From 20fa298e020027ee8e0a95d91398a18aaa56afff Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 1 May 1998 19:02:08 +0000 Subject: here is a first cut at a "fixed up" help file (This used to be commit 75298937a851573309cad66af9816010ad2bd9a7) --- swat/help/parameters.html | 5553 ++++++++++++++++++--------------------------- 1 file changed, 2203 insertions(+), 3350 deletions(-) (limited to 'swat') diff --git a/swat/help/parameters.html b/swat/help/parameters.html index 15cf563983..c6c1b34d0e 100644 --- a/swat/help/parameters.html +++ b/swat/help/parameters.html @@ -1,3367 +1,2220 @@ -SWAT Parameters help

+

SWAT Parameters help

-We need to reformat the smb.conf man page as HTML with a label for -each parameter. Anyone want to write a perl script? Currently I've -just done a quick hack with an emacs macro to get something in -place. Or maybe the SGML conversion will be the way to go?

- -


- - -

admin users (S)

- -This is a list of users who will be granted administrative privileges -on the share. This means that they will do all file operations as the -super-user (root).

- -You should use this option very carefully, as any user in this list -will be able to do anything they like on the share, irrespective of -file permissions.

- -.B Default: - no admin users

- -.B Example: - admin users = jason

- - -

announce as (G)

- -This specifies what type of server nmbd will announce itself as in -browse lists. By default this is set to Windows NT. The valid options -are "NT", "Win95" or "WfW" meaining Windows NT, Windows 95 and -Windows for Workgroups respectively. Do not change this parameter -unless you have a specific need to stop Samba appearing as an NT -server as this may prevent Samba servers from participating as -browser servers correctly.

- -.B Default: - announce as = NT

- -.B Example - announce as = Win95

- - -

announce version (G)

- -This specifies the major and minor version numbers that nmbd -will use when announcing itself as a server. The default is 4.2. -Do not change this parameter unless you have a specific need to -set a Samba server to be a downlevel server.

- -.B Default: - announce version = 4.2

- -.B Example: - announce version = 2.0

- - -

auto services (G)

-This is a list of services that you want to be automatically added to -the browse lists. This is most useful for homes and printers services -that would otherwise not be visible.

- -Note that if you just want all printers in your printcap file loaded -then the "load printers" option is easier.

- -.B Default: - no auto services

- -.B Example: - auto services = fred lp colorlp

- - -

allow hosts (S)

-A synonym for this parameter is 'hosts allow'.

- -This parameter is a comma delimited set of hosts which are permitted to access -a service.

- -If specified in the [global] section then it will apply to all -services, regardless of whether the individual service has a different -setting.

- -You can specify the hosts by name or IP number. For example, you could -restrict access to only the hosts on a Class C subnet with something like -"allow hosts = 150.203.5.". The full syntax of the list is described in -the man page -.BR hosts_access (5).

- -You can also specify hosts by network/netmask pairs and by netgroup -names if your system supports netgroups. The EXCEPT keyword can also -be used to limit a wildcard list. The following examples may provide -some help:

- -Example 1: allow all IPs in 150.203.*.* except one

- - hosts allow = 150.203. EXCEPT 150.203.6.66

- -Example 2: allow hosts that match the given network/netmask

- - hosts allow = 150.203.15.0/255.255.255.0

- -Example 3: allow a couple of hosts

- - hosts allow = lapland, arvidsjaur

- -Example 4: allow only hosts in netgroup "foonet" or localhost, but -deny access from one particular host

- - hosts allow = @foonet, localhost - hosts deny = pirate

- -Note that access still requires suitable user-level passwords.

- -See -.BR testparm (1) -for a way of testing your host access to see if it -does what you expect.

- -.B Default: - none (i.e., all hosts permitted access)

- -.B Example: - allow hosts = 150.203.5. myhost.mynet.edu.au

- - -

alternate permissions (S)

- -This option affects the way the "read only" DOS attribute is produced -for UNIX files. If this is false then the read only bit is set for -files on writeable shares which the user cannot write to.

- -If this is true then it is set for files whos user write bit is not set.

- -The latter behaviour is useful for when users copy files from each -others directories, and use a file manager that preserves -permissions. Without this option they may get annoyed as all copied -files will have the "read only" bit set.

- -.B Default: - alternate permissions = no

- -.B Example: - alternate permissions = yes

- - -

available (S)

-This parameter lets you 'turn off' a service. If 'available = no', then -ALL attempts to connect to the service will fail. Such failures are logged.

- -.B Default: - available = yes

- -.B Example: - available = no

- - -

bind interfaces only (G)

-This global parameter (new for 1.9.18) allows the Samba admin to limit -what interfaces on a machine will serve smb requests. If affects file service -(smbd) and name service (nmbd) in slightly different ways.

