From 7fa7be07a1ba236c839136fbfddc9d9faddf560d Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 Feb 2001 15:43:18 +0000 Subject: housekeeping and a new SGML source file (findsmb) (This used to be commit d509bb881da1fdad108a843fa35e2ed7248617e9) --- docs/docbook/manpages/findsmb.1.sgml | 131 + docs/docbook/manpages/nmbd.8.sgml | 343 ++ docs/docbook/manpages/samba.7.sgml | 213 + docs/docbook/manpages/smb.conf.5.sgml | 7435 +++++++++++++++++++++++++++++++++ docs/docbook/manpages/smbd.8.sgml | 573 +++ docs/docbook/nmbd.8.sgml | 343 -- docs/docbook/samba.7.sgml | 213 - docs/docbook/smb.conf.5.sgml | 7435 --------------------------------- docs/docbook/smbd.8.sgml | 573 --- 9 files changed, 8695 insertions(+), 8564 deletions(-) create mode 100644 docs/docbook/manpages/findsmb.1.sgml create mode 100644 docs/docbook/manpages/nmbd.8.sgml create mode 100644 docs/docbook/manpages/samba.7.sgml create mode 100644 docs/docbook/manpages/smb.conf.5.sgml create mode 100644 docs/docbook/manpages/smbd.8.sgml delete mode 100644 docs/docbook/nmbd.8.sgml delete mode 100644 docs/docbook/samba.7.sgml delete mode 100644 docs/docbook/smb.conf.5.sgml delete mode 100644 docs/docbook/smbd.8.sgml (limited to 'docs') diff --git a/docs/docbook/manpages/findsmb.1.sgml b/docs/docbook/manpages/findsmb.1.sgml new file mode 100644 index 0000000000..852dc7da95 --- /dev/null +++ b/docs/docbook/manpages/findsmb.1.sgml @@ -0,0 +1,131 @@ + + + + + findsmb + 1 + + + + + findsmb + list info about machines that respond to SMB + name queries on a subnet + + + + + findsmb + subnet broadcast address + + + + + DESCRIPTION + + This perl script is part of the + Samba suite. + + findsmb is a perl script that + prints out several pieces of information about machines + on a subnet that respond to SMB name query requests. + It uses + nmblookup(1) and + smbclient(1) to obtain this information. + + + + + OPTIONS + + + + subnet broadcast address + Without this option, findsmb + will probe the subnet of the machine where + findsmb is run. This value is passed + to nmblookup as part of the + -B option + + + + + + EXAMPLES + + The output of findsmb lists the following + information for all machines that respond to the initial + nmblookup for any name: IP address, NetBIOS name, + Workgroup name, operating system, and SMB server version. + + There will be a '+' in front of the workgroup name for + machines that are local master browsers for that workgroup. There + will be an '*' in front of the workgroup name for + machines that are the domain master browser for that workgroup. + Machines that are running Windows, Windows 95 or Windows 98 will + not show any information about the operating system or server + version. + + The command must be run on a system without nmbd running. + If nmbd is running on the system, you will + only get the IP address and the DNS name of the machine. To + get proper responses from Windows 95 and Windows 98 machines, + the command must be run as root. + + For example running findsmb on a machine + without nmbd running would yield output similar + to the following + + +IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION +--------------------------------------------------------------------- +192.168.35.10 MINESET-TEST1 [DMVENGR] +192.168.35.55 LINUXBOX *[MYGROUP] [Unix] [Samba 2.0.6] +192.168.35.56 HERBNT2 [HERB-NT] +192.168.35.63 GANDALF [MVENGR] [Unix] [Samba 2.0.5a for IRIX] +192.168.35.65 SAUNA [WORKGROUP] [Unix] [Samba 1.9.18p10] +192.168.35.71 FROGSTAR [ENGR] [Unix] [Samba 2.0.0 for IRIX] +192.168.35.78 HERBDHCP1 +[HERB] +192.168.35.88 SCNT2 +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0] +192.168.35.93 FROGSTAR-PC [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager] +192.168.35.97 HERBNT1 *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0] + + + + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. + + + + SEE ALSO + nmbd(8), + smbclient(1) + , and + nmblookup(1) + + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter + + + diff --git a/docs/docbook/manpages/nmbd.8.sgml b/docs/docbook/manpages/nmbd.8.sgml new file mode 100644 index 0000000000..0188bca748 --- /dev/null +++ b/docs/docbook/manpages/nmbd.8.sgml @@ -0,0 +1,343 @@ + + + + + nmbd + 8 + + + + + nmbd + NetBIOS name server to provide NetBIOS + over IP naming services to clients + + + + + smbd + -D + -a + -o + -P + -h + -V + -d <debug level> + -H <lmhosts file> + -l <log file> + -n <primary netbios name> + -p <port number> + -s <configuration file> + + + + + DESCRIPTION + This program is part of the Samba suite. + + nmbd is a server that understands + and can reply to NetBIOS over IP name service requests, like + those produced by SMBD/CIFS clients such as Windows 95/98/ME, + Windows NT, Windows 2000, and LanManager clients. It also + participates in the browsing protocols which make up the + Windows "Network Neighborhood" view. + + SMB/CIFS clients, when they start up, may wish to + locate an SMB/CIFS server. That is, they wish to know what + IP number a specified host is using. + + Amongst other services, nmbd will + listen for such requests, and if its own NetBIOS name is + specified it will respond with the IP number of the host it + is running on. Its "own NetBIOS name" is by + default the primary DNS name of the host it is running on, + but this can be overridden with the -n + option (see OPTIONS below). Thus nmbd will + reply to broadcast queries for its own name(s). Additional + names for nmbd to respond on can be set + via parameters in the + smb.conf(5) configuration file. + + nmbd can also be used as a WINS + (Windows Internet Name Server) server. What this basically means + is that it will act as a WINS database server, creating a + database from name registration requests that it receives and + replying to queries from clients for these names. + + In addition, nmbd can act as a WINS + proxy, relaying broadcast queries from clients that do + not understand how to talk the WINS protocol to a WIN + server. + + + + OPTIONS + + + + -D + If specified, this parameter causes + nmbd to operate as a daemon. That is, + it detaches itself and runs in the background, fielding + requests on the appropriate port. By default, nmbd + will operate as a daemon if launched from a command shell. + nmbd can also be operated from the inetd + meta-daemon, although this is not recommended. + + + + + -a + If this parameter is specified, each new + connection will append log messages to the log file. + This is the default. + + + + -o + If this parameter is specified, the + log files will be overwritten when opened. By default, + smbd will append entries to the log + files. + + + + -h + Prints the help information (usage) + for nmbd. + + + + -H <filename> + NetBIOS lmhosts file. The lmhosts + file is a list of NetBIOS names to IP addresses that + is loaded by the nmbd server and used via the name + resolution mechanism + name resolve order described in smb.conf(5) + to resolve any NetBIOS name queries needed by the server. Note + that the contents of this file are NOT + used by nmbd to answer any name queries. + Adding a line to this file affects name NetBIOS resolution + from this host ONLY. + + The default path to this file is compiled into + Samba as part of the build process. Common defaults + are /usr/local/samba/lib/lmhosts, + /usr/samba/lib/lmhosts or + /etc/lmhosts. See the + lmhosts(5) man page for details on the + contents of this file. + + + + -V + Prints the version number for + nmbd. + + + + -d <debug level> + debuglevel is an integer + from 0 to 10. The default value if this parameter is + not specified is zero. + + The higher this value, the more detail will + be logged to the log files about the activities of the + server. At level 0, only critical errors and serious + warnings will be logged. Level 1 is a reasonable level for + day to day running - it generates a small amount of + information about operations carried out. + + Levels above 1 will generate considerable amounts + of log data, and should only be used when investigating + a problem. Levels above 3 are designed for use only by developers + and generate HUGE amounts of log data, most of which is extremely + cryptic. + + Note that specifying this parameter here will override + the log level + parameter in the + smb.conf file. + + + + -l <log file> + The -l parameter specifies a path + and base filename into which operational data from + the running nmbd server will + be logged. The actual log file name is generated by + appending the extension ".nmb" to the specified base + name. For example, if the name specified was "log" + then the file log.nmb would contain the debugging data. + + The default log file path is compiled into Samba as + part of the build process. Common defaults are + /usr/local/samba/var/log.nmb, + /usr/samba/var/log.nmb or + /var/log/log.nmb. + + + + + -n <primary NetBIOS name> + This option allows you to override + the NetBIOS name that Samba uses for itself. This is identical + to setting the + NetBIOS name parameter in the + smb.conf file. However, a command + line setting will take precedence over settings in + smb.conf. + + + + + -p <UDP port number> + UDP port number is a positive integer value. + This option changes the default UDP port number (normally 137) + that nmbd responds to name queries on. Don't + use this option unless you are an expert, in which case you + won't need help! + + + + -s <configuration file> + The default configuration file name + is set at build time, typically as + /usr/local/samba/lib/smb.conf, but + this may be changed when Samba is autoconfigured. + + The file specified contains the configuration details + required by the server. See + smb.conf(5) for more information. + + + + + + + FILES + + + + /etc/inetd.conf + If the server is to be run by the + inetd meta-daemon, this file + must contain suitable startup information for the + meta-daemon. See the section INSTALLATION below. + + + + + /etc/rc + or whatever initialization script your + system uses). + + If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server. See the section INSTALLATION + below. + + + + /etc/services + If running the server via the + meta-daemon inetd, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). + See the section INSTALLATION below. + + + + /usr/local/samba/lib/smb.conf + This is the default location of the + smb.conf + server configuration file. Other common places that systems + install this file are /usr/samba/lib/smb.conf + and /etc/smb.conf. + + When run as a WINS server (see the + wins support + parameter in the + smb.conf(5) man page), nmbd + will store the WINS database in the file wins.dat + in the var/locks directory configured under + wherever Samba was configured to install itself. + + If nmbd is acting as a + browse master (see the local master + parameter in the + smb.conf(5) man page), nmbd + will store the browsing database in the file browse.dat + in the var/locks directory + configured under wherever Samba was configured to install itself. + + + + + + + SIGNALS + + To shut down an nmbd process it is recommended + that SIGKILL (-9) NOT be used, except as a last + resort, as this may leave the name database in an inconsistent state. + The correct way to terminate nmbd is to send it + a SIGTERM (-15) signal and wait for it to die on its own. + + nmbd will accept SIGHUP, which will cause + it to dump out it's namelists into the file namelist.debug + in the /usr/local/samba/var/locks + directory (or the var/locks directory configured + under wherever Samba was configured to install itself). This will also + cause nmbd to dump out it's server database in + the log.nmb file. In addition, the debug log level + of nmbd may be raised by sending it a SIGUSR1 (kill -USR1 + <nmbd-pid>) and lowered by sending it a + SIGUSR2 (kill -USR2 <nmbd-pid>). This is to + allow transient problems to be diagnosed, whilst still running at a + normally low log level. + + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. + + + + SEE ALSO + inetd(8), smbd(8), + smb.conf(5) + , smbclient(1) + , + testparm(1), + testprns(1), and the Internet RFC's + rfc1001.txt, rfc1002.txt. + In addition the CIFS (formerly SMB) specification is available + as a link from the Web page + http://samba.org/cifs/. + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter + + + diff --git a/docs/docbook/manpages/samba.7.sgml b/docs/docbook/manpages/samba.7.sgml new file mode 100644 index 0000000000..a27b52ca94 --- /dev/null +++ b/docs/docbook/manpages/samba.7.sgml @@ -0,0 +1,213 @@ + + + + + samba + 7 + + + + + SAMBA + A Windows SMB/CIFS fileserver for UNIX + + + + Samba + + + + DESCRIPTION + + The Samba software suite is a collection of programs + that implements the Server Message Block (commonly abbreviated + as SMB) protocol for UNIX systems. This protocol is sometimes + also referred to as the Common Internet File System (CIFS), + LanManager or NetBIOS protocol. + + + + smbd + The smbd + daemon provides the file and print services to + SMB clients, such as Windows 95/98, Windows NT, Windows + for Workgroups or LanManager. The configuration file + for this daemon is described in smb.conf + + + + + nmbd + The nmbd + daemon provides NetBIOS nameserving and browsing + support. The configuration file for this daemon + is described in smb.conf + + + + + smbclient + The smbclient + program implements a simple ftp-like client. This + is useful for accessing SMB shares on other compatible + servers (such as Windows NT), and can also be used + to allow a UNIX box to print to a printer attached to + any SMB server (such as a PC running Windows NT). + + + + + testparm + The testparm + utility is a simple syntax checker for Samba's + smb.confconfiguration file. + + + + + testprns + The testprns + utility supports testing printer names defined + in your printcap> file used + by Samba. + + + + + smbstatus + The smbstatus + tool provides access to information about the + current connections to smbd. + + + + + nmblookup + The nmblookup + tools allows NetBIOS name queries to be made + from a UNIX host. + + + + + make_smbcodepage + The make_smbcodepage + utility provides a means of creating SMB code page + definition files for your smbd server. + + + + + smbpasswd + The smbpasswd + command is a tool for changing LanMan and Windows NT + password hashes on Samba and Windows NT servers. + + + + + + + + COMPONENTS + + The Samba suite is made up of several components. Each + component is described in a separate manual page. It is strongly + recommended that you read the documentation that comes with Samba + and the manual pages of those components that you use. If the + manual pages aren't clear enough then please send a patch or + bug report to + samba@samba.org + + + + + + + AVAILABILITY + + The Samba software suite is licensed under the + GNU Public License(GPL). A copy of that license should + have come with the package in the file COPYING. You are + encouraged to distribute copies of the Samba suite, but + please obey the terms of this license. + + The latest version of the Samba suite can be + obtained via anonymous ftp from samba.org in the + directory pub/samba/. It is also available on several + mirror sites worldwide. + + You may also find useful information about Samba + on the newsgroup + comp.protocol.smb and the Samba mailing + list. Details on how to join the mailing list are given in + the README file that comes with Samba. + + If you have access to a WWW viewer (such as Netscape + or Mosaic) then you will also find lots of useful information, + including back issues of the Samba mailing list, at + http://lists.samba.org. + + + + VERSION + + This man page is correct for version 2.2 of the + Samba suite. + + + + CONTRIBUTIONS + + If you wish to contribute to the Samba project, + then I suggest you join the Samba mailing list at + http://lists.samba.org. + + + If you have patches to submit or bugs to report + then you may mail them directly to samba-patches@samba.org. + Note, however, that due to the enormous popularity of this + package the Samba Team may take some time to respond to mail. We + prefer patches in diff -u format. + + + + CONTRIBUTORS + + Contributors to the project are now too numerous + to mention here but all deserve the thanks of all Samba + users. To see a full list, look at + ftp://samba.org/pub/samba/alpha/change-log + for the pre-CVS changes and at + ftp://samba.org/pub/samba/alpha/cvs.log + for the contributors to Samba post-CVS. CVS is the Open Source + source code control system used by the Samba Team to develop + Samba. The project would have been unmanageable without it. + + In addition, several commercial organizations now help + fund the Samba Team with money and equipment. For details see + the Samba Web pages at + http://samba.org/samba/samba-thanks.html. + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter + + + diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml new file mode 100644 index 0000000000..a00ca178db --- /dev/null +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -0,0 +1,7435 @@ + + + + + smb.conf + 5 + + + + + smb.conf + The configuration file for the Samba suite + + + + SYNOPSIS + + The smb.conf file is a configuration + file for the Samba suite. smb.conf contains + runtime configuration information for the Samba programs. The + smb.conf file is designed to be configured and + administered by the swat(8) + program. The complete description of the file format and + possible parameters held within are here for reference purposes. + + + + FILE FORMAT + + The file consists of sections and parameters. A section + begins with the name of the section in square brackets and continues + until the next section begins. Sections contain parameters of the + form + + name = value + + + The file is line-based - that is, each newline-terminated + line represents either a comment, a section name or a parameter. + + Section and parameter names are not case sensitive. + + Only the first equals sign in a parameter is significant. + Whitespace before or after the first equals sign is discarded. + Leading, trailing and internal whitespace in section and parameter + names is irrelevant. Leading and trailing whitespace in a parameter + value is discarded. Internal whitespace within a parameter value + is retained verbatim. + + Any line beginning with a semicolon (';') or a hash ('#') + character is ignored, as are lines containing only whitespace. + + Any line ending in a '\' is continued + on the next line in the customary UNIX fashion. + + The values following the equals sign in parameters are all + either a string (no quotes needed) or a boolean, which may be given + as yes/no, 0/1 or true/false. Case is not significant in boolean + values, but is preserved in string values. Some items such as + create modes are numeric. + + + + SECTION DESCRIPTIONS + + Each section in the configuration file (except for the + [global] section) describes a shared resource (known + as a "share"). The section name is the name of the + shared resource and the parameters within the section define + the shares attributes. + + There are three special sections, [global], + [homes] and [printers], which are + described under special sections. The + following notes apply to ordinary section descriptions. + + A share consists of a directory to which access is being + given plus a description of the access rights which are granted + to the user of the service. Some housekeeping options are + also specifiable. + + Sections are either filespace services (used by the + client as an extension of their native file systems) or + printable services (used by the client to access print services + on the host running the server). + + Sections may be designated guest services, + in which case no password is required to access them. A specified + UNIX guest account is used to define access + privileges in this case. + + Sections other than guest services will require a password + to access them. The client provides the username. As older clients + only provide passwords and not usernames, you may specify a list + of usernames to check against the password using the "user=" + option in the share definition. For modern clients such as + Windows 95/98/ME/NT/2000, this should not be necessary. + + Note that the access rights granted by the server are + masked by the access rights granted to the specified or guest + UNIX user by the host system. The server does not grant more + access than the host system grants. + + The following sample section defines a file space share. + The user has write access to the path /home/bar. + The share is accessed via the share name "foo": + + + + [foo] + path = /home/bar + writeable = true + + + + The following sample section defines a printable share. + The share is readonly, but printable. That is, the only write + access permitted is via calls to open, write to and close a + spool file. The guest ok parameter means + access will be permitted as the default guest user (specified + elsewhere): + + + + [aprinter] + path = /usr/spool/public + writeable = false + printable = true + guest ok = true + + + + + + SPECIAL SECTIONS + + + The [global] section + + parameters in this section apply to the server + as a whole, or are defaults for sections which do not + specifically define certain items. See the notes + under paraMETERS for more information. + + + + The [homes] section + + If a section called homes is included in the + configuration file, services connecting clients to their + home directories can be created on the fly by the server. + + When the connection request is made, the existing + sections are scanned. If a match is found, it is used. If no + match is found, the requested section name is treated as a + user name and looked up in the local password file. If the + name exists and the correct password has been given, a share is + created by cloning the [homes] section. + + Some modifications are then made to the newly + created share: + + + The share name is changed from homes to + the located username. + + If no path was given, the path is set to + the user's home directory. + + + If you decide to use a path= line + in your [homes] section then you may find it useful + to use the %S macro. For example : + + path=/data/pchome/%S + + would be useful if you have different home directories + for your PCs than for UNIX access. + + This is a fast and simple way to give a large number + of clients access to their home directories with a minimum + of fuss. + + A similar process occurs if the requested section + name is "homes", except that the share name is not + changed to that of the requesting user. This method of using + the [homes] section works well if different users share + a client PC. + + The [homes] section can specify all the parameters + a normal service section can specify, though some make more sense + than others. The following is a typical and suitable [homes] + section: + + + + [homes] + writeable = yes + + + + An important point is that if guest access is specified + in the [homes] section, all home directories will be + visible to all clients without a password. + In the very unlikely event that this is actually desirable, it + would be wise to also specify read only + access. + + Note that the browseable flag for + auto home directories will be inherited from the global browseable + flag, not the [homes] browseable flag. This is useful as + it means setting browseable=no in the [homes] section + will hide the [homes] share but make any auto home + directories visible. + + + + The [printers] section + + This section works like [homes], + but for printers. + + If a [printers] section occurs in the + configuration file, users are able to connect to any printer + specified in the local host's printcap file. + + When a connection request is made, the existing sections + are scanned. If a match is found, it is used. If no match is found, + but a [homes] section exists, it is used as described + above. Otherwise, the requested section name is treated as a + printer name and the appropriate printcap file is scanned to see + if the requested section name is a valid printer share name. If + a match is found, a new printer share is created by cloning + the [printers] section. + + A few modifications are then made to the newly created + share: + + + The share name is set to the located printer + name + + If no printer name was given, the printer name + is set to the located printer name + + If the share does not permit guest access and + no username was given, the username is set to the located + printer name. + + + Note that the [printers] service MUST be + printable - if you specify otherwise, the server will refuse + to load the configuration file. + + Typically the path specified would be that of a + world-writeable spool directory with the sticky bit set on + it. A typical [printers] entry would look like + this: + + + [printers] + path = /usr/spool/public + guest ok = yes + printable = yes + + + All aliases given for a printer in the printcap file + are legitimate printer names as far as the server is concerned. + If your printing subsystem doesn't work like that, you will have + to set up a pseudo-printcap. This is a file consisting of one or + more lines like this: + + + + alias|alias|alias|alias... + + + + Each alias should be an acceptable printer name for + your printing subsystem. In the [global] section, specify + the new file as your printcap. The server will then only recognize + names found in your pseudo-printcap, which of course can contain + whatever aliases you like. The same technique could be used + simply to limit access to a subset of your local printers. + + An alias, by the way, is defined as any component of the + first entry of a printcap record. Records are separated by newlines, + components (if there are more than one) are separated by vertical + bar symbols ('|'). + + NOTE: On SYSV systems which use lpstat to determine what + printers are defined on the system you may be able to use + "printcap name = lpstat" to automatically obtain a list + of printers. See the "printcap name" option + for more details. + + + + + paraMETRS + + parameters define the specific attributes of sections. + + Some parameters are specific to the [global] section + (e.g., security). Some parameters are usable + in all sections (e.g., create mode). All others + are permissible only in normal sections. For the purposes of the + following descriptions the [homes] and [printers] + sections will be considered normal. The letter G + in parentheses indicates that a parameter is specific to the + [global] section. The letter S + indicates that a parameter can be specified in a service specific + section. Note that all S parameters can also be specified in + the [global] section - in which case they will define + the default behavior for all services. + + parameters are arranged here in alphabetical order - this may + not create best bedfellows, but at least you can find them! Where + there are synonyms, the preferred synonym is described, others refer + to the preferred synonym. + + + + VARIABLE SUBSTITUTIONS + + Many of the strings that are settable in the config file + can take substitutions. For example the option "path = + /tmp/%u" would be interpreted as "path = + /tmp/john" if the user connected with the username john. + + These substitutions are mostly noted in the descriptions below, + but there are some general substitutions which apply whenever they + might be relevant. These are: + + + + %S + the name of the current service, if any. + + + + + %P + the root directory of the current service, + if any. + + + + %u + user name of the current service, if any. + + + + + %g + primary group name of %u. + + + + %U + session user name (the user name that the client + wanted, not necessarily the same as the one they got). + + + + %G + primary group name of %U. + + + + %H + the home directory of the user given + by %u. + + + + %v + the Samba version. + + + + %h + the internet hostname that Samba is running + on. + + + + %m + the NetBIOS name of the client machine + (very useful). + + + + %L + the NetBIOS name of the server. This allows you + to change your config based on what the client calls you. Your + server can have a "dual personality". + + + + %M + the internet name of the client machine. + + + + + %N + the name of your NIS home directory server. + This is obtained from your NIS auto.map entry. If you have + not compiled Samba with the --with-automount + option then this value will be the same as %. + + + + + %p + the path of the service's home directory, + obtained from your NIS auto.map entry. The NIS auto.map entry + is split up as "%N:%p". + + + + %R + the selected protocol level after + protocol negotiation. It can be one of CORE, COREPLUS, + LANMAN1, LANMAN2 or NT1. + + + + %d + The process id of the current server + process. + + + + %a + the architecture of the remote + machine. Only some are recognized, and those may not be + 100% reliable. It currently recognizes Samba, WfWg, + WinNT and Win95. Anything else will be known as + "UNKNOWN". If it gets it wrong then sending a level + 3 log to samba@samba.org + should allow it to be fixed. + + + + %I + The IP address of the client machine. + + + + + %T + the current date and time. + + + + %$(envvar) + The value of the environment variable + envar. + + + + There are some quite creative things that can be done + with these substitutions and other smb.conf options. + + + NAME MANGLING + + Samba supports "name mangling" so that DOS and + Windows clients can use files that don't conform to the 8.3 format. + It can also be set to adjust the case of 8.3 format filenames. + + There are several options that control the way mangling is + performed, and they are grouped here rather than listed separately. + For the defaults look at the output of the testparm program. + + All of these options can be set separately for each service + (or globally, of course). + + The options are: + + + + + mangle case= yes/no + controls if names that have characters that + aren't of the "default" case are mangled. For example, + if this is yes then a name like "Mail" would be mangled. + Default no. + + + + case sensitive = yes/no + controls whether filenames are case sensitive. If + they aren't then Samba must do a filename search and match on passed + names. Default no. + + + + default case = upper/lower + controls what the default case is for new + filenames. Default lower. + + + + preserve case = yes/no + controls if new files are created with the + case that the client passes, or if they are forced to be the + "default" case. Default yes. + + + + + short preserve case = yes/no + controls if new files which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created + upper case, or if they are forced to be the "default" + case. This option can be use with "preserve case = yes" + to permit long filenames to retain their case, while short names + are lowered. Default yes. + + + + By default, Samba 2.2 has the same semantics as a Windows + NT server, in that it is case insensitive but case preserving. + + + + + NOTE ABOUT USERNAME/PASSWORD VALIDATION + + There are a number of ways in which a user can connect + to a service. The server follows the following steps in determining + if it will allow a connection to a specified service. If all the + steps fail then the connection request is rejected. If one of the + steps pass then the following steps are not checked. + + If the service is marked "guest only = yes" then + steps 1 to 5 are skipped. + + + If the client has passed a username/password + pair and that username/password pair is validated by the UNIX + system's password programs then the connection is made as that + username. Note that this includes the + \\server\service%username method of passing + a username. + + If the client has previously registered a username + with the system and now supplies a correct password for that + username then the connection is allowed. + + The client's netbios name and any previously + used user names are checked against the supplied password, if + they match then the connection is allowed as the corresponding + user. + + If the client has previously validated a + username/password pair with the server and the client has passed + the validation token then that username is used. + + If a "user = " field is given in the + smb.conf file for the service and the client + has supplied a password, and that password matches (according to + the UNIX system's password checking) with one of the usernames + from the "user=" field then the connection is made as + the username in the "user=" line. If one + of the username in the "user=" list begins with a + '@' then that name expands to a list of names in + the group of the same name. + + If the service is a guest service then a + connection is made as the username given in the "guest + account =" for the service, irrespective of the + supplied password. + + + + + + COMPLETE LIST OF GLOBAL PARAMETERS + + Here is a list of all global parameters. See the section of + each parameter for details. Note that some are synonyms. + + + add user script + allow trusted domains + announce as + announce version + auto services + bind interfaces only + browse list + change notify timeout + character set + client code page + coding system + config file + deadtime + debug hires timestamp + debug pid + debug timestamp + debug uid + debug level + default + default service + delete user script + dfree command + dns proxy + domain admin group + domain admin users + domain groups + domain guest group + domain guest users + domain logons + domain master + encrypt passwords + getwd cache + hide local users + homedir map + hosts equiv + interfaces + keepalive + kernel oplocks + lm announce + lm interval + load printers + local master + lock dir + lock directory + log file + log level + logon drive + logon home + logon path + logon script + lpq cache time + machine password timeout + mangled stack + map to guest + max disk size + max log size + max mux + max open files + max packet + max ttl + max wins ttl + max xmit + message command + min passwd length + min password length + min wins ttl + name resolve order + netbios aliases + netbios name + netbios scope + nis homedir + nt acl support + nt pipe support + nt smb support + null passwords + ole locking compatibility + oplock break wait time + os level + panic action + passwd chat + passwd chat debug + passwd program + password level + password server + prefered master + preferred master + preload + printcap + printcap name + printer driver file + private dir + protocol + read bmpx + read prediction + read raw + read size + remote announce + remote browse sync + restrict anonymous + root + root dir + root directory + security + server string + shared mem size + smb passwd file + smbrun + socket address + socket options + source environment + ssl + ssl CA certDir + ssl CA certFile + ssl ciphers + ssl client cert + ssl client key + ssl compatibility + ssl hosts + ssl hosts resign + ssl require clientcert + ssl require servercert + ssl server cert + ssl server key + ssl version + stat cache + stat cache size + strip dot + syslog + syslog only + template homedir + template shell + time offset + time server + timestamp logs + unix password sync + unix realname + update encrypted + use rhosts + username level + username map + utmp directory + valid chars + winbind cache time + winbind gid + winbind uid + wins hook + wins proxy + wins server + wins support + workgroup + write raw + + + + + + COMPLETE LIST OF SERVICE PARAMETERS + + Here is a list of all service parameters. See the section of + each parameter for details. Note that some are synonyms. + + + admin users + allow hosts + alternate permissions + available + blocking locks + browsable + browseable + case sensitive + casesignames + comment + copy + create mask + create mode + default case + delete readonly + delete veto files + deny hosts + directory + directory mask + directory mode + directory security mask + dont descend + dos filetime resolution + dos filetimes + exec + fake directory create times + fake oplocks + follow symlinks + force create mode + force directory mode + force directory security mode + force group + force security mode + force user + fstype + group + guest account + guest ok + guest only + hide dot files + hide files + hosts allow + hosts deny + include + inherit permissions + invalid users + level2 oplocks + locking + lppause command + lpq command + lpresume command + lprm command + magic output + magic script + mangle case + mangle locks + mangled map + mangled names + mangling char + map archive + map hidden + map system + max connections + min print space + only guest + only user + oplock contention limit + oplocks + path + postexec + postscript + preexec + preexec close + preserve case + print command + print ok + printable + printer + printer admin + printer driver + printer driver location + printer name + printing + public + queuepause command + queueresume command + read list + read only + root postexec + root preexec + root preexec close + security mask + set directory + share modes + short preserve case + status + strict locking + strict sync + sync always + user + username + users + utmp + valid users + veto files + veto oplock files + volume + wide links + writable + write cache size + write list + write ok + writeable + + + + + + EXPLANATION OF EACH PARAMETER + + + + + add user script (G) + This is the full pathname to a script that will + be run AS ROOT by smbd(8) + under special circumstances decribed below. + + Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users + ON DEMAND when a user accesses the Samba server. + + In order to use this option, smbd + must be set to security=server or + security=domain and add user script + must be set to a full pathname for a script that will create a UNIX + user given one argument of %u, which expands into + the UNIX user name to create. + + When the Windows user attempts to access the Samba server, + at login (session setup in the SMB protocol) time, + smbd contacts the password server and + attempts to authenticate the given user with the given password. If the + authentication succeeds then smbd + attempts to find a UNIX user in the UNIX password database to map the + Windows user into. If this lookup fails, and add user script + is set then smbd will + call the specified script AS ROOT, expanding + any %u argument to be the user name to create. + + If this script successfully creates the user then smbd will continue on as though the UNIX user + already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. + + See also + security, + password server, delete user + script. + + Default: add user script = <empty string> + + + Example: add user script = /usr/local/samba/bin/add_user + %u + + + + + + + admin users (S) + This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root). + + You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions. + + Default: no admin users + + Example: admin users = jason + + + + + + + allow hosts (S) + Synonym for + hosts allow. + + + + + + allow trusted domains (G) + This option only takes effect when the security option is set to + server or domain. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication. + + This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult. + + Default: allow trusted domains = yes + + + + + + + + announce as (G) + This specifies what type of server + nmbd + will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT" (which is a synonym for "NT Server"), "NT Server", + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly. + + Default: announce as = NT Server + + Example: announce as = Win95 + + + + + + + annouce version (G) + This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.2. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server. + + Default: announce version = 4.2 + + Example: announce version = 2.0 + + + + + + + auto services (G) + This is a list of services that you want to be + automatically added to the browse lists. This is most useful + for homes and printers services that would otherwise not be + visible. + + Note that if you just want all printers in your + printcap file loaded then the + load printers option is easier. + + Default: no auto services + + Example: auto services = fred lp colorlp + + + + + + + available (S) + This parameter lets you "turn off" a service. If + available = no, then ALL + attempts to connect to the service will fail. Such failures are + logged. + + Default: available = yes + + + + + + + + bind interfaces only (G) + This global parameter allows the Samba admin + to limit what interfaces on a machine will serve smb requests. If + affects file service smbd(8) and + name service nmbd(8) in slightly + different ways. + + For name service it causes nmbd to bind + to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd + also binds to the "all addresses" interface (0.0.0.0) + on ports 137 and 138 for the purposes of reading broadcast messages. + If this option is not set then nmbd will service + name requests on all of these sockets. If bind interfaces + only is set then nmbd will check the + source address of any packets coming in on the broadcast sockets + and discard any that don't match the broadcast addresses of the + interfaces in the interfaces parameter list. + As unicast packets are received on the other sockets it allows + nmbd to refuse to serve names to machines that + send packets that arrive through any interfaces not listed in the + interfaces list. IP Source address spoofing + does defeat this simple check, however so it must not be used + seriously as a security feature for nmbd. + + For file service it causes smbd(8) + to bind only to the interface list given in the + interfaces parameter. This restricts the networks that + smbd will serve to packets coming in those + interfaces. Note that you should not use this parameter for machines + that are serving PPP or other intermittent or non-broadcast network + interfaces as it will not cope with non-permanent interfaces. + + If bind interfaces only is set then + unless the network address 127.0.0.1 is added + to the interfaces parameter list smbpasswd(8) + and swat(8) may + not work as expected due to the reasons covered below. + + To change a users SMB password, the smbpasswd + by default connects to the localhost - 127.0.0.1 + address as an SMB client to issue the password change request. If + bind interfaces only is set then unless the + network address 127.0.0.1 is added to the + interfaces parameter list then + smbpasswd will fail to connect in it's default mode. + smbpasswd can be forced to use the primary IP interface + of the local host by using its + -r remote machine + parameter, with remote machine set + to the IP name of the primary interface of the local host. + + The swat status page tries to connect with + smbd and nmbd at the address + 127.0.0.1 to determine if they are running. + Not adding 127.0.0.1 will cause + smbd and nmbd to always show + "not running" even if they really are. This can prevent + swat from starting/stopping/restarting smbd + and nmbd. + + Default: bind interfaces only = no + + + + + + + + blocking locks (S) + This parameter controls the behavior of smbd(8) when given a request by a client + to obtain a byte range lock on a region of an open file, and the + request has a time limit associated with it. + + If this parameter is set and the lock range requested + cannot be immediately satisfied, Samba 2.2 will internally + queue the lock request, and periodically attempt to obtain + the lock until the timeout period expires. + + If this parameter is set to False, then + Samba 2.2 will behave as previous versions of Samba would and + will fail the lock request immediately if the lock range + cannot be obtained. + + Default: blocking locks = yes + + + + + + + + browsable (S) + See the + browseable. + + + + + + browse list (G) + This controls whether + smbd(8) will serve a browse list to + a client doing a NetServerEnum call. Normally + set to true. You should never need to change + this. + + Default: browse list = yes + + + + + + browseable (S) + This controls whether this share is seen in + the list of available shares in a net view and in the browse list. + + Default: browseable = yes + + + + + + + case sensitive (S) + See the discussion in the section NAME MANGLING. + + + + + + casesignames (S) + Synonym for case + sensitive. + + + + + + change notify timeout (G) + This SMB allows a client to tell a server to + "watch" a particular directory for any changes and only reply to + the SMB request when a change has occurred. Such constant scanning of + a directory is expensive under UNIX, hence an + smbd(8) daemon only performs such a scan + on each requested directory once every change notify + timeout seconds. + + Default: change notify timeout = 60 + Example: change notify timeout = 300 + + Would change the scan time to every 5 minutes. + + + + + + character set (G) + This allows a smbd to map incoming filenames + from a DOS Code page (see the client + code page parameter) to several built in UNIX character sets. + The built in code page translations are: + + + ISO8859-1 : Western European + UNIX character set. The parameter client code page + MUST be set to code page 850 if the + character set parameter is set to + ISO8859-1 in order for the conversion to the + UNIX character set to be done correctly. + + ISO8859-2 : Eastern European + UNIX character set. The parameter client code page + MUST be set to code page 852 if + the character set parameter is set + to ISO8859-2 in order for the conversion + to the UNIX character set to be done correctly. + + ISO8859-5 : Russian Cyrillic + UNIX character set. The parameter client code page + MUST be set to code page + 866 if the character set parameter is + set to ISO8859-5 in order for the conversion + to the UNIX character set to be done correctly. + + ISO8859-7 : Greek UNIX + character set. The parameter client code page + MUST be set to code page + 737 if the character set parameter is + set to ISO8859-7 in order for the conversion + to the UNIX character set to be done correctly. + + KOI8-R : Alternate mapping + for Russian Cyrillic UNIX character set. The parameter + client code page MUST + be set to code page 866 if the character set + parameter is set to KOI8-R in order for the + conversion to the UNIX character set to be done correctly. + + + + BUG. These MSDOS code page to UNIX character + set mappings should be dynamic, like the loading of MS DOS code pages, + not static. + + Normally this parameter is not set, meaning no filename + translation is done. + + Default: character set = <empty string> + Example: character set = ISO8859-1 + + + + + + client code page (G) + This parameter specifies the DOS code page + that the clients accessing Samba are using. To determine what code + page a Windows or DOS client is using, open a DOS command prompt + and type the command chcp. This will output + the code page. The default for USA MS-DOS, Windows 95, and + Windows NT releases is code page 437. The default for western + european releases of the above operating systems is code page 850. + + This parameter tells smbd(8) + which of the codepage.XXX + files to dynamically load on startup. These files, + described more fully in the manual page + make_smbcodepage(1), tell + smbd how to map lower to upper case characters to provide + the case insensitivity of filenames that Windows clients expect. + + Samba currently ships with the following code page files : + + + Code Page 437 - MS-DOS Latin US + Code Page 737 - Windows '95 Greek + Code Page 850 - MS-DOS Latin 1 + Code Page 852 - MS-DOS Latin 2 + Code Page 861 - MS-DOS Icelandic + Code Page 866 - MS-DOS Cyrillic + Code Page 932 - MS-DOS Japanese SJIS + Code Page 936 - MS-DOS Simplified Chinese + Code Page 949 - MS-DOS Korean Hangul + Code Page 950 - MS-DOS Traditional Chinese + + + Thus this parameter may have any of the values 437, 737, 850, 852, + 861, 932, 936, 949, or 950. If you don't find the codepage you need, + read the comments in one of the other codepage files and the + make_smbcodepage(1) man page and write one. Please + remember to donate it back to the Samba user community. + + This parameter co-operates with the valid + chars parameter in determining what characters are + valid in filenames and how capitalization is done. If you set both + this parameter and the valid chars parameter + the client code page parameter + MUST be set before the valid + chars parameter in the smb.conf + file. The valid chars string will then + augment the character settings in the client code page + parameter. + + If not set, client code page defaults + to 850. + + See also : valid + chars + + Default: client code page = 850 + Example: client code page = 936 + + + + + + codingsystem (G) + This parameter is used to determine how incoming + Shift-JIS Japanese characters are mapped from the incoming client code page + used by the client, into file names in the UNIX filesystem. + Only useful if client code page is set to + 932 (Japanese Shift-JIS). The options are : + + + SJIS - Shift-JIS. Does no + conversion of the incoming filename. + + JIS8, J8BB, J8BH, J8@B, + J8@J, J8@H - Convert from incoming Shift-JIS to eight + bit JIS code with different shift-in, shift out codes. + + JIS7, J7BB, J7BH, J7@B, J7@J, + J7@H - Convert from incoming Shift-JIS to seven bit + JIS code with different shift-in, shift out codes. + + JUNET, JUBB, JUBH, JU@B, JU@J, JU@H + - Convert from incoming Shift-JIS to JUNET code with different shift-in, + shift out codes. + + + EUC - Convert an incoming + Shift-JIS character to EUC code. + + HEX - Convert an incoming + Shift-JIS character to a 3 byte hex representation, i.e. + :AB. + + CAP - Convert an incoming + Shift-JIS character to the 3 byte hex representation used by + the Columbia AppleTalk Program (CAP), i.e. :AB. + This is used for compatibility between Samba and CAP. + + + + + + + + comment (S) + This is a text field that is seen next to a share + when a client does a queries the server, either via the network + neighborhood or via net view to list what shares + are available. + + If you want to set the string that is displayed next to the + machine name then see the + server string parameter. + + Default: No comment string + Example: comment = Fred's Files + + + + + + config file (G) + This allows you to override the config file + to use, instead of the default (usually smb.conf). + There is a chicken and egg problem here as this option is set + in the config file! + + For this reason, if the name of the config file has changed + when the parameters are loaded then it will reload them from + the new config file. + + This option takes the usual substitutions, which can + be very useful. + + If the config file doesn't exist then it won't be loaded + (allowing you to special case the config files of just a few + clients). + + Example: config file = /usr/local/samba/lib/smb.conf.