevel2 oplocks (S)\fP" .IP This parameter (new in Samba 2\&.0\&.5) controls whether Samba supports -level2 (read-only) oplocks on a share\&. In Samba 2\&.0\&.4 this parameter +level2 (read-only) oplocks on a share\&. In Samba 2\&.0\&.5 this parameter defaults to "False" as the code is new, but will default to "True" in a later release\&. .IP @@ -3291,6 +3363,22 @@ from a command prompt, for example\&. This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&. .IP +This parameter can be used with Win9X workstations to ensure that +roaming profiles are stored in a subdirectory of the user\'s home +directory\&. This is done in the following way: +.IP +\f(CW" logon home = \e\e%L\e%U\eprofile"\fP +.IP +This tells Samba to return the above string, with substitutions made +when a client requests the info, generally in a NetUserGetInfo request\&. +Win9X clients truncate the info to \e\eserver\eshare when a user does \f(CW"net use /home"\fP, +but use the whole string when dealing with profiles\&. +.IP +Note that in prior versions of Samba, the \f(CW"logon path"\fP was returned rather than +\f(CW"logon home"\fP\&. This broke \f(CW"net use /home"\fP but allowed profiles outside the +home directory\&. The current implementation is correct, and can be used for profiles +if you use the above trick\&. +.IP Note that this option is only useful if Samba is set up as a \fBlogon server\fP\&. .IP @@ -3303,24 +3391,27 @@ Note that this option is only useful if Samba is set up as a .IP "\fBlogon path (G)\fP" .IP This parameter specifies the home directory where roaming profiles -(USER\&.DAT / USER\&.MAN files for Windows 95/98) are stored\&. +(NTuser\&.dat etc files for Windows NT) are stored\&. Contrary to previous +versions of these manual pages, it has nothing to do with Win 9X roaming +profiles\&. To find out how to handle roaming profiles for Win 9X system, see +the \f(CW"logon home"\fP parameter\&. .IP This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&. It also specifies -the directory from which the \f(CW"desktop"\fP, \f(CW"start menu"\fP, -\f(CW"network neighborhood"\fP and \f(CW"programs"\fP folders, and their -contents, are loaded and displayed on your Windows 95/98 client\&. +the directory from which the \f(CW"application data"\fP, (\f(CW"desktop"\fP, \f(CW"start menu"\fP, +\f(CW"network neighborhood"\fP, \f(CW"programs"\fP and other folders, and their +contents, are loaded and displayed on your Windows NT client\&. .IP The share and the path must be readable by the user for the -preferences and directories to be loaded onto the Windows 95/98 +preferences and directories to be loaded onto the Windows NT client\&. The share must be writeable when the logs in for the first -time, in order that the Windows 95/98 client can create the user\&.dat +time, in order that the Windows NT client can create the NTuser\&.dat and other directories\&. .IP Thereafter, the directories and any of the contents can, if required, be -made read-only\&. It is not advisable that the USER\&.DAT file be made -read-only - rename it to USER\&.MAN to achieve the desired effect (a -\fIMAN\fPdatory profile)\&. +made read-only\&. It is not advisable that the NTuser\&.dat file be made +read-only - rename it to NTuser\&.man to achieve the desired effect (a +\fIMAN\fPdatory profile)\&. .IP Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in\&. Therefore, it is vital @@ -3912,7 +4003,7 @@ so you should never need to touch this parameter\&. .IP .IP "\fBmax packet (G)\fP" .IP -Synonym for (packetsize)\&. +Synonym for \fB"packet size"\fP\&. .IP .IP "\fBmax ttl (G)\fP" .IP @@ -4027,6 +4118,10 @@ See also the \fBprinting\fP