From 49cd711d49a321de8eeb9ab3720c1357089059b8 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Thu, 3 Oct 2002 18:10:16 +0000
Subject: Fix links in html versions of manpages

(This used to be commit e0632a7752f123859290140b5fc190fee0da8484)
---
 docs/docbook/Makefile.in | 2 +-
 docs/htmldocs/findsmb.1.html | 20 +-
 docs/htmldocs/lmhosts.5.html | 24 +-
 docs/htmldocs/make_smbcodepage.1.html | 15 +-
 docs/htmldocs/make_unicodemap.1.html | 11 +-
 docs/htmldocs/net.8.html | 29 +-
 docs/htmldocs/nmbd.8.html | 90 +-
 docs/htmldocs/nmblookup.1.html | 37 +-
 docs/htmldocs/pdbedit.8.html | 132 +-
 docs/htmldocs/rpcclient.1.html | 129 +-
 docs/htmldocs/samba.7.html | 65 +-
 docs/htmldocs/smb.conf.5.html | 2256 ++++++++++++++++++++-------------
 docs/htmldocs/smbcacls.1.html | 102 +-
 docs/htmldocs/smbclient.1.html | 148 ++-
 docs/htmldocs/smbcontrol.1.html | 9 +-
 docs/htmldocs/smbd.8.html | 51 +-
 docs/htmldocs/smbgroupedit.8.html | 95 +-
 docs/htmldocs/smbmnt.8.html | 9 +-
 docs/htmldocs/smbmount.8.html | 68 +-
 docs/htmldocs/smbpasswd.5.html | 87 +-
 docs/htmldocs/smbpasswd.8.html | 83 +-
 docs/htmldocs/smbsh.1.html | 32 +-
 docs/htmldocs/smbspool.8.html | 21 +-
 docs/htmldocs/smbstatus.1.html | 50 +-
 docs/htmldocs/smbtar.1.html | 21 +-
 docs/htmldocs/smbumount.8.html | 7 +-
 docs/htmldocs/swat.8.html | 21 +-
 docs/htmldocs/testparm.1.html | 43 +-
 docs/htmldocs/testprns.1.html | 11 +-
 docs/htmldocs/wbinfo.1.html | 7 +-
 docs/htmldocs/winbindd.8.html | 386 ++----
 31 files changed, 2232 insertions(+), 1829 deletions(-)
(limited to 'docs')

diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index fb81c8528f..1ac71e452b 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in @@ -119,7 +119,7 @@ $(HTMLDIR)/Samba-Developers-Guide.html: $(DEVDOC)/dev-doc.sgml $(HTMLDIR)/%.html: $(MANPROJDOC)/%.sgml - $(DOCBOOK2HTML) -o $(HTMLDIR) $< + $(DOCBOOK2HTML) -u -o $(HTMLDIR) $< $(MANDIR)/%: $(MANPROJDOC)/%.sgml $(DOCBOOK2MAN) -o $(MANDIR) $< || rm $@ 
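Review bot: The `$(HTMLDIR)/%.html` rule gains `-u` but, unlike the `$(MANDIR)/%` rule directly below it, still has no `|| rm $@` on failure, so a failed or interrupted `$(DOCBOOK2HTML)` run can leave a partial HTML file behind that make will then treat as up to date. Consider adding the same cleanup to the HTML rule, and a one-line comment above it saying why `-u` is needed for the links, since the flag's purpose cannot be read off the Makefile alone.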
diff --git a/docs/htmldocs/findsmb.1.html b/docs/htmldocs/findsmb.1.html index 2f246d666d..08fffb47b6 100644 --- a/docs/htmldocs/findsmb.1.html +++ b/docs/htmldocs/findsmb.1.html @@ -1,10 +1,11 @@ + findsmb

findsmb

findsmb
-B option

option.

For example running For example, running findsmb on a machine @@ -165,12 +166,6 @@ CLASS="COMMAND" >nmbd running would yield output similar to the following

lmhosts

lmhosts

lmhosts
lmhosts is the is the Samba - NetBIOS name to IP address mapping file. It is very similar to the

An example follows :

#
@@ -119,9 +118,6 @@ CLASS="PROGRAMLISTING"
 192.9.200.20	NTSERVER#20
 192.9.200.21	SAMBASERVER
 	

Contains three IP to NetBIOS name mappings. The first diff --git a/docs/htmldocs/make_smbcodepage.1.html b/docs/htmldocs/make_smbcodepage.1.html index 8e792e3122..4c2ad993ae 100644 --- a/docs/htmldocs/make_smbcodepage.1.html +++ b/docs/htmldocs/make_smbcodepage.1.html @@ -1,10 +1,11 @@ + make_smbcodepage

make_smbcodepage

make_smbcodepage
c case this will be a text +> case, this will be a text codepage definition file such as the ones found in the Samba d case this will be the +> case, this will be the binary format codepage definition file normally found in the

codepage_def.<codepage>codepage_def.<codepage>

These are the input (text) codepage files provided in the @@ -259,7 +260,7 @@ CLASS="COMMAND" >

codepage.<codepage>codepage.<codepage> - These are the output (binary) codepage files produced and placed in the Samba destination make_unicodemap

make_unicodemap

make_unicodemap

CP<codepage>.TXTCP<codepage>.TXT

These are the input (text) unicode map files provided @@ -176,7 +177,7 @@ CLASS="PARAMETER" >

unicode_map.<codepage>unicode_map.<codepage> - These are the output (binary) unicode map files produced and placed in the Samba destination + net

net

net

Synopsis

net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-C comment] [-M maxusers] [-F flags] [-j jobid] [-l] [-r] [-f] [-t timeout] [-P] [-D debuglevel]

{<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-C comment] [-M maxusers] [-F flags] [-j jobid] [-l] [-r] [-f] [-t timeout] [-P] [-D debuglevel]

USER DELETE <name> [misc options]
USER DELETE <name> [misc options]

delete specified user

USER INFO <name> [misc options]
USER INFO <name> [misc options]

list the domain groups of the specified user

USER ADD <name> [password] [-F user flags] [misc. options
USER ADD <name> [password] [-F user flags] [misc. options

Add specified user @@ -331,14 +334,14 @@ CLASS="VARIABLELIST"

GROUP DELETE <name> [misc. options] [targets]
GROUP DELETE <name> [misc. options] [targets]

Delete specified group

GROUP ADD <name> [-C comment]
GROUP ADD <name> [-C comment]

Create specified group @@ -352,14 +355,14 @@ CLASS="VARIABLELIST"

SHARE ADD <name=serverpath> [misc. options] [targets]
SHARE ADD <name=serverpath> [misc. options] [targets]

Adds a share from a server (makes the export active)

SHARE DELETE <sharenam
SHARE DELETE <sharenam

nmbd

nmbd

nmbd
.

-H <filename>
-H <filename>

NetBIOS lmhosts file. The lmhosts @@ -204,16 +209,24 @@ CLASS="FILENAME" > to resolve any NetBIOS name queries needed by the server. Note - that the contents of this file are NOTNOT used by nmbd to answer any name queries. Adding a line to this file affects name NetBIOS resolution - from this host ONLYONLY.

The default path to this file is compiled into @@ -229,15 +242,16 @@ CLASS="FILENAME" /etc/lmhosts. See the . See the + lmhosts(5) man page for details on the - contents of this file.

+ man page for details on the contents of this file.

-V
.

-d <debug level>
-d <debug level>

debuglevel is an integer @@ -281,21 +295,21 @@ HREF="smb.conf.5.html" TARGET="_top" > smb.conf smb.conf(5) file.

-l <log directory>
-l <log directory>

The -l parameter specifies a directory into which the "log.nmbd" log file will be created - for operational data from the running - nmbd server. The default log directory is compiled into Samba +> + server. The default log directory is compiled into Samba as part of the build process. Common defaults are /usr/local/samba/var/log.nmb/var/log/log.nmb. Beware:. Beware: If the directory specified does not exist,

-n <primary NetBIOS name>
-n <primary NetBIOS name>

This option allows you to override @@ -342,7 +360,7 @@ CLASS="FILENAME" >.

-p <UDP port number>
-p <UDP port number>

UDP port number is a positive integer value. @@ -355,7 +373,7 @@ CLASS="COMMAND" won't need help!

-s <configuration file>
-s <configuration file>

The default configuration file name @@ -505,8 +523,12 @@ CLASS="FILENAME" >If nmbd is acting as a browse master is acting as a browse master (see the nmbd process it is recommended - that SIGKILL (-9) NOTNOT be used, except as a last resort, as this may leave the name database in an inconsistent state. The correct way to terminate nmblookup

nmblookup

nmblookup
-B <broadcast address>
-B <broadcast address>

Send the query to the given broadcast address. Without @@ -179,7 +180,7 @@ CLASS="FILENAME"

-U <unicast address>
-U <unicast address>

Do a unicast query to the specified address or @@ -198,7 +199,7 @@ CLASS="PARAMETER" query a WINS server.

-d <debuglevel>
-d <debuglevel>

debuglevel is an integer from 0 to 10.

file.

-s <smb.conf>
-s <smb.conf>

This parameter specifies the pathname to @@ -246,7 +247,7 @@ TARGET="_top" the Samba setup on the machine.

-i <scope>
-i <scope>

This specifies a NetBIOS scope that @@ -256,8 +257,12 @@ CLASS="COMMAND" > will use to communicate with when generating NetBIOS names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are - veryvery rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with.

IP address .... NetBIOS nameIP address .... NetBIOS name

pair that is the normal output.

This is the NetBIOS name being queried. Depending upon the previous options this may be a NetBIOS name or IP address. If a NetBIOS name then the different name types may be specified - by appending '#<type>' to the name. This name may also be + by appending '#<type>' to the name. This name may also be '*', which will return all registered names within a broadcast area.

pdbedit

pdbedit

pdbedit

DESCRIPTION

suite.

The pdbedit program is used to manage the users accounts - stored in the sam database and can be run only by root.

The pdbedit tool use the passdb modular interface and is +>The pdbedit tool uses the passdb modular interface and is independent from the kind of users database used (currently there - are smbpasswd, ldap, nis+ and tdb based and more can be addedd + are smbpasswd, ldap, nis+ and tdb based and more can be added without changing the tool).

There are five main ways to use pdbedit: adding a user account, @@ -67,7 +68,7 @@ TARGET="_top" >

OPTIONS

-l

This option list all the user accounts +>This option lists all the user accounts present in the users database. This option prints a list of user/uid pairs separated by the ':' character.

pdbedit -l

		sorce:500:Simo Sorce
 		samba:45:Test User
 		

-v

This option sets the verbose listing format. - It will make pdbedit list the users in the database printing +>This option enables the verbose listing format. + It causes pdbedit to list the users in the database, printing out the account fields in a descriptive format.

Example: pdbedit -l -v

		---------------
@@ -146,9 +132,6 @@ CLASS="PROGRAMLISTING"
 		Logon Script:   
 		Profile Path:   \\BERSERKER\profile
 		

This option sets the "smbpasswd" listing format. - It will make pdbedit list the users in the database printing + It will make pdbedit list the users in the database, printing out the account fields in a format compatible with the pdbedit -l -w

		sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX         ]:LCT-00000000:
 		samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX         ]:LCT-3BFA1E8D:
 		

-u username

This option specifies that the username to be - used for the operation requested (listing, adding, removing) - It is requiredThis option specifies the username to be + used for the operation requested (listing, adding, removing). + It is required in add, remove and modify - operations and optionaloptional in list operations.

This option is used to add a user into the - database. This command need the user name be specified with - the -u switch. When adding a new user pdbedit will also - ask for the password to be used

Example: pdbedit -a -u sorce -
new password:
 		retype new password

This option causes pdbedit to delete an account - from the database. It need the username be specified with the + from the database. It needs a username specified with the -u switch.

Example: -i passdb-backend

Use a different passdb backend to retrieve users than the one specified in smb.conf.

Use a different passdb backend to retrieve users + than the one specified in smb.conf. Can be used to import data into + your local user database.

This option will ease migration from one passdb backend to another. -

This option will ease migration from one passdb backend to + another.

Example: pdbedit -i smbpasswd:/etc/smbpasswd.old -e tdbsam:/etc/samba/passwd.tdb -

pdbedit -i smbpasswd:/etc/smbpasswd.old +

-e passdb-backend

Export all currently available users to the specified password database backend.

Exports all currently available users to the + specified password database backend.

This option will ease migration from one passdb backend to another and will ease backupping

This option will ease migration from one passdb backend to + another and will ease backing up.

Example: pdbedit -e smbpasswd:/root/samba-users.backup

-b passdb-backend

Use a different default passdb backend.

Example: pdbedit -b xml:/root/pdb-backup.xml -l

NOTES

VERSION

SEE ALSO

AUTHOR

rpcclient

rpcclient

rpcclient

		username = <value> 
-		password = <value>
-		domain   = <value>
+>		username = <value> 
+		password = <value>
+		domain   = <value>
 		

Make certain that the permissions on the file restrict @@ -187,8 +179,8 @@ CLASS="PARAMETER" '.client' will be appended. The log file is never removed - by the client. +> will be appended. The log file is + never removed by the client.

rpcclient will prompt - for a password. See also the will + prompt for a password. See also the -U option.

+ option.

-s|--conf=smb.conf

Specifies the location of the all important +>Specifies the location of the all-important smb.conf

A third option is to use a credentials file which contains the plaintext of the username and password. This - option is mainly provided for scripts where the admin doesn't - desire to pass the credentials on the command line or via environment + option is mainly provided for scripts where the admin does not + wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the

COMMANDS

LSARPCLSARPC

lookupnames - Resolve s list +> - Resolve a list of usernames to SIDs.

SAMRSAMR

SPOOLSSSPOOLSS

adddriver <arch> <config>adddriver <arch> <config> - Execute an AddPrinterDriver() RPC to install the printer driver information on the server. Note that the driver files should @@ -432,12 +437,6 @@ CLASS="PARAMETER" > parameter is defined as follows:

		Long Printer Name:\
@@ -449,9 +448,6 @@ CLASS="PROGRAMLISTING"
 		Default Data Type:\
 		Comma Separated list of Files
 		

Any empty fields should be enter as the string "NULL".

addprinter <printername> - <sharename> <drivername> <port>addprinter <printername> + <sharename> <drivername> <port> - Add a printer on the remote server. This printer will be automatically shared. Be aware that the printer driver @@ -514,9 +510,9 @@ CLASS="COMMAND" >

enumjobs <printer>enumjobs <printer> - - List the jobs and status of a given printer. + - List the jobs and status of a given printer. This command corresponds to the MS Platform SDK EnumJobs() function (* This command is currently unimplemented).

getdata <printername>getdata <printername> - Retrieve the data for a given printer setting. See the

getdriver <printername>getdriver <printername> - Retrieve the printer driver information (such as driver file, config file, dependent files, etc...) for @@ -582,10 +578,10 @@ CLASS="COMMAND" >

getdriverdir <arch>getdriverdir <arch> - Execute a GetPrinterDriverDirectory() - RPC to retreive the SMB share name and subdirectory for + RPC to retrieve the SMB share name and subdirectory for storing printer driver files for a given architecture. Possible values for

getprinter <printername>getprinter <printername> - Retrieve the current printer information. This command corresponds to the GetPrinter() MS Platform SDK function. @@ -610,7 +606,7 @@ CLASS="COMMAND" >

openprinter <printername>openprinter <printername> - Execute an OpenPrinterEx() and ClosePrinter() RPC against a given printer.

setdriver <printername> <drivername> - - Execute a SetPrinter() command to update the printer driver associated - with an installed printer. The printer driver must already be correctly - installed on the print server.

setdriver <printername> + <drivername> + - Execute a SetPrinter() command to update the printer driver + associated with an installed printer. The printer driver must + already be correctly installed on the print server.

See also the

GENERAL OPTIONSGENERAL OPTIONS

debuglevel - Set the current debug level - used to log information.

- Set the current + debug level used to log information.

  • From Luke Leighton's original rpcclient man page:

    "WARNING!"WARNING! The MSRPC over SMB code has been developed from examining Network traces. No documentation is available from the original creators (Microsoft) on how MSRPC over diff --git a/docs/htmldocs/samba.7.html b/docs/htmldocs/samba.7.html index 6fb9eac578..0851e99bd5 100644 --- a/docs/htmldocs/samba.7.html +++ b/docs/htmldocs/samba.7.html @@ -1,10 +1,11 @@ + samba

    samba

    samba
    The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes - also referred to as the Common Internet File System (CIFS), - LanManager or NetBIOS protocol.

    http://www.ubiqx.org/cifs/
    . Samba also implements the NetBIOS + protocol in nmbd.

    nmbd - daemon provides NetBIOS nameserving and browsing + daemon provides NetBIOS nameservice and browsing support. The configuration file for this daemon is described in printcap>printcap file used by Samba.

  • COMPONENTS

    samba@samba.org

    http://devel.samba.org + for information on how to file a bug report or submit a patch.

    If you require help, visit the Samba webpage at + http://www.samba.org/ and + explore the many option available to you. +

    AVAILABILITY

    VERSION

    CONTRIBUTIONS

    .

    If you have patches to submit or bugs to report - then you may mail them directly to samba-patches@samba.org. - Note, however, that due to the enormous popularity of this - package the Samba Team may take some time to respond to mail. We - prefer patches in If you have patches to submit, visit + http://devel.samba.org/ + for information on how to do it properly. We prefer patches in + diff -u format.

    CONTRIBUTORS

    AUTHOR

    + smb.conf

    smb.conf

    smb.conf

    If you decide to use a If you decide to use a path = line in your [homes] section then you may find it useful to use the %S macro. For example :

    		
     		

    An important point is that if guest access is specified in the [homes] section, all home directories will be - visible to all clients without a password. In the very unlikely event that this is actually desirable, it - would be wise to also specify read only access.

    Note that the Note that the browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as - it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

    All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

    		
     		

    Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify @@ -479,29 +462,44 @@ NAME="AEN102" >parameters define the specific attributes of sections.

    Some parameters are specific to the [global] section - (e.g., security). Some parameters are usable - in all sections (e.g., create mode). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] - sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the - [global] section. The letter S indicates that a parameter can be specified in a service specific - section. Note that all S parameters can also be specified in the [global] section - in which case they will define the default behavior for all services.

    the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have - not compiled Samba with the --with-automount option then this value will be the same as %L.

    controls if names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. - Default no.

    controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed - names. Default no.

    controls what the default case is for new - filenames. Default lower.

    controls if new files are created with the case that the client passes, or if they are forced to be the - "default" case. Default yes.

    yes.

  • abort shutdown script (G)

  • This parameter only exists in the HEAD cvs branch This a full path name to a script called by that should stop a shutdown procedure issued by the

    This command will be run as user.

    Default: Default: None.

    Example: will return an ACCESS_DENIED error to the client.

    See also , ,

    Default: Default: none

    Example:

    This parameter is only used for add file shares. To add printer shares, see the

    See also , .

    Default: Default: none

    Example:

    Default: add machine script = <empty string> +>add machine script = <empty string>

    This is the full pathname to a script that will - be run AS ROOT by smbd to create the required UNIX users - ON DEMAND when a user accesses the Samba server.

    In order to use this option, smbd - must NOT be set to smbd will - call the specified script AS ROOT, expanding any

    See also , ,

    Default: add user script = <empty string> +>add user script = <empty string>

    This is the full pathname to a script that will - be run AS ROOT by

    Default: Default: no admin users

    Example: smbd(8) - AS ROOT. Any

    Synonym for

    This option only takes effect when the

    This is a synonym for the smbd will use when authenticating a user. This option defaults to sensible values based on

    Default: auth methods = <empty string>auth methods = <empty string>

    Example: available = no, then , then ALL attempts to connect to the service will fail. Such failures are logged.

    nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that bind interfaces only is set then - unless the network address 127.0.0.1 is added to the smbpasswd - by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the password change request. If bind interfaces only is set then unless the - network address 127.0.0.1 is added to the nmbd at the address - 127.0.0.1 to determine if they are running. - Not adding 127.0.0.1 will cause smbd

    See the

    See the discussion in the section NAME MANGLING.

    Synonym for case sensitive.

    See also , .

    Default: Default: none

    Example:

    If you want to set the string that is displayed next to the machine name then see the parameter.

    Default: Default: No comment string

    Example:

    Default: Default: no value

    Example:

    A synonym for this parameter is not set here will be removed from the modes set on a file when it is created.

    Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the

    This parameter does not affect directory modes. See the parameter for details.

    See also the parameter for forcing particular mode bits to be set on created files. See also the parameter for masking mode bits on created directories. See also the Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the

    This is a synonym for csc policy (S)

    This stands for This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

    Note that the parameter

    Note that the parameter

    Samba 2.2 debug log messages are timestamped by default. If you are running at a high

    Note that the parameter

    Synonym for

    A synonym for

    See the section on NAME MANGLING. Also note the

    This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba @@ -6599,9 +6681,12 @@ NAME="DEFAULTSERVICE" >

    This parameter specifies the name of a service which will be connected to if the service actually requested cannot - be found. Note that the square brackets are NOT given in the parameter value (see example below).

    Typically the default service would be a ,

    Example:

    [global]
    @@ -6657,9 +6736,6 @@ CLASS="PROGRAMLISTING"
     [pub]
     	path = /%S
     		

    This is the full pathname to a script that will - be run AS ROOT by will return an ACCESS_DENIED error to the client.

    See also , ,

    Default: Default: none

    Example:

    This parameter is only used to remove file shares. To delete printer shares, see the

    See also , .

    Default: Default: none

    Example:

    Default: delete user script = <empty string> +>delete user script = <empty string>

    smbd(8) - AS ROOT. Any This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the

    See also the

    Synonym for

    Note: Your script should Note: Your script should NOT be setuid or setgid and should be owned by (and writeable only by) root!

    Default: Default: By default internal routines for determining the disk capacity and remaining space will be used.

    Example:

    Where the script dfree (which must be made executable) could be:

     
     		#!/bin/sh
     		df $1 | tail -1 | awk '{print $2" "$4}'
     		

    or perhaps (on Sys V based systems):

     
     		#!/bin/sh
     		/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
     		

    Note that you may have to replace the command names @@ -7185,7 +7261,7 @@ NAME="DIRECTORY" >

    Synonym for not set here will be removed from the modes set on a directory when it is created.

    Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the .

    See the

    See also the parameter for masking mode bits on created files, and the parameter.

    Also refer to the

    Synonym for

    Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -7351,7 +7433,7 @@ CLASS="CONSTANT" >.

    See also the , , Be very careful about enabling this parameter.

    See also use client driver

    See also the parameter yes, the Samba server will serve Windows 95/98 Domain logons for the to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given

    If domain logons = yes. Experimentation is the best policy :-)

    Default: Default: none (i.e., all directories are OK to descend)

    Example: program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes

    Default: Default: no enumports command

    Example:

    This is a synonym for

    It is generally much better to use the real

    This parameter specifies a set of UNIX mode bit - permissions that will always be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created or having its @@ -8117,7 +8211,7 @@ CLASS="PARAMETER" parameter is applied.

    See also the parameter for details on masking mode bits on files.

    See also the

    This parameter specifies a set of UNIX mode bit - permissions that will always be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this @@ -8177,7 +8274,7 @@ CLASS="PARAMETER" applied.

    See also the parameter

    See also the

    Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -8242,7 +8342,7 @@ CLASS="EMPHASIS" it set as 0000.

    See also the , ,

    If the .

    See also .

    Default: Default: no forced group

    Example:

    Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. @@ -8386,7 +8492,7 @@ CLASS="EMPHASIS" this set to 0000.

    See also the , ,

    See also

    Default: Default: no forced user

    Example:

    Synonym for

    This is a username which will be used for access to services which are specified as

    Default: Default: specified at compile time, usually "nobody"

    Example: for a service, then no password is required to connect to the service. Privileges will be those of the .

    See the section below on for a service, then only guest connections to the service are permitted. This parameter will have no effect if is not set for the service.

    See the section below on

    See also , and .

    Default: Default: no file are hidden

    Example:

    If

    NOTE :A working NIS client is required on the system for this option to work.

    See also ,

    Default: homedir map = <empty string>homedir map = <empty string>

    Example:

    See also the

    Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a

    You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The - EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

    for a way of testing your host access to see if it does what you expect.

    Default: Default: none (i.e., all hosts permitted access)

    Example: hosts allow - - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the list takes precedence.

    Default: Default: none (i.e., no hosts specifically excluded)

    Example:

    This is not be confused with may be useful for NT clients which will not supply passwords to Samba.

    NOTE : The use of option be only used if you really know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you really trust them :-).

    Default: Default: no host equivalences

    Example: .

    Default: Default: no file included

    Example:

    The permissions on new files and directories are normally governed by , , and New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by , and as usual.

    Note that the setuid bit is Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

    See also , , and

    See also .

    Default: Default: all active interfaces except 127.0.0.1 that are broadcast capable

    This is a list of users that should not be allowed - to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.

    +&group+&group means check the UNIX group database, followed by the NIS netgroup database, and @@ -9524,7 +9675,7 @@ CLASS="PARAMETER" This is useful in the [homes] section.

    See also .

    Default: Default: no invalid users

    Example:

    Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see

    For UNIXes that support kernel based has oplocked. This allows complete data consistency between - SMB/CIFS, NFS and local file access (and is a very cool feature :-).

    See also the and

    Default : Default : none

    Default : ldap filter = (&(uid=%u)(objectclass=sambaAccount))ldap filter = (&(uid=%u)(objectclass=sambaAccount))

    This option is used to define whether or not Samba should use SSL when connecting to the ldap server - This is NOT related to Samba's previous SSL support which was enabled by specifying the ldap suffix (G)

    Default : Default : none

    It specifies where users are added to the tree.

    Default : Default : none

    Default : Default : none

    For more discussions on level2 oplocks see the CIFS spec.

    Currently, if yes). Note also, the

    See also the and .

    See also

    If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the

    See also A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details.

    yes doesn't - mean that Samba will become the local master browser on a subnet, just that nmbd will will participate in elections for local master browser.

    Setting this value to nmbd - never to become a local master browser.

    Default:

    Synonym for This option specifies the directory where lock files will be placed. The lock files are used to implement the The time in microseconds that smbd should pause before attempting to gain a failed lock. See , real locking will be performed by the server.

    This option This option may be useful for read-only - filesystems which may not need locking (such as CDROM drives), although setting this parameter of

    This parameter specifies the local path to which the home directory will be connected (see

    Note that in prior versions of Samba, the Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only - rename it to NTuser.man to - achieve the desired effect (a MANdatory profile).

    The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a This option is only useful if Samba is set up as a logon server.

    Default: Default: no logon script defined

    Example:

    See also the A value of 0 will disable caching completely.

    See also the

    See also the parameter.

    Default: Default: depends on the setting of printing

    Example: This command should be a program or script which takes a printer name and job number to resume the print job. See also the

    See also the

    See also the parameter.

    Default: Default: depends on the setting of

    Example 1:

    If a Samba server is a member of a Windows NT Domain (see the security = domain) parameter) then periodically a running , and the security = domain) parameter.

    This parameter specifies the name of a file which will contain output created by a magic script (see the

    Default: magic output = <magic script name>.out +>magic output = <magic script name>.out

    If the script generates output, output will be sent to the file specified by the Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker. Magic scripts must be executable - as is on the host, which for some hosts and some shells will require filtering at the DOS end.

    Magic scripts are Magic scripts are EXPERIMENTAL and - should NOT be relied upon.

    Default: Default: None. Magic scripts disabled.

    Example:

    See the section on NAME MANGLING

    off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;).

    Default: Default: no mangled map

    Example:

    See the section on NAME MANGLING for details on how to control the mangling process.

    Note that the character to use may be specified using the

    This controls what character is used as - the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set @@ -11517,7 +11734,7 @@ CLASS="PARAMETER" > parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter

    This parameter is only useful in security modes other than - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing @@ -11678,9 +11895,12 @@ HREF="r1.html#GUESTACCOUNT" will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will - hate you if you set the modes other than share. This is because in these modes the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection @@ -11743,7 +11966,7 @@ CLASS="PARAMETER" >

    Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the will remote "Out of Space" to the client. See all LANMAN1: First : First modern version of the protocol. Long filename support.

    See also nmbd(8) when acting as a WINS server (

    See also the xedit, then - removes it afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why I have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover @@ -12225,7 +12454,7 @@ CLASS="PARAMETER" >message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s

    If you don't have a message command then the message @@ -12241,9 +12470,12 @@ CLASS="COMMAND" >message command = rm %s

    Default: Default: no message command

    Example:

    Synonym for

    See also , and

    See also the The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer to the

    If you are viewing this parameter as a security measure, you should also refer to the nmbd(8) when acting as a WINS server (.

    See also wins : Query a name with the IP address listed in the bcast : Do a broadcast on each of the known local interfaces listed in the

    See also .

    Default: Default: empty string (no additional names)

    Example:

    See also .

    Default: Default: machine DNS name

    Example:

    Default: non unix account range = <empty string> +>non unix account range = <empty string>

    list and is only really useful in shave level security.
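    Review bot: "only really useful in shave level security" should read "share level security"; as written, the sentence names a security mode that appears nowhere else on the page. Fix it in the SGML source so the next regeneration of this HTML picks it up.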

    See also the

    A synonym for

    DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

    Default: oplock contention limit (S)

    This is a This is a very advanced to behave in a similar way to Windows NT.

    DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

    Default:

    Oplocks may be selectively turned off on certain files with a share. See the parameter for details.

    See also the and in the local broadcast area.

    Note :By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This @@ -13194,8 +13444,8 @@ NAME="OS2DRIVERMAP" path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:

    <nt driver name> = <os2 driver - name>.<device name>

    <nt driver name> = <os2 driver + name>.<device name>

    For example, a valid entry using the HP LaserJet 5 printer driver would appear as

    Default: os2 driver map = <empty string> +>os2 driver map = <empty string>

    . It should be possible to enable this without changing your

    See also - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the - The TDB based password storage backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the directory.

    See also )

    See also passwd chat (G)

    This string controls the This string controls the "chat" conversation that takes places between smbd(8) uses to determine what to send to the

    Note that this parameter only is only used if the yes. This - sequence is then called AS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master. @@ -13593,7 +13849,7 @@ CLASS="CONSTANT" if the expect string is a full stop then no string is expected.

    If the

    See also , , and

    This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a and should be turned off after this has been done. This option has no effect if the

    See also , ,

    Also note that many passwd programs insist in Also note that many passwd programs insist in reasonable passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.

    Note that if the yes then this program is called then this program is called AS ROOT before the SMB password in the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHS - for ALL programs called, and must be examined for security implications. Note that by default .

    See also

    The name of the password server is looked up using the parameter

    NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your - password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

    Never point a Samba server at itself for password @@ -14018,7 +14298,7 @@ CLASS="PARAMETER" Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C>WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.

    See also the

    Default: password server = <empty string>password server = <empty string>

    Note that this path will be based on if one was specified.

    Default: Default: none

    Example:

    See also .

    Default: Default: none (no command executed)

    Example: postexec = echo \"%u disconnected from %S - from %m (%I)\" >> /tmp/log

    Of course, this could get annoying after a while :-)

    See also and .

    Default: Default: none (no command executed)

    Example: preexec = echo \"%u connected to %S from %m - (%I)\" >> /tmp/log
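    Review bot: the preexec example here, like the matching postexec example above it, appends to /tmp/log, a fixed file name in a directory that any local user can write to, so someone other than the administrator can create or replace that file first. Suggest changing both examples in the SGML source to a path inside a directory that only the Samba administrator can write to, since readers tend to copy these lines verbatim.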

    This boolean option controls whether a non-zero return code from

    See also

    Synonym for

    Note that if you just want all printers in your printcap file loaded then the option is easier.

    Default: Default: no preloaded services

    Example: This controls if new filenames are created with the case that the client passes, or if they are forced to be the

    See the section on NAME MANGLING for a fuller discussion.

    %z - the size of the spooled print job (in bytes)

    The print command The print command MUST contain at least one occurrence of nobody account. If this happens then create an alternative guest account that can print and set the

    print command = echo Printing %s >> +>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

    You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the

    For printing = CUPS : If SAMBA is compiled against libcups, then printcap = cups uses the CUPS API to @@ -14671,7 +14966,7 @@ NAME="PRINTOK" >

    Synonym for Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The

    Synonym for /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

    . This should be supplemented by an addtional setting printing = cups in the [global] section.

    A minimal printcap file would look something like this:

    		print1|My Printer 1
    @@ -14805,18 +15094,18 @@ CLASS="PROGRAMLISTING"
     		print4|My Printer 4
     		print5|My Printer 5
     		

    where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment.

    NOTE: Under AIX the default printcap name is

    Default: printer admin = <empty string>printer admin = <empty string>

    printer driver (S)

    Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -14896,7 +15188,7 @@ TARGET="_top" sensitive) that describes the appropriate printer driver for your system. If you don't know the exact string to use then you should first try with no

    See also printer driver file (G)

    Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -14976,7 +15271,7 @@ CLASS="FILENAME" >.

    See also .

    Default: Default: None (set in compile).

    Example: printer driver location (S)

    Note :This is a deprecated parameter and will be removed in the next major release following version 2.2. Please see the instructions in @@ -15040,7 +15341,7 @@ CLASS="FILENAME" >.

    See also

    Default: Default: none (but may be lp on many systems)

    Example:

    Synonym for This option can be set on a per printer basis

    See also the discussion in the [printers] section.

    Synonym for

    Synonym for

    Default: Default: depends on the setting of

    Example:

    Default: Default: depends on the setting of

    This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the option is set to. The list can include group names using the syntax described in the parameter.

    See also the parameter and the

    Default: read list = <empty string>read list = <empty string>

    Example:

    An inverted synonym is printable = yes) - will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.

    In general this parameter should be viewed as a system tuning tool and left severely alone. See also

    Default: remote announce = <empty string> +>remote announce = <empty string>

    Default: remote browse sync = <empty string> +>remote browse sync = <empty string>

    Synonym for

    Synonym for root directory - option, including some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files @@ -15861,7 +16177,7 @@ CLASS="PARAMETER" (such as CDROMs) after a connection is closed.

    See also

    Default: root postexec = <empty string> +>root postexec = <empty string>

    See also and

    Default: root preexec = <empty string> +>root preexec = <empty string>

    parameter except that the command is run as root.

    See also and security = user, see the It is possible to use smbd in a in a hybrid mode where it is offers both user and share level security under different SECURITY = SHARE

    When clients connect to a share level security server they @@ -16088,9 +16410,12 @@ CLASS="COMMAND" >Note that smbd ALWAYS uses a valid UNIX user to act on behalf of the client, even in

  • If the parameter is set, then all the other stages are missed and only the

    Is a username is sent with the share connection request, then this username (after mapping - see

  • If the client did a previous If the client did a previous logon request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username.

  • Any users on the , then this guest user will be used, otherwise access is denied.

    Note that it can be Note that it can be very confusing in share-level security as to which UNIX username will eventually be used in granting access.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    SECURITY = USER

    This is the default security setting in Samba 2.2. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the parameter). Encrypted passwords (see the parameter) can also be used in this security mode. Parameters such as and

    Note that the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    SECURITY = SERVER

    In this mode Samba will try to validate the username/password @@ -16335,9 +16678,12 @@ CLASS="FILENAME" > for details on how to set this up.

    Note that from the client's point of view

    Note that the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    See also the parameter and the SECURITY = DOMAIN

    This mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the

    Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.

    Note that from the client's point of view . It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

    Note that the name of the resource being - requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this.

    BUG: There is currently a bug in the implementation of

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    See also the parameter and the

    Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone @@ -16570,7 +16943,7 @@ CLASS="CONSTANT" >.

    See also the , , This option gives full share compatibility and enabled by default.

    You should You should NEVER turn this parameter off as many Windows applications will break if you do so.

    . This option can be use with preserve case = yes

    See the section on NAME MANGLING.

    parameter will always cause the OpenPrinterEx() on the server - to fail. Thus the APW icon will never be displayed. Note :This does not prevent the same user from having administrative privilege on an individual printer.

    See also , , shutdown script (G)

    This parameter only exists in the HEAD cvs branch This a full path name to a script called by %r will be substituted with the - switch -r. It means reboot after shutdown for NT.

    %f will be substituted with the - switch -f. It means force the shutdown even if applications do not respond for NT.

    Default: Default: None.

    Example:

    Shutdown script example: -
    		#!/bin/bash
     		
    @@ -16945,15 +17330,12 @@ CLASS="PROGRAMLISTING"
     
     		/sbin/shutdown $3 $4 +$time $1 &
     		
    Shutdown does not return so we need to launch it in background.

    See also

  • Those marked with a Those marked with a '*' take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you @@ -17181,9 +17566,12 @@ CLASS="COMMAND" >SAMBA_NETBIOS_NAME = myhostname

    Default: Default: No default value

    Examples:

    This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. As of samba 3.0alpha it must be set to "no" for these clients to join a samba domain controller. It can be set to "yes" to allow samba to participate in an AD domain controlled by a Windows2000 domain controller.

    Default: Default: use spnego = yes
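    Review bot: the description says that as of samba 3.0alpha the option must be set to "no" for WindowsXP and Windows2000sp2 clients to join a samba domain controller, yet the default shown is "use spnego = yes", so the reader gets no hint that the default is the value that blocks those joins. Suggest stating that next to the default, and dropping the doubled word in "This variable controls controls whether".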

    See also the

    See also the

    Synonym for passwd programparameter is called parameter is called AS ROOT - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

    See also , .

    In order for this parameter to work correctly the If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() - call to succeed. This parameter MUST not be able enabled on a print share which has valid print driver installed on the Samba server.
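    Review bot: the restriction in this paragraph reads "This parameter MUST not be able enabled on a print share which has valid print driver installed on the Samba server", which does not parse, and it is the only sentence telling an administrator when the mapping of PRINTER_ACCESS_ADMINISTER to PRINTER_ACCESS_USE must stay off. Suggest rewording it in the SGML source, for example "MUST NOT be enabled on a print share that has a valid print driver installed on the Samba server", so the regenerated page states the condition unambiguously.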

    See also disable spoolss

    NOTE: The use of

    Synonym for

    Synonym for

    To restrict a service to a particular set of users you can use the

    See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how @@ -18036,7 +18436,7 @@ HREF="r1.html#AEN236" >Default: The guest account if a guest service, - else <empty string>.

    Examples:

    		!sys = mary fred
     		guest = *
     		

    Note that the remapping is applied to all occurrences @@ -18207,7 +18598,7 @@ CLASS="CONSTANT" >fred. The only exception to this is the username passed to the

    Default: Default: no username map

    Example:

    See also the . It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. See also the /var/run/utmp on Linux).

    Default: Default: no utmp directory

    Example: /var/run/wtmp on Linux).

    Default: Default: no wtmp directory

    Example: . This is useful in the [homes] section.

    See also

    Default: Default: No valid users list (anyone can login)

    Example:

    Each entry must be a unix path, not a DOS path and - must not include the unix directory separator '/'.

    fail unless you also set the

    See also and .

    Default: Default: No files or directories are vetoed.

    Examples:
    Examples:
    ; Veto any files containing the word Security, 
     ; any ending in .tmp, and any directory containing the
    @@ -18530,9 +18936,6 @@ veto files = /*Security*/*.tmp/*root*/
     ; Veto the Apple specific files that a NetAtalk server
     ; creates.
     veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

    This parameter is only valid when the parameter.

    Default: Default: No files are vetoed for oplock grants

    You might want to do this on files that you know will @@ -18626,9 +19032,12 @@ NAME="VFSOBJECT" with a VFS object. The Samba VFS layer is new to Samba 2.2 and must be enabled at compile time with --with-vfs.

    Default : Default : no value

    .

    Default : Default : no value

    Default: Default: the name of the share

    system call will not return any data.

    Warning: Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the @@ -18811,9 +19229,12 @@ CLASS="COMMAND" > system call will not return any data.

    Warning: Turning off group enumeration may cause some programs to behave oddly.

    Default: winbind gid = <empty string> +>winbind gid = <empty string>

    Default: winbind uid = <empty string> +>winbind uid = <empty string>

    Default: winbind use default domain = <no> +>winbind use default domain = <no>

    You should point this at your WINS server if you have a multi-subnetted network.

    NOTE. You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly.

    in the docs/ directory of your Samba source distribution.

    Default: Default: not enabled

    Example: nmbd to be your WINS server. - Note that you should NEVER set this to yesThis controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain setting.

    Default: Default: set at compile time to WORKGROUP

    Example:

    Synonym for

    If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file - (it does not do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. @@ -19210,7 +19646,7 @@ NAME="WRITELIST" >This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the

    See also the

    Default: write list = <empty string> +>write list = <empty string>

    Inverted synonym for

    Inverted synonym for smbcacls

    smbcacls

    smbcacls
    The format of an ACL is one or more ACL entries separated by either commas or newlines. An ACL entry is one of the following:

     
    -REVISION:<revision number>
    -OWNER:<sid or name>
    -GROUP:<sid or name>
    -ACL:<sid or name>:<type>/<flags>/<mask>
    +REVISION:<revision number>
    +OWNER:<sid or name>
    +GROUP:<sid or name>
    +ACL:<sid or name>:<type>/<flags>/<mask>
     	

    The revision of the ACL specifies the internal Windows @@ -262,38 +254,62 @@ ACL:<sid or name>:<type>/<flags>/<mask> >

    • RR - Allow read access

    • WW - Allow write access

    • XX - Execute permission on the object

    • DD - Delete the object

    • PP - Change permissions

    • OO - Take ownership

    This option is used by the programs in the Samba @@ -348,8 +349,12 @@ CLASS="FILENAME" > for a description of how to handle incoming WinPopup messages in Samba.

    NoteNote: Copy WinPopup into the startup group on your WfWg PCs if you want them to always be able to receive messages.

    rfc1002.txt. - NetBIOS scopes are veryvery rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with.

    debuglevel
    is set to the letter 'A', then is set to the letter 'A', then all - debug messages will be printed. This setting - is for developers only (and people who reallyreally want to know how the code works internally).

    username = <value> 
    -password = <value>
    -domain = <value>
    +>username = <value> 
    +password = <value>
    +domain = <value>
     		

    If the domain parameter is missing the current workgroup name @@ -643,10 +651,18 @@ CLASS="COMMAND" > how to interpret filenames coming from the remote server. Usually Asian language multibyte UNIX implementations use different character sets than - SMB/CIFS servers (EUC instead of SJISEUC instead of SJIS for example). Setting this parameter will let

    Tar Long File NamesTar Long File Names

    Tar FilenamesTar Filenames

    All file names can be given as DOS path names (with '\' as the component separator) or as UNIX path names (with '/' as the component separator).

    ExamplesExamples

    Restore from tar file

    smb:\> smb:\>

    The backslash ("\") indicates the current working directory @@ -1008,7 +1036,7 @@ CLASS="PROMPT" >

    Parameters shown in square brackets (e.g., "[parameter]") are optional. If not given, the command will use suitable defaults. Parameters - shown in angle brackets (e.g., "<parameter>") are required. + shown in angle brackets (e.g., "<parameter>") are required.

    Note that all commands operating on the server are actually @@ -1099,7 +1127,7 @@ CLASS="REPLACEABLE" directory on the server will be reported.

    del <mask>
    del <mask>

    The client will request that the server attempt @@ -1112,7 +1140,7 @@ CLASS="REPLACEABLE" directory on the server.

    dir <mask>
    dir <mask>

    A list of the files matching

    get <remote file name> [local file name]
    get <remote file name> [local file name]

    Copy the file called

    ls <mask>
    ls <mask>

    See the dir command above.

    mask <mask>
    mask <mask>

    This command allows the user to set up a mask @@ -1229,13 +1257,13 @@ CLASS="REPLACEABLE" mask back to "*" after using the mget or mput commands.

    md <directory name>
    md <directory name>

    See the mkdir command.

    mget <mask>
    mget <mask>

    Copy all files matching are binary. See also the lowercase command.

    mkdir <directory name>
    mkdir <directory name>

    Create a new directory on the server (user access privileges permitting) with the specified name.

    mput <mask>
    mput <mask>

    Copy all files matching

    print <file name>
    print <file name>

    Print the specified file from the local machine @@ -1302,7 +1330,7 @@ CLASS="COMMAND" >See also the printmode command.

    printmode <graphics or text>
    printmode <graphics or text>

    Set the print mode to suit either binary data @@ -1322,7 +1350,7 @@ CLASS="COMMAND"

    put <local file name> [remote file name]
    put <local file name> [remote file name]

    Copy the file called See the exit command.

    rd <directory name>
    rd <directory name>

    See the rmdir command.

    rm <mask>
    rm <mask>

    Remove all files matching

    rmdir <directory name>
    rmdir <directory name>

    Remove the specified directory (user access privileges permitting) from the server.

    setmode <filename> <perm=[+|\-]rsha>
    setmode <filename> <perm=[+|\-]rsha>

    A version of the DOS attrib command to set @@ -1423,7 +1451,7 @@ CLASS="COMMAND"

    tar <c|x>[IXbgNa]
    tar <c|x>[IXbgNa]

    Performs a tar operation - see the

    blocksize <blocksize>
    blocksize <blocksize>

    Blocksize. Must be followed by a valid (greater @@ -1452,7 +1480,7 @@ CLASS="REPLACEABLE" >*TBLOCK (usually 512 byte) blocks.

    tarmode <full|inc|reset|noreset>
    tarmode <full|inc|reset|noreset>

    Changes tar's behavior with regard to archive @@ -1540,8 +1568,12 @@ CLASS="FILENAME" > /usr/samba/bin/ directory, this directory readable by all, writeable only by root. The client program itself should - be executable by all. The client should NOTNOT be setuid or setgid!

    smbcontrol

    smbcontrol

    smbcontrol
    -d <debug level>
    -d <debug level>

    file.

    -l <log directory>
    -l <log directory>

    If specified, @@ -272,8 +273,12 @@ TARGET="_top" CLASS="FILENAME" > smb.conf(5) file. Beware: file. Beware: If the directory specified does not exist,

    -O <socket options>
    -O <socket options>

    See the file for details.

    -p <port number>
    -p <port number>

    -s <configuration file>
    -s <configuration file>

    The file specified contains the @@ -544,8 +549,12 @@ TARGET="_top" >

    display a short listing of the format:

    NTGroupName(SID) -> UnixGroupName

    For example,

    Users (S-1-5-32-545) -> -1

    Get the SID for the Windows NT "Domain Admins" group:

    smbgroupedit -vs | grep "Domain Admins"
     Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1

  • warning: warning: don't copy and paste this sample, the Domain Admins SID (the S-1-5-21-...-512) is different for every PDC.

  • To verify that you mapping has taken effect:

    To verify that your mapping has taken effect:

    smbgroupedit -vs|grep "Domain Admins"
     Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm

    To give access to a certain directory on a domain member machine (an NT/W2K or a samba server running winbind) to some users who are member of a group on your samba PDC, flag that group as a domain group:

    smbgroupedit -a unixgroup -td

    Default: panic action = <empty string>panic action = <empty string>

    Example:

    smbmnt

    smbmnt

    smbmnt
    smbmount

    smbmount

    smbmount
    smbmount process may also be called mount.smbfs.

    NOTE:NOTE: smbmount

    username=<arg>
    username=<arg>

    specifies the username to connect as. If @@ -127,7 +132,7 @@ CLASS="ENVAR" to be specified as part of the username.

    password=<arg>
    password=<arg>

    specifies the SMB password. If this @@ -143,7 +148,7 @@ CLASS="COMMAND" for a passeword, unless the guest option is given.

    Note that password which contain the arguement delimiter +> Note that passwords which contain the argument delimiter character (i.e. a comma ',') will failed to be parsed correctly on the command line. However, the same password defined in the PASSWD environment variable or a credentials file (see @@ -151,26 +156,17 @@ CLASS="COMMAND"
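
Review bot: two typos survive in the password=<arg> entry even though this hunk corrects "password which" and "arguement": the preceding context still reads "for a passeword", and the corrected sentence still says "will failed to be parsed correctly". The HTML is generated from the SGML sources, so fix both there ("for a password", "will fail to be parsed correctly") and regenerate instead of leaving them for a later pass.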

    credentials=<filename>
    credentials=<filename>

    specifies a file that contains a username and/or password. The format of the file is:

    		
    		username = <value>
    -		password = <value>
    +>		username = <value>
    +		password = <value>
     		

    netbiosname=<arg>
    netbiosname=<arg>

    sets the source NetBIOS name. It defaults to the local hostname.
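
Review bot: the credentials=<filename> entry documents the file format (username = <value>, password = <value>) but says nothing about who may read that file. Because it holds a clear-text password, the entry should tell the administrator to keep the file owned by, and readable only by, the user who mounts the share. Add that sentence in the SGML source next to the format listing.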

    uid=<arg>
    uid=<arg>

    sets the uid that will own all files on @@ -199,7 +195,7 @@ CLASS="FILENAME"

    gid=<arg>
    gid=<arg>

    sets the gid that will own all files on @@ -208,14 +204,14 @@ CLASS="FILENAME" gid.

    port=<arg>
    port=<arg>

    sets the remote SMB port number. The default is 139.

    fmask=<arg>
    fmask=<arg>

    sets the file mask. This determines the @@ -223,7 +219,7 @@ CLASS="FILENAME" The default is based on the current umask.

    dmask=<arg>
    dmask=<arg>

    sets the directory mask. This determines the @@ -231,7 +227,7 @@ CLASS="FILENAME" The default is based on the current umask.

    debug=<arg>
    debug=<arg>

    sets the debug level. This is useful for @@ -240,20 +236,20 @@ CLASS="FILENAME" output, possibly hiding the useful output.

    ip=<arg>
    ip=<arg>

    sets the destination host or IP address.

    workgroup=<arg>
    workgroup=<arg>

    sets the workgroup on the destination

    sockopt=<arg>
    sockopt=<arg>

    sets the TCP socket options. See the

    scope=<arg>
    scope=<arg>

    sets the NetBIOS scope

    mount read-write

    iocharset=<arg>
    iocharset=<arg>

    sets the charset used by the Linux side for codepage @@ -307,7 +303,7 @@ CLASS="PARAMETER"

    codepage=<arg>
    codepage=<arg>

    sets the codepage the server uses. See the iocharset @@ -316,10 +312,10 @@ CLASS="PARAMETER"

    ttl=<arg>
    ttl=<arg>

    how long a directory listing is cached in milliseconds +> sets how long a directory listing is cached in milliseconds (also affects visibility of file size and date changes). A higher value means that changes on the server take longer to be noticed but it can give diff --git a/docs/htmldocs/smbpasswd.5.html b/docs/htmldocs/smbpasswd.5.html index 1f862b6611..04fab30ed6 100644 --- a/docs/htmldocs/smbpasswd.5.html +++ b/docs/htmldocs/smbpasswd.5.html @@ -1,10 +1,11 @@ + smbpasswd

    smbpasswd

    smbpasswd
    and the user will not be able to log onto the Samba server.

    WARNING !!WARNING !! Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this - reason these hashes are known as plain text - equivalents and must NOT and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and @@ -153,17 +166,29 @@ CLASS="CONSTANT" password this entry will be identical (i.e. the password is not "salted" as the UNIX password is).

    WARNING !!WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this - reason these hashes are known as plain text - equivalents and must NOT and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and @@ -186,8 +211,12 @@ CLASS="CONSTANT" >
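
Review bot: in the second hash-field warning the heading is followed by a stray period ("WARNING !!.") while the first copy reads "WARNING !!" with none. Both paragraphs have their markup around "plain text equivalents" and "must NOT" touched by this change, so this is the place to make them identical. Drop the period in the SGML source so the two warnings render the same way.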

    -v

    If this option is specified, testparm + will also output all options that were not used in + smb.conf and are thus set to + their defaults.

    configfilename

    FILES

    DIAGNOSTICS

    VERSION

    SEE ALSO

    AUTHOR

    testprns

    testprns

    testprns
    DIAGNOSTICS

    If a printer is found to be valid, the message - "Printer name <printername> is valid" will be + "Printer name <printername> is valid" will be displayed.

    If a printer is found to be invalid, the message - "Printer name <printername> is not valid" will be + "Printer name <printername> is not valid" will be displayed.

    All messages that would normally be logged during diff --git a/docs/htmldocs/wbinfo.1.html b/docs/htmldocs/wbinfo.1.html index fe218a8f67..26e098868e 100644 --- a/docs/htmldocs/wbinfo.1.html +++ b/docs/htmldocs/wbinfo.1.html @@ -1,10 +1,11 @@ + wbinfo

    wbinfo

    wbinfo
    winbindd

    winbindd

    winbindd
    account - module-types. The latter is simply + module-types. The latter simply performs a getpwnam() to verify that the system can obtain a uid for the user. If the libnss_winbind library has been correctly - installed, this should always suceed. + installed, this should always succeed.

    The following nsswitch databases are implemented by @@ -170,20 +171,11 @@ CLASS="FILENAME" > and then from the Windows NT server.

    passwd:         files winbind
     group:          files winbind
     	

    The following simple configuration in the @@ -287,279 +279,130 @@ CLASS="FILENAME" [global] section of smb.conf.

    winbind separator

    The winbind separator option allows you - to specify how NT domain names and user names are combined - into unix user names when presented to users. By default, - winbindd will use the traditional '\' - separator so that the unix user names look like - DOMAIN\username. In some cases this separator character may - cause problems as the '\' character has special meaning in - unix shells. In that case you can use the winbind separator - option to specify an alternative separator character. Good - alternatives may be '/' (although that conflicts - with the unix directory separator) or a '+ 'character. - The '+' character appears to be the best choice for 100% - compatibility with existing unix utilities, but may be an - aesthetically bad choice depending on your taste.

    Default: winbind separator = \ -

    Example: winbind separator = +

    winbind uid

    The winbind uid parameter specifies the - range of user ids that are allocated by the winbindd daemon. - This range of ids should have no existing local or NIS users - within it as strange conflicts can occur otherwise.

    Default: winbind uid = <empty string> -

    winbind gid

    The winbind gid parameter specifies the - range of group ids that are allocated by the winbindd daemon. - This range of group ids should have no existing local or NIS - groups within it as strange conflicts can occur otherwise.

  • Default: winbind gid = <empty string> - winbind uid

  • Example: winbind gid = 10000-20000 -

  • winbind cache time

    This parameter specifies the number of - seconds the winbindd daemon will cache user and group information - before querying a Windows NT server again. When a item in the - cache is older than this time winbindd will ask the domain - controller for the sequence number of the server's account database. - If the sequence number has not changed then the cached item is - marked as valid for a further winbind cache time - winbind gid seconds. Otherwise the item is fetched from the - server. This means that as long as the account database is not - actively changing winbindd will only have to send one sequence - number query packet every

  • winbind cache time - winbind cache time seconds.

    Default: winbind cache time = 15 -

  • winbind enum users

  • On large installations it may be necessary - to suppress the enumeration of users through the setpwent(), getpwent() and - endpwent() group of system calls. If - the winbind enum users parameter is false, - calls to the getpwent system call will not - return any data.

    Warning: Turning off user enumeration - may cause some programs to behave oddly. For example, the finger - program relies on having access to the full user list when - searching for matching usernames.

    Default: winbind enum users = yes

  • winbind enum groups
  • On large installations it may be necessary - to suppress the enumeration of groups through the setgrent(), getgrent() and - endgrent() group of system calls. If - the winbind enum groups parameter is - false, calls to the getgrent() system - call will not return any data.

    Warning: Turning off group - enumeration may cause some programs to behave oddly. -

    Default: winbind enum groups = no -

  • template homedir

  • When filling out the user information - for a Windows NT user, the winbindd daemon - uses this parameter to fill in the home directory for that user. - If the string %Dtemplate homedir is present it is - substituted with the user's Windows NT domain name. If the - string

  • %Utemplate shell is present it is substituted - with the user's Windows NT user name.

    Default: template homedir = /home/%D/%U -

  • template shell

    When filling out the user information for - a Windows NT user, the winbindd daemon - uses this parameter to fill in the shell for that user. -

    Default: template shell = /bin/false -

    winbind use default domain

    This parameter specifies whether the winbindd - daemon should operate on users without domain component in their username. - Users without a domain component are treated as is part of the winbindd server's - own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail - function in a way much closer to the way they would in a native unix system.

    Default: winbind use default domain = <falseg> -

  • Example: winbind use default domain = true winbind use default domain
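
Review bot: the winbindd.8.html hunk at -287,279 +279,130 deletes the full descriptions of winbind separator, winbind uid, winbind gid, winbind cache time, winbind enum users, winbind enum groups, template homedir, template shell and winbind use default domain, leaving what appear to be only the parameter names, yet the commit subject mentions only link fixes. Before this goes in, confirm that the smb.conf(5) entries carry the guidance being dropped here, in particular the statement that the winbind uid and winbind gid ranges must contain no existing local or NIS users or groups, and say in the commit message that the descriptions were removed. If the text lives on in another source file, the typos visible in the removed lines ("benifit", "<falseg>", "treated as is part of") should be fixed there.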

  • EXAMPLE SETUP

    put the following:

    passwd:     files winbind
     group:      files winbind
     	

    In lines with something like this:

    auth       required	/lib/security/pam_securetty.so
    @@ -614,9 +442,6 @@ auth       required	/lib/security/pam_nologin.so
     auth       sufficient	/lib/security/pam_winbind.so
     auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
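
Review bot: the PAM example in this hunk keeps nullok on the pam_pwdb.so line without comment, and nullok lets an account with an empty password authenticate. Readers tend to paste a sample auth stack as-is, so either drop nullok from the example or add a sentence in the SGML source explaining when it is wanted. A short remark on why pam_winbind.so is listed as sufficient ahead of pam_pwdb.so with use_first_pass would also help.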
     	

    Note in particular the use of the containing directives like the following:

    [global]
    @@ -716,9 +535,6 @@ CLASS="PROGRAMLISTING"
             security = domain
             password server = *
     	

    Now start winbindd and you should find that your user and @@ -737,7 +553,7 @@ CLASS="COMMAND" >

    NOTES

    SIGNALS

    FILES

    VERSION

    SEE ALSO

    AUTHOR