%m + + + + + + + copy (S) + This parameter allows you to "clone" service + entries. The specified service is simply duplicated under the + current service's name. Any parameters specified in the current + section will override those in the section being copied. + + This feature lets you set up a 'template' service and + create similar services easily. Note that the service being + copied must occur earlier in the configuration file than the + service doing the copying. + + Default: none + Example: copy = otherservice + + + + + + create mask (S) + A synonym for this parameter is + create mode + . + + When a file is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX + permissions, and the resulting UNIX mode is then bit-wise 'AND'ed + with this parameter. This parameter may be thought of as a bit-wise + MASK for the UNIX modes of a file. Any bit not + set here will be removed from the modes set on a file when it is + created. + + The default value of this parameter removes the + 'group' and 'other' write and execute bits from the UNIX modes. + + Following this Samba will bit-wise 'OR' the UNIX mode created + from this parameter with the value of the force create mode + parameter which is set to 000 by default. + + This parameter does not affect directory modes. See the + parameter directory mode + for details. + + See also the force + create mode parameter for forcing particular mode + bits to be set on created files. See also the + directory mode" parameter for masking + mode bits on created directories. See also the + inherit permissions parameter. + + Default: create mask = 0744 + Example: create mask = 0775 + + + + + + create mode (S) + This is a synonym for + create mask. + + + + + + deadtime (G) + The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero. + + This is useful to stop a server's resources being + exhausted by a large number of inactive connections. + + Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users. + + Using this parameter with a timeout of a few minutes + is recommended for most systems. + + A deadtime of zero indicates that no auto-disconnection + should be performed. + + Default: deadtime = 0 + Example: deadtime = 15 + + + + + + debug hires timestamp (G) + Sometimes the timestamps in the log messages + are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp + message header when turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + + Default: debug hires timestamp = no + + + + + + + debug timestamp (G) + Samba 2.2 debug log messages are timestamped + by default. If you are running at a high + debug level these timestamps + can be distracting. This boolean parameter allows timestamping + to be turned off. + + Default: debug timestamp = yes + + + + + + debug pid (G) + When using only one log file for more then one + forked smbd-process there may be hard to follow which process + outputs which message. This boolean parameter is adds the process-id + to the timestamp message headers in the logfile when turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + + Default: debug pid = no + + + + + + debug uid (G) + Samba is sometimes run as root and sometime + run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers + in the log file if turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + + Default: debug uid = no + + + + + + debug level (G) + The value of the parameter (an integer) allows + the debug level (logging level) to be specified in the + smb.conf file. This is to give greater + flexibility in the configuration of the system. + + The default will be the debug level specified on + the command line or level zero if none was specified. + + Example: debug level = 3 + + + + + + default (G) + A synonym for + default service. + + + + + + default case (S) + See the section on + NAME MANGLING". Also note the + short preserve case" parameter. + + + + + + + default service (G) + This parameter specifies the name of a service + which will be connected to if the service actually requested cannot + be found. Note that the square brackets are NOT + given in the parameter value (see example below). + + There is no default value for this parameter. If this + parameter is not given, attempting to connect to a nonexistent + service results in an error. + + Typically the default service would be a + guest ok, + read-only service. + + Also note that the apparent service name will be changed + to equal that of the requested service, this is very useful as it + allows you to use macros like %S to make + a wildcard service. + + Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for + interesting things. + + + Example: + + + default service = pub + + [pub] + path = /%S + + + + + + + + delete user script (G) + This is the full pathname to a script that will + be run AS ROOT by + smbd(8) under special circumstances + decribed below. + + Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows + smbd to delete the required UNIX users ON + DEMAND when a user accesses the Samba server and the + Windows NT user no longer exists. + + In order to use this option, smbd must be + set to security=domain and delete + user script must be set to a full pathname for a script + that will delete a UNIX user given one argument of %u + , which expands into the UNIX user name to delete. + NOTE that this is different to the add user script + which will work with the security=server option + as well as security=domain. The reason for this + is only when Samba is a domain member does it get the information + on an attempted user logon that a user no longer exists. In the + security=server mode a missing user + is treated the same as an invalid password logon attempt. Deleting + the user in this circumstance would not be a good idea. + + When the Windows user attempts to access the Samba server, + at login (session setup in the SMB protocol) + time, smbd contacts the + password server and attempts to authenticate + the given user with the given password. If the authentication fails + with the specific Domain error code meaning that the user no longer + exists then smbd attempts to find a UNIX user in + the UNIX password database that matches the Windows user account. If + this lookup succeeds, and delete user script is + set then smbd will all the specified script + AS ROOT, expanding any %u + argument to be the user name to delete. + + This script should delete the given UNIX username. In this way, + UNIX users are dynamically deleted to match existing Windows NT + accounts. + + See also security=domain, + password server + , add user script + . + + Default: delete user script = <empty string> + + Example: delete user script = /usr/local/samba/bin/del_user + %u + + + + + + delete readonly (S) + This parameter allows readonly files to be deleted. + This is not normal DOS semantics, but is allowed by UNIX. + + This option may be useful for running applications such + as rcs, where UNIX file ownership prevents changing file + permissions, and DOS semantics prevent deletion of a read only file. + + Default: delete readonly = no + + + + + + delete veto files (S) + This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the veto files + option). If this option is set to False (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want. + + If this option is set to True, then Samba + will attempt to recursively delete any files and directories within + the vetoed directory. This can be useful for integration with file + serving systems such as NetAtalk which create meta-files within + directories you might normally veto DOS/Windows users from seeing + (e.g. .AppleDouble) + + Setting delete veto files = yes allows these + directories to be transparently deleted when the parent directory + is deleted (so long as the user has permissions to do so). + + See also the veto + files parameter. + + Default: delete veto files = no + + + + + + deny hosts (S) + Synonym for hosts + deny. + + + + + + dfree command (G) + The dfree command setting should + only be used on systems where a problem occurs with the internal + disk space calculations. This has been known to happen with Ultrix, + but may occur with other operating systems. The symptom that was + seen was an error of "Abort Retry Ignore" at the end of each + directory listing. + + This setting allows the replacement of the internal routines to + calculate the total disk space and amount available with an external + routine. The example below gives a possible script that might fulfill + this function. + + The external program will be passed a single parameter indicating + a directory in the filesystem being queried. This will typically consist + of the string ./. The script should return two + integers in ascii. The first should be the total disk space in blocks, + and the second should be the number of available blocks. An optional + third return value can give the block size in bytes. The default + blocksize is 1024 bytes. + + Note: Your script should NOT be setuid or + setgid and should be owned by (and writeable only by) root! + + Default: By default internal routines for + determining the disk capacity and remaining space will be used. + + + Example: dfree command = /usr/local/samba/bin/dfree + + + Where the script dfree (which must be made executable) could be: + + + #!/bin/sh + df $1 | tail -1 | awk '{print $2" "$4}' + + + or perhaps (on Sys V based systems): + + + #!/bin/sh + /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' + + + Note that you may have to replace the command names + with full path names on some systems. + + + + + + + + directory (S) + Synonym for path + . + + + + + + directory mask (S) + This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories. + + When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit not set + here will be removed from the modes set on a directory when it is + created. + + The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it. + + Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the force directory mode + parameter. This parameter is set to 000 by + default (i.e. no extra mode bits are added). + + See the force + directory mode parameter to cause particular mode + bits to always be set on created directories. + + See also the create mode + parameter for masking mode bits on created files, + and the directory + security mask parameter. + + Also refer to the + inherit permissions parameter. + + Default: directory mask = 0755 + Example: directory mask = 0775 + + + + + + + directory mode (S) + Synonym for + directory mask + + + + + + directory security mask (S) + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box. + + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. + + If not set explicitly this parameter is set to the same + value as the directory + mask parameter. To allow a user to + modify all the user/group/world permissions on a directory, set + this parameter to 0777. + + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0777. + + See also the + force directory security mode, security mask, + force security mode + parameters. + + Default: directory security mask = <same as + directory mask> + Example: directory security mask = 0777 + + + + + + + dns proxy (G) + Specifies that nmbd(8) + when acting as a WINS server and finding that a NetBIOS name has not + been registered, should treat the NetBIOS name word-for-word as a DNS + name and do a lookup with the DNS server for that name on behalf of + the name-querying client. + + Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be + 15 characters, maximum. + + nmbd spawns a second copy of itself to do the + DNS name lookup requests, as doing a name lookup is a blocking + action. + + See also the parameter + wins support. + + Default: dns proxy = yes + + + + + + domain admin group (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain admin users (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain groups (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + + domain guest group (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain guest users (G) + This is an EXPERIMENTAL parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list samba-ntdom available by + visiting the web page at + http://lists.samba.org/. + + + + + domain logons (G) + If set to true, the Samba server will serve + Windows 95/98 Domain logons for the + workgroup it is in. Samba 2.2 also + has limited capability to act as a domain controller for Windows + NT 4 Domains. For more details on setting up this feature see + the file DOMAINS.txt in the Samba documentation directory docs/ + shipped with the source code. + + Default: domain logons = no + + + + + + domain master (G) + Tell + nmbd(8) to enable WAN-wide browse list + collation. Setting this option causes nmbd to + claim a special domain specific NetBIOS name that identifies + it as a domain master browser for its given + workgroup. Local master browsers + in the same workgroup on broadcast-isolated + subnets will give this nmbd their local browse lists, + and then ask smbd(8) + for a complete copy of the browse list for the whole wide area + network. Browser clients will then contact their local master browser, + and will receive the domain-wide browse list, instead of just the list + for their broadcast-isolated subnet. + + Note that Windows NT Primary Domain Controllers expect to be + able to claim this workgroup specific special + NetBIOS name that identifies them as domain master browsers for + that workgroup by default (i.e. there is no + way to prevent a Windows NT PDC from attempting to do this). This + means that if this parameter is set and nmbd claims + the special name for a workgroup before a Windows + NT PDC is able to do so then cross subnet browsing will behave + strangely and may fail. + + Default: domain master = no + + + + + + dont descend (S) + There are certain directories on some systems + (e.g., the /proc tree under Linux) that are either not + of interest to clients or are infinitely deep (recursive). This + parameter allows you to specify a comma-delimited list of directories + that the server should always show as empty. + + Note that Samba can be very fussy about the exact format + of the "dont descend" entries. For example you may need + ./proc instead of just /proc. + Experimentation is the best policy :-) + + Default: none (i.e., all directories are OK + to descend) + Example: dont descend = /proc,/dev + + + + + + + dos filetime resolution (S) + Under the DOS and Windows FAT filesystem, the finest + granularity on time resolution is two seconds. Setting this parameter + for a share causes Samba to round the reported time down to the + nearest two second boundary when a query call that requires one second + resolution is made to smbd(8) + . + + This option is mainly used as a compatibility option for Visual + C++ when used against Samba shares. If oplocks are enabled on a + share, Visual C++ uses two different time reading calls to check if a + file has changed since it was last read. One of these calls uses a + one-second granularity, the other uses a two second granularity. As + the two second call rounds any odd second down, then if the file has a + timestamp of an odd number of seconds then the two timestamps will not + match and Visual C++ will keep reporting the file has changed. Setting + this option causes the two timestamps to match, and Visual C++ is + happy. + + Default: dos filetime resolution = no + + + + + + + dos filetimes (S) + Under DOS and Windows, if a user can write to a + file they can change the timestamp on it. Under POSIX semantics, + only the owner of the file or root may change the timestamp. By + default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user smbd is acting + on behalf of is not the file owner. Setting this option to + True allows DOS semantics and smbd will change the file + timestamp as DOS requires. + + Default: dos filetimes = no + + + + + + encrypt passwords (G) + This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the file ENCRYPTION.txt in the Samba documentation + directory docs/ shipped with the source code. + + In order for encrypted passwords to work correctly + smbd(8) must either + have access to a local smbpasswd(5) + file (see the + smbpasswd(8) program for information on how to set up + and maintain this file), or set the security=[serve|domain] parameter which + causes smbd to authenticate against another + server. + + Default: encrypt passwords = no + + + + + + exec (S) + This is a synonym for + preexec. + + + + + + fake directory create times (S) + NTFS and Windows VFAT file systems keep a create + time for all files and directories. This is not the same as the + ctime - status change time - that Unix keeps, so Samba by default + reports the earliest of the various times Unix does keep. Setting + this parameter for a share causes Samba to always report midnight + 1-1-1980 as the create time for directories. + + This option is mainly used as a compatibility option for + Visual C++ when used against Samba shares. Visual C++ generated + makefiles have the object directory as a dependency for each object + file, and a make rule to create the directory. Also, when NMAKE + compares timestamps it uses the creation time when examining a + directory. Thus the object directory will be created if it does not + exist, but once it does exist it will always have an earlier + timestamp than the object files it contains. + + However, Unix time semantics mean that the create time + reported by Samba will be updated whenever a file is created or + deleted in the directory. NMAKE therefore finds all object files + in the object directory bar the last one built are out of date + compared to the directory and rebuilds them. Enabling this option + ensures directories always predate their contents and an NMAKE build + will proceed as expected. + + Default: fake directory create times = no + + + + + + + fake oplocks (S) + Oplocks are the way that SMB clients get permission + from a server to locally cache file operations. If a server grants + an oplock (opportunistic lock) then the client is free to assume + that it is the only one accessing the file and it will aggressively + cache file data. With some oplock types the client may even cache + file open/close operations. This can give enormous performance benefits. + + + When you set fake oplocks = yes, smbd(8) will + always grant oplock requests no matter how many clients are using + the file. + + It is generally much better to use the real oplocks support rather + than this parameter. + + If you enable this option on all read-only shares or + shares that you know will only be accessed from one client at a + time such as physically read-only media like CDROMs, you will see + a big performance improvement on many operations. If you enable + this option on shares where multiple clients may be accessing the + files read-write at the same time you can get data corruption. Use + this option carefully! + + Default: fake oplocks = no + + + + + + follow symlinks (S) + This parameter allows the Samba administrator + to stop smbd(8) + from following symbolic links in a particular share. Setting this + parameter to no prevents any file or directory + that is a symbolic link from being followed (the user will get an + error). This option is very useful to stop users from adding a + symbolic link to /etc/passwd in their home + directory for instance. However it will slow filename lookups + down slightly. + + This option is enabled (i.e. smbd will + follow symbolic links) by default. + + Default: follow symlinks = yes + + + + + + force create mode (S) + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a + file by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the create mask + parameter is applied. + + See also the parameter create + mask for details on masking mode bits on files. + + See also the inherit + permissions parameter. + + Default: force create mode = 000 + Example: force create mode = 0755 + + would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + + + + + + force directory mode (S) + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter directory mask is + applied. + + See also the parameter + directory mask for details on masking mode bits + on created directories. + + See also the + inherit permissions parameter. + + Default: force directory mode = 000 + Example: force directory mode = 0755 + + would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + + + + + + force directory security mode (S) + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog box. + + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a directory, the user has always set to be 'on'. + + If not set explicitly this parameter is set to the same + value as the force + directory mode parameter. To allow + a user to modify all the user/group/world permissions on a + directory, with restrictions set this parameter to 000. + + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0000. + + See also the + directory security mask, + security mask, + force security mode + parameters. + + Default: force directory security mode = <same as + force directory mode> + Example: force directory security mode = 0 + + + + + + + + force group (S) + This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files. + + In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting force group = +sys means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group. + + If the force user + parameter is also set the group specified in + force group will override the primary group + set in force user. + + See also force + user. + + Default: no forced group + Example: force group = agroup + + + + + + + force security mode (S) + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog + box. + + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a file, the user has always set to be 'on'. + + If not set explicitly this parameter is set to the same + value as the force + create mode parameter. To allow a user to + modify all the user/group/world permissions on a file, with no + restrictions set this parameter to 000. + + Note that users who can access + the Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0000. + + See also the + force directory security mode, + directory security + mask, + security mask parameters. + + Default: force security mode = <same as force + create mode> + Example: force security mode = 0 + + + + + + + force user (S) + This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems. + + This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. + + This can be very useful. + + In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug). + + See also force group + + + Default: no forced user + Example: force user = auser + + + + + + + fstype (S) + This parameter allows the administrator to + configure the string that specifies the type of filesystem a share + is using that is reported by smbd(8) + when a client queries the filesystem type + for a share. The default type is NTFS for + compatibility with Windows NT but this can be changed to other + strings such as Samba or FAT + if required. + + Default: fstype = NTFS + Example: fstype = Samba + + + + + + getwd cache (G) + This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the wide links + parameter is set to False. + + Default: getwd cache = No + + + + + + + group (S) + Synonym for force + group. + + + + + + guest account (S) + This is a username which will be used for access + to services which are specified as + guest ok (see below). Whatever privileges this + ser has will be available to any client connecting to the guest service. + Typically this user will exist in the password file, but will not + have a valid login. The user account "ftp" is often a good choice + for this parameter. If a username is specified in a given service, + the specified username overrides this one. + + One some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + su - command) and trying to print using the + system print command such as lpr(1) or + lp(1). + + Default: specified at compile time, usually + "nobody" + + Example: guest account = ftp + + + + + + guest ok (S) + If this parameter is yes for + a service, then no password is equired to connect to the service. + Privileges will be those of the + guest account. + + See the section below on + security for more information about this option. + + + Default: guest ok = no + + + + + + guest only (S) + If this parameter is yes for + a service, then only guest connections to the service are permitted. + This parameter will have no affect if + guest ok is not set for the service. + + See the section below on + security for more information about this option. + + + Default: guest only = no + + + + + + hide dot files (S) + This is a boolean parameter that controls whether + files starting with a dot appear as hidden files. + + Default: hide dot files = yes + + + + + + hide files(S) + This is a list of files or directories that are not + visible but are accessible. The DOS 'hidden' attribute is applied + to any files or directories that match. + + Each entry in the list must be separated by a '/', + which allows spaces to be included in the entry. '*' + and '?' can be used to specify multiple files or directories + as in DOS wildcards. + + Each entry must be a Unix path, not a DOS path and must + not include the Unix directory separator '/'. + + Note that the case sensitivity option is applicable + in hiding files. + + Setting this parameter will affect the performance of Samba, + as it will be forced to check all files and directories for a match + as they are scanned. + + See also hide + dot files, + veto files and + case sensitive. + + Default: no file are hidden + Example: hide files = + /.*/DesktopFolderDB/TrashFor%m/resource.frk/ + + The above example is based on files that the Macintosh + SMB client (DAVE) available from + Thursby creates for internal use, and also still hides + all files beginning with a dot. + + + + + + hide local users(G) + This parameter toggles the hiding of local UNIX + users (root, wheel, floppy, etc) from remote clients. + + Default: hide local users = no + + + + + + homedir map (G) + Ifnis homedir + is True, and smbd(8) is also acting + as a Win95/98 logon server then this parameter + specifies the NIS (or YP) map from which the server for the user's + home directory should be extracted. At present, only the Sun + auto.home map format is understood. The form of the map is: + + username server:/some/file/system + + and the program will extract the servername from before + the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another + automounter) maps. + + NOTE :A working NIS client is required on + the system for this option to work. + + See also nis homedir + , domain logons + . + + Default: homedir map = auto.home + Example: homedir map = amd.homedir + + + + + + + hosts allow (S) + A synonym for this parameter is allow + hosts. + + This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service. + + If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting. + + You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like allow hosts = 150.203.5. + . The full syntax of the list is described in the man + page hosts_access(5). Note that this man + page may not be present on your system, so a brief description will + be given here also. + + Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a hosts deny option. + + You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + EXCEPT keyword can also be used to limit a + wildcard list. The following examples may provide some help: + + Example 1: allow all IPs in 150.203.*.*; except one + + hosts allow = 150.203. EXCEPT 150.203.6.66 + + Example 2: allow hosts that match the given network/netmask + + hosts allow = 150.203.15.0/255.255.255.0 + + Example 3: allow a couple of hosts + + hosts allow = lapland, arvidsjaur + + Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host + + hosts allow = @foonet + + hosts deny = pirate + + Note that access still requires suitable user-level passwords. + + See testparm(1) + for a way of testing your host access to see if it does + what you expect. + + Default: none (i.e., all hosts permitted access) + + + Example: allow hosts = 150.203.5. myhost.mynet.edu.au + + + + + + + + hosts deny (S) + The opposite of hosts allow + - hosts listed here are NOT permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the allow + list takes precedence. + + Default: none (i.e., no hosts specifically excluded) + + + Example: hosts deny = 150.203.4. badhost.mynet.edu.au + + + + + + + hosts equiv (G) + If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. + + + This is not be confused with + hosts allow which is about hosts + access to services and is more useful for guest services. + hosts equiv may be useful for NT clients which will + not supply passwords to samba. + + NOTE : The use of hosts equiv + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + hosts equiv option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you really trust + them :-). + + Default: no host equivalences + Example: hosts equiv = /etc/hosts.equiv + + + + + + + include (G) + This allows you to include one config file + inside another. The file is included literally, as though typed + in place. + + It takes the standard substitutions, except %u + , %P and %S. + + + Default: no file included + Example: include = /usr/local/samba/lib/admin_smb.conf + + + + + + + inherit permissions (S) + The permissions on new files and directories + are normally governed by + create mask, + directory mask, force create mode + and force + directory mode but the boolean inherit + permissions parameter overrides this. + + New directories inherit the mode of the parent directory, + including bits such as setgid. + + New files inherit their read/write bits from the parent + directory. Their execute bits continue to be determined by + map archive + , map hidden + and map system + as usual. + + Note that the setuid bit is never set via + inheritance (the code explicitly prohibits this). + + This can be particularly useful on large systems with + many users, perhaps several thousand,to allow a single [homes] + share to be used flexibly by each user. + + See also create mask + , + directory mask, + force create mode and force directory mode + . + + Default: inherit permissions = no + + + + + + + interfaces (G) + This option allows you to override the default + network interfaces list that Samba will use for browsing, name + registration and other NBT traffic. By default Samba will query + the kernel for the list of all active interfaces and use any + interfaces except 127.0.0.1 that are broadcast capable. + + The option takes a list of interface strings. Each string + can be in any of the following forms: + + + a network interface name (such as eth0). + This may include shell-like wildcards so eth* will match + any interface starting with the substring "eth" + + an IP address. In this case the netmask is + determined from the list of interfaces obtained from the + kernel + + an IP/mask pair. + + a broadcast/mask pair. + + + The "mask" parameters can either be a bit length (such + as 24 for a C class network) or a full netmask in dotted + decmal form. + + The "IP" parameters above can either be a full dotted + decimal IP address or a hostname which will be looked up via + the OSes normal hostname resolution mechanisms. + + For example, the following line: + + interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 + + + would configure three network interfaces corresponding + to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. + The netmasks of the latter two interfaces would be set to 255.255.255.0. + + See also bind + interfaces only. + + + + + + invalid users (S) + This is a list of users that should not be allowed + to login to this service. This is really a paranoid + check to absolutely ensure an improper setting does not breach + your security. + + A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database. + + A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value +&group means check the + UNIX group database, followed by the NIS netgroup database, and + the value &+group" means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix). + + The current servicename is substituted for %S. + This is useful in the [homes] section. + + See also valid users + . + + Default: no invalid users + Example: invalid users = root fred admin @wheel + + + + + + + + keepalive (G) + The value of the parameter (an integer) represents + the number of seconds between keepalive + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding. + + Keepalives should, in general, not be needed if the socket + being used has the SO_KEEPALIVE attribute set on it (see socket options). + Basically you should only use this option if you strike difficulties. + + Default: keepalive = 0 + Example: keepalive = 60 + + + + + + + kernel oplocks (G) + For UNIXs that support kernel based oplocks + (currently only IRIX and the Linux 2.4 kernel), this parameter + allows the use of them to be turned on or off. + + Kernel oplocks support allows Samba oplocks + to be broken whenever a local UNIX process or NFS operation + accesses a file that smbd(8) + has oplocked. This allows complete data consistency between + SMB/CIFS, NFS and local file access (and is a very + cool feature :-). + + This parameter defaults to on on systems + that have the support, and off on systems that + don't. You should never need to touch this parameter. + + See also the oplocks + and level2 oplocks + parameters. + + Default: kernel oplocks = yes + + + + + + + level2 oplocks (S) + This parameter controls whether Samba supports + level2 (read-only) oplocks on a share. + + Level2, or read-only oplocks allow Windows NT clients + that have an oplock on a file to downgrade from a read-write oplock + to a read-only oplock once a second client opens the file (instead + of releasing all oplocks on a second open, as in traditional, + exclusive oplocks). This allows all openers of the file that + support level2 oplocks to cache the file for read-ahead only (ie. + they may not cache writes or lock requests) and increases performance + for many acesses of files that are not commonly written (such as + application .EXE files). + + Once one of the clients which have a read-only oplock + writes to the file all clients are notified (no reply is needed + or waited for) and told to break their oplocks to "none" and + delete any read-ahead caches. + + It is recommended that this parameter be turned on + to speed access to shared executables (and also to test + the code :-). + + For more discussions on level2 oplocks see the CIFS spec. + + Currently, if kernel + oplocks are supported then level2 oplocks are + not granted (even if this parameter is set to yes). + Note also, the oplocks + parameter must be set to "true" on this share in order for + this parameter to have any effect. + + See also the oplocks + and kernel oplocks + parameters. + + Default: level2 oplocks = False + + + + + + + lm announce (G) + This parameter determines if + nmbd(8) will produce Lanman announce + broadcasts that are needed by OS/2 clients in order for them to see + the Samba server in their browse list. This parameter can have three + values, true, false, or + auto. The default is auto. + If set to false Samba will never produce these + broadcasts. If set to true Samba will produce + Lanman announce broadcasts at a frequency set by the parameter + lm interval. If set to auto + Samba will not send Lanman announce broadcasts by default but will + listen for them. If it hears such a broadcast on the wire it will + then start sending them at a frequency set by the parameter + lm interval. + + See also lm interval + . + + Default: lm announce = auto + Example: lm announce = true + + + + + + + lm interval (G) + If Samba is set to produce Lanman announce + broadcasts needed by OS/2 clients (see the + lm announce parameter) then this + parameter defines the frequency in seconds with which they will be + made. If this is set to zero then no Lanman announcements will be + made despite the setting of the lm announce + parameter. + + See also lm + announce. + + Default: lm interval = 60 + Example: lm interval = 120 + + + + + + + load printers (G) + A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the printers section for + more details. + + Default: load printers = yes + + + + + + + local master (G) + This option allows + nmbd(8) to try and become a local master browser + on a subnet. If set to False then + nmbd will not attempt to become a local master browser + on a subnet and will also lose in all browsing elections. By + default this value is set to true. Setting this value to true doesn't + mean that Samba will become the local master + browser on a subnet, just that nmbd will + participate in elections for local master browser. + + Setting this value to False will cause nmbd + never to become a local master browser. + + Default: local master = yes + + + + + + + lock dir (G) + Synonym for + lock directory. + + + + + + lock directory (G) + This option specifies the directory where lock + files will be placed. The lock files are used to implement the + max connections + option. + + Default: lock directory = /tmp/samba + Example: lock directory = /usr/local/samba/var/locks + + + + + + + locking (S) + This controls whether or not locking will be + performed by the server in response to lock requests from the + client. + + If locking = no, all lock and unlock requests + will appear to succeed and all lock queries will indicate that the + queried lock is clear. + + If locking = yes, real locking will be performed + by the server. + + This option may be useful for read-only + filesystems which may not need locking (such as + cdrom drives), although setting this parameter of no + is not really recommended even in this case. + + Be careful about disabling locking either globally or in a + specific service, as lack of locking may result in data corruption. + You should never need to set this parameter. + + Default: locking = yes + + + + + + + log file (G) + This options allows you to override the name + of the Samba log file (also known as the debug file). + + This option takes the standard substitutions, allowing + you to have separate log files for each user or machine. + + Example: log file = /usr/local/samba/var/log.%m + + + + + + + log level (G) + Synonym for + debug level. + + + + + + + logon drive (G) + This parameter specifies the local path to + which the home directory will be connected (see logon home) + and is only used by NT Workstations. + + Note that this option is only useful if Samba is set up as a + logon server. + + Default: logon drive = z: + Example: logon drive = h: + + + + + + + logon home (G) + This parameter specifies the home directory + location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do + + C:\> NET USE H: /HOME + + + from a command prompt, for example. + + This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine. + + This parameter can be used with Win9X workstations to ensure + that roaming profiles are stored in a subdirectory of the user's + home directory. This is done in the following way: + + logon home = \\%L\%U\profile + + This tells Samba to return the above string, with + substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to + \\server\share when a user does net use /home" + but use the whole string when dealing with profiles. + + Note that in prior versions of Samba, the + logon path was returned rather than + logon home. This broke net use + /home but allowed profiles outside the home directory. + The current implementation is correct, and can be used for + profiles if you use the above trick. + + This option is only useful if Samba is set up as a logon + server. + + Default: logon home = "\\%N\%U" + Example: logon home = "\\remote_smb_server\%U" + + + + + + logon path (G) + This parameter specifies the home directory + where roaming profiles (NTuser.dat etc files for Windows NT) are + stored. Contrary to previous versions of these manual pages, it has + nothing to do with Win 9X roaming profiles. To find out how to + handle roaming profiles for Win 9X system, see the + logon home parameter. + + This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine. It also + specifies the directory from which the "Application Data", + (desktop, start menu, + network neighborhood, programs + and other folders, and their contents, are loaded and displayed on + your Windows NT client. + + The share and the path must be readable by the user for + the preferences and directories to be loaded onto the Windows NT + client. The share must be writeable when the logs in for the first + time, in order that the Windows NT client can create the NTuser.dat + and other directories. + + Thereafter, the directories and any of the contents can, + if required, be made read-only. It is not advisable that the + NTuser.dat file be made read-only - rename it to NTuser.man to + achieve the desired effect (a MANdatory + profile). + + Windows clients can sometimes maintain a connection to + the [homes] share, even though there is no user logged in. + Therefore, it is vital that the logon path does not include a + reference to the homes share (i.e. setting this parameter to + \%N\%U\profile_path will cause problems). + + This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine. + + Note that this option is only useful if Samba is set up + as a logon server. + + Default: logon path = \\%N\%U\profile + Example: logon path = \\PROFILESERVER\PROFILE\%U + + + + + + + logon script (G) + This parameter specifies the batch file (.bat) or + NT command file (.cmd) to be downloaded and run on a machine when + a user successfully logs in. The file must contain the DOS + style cr/lf line endings. Using a DOS-style editor to create the + file is recommended. + + The script must be a relative path to the [netlogon] + service. If the [netlogon] service specifies a + path of /usr/local/samba/netlogon + , and logon script = STARTUP.BAT, then + the file that will be downloaded is: + + /usr/local/samba/netlogon/STARTUP.BAT + + The contents of the batch file is entirely your choice. A + suggested command would be to add NET TIME \\SERVER /SET + /YES, to force every machine to synchronize clocks with + the same time server. Another use would be to add NET USE + U: \\SERVER\UTILS for commonly used utilities, or + NET USE Q: \\SERVER\ISO9001_QA for example. + + Note that it is particularly important not to allow write + access to the [netlogon] share, or to grant users write permission + on the batch files in a secure environment, as this would allow + the batch files to be arbitrarily modified and security to be + breached. + + This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine. + + This option is only useful if Samba is set up as a logon + server. + + Default: no logon script defined + Example: logon script = scripts\%U.bat + + + + + + + lppause command (S) + This parameter specifies the command to be + executed on the server host in order to stop printing or spooling + a specific print job. + + This command should be a program or script which takes + a printer name and job number to pause the print job. One way + of implementing this is by using job priorities, where jobs + having a too low priority won't be sent to the printer. + + If a %p is given then the printername + is put in its place. A %j is replaced with + the job number (an integer). On HPUX (see printing=hpux + ), if the -p%p option is added + to the lpq command, the job will show up with the correct status, i.e. + if the job priority is lower than the set fence priority it will + have the PAUSED status, whereas if the priority is equal or higher it + will have the SPOOLED or PRINTING status. + + Note that it is good practice to include the absolute path + in the lppause command as the PATH may not be available to the server. + + See also the printing + parameter. + + Default: Currently no default value is given to + this string, unless the value of the printing + parameter is SYSV, in which case the default is : + + lp -i %p-%j -H hold + + or if the value of the printing parameter + is SOFTQ, then the default is: + + qstat -s -j%j -h + + Example for HPUX: lppause command = /usr/bin/lpalt + %p-%j -p0 + + + + + + + lpq cache time (G) + This controls how long lpq info will be cached + for to prevent the lpq command being called too + often. A separate cache is kept for each variation of the + lpq command used by the system, so if you use different + lpq commands for different users then they won't + share cache information. + + The cache files are stored in /tmp/lpq.xxxx + where xxxx is a hash of the lpq command in use. + + The default is 10 seconds, meaning that the cached results + of a previous identical lpq command will be used + if the cached data is less than 10 seconds old. A large value may + be advisable if your lpq command is very slow. + + A value of 0 will disable caching completely. + + See also the printing + parameter. + + Default: lpq cache time = 10 + Example: lpq cache time = 30 + + + + + + + lpq command (S) + This parameter specifies the command to be + executed on the server host in order to obtain lpq + -style printer status information. + + This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information. + + Currently eight styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the printing = option. + + Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid. + + If a %p is given then the printername + is put in its place. Otherwise it is placed at the end of the + command. + + Note that it is good practice to include the absolute path + in the lpq command as the PATH may not be + available to the server. + + See also the printing + parameter. + + Default: depends on the setting of + printing + + Example: lpq command = /usr/bin/lpq %p + + + + + + + lpresume command (S) + This parameter specifies the command to be + executed on the server host in order to restart or continue + printing or spooling a specific print job. + + This command should be a program or script which takes + a printer name and job number to resume the print job. See + also the lppause command + parameter. + + If a %p is given then the printername + is put in its place. A %j is replaced with + the job number (an integer). + + Note that it is good practice to include the absolute path + in the lpresume command as the PATH may not + be available to the server. + + See also the printing + parameter. + + Default: Currently no default value is given + to this string, unless the value of the printing + parameter is SYSV, in which case the default is : + + lp -i %p-%j -H resume + + or if the value of the printing parameter + is SOFTQ, then the default is: + + qstat -s -j%j -r + + Example for HPUX: lpresume command = /usr/bin/lpalt + %p-%j -p2 + + + + + + + lprm command (S) + This parameter specifies the command to be + executed on the server host in order to delete a print job. + + This command should be a program or script which takes + a printer name and job number, and deletes the print job. + + If a %p is given then the printername + is put in its place. A %j is replaced with + the job number (an integer). + + Note that it is good practice to include the absolute + path in the lprm command as the PATH may not be + available to the server. + + See also the printing + parameter. + + Default: depends on the setting of printing + + + Example 1: lprm command = /usr/bin/lprm -P%p %j + + Example 2: lprm command = /usr/bin/cancel %p-%j + + + + + + + machine password timeout (G) + If a Samba server is a member of an Windows + NT Domain (see the security=domain) + parameter) then periodically a running + smbd(8) process will try and change the MACHINE ACCOUNT + PASSWORD stored in the TDB called private/secrets.tdb + . This parameter specifies how often this password + will be changed, in seconds. The default is one week (expressed in + seconds), the same as a Windows NT Domain member server. + + See also smbpasswd(8) + , and the + security=domain) parameter. + + Default: machine password timeout = 604800 + + + + + + magic output (S) + This parameter specifies the name of a file + which will contain output created by a magic script (see the + magic script + parameter below). + + Warning: If two clients use the same magic script + in the same directory the output file content + is undefined. + + Default: magic output = <magic script name>.out + + + Example: magic output = myfile.txt + + + + + + + magic script (S) + This parameter specifies the name of a file which, + if opened, will be executed by the server when the file is closed. + This allows a UNIX script to be sent to the Samba host and + executed on behalf of the connected user. + + Scripts executed in this way will be deleted upon + completion, permissions permitting. + + If the script generates output, output will be sent to + the file specified by the + magic output parameter (see above). + + Note that some shells are unable to interpret scripts + containing carriage-return-linefeed instead of linefeed as + the end-of-line marker. Magic scripts must be executable + as is on the host, which for some hosts and + some shells will require filtering at the DOS end. + + Magic scripts are EXPERIMENTAL and + should NOT be relied upon. + + Default: None. Magic scripts disabled. + Example: magic script = user.csh + + + + + + + mangle case (S) + See the section on + NAME MANGLING + + + + + + mangled map (S) + This is for those who want to directly map UNIX + file names which can not be represented on Windows/DOS. The mangling + of names is not always what is needed. In particular you may have + documents with file extensions that differ between DOS and UNIX. + For example, under UNIX it is common to use .html + for HTML files, whereas under Windows/DOS .htm + is more commonly used. + + So to map html to htm + you would use: + + mangled map = (*.html *.htm) + + One very useful case is to remove the annoying ;1 + off the ends of filenames on some CDROMS (only visible + under some UNIXs). To do this use a map of (*;1 *;). + + Default: no mangled map + Example: mangled map = (*;1 *;) + + + + + + mangled names (S) + This controls whether non-DOS names under UNIX + should be mapped to DOS-compatible names ("mangled") and made visible, + or whether non-DOS names should simply be ignored. + + See the section on + NAME MANGLING for details on how to control the mangling process. + + If mangling is used then the mangling algorithm is as follows: + + + The first (up to) five alphanumeric characters + before the rightmost dot of the filename are preserved, forced + to upper case, and appear as the first (up to) five characters + of the mangled name. + + A tilde "~" is appended to the first part of the mangled + name, followed by a two-character unique sequence, based on the + original root name (i.e., the original filename minus its final + extension). The final extension is included in the hash calculation + only if it contains any upper case characters or is longer than three + characters. + + Note that the character to use may be specified using + the mangling char + option, if you don't like '~'. + + The first three alphanumeric characters of the final + extension are preserved, forced to upper case and appear as the + extension of the mangled name. The final extension is defined as that + part of the original filename after the rightmost dot. If there are no + dots in the filename, the mangled name will have no extension (except + in the case of "hidden files" - see below). + + Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores). + + + The two-digit hash value consists of upper case + alphanumeric characters. + + This algorithm can cause name collisions only if files + in a directory share the same first five alphanumeric characters. + The probability of such a clash is 1/1300. + + The name mangling (if enabled) allows a file to be + copied between UNIX directories from Windows/DOS while retaining + the long UNIX filename. UNIX files can be renamed to a new extension + from Windows/DOS and will retain the same basename. Mangled names + do not change between sessions. + + Default: mangled names = yes + + + + + + + mangling char (S) + This controls what character is used as + the magic character in name mangling. The default is a '~' + but this may interfere with some software. Use this option to set + it to whatever you prefer. + + Default: mangling char = ~ + Example: mangling char = ^ + + + + + + + mangled stack (G) + This parameter controls the number of mangled names + that should be cached in the Samba server + smbd(8). + + This stack is a list of recently mangled base names + (extensions are only maintained if they are longer than 3 characters + or contains upper case characters). + + The larger this value, the more likely it is that mangled + names can be successfully converted to correct long UNIX names. + However, large stack sizes will slow most directory access. Smaller + stacks save memory in the server (each stack element costs 256 bytes). + + + It is not possible to absolutely guarantee correct long + file names, so be prepared for some surprises! + + Default: mangled stack = 50 + Example: mangled stack = 100 + + + + + + + map archive (S) + This controls whether the DOS archive attribute + should be mapped to the UNIX owner execute bit. The DOS archive bit + is set when a file has been modified since its last backup. One + motivation for this option it to keep Samba/your PC from making + any file it touches from becoming executable under UNIX. This can + be quite annoying for shared source code, documents, etc... + + Note that this requires the create mask + parameter to be set such that owner execute bit is not masked out + (i.e. it must include 100). See the parameter + create mask for details. + + Default: map archive = yes + + + + + + + map hidden (S) + This controls whether DOS style hidden files + should be mapped to the UNIX world execute bit. + + Note that this requires the create mask + to be set such that the world execute bit is not masked out (i.e. + it must include 001). See the parameter + create mask for details. + + Default: map hidden = no + + + + + + map system (S) + This controls whether DOS style system files + should be mapped to the UNIX group execute bit. + + Note that this requires the create mask + to be set such that the group execute bit is not masked out (i.e. + it must include 010). See the parameter + create mask for details. + + Default: map system = no + + + + + + map to guest (G) + This parameter is only useful in + security modes other than security=share + - i.e. user, server, + and domain. + + This parameter can take three different values, which tell + smbd(8) what to do with user + login requests that don't match a valid UNIX user in some way. + + The three settings are : + + + Never - Means user login + requests with an invalid password are rejected. This is the + default. + + Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the + guest account. + + Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the guest account. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as a "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-). + + + Note that this parameter is needed to set up "Guest" + share services when using security modes other than + share. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. + + For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the + GUEST_SESSSETUP value in local.h. + + Default: map to guest = Never + Example: map to guest = Bad User + + + + + + + max connections (S) + This option allows the number of simultaneous + connections to a service to be limited. If max connections + is greater than 0 then connections will be refused if + this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made. + + Record lock files are used to implement this feature. The + lock files will be stored in the directory specified by the lock directory + option. + + Default: max connections = 0 + Example: max connections = 10 + + + + + + + max disk size (G) + This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size. + + Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in max + disk size. + + This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size. + + A max disk size of 0 means no limit. + + Default: max disk size = 0 + Example: max disk size = 1000 + + + + + + + max log size (G) + This option (an integer in kilobytes) specifies + the max size the log file should grow to. Samba periodically checks + the size and if it is exceeded it will rename the file, adding + a .old extension. + + A size of 0 means no limit. + + Default: max log size = 5000 + Example: max log size = 1000 + + + + + + + max mux (G) + This option controls the maximum number of + outstanding simultaneous SMB operations that samba tells the client + it will allow. You should never need to set this parameter. + + Default: max mux = 50 + + + + + + + max open files (G) + This parameter limits the maximum number of + open files that one smbd(8) file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file. + + The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter. + + Default: max open files = 10000 + + + + + + + max ttl (G) + This option tells nmbd(8) + what the default 'time to live' of NetBIOS names should be (in seconds) + when nmbd is requesting a name using either a + broadcast packet or from a WINS server. You should never need to + change this parameter. The default is 3 days. + + Default: max ttl = 259200 + + + + + + + max wins ttl (G) + This option tells nmbd(8) + when acting as a WINS server ( + wins support=yes) what the maximum + 'time to live' of NetBIOS names that nmbd + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds). + + See also the min + wins ttl" parameter. + + Default: max wins ttl = 518400 + + + + + + + max xmit (G) + This option controls the maximum packet size + that will be negotiated by Samba. The default is 65535, which + is the maximum. In some cases you may find you get better performance + with a smaller value. A value below 2048 is likely to cause problems. + + + Default: max xmit = 65535 + Example: max xmit = 8192 + + + + + + + message command (G) + This specifies what command to run when the + server receives a WinPopup style message. + + This would normally be a command that would + deliver the message somehow. How this is to be done is + up to your imagination. + + An example is: + + message command = csh -c 'xedit %s;rm %s' & + + + This delivers the message using xedit, then + removes it afterwards. NOTE THAT IT IS VERY IMPORTANT + THAT THIS COMMAND RETURN IMMEDIATELY. That's why I + have the '&' on the end. If it doesn't return immediately then + your PCs may freeze when sending messages (they should recover + after 30secs, hopefully). + + All messages are delivered as the global guest user. + The command takes the standard substitutions, although + %u won't work (%U may be better + in this case). + + Apart from the standard substitutions, some additional + ones apply. In particular: + + + %s = the filename containing + the message. + + %t = the destination that + the message was sent to (probably the server name). + + %f = who the message + is from. + + + You could make this command send mail, or whatever else + takes your fancy. Please let us know of any really interesting + ideas you have. + + + Here's a way of sending the messages as mail to root: + + message command = /bin/mail -s 'message from %f on + %m' root < %s; rm %s + + If you don't have a message command then the message + won't be delivered and Samba will tell the sender there was + an error. Unfortunately WfWg totally ignores the error code + and carries on regardless, saying that the message was delivered. + + + If you want to silently delete it then try: + + message command = rm %s + + Default: no message command + Example: message command = csh -c 'xedit %s; + rm %s' & + + + + + + + min print space (S) + This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job. + + See also the printing + parameter. + + Default: min print space = 0 + Example: min print space = 2000 + + + + + + + min passwd length (G) + Synonym for + min password length. + + + + + + + min password length (G) + This option sets the minimum length in characters + of a plaintext password than smbd will accept when performing + UNIX password changing. + + See also unix + password sync, + passwd program and passwd chat debug + . + + Default: min password length = 5 + + + + + + min wins ttl (G) + This option tells nmbd(8) + when acting as a WINS server ( + wins support = yes) what the minimum 'time to live' + of NetBIOS names that nmbd will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds). + + Default: min wins ttl = 21600 + + + + + + + name resolve order (G) + This option is used by the programs in the Samba + suite to determine what naming services and in what order to resolve + host names to IP addresses. The option takes a space separated + string of different name resolution options. + + The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows : + + + lmhosts : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the lmhosts(5) for details) then + any name type matches for lookup. + + host : Do a standard host + name to IP address resolution, using the system /etc/hosts + , NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the /etc/nsswitch.conf + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored. + + wins : Query a name with + the IP address listed in the + wins server parameter. If no WINS server has + been specified this method will be ignored. + + bcast : Do a broadcast on + each of the known local interfaces listed in the interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet. + + + Default: name resolve order = lmhosts host wins bcast + + Example: name resolve order = lmhosts bcast host + + + This will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup. + + + + + + + + netbios aliases (G) + This is a list of NetBIOS names that nmbd(8) will advertise as additional + names by which the Samba server is known. This allows one machine + to appear in browse lists under multiple names. If a machine is + acting as a browse server or logon server none + of these names will be advertised as either browse server or logon + servers, only the primary name of the machine will be advertised + with these capabilities. + + See also netbios + name. + + Default: empty string (no additional names) + Example: netbios aliases = TEST TEST1 TEST2 + + + + + + + netbios name (G) + This sets the NetBIOS name by which a Samba + server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or + logon server this name (or the first component + of the hosts DNS name) will be the name that these services are + advertised under. + + See also netbios + aliases. + + Default: machine DNS name + Example: netbios name = MYNAME + + + + + + + netbios scope (G) + This sets the NetBIOS scope that Samba will + operate under. This should not be set unless every machine + on your LAN also sets this value. + + + + + + nis homedir (G) + Get the home share server from a NIS map. For + UNIX systems that use an automounter, the user's home directory + will often be mounted on a workstation on demand from a remote + server. + + When the Samba logon server is not the actual home directory + server, but is mounting the home directories via NFS then two + network hops would be required to access the users home directory + if the logon server told the client to use itself as the SMB server + for home directories (one over SMB and one over NFS). This can + be very slow. + + This option allows Samba to return the home share as + being on a different server to the logon server and as + long as a Samba daemon is running on the home directory server, + it will be mounted on the Samba client directly from the directory + server. When Samba is returning the home share to the client, it + will consult the NIS map specified in + homedir map and return the server + listed there. + + Note that for this option to work there must be a working + NIS system and the Samba server with this option must also + be a logon server. + + Default: nis homedir = no + + + + + + + nt acl support (G) + This boolean parameter controls whether + smbd(8) will attempt to map + UNIX permissions into Windows NT access control lists. + + Default: nt acl support = yes + + + + + + + nt pipe support (G) + This boolean parameter controls whether + smbd(8) will allow Windows NT + clients to connect to the NT SMB specific IPC$ + pipes. This is a developer debugging option and can be left + alone. + + Default: nt pipe support = yes + + + + + + + nt smb support (G) + This boolean parameter controls whether smbd(8) will negotiate NT specific SMB + support with Windows NT clients. Although this is a developer + debugging option and should be left alone, benchmarking has discovered + that Windows NT clients give faster performance with this option + set to no. This is still being investigated. + If this option is set to no then Samba offers + exactly the same SMB calls that versions prior to Samba 2.0 offered. + This information may be of use if any users are having problems + with NT SMB support. + + Default: nt support = yes + + + + + + + null passwords (G) + Allow or disallow client access to accounts + that have null passwords. + + See also smbpasswd (5). + + Default: null passwords = no + + + + + + ole locking compatibility (G) + This parameter allows an administrator to turn + off the byte range lock manipulation that is done within Samba to + give compatibility for OLE applications. Windows OLE applications + use byte range locking as a form of inter-process communication, by + locking ranges of bytes around the 2^32 region of a file range. This + can cause certain UNIX lock managers to crash or otherwise cause + problems. Setting this parameter to no means you + trust your UNIX lock manager to handle such cases correctly. + + Default: ole locking compatibility = yes + + + + + + + only guest (S) + A synonym for + guest only. + + + + + + + only user (S) + This is a boolean option that controls whether + connections with usernames not in the user + list will be allowed. By default this option is disabled so a client + can supply a username to be used by the server. + + Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use user = + %S which means your user list + will be just the service name, which for home directories is the + name of the user. + + See also the user + parameter. + + Default: only user = no + + + + + + + oplocks (S) + This boolean option tells smbd whether to + issue oplocks (opportunistic locks) to file open requests on this + share. The oplock code can dramatically (approx. 30% or more) improve + the speed of access to files on Samba servers. It allows the clients + to aggressively cache files ocally and you may want to disable this + option for unreliable network environments (it is turned on by + default in Windows NT Servers). For more information see the file + Speed.txt in the Samba docs/ + directory. + + Oplocks may be selectively turned off on certain files on + a per share basis. See the + veto oplock files parameter. On some systems + oplocks are recognized by the underlying operating system. This + allows data synchronization between all access to oplocked files, + whether it be via Samba or NFS or a local UNIX process. See the + kernel oplocks parameter for details. + + See also the kernel + oplocks and + level2 oplocks parameters. + + Default: oplocks = yes + + + + + + + oplock break wait time (G) + This is a tuning parameter added due to bugs in + both Windows 9x and WinNT. If Samba responds to a client too + quickly when that client issues an SMB that can cause an oplock + break request, then the client redirector can fail and not respond + to the break request. This tuning parameter (which is set in milliseconds) + is the amount of time Samba will wait before sending an oplock break + request to such (broken) clients. + + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE. + + Default: oplock break wait time = 10 + + + + + + oplock contention limit (S) + This is a very advanced + smbd(8) tuning option to + improve the efficiency of the granting of oplocks under multiple + client contention for the same file. + + In brief it specifies a number, which causes smbd not to + grant an oplock even when requested if the approximate number of + clients contending for an oplock on the same file goes over this + limit. This causes smbd to behave in a similar + way to Windows NT. + + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE. + + Default: oplock contention limit = 2 + + + + + + os level (G) + This integer value controls what level Samba + advertises itself as for browse elections. The value of this + parameter determines whether nmbd(8) + has a chance of becoming a local master browser for the + WORKGROUP in the local broadcast area. The default is + zero, which means nmbd will lose elections to + Windows machines. See BROWSING.txt in the + Samba docs/ directory for details. + + Default: os level = 20 + Example: os level = 65 + + + + + + + panic action (G) + This is a Samba developer option that allows a + system command to be called when either + smbd(8) or nmbd(8) + crashes. This is usually used to draw attention to the fact that + a problem occurred. + + Default: panic action = <empty string> + Example: panic action = "/bin/sleep 90000" + + + + + + passwd chat (G) + This string controls the "chat" + conversation that takes places between smbd and the local password changing + program to change the users password. The string describes a + sequence of response-receive pairs that + smbd(8) uses to determine what to send to the + passwd program + and what to expect back. If the expected output is not + received then the password is not changed. + + This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc). + + The string can contain the macros %o + and %n which are substituted for the old + and new passwords respectively. It can also contain the standard + macros \n, \r, + \t and %s to give line-feed, + carriage-return, tab and space. + + The string can also contain a '*' which matches + any sequence of characters. + + Double quotes can be used to collect strings with spaces + in them into a single string. + + If the send string in any part of the chat sequence + is a fullstop ".", then no string is sent. Similarly, + is the expect string is a fullstop then no string is expected. + + Note that if the unix + password sync parameter is set to true, then this + sequence is called AS ROOT when the SMB password + in the smbpasswd file is being changed, without access to the old + password cleartext. In this case the old password cleartext is set + to "" (the empty string). + + See also unix password + sync, + passwd program and + passwd chat debug. + + Default: passwd chat = *old*password* %o\n *new* + password* %n\n *new*password* %n\n *changed* + Example: passwd chat = "*Enter OLD password*" %o\n + "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password + changed*" + + + + + + + passwd chat debug (G) + This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd(8) log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This parameter is off by + default. + + See also <passwd chat + , passwd program + . + + Default: passwd chat debug = no + Example: passwd chat debug = yes + + + + + + + passwd program (G) + The name of a program that can be used to set + UNIX user passwords. Any occurrences of %u + will be replaced with the user name. The user name is checked for + existence before calling the password changing program. + + Also note that many passwd programs insist in reasonable + passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it. + + Note that if the unix + password sync parameter is set to True + then this program is called AS ROOT + before the SMB password in the smbpasswd(5) + file is changed. If this UNIX password change fails, then + smbd will fail to change the SMB password also + (this is by design). + + If the unix password sync parameter + is set this parameter MUST USE ABSOLUTE PATHS + for ALL programs called, and must be examined + for security implications. Note that by default unix + password sync is set to False. + + See also unix + password sync. + + Default: passwd program = /bin/passwd + Example: passwd program = /sbin/npasswd %u + + + + + + + + password level (G) + Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! + + This parameter defines the maximum number of characters + that may be upper case in passwords. + + For example, say the password given was "FRED". If + password level is set to 1, the following combinations + would be tried if "FRED" failed: + + "Fred", "fred", "fRed", "frEd","freD" + + If password level was set to 2, + the following combinations would also be tried: + + "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. + + And so on. + + The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection. + + A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case. + + Default: password level = 0 + Example: password level = 4 + + + + + + + password server (G) + By specifying the name of another SMB server (such + as a WinNT box) with this option, and using security = domain + or security = server you can get Samba + to do all its username/password validation via a remote server. + + This options sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the smb.conf file. + + The name of the password server is looked up using the + parameter name + resolve order and so may resolved + by any method and order described in that parameter. + + The password server much be a machine capable of using + the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in + user level security mode. + + NOTE: Using a password server + means your UNIX box (running Samba) is only as secure as your + password server. DO NOT CHOOSE A PASSWORD SERVER THAT + YOU DON'T COMPLETELY TRUST. + + Never point a Samba server at itself for password + serving. This will cause a loop and could lock up your Samba + server! + + The name of the password server takes the standard + substitutions, but probably the only useful one is %m + , which means the Samba server will use the incoming + client as the passwordserver. If you use this then you better + trust your clients, and you better restrict them with hosts allow! + + If the security parameter is set to + domain, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is cryptographicly + in that domain, and will use cryptographicly authenticated RPC calls + to authenticate the user logging on. The advantage of using + security = domain is that if you list several hosts in the + password server option then smbd + will try each in turn till it finds one that responds. This + is useful in case your primary server goes down. + + If the password server option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name WORKGROUP<1C> + and then contacting each server returned in the list of IP + addresses from the name resolution source. + + If the security parameter is + set to server, then there are different + restrictions that security = domain doesn't + suffer from: + + + You may list several password servers in + the password server parameter, however if an + smbd makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this smbd. This is a + restriction of the SMB/CIFS protocol when in security=server + mode and cannot be fixed in Samba. + + If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in + security=server mode the network logon will appear to + come from there rather than from the users workstation. + + + See also the security + parameter. + + Default: password server = <empty string> + + Example: password server = NT-PDC, NT-BDC1, NT-BDC2 + + Example: password server = * + + + + + + + path (S) + This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing. + + For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise. + + Any occurrences of %u in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of %m + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users. + + Note that this path will be based on + root dir if one was specified. + + Default: none + Example: path = /home/fred + + + + + + + postexec (S) + This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems. + + An interesting example may be do unmount server + resources: + + postexec = /etc/umount /cdrom + + See also preexec + . + + Default: none (no command executed) + + + Example: postexec = echo \"%u disconnected from %S + from %m (%I)\" >> /tmp/log + + + + + + + postscript (S) + This parameter forces a printer to interpret + the print files as postscript. This is done by adding a %! + to the start of print output. + + This is most useful when you have lots of PCs that persist + in putting a control-D at the start of print jobs, which then + confuses your printer. + + Default: postscript = no + + + + + + + preexec (S) + This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions. + + An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example: + + preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & + + Of course, this could get annoying after a while :-) + + See also preexec close + and postexec + . + + Default: none (no command executed) + Example: preexec = echo \"%u connected to %S from %m + (%I)\" >> /tmp/log + + + + + + + preexec close (S) + This boolean option controls whether a non-zero + return code from preexec + should close the service being connected to. + + Default: preexec close = no + + + + + + preferred master (G) + This boolean parameter controls if nmbd(8) is a preferred master browser + for its workgroup. + + If this is set to true, on startup, nmbd + will force an election, and it will have a slight advantage in + winning the election. It is recommended that this parameter is + used in conjunction with + domain master = yes, so that + nmbd can guarantee becoming a domain master. + + Use this option with caution, because if there are several + hosts (whether Samba servers, Windows 95 or NT) that are preferred + master browsers on the same subnet, they will each periodically + and continuously attempt to become the local master browser. + This will result in unnecessary broadcast traffic and reduced browsing + capabilities. + + See also os level + . + + Default: preferred master = no + + + + + + + prefered master (G) + Synonym for + preferred master for people who cannot spell :-). + + + + + + + preload + Synonym for + auto services. + + + + + + preserve case (S) + This controls if new filenames are created + with the case that the client passes, or if they are forced to + be the derault case + . + + Default: preserve case = yes + + See the section on NAME + MANGLING" for a fuller discussion. + + + + + + print command (S) + After a print job has finished spooling to + a service, this command will be used via a system() + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files. + + The print command is simply a text string. It will be used + verbatim, with two exceptions: All occurrences of %s + and %f will be replaced by the + appropriate spool file name, and all occurrences of %p + will be replaced by the appropriate printer name. The + spool file name is generated automatically by the server, the printer + name is discussed below. + + The print command MUST contain at least + one occurrence of %s or %f + - the %p is optional. At the time + a job is submitted, if no printer name is supplied the %p + will be silently removed from the printer command. + + If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified. + + If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed. + + Note that printing may fail on some UNIXs from the + nobody account. If this happens then create + an alternative guest account that can print and set the guest account + in the [global] section. + + You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts. + + print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s + + You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the + printing parameter. + + Default: For printing= BSD, AIX, QNX, LPRNG + or PLP : + print command = lpr -r -P%p %s + + For printing= SYS or HPUX : + print command = lp -c -d%p %s; rm %s + + For printing=SOFTQ : + print command = lp -d%p -s %s; rm %s + + Example: print command = /usr/local/samba/bin/myprintscript + %p %s + + + + + + + print ok (S) + Synonym for + printable. + + + + + + + + printable (S) + If this parameter is yes, then + clients may open, write to and submit spool files on the directory + specified for the service. + + Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The writeable + parameter controls only non-printing access to + the resource. + + Default: printable = no + + + + + + + printcap (G) + Synonym for + printcap name. + + + + + + + + printer admin (S) + This is a list of users that can do anything to + printers via the remote administration interfaces offered by MSRPC + (usually using a NT workstation). Note that the root user always + has admin rights. + + Default: printer admin = <empty string> + + Example: printer admin = admin, @staff + + + + + + + + + + printcap name (G) + This parameter may be used to override the + compiled-in default printcap name used by the server (usually + /etc/printcap). See the discussion of the [printers] section above for reasons + why you might want to do this. + + On System V systems that use lpstat to + list available printers you can use printcap name = lpstat + to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If + printcap name is set to lpstat on + these systems then Samba will launch lpstat -v and + attempt to parse the output to obtain a printer list. + + A minimal printcap file would look something like this: + + + print1|My Printer 1 + print2|My Printer 2 + print3|My Printer 3 + print4|My Printer 4 + print5|My Printer 5 + + + where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment. + + NOTE: Under AIX the default printcap + name is /etc/qconfig. Samba will assume the + file is in AIX qconfig format if the string + qconfig appears in the printcap filename. + + Default: printcap name = /etc/printcap + Example: printcap name = /etc/myprintcap + + + + + + + printer (S) + This parameter specifies the name of the printer + to which print jobs spooled through a printable service will be sent. + + If specified in the [global] section, the printer + name given will be used for any printable service that does + not have its own printer name specified. + + Default: none (but may be lp + on many systems) + + Example: printer name = laserwriter + + + + + + + printer driver (S) + This option allows you to control the string + that clients receive when they ask the server for the printer driver + associated with a printer. If you are using Windows95 or WindowsNT + then you can use this to automate the setup of printers on your + system. + + You need to set this parameter to the exact string (case + sensitive) that describes the appropriate printer driver for your + system. If you don't know the exact string to use then you should + first try with no + printer driver option set and the client will + give you a list of printer drivers. The appropriate strings are + shown in a scrollbox after you have chosen the printer manufacturer. + + See also printer + driver file. + + Example: printer driver = HP LaserJet 4L + + + + + + + printer driver file (G) + This parameter tells Samba where the printer driver + definition file, used when serving drivers to Windows 95 clients, is + to be found. If this is not set, the default is : + + SAMBA_INSTALL_DIRECTORY + /lib/printers.def + + This file is created from Windows 95 msprint.inf + files found on the Windows 95 client system. For more + details on setting up serving of printer drivers to Windows 95 + clients, see the documentation file in the docs/ + directory, PRINTER_DRIVER.txt. + + See also + printer driver location. + + Default: None (set in compile). + + Example: printer driver file = + /usr/local/samba/printers/drivers.def + + + + + + + + printer driver location (S) + This parameter tells clients of a particular printer + share where to find the printer driver files for the automatic + installation of drivers for Windows 95 machines. If Samba is set up + to serve printer drivers to Windows 95 machines, this should be set to + + \\MACHINE\PRINTER$ + + Where MACHINE is the NetBIOS name of your Samba server, + and PRINTER$ is a share you set up for serving printer driver + files. For more details on setting this up see the documentation + file in the docs/ directory, + PRINTER_DRIVER.txt. + + See also + printer driver file. + + Default: none + Example: printer driver location = \\MACHINE\PRINTER$ + + + + + + + + printer name (S) + Synonym for + printer. + + + + + + + printing (S) + This parameters controls how printer status + information is interpreted on your system. It also affects the + default values for the print command, + lpq command, lppause command + , lpresume command, and + lprm command if specified in the + [global]f> section. + + Currently eight printing styles are supported. They are + BSD, AIX, + LPRNG, PLP, + SYSV, HPUX, + QNX, SOFTQ, + and CUPS. + + To see what the defaults are for the other print + commands when using the various options use the testparm(1) program. + + This option can be set on a per printer basis + + See also the discussion in the + [printers] section. + + + + + + + private dir(G) + The private dir parameter + allows an administator to define a directory path used to hold the + various databases Samba will use to store things like a the machine + trust account information when acting as a domain member (i.e. where + the secrets.tdb file will be located), where the passdb.tbd file + will stored in the case of using the experiemental tdbsam support, + etc... + + Default: private dir = <compile time location + of smbpasswd> + Example: private dir = /etc/smbprivate + + + + + + + protocol (G) + The value of the parameter (a string) is the highest + protocol level that will be supported by the server. + + Possible values are : + + CORE: Earliest version. No + concept of user names. + + COREPLUS: Slight improvements on + CORE for efficiency. + + LANMAN1: First + modern version of the protocol. Long filename + support. + + LANMAN2: Updates to Lanman1 protocol. + + + NT1: Current up to date version of + the protocol. Used by Windows NT. Known as CIFS. + + + Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol. + + Default: protocol = NT1 + Example: protocol = LANMAN1 + + + + + + public (S) + Synonym for guest + ok. + + + + + + + queuepause command (S) + This parameter specifies the command to be + executed on the server host in order to pause the printerqueue. + + This command should be a program or script which takes + a printer name as its only parameter and stops the printerqueue, + such that no longer jobs are submitted to the printer. + + This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT. + + If a %p is given then the printername + is put in its place. Otherwise it is placed at the end of the command. + + + Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server. + + Default: depends on the setting of printing + + Example: queuepause command = disable %p + + + + + + + queueresume command (S) + This parameter specifies the command to be + executed on the server host in order to resume the printerqueue. It + is the command to undo the behavior that is caused by the + previous parameter ( + queuepause command). + + This command should be a program or script which takes + a printer name as its only parameter and resumes the printerqueue, + such that queued jobs are resubmitted to the printer. + + This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT. + + If a %p is given then the printername + is put in its place. Otherwise it is placed at the end of the + command. + + Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server. + + Default: depends on the setting of printing + + + Example: queuepause command = enable %p + + + + + + + + read bmpx (G) + This boolean parameter controls whether smbd(8) will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + no. You should never need to set this + parameter. + + Default: read bmpx = no + + + + + + + + read list (S) + This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the writeable + option is set to. The list can include group names using the + syntax described in the + invalid users parameter. + + See also the + write list parameter and the invalid users + parameter. + + Default: read list = <empty string> + Example: read list = mary, @students + + + + + + + read only (S) + Note that this is an inverted synonym for writeable. + + + + + + + read raw (G) + This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients. + + If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + + + However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads. + + In general this parameter should be viewed as a system tuning + tool and left severely alone. See also + write raw. + + Default: read raw = yes + + + + + + read size (G) + The option read size + affects the overlap of disk reads/writes with network reads/writes. + If the amount of data being transferred in several of the SMB + commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger + than this value then the server begins writing the data before it + has received the whole packet from the network, or in the case of + SMBreadbraw, it begins writing to the network before all the data + has been read from disk. + + This overlapping works best when the speeds of disk and + network access are similar, having very little effect when the + speed of one is much greater than the other. + + The default value is 16384, but very little experimentation + has been done yet to determine the optimal value, and it is likely + that the best value will vary greatly between systems anyway. + A value over 65536 is pointless and will cause you to allocate + memory unnecessarily. + + Default: read size = 16384 + Example: read size = 8192 + + + + + + + remote announce (G) + This option allows you to setup nmbd(8) to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name. + + This is useful if you want your Samba server to appear + in a remote workgroup for which the normal browse propagation + rules don't work. The remote workgroup can be anywhere that you + can send IP packets to. + + For example: + + remote announce = 192.168.2.255/SERVERS + 192.168.4.255/STAFF + + the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. + If you leave out the workgroup name then the one given in + the workgroup + parameter is used instead. + + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. + + See the documentation file BROWSING.txt + in the docs/ directory. + + Default: remote announce = <empty string> + + + + + + + + remote browse sync (G) + This option allows you to setup nmbd(8) to periodically request + synchronization of browse lists with the master browser of a samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-samba servers. + + This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to. + + For example: + + remote browse sync = 192.168.2.255 192.168.4.255 + + + the above line would cause nmbd to request + the master browser on the specified subnets or addresses to + synchronize their browse lists with the local server. + + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on it's segment. + + Default: remote browse sync = <empty string> + + + + + + + + restrict anonymous (G) + This is a boolean parameter. If it is true, then + anonymous access to the server will be restricted, namely in the + case where the server is expecting the client to send a username, + but it doesn't. Setting it to true will force these anonymous + connections to be denied, and the client will be required to always + supply a username and password when connecting. Use of this parameter + is only recommened for homogenous NT client environments. + + This parameter makes the use of macro expansions that rely + on the username (%U, %G, etc) consistant. NT 4.0 + likes to use anonymous connections when refreshing the share list, + and this is a way to work around that. + + When restrict anonymous is true, all anonymous connections + are denied no matter what they are for. This can effect the ability + of a machine to access the samba Primary Domain Controller to revalidate + it's machine account after someone else has logged on the client + interactively. The NT client will display a message saying that + the machine's account in the domain doesn't exist or the password is + bad. The best way to deal with this is to reboot NT client machines + between interactive logons, using "Shutdown and Restart", rather + than "Close all programs and logon as a different user". + + Default: restrict anonymous = no + + + + + + + root (G) + Synonym for + root directory". + + + + + + + root dir (G) + Synonym for + root directory". + + + + + + root directory (G) + The server will chroot() (i.e. + Change it's root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the wide links + parameter). + + Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent. + + Default: root directory = / + Example: root directory = /homes/smb + + + + + + + root postexec (S) + This is the same as the postexec + parameter except that the command is run as root. This + is useful for unmounting filesystems + (such as cdroms) after a connection is closed. + + See also + postexec. + + + + + root preexec (S) + This is the same as the preexec + parameter except that the command is run as root. This + is useful for mounting filesystems + (such as cdroms) after a connection is closed. + + See also + preexec and + preexec close. + + + + + + + root preexec close (S) + This is the same as the preexec close + parameter except that the command is run as root. + + See also + preexec and + preexec close. + + + + + + security (G) + This option affects how clients respond to + Samba and is one of the most important settings in the + smb.conf file. + + The option sets the "security mode bit" in replies to + protocol negotiations with smbd(8) + to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server. + + + The default is security = user, as this is + the most common setting needed when talking to Windows 98 and + Windows NT. + + The alternatives are security = share, + security = server or security=domain + . + + In versions of Samba prior to 2..0, the default was + security = share mainly because that was + the only option at one stage. + + There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as. + + If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + security = user. If you mostly use usernames + that don't exist on the UNIX box then use security = + share. + + You should also use security = share if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with security = user, see + the map to guest + parameter for details. + + It is possible to use smbd in a + hybrid mode where it is offers both user and share + level security under different + NetBIOS aliases. + + The different settings will now be explained. + + + SECURITY = SHARE + + + When clients connect to a share level security server then + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a security = share + server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share. + + Note that smbd ALWAYS + uses a valid UNIX user to act on behalf of the client, even in + security = share level security. + + As clients are not required to send a username to the server + in share level security, smbd uses several + techniques to determine the correct UNIX user to use on behalf + of the client. + + A list of possible UNIX usernames to match with the given + client password is constructed using the following methods : + + + If the guest + only parameter is set, then all the other + stages are missed and only the + guest account username is checked. + + + Is a username is sent with the share connection + request, then this username (after mapping - see username map), + is added as a potential username. + + If the client did a previous logon + request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + + + The name of the service the client requested is + added as a potential username. + + The NetBIOS name of the client is added to + the list as a potential username. + + Any users on the + user list are added as potential usernames. + + + + If the guest only parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user. + + If the guest only parameter is + set, or no username can be determined then if the share is marked + as available to the guest account, then this + guest user will be used, otherwise access is denied. + + Note that it can be very confusing + in share-level security as to which UNIX username will eventually + be used in granting access. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURIYT = USER + + + This is the default security setting in Samba 2.2. + With user-level security a client must first "log=on" with a + valid username and password (which can be mapped using the username map + parameter). Encrypted passwords (see the + encrypted passwords parameter) can also + be used in this security mode. Parameters such as + user and + guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = SERVER + + + In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to security = user, but note + that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid + smbpasswd file to check users against. See the + documentation file in the docs/ directory + ENCRYPTION.txt for details on how to set this + up. + + Note that from the clients point of + view security = server is the same as + security = user. It only affects how the server deals + with the authentication, it does not in any way affect what the + client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the encrypted passwords + parameter. + + SECURITY = DOMAIN + + + This mode will only work correctly if smbpasswd(8) has been used to add this + machine into a Windows NT Domain. It expects the encrypted passwords + parameter to be set to true. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the clients point + of view security = domain is the same as security = user + . It only affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the guest account. + See the map to guest + parameter for details on doing this. + + BUG: There is currently a bug in the + implementation of security = domain with respect + to multi-byte character set usernames. The communication with a + Domain Controller must be done in UNICODE and Samba currently + does not widen multi-byte user names to UNICODE correctly, thus + a multi-byte username will not be recognized correctly at the + Domain Controller. This issue will be addressed in a future release. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the encrypted passwords + parameter. + + Default: security = USER + Example: security = DOMAIN + + + + + + + security mask (S) + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box. + + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. + + If not set explicitly this parameter is set to the same + value as the create mask + parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter to + 0777. + + Note that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to set it to 0777. + + See also the + force directory security mode, + directory + security mask, + force security mode parameters. + + Default: security mask = <same as create mask> + + Example: security mask = 0777 + + + + + + server string (G) + This controls what string will show up in the + printer comment box in print manager and next to the IPC connection + in net view". It can be any string that you wish + to show to your users. + + It also sets what will appear in browse lists next + to the machine name. + + A %v will be replaced with the Samba + version number. + + A %h will be replaced with the + hostname. + + Default: server string = Samba %v + + Example: server string = University of GNUs Samba + Server + + + + + + + set directory (S) + If set directory = no, then + users of the service may not use the setdir command to change + directory. + + The setdir command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details. + + Default: set directory = no + + + + + + + + share modes (S) + This enables or disables the honoring of + the share modes during a file open. These + modes are used by clients to gain exclusive read or write access + to a file. + + These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do). + + The share modes that are enabled by this option are + DENY_DOS, DENY_ALL, + DENY_READ, DENY_WRITE, + DENY_NONE and DENY_FCB. + + + This option gives full share compatibility and enabled + by default. + + You should NEVER turn this parameter + off as many Windows applications will break if you do so. + + Default: share modes = yes + + + + + + + shared mem size (G) + It specifies the size of the shared memory (in + bytes) to use between smbd(8) + processes. This parameter defaults to one megabyte of shared + memory. It is possible that if you have a large erver with many + files open simultaneously that you may need to increase this + parameter. Signs that this parameter is set too low are users + reporting strange problems trying to save files (locking errors) + and error messages in the smbd log looking like ERROR + smb_shm_alloc : alloc of XX bytes failed. + + If your OS refuses the size that Samba asks for then + Samba will try a smaller size, reducing by a factor of 0.8 until + the OS accepts it. + + Default: shared mem size = 1048576 + Example: shared mem size = 5242880 ; Set to 5mb for a + large number of files. + + + + + + + short preserve case (S) + This boolean parameter controls if new files + which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced + to be the default case + . This option can be use with preserve case = yes + to permit long filenames to retain their case, while short + names are lowered. + + See the section on + NAME MANGLING. + + Default: short preserve case = yes + + + + + + + smb passwd file (G) + This option sets the path to the encrypted + smbpasswd file. By default the path to the smbpasswd file + is compiled into Samba. + + Default: smb passwd file= <compiled + default> + + Example: smb passwd file = /usr/samba/private/smbpasswd + + + + + + + + smbrun (G) + This sets the full path to the smbrun + binary. This defaults to the value in the + Makefile. + + You must get this path right for many services + to work correctly. + + You should not need to change this parameter so + long as Samba is installed correctly. + + Default: smbrun=<compiled default> + + + Example: smbrun = /usr/local/samba/bin/smbrun + + + + + + + + socket address (G) + This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration. + + By default samba will accept connections on any + address. + + Example: socket address = 192.168.2.20 + + + + + + + + socket options (G) + This option allows you to set socket options + to be used when talking with the client. + + Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned. + + This option will typically be used to tune your Samba + server for optimal performance for your local network. There is + no way that Samba can know what the optimal parameters are for + your net, so you must experiment and choose them yourself. We + strongly suggest you read the appropriate documentation for your + operating system first (perhaps man setsockopt + will help). + + You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to + samba@samba.org. + + Any of the supported socket options may be combined + in any way you like, as long as your OS allows it. + + This is the list of socket options currently settable + using this option: + + + SO_KEEPALIVE + SO_REUSEADDR + SO_BROADCAST + TCP_NODELAY + IPTOS_LOWDELAY + IPTOS_THROUGHPUT + SO_SNDBUF * + SO_RCVBUF * + SO_SNDLOWAT * + SO_RCVLOWAT * + + + Those marked with a '*' take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0. + + To specify an argument use the syntax SOME_OPTION=VALUE + for example SO_SNDBUF=8192. Note that you must + not have any spaces before or after the = sign. + + If you are on a local network then a sensible option + might be + socket options = IPTOS_LOWDELAY + + If you have a local network then you could try: + socket options = IPTOS_LOWDELAY TCP_NODELAY + + If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. + + Note that several of the options may cause your Samba + server to fail completely. Use these options with caution! + + Default: socket options = TCP_NODELAY + Example: socket options = IPTOS_LOWDELAY + + + + + + + + source environment (G) + This parameter causes Samba to set environment + variables as per the content of the file named. + + If the value of this parameter starts with a "|" character + then Samba will treat that value as a pipe command to open and + will set the environment variables from the output of the pipe. + + The contents of the file or the output of the pipe should + be formatted as the output of the standard Unix env(1) + command. This is of the form : + Example environment entry: + SAMBA_NETBIOS_NAME=myhostname + + Default: No default value + Examples: source environment = |/etc/smb.conf.sh + + + Example: source environment = + /usr/local/smb_env_vars + + + + + + + ssl (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable enables or disables the entire SSL mode. If + it is set to no, the SSL enabled samba behaves + exactly like the non-SSL samba. If set to yes, + it depends on the variables + ssl hosts and + ssl hosts resign whether an SSL + connection will be required. + + Default: ssl=no + + + + + + + ssl CA certDir (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable defines where to look up the Certification + Authorities. The given directory should contain one file for + each CA that samba will trust. The file name must be the hash + value over the "Distinguished Name" of the CA. How this directory + is set up is explained later in this document. All files within the + directory that don't fit into this naming scheme are ignored. You + don't need this variable if you don't verify client certificates. + + Default: ssl CA certDir = /usr/local/ssl/certs + + + + + + + + ssl CA certFile (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable is a second way to define the trusted CAs. + The certificates of the trusted CAs are collected in one big + file and this variable points to the file. You will probably + only use one of the two ways to define your CAs. The first choice is + preferable if you have many CAs or want to be flexible, the second + is preferable if you only have one CA and want to keep things + simple (you won't need to create the hashed file names). You + don't need this variable if you don't verify client certificates. + + Default: ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem + + + + + + + + ssl ciphers (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable defines the ciphers that should be offered + during SSL negotiation. You should not set this variable unless + you know what you are doing. + + + + + + ssl client cert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + The certificate in this file is used by + smbclient(1) if it exists. It's needed + if the server requires a client certificate. + + Default: ssl client cert = /usr/local/ssl/certs/smbclient.pem + + + + + + + + ssl client key (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This is the private key for + smbclient(1). It's only needed if the + client should have a certificate. + + Default: ssl client key = /usr/local/ssl/private/smbclient.pem + + + + + + + + ssl compatibility (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This variable defines whether SSLeay should be configured + for bug compatibility with other SSL implementations. This is + probably not desirable because currently no clients with SSL + implementations other than SSLeay exist. + + Default: ssl compatibility = no + + + + + + ssl hosts (G) + See + ssl hosts resign. + + + + + + ssl hosts resign (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + These two variables define whether samba will go + into SSL mode or not. If none of them is defined, samba will + allow only SSL connections. If the + ssl hosts variable lists + hosts (by IP-address, IP-address range, net group or name), + only these hosts will be forced into SSL mode. If the + ssl hosts resign variable lists hosts, only these + hosts will NOT be forced into SSL mode. The syntax for these two + variables is the same as for the + hosts allow and + hosts deny pair of variables, only + that the subject of the decision is different: It's not the access + right but whether SSL is used or not. + + The example below requires SSL connections from all hosts + outside the local net (which is 192.168.