parameter\&. .IP .IP "\fBmin passwd length (G)\fP" .IP +Synonym for \fB"min password length"\fP\&. +.IP +.IP "\fBmin password length (G)\fP" +.IP This option sets the minimum length in characters of a plaintext password than smbd will accept when performing UNIX password changing\&. .IP @@ -4035,7 +4130,7 @@ See also \fB"unix password sync"\fP, debug"\fP\&. .IP \fBDefault:\fP -\f(CW min passwd length = 5\fP +\f(CW min password length = 5\fP .IP .IP "\fBmin wins ttl (G)\fP" .IP @@ -4129,6 +4224,11 @@ See also \fB"netbios aliases"\fP\&. \fBExample:\fP \f(CW netbios name = MYNAME\fP .IP +.IP "\fBnetbios scope (G)\fP" +.IP +This sets the NetBIOS scope that Samba will operate under\&. This should +not be set unless every machine on your LAN also sets this value\&. +.IP .IP "\fBnis homedir (G)\fP" .IP Get the home share server from a NIS map\&. For UNIX systems that use an @@ -4326,7 +4426,7 @@ docs/ directory for details\&. .IP .IP "\fBpacket size (G)\fP" .IP -This is a deprecated parameter that how no effect on the current +This is a deprecated parameter that has no effect on the current Samba code\&. It is left in the parameter list to prevent breaking old \fBsmb\&.conf\fP files\&. .IP @@ -4732,16 +4832,11 @@ command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files\&. .IP The print command is simply a text string\&. It will be used verbatim, -with two exceptions: All occurrences of \f(CW"%s"\fP will be replaced by -the appropriate spool file name, and all occurrences of \f(CW"%p"\fP will -be replaced by the appropriate printer name\&. The spool file name is -generated automatically by the server, the printer name is discussed -below\&. -.IP -The full path name will be used for the filename if \f(CW"%s"\fP is not -preceded by a \f(CW\'/\'\fP\&. If you don\'t like this (it can stuff up some -lpq output) then use \f(CW"%f"\fP instead\&. Any occurrences of \f(CW"%f"\fP get -replaced by the spool filename without the full path at the front\&. +with two exceptions: All occurrences of \f(CW"%s"\fP and \f(CW"%f"\fP will be +replaced by the appropriate spool file name, and all occurrences of +\f(CW"%p"\fP will be replaced by the appropriate printer name\&. The spool +file name is generated automatically by the server, the printer name +is discussed below\&. .IP The print command \fIMUST\fP contain at least one occurrence of \f(CW"%s"\fP or \f(CW"%f"\fP - the \f(CW"%p"\fP is optional\&. At the time a job is @@ -4797,7 +4892,7 @@ submit spool files on the directory specified for the service\&. .IP Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data\&. The -\fB"read only"\fP parameter controls only non-printing +\fB"writeable"\fP parameter controls only non-printing access to the resource\&. .IP \fBDefault:\fP @@ -4917,7 +5012,7 @@ find the printer driver files for the automatic installation of drivers for Windows 95 machines\&. If Samba is set up to serve printer drivers to Windows 95 machines, this should be set to .IP -\f(CW\e\eMACHINE\eaPRINTER$\fP +\f(CW\e\eMACHINE\ePRINTER$\fP .IP Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ is a share you set up for serving printer driver files\&. For more @@ -4939,20 +5034,21 @@ Synonym for \fBprinter\fP\&. .IP "\fBprinting (S)\fP" .IP This parameters controls how printer status information is interpreted -on your system, and also affects the default values for the +on your system\&. It also affects the default values for the \fB"print command"\fP, \fB"lpq command"\fP \fB"lppause command"\fP, \fB"lpresume command"\fP, and \fB"lprm -command"\fP\&. +command"\fP if specified in the \fB[global]\fP +section\&. .IP Currently eight printing styles