*.*). + + Default: ssl hosts = <empty string> + ssl hosts resign = <empty string> + + Example: ssl hosts resign = 192.168. + + + + + + + ssl require clientcert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + If this variable is set to yes, the + server will not tolerate connections from clients that don't + have a valid certificate. The directory/file given in ssl CA certDir + and ssl CA certFile + will be used to look up the CAs that issued + the client's certificate. If the certificate can't be verified + positively, the connection will be terminated. If this variable + is set to no, clients don't need certificates. + Contrary to web applications you really should + require client certificates. In the web environment the client's + data is sensitive (credit card numbers) and the server must prove + to be trustworthy. In a file server environment the server's data + will be sensitive and the clients must prove to be trustworthy. + + Default: ssl require clientcert = no + + + + + + + ssl require servercert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + If this variable is set to yes, the + smbclient(1) + will request a certificate from the server. Same as + ssl require + clientcert for the server. + + Default: ssl require servercert = no + + + + + + ssl server cert (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This is the file containing the server's certificate. + The server must have a certificate. The + file may also contain the server's private key. See later for + how certificates and private keys are created. + + Default: ssl server cert = <empty string> + + + + + + + ssl server key (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This file contains the private key of the server. If + this variable is not defined, the key is looked up in the + certificate file (it may be appended to the certificate). + The server must have a private key + and the certificate must + match this private key. + + Default: ssl server key = <empty string> + + + + + + + ssl version (G) + This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option --with-ssl was + given at configure time. + + Note that for export control reasons + this code is NOT enabled by default in any + current binary version of Samba. + + This enumeration variable defines the versions of the + SSL protocol that will be used. ssl2or3 allows + dynamic negotiation of SSL v2 or v3, ssl2 results + in SSL v2, ssl3 results in SSL v3 and + tls1 results in TLS v1. TLS (Transport Layer + Security) is the new standard for SSL. + + Default: ssl version = "ssl2or3" + + + + + + + stat cache (G) + This parameter determines if smbd(8) will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter. + + Default: stat cache = yes + + + + + stat cache size (G) + This parameter determines the number of + entries in the stat cache. You should + never need to change this parameter. + + Default: stat cache size = 50 + + + + + + + status (G) + This enables or disables logging of connections + to a status file that smbstatus(1) + can read. + + With this disabled smbstatus won't be able + to tell you what connections are active. You should never need to + change this parameter. + + Default: status = yes + + + + + + + strict locking (S) + This is a boolean that controls the handling of + file locking in the server. When this is set to yes + the server will check every read and write access for file locks, and + deny access if locks exist. This can be slow on some systems. + + When strict locking is no the server does file + lock checks only when the client explicitly asks for them. + + Well behaved clients always ask for lock checks when it + is important, so in the vast majority of cases strict + locking = no is preferable. + + Default: strict locking = no + + + + + + + strict sync (S) + Many Windows applications (including the Windows + 98 explorer shell) seem to confuse flushing buffer contents to + disk with doing a sync to disk. Under UNIX, a sync call forces + the process to be suspended until the kernel has ensured that + all outstanding data in kernel disk buffers has been safely stored + onto stable storage. This is very slow and should only be done + rarely. Setting this parameter to no (the + default) means that smbd ignores the Windows applications requests for + a sync call. There is only a possibility of losing data if the + operating system itself that Samba is running on crashes, so there is + little danger in this default setting. In addition, this fixes many + performance problems that people have reported with the new Windows98 + explorer shell file copies. + + See also the sync + always> parameter. + + Default: strict sync = no + + + + + + strip dot (G) + This is a boolean that controls whether to + strip trailing dots off UNIX filenames. This helps with some + CDROMs that have filenames ending in a single dot. + + Default: strip dot = no + + + + + + + sync always (S) + This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is false then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is true then every write will be followed by a fsync() + call to ensure the data is written to disk. Note that + the strict sync parameter must be set to + yes in order for this parameter to have + any affect. + + See also the strict + sync parameter. + + Default: sync always = no + + + + + + + syslog (G) + This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog LOG_ERR, debug + level one maps onto LOG_WARNING, debug level + two maps onto LOG_NOTICE, debug level three + maps onto LOG_INFO. All higher levels are mapped to + LOG_DEBUG. + + This paramter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog. + + Default: syslog = 1 + + + + + + + syslog only (G) + If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files. + + Default: syslog only = no + + + + + + + template homedir (G) + NOTE: this parameter is + only available in Samba 3.0. + + When filling out the user information for a Windows NT + user, the winbindd(8) daemon + uses this parameter to fill in the home directory for that user. + If the string %D is present it is substituted + with the user's Windows NT domain name. If the string %U + is present it is substituted with the user's Windows + NT user name. + + Default: template homedir = /home/%D/%U + + + + + + + template shell (G) + NOTE: this parameter is + only available in Samba 3.0. + + When filling out the user information for a Windows NT + user, the winbindd(8) daemon + uses this parameter to fill in the login shell for that user. + + Default: template shell = /bin/false + + + + + + + time offset (G) + This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling. + + Default: time offset = 0 + Example: time offset = 60 + + + + + + + time server (G) + This parameter determines if + nmbd(8) advertises itself as a time server to Windows + clients. + + Default: time server = no + + + + + + timestamp logs (G) + Synonym for + debug timestamp. + + + + + + + + unix password sync (G) + This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to true the program specified in the passwd + programparameter is called AS ROOT - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password has change code has no + access to the old password cleartext, only the new). + + See also passwd + program, + passwd chat. + + Default: unix password sync = no + + + + + + + unix realname (G) + This boolean parameter when set causes samba + to supply the real name field from the unix password file to + the client. This isuseful for setting up mail clients and WWW + browsers on systems used by more than one person. + + Default: unix realname = no + + + + + + + update encrypted (G) + This boolean parameter allows a user logging + on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as + they log on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing + all users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change over + to encrypted passwords to be made over a longer period. Once all users + have encrypted representations of their passwords in the smbpasswd + file this parameter should be set to no. + + In order for this parameter to work correctly the encrypt passwords + parameter must be set to no when + this parameter is set to yes. + + Note that even when this parameter is set a user + authenticating to smbd must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords. + + Default: update encrypted = no + + + + + + + use rhosts (G) + If this global parameter is a true, it specifies + that the UNIX users .rhosts file in their home directory + will be read to find the names of hosts and users who will be allowed + access without specifying a password. + + NOTE: The use of use rhosts + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + use rhosts option be only used if you really know what + you are doing. + + Default: use rhosts = no + + + + + + + user (S) + Synonym for + username. + + + + + + + users (S) + Synonym for + username. + + + + + + username (S) + Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right). + + The username line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead. + + The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely. + + Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do. + + To restrict a service to a particular set of users you + can use the valid users + parameter. + + If any of the usernames begin with a '@' then the name + will be looked up first in the yp netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name. + + If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name. + + If any of the usernames begin with a '&'then the name + will be looked up only in the yp netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name. + + Note that searching though a groups database can take + quite some time, snd some clients may time out during the + search. + + See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services. + + Default: The guest account if a guest service, + else the name of the service. + + Examples:username = fred, mary, jack, jane, + @users, @pcgroup + + + + + + + username level (G) + This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine. + + If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try whilst trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as AstrangeUser + . + + Default: username level = 0 + Example: username level = 5 + + + + + + + username map (G) + This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files. + + The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long. + + The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line. + + If any line begins with a '#' or a ';' then it is + ignored + + If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file. + + For example to map from the name admin + or administrator to the UNIX name + root you would use: + + root = admin administrator + + Or to map anyone in the UNIX group system + to the UNIX name sys you would use: + + sys = @system + + You can have as many mappings as you like in a username + map file. + + + If your system supports the NIS NETGROUP option then + the netgroup database is checked before the /etc/group + database for matching groups. + + You can map Windows usernames that have spaces in them + by using double quotes around the name. For example: + + tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the + unix username "tridge". + + The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line. + + + !sys = mary fred + guest = * + + + Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for mary not + fred. The only exception to this is the + username passed to the + password server (if you have one). The password + server will receive whatever username the client supplies without + modification. + + Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job. + + Default: no username map + Example: username map = /usr/local/samba/lib/users.map + + + + + + + + utmp (S) + This boolean parameter is only available if + Samba has been configured and compiled with the option + --with-utmp. If set to True then Samba will attempt + to add utmp or utmpx records (depending on the UNIX system) whenever a + connection is made to a Samba server. Sites may use this to record the + user connecting to a Samba share. + + See also the + utmp directory parameter. + + Default: utmp = no + + + + + + + utmp directory(G) + This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. See also the + utmp parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/utmp on Linux). + + Default: no utmp directory + + + + + + + winbind cache time + NOTE: this parameter is only + available in Samba 3.0. + + This parameter specifies the number of seconds the + winbindd(8) daemon will cache + user and group information before querying a Windows NT server + again. + + Default: winbind cache type = 15 + + + + + + + + winbind gid + NOTE: this parameter is only + available in Samba 3.0. + + The winbind gid parameter specifies the range of group + ids that are allocated by the + winbindd(8) daemon. This range of group ids should have no + existing local or nis groups within it as strange conflicts can + occur otherwise. + + Default: winbind gid = <empty string> + + + Example: winbind gid = 10000-20000 + + + + + + + winbind uid + NOTE: this parameter is only + available in Samba 3.0. + + The winbind gid parameter specifies the range of group + ids that are allocated by the + winbindd(8) daemon. This range of ids should have no + existing local or nis users within it as strange conflicts can + occur otherwise. + + Default: winbind uid = <empty string> + + + Example: winbind uid = 10000-20000 + + + + + + + valid chars (G) + The option allows you to specify additional + characters that should be considered valid by the server in + filenames. This is particularly useful for national character + sets, such as adding u-umlaut or a-ring. + + The option takes a list of characters in either integer + or character form with spaces between them. If you give two + characters with a colon between them then it will be taken as + an lowercase:uppercase pair. + + If you have an editor capable of entering the characters + into the config file then it is probably easiest to use this + method. Otherwise you can specify the characters in octal, + decimal or hexadecimal form using the usual C notation. + + For example to add the single character 'Z' to the charset + (which is a pointless thing to do as it's already there) you could + do one of the following + + + valid chars = Z + valid chars = z:Z + valid chars = 0132:0172 + + + The last two examples above actually add two characters, + and alter the uppercase and lowercase mappings appropriately. + + Note that you MUST specify this parameter + after the client code page parameter if you + have both set. If client code page is set after + the valid chars parameter the valid + chars settings will be overwritten. + + See also the client + code page parameter. + + Default: Samba defaults to using a reasonable set + of valid characters for English systems + + Example: valid chars = 0345:0305 0366:0326 0344:0304 + + + The above example allows filenames to have the Swedish + characters in them. + + NOTE: It is actually quite difficult to + correctly produce a valid chars line for + a particular system. To automate the process tino@augsburg.net has written + a package called validchars which will automatically + produce a complete valid chars line for + a given client system. Look in the examples/validchars/ + subdirectory of your Samba source code distribution + for this package. + + + + + + + valid users (S) + This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + invalid users parameter. + + If this is empty (the default) then any user can login. + If a username is in both this list and the invalid + users list then access is denied for that user. + + The current servicename is substituted for %S + . This is useful in the [homes] section. + + See also invalid users + + + Default: No valid users list (anyone can login) + + + Example: valid users = greg, @pcusers + + + + + + + + veto files(S) + This is a list of files and directories that + are neither visible nor accessible. Each entry in the list must + be separated by a '/', which allows spaces to be included + in the entry. '*' and '?' can be used to specify multiple files + or directories as in DOS wildcards. + + Each entry must be a unix path, not a DOS path and + must not include the unix directory + separator '/'. + + Note that the case sensitive option + is applicable in vetoing files. + + One feature of the veto files parameter that it is important + to be aware of, is that if a directory contains nothing but files + that match the veto files parameter (which means that Windows/DOS + clients cannot ever see them) is deleted, the veto files within + that directory are automatically deleted along + with it, if the user has UNIX permissions to do so. + + Setting this parameter will affect the performance + of Samba, as it will be forced to check all files and directories + for a match as they are scanned. + + See also hide files + and + case sensitive. + + Default: No files or directories are vetoed. + + + Examples: + ; Veto any files containing the word Security, + ; any ending in .tmp, and any directory containing the + ; word root. + veto files = /*Security*/*.tmp/*root*/ + + ; Veto the Apple specific files that a NetAtalk server + ; creates. + veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + + + + + + + veto oplock files (S) + This parameter is only valid when the oplocks + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + veto files + parameter. + + Default: No files are vetoed for oplock + grants + + You might want to do this on files that you know will + be heavily contended for by clients. A good example of this + is in the NetBench SMB benchmark program, which causes heavy + client contention for files ending in .SEM. + To cause Samba not to grant oplocks on these files you would use + the line (either in the [global] section or in the section for + the particular NetBench share : + + Example: veto oplock files = /*;.SEM/ + + + + + + + + volume (S) + This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label. + + Default: the name of the share + + + + + + + wide links (S) + This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported. + + Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks. + + Default: wide links = yes + + + + + + + wins proxy (G) + This is a boolean that controls if nmbd(8) will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to yes for some older clients. + + Default: wins proxy = no + + + + + + + + wins server (G) + This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that + nmbd(8) should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP. + + You should point this at your WINS server if you have a + multi-subnetted network. + + NOTE. You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly. + + See the documentation file BROWSING.txt + in the docs/ directory of your Samba source distribution. + + Default: not enabled + Example: wins server = 192.9.200.1 + + + + + + + wins hook (G) + When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS. + + The wins hook parameter specifies the name of a script + or executable that will be called as follows: + + wins_hook operation name nametype ttl IP_list + + + + The first argument is the operation and is one + of "add", "delete", or "refresh". In most cases the operation can + be ignored as the rest of the parameters provide sufficient + information. Note that "refresh" may sometimes be called when the + name has not previously been added, in that case it should be treated + as an add. + + The second argument is the netbios name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods. + + The third argument is the netbios name + type as a 2 digit hexadecimal number. + + The fourth argument is the TTL (time to live) + for the name in seconds. + + The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted. + + + An example script that calls the BIND dynamic DNS update + program nsupdate is provided in the examples + directory of the Samba source code. + + + + + + + wins support (G) + This boolean controls if the + nmbd(8) process in Samba will act as a WINS server. You should + not set this to true unless you have a multi-subnetted network and + you wish a particular nmbd to be your WINS server. + Note that you should NEVER set this to true + on more than one machine in your network. + + Default: wins support = no + + + + + + + workgroup (G) + This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with the security=domain + setting. + + Default: set at compile time to WORKGROUP + Example: workgroup = MYGROUP + + + + + + + + writable (S) + Synonym for + writeable for people who can't spell :-). + + + + + + + write list (S) + This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the writeable + option is set to. The list can include group names using the + @group syntax. + + Note that if a user is in both the read list and the + write list then they will be given write access. + + See also the read list + option. + + Default: write list = <empty string> + + + Example: write list = admin, root, @staff + + + + + + + + write cache size (S) + This integer parameter (new with Samba 2.0.7) + if set to non-zero causes Samba to create an in-memory cache for + each oplocked file (it does not do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it. + + This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (ie. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs. + + The integer parameter specifies the size of this cache + (per oplocked file) in bytes. + + Default: write cache size = 0 + Example: write cache size = 262144 + + for a 256k cache size per file. + + + + + + + + + + write ok (S) + Synonym for + writeable. + + + + + + + write raw (G) + This parameter controls whether or not the server + will support raw writes SMB's when transferring data from clients. + You should never need to change this parameter. + + Default: write raw = yes + + + + + + + writeable (S) + An inverted synonym is + read only. + + If this parameter is no, then users + of a service may not create or modify files in the service's + directory. + + Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations. + + Default: writeable = no + + + + + + + + + + WARNINGS + + Although the configuration file permits service names + to contain spaces, your client software may not. Spaces will + be ignored in comparisons anyway, so it shouldn't be a + problem - but be aware of the possibility. + + On a similar note, many clients - especially DOS clients - + limit service names to eight characters. smbd(8) + has no such limitation, but attempts to connect from such + clients will fail if they truncate the service names. For this reason + you should probably keep your service names down to eight characters + in length. + + Use of the [homes] and [printers] special sections make life + for an administrator easy, but the various combinations of default + attributes can be tricky. Take extreme care when designing these + sections. In particular, ensure that the permissions on spool + directories are correct. + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. + + + + SEE ALSO + samba(7), + smbpasswd(8), + swat(8), + smbd(8), + nmbd(8), + smbclient(1), + nmblookup(1), + testparm(1), + testprns(1) + + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter + + + diff --git a/docs/docbook/manpages/smbd.8.sgml b/docs/docbook/manpages/smbd.8.sgml new file mode 100644 index 0000000000..2ee7b46e19 --- /dev/null +++ b/docs/docbook/manpages/smbd.8.sgml @@ -0,0 +1,573 @@ + + + + + smbd + 8 + + + + + smbd + server to provide SMB/CIFS services to clients + + + + + smbd + -D + -a + -o + -P + -h + -V + -d <debug level> + -l <log file> + -p <port number> + -O <socket option> + -s <configuration file> + + + + + DESCRIPTION + This program is part of the Samba suite. + + smbd is the server daemon that + provides filesharing and printing services to Windows clients. + The server provides filespace and printer services to + clients using the SMB (or CIFS) protocol. This is compatible + with the LanManager protocol, and can service LanManager + clients. These include MSCLIENT 3.0 for DOS, Windows for + Workgroups, Windows 95/98/ME, Windows NT, Windows 2000, + OS/2, DAVE for Macintosh, and smbfs for Linux. + + An extensive description of the services that the + server can provide is given in the man page for the + configuration file controlling the attributes of those + services (see smb.conf(5) + . This man page will not describe the + services, but will concentrate on the administrative aspects + of running the server. + + Please note that there are significant security + implications to running this server, and the smb.conf(5) + manpage should be regarded as mandatory reading before + proceeding with installation. + + A session is created whenever a client requests one. + Each client gets a copy of the server for each session. This + copy then services all connections made by the client during + that session. When all connections from its client are closed, + the copy of the server for that client terminates. + + The configuration file, and any files that it includes, + are automatically reloaded every minute, if they change. You + can force a reload by sending a SIGHUP to the server. Reloading + the configuration file will not affect connections to any service + that is already established. Either the user will have to + disconnect from the service, or smbd killed and restarted. + + + + OPTIONS + + + + -D + If specified, this parameter causes + the server to operate as a daemon. That is, it detaches + itself and runs in the background, fielding requests + on the appropriate port. Operating the server as a + daemon is the recommended way of running smbd for + servers that provide more than casual use file and + print services. This switch is assumed is smbd + is executed on the command line of a shell. + + + + + -a + If this parameter is specified, each new + connection will append log messages to the log file. + This is the default. + + + + -o + If this parameter is specified, the + log files will be overwritten when opened. By default, + smbd will append entries to the log + files. + + + + -P + Passive option. Causes smbd not to + send any network traffic out. Used for debugging by + the developers only. + + + + -h + Prints the help information (usage) + for smbd. + + + + -v + Prints the version number for + smbd. + + + + -d <debug level> + debuglevel is an integer + from 0 to 10. The default value if this parameter is + not specified is zero. + + The higher this value, the more detail will be + logged to the log files about the activities of the + server. At level 0, only critical errors and serious + warnings will be logged. Level 1 is a reasonable level for + day to day running - it generates a small amount of + information about operations carried out. + + Levels above 1 will generate considerable + amounts of log data, and should only be used when + investigating a problem. Levels above 3 are designed for + use only by developers and generate HUGE amounts of log + data, most of which is extremely cryptic. + + Note that specifying this parameter here will + override the log + level parameter in the + smb.conf(5) file. + + + + + -l <log file> + If specified, log file + specifies a log filename into which informational and debug + messages from the running server will be logged. The log + file generated is never removed by the server although + its size may be controlled by the max log size + option in the + smb.conf(5) file. The default log + file name is specified at compile time. + + + + -O <socket options> + See the socket options + parameter in the smb.conf(5) + file for details. + + + + -p <port number> + port number is a positive integer + value. The default value if this parameter is not + specified is 139. + + This number is the port number that will be + used when making connections to the server from client + software. The standard (well-known) port number for the + SMB over TCP is 139, hence the default. If you wish to + run the server as an ordinary user rather than + as root, most systems will require you to use a port + number greater than 1024 - ask your system administrator + for help if you are in this situation. + + In order for the server to be useful by most + clients, should you configure it on a port other + than 139, you will require port redirection services + on port 139, details of which are outlined in rfc1002.txt + section 4.3.5. + + This parameter is not normally specified except + in the above situation. + + + + -s <configuration file> + The file specified contains the + configuration details required by the server. The + information in this file includes server-specific + information such as what printcap file to use, as well + as descriptions of all the services that the server is + to provide. See + smb.conf(5) for more information. + The default configuration file name is determined at + compile time. + + + + + + FILES + + + + /etc/inetd.conf + If the server is to be run by the + inetd meta-daemon, this file + must contain suitable startup information for the + meta-daemon. See the section INSTALLATION below. + + + + + /etc/rc + or whatever initialization script your + system uses). + + If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server. See the section INSTALLATION + below. + + + + /etc/services + If running the server via the + meta-daemon inetd, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). + See the section INSTALLATION below. + + + + /usr/local/samba/lib/smb.conf + This is the default location of the + smb.conf + server configuration file. Other common places that systems + install this file are /usr/samba/lib/smb.conf + and /etc/smb.conf. + + This file describes all the services the server + is to make available to clients. See + smb.conf(5) for more information. + + + + + + + LIMITATIONS + On some systems smbd cannot change uid back + to root after a setuid() call. Such systems are called + "trapdoor" uid systems. If you have such a system, + you will be unable to connect from a client (such as a PC) as + two different users at once. Attempts to connect the + second user will result in "access denied" or + similar. + + + + ENVIRONMENTVARIABLES + + + + PRINTER + If no printer name is specified to + printable services, most systems will use the value of + this variable (or "lp" if this variable is + not defined) as the name of the printer to use. This + is not specific to the server, however. + + + + + + INSTALLATION + + The location of the server and its support files + is a matter for individual system administrators. The following + are thus suggestions only. + + It is recommended that the server software be installed + under the /usr/local/samba/ hierarchy, + in a directory readable by all, writeable only by root. The server + program itself should be executable by all, as users may wish to + run the server themselves (in which case it will of course run + with their privileges). The server should NOT be setuid. On some + systems it may be worthwhile to make smbd setgid to an empty group. + This is because some systems may have a security hole where daemon + processes that become a user can be attached to with a debugger. + Making the smbd file setgid to an empty group may prevent + this hole from being exploited. This security hole and the suggested + fix has only been confirmed on old versions (pre-kernel 2.0) of Linux + at the time this was written. It is possible that this hole only + exists in Linux, as testing on other systems has thus far shown them + to be immune. + + The server log files should be put in a directory readable and + writeable only by root, as the log files may contain sensitive + information. + + The configuration file should be placed in a directory + readable and writeable only by root, as the configuration file + controls security for the services offered by the server. The + configuration file can be made readable by all if desired, but + this is not necessary for correct operation of the server and is + not recommended. A sample configuration file smb.conf.sample + is supplied with the source to the server - this may + be renamed to smb.conf and modified to suit + your needs. + + The remaining notes will assume the following: + + + smbd (the server program) + installed in /usr/local/samba/bin + + + smb.conf (the configuration + file) installed in /usr/local/samba/lib + + + log files stored in /var/adm/smblogs + + + + The server may be run either as a daemon by users + or at startup, or it may be run from a meta-daemon such as + inetd upon request. If run as a daemon, + the server will always be ready, so starting sessions will be + faster. If run from a meta-daemon some memory will be saved and + utilities such as the tcpd TCP-wrapper may be used for extra + security. For serious use as file server it is recommended + that smbd be run as a daemon. + + When you've decided, continue with either + + + RUNNING THE SERVER AS A DAEMON or + RUNNING THE SERVER ON REQUEST. + + + + + RUNNING THE SERVER AS A DAEMON + + To run the server as a daemon from the command + line, simply put the -D option on the + command line. There is no need to place an ampersand at + the end of the command line - the -D + option causes the server to detach itself from the tty + anyway. + + Any user can run the server as a daemon (execute + permissions permitting, of course). This is useful for + testing purposes, and may even be useful as a temporary + substitute for something like ftp. When run this way, however, + the server will only have the privileges of the user who ran + it. + + To ensure that the server is run as a daemon whenever + the machine is started, and to ensure that it runs as root + so that it can serve multiple clients, you will need to modify + the system startup files. Wherever appropriate (for example, in + /etc/rc), insert the following line, + substituting port number, log file location, configuration file + location and debug level as desired: + + /usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log + -s /usr/local/samba/lib/smb.conf + + (The above should appear in your initialization script + as a single line. Depending on your terminal characteristics, + it may not appear that way in this man page. If the above appears + as more than one line, please treat any newlines or indentation + as a single space or TAB character.) + + If the options used at compile time are appropriate for + your system, all parameters except -D may + be omitted. See the section OPTIONS above. + + + + RUNNING THE SERVER ON REQUEST + + If your system uses a meta-daemon such as inetd + , you can arrange to have the smbd server started + whenever a process attempts to connect to it. This requires several + changes to the startup files on the host machine. If you are + experimenting as an ordinary user rather than as root, you will + need the assistance of your system administrator to modify the + system files. + + You will probably want to set up the NetBIOS name server + nmbd at + the same time as smbd. To do this refer to the + man page for nmbd(8) + . + + First, ensure that a port is configured in the file + /etc/services. The well-known port 139 + should be used if possible, though any port may be used. + + Ensure that a line similar to the following is in + /etc/services: + + netbios-ssn 139/tcp + + Note for NIS/YP users - you may need to rebuild the + NIS service maps rather than alter your local /etc/services + file. + + Next, put a suitable line in the file /etc/inetd.conf + (in the unlikely event that you are using a meta-daemon + other than inetd, you are on your own). Note that the first item + in this line matches the service name in /etc/services + . Substitute appropriate values for your system + in this line (see inetd(8)): + + netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd + -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf + + (The above should appear in /etc/inetd.conf + as a single line. Depending on your terminal characteristics, it may + not appear that way in this man page. If the above appears as more + than one line, please treat any newlines or indentation as a single + space or TAB character.) + + Note that there is no need to specify a port number here, + even if you are using a non-standard port number. + + Lastly, edit the configuration file to provide suitable + services. To start with, the following two services should be + all you need: + + + + [homes] + writeable = yes + + [printers] + writeable = no + printable = yes + path = /tmp + public = yes + + + + This will allow you to connect to your home directory + and print to any printer supported by the host (user privileges + permitting). + + + + TESTING THE INSTALLATION + + If running the server as a daemon, execute it before + proceeding. If using a meta-daemon, either restart the system + or kill and restart the meta-daemon. Some versions of + inetd will reread their configuration + tables if they receive a HUP signal. + + If your machine's name is "fred" and your + name is "mary", you should now be able to connect + to the service \\fred\mary. + + + To properly test and experiment with the server, we + recommend using the smbclient program (see + smbclient(1)) + and also going through the steps outlined in the file + DIAGNOSIS.txt in the docs/ + directory of your Samba installation. + + + + VERSION + + This man page is correct for version 2.2 of + the Samba suite. + + + + DIAGNOSTICS + + Most diagnostics issued by the server are logged + in a specified log file. The log file name is specified + at compile time, but may be overridden on the command line. + + The number and nature of diagnostics available depends + on the debug level used by the server. If you have problems, set + the debug level to 3 and peruse the log files. + + Most messages are reasonably self-explanatory. Unfortunately, + at the time this man page was created, there are too many diagnostics + available in the source code to warrant describing each and every + diagnostic. At this stage your best bet is still to grep the + source code and inspect the conditions that gave rise to the + diagnostics you are seeing. + + + + SIGNALS + + Sending the smbd a SIGHUP will cause it to + re-load its smb.conf configuration + file within a short period of time. + + To shut down a users smbd process it is recommended + that SIGKILL (-9) NOT + be used, except as a last resort, as this may leave the shared + memory area in an inconsistent state. The safe way to terminate + an smbd is to send it a SIGTERM (-15) signal and wait for + it to die on its own. + + The debug log level of smbd may be raised by sending + it a SIGUSR1 (kill -USR1 <smbd-pid>) + and lowered by sending it a SIGUSR2 (kill -USR2 <smbd-pid> + ). This is to allow transient problems to be diagnosed, + whilst still running at a normally low log level. + + Note that as the signal handlers send a debug write, + they are not re-entrant in smbd. This you should wait until + smbd is in a state of waiting for an incoming smb before + issuing them. It is possible to make the signal handlers safe + by un-blocking the signals before the select call and re-blocking + them after, however this would affect performance. + + + + SEE ALSO + hosts_access(5), inetd(8), + nmbd(8), + smb.conf(5) + , smbclient(1) + , + testparm(1), + testprns(1), and the Internet RFC's + rfc1001.txt, rfc1002.txt. + In addition the CIFS (formerly SMB) specification is available + as a link from the Web page + http://samba.org/cifs/. + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter + + + diff --git a/docs/docbook/nmbd.8.sgml b/docs/docbook/nmbd.8.sgml deleted file mode 100644 index 0188bca748..0000000000 --- a/docs/docbook/nmbd.8.sgml +++ /dev/null @@ -1,343 +0,0 @@ - - - - - nmbd - 8 - - - - - nmbd - NetBIOS name server to provide NetBIOS - over IP naming services to clients - - - - - smbd - -D - -a - -o - -P - -h - -V - -d <debug level> - -H <lmhosts file> - -l <log file> - -n <primary netbios name> - -p <port number> - -s <configuration file> - - - - - DESCRIPTION - This program is part of the Samba suite. - - nmbd is a server that understands - and can reply to NetBIOS over IP name service requests, like - those produced by SMBD/CIFS clients such as Windows 95/98/ME, - Windows NT, Windows 2000, and LanManager clients. It also - participates in the browsing protocols which make up the - Windows "Network Neighborhood" view. - - SMB/CIFS clients, when they start up, may wish to - locate an SMB/CIFS server. That is, they wish to know what - IP number a specified host is using. - - Amongst other services, nmbd will - listen for such requests, and if its own NetBIOS name is - specified it will respond with the IP number of the host it - is running on. Its "own NetBIOS name" is by - default the primary DNS name of the host it is running on, - but this can be overridden with the -n - option (see OPTIONS below). Thus nmbd will - reply to broadcast queries for its own name(s). Additional - names for nmbd to respond on can be set - via parameters in the - smb.conf(5) configuration file. - - nmbd can also be used as a WINS - (Windows Internet Name Server) server. What this basically means - is that it will act as a WINS database server, creating a - database from name registration requests that it receives and - replying to queries from clients for these names. - - In addition, nmbd can act as a WINS - proxy, relaying broadcast queries from clients that do - not understand how to talk the WINS protocol to a WIN - server. - - - - OPTIONS - - - - -D - If specified, this parameter causes - nmbd to operate as a daemon. That is, - it detaches itself and runs in the background, fielding - requests on the appropriate port. By default, nmbd - will operate as a daemon if launched from a command shell. - nmbd can also be operated from the inetd - meta-daemon, although this is not recommended. - - - - - -a - If this parameter is specified, each new - connection will append log messages to the log file. - This is the default. - - - - -o - If this parameter is specified, the - log files will be overwritten when opened. By default, - smbd will append entries to the log - files. - - - - -h - Prints the help information (usage) - for nmbd. - - - - -H <filename> - NetBIOS lmhosts file. The lmhosts - file is a list of NetBIOS names to IP addresses that - is loaded by the nmbd server and used via the name - resolution mechanism - name resolve order described in smb.conf(5) - to resolve any NetBIOS name queries needed by the server. Note - that the contents of this file are NOT - used by nmbd to answer any name queries. - Adding a line to this file affects name NetBIOS resolution - from this host ONLY. - - The default path to this file is compiled into - Samba as part of the build process. Common defaults - are /usr/local/samba/lib/lmhosts, - /usr/samba/lib/lmhosts or - /etc/lmhosts. See the - lmhosts(5) man page for details on the - contents of this file. - - - - -V - Prints the version number for - nmbd. - - - - -d <debug level> - debuglevel is an integer - from 0 to 10. The default value if this parameter is - not specified is zero. - - The higher this value, the more detail will - be logged to the log files about the activities of the - server. At level 0, only critical errors and serious - warnings will be logged. Level 1 is a reasonable level for - day to day running - it generates a small amount of - information about operations carried out. - - Levels above 1 will generate considerable amounts - of log data, and should only be used when investigating - a problem. Levels above 3 are designed for use only by developers - and generate HUGE amounts of log data, most of which is extremely - cryptic. - - Note that specifying this parameter here will override - the log level - parameter in the - smb.conf file. - - - - -l <log file> - The -l parameter specifies a path - and base filename into which operational data from - the running nmbd server will - be logged. The actual log file name is generated by - appending the extension ".nmb" to the specified base - name. For example, if the name specified was "log" - then the file log.nmb would contain the debugging data. - - The default log file path is compiled into Samba as - part of the build process. Common defaults are - /usr/local/samba/var/log.nmb, - /usr/samba/var/log.nmb or - /var/log/log.nmb. - - - - - -n <primary NetBIOS name> - This option allows you to override - the NetBIOS name that Samba uses for itself. This is identical - to setting the - NetBIOS name parameter in the - smb.conf file. However, a command - line setting will take precedence over settings in - smb.conf. - - - - - -p <UDP port number> - UDP port number is a positive integer value. - This option changes the default UDP port number (normally 137) - that nmbd responds to name queries on. Don't - use this option unless you are an expert, in which case you - won't need help! - - - - -s <configuration file> - The default configuration file name - is set at build time, typically as - /usr/local/samba/lib/smb.conf, but - this may be changed when Samba is autoconfigured. - - The file specified contains the configuration details - required by the server. See - smb.conf(5) for more information. - - - - - - - FILES - - - - /etc/inetd.conf - If the server is to be run by the - inetd meta-daemon, this file - must contain suitable startup information for the - meta-daemon. See the section INSTALLATION below. - - - - - /etc/rc - or whatever initialization script your - system uses). - - If running the server as a daemon at startup, - this file will need to contain an appropriate startup - sequence for the server. See the section INSTALLATION - below. - - - - /etc/services - If running the server via the - meta-daemon inetd, this file - must contain a mapping of service name (e.g., netbios-ssn) - to service port (e.g., 139) and protocol type (e.g., tcp). - See the section INSTALLATION below. - - - - /usr/local/samba/lib/smb.conf - This is the default location of the - smb.conf - server configuration file. Other common places that systems - install this file are /usr/samba/lib/smb.conf - and /etc/smb.conf. - - When run as a WINS server (see the - wins support - parameter in the - smb.conf(5) man page), nmbd - will store the WINS database in the file wins.dat - in the var/locks directory configured under - wherever Samba was configured to install itself. - - If nmbd is acting as a - browse master (see the local master - parameter in the - smb.conf(5) man page), nmbd - will store the browsing database in the file browse.dat - in the var/locks directory - configured under wherever Samba was configured to install itself. - - - - - - - SIGNALS - - To shut down an nmbd process it is recommended - that SIGKILL (-9) NOT be used, except as a last - resort, as this may leave the name database in an inconsistent state. - The correct way to terminate nmbd is to send it - a SIGTERM (-15) signal and wait for it to die on its own. - - nmbd will accept SIGHUP, which will cause - it to dump out it's namelists into the file namelist.debug - in the /usr/local/samba/var/locks - directory (or the var/locks directory configured - under wherever Samba was configured to install itself). This will also - cause nmbd to dump out it's server database in - the log.nmb file. In addition, the debug log level - of nmbd may be raised by sending it a SIGUSR1 (kill -USR1 - <nmbd-pid>) and lowered by sending it a - SIGUSR2 (kill -USR2 <nmbd-pid>). This is to - allow transient problems to be diagnosed, whilst still running at a - normally low log level. - - - - - VERSION - - This man page is correct for version 2.2 of - the Samba suite. - - - - SEE ALSO - inetd(8), smbd(8), - smb.conf(5) - , smbclient(1) - , - testparm(1), - testprns(1), and the Internet RFC's - rfc1001.txt, rfc1002.txt. - In addition the CIFS (formerly SMB) specification is available - as a link from the Web page - http://samba.org/cifs/. - - - - AUTHOR - - The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed. - - The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter - - - diff --git a/docs/docbook/samba.7.sgml b/docs/docbook/samba.7.sgml