are supported\&. They are -\fB"printing=BSD"\fP, \fB"printing=AIX"\fP, \fB"printing=LPRNG"\fP, -\fB"printing=PLP"\fP, -\fB"printing=SYSV"\fP,\fB"printing="HPUX"\fP,\fB"printing=QNX"\fP and -\fB"printing=SOFTQ"\fP\&. +\fB"printing=BSD"\fP, \fB"printing=AIX"\fP, +\fB"printing=LPRNG"\fP, \fB"printing=PLP"\fP, \fB"printing=SYSV"\fP, +\fB"printing="HPUX"\fP, \fB"printing=QNX"\fP, \fB"printing=SOFTQ"\fP, +and \fB"printing=CUPS"\fP\&. .IP To see what the defaults are for the other print commands when using -these three options use the \fB"testparm"\fP program\&. +the various options use the \fB"testparm"\fP program\&. .IP This option can be set on a per printer basis .IP @@ -5061,7 +5157,7 @@ read bmpx = No .IP This is a list of users that are given read-only access to a service\&. If the connecting user is in this list then they will not be -given write access, no matter what the \fB"read only"\fP +given write access, no matter what the \fB"writeable"\fP option is set to\&. The list can include group names using the syntax described in the \fB"invalid users"\fP parameter\&. .IP @@ -5077,10 +5173,7 @@ the \fB"invalid users"\fP parameter\&. .IP "\fBread only (S)\fP" .IP Note that this is an inverted synonym for -\fB"writeable"\fP and \fB"write ok"\fP\&. -.IP -See also \fB"writeable"\fP and \fB"write -ok"\fP\&. +\fB"writeable"\fP\&. .IP .IP "\fBread prediction (G)\fP" .IP @@ -5643,7 +5736,7 @@ smaller size, reducing by a factor of 0\&.8 until the OS accepts it\&. \fBExample:\fP \f(CW shared mem size = 5242880 ; Set to 5mb for a large number of files\&.\fP .IP -.IP "\fBshort preserve case (G)\fP" +.IP "\fBshort preserve case (S)\fP" .IP This boolean parameter controls if new files which conform to 8\&.3 syntax, that is all in upper case and of suitable length, are created @@ -5714,7 +5807,7 @@ You may find that on some systems Samba will say "Unknown socket option" when you supply an option\&. This means you either incorrectly typed it or you need to add an include file to includes\&.h for your OS\&. If the latter is the case please send the patch to -\fIsamba-bugs@samba\&.org\fP\&. +\fIsamba@samba\&.org\fP\&. .IP Any of the supported socket options may be combined in any way you like, as long as your OS allows it\&. @@ -5782,6 +5875,34 @@ completely\&. Use these options with caution! \fBExample:\fP \f(CW socket options = IPTOS_LOWDELAY\fP .IP +.IP "\fBsource environment (G)\fP" +.IP +This parameter causes Samba to set environment variables as per the +content of the file named\&. +.IP +The file \fBmust\fP be owned by root and not world writable in order +to be read (this is a security check)\&. +.IP +If the value of this parameter starts with a "|" character then Samba will +treat that value as a pipe command to open and will set the environment +variables from the oput of the pipe\&. This command must not be world writable +and must reside in a directory that is not world writable\&. +.IP +The contents of the file or the output of the pipe should be formatted +as the output of the standard Unix env(1) command\&. This is of the form : +.IP +Example environment entry: +\f(CW SAMBA_NETBIOS_NAME=myhostname \fP +.IP +\fBDefault:\fP +\f(CWNo default value\fP +.IP +\fBExamples:\fP +.IP +\f(CW source environment = |/etc/smb\&.conf\&.sh\fP +.IP +\f(CW source environment = /usr/local/smb_env_vars\fP +.IP .IP "\fBssl (G)\fP" .IP This variable is part of SSL-enabled Samba\&. This is only available if @@ -6157,6 +6278,30 @@ system syslog only, and not to the debug log files\&. \fBDefault:\fP \f(CW syslog only = no\fP .IP +.IP "\fBtemplate homedir (G)\fP" +.IP +NOTE: this parameter is only available in Samba 3\&.0\&. +.IP +When filling out the user information for a Windows NT user, the +\fBwinbindd\fP daemon uses this parameter to fill in +the home directory for that user\&. If the string \f(CW%D\fP is present it is +substituted with the user\'s Windows NT domain name\&. If the string \f(CW%U\fP +is present it is substituted with the user\'s Windows NT user name\&. +.IP +\fBDefault:\fP +\f(CW template homedir = /home/%D/%U\fP +.IP +.IP "\fBtemplate shell (G)\fP" +.IP +NOTE: this parameter is only available in Samba 3\&.0\&. +.IP +When filling out the user information for a Windows NT user, the +\fBwinbindd\fP daemon uses this parameter to fill in +the login shell for that user\&. +.IP +\fBDefault:\fP +\f(CW template shell = /bin/false\fP +.IP .IP "\fBtime offset (G)\fP" .IP This parameter is a setting in minutes to add to the normal GMT to @@ -6183,15 +6328,7 @@ itself as a time server to Windows clients\&. The default is False\&. .IP .IP "\fBtimestamp logs (G)\fP" .IP -Samba2\&.0 will a timestamps to all log entries by default\&. This -can be distracting if you are attempting to debug a problem\&. This -parameter allows the timestamping to be turned off\&. -.IP -\fBDefault:\fP -\f(CW timestamp logs = True\fP -.IP -\fBExample:\fP -\f(CW timestamp logs = False\fP +Synonym for \fB"debug timestamp"\fP\&. .IP .IP "\fBunix password sync (G)\fP" .IP @@ -6457,7 +6594,79 @@ print job\&. \fBExample:\fP \f(CW username map = /usr/local/samba/lib/users\&.map\fP .IP -.IP "\fBvalid chars (S)\fP" +.IP "\fButmp (S)\fP" +.IP +This boolean parameter is only available if Samba has been configured and compiled +with the option \f(CW--with-utmp\fP\&. If set to True then Samba will attempt +to add utmp or utmpx records (depending on the UNIX system) whenever a +connection is made to a Samba server\&. Sites may use this to record the +user connecting to a Samba share\&. +.IP +See also the \fB"utmp directory"\fP parameter\&. +.IP +\fBDefault:\fP +\f(CWutmp = False\fP +.IP +\fBExample:\fP +\f(CWutmp = True\fP +.IP +.IP "\fButmp directory(G)\fP" +.IP +This parameter is only available if Samba has been configured and compiled +with the option \f(CW--with-utmp\fP\&. It specifies a directory pathname that is +used to store the utmp or utmpx files (depending on the UNIX system) that +record user connections to a Samba server\&. See also the \fB"utmp"\fP +parameter\&. By default this is not set, meaning the system will use whatever +utmp file the native system is set to use (usually /var/run/utmp on Linux)\&. +.IP +\fBDefault:\fP +\f(CWno utmp directory\fP +.IP +\fBExample:\fP +\f(CWutmp directory = /var/adm/\fP +.IP +.IP "winbind cache time" +.IP +NOTE: this parameter is only available in Samba 3\&.0\&. +.IP +This parameter specifies the number of seconds the +\fBwinbindd\fP daemon will cache user and group +information before querying a Windows NT server again\&. +.IP +\fBDefault:\fP +\f(CW winbind cache type = 15\fP +.IP +.IP "winbind gid" +.IP +NOTE: this parameter is only available in Samba 3\&.0\&. +.IP +The winbind gid parameter specifies the range of group ids that are +allocated by the \fBwinbindd\fP daemon\&. This range of +group ids should have no existing local or nis groups within it as strange +conflicts can occur otherwise\&. +.IP +\fBDefault:\fP +\f(CW winbind gid = \fP +.IP +\fBExample:\fP +\f(CW winbind gid = 10000-20000\fP +.IP +.IP "winbind uid" +.IP +NOTE: this parameter is only available in Samba 3\&.0\&. +.IP +The winbind uid parameter specifies the range of user ids that are +allocated by the \fBwinbindd\fP daemon\&. This range of +ids should have no existing local or nis users within it as