deleted file mode 100644 index a27b52ca94..0000000000 --- a/docs/docbook/samba.7.sgml +++ /dev/null @@ -1,213 +0,0 @@ - - - - - samba - 7 - - - - - SAMBA - A Windows SMB/CIFS fileserver for UNIX - - - - Samba - - - - DESCRIPTION - - The Samba software suite is a collection of programs - that implements the Server Message Block (commonly abbreviated - as SMB) protocol for UNIX systems. This protocol is sometimes - also referred to as the Common Internet File System (CIFS), - LanManager or NetBIOS protocol. - - - - smbd - The smbd - daemon provides the file and print services to - SMB clients, such as Windows 95/98, Windows NT, Windows - for Workgroups or LanManager. The configuration file - for this daemon is described in smb.conf - - - - - nmbd - The nmbd - daemon provides NetBIOS nameserving and browsing - support. The configuration file for this daemon - is described in smb.conf - - - - - smbclient - The smbclient - program implements a simple ftp-like client. This - is useful for accessing SMB shares on other compatible - servers (such as Windows NT), and can also be used - to allow a UNIX box to print to a printer attached to - any SMB server (such as a PC running Windows NT). - - - - - testparm - The testparm - utility is a simple syntax checker for Samba's - smb.confconfiguration file. - - - - - testprns - The testprns - utility supports testing printer names defined - in your printcap> file used - by Samba. - - - - - smbstatus - The smbstatus - tool provides access to information about the - current connections to smbd. - - - - - nmblookup - The nmblookup - tools allows NetBIOS name queries to be made - from a UNIX host. - - - - - make_smbcodepage - The make_smbcodepage - utility provides a means of creating SMB code page - definition files for your smbd server. - - - - - smbpasswd - The smbpasswd - command is a tool for changing LanMan and Windows NT - password hashes on Samba and Windows NT servers. - - - - - - - - COMPONENTS - - The Samba suite is made up of several components. Each - component is described in a separate manual page. It is strongly - recommended that you read the documentation that comes with Samba - and the manual pages of those components that you use. If the - manual pages aren't clear enough then please send a patch or - bug report to - samba@samba.org - - - - - - - AVAILABILITY - - The Samba software suite is licensed under the - GNU Public License(GPL). A copy of that license should - have come with the package in the file COPYING. You are - encouraged to distribute copies of the Samba suite, but - please obey the terms of this license. - - The latest version of the Samba suite can be - obtained via anonymous ftp from samba.org in the - directory pub/samba/. It is also available on several - mirror sites worldwide. - - You may also find useful information about Samba - on the newsgroup - comp.protocol.smb and the Samba mailing - list. Details on how to join the mailing list are given in - the README file that comes with Samba. - - If you have access to a WWW viewer (such as Netscape - or Mosaic) then you will also find lots of useful information, - including back issues of the Samba mailing list, at - http://lists.samba.org. - - - - VERSION - - This man page is correct for version 2.2 of the - Samba suite. - - - - CONTRIBUTIONS - - If you wish to contribute to the Samba project, - then I suggest you join the Samba mailing list at - http://lists.samba.org. - - - If you have patches to submit or bugs to report - then you may mail them directly to samba-patches@samba.org. - Note, however, that due to the enormous popularity of this - package the Samba Team may take some time to respond to mail. We - prefer patches in diff -u format. - - - - CONTRIBUTORS - - Contributors to the project are now too numerous - to mention here but all deserve the thanks of all Samba - users. To see a full list, look at - ftp://samba.org/pub/samba/alpha/change-log - for the pre-CVS changes and at - ftp://samba.org/pub/samba/alpha/cvs.log - for the contributors to Samba post-CVS. CVS is the Open Source - source code control system used by the Samba Team to develop - Samba. The project would have been unmanageable without it. - - In addition, several commercial organizations now help - fund the Samba Team with money and equipment. For details see - the Samba Web pages at - http://samba.org/samba/samba-thanks.html. - - - - AUTHOR - - The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed. - - The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter - - - diff --git a/docs/docbook/smb.conf.5.sgml b/docs/docbook/smb.conf.5.sgml deleted file mode 100644 index a00ca178db..0000000000 --- a/docs/docbook/smb.conf.5.sgml +++ /dev/null @@ -1,7435 +0,0 @@ - - - - - smb.conf - 5 - - - - - smb.conf - The configuration file for the Samba suite - - - - SYNOPSIS - - The smb.conf file is a configuration - file for the Samba suite. smb.conf contains - runtime configuration information for the Samba programs. The - smb.conf file is designed to be configured and - administered by the swat(8) - program. The complete description of the file format and - possible parameters held within are here for reference purposes. - - - - FILE FORMAT - - The file consists of sections and parameters. A section - begins with the name of the section in square brackets and continues - until the next section begins. Sections contain parameters of the - form - - name = value - - - The file is line-based - that is, each newline-terminated - line represents either a comment, a section name or a parameter. - - Section and parameter names are not case sensitive. - - Only the first equals sign in a parameter is significant. - Whitespace before or after the first equals sign is discarded. - Leading, trailing and internal whitespace in section and parameter - names is irrelevant. Leading and trailing whitespace in a parameter - value is discarded. Internal whitespace within a parameter value - is retained verbatim. - - Any line beginning with a semicolon (';') or a hash ('#') - character is ignored, as are lines containing only whitespace. - - Any line ending in a '\' is continued - on the next line in the customary UNIX fashion. - - The values following the equals sign in parameters are all - either a string (no quotes needed) or a boolean, which may be given - as yes/no, 0/1 or true/false. Case is not significant in boolean - values, but is preserved in string values. Some items such as - create modes are numeric. - - - - SECTION DESCRIPTIONS - - Each section in the configuration file (except for the - [global] section) describes a shared resource (known - as a "share"). The section name is the name of the - shared resource and the parameters within the section define - the shares attributes. - - There are three special sections, [global], - [homes] and [printers], which are - described under special sections. The - following notes apply to ordinary section descriptions. - - A share consists of a directory to which access is being - given plus a description of the access rights which are granted - to the user of the service. Some housekeeping options are - also specifiable. - - Sections are either filespace services (used by the - client as an extension of their native file systems) or - printable services (used by the client to access print services - on the host running the server). - - Sections may be designated guest services, - in which case no password is required to access them. A specified - UNIX guest account is used to define access - privileges in this case. - - Sections other than guest services will require a password - to access them. The client provides the username. As older clients - only provide passwords and not usernames, you may specify a list - of usernames to check against the password using the "user=" - option in the share definition. For modern clients such as - Windows 95/98/ME/NT/2000, this should not be necessary. - - Note that the access rights granted by the server are - masked by the access rights granted to the specified or guest - UNIX user by the host system. The server does not grant more - access than the host system grants. - - The following sample section defines a file space share. - The user has write access to the path /home/bar. - The share is accessed via the share name "foo": - - - - [foo] - path = /home/bar - writeable = true - - - - The following sample section defines a printable share. - The share is readonly, but printable. That is, the only write - access permitted is via calls to open, write to and close a - spool file. The guest ok parameter means - access will be permitted as the default guest user (specified - elsewhere): - - - - [aprinter] - path = /usr/spool/public - writeable = false - printable = true - guest ok = true - - - - - - SPECIAL SECTIONS - - - The [global] section - - parameters in this section apply to the server - as a whole, or are defaults for sections which do not - specifically define certain items. See the notes - under paraMETERS for more information. - - - - The [homes] section - - If a section called homes is included in the - configuration file, services connecting clients to their - home directories can be created on the fly by the server. - - When the connection request is made, the existing - sections are scanned. If a match is found, it is used. If no - match is found, the requested section name is treated as a - user name and looked up in the local password file. If the - name exists and the correct password has been given, a share is - created by cloning the [homes] section. - - Some modifications are then made to the newly - created share: - - - The share name is changed from homes to - the located username. - - If no path was given, the path is set to - the user's home directory. - - - If you decide to use a path= line - in your [homes] section then you may find it useful - to use the %S macro. For example : - - path=/data/pchome/%S - - would be useful if you have different home directories - for your PCs than for UNIX access. - - This is a fast and simple way to give a large number - of clients access to their home directories with a minimum - of fuss. - - A similar process occurs if the requested section - name is "homes", except that the share name is not - changed to that of the requesting user. This method of using - the [homes] section works well if different users share - a client PC. - - The [homes] section can specify all the parameters - a normal service section can specify, though some make more sense - than others. The following is a typical and suitable [homes] - section: - - - - [homes] - writeable = yes - - - - An important point is that if guest access is specified - in the [homes] section, all home directories will be - visible to all clients without a password. - In the very unlikely event that this is actually desirable, it - would be wise to also specify read only - access. - - Note that the browseable flag for - auto home directories will be inherited from the global browseable - flag, not the [homes] browseable flag. This is useful as - it means setting browseable=no in the [homes] section - will hide the [homes] share but make any auto home - directories visible. - - - - The [printers] section - - This section works like [homes], - but for printers. - - If a [printers] section occurs in the - configuration file, users are able to connect to any printer - specified in the local host's printcap file. - - When a connection request is made, the existing sections - are scanned. If a match is found, it is used. If no match is found, - but a [homes] section exists, it is used as described - above. Otherwise, the requested section name is treated as a - printer name and the appropriate printcap file is scanned to see - if the requested section name is a valid printer share name. If - a match is found, a new printer share is created by cloning - the [printers] section. - - A few modifications are then made to the newly created - share: - - - The share name is set to the located printer - name - - If no printer name was given, the printer name - is set to the located printer name - - If the share does not permit guest access and - no username was given, the username is set to the located - printer name. - - - Note that the [printers] service MUST be - printable - if you specify otherwise, the server will refuse - to load the configuration file. - - Typically the path specified would be that of a - world-writeable spool directory with the sticky bit set on - it. A typical [printers] entry would look like - this: - - - [printers] - path = /usr/spool/public - guest ok = yes - printable = yes - - - All aliases given for a printer in the printcap file - are legitimate printer names as far as the server is concerned. - If your printing subsystem doesn't work like that, you will have - to set up a pseudo-printcap. This is a file consisting of one or - more lines like this: - - - - alias|alias|alias|alias... - - - - Each alias should be an acceptable printer name for - your printing subsystem. In the [global] section, specify - the new file as your printcap. The server will then only recognize - names found in your pseudo-printcap, which of course can contain - whatever aliases you like. The same technique could be used - simply to limit access to a subset of your local printers. - - An alias, by the way, is defined as any component of the - first entry of a printcap record. Records are separated by newlines, - components (if there are more than one) are separated by vertical - bar symbols ('|'). - - NOTE: On SYSV systems which use lpstat to determine what - printers are defined on the system you may be able to use - "printcap name = lpstat" to automatically obtain a list - of printers. See the "printcap name" option - for more details. - - - - - paraMETRS - - parameters define the specific attributes of sections. - - Some parameters are specific to the [global] section - (e.g., security). Some parameters are usable - in all sections (e.g., create mode). All others - are permissible only in normal sections. For the purposes of the - following descriptions the [homes] and [printers] - sections will be considered normal. The letter G - in parentheses indicates that a parameter is specific to the - [global] section. The letter S - indicates that a parameter can be specified in a service specific - section. Note that all S parameters can also be specified in - the [global] section - in which case they will define - the default behavior for all services. - - parameters are arranged here in alphabetical order - this may - not create best bedfellows, but at least you can find them! Where - there are synonyms, the preferred synonym is described, others refer - to the preferred synonym. - - - - VARIABLE SUBSTITUTIONS - - Many of the strings that are settable in the config file - can take substitutions. For example the option "path = - /tmp/%u" would be interpreted as "path = - /tmp/john" if the user connected with the username john. - - These substitutions are mostly noted in the descriptions below, - but there are some general substitutions which apply whenever they - might be relevant. These are: - - - - %S - the name of the current service, if any. - - - - - %P - the root directory of the current service, - if any. - - - - %u - user name of the current service, if any. - - - - - %g - primary group name of %u. - - - - %U - session user name (the user name that the client - wanted, not necessarily the same as the one they got). - - - - %G - primary group name of %U. - - - - %H - the home directory of the user given - by %u. - - - - %v - the Samba version. - - - - %h - the internet hostname that Samba is running - on. - - - - %m - the NetBIOS name of the client machine - (very useful). - - - - %L - the NetBIOS name of the server. This allows you - to change your config based on what the client calls you. Your - server can have a "dual personality". - - - - %M - the internet name of the client machine. - - - - - %N - the name of your NIS home directory server. - This is obtained from your NIS auto.map entry. If you have - not compiled Samba with the --with-automount - option then this value will be the same as %. - - - - - %p - the path of the service's home directory, - obtained from your NIS auto.map entry. The NIS auto.map entry - is split up as "%N:%p". - - - - %R - the selected protocol level after - protocol negotiation. It can be one of CORE, COREPLUS, - LANMAN1, LANMAN2 or NT1. - - - - %d - The process id of the current server - process. - - - - %a - the architecture of the remote - machine. Only some are recognized, and those may not be - 100% reliable. It currently recognizes Samba, WfWg, - WinNT and Win95. Anything else will be known as - "UNKNOWN". If it gets it wrong then sending a level - 3 log to samba@samba.org - should allow it to be fixed. - - - - %I - The IP address of the client machine. - - - - - %T - the current date and time. - - - - %$(envvar) - The value of the environment variable - envar. - - - - There are some quite creative things that can be done - with these substitutions and other smb.conf options. - - - NAME MANGLING - - Samba supports "name mangling" so that DOS and - Windows clients can use files that don't conform to the 8.3 format. - It can also be set to adjust the case of 8.3 format filenames. - - There are several options that control the way mangling is - performed, and they are grouped here rather than listed separately. - For the defaults look at the output of the testparm program. - - All of these options can be set separately for each service - (or globally, of course). - - The options are: - - - - - mangle case= yes/no - controls if names that have characters that - aren't of the "default" case are mangled. For example, - if this is yes then a name like "Mail" would be mangled. - Default no. - - - - case sensitive = yes/no - controls whether filenames are case sensitive. If - they aren't then Samba must do a filename search and match on passed - names. Default no. - - - - default case = upper/lower - controls what the default case is for new - filenames. Default lower. - - - - preserve case = yes/no - controls if new files are created with the - case that the client passes, or if they are forced to be the - "default" case. Default yes. - - - - - short preserve case = yes/no - controls if new files which conform to 8.3 syntax, - that is all in upper case and of suitable length, are created - upper case, or if they are forced to be the "default" - case. This option can be use with "preserve case = yes" - to permit long filenames to retain their case, while short names - are lowered. Default yes. - - - - By default, Samba 2.2 has the same semantics as a Windows - NT server, in that it is case insensitive but case preserving. - - - - - NOTE ABOUT USERNAME/PASSWORD VALIDATION - - There are a number of ways in which a user can connect - to a service. The server follows the following steps in determining - if it will allow a connection to a specified service. If all the - steps fail then the connection request is rejected. If one of the - steps pass then the following steps are not checked. - - If the service is marked "guest only = yes" then - steps 1 to 5 are skipped. - - - If the client has passed a username/password - pair and that username/password pair is validated by the UNIX - system's password programs then the connection is made as that - username. Note that this includes the - \\server\service%username method of passing - a username. - - If the client has previously registered a username - with the system and now supplies a correct password for that - username then the connection is allowed. - - The client's netbios name and any previously - used user names are checked against the supplied password, if - they match then the connection is allowed as the corresponding - user. - - If the client has previously validated a - username/password pair with the server and the client has passed - the validation token then that username is used. - - If a "user = " field is given in the - smb.conf file for the service and the client - has supplied a password, and that password matches (according to - the UNIX system's password checking) with one of the usernames - from the "user=" field then the connection is made as - the username in the "user=" line. If one - of the username in the "user=" list begins with a - '@' then that name expands to a list of names in - the group of the same name. - - If the service is a guest service then a - connection is made as the username given in the "guest - account =" for the service, irrespective of the - supplied password. - - - - - - COMPLETE LIST OF GLOBAL PARAMETERS - - Here is a list of all global parameters. See the section of - each parameter for details. Note that some are synonyms. - - - add user script - allow trusted domains - announce as - announce version - auto services - bind interfaces only - browse list - change notify timeout - character set - client code page - coding system - config file - deadtime - debug hires timestamp - debug pid - debug timestamp - debug uid - debug level - default - default service - delete user script - dfree command - dns proxy - domain admin group - domain admin users - domain groups - domain guest group - domain guest users - domain logons - domain master - encrypt passwords - getwd cache - hide local users - homedir map - hosts equiv - interfaces - keepalive - kernel oplocks - lm announce - lm interval - load printers - local master - lock dir - lock directory - log file - log level - logon drive - logon home - logon path - logon script - lpq cache time - machine password timeout - mangled stack - map to guest - max disk size - max log size - max mux - max open files - max packet - max ttl - max wins ttl - max xmit - message command - min passwd length - min password length - min wins ttl - name resolve order - netbios aliases - netbios name - netbios scope - nis homedir - nt acl support - nt pipe support - nt smb support - null passwords - ole locking compatibility - oplock break wait time - os level - panic action - passwd chat - passwd chat debug - passwd program - password level - password server - prefered master - preferred master - preload - printcap - printcap name - printer driver file - private dir - protocol - read bmpx - read prediction - read raw - read size - remote announce - remote browse sync - restrict anonymous - root - root dir - root directory - security - server string - shared mem size - smb passwd file - smbrun - socket address - socket options - source environment - ssl - ssl CA certDir - ssl CA certFile - ssl ciphers - ssl client cert - ssl client key - ssl compatibility - ssl hosts - ssl hosts resign - ssl require clientcert - ssl require servercert - ssl server cert - ssl server key - ssl version - stat cache - stat cache size - strip dot - syslog - syslog only - template homedir - template shell - time offset - time server - timestamp logs - unix password sync - unix realname - update encrypted - use rhosts - username level - username map - utmp directory - valid chars - winbind cache time - winbind gid - winbind uid - wins hook - wins proxy - wins server - wins support - workgroup - write raw - - - - - - COMPLETE LIST OF SERVICE PARAMETERS - - Here is a list of all service parameters. See the section of - each parameter for details. Note that some are synonyms. - - - admin users - allow hosts - alternate permissions - available - blocking locks - browsable - browseable - case sensitive - casesignames - comment - copy - create mask - create mode - default case - delete readonly - delete veto files - deny hosts - directory - directory mask - directory mode - directory security mask - dont descend - dos filetime resolution - dos filetimes - exec - fake directory create times - fake oplocks - follow symlinks - force create mode - force directory mode - force directory security mode - force group - force security mode - force user - fstype - group - guest account - guest ok - guest only - hide dot files - hide files - hosts allow - hosts deny - include - inherit permissions - invalid users - level2 oplocks - locking - lppause command - lpq command - lpresume command - lprm command - magic output - magic script - mangle case - mangle locks - mangled map - mangled names - mangling char - map archive - map hidden - map system - max connections - min print space - only guest - only user - oplock contention limit - oplocks - path - postexec - postscript - preexec - preexec close - preserve case - print command - print ok - printable - printer - printer admin - printer driver - printer driver location - printer name - printing - public - queuepause command - queueresume command - read list - read only - root postexec - root preexec - root preexec close - security mask - set directory - share modes - short preserve case - status - strict locking - strict sync - sync always - user - username - users - utmp - valid users - veto files - veto oplock files - volume - wide links - writable - write cache size - write list - write ok - writeable - - - - - - EXPLANATION OF EACH PARAMETER - - - - - add user script (G) - This is the full pathname to a script that will - be run AS ROOT by smbd(8) - under special circumstances decribed below. - - Normally, a Samba server requires that UNIX users are - created for all users accessing files on this server. For sites - that use Windows NT account databases as their primary user database - creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users - ON DEMAND when a user accesses the Samba server. - - In order to use this option, smbd - must be set to security=server or - security=domain and add user script - must be set to a full pathname for a script that will create a UNIX - user given one argument of %u, which expands into - the UNIX user name to create. - - When the Windows user attempts to access the Samba server, - at login (session setup in the SMB protocol) time, - smbd contacts the password server and - attempts to authenticate the given user with the given password. If the - authentication succeeds then smbd - attempts to find a UNIX user in the UNIX password database to map the - Windows user into. If this lookup fails, and add user script - is set then smbd will - call the specified script AS ROOT, expanding - any %u argument to be the user name to create. - - If this script successfully creates the user then smbd will continue on as though the UNIX user - already existed. In this way, UNIX users are dynamically created to - match existing Windows NT accounts. - - See also - security, - password server, delete user - script. - - Default: add user script = <empty string> - - - Example: add user script = /usr/local/samba/bin/add_user - %u - - - - - - - admin users (S) - This is a list of users who will be granted - administrative privileges on the share. This means that they - will do all file operations as the super-user (root). - - You should use this option very carefully, as any user in - this list will be able to do anything they like on the share, - irrespective of file permissions. - - Default: no admin users - - Example: admin users = jason - - - - - - - allow hosts (S) - Synonym for - hosts allow. - - - - - - allow trusted domains (G) - This option only takes effect when the security option is set to - server or domain. - If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which smbd is running - in will fail, even if that domain is trusted by the remote server - doing the authentication. - - This is useful if you only want your Samba server to - serve resources to users in the domain it is a member of. As - an example, suppose that there are two domains DOMA and DOMB. DOMB - is trusted by DOMA, which contains the Samba server. Under normal - circumstances, a user with an account in DOMB can then access the - resources of a UNIX account with the same account name on the - Samba server even if they do not have an account in DOMA. This - can make implementing a security boundary difficult. - - Default: allow trusted domains = yes - - - - - - - - announce as (G) - This specifies what type of server - nmbd - will announce itself as, to a network neighborhood browse - list. By default this is set to Windows NT. The valid options - are : "NT" (which is a synonym for "NT Server"), "NT Server", - "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, - Windows NT Workstation, Windows 95 and Windows for Workgroups - respectively. Do not change this parameter unless you have a - specific need to stop Samba appearing as an NT server as this - may prevent Samba servers from participating as browser servers - correctly. - - Default: announce as = NT Server - - Example: announce as = Win95 - - - - - - - annouce version (G) - This specifies the major and minor version numbers - that nmbd will use when announcing itself as a server. The default - is 4.2. Do not change this parameter unless you have a specific - need to set a Samba server to be a downlevel server. - - Default: announce version = 4.2 - - Example: announce version = 2.0 - - - - - - - auto services (G) - This is a list of services that you want to be - automatically added to the browse lists. This is most useful - for homes and printers services that would otherwise not be - visible. - - Note that if you just want all printers in your - printcap file loaded then the - load printers option is easier. - - Default: no auto services - - Example: auto services = fred lp colorlp - - - - - - - available (S) - This parameter lets you "turn off" a service. If - available = no, then ALL - attempts to connect to the service will fail. Such failures are - logged. - - Default: available = yes - - - - - - - - bind interfaces only (G) - This global parameter allows the Samba admin - to limit what interfaces on a machine will serve smb requests. If - affects file service smbd(8) and - name service nmbd(8) in slightly - different ways. - - For name service it causes nmbd to bind - to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd - also binds to the "all addresses" interface (0.0.0.0) - on ports 137 and 138 for the purposes of reading broadcast messages. - If this option is not set then nmbd will service - name requests on all of these sockets. If bind interfaces - only is set then nmbd will check the - source address of any packets coming in on the broadcast sockets - and discard any that don't match the broadcast addresses of the - interfaces in the interfaces parameter list. - As unicast packets are received on the other sockets it allows - nmbd to refuse to serve names to machines that - send packets that arrive through any interfaces not listed in the - interfaces list. IP Source address spoofing - does defeat this simple check, however so it must not be used - seriously as a security feature for nmbd. - - For file service it causes smbd(8) - to bind only to the interface list given in the - interfaces parameter. This restricts the networks that - smbd will serve to packets coming in those - interfaces. Note that you should not use this parameter for machines - that are serving PPP or other intermittent or non-broadcast network - interfaces as it will not cope with non-permanent interfaces. - - If bind interfaces only is set then - unless the network address 127.0.0.1 is added - to the interfaces parameter list smbpasswd(8) - and swat(8) may - not work as expected due to the reasons covered below. - - To change a users SMB password, the smbpasswd - by default connects to the localhost - 127.0.0.1 - address as an SMB client to issue the password change request. If - bind interfaces only is set then unless the - network address 127.0.0.1 is added to the - interfaces parameter list then - smbpasswd will fail to connect in it's default mode. - smbpasswd can be forced to use the primary IP interface - of the local host by using its - -r remote machine - parameter, with remote machine set - to the IP name of the primary interface of the local host. - - The swat status page tries to connect with - smbd and nmbd at the address - 127.0.0.1 to determine if they are running. - Not adding 127.0.0.1 will cause - smbd and nmbd to always show - "not running" even if they really are. This can prevent - swat from starting/stopping/restarting smbd - and nmbd. - - Default: bind interfaces only = no - - - - - - - - blocking locks (S) - This parameter controls the behavior of smbd(8) when given a request by a client - to obtain a byte range lock on a region of an open file, and the - request has a time limit associated with it. - - If this parameter is set and the lock range requested - cannot be immediately satisfied, Samba 2.2 will internally - queue the lock request, and periodically attempt to obtain - the lock until the timeout period expires. - - If this parameter is set to False, then - Samba 2.2 will behave as previous versions of Samba would and - will fail the lock request immediately if the lock range - cannot be obtained. - - Default: blocking locks = yes - - - - - - - - browsable (S) - See the - browseable. - - - - - - browse list (G) - This controls whether - smbd(8) will serve a browse list to - a client doing a NetServerEnum call. Normally - set to true. You should never need to change - this. - - Default: browse list = yes - - - - - - browseable (S) - This controls whether this share is seen in - the list of available shares in a net view and in the browse list. - - Default: browseable = yes - - - - - - - case sensitive (S) - See the discussion in the section NAME MANGLING. - - - - - - casesignames (S) - Synonym for case - sensitive. - - - - - - change notify timeout (G) - This SMB allows a client to tell a server to - "watch" a particular directory for any changes and only reply to - the SMB request when a change has occurred. Such constant scanning of - a directory is expensive under UNIX, hence an - smbd(8) daemon only performs such a scan - on each requested directory once every change notify - timeout seconds. - - Default: change notify timeout = 60 - Example: change notify timeout = 300 - - Would change the scan time to every 5 minutes. - - - - - - character set (G) - This allows a smbd to map incoming filenames - from a DOS Code page (see the client - code page parameter) to several built in UNIX character sets. - The built in code page translations are: - - - ISO8859-1 : Western European - UNIX character set. The parameter client code page - MUST be set to code page 850 if the - character set parameter is set to - ISO8859-1 in order for the conversion to the - UNIX character set to be done correctly. - - ISO8859-2 : Eastern European - UNIX character set. The parameter client code page - MUST be set to code page 852 if - the character set parameter is set - to ISO8859-2 in order for the conversion - to the UNIX character set to be done correctly. - - ISO8859-5 : Russian Cyrillic - UNIX character set. The parameter client code page - MUST be set to code page - 866 if the character set parameter is - set to ISO8859-5 in order for the conversion - to the UNIX character set to be done correctly. - - ISO8859-7 : Greek UNIX - character set. The parameter client code page - MUST be set to code page - 737 if the character set parameter is - set to ISO8859-7 in order for the conversion - to the UNIX character set to be done correctly. - - KOI8-R : Alternate mapping - for Russian Cyrillic UNIX character set. The parameter - client code page MUST - be set to code page 866 if the character set - parameter is set to KOI8-R in order for the - conversion to the UNIX character set to be done correctly. - - - - BUG. These MSDOS code page to UNIX character - set mappings should be dynamic, like the loading of MS DOS code pages, - not static. - - Normally this parameter is not set, meaning no filename - translation is done. - - Default: character set = <empty string> - Example: character set = ISO8859-1 - - - - - - client code page (G) - This parameter specifies the DOS code page - that the clients accessing Samba are using. To determine what code - page a Windows or DOS client is using, open a DOS command prompt - and type the command chcp. This will output - the code page. The default for USA MS-DOS, Windows 95, and - Windows NT releases is code page 437. The default for western - european releases of the above operating systems is code page 850. - - This parameter tells smbd(8) - which of the codepage.XXX - files to dynamically load on startup. These files, - described more fully in the manual page - make_smbcodepage(1), tell - smbd how to map lower to upper case characters to provide - the case insensitivity of filenames that Windows clients expect. - - Samba currently ships with the following code page files : - - - Code Page 437 - MS-DOS Latin US - Code Page 737 - Windows '95 Greek - Code Page 850 - MS-DOS Latin 1 - Code Page 852 - MS-DOS Latin 2 - Code Page 861 - MS-DOS Icelandic - Code Page 866 - MS-DOS Cyrillic - Code Page 932 - MS-DOS Japanese SJIS - Code Page 936 - MS-DOS Simplified Chinese - Code Page 949 - MS-DOS Korean Hangul - Code Page 950 - MS-DOS Traditional Chinese - - - Thus this parameter may have any of the values 437, 737, 850, 852, - 861, 932, 936, 949, or 950. If you don't find the codepage you need, - read the comments in one of the other codepage files and the - make_smbcodepage(1) man page and write one. Please - remember to donate it back to the Samba user community. - - This parameter co-operates with the valid - chars parameter in determining what characters are - valid in filenames and how capitalization is done. If you set both - this parameter and the valid chars parameter - the client code page parameter - MUST be set before the valid - chars parameter in the smb.conf - file. The valid chars string will then - augment the character settings in the client code page - parameter. - - If not set, client code page defaults - to 850. - - See also : valid - chars - - Default: client code page = 850 - Example: client code page = 936 - - - - - - codingsystem (G) - This parameter is used to determine how incoming - Shift-JIS Japanese characters are mapped from the incoming client code page - used by the client, into file names in the UNIX filesystem. - Only useful if client code page is set to - 932 (Japanese Shift-JIS). The options are : - - - SJIS - Shift-JIS. Does no - conversion of the incoming filename. - - JIS8, J8BB, J8BH, J8@B, - J8@J, J8@H - Convert from incoming Shift-JIS to eight - bit JIS code with different shift-in, shift out codes. - - JIS7, J7BB, J7BH, J7@B, J7@J, - J7@H - Convert from incoming Shift-JIS to seven bit - JIS code with different shift-in, shift out codes. - - JUNET, JUBB, JUBH, JU@B, JU@J, JU@H - - Convert from incoming Shift-JIS to JUNET code with different shift-in, - shift out codes. - - - EUC - Convert an incoming - Shift-JIS character to EUC code. - - HEX - Convert an incoming - Shift-JIS character to a 3 byte hex representation, i.e. - :AB. - - CAP - Convert an incoming - Shift-JIS character to the 3 byte hex representation used by - the Columbia AppleTalk Program (CAP), i.e. :AB. - This is used for compatibility between Samba and CAP. - - - - - - - - comment (S) - This is a text field that is seen next to a share - when a client does a queries the server, either via the network - neighborhood or via net view to list what shares - are available. - - If you want to set the string that is displayed next to the - machine name then see the - server string parameter. - - Default: No comment string - Example: comment = Fred's Files - - - - - - config file (G) - This allows you to override the config file - to use, instead of the default (usually smb.conf). - There is a chicken and egg problem here as this option is set - in the config file! - - For this reason, if the name of the config file has changed - when the parameters are loaded then it will reload them from - the new config file. - - This option takes the usual substitutions, which can - be very useful. - - If the config file doesn't exist then it won't be loaded - (allowing you to special case the config files of just a few - clients). - - Example: config file = /usr/local/samba/lib/smb.conf.%m - - - - - - - copy (S) - This parameter allows you to "clone" service - entries. The specified service is simply duplicated under the - current service's name. Any parameters specified in the current - section will override those in the section being copied. - - This feature lets you set up a 'template' service and - create similar services easily. Note that the service being - copied must occur earlier in the configuration file than the - service doing the copying. - - Default: none - Example: copy = otherservice - - - - - - create mask (S) - A synonym for this parameter is - create mode - . - - When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit not - set here will be removed from the modes set on a file when it is - created. - - The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes. - - Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the force create mode - parameter which is set to 000 by default. - - This parameter does not affect directory modes. See the - parameter directory mode - for details. - - See also the force - create mode parameter for forcing particular mode - bits to be set on created files. See also the - directory mode" parameter for masking - mode bits on created directories. See also the - inherit permissions parameter. - - Default: create mask = 0744 - Example: create mask = 0775 - - - - - - create mode (S) - This is a synonym for - create mask. - - - - - - deadtime (G) - The value of the parameter (a decimal integer) - represents the number of minutes of inactivity before a connection - is considered dead, and it is disconnected. The deadtime only takes - effect if the number of open files is zero. - - This is useful to stop a server's resources being - exhausted by a large number of inactive connections. - - Most clients have an auto-reconnect feature when a - connection is broken so in most cases this parameter should be - transparent to users. - - Using this parameter with a timeout of a few minutes - is recommended for most systems. - - A deadtime of zero indicates that no auto-disconnection - should be performed. - - Default: deadtime = 0 - Example: deadtime = 15 - - - - - - debug hires timestamp (G) - Sometimes the timestamps in the log messages - are needed with a resolution of higher that seconds, this - boolean parameter adds microsecond resolution to the timestamp - message header when turned on. - - Note that the parameter - debug timestamp must be on for this to have an - effect. - - Default: debug hires timestamp = no - - - - - - - debug timestamp (G) - Samba 2.2 debug log messages are timestamped - by default. If you are running at a high - debug level these timestamps - can be distracting. This boolean parameter allows timestamping - to be turned off. - - Default: debug timestamp = yes - - - - - - debug pid (G) - When using only one log file for more then one - forked smbd-process there may be hard to follow which process - outputs which message. This boolean parameter is adds the process-id - to the timestamp message headers in the logfile when turned on. - - Note that the parameter - debug timestamp must be on for this to have an - effect. - - Default: debug pid = no - - - - - - debug uid (G) - Samba is sometimes run as root and sometime - run as the connected user, this boolean parameter inserts the - current euid, egid, uid and gid to the timestamp message headers - in the log file if turned on. - - Note that the parameter - debug timestamp must be on for this to have an - effect. - - Default: debug uid = no - - - - - - debug level (G) - The value of the parameter (an integer) allows - the debug level (logging level) to be specified in the - smb.conf file. This is to give greater - flexibility in the configuration of the system. - - The default will be the debug level specified on - the command line or level zero if none was specified. - - Example: debug level = 3 - - - - - - default (G) - A synonym for - default service. - - - - - - default case (S) - See the section on - NAME MANGLING". Also note the - short preserve case" parameter. - - - - - - - default service (G) - This parameter specifies the name of a service - which will be connected to if the service actually requested cannot - be found. Note that the square brackets are NOT - given in the parameter value (see example below). - - There is no default value for this parameter. If this - parameter is not given, attempting to connect to a nonexistent - service results in an error. - - Typically the default service would be a - guest ok, - read-only service. - - Also note that the apparent service name will be changed - to equal that of the requested service, this is very useful as it - allows you to use macros like %S to make - a wildcard service. - - Note also that any "_" characters in the name of the service - used in the default service will get mapped to a "/". This allows for - interesting things. - - - Example: - - - default service = pub - - [pub] - path = /%S - - - - - - - - delete user script (G) - This is the full pathname to a script that will - be run AS ROOT by - smbd(8) under special circumstances - decribed below. - - Normally, a Samba server requires that UNIX users are - created for all users accessing files on this server. For sites - that use Windows NT account databases as their primary user database - creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows - smbd to delete the required UNIX users ON - DEMAND when a user accesses the Samba server and the - Windows NT user no longer exists. - - In order to use this option, smbd must be - set to security=domain and delete - user script must be set to a full pathname for a script - that will delete a UNIX user given one argument of %u - , which expands into the UNIX user name to delete. - NOTE that this is different to the add user script - which will work with the security=server option - as well as security=domain. The reason for this - is only when Samba is a domain member does it get the information - on an attempted user logon that a user no longer exists. In the - security=server mode a missing user - is treated the same as an invalid password logon attempt. Deleting - the user in this circumstance would not be a good idea. - - When the Windows user attempts to access the Samba server, - at login (session setup in the SMB protocol) - time, smbd contacts the - password server and attempts to authenticate - the given user with the given password. If the authentication fails - with the specific Domain error code meaning that the user no longer - exists then smbd attempts to find a UNIX user in - the UNIX password database that matches the Windows user account. If - this lookup succeeds, and delete user script is - set then smbd will all the specified script - AS ROOT, expanding any %u - argument to be the user name to delete. - - This script should delete the given UNIX username. In this way, - UNIX users are dynamically deleted to match existing Windows NT - accounts. - - See also security=domain, - password server - , add user script - . - - Default: delete user script = <empty string> - - Example: delete user script = /usr/local/samba/bin/del_user - %u - - - - - - delete readonly (S) - This parameter allows readonly files to be deleted. - This is not normal DOS semantics, but is allowed by UNIX. - - This option may be useful for running applications such - as rcs, where UNIX file ownership prevents changing file - permissions, and DOS semantics prevent deletion of a read only file. - - Default: delete readonly = no - - - - - - delete veto files (S) - This option is used when Samba is attempting to - delete a directory that contains one or more vetoed directories - (see the veto files - option). If this option is set to False (the default) then if a vetoed - directory contains any non-vetoed files or directories then the - directory delete will fail. This is usually what you want. - - If this option is set to True, then Samba - will attempt to recursively delete any files and directories within - the vetoed directory. This can be useful for integration with file - serving systems such as NetAtalk which create meta-files within - directories you might normally veto DOS/Windows users from seeing - (e.g. .AppleDouble) - - Setting delete veto files = yes allows these - directories to be transparently deleted when the parent directory - is deleted (so long as the user has permissions to do so). - - See also the veto - files parameter. - - Default: delete veto files = no - - - - - - deny hosts (S) - Synonym for hosts - deny. - - - - - - dfree command (G) - The dfree command setting should - only be used on systems where a problem occurs with the internal - disk space calculations. This has been known to happen with Ultrix, - but may occur with other operating systems. The symptom that was - seen was an error of "Abort Retry Ignore" at the end of each - directory listing. - - This setting allows the replacement of the internal routines to - calculate the total disk space and amount available with an external - routine. The example below gives a possible script that might fulfill - this function. - - The external program will be passed a single parameter indicating - a directory in the filesystem being queried. This will typically consist - of the string ./. The script should return two - integers in ascii. The first should be the total disk space in blocks, - and the second should be the number of available blocks. An optional - third return value can give the block size in bytes. The default - blocksize is 1024 bytes. - - Note: Your script should NOT be setuid or - setgid and should be owned by (and writeable only by) root! - - Default: By default internal routines for - determining the disk capacity and remaining space will be used. - - - Example: dfree command = /usr/local/samba/bin/dfree - - - Where the script dfree (which must be made executable) could be: - - - #!/bin/sh - df $1 | tail -1 | awk '{print $2" "$4}' - - - or perhaps (on Sys V based systems): - - - #!/bin/sh - /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' - - - Note that you may have to replace the command names - with full path names on some systems. - - - - - - - - directory (S) - Synonym for path - . - - - - - - directory mask (S) - This parameter is the octal modes which are - used when converting DOS modes to UNIX modes when creating UNIX - directories. - - When a directory is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX permissions, - and the resulting UNIX mode is then bit-wise 'AND'ed with this - parameter. This parameter may be thought of as a bit-wise MASK for - the UNIX modes of a directory. Any bit not set - here will be removed from the modes set on a directory when it is - created. - - The default value of this parameter removes the 'group' - and 'other' write bits from the UNIX mode, allowing only the - user who owns the directory to modify it. - - Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the force directory mode - parameter. This parameter is set to 000 by - default (i.e. no extra mode bits are added). - - See the force - directory mode parameter to cause particular mode - bits to always be set on created directories. - - See also the create mode - parameter for masking mode bits on created files, - and the directory - security mask parameter. - - Also refer to the - inherit permissions parameter. - - Default: directory mask = 0755 - Example: directory mask = 0775 - - - - - - - directory mode (S) - Synonym for - directory mask - - - - - - directory security mask (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. - - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. - - If not set explicitly this parameter is set to the same - value as the directory - mask parameter. To allow a user to - modify all the user/group/world permissions on a directory, set - this parameter to 0777. - - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to set - it to 0777. - - See also the - force directory security mode, security mask, - force security mode - parameters. - - Default: directory security mask = <same as - directory mask> - Example: directory security mask = 0777 - - - - - - - dns proxy (G) - Specifies that nmbd(8) - when acting as a WINS server and finding that a NetBIOS name has not - been registered, should treat the NetBIOS name word-for-word as a DNS - name and do a lookup with the DNS server for that name on behalf of - the name-querying client. - - Note that the maximum length for a NetBIOS name is 15 - characters, so the DNS name (or DNS alias) can likewise only be - 15 characters, maximum. - - nmbd spawns a second copy of itself to do the - DNS name lookup requests, as doing a name lookup is a blocking - action. - - See also the parameter - wins support. - - Default: dns proxy = yes - - - - - - domain admin group (G) - This is an EXPERIMENTAL parameter - that is part of the unfinished Samba NT Domain Controller Code. It may - be removed in a later release. To work with the latest code builds - that may have more support for Samba NT Domain Controller functionality - please subscribe to the mailing list samba-ntdom available by - visiting the web page at - http://lists.samba.org/. - - - - - domain admin users (G) - This is an EXPERIMENTAL parameter - that is part of the unfinished Samba NT Domain Controller Code. It may - be removed in a later release. To work with the latest code builds - that may have more support for Samba NT Domain Controller functionality - please subscribe to the mailing list samba-ntdom available by - visiting the web page at - http://lists.samba.org/. - - - - - domain groups (G) - This is an EXPERIMENTAL parameter - that is part of the unfinished Samba NT Domain Controller Code. It may - be removed in a later release. To work with the latest code builds - that may have more support for Samba NT Domain Controller functionality - please subscribe to the mailing list samba-ntdom available by - visiting the web page at - http://lists.samba.org/. - - - - - - domain guest group (G) - This is an EXPERIMENTAL parameter - that is part of the unfinished Samba NT Domain Controller Code. It may - be removed in a later release. To work with the latest code builds - that may have more support for Samba NT Domain Controller functionality - please subscribe to the mailing list samba-ntdom available by - visiting the web page at - http://lists.samba.org/. - - - - - domain guest users (G) - This is an EXPERIMENTAL parameter - that is part of the unfinished Samba NT Domain Controller Code. It may - be removed in a later release. To work with the latest code builds - that may have more support for Samba NT Domain Controller functionality - please subscribe to the mailing list samba-ntdom available by - visiting the web page at - http://lists.samba.org/. - - - - - domain logons (G) - If set to true, the Samba server will serve - Windows 95/98 Domain logons for the - workgroup it is in. Samba 2.2 also - has limited capability to act as a domain controller for Windows - NT 4 Domains. For more details on setting up this feature see - the file DOMAINS.txt in the Samba documentation directory docs/ - shipped with the source code. - - Default: domain logons = no - - - - - - domain master (G) - Tell - nmbd(8) to enable WAN-wide browse list - collation. Setting this option causes nmbd to - claim a special domain specific NetBIOS name that identifies - it as a domain master browser for its given - workgroup. Local master browsers - in the same workgroup on broadcast-isolated - subnets will give this nmbd their local browse lists, - and then ask smbd(8) - for a complete copy of the browse list for the whole wide area - network. Browser clients will then contact their local master browser, - and will receive the domain-wide browse list, instead of just the list - for their broadcast-isolated subnet. - - Note that Windows NT Primary Domain Controllers expect to be - able to claim this workgroup specific special - NetBIOS name that identifies them as domain master browsers for - that workgroup by default (i.e. there is no - way to prevent a Windows NT PDC from attempting to do this). This - means that if this parameter is set and nmbd claims - the special name for a workgroup before a Windows - NT PDC is able to do so then cross subnet browsing will behave - strangely and may fail. - - Default: domain master = no - - - - - - dont descend (S) - There are certain directories on some systems - (e.g., the /proc tree under Linux) that are either not - of interest to clients or are infinitely deep (recursive). This - parameter allows you to specify a comma-delimited list of directories - that the server should always show as empty. - - Note that Samba can be very fussy about the exact format - of the "dont descend" entries. For example you may need - ./proc instead of just /proc. - Experimentation is the best policy :-) - - Default: none (i.e., all directories are OK - to descend) - Example: dont descend = /proc,/dev - - - - - - - dos filetime resolution (S) - Under the DOS and Windows FAT filesystem, the finest - granularity on time resolution is two seconds. Setting this parameter - for a share causes Samba to round the reported time down to the - nearest two second boundary when a query call that requires one second - resolution is made to smbd(8) - . - - This option is mainly used as a compatibility option for Visual - C++ when used against Samba shares. If oplocks are enabled on a - share, Visual C++ uses two different time reading calls to check if a - file has changed since it was last read. One of these calls uses a - one-second granularity, the other uses a two second granularity. As - the two second call rounds any odd second down, then if the file has a - timestamp of an odd number of seconds then the two timestamps will not - match and Visual C++ will keep reporting the file has changed. Setting - this option causes the two timestamps to match, and Visual C++ is - happy. - - Default: dos filetime resolution = no - - - - - - - dos filetimes (S) - Under DOS and Windows, if a user can write to a - file they can change the timestamp on it. Under POSIX semantics, - only the owner of the file or root may change the timestamp. By - default, Samba runs with POSIX semantics and refuses to change the - timestamp on a file if the user smbd is acting - on behalf of is not the file owner. Setting this option to - True allows DOS semantics and smbd will change the file - timestamp as DOS requires. - - Default: dos filetimes = no - - - - - - encrypt passwords (G) - This boolean controls whether encrypted passwords - will be negotiated with the client. Note that Windows NT 4.0 SP3 and - above and also Windows 98 will by default expect encrypted passwords - unless a registry entry is changed. To use encrypted passwords in - Samba see the file ENCRYPTION.txt in the Samba documentation - directory docs/ shipped with the source code. - - In order for encrypted passwords to work correctly - smbd(8) must either - have access to a local smbpasswd(5) - file (see the - smbpasswd(8) program for information on how to set up - and maintain this file), or set the security=[serve|domain] parameter which - causes smbd to authenticate against another - server. - - Default: encrypt passwords = no - - - - - - exec (S) - This is a synonym for - preexec. - - - - - - fake directory create times (S) - NTFS and Windows VFAT file systems keep a create - time for all files and directories. This is not the same as the - ctime - status change time - that Unix keeps, so Samba by default - reports the earliest of the various times Unix does keep. Setting - this parameter for a share causes Samba to always report midnight - 1-1-1980 as the create time for directories. - - This option is mainly used as a compatibility option for - Visual C++ when used against Samba shares. Visual C++ generated - makefiles have the object directory as a dependency for each object - file, and a make rule to create the directory. Also, when NMAKE - compares timestamps it uses the creation time when examining a - directory. Thus the object directory will be created if it does not - exist, but once it does exist it will always have an earlier - timestamp than the object files it contains. - - However, Unix time semantics mean that the create time - reported by Samba will be updated whenever a file is created or - deleted in the directory. NMAKE therefore finds all object files - in the object directory bar the last one built are out of date - compared to the directory and rebuilds them. Enabling this option - ensures directories always predate their contents and an NMAKE build - will proceed as expected. - - Default: fake directory create times = no - - - - - - - fake oplocks (S) - Oplocks are the way that SMB clients get permission - from a server to locally cache file operations. If a server grants - an oplock (opportunistic lock) then the client is free to assume - that it is the only one accessing the file and it will aggressively - cache file data. With some oplock types the client may even cache - file open/close operations. This can give enormous performance benefits. - - - When you set fake oplocks = yes, smbd(8) will - always grant oplock requests no matter how many clients are using - the file. - - It is generally much better to use the real oplocks support rather - than this parameter. - - If you enable this option on all read-only shares or - shares that you know will only be accessed from one client at a - time such as physically read-only media like CDROMs, you will see - a big performance improvement on many operations. If you enable - this option on shares where multiple clients may be accessing the - files read-write at the same time you can get data corruption. Use - this option carefully! - - Default: fake oplocks = no - - - - - - follow symlinks (S) - This parameter allows the Samba administrator - to stop smbd(8) - from following symbolic links in a particular share. Setting this - parameter to no prevents any file or directory - that is a symbolic link from being followed (the user will get an - error). This option is very useful to stop users from adding a - symbolic link to /etc/passwd in their home - directory for instance. However it will slow filename lookups - down slightly. - - This option is enabled (i.e. smbd will - follow symbolic links) by default. - - Default: follow symlinks = yes - - - - - - force create mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a - file by Samba. This is done by bitwise 'OR'ing these bits onto - the mode bits of a file that is being created or having its - permissions changed. The default for this parameter is (in octal) - 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the create mask - parameter is applied. - - See also the parameter create - mask for details on masking mode bits on files. - - See also the inherit - permissions parameter. - - Default: force create mode = 000 - Example: force create mode = 0755 - - would force all created files to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - - - - - - - force directory mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a directory - created by Samba. This is done by bitwise 'OR'ing these bits onto the - mode bits of a directory that is being created. The default for this - parameter is (in octal) 0000 which will not add any extra permission - bits to a created directory. This operation is done after the mode - mask in the parameter directory mask is - applied. - - See also the parameter - directory mask for details on masking mode bits - on created directories. - - See also the - inherit permissions parameter. - - Default: force directory mode = 000 - Example: force directory mode = 0755 - - would force all created directories to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - - - - - - - force directory security mode (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box. - - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'. - - If not set explicitly this parameter is set to the same - value as the force - directory mode parameter. To allow - a user to modify all the user/group/world permissions on a - directory, with restrictions set this parameter to 000. - - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to set - it to 0000. - - See also the - directory security mask, - security mask, - force security mode - parameters. - - Default: force directory security mode = <same as - force directory mode> - Example: force directory security mode = 0 - - - - - - - - force group (S) - This specifies a UNIX group name that will be - assigned as the default primary group for all users connecting - to this service. This is useful for sharing files by ensuring - that all access to files on service will use the named group for - their permissions checking. Thus, by assigning permissions for this - group to the files and directories within this service the Samba - administrator can restrict or allow sharing of these files. - - In Samba 2.0.5 and above this parameter has extended - functionality in the following way. If the group name listed here - has a '+' character prepended to it then the current user accessing - the share only has the primary group default assigned to this group - if they are already assigned as a member of that group. This allows - an administrator to decide that only users who are already in a - particular group will create files with group ownership set to that - group. This gives a finer granularity of ownership assignment. For - example, the setting force group = +sys means - that only users who are already in group sys will have their default - primary group assigned to sys when accessing this Samba share. All - other users will retain their ordinary primary group. - - If the force user - parameter is also set the group specified in - force group will override the primary group - set in force user. - - See also force - user. - - Default: no forced group - Example: force group = agroup - - - - - - - force security mode (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box. - - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'. - - If not set explicitly this parameter is set to the same - value as the force - create mode parameter. To allow a user to - modify all the user/group/world permissions on a file, with no - restrictions set this parameter to 000. - - Note that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to set - it to 0000. - - See also the - force directory security mode, - directory security - mask, - security mask parameters. - - Default: force security mode = <same as force - create mode> - Example: force security mode = 0 - - - - - - - force user (S) - This specifies a UNIX user name that will be - assigned as the default user for all users connecting to this service. - This is useful for sharing files. You should also use it carefully - as using it incorrectly can cause security problems. - - This user name only gets used once a connection is established. - Thus clients still need to connect as a valid user and supply a - valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected - as. - - This can be very useful. - - In Samba 2.0.5 and above this parameter also causes the - primary group of the forced user to be used as the primary group - for all file activity. Prior to 2.0.5 the primary group was left - as the primary group of the connecting user (this was a bug). - - See also force group - - - Default: no forced user - Example: force user = auser - - - - - - - fstype (S) - This parameter allows the administrator to - configure the string that specifies the type of filesystem a share - is using that is reported by smbd(8) - when a client queries the filesystem type - for a share. The default type is NTFS for - compatibility with Windows NT but this can be changed to other - strings such as Samba or FAT - if required. - - Default: fstype = NTFS - Example: fstype = Samba - - - - - - getwd cache (G) - This is a tuning option. When this is enabled a - caching algorithm will be used to reduce the time taken for getwd() - calls. This can have a significant impact on performance, especially - when the wide links - parameter is set to False. - - Default: getwd cache = No - - - - - - - group (S) - Synonym for force - group. - - - - - - guest account (S) - This is a username which will be used for access - to services which are specified as - guest ok (see below). Whatever privileges this - ser has will be available to any client connecting to the guest service. - Typically this user will exist in the password file, but will not - have a valid login. The user account "ftp" is often a good choice - for this parameter. If a username is specified in a given service, - the specified username overrides this one. - - One some systems the default guest account "nobody" may not - be able to print. Use another account in this case. You should test - this by trying to log in as your guest user (perhaps by using the - su - command) and trying to print using the - system print command such as lpr(1) or - lp(1). - - Default: specified at compile time, usually - "nobody" - - Example: guest account = ftp - - - - - - guest ok (S) - If this parameter is yes for - a service, then no password is equired to connect to the service. - Privileges will be those of the - guest account. - - See the section below on - security for more information about this option. - - - Default: guest ok = no - - - - - - guest only (S) - If this parameter is yes for - a service, then only guest connections to the service are permitted. - This parameter will have no affect if - guest ok is not set for the service. - - See the section below on - security for more information about this option. - - - Default: guest only = no - - - - - - hide dot files (S) - This is a boolean parameter that controls whether - files starting with a dot appear as hidden files. - - Default: hide dot files = yes - - - - - - hide files(S) - This is a list of files or directories that are not - visible but are accessible. The DOS 'hidden' attribute is applied - to any files or directories that match. - - Each entry in the list must be separated by a '/', - which allows spaces to be included in the entry. '*' - and '?' can be used to specify multiple files or directories - as in DOS wildcards. - - Each entry must be a Unix path, not a DOS path and must - not include the Unix directory separator '/'. - - Note that the case sensitivity option is applicable - in hiding files. - - Setting this parameter will affect the performance of Samba, - as it will be forced to check all files and directories for a match - as they are scanned. - - See also hide - dot files, - veto files and - case sensitive. - - Default: no file are hidden - Example: hide files = - /.*/DesktopFolderDB/TrashFor%m/resource.frk/ - - The above example is based on files that the Macintosh - SMB client (DAVE) available from - Thursby creates for internal use, and also still hides - all files beginning with a dot. - - - - - - hide local users(G) - This parameter toggles the hiding of local UNIX - users (root, wheel, floppy, etc) from remote clients. - - Default: hide local users = no - - - - - - homedir map (G) - Ifnis homedir - is True, and smbd(8) is also acting - as a Win95/98 logon server then this parameter - specifies the NIS (or YP) map from which the server for the user's - home directory should be extracted. At present, only the Sun - auto.home map format is understood. The form of the map is: - - username server:/some/file/system - - and the program will extract the servername from before - the first ':'. There should probably be a better parsing system - that copes with different map formats and also Amd (another - automounter) maps. - - NOTE :A working NIS client is required on - the system for this option to work. - - See also nis homedir - , domain logons - . - - Default: homedir map = auto.home - Example: homedir map = amd.homedir - - - - - - - hosts allow (S) - A synonym for this parameter is allow - hosts. - - This parameter is a comma, space, or tab delimited - set of hosts which are permitted to access a service. - - If specified in the [global] section then it will - apply to all services, regardless of whether the individual - service has a different setting. - - You can specify the hosts by name or IP number. For - example, you could restrict access to only the hosts on a - Class C subnet with something like allow hosts = 150.203.5. - . The full syntax of the list is described in the man - page hosts_access(5). Note that this man - page may not be present on your system, so a brief description will - be given here also. - - Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a hosts deny option. - - You can also specify hosts by network/netmask pairs and - by netgroup names if your system supports netgroups. The - EXCEPT keyword can also be used to limit a - wildcard list. The following examples may provide some help: - - Example 1: allow all IPs in 150.203.*.*; except one - - hosts allow = 150.203. EXCEPT 150.203.6.66 - - Example 2: allow hosts that match the given network/netmask - - hosts allow = 150.203.15.0/255.255.255.0 - - Example 3: allow a couple of hosts - - hosts allow = lapland, arvidsjaur - - Example 4: allow only hosts in NIS netgroup "foonet", but - deny access from one particular host - - hosts allow = @foonet - - hosts deny = pirate - - Note that access still requires suitable user-level passwords. - - See testparm(1) - for a way of testing your host access to see if it does - what you expect. - - Default: none (i.e., all hosts permitted access) - - - Example: allow hosts = 150.203.5. myhost.mynet.edu.au - - - - - - - - hosts deny (S) - The opposite of hosts allow - - hosts listed here are NOT permitted access to - services unless the specific services have their own lists to override - this one. Where the lists conflict, the allow - list takes precedence. - - Default: none (i.e., no hosts specifically excluded) - - - Example: hosts deny = 150.203.4. badhost.mynet.edu.au - - - - - - - hosts equiv (G) - If this global parameter is a non-null string, - it specifies the name of a file to read for the names of hosts - and users who will be allowed access without specifying a password. - - - This is not be confused with - hosts allow which is about hosts - access to services and is more useful for guest services. - hosts equiv may be useful for NT clients which will - not supply passwords to samba. - - NOTE : The use of hosts equiv - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the - hosts equiv option be only used if you really - know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you really trust - them :-). - - Default: no host equivalences - Example: hosts equiv = /etc/hosts.equiv - - - - - - - include (G) - This allows you to include one config file - inside another. The file is included literally, as though typed - in place. - - It takes the standard substitutions, except %u - , %P and %S. - - - Default: no file included - Example: include = /usr/local/samba/lib/admin_smb.conf - - - - - - - inherit permissions (S) - The permissions on new files and directories - are normally governed by - create mask, - directory mask, force create mode - and force - directory mode but the boolean inherit - permissions parameter overrides this. - - New directories inherit the mode of the parent directory, - including bits such as setgid. - - New files inherit their read/write bits from the parent - directory. Their execute bits continue to be determined by - map archive - , map hidden - and map system - as usual. - - Note that the setuid bit is never set via - inheritance (the code explicitly prohibits this). - - This can be particularly useful on large systems with - many users, perhaps several thousand,to allow a single [homes] - share to be used flexibly by each user. - - See also create mask - , - directory mask, - force create mode and force directory mode - . - - Default: inherit permissions = no - - - - - - - interfaces (G) - This option allows you to override the default - network interfaces list that Samba will use for browsing, name - registration and other NBT traffic. By default Samba will query - the kernel for the list of all active interfaces and use any - interfaces except 127.0.0.1 that are broadcast capable. - - The option takes a list of interface strings. Each string - can be in any of the following forms: - - - a network interface name (such as eth0). - This may include shell-like wildcards so eth* will match - any interface starting with the substring "eth" - - an IP address. In this case the netmask is - determined from the list of interfaces obtained from the - kernel - - an IP/mask pair. - - a broadcast/mask pair. - - - The "mask" parameters can either be a bit length (such - as 24 for a C class network) or a full netmask in dotted - decmal form. - - The "IP" parameters above can either be a full dotted - decimal IP address or a hostname which will be looked up via - the OSes normal hostname resolution mechanisms. - - For example, the following line: - - interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 - - - would configure three network interfaces corresponding - to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. - The netmasks of the latter two interfaces would be set to 255.255.255.0. - - See also bind - interfaces only. - - - - - - invalid users (S) - This is a list of users that should not be allowed - to login to this service. This is really a paranoid - check to absolutely ensure an improper setting does not breach - your security. - - A name starting with a '@' is interpreted as an NIS - netgroup first (if your system supports NIS), and then as a UNIX - group if the name was not found in the NIS netgroup database. - - A name starting with '+' is interpreted only - by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database - (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value +&group means check the - UNIX group database, followed by the NIS netgroup database, and - the value &+group" means check the NIS - netgroup database, followed by the UNIX group database (the - same as the '@' prefix). - - The current servicename is substituted for %S. - This is useful in the [homes] section. - - See also valid users - . - - Default: no invalid users - Example: invalid users = root fred admin @wheel - - - - - - - - keepalive (G) - The value of the parameter (an integer) represents - the number of seconds between keepalive - packets. If this parameter is zero, no keepalive packets will be - sent. Keepalive packets, if sent, allow the server to tell whether - a client is still present and responding. - - Keepalives should, in general, not be needed if the socket - being used has the SO_KEEPALIVE attribute set on it (see socket options). - Basically you should only use this option if you strike difficulties. - - Default: keepalive = 0 - Example: keepalive = 60 - - - - - - - kernel oplocks (G) - For UNIXs that support kernel based oplocks - (currently only IRIX and the Linux 2.4 kernel), this parameter - allows the use of them to be turned on or off. - - Kernel oplocks support allows Samba oplocks - to be broken whenever a local UNIX process or NFS operation - accesses a file that smbd(8) - has oplocked. This allows complete data consistency between - SMB/CIFS, NFS and local file access (and is a very - cool feature :-). - - This parameter defaults to on on systems - that have the support, and off on systems that - don't. You should never need to touch this parameter. - - See also the oplocks - and level2 oplocks - parameters. - - Default: kernel oplocks = yes - - - - - - - level2 oplocks (S) - This parameter controls whether Samba supports - level2 (read-only) oplocks on a share. - - Level2, or read-only oplocks allow Windows NT clients - that have an oplock on a file to downgrade from a read-write oplock - to a read-only oplock once a second client opens the file (instead - of releasing all oplocks on a second open, as in traditional, - exclusive oplocks). This allows all openers of the file that - support level2 oplocks to cache the file for read-ahead only (ie. - they may not cache writes or lock requests) and increases performance - for many acesses of files that are not commonly written (such as - application .EXE files). - - Once one of the clients which have a read-only oplock - writes to the file all clients are notified (no reply is needed - or waited for) and told to break their oplocks to "none" and - delete any read-ahead caches. - - It is recommended that this parameter be turned on - to speed access to shared executables (and also to test - the code :-). - - For more discussions on level2 oplocks see the CIFS spec. - - Currently, if kernel - oplocks are supported then level2 oplocks are - not granted (even if this parameter is set to yes). - Note also, the oplocks - parameter must be set to "true" on this share in order for - this parameter to have any effect. - - See also the oplocks - and kernel oplocks - parameters. - - Default: level2 oplocks = False - - - - - - - lm announce (G) - This parameter determines if - nmbd(8) will produce Lanman announce - broadcasts that are needed by OS/2 clients in order for them to see - the Samba server in their browse list. This parameter can have three - values, true, false, or - auto. The default is auto. - If set to false Samba will never produce these - broadcasts. If set to true Samba will produce - Lanman announce broadcasts at a frequency set by the parameter - lm interval. If set to auto - Samba will not send Lanman announce broadcasts by default but will - listen for them. If it hears such a broadcast on the wire it will - then start sending them at a frequency set by the parameter - lm interval. - - See also lm interval - . - - Default: lm announce = auto - Example: lm announce = true - - - - - - - lm interval (G) - If Samba is set to produce Lanman announce - broadcasts needed by OS/2 clients (see the - lm announce parameter) then this - parameter defines the frequency in seconds with which they will be - made. If this is set to zero then no Lanman announcements will be - made despite the setting of the lm announce - parameter. - - See also lm - announce. - - Default: lm interval = 60 - Example: lm interval = 120 - - - - - - - load printers (G) - A boolean variable that controls whether all - printers in the printcap will be loaded for browsing by default. - See the printers section for - more details. - - Default: load printers = yes - - - - - - - local master (G) - This option allows - nmbd(8) to try and become a local master browser - on a subnet. If set to False then - nmbd will not attempt to become a local master browser - on a subnet and will also lose in all browsing elections. By - default this value is set to true. Setting this value to true doesn't - mean that Samba will become the local master - browser on a subnet, just that nmbd will - participate in elections for local master browser. - - Setting this value to False will cause nmbd - never to become a local master browser. - - Default: local master = yes - - - - - - - lock dir (G) - Synonym for - lock directory. - - - - - - lock directory (G) - This option specifies the directory where lock - files will be placed. The lock files are used to implement the - max connections - option. - - Default: lock directory = /tmp/samba - Example: lock directory = /usr/local/samba/var/locks - - - - - - - locking (S) - This controls whether or not locking will be - performed by the server in response to lock requests from the - client. - - If locking = no, all lock and unlock requests - will appear to succeed and all lock queries will indicate that the - queried lock is clear. - - If locking = yes, real locking will be performed - by the server. - - This option may be useful for read-only - filesystems which may not need locking (such as - cdrom drives), although setting this parameter of no - is not really recommended even in this case. - - Be careful about disabling locking either globally or in a - specific service, as lack of locking may result in data corruption. - You should never need to set this parameter. - - Default: locking = yes - - - - - - - log file (G) - This options allows you to override the name - of the Samba log file (also known as the debug file). - - This option takes the standard substitutions, allowing - you to have separate log files for each user or machine. - - Example: log file = /usr/local/samba/var/log.%m - - - - - - - log level (G) - Synonym for - debug level. - - - - - - - logon drive (G) - This parameter specifies the local path to - which the home directory will be connected (see logon home) - and is only used by NT Workstations. - - Note that this option is only useful if Samba is set up as a - logon server. - - Default: logon drive = z: - Example: logon drive = h: - - - - - - - logon home (G) - This parameter specifies the home directory - location when a Win95/98 or NT Workstation logs into a Samba PDC. - It allows you to do - - C:\> NET USE H: /HOME - - - from a command prompt, for example. - - This option takes the standard substitutions, allowing - you to have separate logon scripts for each user or machine. - - This parameter can be used with Win9X workstations to ensure - that roaming profiles are stored in a subdirectory of the user's - home directory. This is done in the following way: - - logon home = \\%L\%U\profile - - This tells Samba to return the above string, with - substitutions made when a client requests the info, generally - in a NetUserGetInfo request. Win9X clients truncate the info to - \\server\share when a user does net use /home" - but use the whole string when dealing with profiles. - - Note that in prior versions of Samba, the - logon path was returned rather than - logon home. This broke net use - /home but allowed profiles outside the home directory. - The current implementation is correct, and can be used for - profiles if you use the above trick. - - This option is only useful if Samba is set up as a logon - server. - - Default: logon home = "\\%N\%U" - Example: logon home = "\\remote_smb_server\%U" - - - - - - logon path (G) - This parameter specifies the home directory - where roaming profiles (NTuser.dat etc files for Windows NT) are - stored. Contrary to previous versions of these manual pages, it has - nothing to do with Win 9X roaming profiles. To find out how to - handle roaming profiles for Win 9X system, see the - logon home parameter. - - This option takes the standard substitutions, allowing you - to have separate logon scripts for each user or machine. It also - specifies the directory from which the "Application Data", - (desktop, start menu, - network neighborhood, programs - and other folders, and their contents, are loaded and displayed on - your Windows NT client. - - The share and the path must be readable by the user for - the preferences and directories to be loaded onto the Windows NT - client. The share must be writeable when the logs in for the first - time, in order that the Windows NT client can create the NTuser.dat - and other directories. - - Thereafter, the directories and any of the contents can, - if required, be made read-only. It is not advisable that the - NTuser.dat file be made read-only - rename it to NTuser.man to - achieve the desired effect (a MANdatory - profile). - - Windows clients can sometimes maintain a connection to - the [homes] share, even though there is no user logged in. - Therefore, it is vital that the logon path does not include a - reference to the homes share (i.e. setting this parameter to - \%N\%U\profile_path will cause problems). - - This option takes the standard substitutions, allowing - you to have separate logon scripts for each user or machine. - - Note that this option is only useful if Samba is set up - as a logon server. - - Default: logon path = \\%N\%U\profile - Example: logon path = \\PROFILESERVER\PROFILE\%U - - - - - - - logon script (G) - This parameter specifies the batch file (.bat) or - NT command file (.cmd) to be downloaded and run on a machine when - a user successfully logs in. The file must contain the DOS - style cr/lf line endings. Using a DOS-style editor to create the - file is recommended. - - The script must be a relative path to the [netlogon] - service. If the [netlogon] service specifies a - path of /usr/local/samba/netlogon - , and logon script = STARTUP.BAT, then - the file that will be downloaded is: - - /usr/local/samba/netlogon/STARTUP.BAT - - The contents of the batch file is entirely your choice. A - suggested command would be to add NET TIME \\SERVER /SET - /YES, to force every machine to synchronize clocks with - the same time server. Another use would be to add NET USE - U: \\SERVER\UTILS for commonly used utilities, or - NET USE Q: \\SERVER\ISO9001_QA for example. - - Note that it is particularly important not to allow write - access to the [netlogon] share, or to grant users write permission - on the batch files in a secure environment, as this would allow - the batch files to be arbitrarily modified and security to be - breached. - - This option takes the standard substitutions, allowing you - to have separate logon scripts for each user or machine. - - This option is only useful if Samba is set up as a logon - server. - - Default: no logon script defined - Example: logon script = scripts\%U.bat - - - - - - - lppause command (S) - This parameter specifies the command to be - executed on the server host in order to stop printing or spooling - a specific print job. - - This command should be a program or script which takes - a printer name and job number to pause the print job. One way - of implementing this is by using job priorities, where jobs - having a too low priority won't be sent to the printer. - - If a %p is given then the printername - is put in its place. A %j is replaced with - the job number (an integer). On HPUX (see printing=hpux - ), if the -p%p option is added - to the lpq command, the job will show up with the correct status, i.e. - if the job priority is lower than the set fence priority it will - have the PAUSED status, whereas if the priority is equal or higher it - will have the SPOOLED or PRINTING status. - - Note that it is good practice to include the absolute path - in the lppause command as the PATH may not be available to the server. - - See also the printing - parameter. - - Default: Currently no default value is given to - this string, unless the value of the printing - parameter is SYSV, in which case the default is : - - lp -i %p-%j -H hold - - or if the value of the printing parameter - is SOFTQ, then the default is: - - qstat -s -j%j -h - - Example for HPUX: lppause command = /usr/bin/lpalt - %p-%j -p0 - - - - - - - lpq cache time (G) - This controls how long lpq info will be cached - for to prevent the lpq command being called too - often. A separate cache is kept for each variation of the - lpq command used by the system, so if you use different - lpq commands for different users then they won't - share cache information. - - The cache files are stored in /tmp/lpq.xxxx - where xxxx is a hash of the lpq command in use. - - The default is 10 seconds, meaning that the cached results - of a previous identical lpq command will be used - if the cached data is less than 10 seconds old. A large value may - be advisable if your lpq command is very slow. - - A value of 0 will disable caching completely. - - See also the printing - parameter. - - Default: lpq cache time = 10 - Example: lpq cache time = 30 - - - - - - - lpq command (S) - This parameter specifies the command to be - executed on the server host in order to obtain lpq - -style printer status information. - - This command should be a program or script which - takes a printer name as its only parameter and outputs printer - status information. - - Currently eight styles of printer status information - are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. - This covers most UNIX systems. You control which type is expected - using the printing = option. - - Some clients (notably Windows for Workgroups) may not - correctly send the connection number for the printer they are - requesting status information about. To get around this, the - server reports on the first printer service connected to by the - client. This only happens if the connection number sent is invalid. - - If a %p is given then the printername - is put in its place. Otherwise it is placed at the end of the - command. - - Note that it is good practice to include the absolute path - in the lpq command as the PATH may not be - available to the server. - - See also the printing - parameter. - - Default: depends on the setting of - printing - - Example: lpq command = /usr/bin/lpq %p - - - - - - - lpresume command (S) - This parameter specifies the command to be - executed on the server host in order to restart or continue - printing or spooling a specific print job. - - This command should be a program or script which takes - a printer name and job number to resume the print job. See - also the lppause command - parameter. - - If a %p is given then the printername - is put in its place. A %j is replaced with - the job number (an integer). - - Note that it is good practice to include the absolute path - in the lpresume command as the PATH may not - be available to the server. - - See also the printing - parameter. - - Default: Currently no default value is given - to this string, unless the value of the printing - parameter is SYSV, in which case the default is : - - lp -i %p-%j -H resume - - or if the value of the printing parameter - is SOFTQ, then the default is: - - qstat -s -j%j -r - - Example for HPUX: lpresume command = /usr/bin/lpalt - %p-%j -p2 - - - - - - - lprm command (S) - This parameter specifies the command to be - executed on the server host in order to delete a print job. - - This command should be a program or script which takes - a printer name and job number, and deletes the print job. - - If a %p is given then the printername - is put in its place. A %j is replaced with - the job number (an integer). - - Note that it is good practice to include the absolute - path in the lprm command as the PATH may not be - available to the server. - - See also the printing - parameter. - - Default: depends on the setting of printing - - - Example 1: lprm command = /usr/bin/lprm -P%p %j - - Example 2: lprm command = /usr/bin/cancel %p-%j - - - - - - - machine password timeout (G) - If a Samba server is a member of an Windows - NT Domain (see the security=domain) - parameter) then periodically a running - smbd(8) process will try and change the MACHINE ACCOUNT - PASSWORD stored in the TDB called private/secrets.tdb - . This parameter specifies how often this password - will be changed, in seconds. The default is one week (expressed in - seconds), the same as a Windows NT Domain member server. - - See also smbpasswd(8) - , and the - security=domain) parameter. - - Default: machine password timeout = 604800 - - - - - - magic output (S) - This parameter specifies the name of a file - which will contain output created by a magic script (see the - magic script - parameter below). - - Warning: If two clients use the same magic script - in the same directory the output file content - is undefined. - - Default: magic output = <magic script name>.out - - - Example: magic output = myfile.txt - - - - - - - magic script (S) - This parameter specifies the name of a file which, - if opened, will be executed by the server when the file is closed. - This allows a UNIX script to be sent to the Samba host and - executed on behalf of the connected user. - - Scripts executed in this way will be deleted upon - completion, permissions permitting. - - If the script generates output, output will be sent to - the file specified by the - magic output parameter (see above). - - Note that some shells are unable to interpret scripts - containing carriage-return-linefeed instead of linefeed as - the end-of-line marker. Magic scripts must be executable - as is on the host, which for some hosts and - some shells will require filtering at the DOS end. - - Magic scripts are EXPERIMENTAL and - should NOT be relied upon. - - Default: None. Magic scripts disabled. - Example: magic script = user.csh - - - - - - - mangle case (S) - See the section on - NAME MANGLING - - - - - - mangled map (S) - This is for those who want to directly map UNIX - file names which can not be represented on Windows/DOS. The mangling - of names is not always what is needed. In particular you may have - documents with file extensions that differ between DOS and UNIX. - For example, under UNIX it is common to use .html - for HTML files, whereas under Windows/DOS .htm - is more commonly used. - - So to map html to htm - you would use: - - mangled map = (*.html *.htm) - - One very useful case is to remove the annoying ;1 - off the ends of filenames on some CDROMS (only visible - under some UNIXs). To do this use a map of (*;1 *;). - - Default: no mangled map - Example: mangled map = (*;1 *;) - - - - - - mangled names (S) - This controls whether non-DOS names under UNIX - should be mapped to DOS-compatible names ("mangled") and made visible, - or whether non-DOS names should simply be ignored. - - See the section on - NAME MANGLING for details on how to control the mangling process. - - If mangling is used then the mangling algorithm is as follows: - - - The first (up to) five alphanumeric characters - before the rightmost dot of the filename are preserved, forced - to upper case, and appear as the first (up to) five characters - of the mangled name. - - A tilde "~" is appended to the first part of the mangled - name, followed by a two-character unique sequence, based on the - original root name (i.e., the original filename minus its final - extension). The final extension is included in the hash calculation - only if it contains any upper case characters or is longer than three - characters. - - Note that the character to use may be specified using - the mangling char - option, if you don't like '~'. - - The first three alphanumeric characters of the final - extension are preserved, forced to upper case and appear as the - extension of the mangled name. The final extension is defined as that - part of the original filename after the rightmost dot. If there are no - dots in the filename, the mangled name will have no extension (except - in the case of "hidden files" - see below). - - Files whose UNIX name begins with a dot will be - presented as DOS hidden files. The mangled name will be created as - for other filenames, but with the leading dot removed and "___" as - its extension regardless of actual original extension (that's three - underscores). - - - The two-digit hash value consists of upper case - alphanumeric characters. - - This algorithm can cause name collisions only if files - in a directory share the same first five alphanumeric characters. - The probability of such a clash is 1/1300. - - The name mangling (if enabled) allows a file to be - copied between UNIX directories from Windows/DOS while retaining - the long UNIX filename. UNIX files can be renamed to a new extension - from Windows/DOS and will retain the same basename. Mangled names - do not change between sessions. - - Default: mangled names = yes - - - - - - - mangling char (S) - This controls what character is used as - the magic character in name mangling. The default is a '~' - but this may interfere with some software. Use this option to set - it to whatever you prefer. - - Default: mangling char = ~ - Example: mangling char = ^ - - - - - - - mangled stack (G) - This parameter controls the number of mangled names - that should be cached in the Samba server - smbd(8). - - This stack is a list of recently mangled base names - (extensions are only maintained if they are longer than 3 characters - or contains upper case characters). - - The larger this value, the more likely it is that mangled - names can be successfully converted to correct long UNIX names. - However, large stack sizes will slow most directory access. Smaller - stacks save memory in the server (each stack element costs 256 bytes). - - - It is not possible to absolutely guarantee correct long - file names, so be prepared for some surprises! - - Default: mangled stack = 50 - Example: mangled stack = 100 - - - - - - - map archive (S) - This controls whether the DOS archive attribute - should be mapped to the UNIX owner execute bit. The DOS archive bit - is set when a file has been modified since its last backup. One - motivation for this option it to keep Samba/your PC from making - any file it touches from becoming executable under UNIX. This can - be quite annoying for shared source code, documents, etc... - - Note that this requires the create mask - parameter to be set such that owner execute bit is not masked out - (i.e. it must include 100). See the parameter - create mask for details. - - Default: map archive = yes - - - - - - - map hidden (S) - This controls whether DOS style hidden files - should be mapped to the UNIX world execute bit. - - Note that this requires the create mask - to be set such that the world execute bit is not masked out (i.e. - it must include 001). See the parameter - create mask for details. - - Default: map hidden = no - - - - - - map system (S) - This controls whether DOS style system files - should be mapped to the UNIX group execute bit. - - Note that this requires the create mask - to be set such that the group execute bit is not masked out (i.e. - it must include 010). See the parameter - create mask for details. - - Default: map system = no - - - - - - map to guest (G) - This parameter is only useful in - security modes other than security=share - - i.e. user, server, - and domain. - - This parameter can take three different values, which tell - smbd(8) what to do with user - login requests that don't match a valid UNIX user in some way. - - The three settings are : - - - Never - Means user login - requests with an invalid password are rejected. This is the - default. - - Bad User - Means user - logins with an invalid password are rejected, unless the username - does not exist, in which case it is treated as a guest login and - mapped into the - guest account. - - Bad Password - Means user logins - with an invalid password are treated as a guest login and mapped - into the guest account. Note that - this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as a "guest" - and - will not know the reason they cannot access files they think - they should - there will have been no message given to them - that they got their password wrong. Helpdesk services will - hate you if you set the map to - guest parameter this way :-). - - - Note that this parameter is needed to set up "Guest" - share services when using security modes other than - share. This is because in these modes the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client so the server - cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares. - - For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the - GUEST_SESSSETUP value in local.h. - - Default: map to guest = Never - Example: map to guest = Bad User - - - - - - - max connections (S) - This option allows the number of simultaneous - connections to a service to be limited. If max connections - is greater than 0 then connections will be refused if - this number of connections to the service are already open. A value - of zero mean an unlimited number of connections may be made. - - Record lock files are used to implement this feature. The - lock files will be stored in the directory specified by the lock directory - option. - - Default: max connections = 0 - Example: max connections = 10 - - - - - - - max disk size (G) - This option allows you to put an upper limit - on the apparent size of disks. If you set this option to 100 - then all shares will appear to be not larger than 100 MB in - size. - - Note