strange +conflicts can occur otherwise\&. +.IP +\fBDefault:\fP +\f(CW winbind uid = \fP +.IP +\fBExample:\fP +\f(CW winbind uid = 10000-20000\fP +.IP +.IP "\fBvalid chars (G)\fP" .IP The option allows you to specify additional characters that should be considered valid by the server in filenames\&. This is particularly @@ -6759,7 +6968,7 @@ Synonym for \fB"writeable"\fP for people who can\'t spell :-)\&. .IP This is a list of users that are given read-write access to a service\&. If the connecting user is in this list then they will be -given write access, no matter what the \fB"read only"\fP +given write access, no matter what the \fB"writeable"\fP option is set to\&. The list can include group names using the @group syntax\&. .IP @@ -6774,6 +6983,31 @@ See also the \fB"read list"\fP option\&. \fBExample:\fP \f(CW write list = admin, root, @staff\fP .IP +.IP "\fBwrite cache size (S)\fP" +.IP +This integer parameter (new with Samba 2\&.0\&.7) if set to non-zero causes Samba to create an in-memory +cache for each oplocked file (it does \fBnot\fP do this for non-oplocked files)\&. All +writes that the client does not request to be flushed directly to disk will be +stored in this cache if possible\&. The cache is flushed onto disk when a write +comes in whose offset would not fit into the cache or when the file is closed +by the client\&. Reads for the file are also served from this cache if the data +is stored within it\&. +.IP +This cache allows Samba to batch client writes into a more efficient write +size for RAID disks (ie\&. writes may be tuned to be the RAID stripe size) and +can improve performance on systems where the disk subsystem is a bottleneck +but there is free memory for userspace programs\&. +.IP +The integer parameter specifies the size of this cache (per oplocked file) +in bytes\&. +.IP +\fBDefault:\fP +\f(CW write cache size = 0\fP +.IP +\fBExample:\fP +\f(CW write cache size = 262144\fP +for a 256k cache size per file\&. +.IP .IP "\fBwrite ok (S)\fP" .IP Synonym for \fBwriteable\fP\&. @@ -6849,7 +7083,7 @@ This man page is correct for version 2\&.0 of the Samba suite\&. .SH "AUTHOR" .PP The original Samba software and related utilities were created by -Andrew Tridgell \fIsamba-bugs@samba\&.org\fP\&. Samba is now developed +Andrew Tridgell \fIsamba@samba\&.org\fP\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. .PP @@ -6858,7 +7092,7 @@ sources were converted to YODL format (another excellent piece of Open Source software, available at \fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) and updated for the Samba2\&.0 release by Jeremy Allison\&. -\fIsamba-bugs@samba\&.org\fP\&. +\fIsamba@samba\&.org\fP\&. .PP See \fBsamba (7)\fP to find out how to get a full list of contributors and details on how to submit bug reports, diff --git a/docs/yodldocs/smb.conf.5.yo b/docs/yodldocs/smb.conf.5.yo index 8983c26880..dc26764d8f 100644 --- a/docs/yodldocs/smb.conf.5.yo +++ b/docs/yodldocs/smb.conf.5.yo @@ -4880,10 +4880,10 @@ command"))(lprmcommand) if specified in the link(bf([global]))(global) section. Currently eight printing styles are supported. They are -bf("printing=BSD"), bf("printing=AIX"), bf("printing=LPRNG"), -bf("printing=PLP"), -bf("printing=SYSV"),bf("printing="HPUX"),bf("printing=QNX") and -bf("printing=SOFTQ"). +bf("printing=BSD"), bf("printing=AIX"), +bf("printing=LPRNG"), bf("printing=PLP"), bf("printing=SYSV"), +bf("printing="HPUX"), bf("printing=QNX"), bf("printing=SOFTQ"), +and bf("printing=CUPS"). To see what the defaults are for the other print commands when using the various options use the url(bf("testparm"))(testparm.1.html) program. -- cgit