that this option does not limit the amount of - data you can put on the disk. In the above case you could still - store much more than 100 MB on the disk, but if a client ever asks - for the amount of free disk space or the total disk size then the - result will be bounded by the amount specified in max - disk size. - - This option is primarily useful to work around bugs - in some pieces of software that can't handle very large disks, - particularly disks over 1GB in size. - - A max disk size of 0 means no limit. - - Default: max disk size = 0 - Example: max disk size = 1000 - - - - - - - max log size (G) - This option (an integer in kilobytes) specifies - the max size the log file should grow to. Samba periodically checks - the size and if it is exceeded it will rename the file, adding - a .old extension. - - A size of 0 means no limit. - - Default: max log size = 5000 - Example: max log size = 1000 - - - - - - - max mux (G) - This option controls the maximum number of - outstanding simultaneous SMB operations that samba tells the client - it will allow. You should never need to set this parameter. - - Default: max mux = 50 - - - - - - - max open files (G) - This parameter limits the maximum number of - open files that one smbd(8) file - serving process may have open for a client at any one time. The - default for this parameter is set very high (10,000) as Samba uses - only one bit per unopened file. - - The limit of the number of open files is usually set - by the UNIX per-process file descriptor limit rather than - this parameter so you should never need to touch this parameter. - - Default: max open files = 10000 - - - - - - - max ttl (G) - This option tells nmbd(8) - what the default 'time to live' of NetBIOS names should be (in seconds) - when nmbd is requesting a name using either a - broadcast packet or from a WINS server. You should never need to - change this parameter. The default is 3 days. - - Default: max ttl = 259200 - - - - - - - max wins ttl (G) - This option tells nmbd(8) - when acting as a WINS server ( - wins support=yes) what the maximum - 'time to live' of NetBIOS names that nmbd - will grant will be (in seconds). You should never need to change this - parameter. The default is 6 days (518400 seconds). - - See also the min - wins ttl" parameter. - - Default: max wins ttl = 518400 - - - - - - - max xmit (G) - This option controls the maximum packet size - that will be negotiated by Samba. The default is 65535, which - is the maximum. In some cases you may find you get better performance - with a smaller value. A value below 2048 is likely to cause problems. - - - Default: max xmit = 65535 - Example: max xmit = 8192 - - - - - - - message command (G) - This specifies what command to run when the - server receives a WinPopup style message. - - This would normally be a command that would - deliver the message somehow. How this is to be done is - up to your imagination. - - An example is: - - message command = csh -c 'xedit %s;rm %s' & - - - This delivers the message using xedit, then - removes it afterwards. NOTE THAT IT IS VERY IMPORTANT - THAT THIS COMMAND RETURN IMMEDIATELY. That's why I - have the '&' on the end. If it doesn't return immediately then - your PCs may freeze when sending messages (they should recover - after 30secs, hopefully). - - All messages are delivered as the global guest user. - The command takes the standard substitutions, although - %u won't work (%U may be better - in this case). - - Apart from the standard substitutions, some additional - ones apply. In particular: - - - %s = the filename containing - the message. - - %t = the destination that - the message was sent to (probably the server name). - - %f = who the message - is from. - - - You could make this command send mail, or whatever else - takes your fancy. Please let us know of any really interesting - ideas you have. - - - Here's a way of sending the messages as mail to root: - - message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s - - If you don't have a message command then the message - won't be delivered and Samba will tell the sender there was - an error. Unfortunately WfWg totally ignores the error code - and carries on regardless, saying that the message was delivered. - - - If you want to silently delete it then try: - - message command = rm %s - - Default: no message command - Example: message command = csh -c 'xedit %s; - rm %s' & - - - - - - - min print space (S) - This sets the minimum amount of free disk - space that must be available before a user will be able to spool - a print job. It is specified in kilobytes. The default is 0, which - means a user can always spool a print job. - - See also the printing - parameter. - - Default: min print space = 0 - Example: min print space = 2000 - - - - - - - min passwd length (G) - Synonym for - min password length. - - - - - - - min password length (G) - This option sets the minimum length in characters - of a plaintext password than smbd will accept when performing - UNIX password changing. - - See also unix - password sync, - passwd program and passwd chat debug - . - - Default: min password length = 5 - - - - - - min wins ttl (G) - This option tells nmbd(8) - when acting as a WINS server ( - wins support = yes) what the minimum 'time to live' - of NetBIOS names that nmbd will grant will be (in - seconds). You should never need to change this parameter. The default - is 6 hours (21600 seconds). - - Default: min wins ttl = 21600 - - - - - - - name resolve order (G) - This option is used by the programs in the Samba - suite to determine what naming services and in what order to resolve - host names to IP addresses. The option takes a space separated - string of different name resolution options. - - The options are :"lmhosts", "host", "wins" and "bcast". They - cause names to be resolved as follows : - - - lmhosts : Lookup an IP - address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the lmhosts(5) for details) then - any name type matches for lookup. - - host : Do a standard host - name to IP address resolution, using the system /etc/hosts - , NIS, or DNS lookups. This method of name resolution - is operating system depended for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - file). Note that this method is only used if the NetBIOS name - type being queried is the 0x20 (server) name type, otherwise - it is ignored. - - wins : Query a name with - the IP address listed in the - wins server parameter. If no WINS server has - been specified this method will be ignored. - - bcast : Do a broadcast on - each of the known local interfaces listed in the interfaces - parameter. This is the least reliable of the name resolution - methods as it depends on the target host being on a locally - connected subnet. - - - Default: name resolve order = lmhosts host wins bcast - - Example: name resolve order = lmhosts bcast host - - - This will cause the local lmhosts file to be examined - first, followed by a broadcast attempt, followed by a normal - system hostname lookup. - - - - - - - - netbios aliases (G) - This is a list of NetBIOS names that nmbd(8) will advertise as additional - names by which the Samba server is known. This allows one machine - to appear in browse lists under multiple names. If a machine is - acting as a browse server or logon server none - of these names will be advertised as either browse server or logon - servers, only the primary name of the machine will be advertised - with these capabilities. - - See also netbios - name. - - Default: empty string (no additional names) - Example: netbios aliases = TEST TEST1 TEST2 - - - - - - - netbios name (G) - This sets the NetBIOS name by which a Samba - server is known. By default it is the same as the first component - of the host's DNS name. If a machine is a browse server or - logon server this name (or the first component - of the hosts DNS name) will be the name that these services are - advertised under. - - See also netbios - aliases. - - Default: machine DNS name - Example: netbios name = MYNAME - - - - - - - netbios scope (G) - This sets the NetBIOS scope that Samba will - operate under. This should not be set unless every machine - on your LAN also sets this value. - - - - - - nis homedir (G) - Get the home share server from a NIS map. For - UNIX systems that use an automounter, the user's home directory - will often be mounted on a workstation on demand from a remote - server. - - When the Samba logon server is not the actual home directory - server, but is mounting the home directories via NFS then two - network hops would be required to access the users home directory - if the logon server told the client to use itself as the SMB server - for home directories (one over SMB and one over NFS). This can - be very slow. - - This option allows Samba to return the home share as - being on a different server to the logon server and as - long as a Samba daemon is running on the home directory server, - it will be mounted on the Samba client directly from the directory - server. When Samba is returning the home share to the client, it - will consult the NIS map specified in - homedir map and return the server - listed there. - - Note that for this option to work there must be a working - NIS system and the Samba server with this option must also - be a logon server. - - Default: nis homedir = no - - - - - - - nt acl support (G) - This boolean parameter controls whether - smbd(8) will attempt to map - UNIX permissions into Windows NT access control lists. - - Default: nt acl support = yes - - - - - - - nt pipe support (G) - This boolean parameter controls whether - smbd(8) will allow Windows NT - clients to connect to the NT SMB specific IPC$ - pipes. This is a developer debugging option and can be left - alone. - - Default: nt pipe support = yes - - - - - - - nt smb support (G) - This boolean parameter controls whether smbd(8) will negotiate NT specific SMB - support with Windows NT clients. Although this is a developer - debugging option and should be left alone, benchmarking has discovered - that Windows NT clients give faster performance with this option - set to no. This is still being investigated. - If this option is set to no then Samba offers - exactly the same SMB calls that versions prior to Samba 2.0 offered. - This information may be of use if any users are having problems - with NT SMB support. - - Default: nt support = yes - - - - - - - null passwords (G) - Allow or disallow client access to accounts - that have null passwords. - - See also smbpasswd (5). - - Default: null passwords = no - - - - - - ole locking compatibility (G) - This parameter allows an administrator to turn - off the byte range lock manipulation that is done within Samba to - give compatibility for OLE applications. Windows OLE applications - use byte range locking as a form of inter-process communication, by - locking ranges of bytes around the 2^32 region of a file range. This - can cause certain UNIX lock managers to crash or otherwise cause - problems. Setting this parameter to no means you - trust your UNIX lock manager to handle such cases correctly. - - Default: ole locking compatibility = yes - - - - - - - only guest (S) - A synonym for - guest only. - - - - - - - only user (S) - This is a boolean option that controls whether - connections with usernames not in the user - list will be allowed. By default this option is disabled so a client - can supply a username to be used by the server. - - Note that this also means Samba won't try to deduce - usernames from the service name. This can be annoying for - the [homes] section. To get around this you could use user = - %S which means your user list - will be just the service name, which for home directories is the - name of the user. - - See also the user - parameter. - - Default: only user = no - - - - - - - oplocks (S) - This boolean option tells smbd whether to - issue oplocks (opportunistic locks) to file open requests on this - share. The oplock code can dramatically (approx. 30% or more) improve - the speed of access to files on Samba servers. It allows the clients - to aggressively cache files ocally and you may want to disable this - option for unreliable network environments (it is turned on by - default in Windows NT Servers). For more information see the file - Speed.txt in the Samba docs/ - directory. - - Oplocks may be selectively turned off on certain files on - a per share basis. See the - veto oplock files parameter. On some systems - oplocks are recognized by the underlying operating system. This - allows data synchronization between all access to oplocked files, - whether it be via Samba or NFS or a local UNIX process. See the - kernel oplocks parameter for details. - - See also the kernel - oplocks and - level2 oplocks parameters. - - Default: oplocks = yes - - - - - - - oplock break wait time (G) - This is a tuning parameter added due to bugs in - both Windows 9x and WinNT. If Samba responds to a client too - quickly when that client issues an SMB that can cause an oplock - break request, then the client redirector can fail and not respond - to the break request. This tuning parameter (which is set in milliseconds) - is the amount of time Samba will wait before sending an oplock break - request to such (broken) clients. - - DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ - AND UNDERSTOOD THE SAMBA OPLOCK CODE. - - Default: oplock break wait time = 10 - - - - - - oplock contention limit (S) - This is a very advanced - smbd(8) tuning option to - improve the efficiency of the granting of oplocks under multiple - client contention for the same file. - - In brief it specifies a number, which causes smbd not to - grant an oplock even when requested if the approximate number of - clients contending for an oplock on the same file goes over this - limit. This causes smbd to behave in a similar - way to Windows NT. - - DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ - AND UNDERSTOOD THE SAMBA OPLOCK CODE. - - Default: oplock contention limit = 2 - - - - - - os level (G) - This integer value controls what level Samba - advertises itself as for browse elections. The value of this - parameter determines whether nmbd(8) - has a chance of becoming a local master browser for the - WORKGROUP in the local broadcast area. The default is - zero, which means nmbd will lose elections to - Windows machines. See BROWSING.txt in the - Samba docs/ directory for details. - - Default: os level = 20 - Example: os level = 65 - - - - - - - panic action (G) - This is a Samba developer option that allows a - system command to be called when either - smbd(8) or nmbd(8) - crashes. This is usually used to draw attention to the fact that - a problem occurred. - - Default: panic action = <empty string> - Example: panic action = "/bin/sleep 90000" - - - - - - passwd chat (G) - This string controls the "chat" - conversation that takes places between smbd and the local password changing - program to change the users password. The string describes a - sequence of response-receive pairs that - smbd(8) uses to determine what to send to the - passwd program - and what to expect back. If the expected output is not - received then the password is not changed. - - This chat sequence is often quite site specific, depending - on what local methods are used for password control (such as NIS - etc). - - The string can contain the macros %o - and %n which are substituted for the old - and new passwords respectively. It can also contain the standard - macros \n, \r, - \t and %s to give line-feed, - carriage-return, tab and space. - - The string can also contain a '*' which matches - any sequence of characters. - - Double quotes can be used to collect strings with spaces - in them into a single string. - - If the send string in any part of the chat sequence - is a fullstop ".", then no string is sent. Similarly, - is the expect string is a fullstop then no string is expected. - - Note that if the unix - password sync parameter is set to true, then this - sequence is called AS ROOT when the SMB password - in the smbpasswd file is being changed, without access to the old - password cleartext. In this case the old password cleartext is set - to "" (the empty string). - - See also unix password - sync, - passwd program and - passwd chat debug. - - Default: passwd chat = *old*password* %o\n *new* - password* %n\n *new*password* %n\n *changed* - Example: passwd chat = "*Enter OLD password*" %o\n - "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password - changed*" - - - - - - - passwd chat debug (G) - This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the - strings passed to and received from the passwd chat are printed - in the smbd(8) log with a - debug level - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the smbd log. It is available to help - Samba admins debug their passwd chat scripts - when calling the passwd program and should - be turned off after this has been done. This parameter is off by - default. - - See also <passwd chat - , passwd program - . - - Default: passwd chat debug = no - Example: passwd chat debug = yes - - - - - - - passwd program (G) - The name of a program that can be used to set - UNIX user passwords. Any occurrences of %u - will be replaced with the user name. The user name is checked for - existence before calling the password changing program. - - Also note that many passwd programs insist in reasonable - passwords, such as a minimum length, or the inclusion - of mixed case chars and digits. This can pose a problem as some clients - (such as Windows for Workgroups) uppercase the password before sending - it. - - Note that if the unix - password sync parameter is set to True - then this program is called AS ROOT - before the SMB password in the smbpasswd(5) - file is changed. If this UNIX password change fails, then - smbd will fail to change the SMB password also - (this is by design). - - If the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHS - for ALL programs called, and must be examined - for security implications. Note that by default unix - password sync is set to False. - - See also unix - password sync. - - Default: passwd program = /bin/passwd - Example: passwd program = /sbin/npasswd %u - - - - - - - - password level (G) - Some client/server combinations have difficulty - with mixed-case passwords. One offending client is Windows for - Workgroups, which for some reason forces passwords to upper - case when using the LANMAN1 protocol, but leaves them alone when - using COREPLUS! - - This parameter defines the maximum number of characters - that may be upper case in passwords. - - For example, say the password given was "FRED". If - password level is set to 1, the following combinations - would be tried if "FRED" failed: - - "Fred", "fred", "fRed", "frEd","freD" - - If password level was set to 2, - the following combinations would also be tried: - - "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. - - And so on. - - The higher value this parameter is set to the more likely - it is that a mixed case password will be matched against a single - case password. However, you should be aware that use of this - parameter reduces security and increases the time taken to - process a new connection. - - A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case. - - Default: password level = 0 - Example: password level = 4 - - - - - - - password server (G) - By specifying the name of another SMB server (such - as a WinNT box) with this option, and using security = domain - or security = server you can get Samba - to do all its username/password validation via a remote server. - - This options sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the smb.conf file. - - The name of the password server is looked up using the - parameter name - resolve order and so may resolved - by any method and order described in that parameter. - - The password server much be a machine capable of using - the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in - user level security mode. - - NOTE: Using a password server - means your UNIX box (running Samba) is only as secure as your - password server. DO NOT CHOOSE A PASSWORD SERVER THAT - YOU DON'T COMPLETELY TRUST. - - Never point a Samba server at itself for password - serving. This will cause a loop and could lock up your Samba - server! - - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the passwordserver. If you use this then you better - trust your clients, and you better restrict them with hosts allow! - - If the security parameter is set to - domain, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is cryptographicly - in that domain, and will use cryptographicly authenticated RPC calls - to authenticate the user logging on. The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down. - - If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source. - - If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from: - - - You may list several password servers in - the password server parameter, however if an - smbd makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this smbd. This is a - restriction of the SMB/CIFS protocol when in security=server - mode and cannot be fixed in Samba. - - If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in - security=server mode the network logon will appear to - come from there rather than from the users workstation. - - - See also the security - parameter. - - Default: password server = <empty string> - - Example: password server = NT-PDC, NT-BDC1, NT-BDC2 - - Example: password server = * - - - - - - - path (S) - This parameter specifies a directory to which - the user of the service is to be given access. In the case of - printable services, this is where print data will spool prior to - being submitted to the host for printing. - - For a printable service offering guest access, the service - should be readonly and the path should be world-writeable and - have the sticky bit set. This is not mandatory of course, but - you probably won't get the results you expect if you do - otherwise. - - Any occurrences of %u in the path - will be replaced with the UNIX username that the client is using - on this connection. Any occurrences of %m - will be replaced by the NetBIOS name of the machine they are - connecting from. These replacements are very useful for setting - up pseudo home directories for users. - - Note that this path will be based on - root dir if one was specified. - - Default: none - Example: path = /home/fred - - - - - - - postexec (S) - This option specifies a command to be run - whenever the service is disconnected. It takes the usual - substitutions. The command may be run as the root on some - systems. - - An interesting example may be do unmount server - resources: - - postexec = /etc/umount /cdrom - - See also preexec - . - - Default: none (no command executed) - - - Example: postexec = echo \"%u disconnected from %S - from %m (%I)\" >> /tmp/log - - - - - - - postscript (S) - This parameter forces a printer to interpret - the print files as postscript. This is done by adding a %! - to the start of print output. - - This is most useful when you have lots of PCs that persist - in putting a control-D at the start of print jobs, which then - confuses your printer. - - Default: postscript = no - - - - - - - preexec (S) - This option specifies a command to be run whenever - the service is connected to. It takes the usual substitutions. - - An interesting example is to send the users a welcome - message every time they log in. Maybe a message of the day? Here - is an example: - - preexec = csh -c 'echo \"Welcome to %S!\" | - /usr/local/samba/bin/smbclient -M %m -I %I' & - - Of course, this could get annoying after a while :-) - - See also preexec close - and postexec - . - - Default: none (no command executed) - Example: preexec = echo \"%u connected to %S from %m - (%I)\" >> /tmp/log - - - - - - - preexec close (S) - This boolean option controls whether a non-zero - return code from preexec - should close the service being connected to. - - Default: preexec close = no - - - - - - preferred master (G) - This boolean parameter controls if nmbd(8) is a preferred master browser - for its workgroup. - - If this is set to true, on startup, nmbd - will force an election, and it will have a slight advantage in - winning the election. It is recommended that this parameter is - used in conjunction with - domain master = yes, so that - nmbd can guarantee becoming a domain master. - - Use this option with caution, because if there are several - hosts (whether Samba servers, Windows 95 or NT) that are preferred - master browsers on the same subnet, they will each periodically - and continuously attempt to become the local master browser. - This will result in unnecessary broadcast traffic and reduced browsing - capabilities. - - See also os level - . - - Default: preferred master = no - - - - - - - prefered master (G) - Synonym for - preferred master for people who cannot spell :-). - - - - - - - preload - Synonym for - auto services. - - - - - - preserve case (S) - This controls if new filenames are created - with the case that the client passes, or if they are forced to - be the derault case - . - - Default: preserve case = yes - - See the section on NAME - MANGLING" for a fuller discussion. - - - - - - print command (S) - After a print job has finished spooling to - a service, this command will be used via a system() - call to process the spool file. Typically the command specified will - submit the spool file to the host's printing subsystem, but there - is no requirement that this be the case. The server will not remove - the spool file, so whatever command you specify should remove the - spool file when it has been processed, otherwise you will need to - manually remove old spool files. - - The print command is simply a text string. It will be used - verbatim, with two exceptions: All occurrences of %s - and %f will be replaced by the - appropriate spool file name, and all occurrences of %p - will be replaced by the appropriate printer name. The - spool file name is generated automatically by the server, the printer - name is discussed below. - - The print command MUST contain at least - one occurrence of %s or %f - - the %p is optional. At the time - a job is submitted, if no printer name is supplied the %p - will be silently removed from the printer command. - - If specified in the [global] section, the print command given - will be used for any printable service that does not have its own - print command specified. - - If there is neither a specified print command for a - printable service nor a global print command, spool files will - be created but not processed and (most importantly) not removed. - - Note that printing may fail on some UNIXs from the - nobody account. If this happens then create - an alternative guest account that can print and set the guest account - in the [global] section. - - You can form quite complex print commands by realizing - that they are just passed to a shell. For example the following - will log a print job, print the file, then remove it. Note that - ';' is the usual separator for command in shell scripts. - - print command = echo Printing %s >> - /tmp/print.log; lpr -P %p %s; rm %s - - You may have to vary this command considerably depending - on how you normally print files on your system. The default for - the parameter varies depending on the setting of the - printing parameter. - - Default: For printing= BSD, AIX, QNX, LPRNG - or PLP : - print command = lpr -r -P%p %s - - For printing= SYS or HPUX : - print command = lp -c -d%p %s; rm %s - - For printing=SOFTQ : - print command = lp -d%p -s %s; rm %s - - Example: print command = /usr/local/samba/bin/myprintscript - %p %s - - - - - - - print ok (S) - Synonym for - printable. - - - - - - - - printable (S) - If this parameter is yes, then - clients may open, write to and submit spool files on the directory - specified for the service. - - Note that a printable service will ALWAYS allow writing - to the service path (user privileges permitting) via the spooling - of print data. The writeable - parameter controls only non-printing access to - the resource. - - Default: printable = no - - - - - - - printcap (G) - Synonym for - printcap name. - - - - - - - - printer admin (S) - This is a list of users that can do anything to - printers via the remote administration interfaces offered by MSRPC - (usually using a NT workstation). Note that the root user always - has admin rights. - - Default: printer admin = <empty string> - - Example: printer admin = admin, @staff - - - - - - - - - - printcap name (G) - This parameter may be used to override the - compiled-in default printcap name used by the server (usually - /etc/printcap). See the discussion of the [printers] section above for reasons - why you might want to do this. - - On System V systems that use lpstat to - list available printers you can use printcap name = lpstat - to automatically obtain lists of available printers. This - is the default for systems that define SYSV at configure time in - Samba (this includes most System V based systems). If - printcap name is set to lpstat on - these systems then Samba will launch lpstat -v and - attempt to parse the output to obtain a printer list. - - A minimal printcap file would look something like this: - - - print1|My Printer 1 - print2|My Printer 2 - print3|My Printer 3 - print4|My Printer 4 - print5|My Printer 5 - - - where the '|' separates aliases of a printer. The fact - that the second alias has a space in it gives a hint to Samba - that it's a comment. - - NOTE: Under AIX the default printcap - name is /etc/qconfig. Samba will assume the - file is in AIX qconfig format if the string - qconfig appears in the printcap filename. - - Default: printcap name = /etc/printcap - Example: printcap name = /etc/myprintcap - - - - - - - printer (S) - This parameter specifies the name of the printer - to which print jobs spooled through a printable service will be sent. - - If specified in the [global] section, the printer - name given will be used for any printable service that does - not have its own printer name specified. - - Default: none (but may be lp - on many systems) - - Example: printer name = laserwriter - - - - - - - printer driver (S) - This option allows you to control the string - that clients receive when they ask the server for the printer driver - associated with a printer. If you are using Windows95 or WindowsNT - then you can use this to automate the setup of printers on your - system. - - You need to set this parameter to the exact string (case - sensitive) that describes the appropriate printer driver for your - system. If you don't know the exact string to use then you should - first try with no - printer driver option set and the client will - give you a list of printer drivers. The appropriate strings are - shown in a scrollbox after you have chosen the printer manufacturer. - - See also printer - driver file. - - Example: printer driver = HP LaserJet 4L - - - - - - - printer driver file (G) - This parameter tells Samba where the printer driver - definition file, used when serving drivers to Windows 95 clients, is - to be found. If this is not set, the default is : - - SAMBA_INSTALL_DIRECTORY - /lib/printers.def - - This file is created from Windows 95 msprint.inf - files found on the Windows 95 client system. For more - details on setting up serving of printer drivers to Windows 95 - clients, see the documentation file in the docs/ - directory, PRINTER_DRIVER.txt. - - See also - printer driver location. - - Default: None (set in compile). - - Example: printer driver file = - /usr/local/samba/printers/drivers.def - - - - - - - - printer driver location (S) - This parameter tells clients of a particular printer - share where to find the printer driver files for the automatic - installation of drivers for Windows 95 machines. If Samba is set up - to serve printer drivers to Windows 95 machines, this should be set to - - \\MACHINE\PRINTER$ - - Where MACHINE is the NetBIOS name of your Samba server, - and PRINTER$ is a share you set up for serving printer driver - files. For more details on setting this up see the documentation - file in the docs/ directory, - PRINTER_DRIVER.txt. - - See also - printer driver file. - - Default: none - Example: printer driver location = \\MACHINE\PRINTER$ - - - - - - - - printer name (S) - Synonym for - printer. - - - - - - - printing (S) - This parameters controls how printer status - information is interpreted on your system. It also affects the - default values for the print command, - lpq command, lppause command - , lpresume command, and - lprm command if specified in the - [global]f> section. - - Currently eight printing styles are supported. They are - BSD, AIX, - LPRNG, PLP, - SYSV, HPUX, - QNX, SOFTQ, - and CUPS. - - To see what the defaults are for the other print - commands when using the various options use the testparm(1) program. - - This option can be set on a per printer basis - - See also the discussion in the - [printers] section. - - - - - - - private dir(G) - The private dir parameter - allows an administator to define a directory path used to hold the - various databases Samba will use to store things like a the machine - trust account information when acting as a domain member (i.e. where - the secrets.tdb file will be located), where the passdb.tbd file - will stored in the case of using the experiemental tdbsam support, - etc... - - Default: private dir = <compile time location - of smbpasswd> - Example: private dir = /etc/smbprivate - - - - - - - protocol (G) - The value of the parameter (a string) is the highest - protocol level that will be supported by the server. - - Possible values are : - - CORE: Earliest version. No - concept of user names. - - COREPLUS: Slight improvements on - CORE for efficiency. - - LANMAN1: First - modern version of the protocol. Long filename - support. - - LANMAN2: Updates to Lanman1 protocol. - - - NT1: Current up to date version of - the protocol. Used by Windows NT. Known as CIFS. - - - Normally this option should not be set as the automatic - negotiation phase in the SMB protocol takes care of choosing - the appropriate protocol. - - Default: protocol = NT1 - Example: protocol = LANMAN1 - - - - - - public (S) - Synonym for guest - ok. - - - - - - - queuepause command (S) - This parameter specifies the command to be - executed on the server host in order to pause the printerqueue. - - This command should be a program or script which takes - a printer name as its only parameter and stops the printerqueue, - such that no longer jobs are submitted to the printer. - - This command is not supported by Windows for Workgroups, - but can be issued from the Printer's window under Windows 95 - and NT. - - If a %p is given then the printername - is put in its place. Otherwise it is placed at the end of the command. - - - Note that it is good practice to include the absolute - path in the command as the PATH may not be available to the - server. - - Default: depends on the setting of printing - - Example: queuepause command = disable %p - - - - - - - queueresume command (S) - This parameter specifies the command to be - executed on the server host in order to resume the printerqueue. It - is the command to undo the behavior that is caused by the - previous parameter ( - queuepause command). - - This command should be a program or script which takes - a printer name as its only parameter and resumes the printerqueue, - such that queued jobs are resubmitted to the printer. - - This command is not supported by Windows for Workgroups, - but can be issued from the Printer's window under Windows 95 - and NT. - - If a %p is given then the printername - is put in its place. Otherwise it is placed at the end of the - command. - - Note that it is good practice to include the absolute - path in the command as the PATH may not be available to the - server. - - Default: depends on the setting of printing - - - Example: queuepause command = enable %p - - - - - - - - read bmpx (G) - This boolean parameter controls whether smbd(8) will support the "Read - Block Multiplex" SMB. This is now rarely used and defaults to - no. You should never need to set this - parameter. - - Default: read bmpx = no - - - - - - - - read list (S) - This is a list of users that are given read-only - access to a service. If the connecting user is in this list then - they will not be given write access, no matter what the writeable - option is set to. The list can include group names using the - syntax described in the - invalid users parameter. - - See also the - write list parameter and the invalid users - parameter. - - Default: read list = <empty string> - Example: read list = mary, @students - - - - - - - read only (S) - Note that this is an inverted synonym for writeable. - - - - - - - read raw (G) - This parameter controls whether or not the server - will support the raw read SMB requests when transferring data - to clients. - - If enabled, raw reads allow reads of 65535 bytes in - one packet. This typically provides a major performance benefit. - - - However, some clients either negotiate the allowable - block size incorrectly or are incapable of supporting larger block - sizes, and for these clients you may need to disable raw reads. - - In general this parameter should be viewed as a system tuning - tool and left severely alone. See also - write raw. - - Default: read raw = yes - - - - - - read size (G) - The option read size - affects the overlap of disk reads/writes with network reads/writes. - If the amount of data being transferred in several of the SMB - commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger - than this value then the server begins writing the data before it - has received the whole packet from the network, or in the case of - SMBreadbraw, it begins writing to the network before all the data - has been read from disk. - - This overlapping works best when the speeds of disk and - network access are similar, having very little effect when the - speed of one is much greater than the other. - - The default value is 16384, but very little experimentation - has been done yet to determine the optimal value, and it is likely - that the best value will vary greatly between systems anyway. - A value over 65536 is pointless and will cause you to allocate - memory unnecessarily. - - Default: read size = 16384 - Example: read size = 8192 - - - - - - - remote announce (G) - This option allows you to setup nmbd(8) to periodically announce itself - to arbitrary IP addresses with an arbitrary workgroup name. - - This is useful if you want your Samba server to appear - in a remote workgroup for which the normal browse propagation - rules don't work. The remote workgroup can be anywhere that you - can send IP packets to. - - For example: - - remote announce = 192.168.2.255/SERVERS - 192.168.4.255/STAFF - - the above line would cause nmbd to announce itself - to the two given IP addresses using the given workgroup names. - If you leave out the workgroup name then the one given in - the workgroup - parameter is used instead. - - The IP addresses you choose would normally be the broadcast - addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable. - - See the documentation file BROWSING.txt - in the docs/ directory. - - Default: remote announce = <empty string> - - - - - - - - remote browse sync (G) - This option allows you to setup nmbd(8) to periodically request - synchronization of browse lists with the master browser of a samba - server that is on a remote segment. This option will allow you to - gain browse lists for multiple workgroups across routed networks. This - is done in a manner that does not work with any non-samba servers. - - This is useful if you want your Samba server and all local - clients to appear in a remote workgroup for which the normal browse - propagation rules don't work. The remote workgroup can be anywhere - that you can send IP packets to. - - For example: - - remote browse sync = 192.168.2.255 192.168.4.255 - - - the above line would cause nmbd to request - the master browser on the specified subnets or addresses to - synchronize their browse lists with the local server. - - The IP addresses you choose would normally be the broadcast - addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable. If - a machine IP address is given Samba makes NO attempt to validate - that the remote machine is available, is listening, nor that it - is in fact the browse master on it's segment. - - Default: remote browse sync = <empty string> - - - - - - - - restrict anonymous (G) - This is a boolean parameter. If it is true, then - anonymous access to the server will be restricted, namely in the - case where the server is expecting the client to send a username, - but it doesn't. Setting it to true will force these anonymous - connections to be denied, and the client will be required to always - supply a username and password when connecting. Use of this parameter - is only recommened for homogenous NT client environments. - - This parameter makes the use of macro expansions that rely - on the username (%U, %G, etc) consistant. NT 4.0 - likes to use anonymous connections when refreshing the share list, - and this is a way to work around that. - - When restrict anonymous is true, all anonymous connections - are denied no matter what they are for. This can effect the ability - of a machine to access the samba Primary Domain Controller to revalidate - it's machine account after someone else has logged on the client - interactively. The NT client will display a message saying that - the machine's account in the domain doesn't exist or the password is - bad. The best way to deal with this is to reboot NT client machines - between interactive logons, using "Shutdown and Restart", rather - than "Close all programs and logon as a different user". - - Default: restrict anonymous = no - - - - - - - root (G) - Synonym for - root directory". - - - - - - - root dir (G) - Synonym for - root directory". - - - - - - root directory (G) - The server will chroot() (i.e. - Change it's root directory) to this directory on startup. This is - not strictly necessary for secure operation. Even without it the - server will deny access to files not in one of the service entries. - It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the wide links - parameter). - - Adding a root directory entry other - than "/" adds an extra level of security, but at a price. It - absolutely ensures that no access is given to files not in the - sub-tree specified in the root directory - option, including some files needed for - complete operation of the server. To maintain full operability - of the server you will need to mirror some system files - into the root directory tree. In particular - you will need to mirror /etc/passwd (or a - subset of it), and any binaries or configuration files needed for - printing (if required). The set of files that must be mirrored is - operating system dependent. - - Default: root directory = / - Example: root directory = /homes/smb - - - - - - - root postexec (S) - This is the same as the postexec - parameter except that the command is run as root. This - is useful for unmounting filesystems - (such as cdroms) after a connection is closed. - - See also - postexec. - - - - - root preexec (S) - This is the same as the preexec - parameter except that the command is run as root. This - is useful for mounting filesystems - (such as cdroms) after a connection is closed. - - See also - preexec and - preexec close. - - - - - - - root preexec close (S) - This is the same as the preexec close - parameter except that the command is run as root. - - See also - preexec and - preexec close. - - - - - - security (G) - This option affects how clients respond to - Samba and is one of the most important settings in the - smb.conf file. - - The option sets the "security mode bit" in replies to - protocol negotiations with smbd(8) - to turn share level security on or off. Clients decide - based on this bit whether (and how) to transfer user and password - information to the server. - - - The default is security = user, as this is - the most common setting needed when talking to Windows 98 and - Windows NT. - - The alternatives are security = share, - security = server or security=domain - . - - In versions of Samba prior to 2..0, the default was - security = share mainly because that was - the only option at one stage. - - There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as. - - If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - security = user. If you mostly use usernames - that don't exist on the UNIX box then use security = - share. - - You should also use security = share if you - want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with security = user, see - the map to guest - parameter for details. - - It is possible to use smbd in a - hybrid mode where it is offers both user and share - level security under different - NetBIOS aliases. - - The different settings will now be explained. - - - SECURITY = SHARE - - - When clients connect to a share level security server then - need not log onto the server with a valid username and password before - attempting to connect to a shared resource (although modern clients - such as Windows 95/98 and Windows NT will send a logon request with - a username but no password when talking to a security = share - server). Instead, the clients send authentication information - (passwords) on a per-share basis, at the time they attempt to connect - to that share. - - Note that smbd ALWAYS - uses a valid UNIX user to act on behalf of the client, even in - security = share level security. - - As clients are not required to send a username to the server - in share level security, smbd uses several - techniques to determine the correct UNIX user to use on behalf - of the client. - - A list of possible UNIX usernames to match with the given - client password is constructed using the following methods : - - - If the guest - only parameter is set, then all the other - stages are missed and only the - guest account username is checked. - - - Is a username is sent with the share connection - request, then this username (after mapping - see username map), - is added as a potential username. - - If the client did a previous logon - request (the SessionSetup SMB call) then the - username sent in this SMB will be added as a potential username. - - - The name of the service the client requested is - added as a potential username. - - The NetBIOS name of the client is added to - the list as a potential username. - - Any users on the - user list are added as potential usernames. - - - - If the guest only parameter is - not set, then this list is then tried with the supplied password. - The first user for whom the password matches will be used as the - UNIX user. - - If the guest only parameter is - set, or no username can be determined then if the share is marked - as available to the guest account, then this - guest user will be used, otherwise access is denied. - - Note that it can be very confusing - in share-level security as to which UNIX username will eventually - be used in granting access. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURIYT = USER - - - This is the default security setting in Samba 2.2. - With user-level security a client must first "log=on" with a - valid username and password (which can be mapped using the username map - parameter). Encrypted passwords (see the - encrypted passwords parameter) can also - be used in this security mode. Parameters such as - user and - guest only if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = SERVER - - - In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to security = user, but note - that if encrypted passwords have been negotiated then Samba cannot - revert back to checking the UNIX password file, it must have a valid - smbpasswd file to check users against. See the - documentation file in the docs/ directory - ENCRYPTION.txt for details on how to set this - up. - - Note that from the clients point of - view security = server is the same as - security = user. It only affects how the server deals - with the authentication, it does not in any way affect what the - client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the encrypted passwords - parameter. - - SECURITY = DOMAIN - - - This mode will only work correctly if smbpasswd(8) has been used to add this - machine into a Windows NT Domain. It expects the encrypted passwords - parameter to be set to true. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. - - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. - - Note that from the clients point - of view security = domain is the same as security = user - . It only affects how the server deals with the authentication, - it does not in any way affect what the client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. - - BUG: There is currently a bug in the - implementation of security = domain with respect - to multi-byte character set usernames. The communication with a - Domain Controller must be done in UNICODE and Samba currently - does not widen multi-byte user names to UNICODE correctly, thus - a multi-byte username will not be recognized correctly at the - Domain Controller. This issue will be addressed in a future release. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the encrypted passwords - parameter. - - Default: security = USER - Example: security = DOMAIN - - - - - - - security mask (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box. - - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. - - If not set explicitly this parameter is set to the same - value as the create mask - parameter. To allow a user to modify all the - user/group/world permissions on a file, set this parameter to - 0777. - - Note that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to set it to 0777. - - See also the - force directory security mode, - directory - security mask, - force security mode parameters. - - Default: security mask = <same as create mask> - - Example: security mask = 0777 - - - - - - server string (G) - This controls what string will show up in the - printer comment box in print manager and next to the IPC connection - in net view". It can be any string that you wish - to show to your users. - - It also sets what will appear in browse lists next - to the machine name. - - A %v will be replaced with the Samba - version number. - - A %h will be replaced with the - hostname. - - Default: server string = Samba %v - - Example: server string = University of GNUs Samba - Server - - - - - - - set directory (S) - If set directory = no, then - users of the service may not use the setdir command to change - directory. - - The setdir command is only implemented - in the Digital Pathworks client. See the Pathworks documentation - for details. - - Default: set directory = no - - - - - - - - share modes (S) - This enables or disables the honoring of - the share modes during a file open. These - modes are used by clients to gain exclusive read or write access - to a file. - - These open modes are not directly supported by UNIX, so - they are simulated using shared memory, or lock files if your - UNIX doesn't support shared memory (almost all do). - - The share modes that are enabled by this option are - DENY_DOS, DENY_ALL, - DENY_READ, DENY_WRITE, - DENY_NONE and DENY_FCB. - - - This option gives full share compatibility and enabled - by default. - - You should NEVER turn this parameter - off as many Windows applications will break if you do so. - - Default: share modes = yes - - - - - - - shared mem size (G) - It specifies the size of the shared memory (in - bytes) to use between smbd(8) - processes. This parameter defaults to one megabyte of shared - memory. It is possible that if you have a large erver with many - files open simultaneously that you may need to increase this - parameter. Signs that this parameter is set too low are users - reporting strange problems trying to save files (locking errors) - and error messages in the smbd log looking like ERROR - smb_shm_alloc : alloc of XX bytes failed. - - If your OS refuses the size that Samba asks for then - Samba will try a smaller size, reducing by a factor of 0.8 until - the OS accepts it. - - Default: shared mem size = 1048576 - Example: shared mem size = 5242880 ; Set to 5mb for a - large number of files. - - - - - - - short preserve case (S) - This boolean parameter controls if new files - which conform to 8.3 syntax, that is all in upper case and of - suitable length, are created upper case, or if they are forced - to be the default case - . This option can be use with preserve case = yes - to permit long filenames to retain their case, while short - names are lowered. - - See the section on - NAME MANGLING. - - Default: short preserve case = yes - - - - - - - smb passwd file (G) - This option sets the path to the encrypted - smbpasswd file. By default the path to the smbpasswd file - is compiled into Samba. - - Default: smb passwd file= <compiled - default> - - Example: smb passwd file = /usr/samba/private/smbpasswd - - - - - - - - smbrun (G) - This sets the full path to the smbrun - binary. This defaults to the value in the - Makefile. - - You must get this path right for many services - to work correctly. - - You should not need to change this parameter so - long as Samba is installed correctly. - - Default: smbrun=<compiled default> - - - Example: smbrun = /usr/local/samba/bin/smbrun - - - - - - - - socket address (G) - This option allows you to control what - address Samba will listen for connections on. This is used to - support multiple virtual interfaces on the one server, each - with a different configuration. - - By default samba will accept connections on any - address. - - Example: socket address = 192.168.2.20 - - - - - - - - socket options (G) - This option allows you to set socket options - to be used when talking with the client. - - Socket options are controls on the networking layer - of the operating systems which allow the connection to be - tuned. - - This option will typically be used to tune your Samba - server for optimal performance for your local network. There is - no way that Samba can know what the optimal parameters are for - your net, so you must experiment and choose them yourself. We - strongly suggest you read the appropriate documentation for your - operating system first (perhaps man setsockopt - will help). - - You may find that on some systems Samba will say - "Unknown socket option" when you supply an option. This means you - either incorrectly typed it or you need to add an include file - to includes.h for your OS. If the latter is the case please - send the patch to - samba@samba.org. - - Any of the supported socket options may be combined - in any way you like, as long as your OS allows it. - - This is the list of socket options currently settable - using this option: - - - SO_KEEPALIVE - SO_REUSEADDR - SO_BROADCAST - TCP_NODELAY - IPTOS_LOWDELAY - IPTOS_THROUGHPUT - SO_SNDBUF * - SO_RCVBUF * - SO_SNDLOWAT * - SO_RCVLOWAT * - - - Those marked with a '*' take an integer - argument. The others can optionally take a 1 or 0 argument to enable - or disable the option, by default they will be enabled if you - don't specify 1 or 0. - - To specify an argument use the syntax SOME_OPTION=VALUE - for example SO_SNDBUF=8192. Note that you must - not have any spaces before or after the = sign. - - If you are on a local network then a sensible option - might be - socket options = IPTOS_LOWDELAY - - If you have a local network then you could try: - socket options = IPTOS_LOWDELAY TCP_NODELAY - - If you are on a wide area network then perhaps try - setting IPTOS_THROUGHPUT. - - Note that several of the options may cause your Samba - server to fail completely. Use these options with caution! - - Default: socket options = TCP_NODELAY - Example: socket options = IPTOS_LOWDELAY - - - - - - - - source environment (G) - This parameter causes Samba to set environment - variables as per the content of the file named. - - If the value of this parameter starts with a "|" character - then Samba will treat that value as a pipe command to open and - will set the environment variables from the output of the pipe. - - The contents of the file or the output of the pipe should - be formatted as the output of the standard Unix env(1) - command. This is of the form : - Example environment entry: - SAMBA_NETBIOS_NAME=myhostname - - Default: No default value - Examples: source environment = |/etc/smb.conf.sh - - - Example: source environment = - /usr/local/smb_env_vars - - - - - - - ssl (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This variable enables or disables the entire SSL mode. If - it is set to no, the SSL enabled samba behaves - exactly like the non-SSL samba. If set to yes, - it depends on the variables - ssl hosts and - ssl hosts resign whether an SSL - connection will be required. - - Default: ssl=no - - - - - - - ssl CA certDir (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This variable defines where to look up the Certification - Authorities. The given directory should contain one file for - each CA that samba will trust. The file name must be the hash - value over the "Distinguished Name" of the CA. How this directory - is set up is explained later in this document. All files within the - directory that don't fit into this naming scheme are ignored. You - don't need this variable if you don't verify client certificates. - - Default: ssl CA certDir = /usr/local/ssl/certs - - - - - - - - ssl CA certFile (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This variable is a second way to define the trusted CAs. - The certificates of the trusted CAs are collected in one big - file and this variable points to the file. You will probably - only use one of the two ways to define your CAs. The first choice is - preferable if you have many CAs or want to be flexible, the second - is preferable if you only have one CA and want to keep things - simple (you won't need to create the hashed file names). You - don't need this variable if you don't verify client certificates. - - Default: ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem - - - - - - - - ssl ciphers (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This variable defines the ciphers that should be offered - during SSL negotiation. You should not set this variable unless - you know what you are doing. - - - - - - ssl client cert (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - The certificate in this file is used by - smbclient(1) if it exists. It's needed - if the server requires a client certificate. - - Default: ssl client cert = /usr/local/ssl/certs/smbclient.pem - - - - - - - - ssl client key (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This is the private key for - smbclient(1). It's only needed if the - client should have a certificate. - - Default: ssl client key = /usr/local/ssl/private/smbclient.pem - - - - - - - - ssl compatibility (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This variable defines whether SSLeay should be configured - for bug compatibility with other SSL implementations. This is - probably not desirable because currently no clients with SSL - implementations other than SSLeay exist. - - Default: ssl compatibility = no - - - - - - ssl hosts (G) - See - ssl hosts resign. - - - - - - ssl hosts resign (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - These two variables define whether samba will go - into SSL mode or not. If none of them is defined, samba will - allow only SSL connections. If the - ssl hosts variable lists - hosts (by IP-address, IP-address range, net group or name), - only these hosts will be forced into SSL mode. If the - ssl hosts resign variable lists hosts, only these - hosts will NOT be forced into SSL mode. The syntax for these two - variables is the same as for the - hosts allow and - hosts deny pair of variables, only - that the subject of the decision is different: It's not the access - right but whether SSL is used or not. - - The example below requires SSL connections from all hosts - outside the local net (which is 192.168.*.*). - - Default: ssl hosts = <empty string> - ssl hosts resign = <empty string> - - Example: ssl hosts resign = 192.168. - - - - - - - ssl require clientcert (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - If this variable is set to yes, the - server will not tolerate connections from clients that don't - have a valid certificate. The directory/file given in ssl CA certDir - and ssl CA certFile - will be used to look up the CAs that issued - the client's certificate. If the certificate can't be verified - positively, the connection will be terminated. If this variable - is set to no, clients don't need certificates. - Contrary to web applications you really should - require client certificates. In the web environment the client's - data is sensitive (credit card numbers) and the server must prove - to be trustworthy. In a file server environment the server's data - will be sensitive and the clients must prove to be trustworthy. - - Default: ssl require clientcert = no - - - - - - - ssl require servercert (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - If this variable is set to yes, the - smbclient(1) - will request a certificate from the server. Same as - ssl require - clientcert for the server. - - Default: ssl require servercert = no - - - - - - ssl server cert (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This is the file containing the server's certificate. - The server must have a certificate. The - file may also contain the server's private key. See later for - how certificates and private keys are created. - - Default: ssl server cert = <empty string> - - - - - - - ssl server key (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This file contains the private key of the server. If - this variable is not defined, the key is looked up in the - certificate file (it may be appended to the certificate). - The server must have a private key - and the certificate must - match this private key. - - Default: ssl server key = <empty string> - - - - - - - ssl version (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - Note that for export control reasons - this code is NOT enabled by default in any - current binary version of Samba. - - This enumeration variable defines the versions of the - SSL protocol that will be used. ssl2or3 allows - dynamic negotiation of SSL v2 or v3, ssl2 results - in SSL v2, ssl3 results in SSL v3 and - tls1 results in TLS v1. TLS (Transport Layer - Security) is the new standard for SSL. - - Default: ssl version = "ssl2or3" - - - - - - - stat cache (G) - This parameter determines if smbd(8) will use a cache in order to - speed up case insensitive name mappings. You should never need - to change this parameter. - - Default: stat cache = yes - - - - - stat cache size (G) - This parameter determines the number of - entries in the stat cache. You should - never need to change this parameter. - - Default: stat cache size = 50 - - - - - - - status (G) - This enables or disables logging of connections - to a status file that smbstatus(1) - can read. - - With this disabled smbstatus won't be able - to tell you what connections are active. You should never need to - change this parameter. - - Default: status = yes - - - - - - - strict locking (S) - This is a boolean that controls the handling of - file locking in the server. When this is set to yes - the server will check every read and write access for file locks, and - deny access if locks exist. This can be slow on some systems. - - When strict locking is no the server does file - lock checks only when the client explicitly asks for them. - - Well behaved clients always ask for lock checks when it - is important, so in the vast majority of cases strict - locking = no is preferable. - - Default: strict locking = no - - - - - - - strict sync (S) - Many Windows applications (including the Windows - 98 explorer shell) seem to confuse flushing buffer contents to - disk with doing a sync to disk. Under UNIX, a sync call forces - the process to be suspended until the kernel has ensured that - all outstanding data in kernel disk buffers has been safely stored - onto stable storage. This is very slow and should only be done - rarely. Setting this parameter to no (the - default) means that smbd ignores the Windows applications requests for - a sync call. There is only a possibility of losing data if the - operating system itself that Samba is running on crashes, so there is - little danger in this default setting. In addition, this fixes many - performance problems that people have reported with the new Windows98 - explorer shell file copies. - - See also the sync - always> parameter. - - Default: strict sync = no - - - - - - strip dot (G) - This is a boolean that controls whether to - strip trailing dots off UNIX filenames. This helps with some - CDROMs that have filenames ending in a single dot. - - Default: strip dot = no - - - - - - - sync always (S) - This is a boolean parameter that controls - whether writes will always be written to stable storage before - the write call returns. If this is false then the server will be - guided by the client's request in each write call (clients can - set a bit indicating that a particular write should be synchronous). - If this is true then every write will be followed by a fsync() - call to ensure the data is written to disk. Note that - the strict sync parameter must be set to - yes in order for this parameter to have - any affect. - - See also the strict - sync parameter. - - Default: sync always = no - - - - - - - syslog (G) - This parameter maps how Samba debug messages - are logged onto the system syslog logging levels. Samba debug - level zero maps onto syslog LOG_ERR, debug - level one maps onto LOG_WARNING, debug level - two maps onto LOG_NOTICE, debug level three - maps onto LOG_INFO. All higher levels are mapped to - LOG_DEBUG. - - This paramter sets the threshold for sending messages - to syslog. Only messages with debug level less than this value - will be sent to syslog. - - Default: syslog = 1 - - - - - - - syslog only (G) - If this parameter is set then Samba debug - messages are logged into the system syslog only, and not to - the debug log files. - - Default: syslog only = no - - - - - - - template homedir (G) - NOTE: this parameter is - only available in Samba 3.0. - - When filling out the user information for a Windows NT - user, the winbindd(8) daemon - uses this parameter to fill in the home directory for that user. - If the string %D is present it is substituted - with the user's Windows NT domain name. If the string %U - is present it is substituted with the user's Windows - NT user name. - - Default: template homedir = /home/%D/%U - - - - - - - template shell (G) - NOTE: this parameter is - only available in Samba 3.0. - - When filling out the user information for a Windows NT - user, the winbindd(8) daemon - uses this parameter to fill in the login shell for that user. - - Default: template shell = /bin/false - - - - - - - time offset (G) - This parameter is a setting in minutes to add - to the normal GMT to local time conversion. This is useful if - you are serving a lot of PCs that have incorrect daylight - saving time handling. - - Default: time offset = 0 - Example: time offset = 60 - - - - - - - time server (G) - This parameter determines if - nmbd(8) advertises itself as a time server to Windows - clients. - - Default: time server = no - - - - - - timestamp logs (G) - Synonym for - debug timestamp. - - - - - - - - unix password sync (G) - This boolean parameter controls whether Samba - attempts to synchronize the UNIX password with the SMB password - when the encrypted SMB password in the smbpasswd file is changed. - If this is set to true the program specified in the passwd - programparameter is called AS ROOT - - to allow the new UNIX password to be set without access to the - old UNIX password (as the SMB password has change code has no - access to the old password cleartext, only the new). - - See also passwd - program, - passwd chat. - - Default: unix password sync = no - - - - - - - unix realname (G) - This boolean parameter when set causes samba - to supply the real name field from the unix password file to - the client. This isuseful for setting up mail clients and WWW - browsers on systems used by more than one person. - - Default: unix realname = no - - - - - - - update encrypted (G) - This boolean parameter allows a user logging - on with a plaintext password to have their encrypted (hashed) - password in the smbpasswd file to be updated automatically as - they log on. This option allows a site to migrate from plaintext - password authentication (users authenticate with plaintext - password over the wire, and are checked against a UNIX account - database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing - all users to re-enter their passwords via smbpasswd at the time the - change is made. This is a convenience option to allow the change over - to encrypted passwords to be made over a longer period. Once all users - have encrypted representations of their passwords in the smbpasswd - file this parameter should be set to no. - - In order for this parameter to work correctly the encrypt passwords - parameter must be set to no when - this parameter is set to yes. - - Note that even when this parameter is set a user - authenticating to smbd must still enter a valid - password in order to connect correctly, and to update their hashed - (smbpasswd) passwords. - - Default: update encrypted = no - - - - - - - use rhosts (G) - If this global parameter is a true, it specifies - that the UNIX users .rhosts file in their home directory - will be read to find the names of hosts and users who will be allowed - access without specifying a password. - - NOTE: The use of use rhosts - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the - use rhosts option be only used if you really know what - you are doing. - - Default: use rhosts = no - - - - - - - user (S) - Synonym for - username. - - - - - - - users (S) - Synonym for - username. - - - - - - username (S) - Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right). - - The username line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead. - - The username line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - username line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely. - - Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do. - - To restrict a service to a particular set of users you - can use the valid users - parameter. - - If any of the usernames begin with a '@' then the name - will be looked up first in the yp netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name. - - If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name. - - If any of the usernames begin with a '&'then the name - will be looked up only in the yp netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name. - - Note that searching though a groups database can take - quite some time, snd some clients may time out during the - search. - - See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how - this parameter determines access to the services. - - Default: The guest account if a guest service, - else the name of the service. - - Examples:username = fred, mary, jack, jane, - @users, @pcgroup - - - - - - - username level (G) - This option helps Samba to try and 'guess' at - the real UNIX username, as many DOS clients send an all-uppercase - username. By default Samba tries all lowercase, followed by the - username with the first letter capitalized, and fails if the - username is not found on the UNIX machine. - - If this parameter is set to non-zero the behavior changes. - This parameter is a number that specifies the number of uppercase - combinations to try whilst trying to determine the UNIX user name. The - higher the number the more combinations will be tried, but the slower - the discovery of usernames will be. Use this parameter when you have - strange usernames on your UNIX machine, such as AstrangeUser - . - - Default: username level = 0 - Example: username level = 5 - - - - - - - username map (G) - This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files. - - The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long. - - The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line. - - If any line begins with a '#' or a ';' then it is - ignored - - If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file. - - For example to map from the name admin - or administrator to the UNIX name - root you would use: - - root = admin administrator - - Or to map anyone in the UNIX group system - to the UNIX name sys you would use: - - sys = @system - - You can have as many mappings as you like in a username - map file. - - - If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups. - - You can map Windows usernames that have spaces in them - by using double quotes around the name. For example: - - tridge = "Andrew Tridgell" - - would map the windows username "Andrew Tridgell" to the - unix username "tridge". - - The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line. - - - !sys = mary fred - guest = * - - - Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the - password server (if you have one). The password - server will receive whatever username the client supplies without - modification. - - Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job. - - Default: no username map - Example: username map = /usr/local/samba/lib/users.map - - - - - - - - utmp (S) - This boolean parameter is only available if - Samba has been configured and compiled with the option - --with-utmp. If set to True then Samba will attempt - to add utmp or utmpx records (depending on the UNIX system) whenever a - connection is made to a Samba server. Sites may use this to record the - user connecting to a Samba share. - - See also the - utmp directory parameter. - - Default: utmp = no - - - - - - - utmp directory(G) - This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the utmp or utmpx files (depending on the UNIX system) that - record user connections to a Samba server. See also the - utmp parameter. By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/utmp on Linux). - - Default: no utmp directory - - - - - - - winbind cache time - NOTE: this parameter is only - available in Samba 3.0. - - This parameter specifies the number of seconds the - winbindd(8) daemon will cache - user and group information before querying a Windows NT server - again. - - Default: winbind cache type = 15 - - - - - - - - winbind gid - NOTE: this parameter is only - available in Samba 3.0. - - The winbind gid parameter specifies the range of group - ids that are allocated by the - winbindd(8) daemon. This range of group ids should have no - existing local or nis groups within it as strange conflicts can - occur otherwise. - - Default: winbind gid = <empty string> - - - Example: winbind gid = 10000-20000 - - - - - - - winbind uid - NOTE: this parameter is only - available in Samba 3.0. - - The winbind gid parameter specifies the range of group - ids that are allocated by the - winbindd(8) daemon. This range of ids should have no - existing local or nis users within it as strange conflicts can - occur otherwise. - - Default: winbind uid = <empty string> - - - Example: winbind uid = 10000-20000 - - - - - - - valid chars (G) - The option allows you to specify additional - characters that should be considered valid by the server in - filenames. This is particularly useful for national character - sets, such as adding u-umlaut or a-ring. - - The option takes a list of characters in either integer - or character form with spaces between them. If you give two - characters with a colon between them then it will be taken as - an lowercase:uppercase pair. - - If you have an editor capable of entering the characters - into the config file then it is probably easiest to use this - method. Otherwise you can specify the characters in octal, - decimal or hexadecimal form using the usual C notation. - - For example to add the single character 'Z' to the charset - (which is a pointless thing to do as it's already there) you could - do one of the following - - - valid chars = Z - valid chars = z:Z - valid chars = 0132:0172 - - - The last two examples above actually add two characters, - and alter the uppercase and lowercase mappings appropriately. - - Note that you MUST specify this parameter - after the client code page parameter if you - have both set. If client code page is set after - the valid chars parameter the valid - chars settings will be overwritten. - - See also the client - code page parameter. - - Default: Samba defaults to using a reasonable set - of valid characters for English systems - - Example: valid chars = 0345:0305 0366:0326 0344:0304 - - - The above example allows filenames to have the Swedish - characters in them. - - NOTE: It is actually quite difficult to - correctly produce a valid chars line for - a particular system. To automate the process tino@augsburg.net has written - a package called validchars which will automatically - produce a complete valid chars line for - a given client system. Look in the examples/validchars/ - subdirectory of your Samba source code distribution - for this package. - - - - - - - valid users (S) - This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' - are interpreted using the same rules as described in the - invalid users parameter. - - If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user. - - The current servicename is substituted for %S - . This is useful in the [homes] section. - - See also invalid users - - - Default: No valid users list (anyone can login) - - - Example: valid users = greg, @pcusers - - - - - - - - veto files(S) - This is a list of files and directories that - are neither visible nor accessible. Each entry in the list must - be separated by a '/', which allows spaces to be included - in the entry. '*' and '?' can be used to specify multiple files - or directories as in DOS wildcards. - - Each entry must be a unix path, not a DOS path and - must not include the unix directory - separator '/'. - - Note that the case sensitive option - is applicable in vetoing files. - - One feature of the veto files parameter that it is important - to be aware of, is that if a directory contains nothing but files - that match the veto files parameter (which means that Windows/DOS - clients cannot ever see them) is deleted, the veto files within - that directory are automatically deleted along - with it, if the user has UNIX permissions to do so. - - Setting this parameter will affect the performance - of Samba, as it will be forced to check all files and directories - for a match as they are scanned. - - See also hide files - and - case sensitive. - - Default: No files or directories are vetoed. - - - Examples: - ; Veto any files containing the word Security, - ; any ending in .tmp, and any directory containing the - ; word root. - veto files = /*Security*/*.tmp/*root*/ - - ; Veto the Apple specific files that a NetAtalk server - ; creates. - veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ - - - - - - - veto oplock files (S) - This parameter is only valid when the oplocks - parameter is turned on for a share. It allows the Samba administrator - to selectively turn off the granting of oplocks on selected files that - match a wildcarded list, similar to the wildcarded list used in the - veto files - parameter. - - Default: No files are vetoed for oplock - grants - - You might want to do this on files that you know will - be heavily contended for by clients. A good example of this - is in the NetBench SMB benchmark program, which causes heavy - client contention for files ending in .SEM. - To cause Samba not to grant oplocks on these files you would use - the line (either in the [global] section or in the section for - the particular NetBench share : - - Example: veto oplock files = /*;.SEM/ - - - - - - - - volume (S) - This allows you to override the volume label - returned for a share. Useful for CDROMs with installation programs - that insist on a particular volume label. - - Default: the name of the share - - - - - - - wide links (S) - This parameter controls whether or not links - in the UNIX file system may be followed by the server. Links - that point to areas within the directory tree exported by the - server are always allowed; this parameter controls access only - to areas that are outside the directory tree being exported. - - Note that setting this parameter can have a negative - effect on your server performance due to the extra system calls - that Samba has to do in order to perform the link checks. - - Default: wide links = yes - - - - - - - wins proxy (G) - This is a boolean that controls if nmbd(8) will respond to broadcast name - queries on behalf of other hosts. You may need to set this - to yes for some older clients. - - Default: wins proxy = no - - - - - - - - wins server (G) - This specifies the IP address (or DNS name: IP - address for preference) of the WINS server that - nmbd(8) should register with. If you have a WINS server on - your network then you should set this to the WINS server's IP. - - You should point this at your WINS server if you have a - multi-subnetted network. - - NOTE. You need to set up Samba to point - to a WINS server if you have multiple subnets and wish cross-subnet - browsing to work correctly. - - See the documentation file BROWSING.txt - in the docs/ directory of your Samba source distribution. - - Default: not enabled - Example: wins server = 192.9.200.1 - - - - - - - wins hook (G) - When Samba is running as a WINS server this - allows you to call an external program for all changes to the - WINS database. The primary use for this option is to allow the - dynamic update of external name resolution databases such as - dynamic DNS. - - The wins hook parameter specifies the name of a script - or executable that will be called as follows: - - wins_hook operation name nametype ttl IP_list - - - - The first argument is the operation and is one - of "add", "delete", or "refresh". In most cases the operation can - be ignored as the rest of the parameters provide sufficient - information. Note that "refresh" may sometimes be called when the - name has not previously been added, in that case it should be treated - as an add. - - The second argument is the netbios name. If the - name is not a legal name then the wins hook is not called. - Legal names contain only letters, digits, hyphens, underscores - and periods. - - The third argument is the netbios name - type as a 2 digit hexadecimal number. - - The fourth argument is the TTL (time to live) - for the name in seconds. - - The fifth and subsequent arguments are the IP - addresses currently registered for that name. If this list is - empty then the name should be deleted. - - - An example script that calls the BIND dynamic DNS update - program nsupdate is provided in the examples - directory of the Samba source code. - - - - - - - wins support (G) - This boolean controls if the - nmbd(8) process in Samba will act as a WINS server. You should - not set this to true unless you have a multi-subnetted network and - you wish a particular nmbd to be your WINS server. - Note that you should NEVER set this to true - on more than one machine in your network. - - Default: wins support = no - - - - - - - workgroup (G) - This controls what workgroup your server will - appear to be in when queried by clients. Note that this parameter - also controls the Domain name used with the security=domain - setting. - - Default: set at compile time to WORKGROUP - Example: workgroup = MYGROUP - - - - - - - - writable (S) - Synonym for - writeable for people who can't spell :-). - - - - - - - write list (S) - This is a list of users that are given read-write - access to a service. If the connecting user is in this list then - they will be given write access, no matter what the writeable - option is set to. The list can include group names using the - @group syntax. - - Note that if a user is in both the read list and the - write list then they will be given write access. - - See also the read list - option. - - Default: write list = <empty string> - - - Example: write list = admin, root, @staff - - - - - - - - write cache size (S) - This integer parameter (new with Samba 2.0.7) - if set to non-zero causes Samba to create an in-memory cache for - each oplocked file (it does not do this for - non-oplocked files). All writes that the client does not request - to be flushed directly to disk will be stored in this cache if possible. - The cache is flushed onto disk when a write comes in whose offset - would not fit into the cache or when the file is closed by the client. - Reads for the file are also served from this cache if the data is stored - within it. - - This cache allows Samba to batch client writes into a more - efficient write size for RAID disks (ie. writes may be tuned to - be the RAID stripe size) and can improve performance on systems - where the disk subsystem is a bottleneck but there is free - memory for userspace programs. - - The integer parameter specifies the size of this cache - (per oplocked file) in bytes. - - Default: write cache size = 0 - Example: write cache size = 262144 - - for a 256k cache size per file. - - - - - - - - - - write ok (S) - Synonym for - writeable. - - - - - - - write raw (G) - This parameter controls whether or not the server - will support raw writes SMB's when transferring data from clients. - You should never need to change this parameter. - - Default: write raw = yes - - - - - - - writeable (S) - An inverted synonym is - read only. - - If this parameter is no, then users - of a service may not create or modify files in the service's - directory. - - Note that a printable service (printable = yes) - will ALWAYS allow writing to the directory - (user privileges permitting), but only via spooling operations. - - Default: writeable = no - - - - - - - - - - WARNINGS - - Although the configuration file permits service names - to contain spaces, your client software may not. Spaces will - be ignored in comparisons anyway, so it shouldn't be a - problem - but be aware of the possibility. - - On a similar note, many clients - especially DOS clients - - limit service names to eight characters. smbd(8) - has no such limitation, but attempts to connect from such - clients will fail if they truncate the service names. For this reason - you should probably keep your service names down to eight characters - in length. - - Use of the [homes] and [printers] special sections make life - for an administrator easy, but the various combinations of default - attributes can be tricky. Take extreme care when designing these - sections. In particular, ensure that the permissions on spool - directories are correct. - - - - VERSION - - This man page is correct for version 2.2 of - the Samba suite. - - - - SEE ALSO - samba(7), - smbpasswd(8), - swat(8), - smbd(8), - nmbd(8), - smbclient(1), - nmblookup(1), - testparm(1), - testprns(1) - - - - - AUTHOR - - The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed. - - The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter - - - diff --git a/docs/docbook/smbd.8.sgml b/docs/docbook/smbd.8.sgml deleted file mode 100644 index 2ee7b46e19..0000000000 --- a/docs/docbook/smbd.8.sgml +++ /dev/null @@ -1,573 +0,0 @@ - - - - - smbd - 8 - - - - - smbd - server to provide SMB/CIFS services to clients - - - - - smbd - -D - -a - -o - -P - -h - -V - -d <debug level> - -l <log file> - -p <port number> - -O <socket option> - -s <configuration file> - - - - - DESCRIPTION - This program is part of the Samba suite. - - smbd is the server daemon that - provides filesharing and printing services to Windows clients. - The server provides filespace and printer services to - clients using the SMB (or CIFS) protocol. This is compatible - with the LanManager protocol, and can service LanManager - clients. These include MSCLIENT 3.0 for DOS, Windows for - Workgroups, Windows 95/98/ME, Windows NT, Windows 2000, - OS/2, DAVE for Macintosh, and smbfs for Linux. - - An extensive description of the services that the - server can provide is given in the man page for the - configuration file controlling the attributes of those - services (see smb.conf(5) - . This man page will not describe the - services, but will concentrate on the administrative aspects - of running the server. - - Please note that there are significant security - implications to running this server, and the smb.conf(5) - manpage should be regarded as mandatory reading before - proceeding with installation. - - A session is created whenever a client requests one. - Each client gets a copy of the server for each session. This - copy then services all connections made by the client during - that session. When all connections from its client are closed, - the copy of the server for that client terminates. - - The configuration file, and any files that it includes, - are automatically reloaded every minute, if they change. You - can force a reload by sending a SIGHUP to the server. Reloading - the configuration file will not affect connections to any service - that is already established. Either the user will have to - disconnect from the service, or smbd killed and restarted. - - - - OPTIONS - - - - -D - If specified, this parameter causes - the server to operate as a daemon. That is, it detaches - itself and runs in the background, fielding requests - on the appropriate port. Operating the server as a - daemon is the recommended way of running smbd for - servers that provide more than casual use file and - print services. This switch is assumed is smbd - is executed on the command line of a shell. - - - - - -a - If this parameter is specified, each new - connection will append log messages to the log file. - This is the default. - - - - -o - If this parameter is specified, the - log files will be overwritten when opened. By default, - smbd will append entries to the log - files. - - - - -P - Passive option. Causes smbd not to - send any network traffic out. Used for debugging by - the developers only. - - - - -h - Prints the help information (usage) - for smbd. - - - - -v - Prints the version number for - smbd. - - - - -d <debug level> - debuglevel is an integer - from 0 to 10. The default value if this parameter is - not specified is zero. - - The higher this value, the more detail will be - logged to the log files about the activities of the - server. At level 0, only critical errors and serious - warnings will be logged. Level 1 is a reasonable level for - day to day running - it generates a small amount of - information about operations carried out. - - Levels above 1 will generate considerable - amounts of log data, and should only be used when - investigating a problem. Levels above 3 are designed for - use only by developers and generate HUGE amounts of log - data, most of which is extremely cryptic. - - Note that specifying this parameter here will - override the log - level parameter in the - smb.conf(5) file. - - - - - -l <log file> - If specified, log file - specifies a log filename into which informational and debug - messages from the running server will be logged. The log - file generated is never removed by the server although - its size may be controlled by the max log size - option in the - smb.conf(5) file. The default log - file name is specified at compile time. - - - - -O <socket options> - See the socket options - parameter in the smb.conf(5) - file for details. - - - - -p <port number> - port number is a positive integer - value. The default value if this parameter is not - specified is 139. - - This number is the port number that will be - used when making connections to the server from client - software. The standard (well-known) port number for the - SMB over TCP is 139, hence the default. If you wish to - run the server as an ordinary user rather than - as root, most systems will require you to use a port - number greater than 1024 - ask your system administrator - for help if you are in this situation. - - In order for the server to be useful by most - clients, should you configure it on a port other - than 139, you will require port redirection services - on port 139, details of which are outlined in rfc1002.txt - section 4.3.5. - - This parameter is not normally specified except - in the above situation. - - - - -s <configuration file> - The file specified contains the - configuration details required by the server. The - information in this file includes server-specific - information such as what printcap file to use, as well - as descriptions of all the services that the server is - to provide. See - smb.conf(5) for more information. - The default configuration file name is determined at - compile time. - - - - - - FILES - - - - /etc/inetd.conf - If the server is to be run by the - inetd meta-daemon, this file - must contain suitable startup information for the - meta-daemon. See the section INSTALLATION below. - - - - - /etc/rc - or whatever initialization script your - system uses). - - If running the server as a daemon at startup, - this file will need to contain an appropriate startup - sequence for the server. See the section INSTALLATION - below. - - - - /etc/services - If running the server via the - meta-daemon inetd, this file - must contain a mapping of service name (e.g., netbios-ssn) - to service port (e.g., 139) and protocol type (e.g., tcp). - See the section INSTALLATION below. - - - - /usr/local/samba/lib/smb.conf - This is the default location of the - smb.conf - server configuration file. Other common places that systems - install this file are /usr/samba/lib/smb.conf - and /etc/smb.conf. - - This file describes all the services the server - is to make available to clients. See - smb.conf(5) for more information. - - - - - - - LIMITATIONS - On some systems smbd cannot change uid back - to root after a setuid() call. Such systems are called - "trapdoor" uid systems. If you have such a system, - you will be unable to connect from a client (such as a PC) as - two different users at once. Attempts to connect the - second user will result in "access denied" or - similar. - - - - ENVIRONMENTVARIABLES - - - - PRINTER - If no printer name is specified to - printable services, most systems will use the value of - this variable (or "lp" if this variable is - not defined) as the name of the printer to use. This - is not specific to the server, however. - - - - - - INSTALLATION - - The location of the server and its support files - is a matter for individual system administrators. The following - are thus suggestions only. - - It is recommended that the server software be installed - under the /usr/local/samba/ hierarchy, - in a directory readable by all, writeable only by root. The server - program itself should be executable by all, as users may wish to - run the server themselves (in which case it will of course run - with their privileges). The server should NOT be setuid. On some - systems it may be worthwhile to make smbd setgid to an empty group. - This is because some systems may have a security hole where daemon - processes that become a user can be attached to with a debugger. - Making the smbd file setgid to an empty group may prevent - this hole from being exploited. This security hole and the suggested - fix has only been confirmed on old versions (pre-kernel 2.0) of Linux - at the time this was written. It is possible that this hole only - exists in Linux, as testing on other systems has thus far shown them - to be immune. - - The server log files should be put in a directory readable and - writeable only by root, as the log files may contain sensitive - information. - - The configuration file should be placed in a directory - readable and writeable only by root, as the configuration file - controls security for the services offered by the server. The - configuration file can be made readable by all if desired, but - this is not necessary for correct operation of the server and is - not recommended. A sample configuration file smb.conf.sample - is supplied with the source to the server - this may - be renamed to smb.conf and modified to suit - your needs. - - The remaining notes will assume the following: - - - smbd (the server program) - installed in /usr/local/samba/bin - - - smb.conf (the configuration - file) installed in /usr/local/samba/lib - - - log files stored in /var/adm/smblogs - - - - The server may be run either as a daemon by users - or at startup, or it may be run from a meta-daemon such as - inetd upon request. If run as a daemon, - the server will always be ready, so starting sessions will be - faster. If run from a meta-daemon some memory will be saved and - utilities such as the tcpd TCP-wrapper may be used for extra - security. For serious use as file server it is recommended - that smbd be run as a daemon. - - When you've decided, continue with either - - - RUNNING THE SERVER AS A DAEMON or - RUNNING THE SERVER ON REQUEST. - - - - - RUNNING THE SERVER AS A DAEMON - - To run the server as a daemon from the command - line, simply put the -D option on the - command line. There is no need to place an ampersand at - the end of the command line - the -D - option causes the server to detach itself from the tty - anyway. - - Any user can run the server as a daemon (execute - permissions permitting, of course). This is useful for - testing purposes, and may even be useful as a temporary - substitute for something like ftp. When run this way, however, - the server will only have the privileges of the user who ran - it. - - To ensure that the server is run as a daemon whenever - the machine is started, and to ensure that it runs as root - so that it can serve multiple clients, you will need to modify - the system startup files. Wherever appropriate (for example, in - /etc/rc), insert the following line, - substituting port number, log file location, configuration file - location and debug level as desired: - - /usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log - -s /usr/local/samba/lib/smb.conf - - (The above should appear in your initialization script - as a single line. Depending on your terminal characteristics, - it may not appear that way in this man page. If the above appears - as more than one line, please treat any newlines or indentation - as a single space or TAB character.) - - If the options used at compile time are appropriate for - your system, all parameters except -D may - be omitted. See the section OPTIONS above. - - - - RUNNING THE SERVER ON REQUEST - - If your system uses a meta-daemon such as inetd - , you can arrange to have the smbd server started - whenever a process attempts to connect to it. This requires several - changes to the startup files on the host machine. If you are - experimenting as an ordinary user rather than as root, you will - need the assistance of your system administrator to modify the - system files. - - You will probably want to set up the NetBIOS name server - nmbd at - the same time as smbd. To do this refer to the - man page for nmbd(8) - . - - First, ensure that a port is configured in the file - /etc/services. The well-known port 139 - should be used if possible, though any port may be used. - - Ensure that a line similar to the following is in - /etc/services: - - netbios-ssn 139/tcp - - Note for NIS/YP users - you may need to rebuild the - NIS service maps rather than alter your local /etc/services - file. - - Next, put a suitable line in the file /etc/inetd.conf - (in the unlikely event that you are using a meta-daemon - other than inetd, you are on your own). Note that the first item - in this line matches the service name in /etc/services - . Substitute appropriate values for your system - in this line (see inetd(8)): - - netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd - -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf - - (The above should appear in /etc/inetd.conf - as a single line. Depending on your terminal characteristics, it may - not appear that way in this man page. If the above appears as more - than one line, please treat any newlines or indentation as a single - space or TAB character.) - - Note that there is no need to specify a port number here, - even if you are using a non-standard port number. - - Lastly, edit the configuration file to provide suitable - services. To start with, the following two services should be - all you need: - - - - [homes] - writeable = yes - - [printers] - writeable = no - printable = yes - path = /tmp - public = yes - - - - This will allow you to connect to your home directory - and print to any printer supported by the host (user privileges - permitting). - - - - TESTING THE INSTALLATION - - If running the server as a daemon, execute it before - proceeding. If using a meta-daemon, either restart the system - or kill and restart the meta-daemon. Some versions of - inetd will reread their configuration - tables if they receive a HUP signal. - - If your machine's name is "fred" and your - name is "mary", you should now be able to connect - to the service \\fred\mary. - - - To properly test and experiment with the server, we - recommend using the smbclient program (see - smbclient(1)) - and also going through the steps outlined in the file - DIAGNOSIS.txt in the docs/ - directory of your Samba installation. - - - - VERSION - - This man page is correct for version 2.2 of - the Samba suite. - - - - DIAGNOSTICS - - Most diagnostics issued by the server are logged - in a specified log file. The log file name is specified - at compile time, but may be overridden on the command line. - - The number and nature of diagnostics available depends - on the debug level used by the server. If you have problems, set - the debug level to 3 and peruse the log files. - - Most messages are reasonably self-explanatory. Unfortunately, - at the time this man page was created, there are too many diagnostics - available in the source code to warrant describing each and every - diagnostic. At this stage your best bet is still to grep the - source code and inspect the conditions that gave rise to the - diagnostics you are seeing. - - - - SIGNALS - - Sending the smbd a SIGHUP will cause it to - re-load its smb.conf configuration - file within a short period of time. - - To shut down a users smbd process it is recommended - that SIGKILL (-9) NOT - be used, except as a last resort, as this may leave the shared - memory area in an inconsistent state. The safe way to terminate - an smbd is to send it a SIGTERM (-15) signal and wait for - it to die on its own. - - The debug log level of smbd may be raised by sending - it a SIGUSR1 (kill -USR1 <smbd-pid>) - and lowered by sending it a SIGUSR2 (kill -USR2 <smbd-pid> - ). This is to allow transient problems to be diagnosed, - whilst still running at a normally low log level. - - Note that as the signal handlers send a debug write, - they are not re-entrant in smbd. This you should wait until - smbd is in a state of waiting for an incoming smb before - issuing them. It is possible to make the signal handlers safe - by un-blocking the signals before the select call and re-blocking - them after, however this would affect performance. - - - - SEE ALSO - hosts_access(5), inetd(8), - nmbd(8), - smb.conf(5) - , smbclient(1) - , - testparm(1), - testprns(1), and the Internet RFC's - rfc1001.txt, rfc1002.txt. - In addition the CIFS (formerly SMB) specification is available - as a link from the Web page - http://samba.org/cifs/. - - - - AUTHOR - - The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed. - - The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter - - - -- cgit