- -For name service it causes nmbd to bind to ports 137 and 138 on -the interfaces listed in the 'interfaces' parameter. nmbd also binds -to the 'all addresses' interface (0.0.0.0) on ports 137 and 138 -for the purposes of reading broadcast messages. If this option is -not set then nmbd will service name requests on all of these -sockets. If "bind interfaces only" is set then nmbd will check -the source address of any packets coming in on the broadcast -sockets and discard any that don't match the broadcast addresses -of the interfaces in the 'interfaces' parameter list. As unicast -packets are received on the other sockets it allows nmbd to -refuse to serve names to machines that send packets that arrive -through any interfaces not listed in the 'interfaces' list. -IP Source address spoofing does defeat this simple check, however -so it must not be used seriously as a security feature for nmbd.

- -For file service it causes smbd to bind only to the interface -list given in the 'interfaces' parameter. This restricts the -networks that smbd will serve to packets coming in those interfaces. -Note that you should not use this parameter for machines that -are serving ppp or other intermittant or non-broadcast network -interfaces as it will not cope with non-permanent interfaces.

- -.B Default: - bind interfaces only = False

- -.B Example: - bind interfaces only = True

- - -

browseable (S)

-This controls whether this share is seen in the list of available -shares in a net view and in the browse list.

- -.B Default: - browseable = Yes

- -.B Example: - browseable = No - -

browse list(G)

-This controls whether the smbd will serve a browse list to a client -doing a NetServerEnum call. Normally set to true. You should never -need to change this.

- -.B Default: - browse list = Yes

- - -

case sensitive (G)

-See the discussion on NAME MANGLING.

- - -

case sig names (G)

-See "case sensitive"

- - -

character set (G)

-This allows a smbd to map incoming characters from a DOS 850 Code page -to either a Western European (ISO8859-1) or Easter European (ISO8859-2) -code page. Normally not set, meaning no filename translation is done.

- -.B Default

- - character set =

- -.B Example

- - character set = iso8859-1

- - -

client code page (G)

-Currently (Samba 1.9.17 and above) this may be set to one of two -values, 850 or 437. It specifies the base DOS code page that the -clients accessing Samba are using. To determine this, open a DOS -command prompt and type the command "chcp". This will output the -code page. The default for USA MS-DOS, Windows 95, and Windows NT -releases is code page 437. The default for western european -releases of the above operating systems is code page 850.

- -This parameter co-operates with the "valid chars" parameter in -determining what characters are valid in filenames and how -capitalization is done. It has been added as a convenience for -clients whose code page is either 437 or 850 so a convoluted -"valid chars" string does not have to be determined. If you -set both this parameter and the "valid chars" parameter the -"client code page" parameter MUST be set before the "valid chars" -in the smb.conf file. The "valid chars" string will then augment -the character settings in the "client code page" parameter.

- -If "client code page" is set to a value other than 850 or 437 -it will default to 850.

- -See also : "valid chars".

- -.B Default

- - client code page = 850

- -.B Example

- - client code page = 437

- - -

comment (S)

-This is a text field that is seen next to a share when a client does a -net view to list what shares are available.

- -If you want to set the string that is displayed next to the machine -name then see the server string command.

- -.B Default: - No comment string

- -.B Example: - comment = Fred's Files

- - -

config file (G)

- -This allows you to override the config file to use, instead of the -default (usually smb.conf). There is a chicken and egg problem here as -this option is set in the config file!

- -For this reason, if the name of the config file has changed when the -parameters are loaded then it will reload them from the new config -file.

- -This option takes the usual substitutions, which can be very useful.

- -If the config file doesn't exist then it won't be loaded (allowing -you to special case the config files of just a few clients).

- -.B Example: - config file = /usr/local/samba/lib/smb.conf.%m

- - -

copy (S)

-This parameter allows you to 'clone' service entries. The specified -service is simply duplicated under the current service's name. Any -parameters specified in the current section will override those in the -section being copied.

- -This feature lets you set up a 'template' service and create similar -services easily. Note that the service being copied must occur earlier -in the configuration file than the service doing the copying.

- -.B Default: - none

- -.B Example: - copy = otherservice - -

create mask (S)

-A synonym for this parameter is 'create mode'.

- -When a file is created, the neccessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and -the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX -modes of a file. Any bit *not* set here will be removed from the -modes set on a file when it is created.

- -The default value of this parameter removes the 'group' and 'other' -write and execute bits from the UNIX modes.

- -Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force create mode" parameter -which is set to 000 by default.

- -For Samba 1.9.17 and above this parameter no longer affects directory -modes. See the parameter 'directory mode' for details.

- -See also the "force create mode" parameter for forcing particular -mode bits to be set on created files. -See also the "directory mode" parameter for masking mode bits on created -directories.

- -.B Default: - create mask = 0744

- -.B Example: - create mask = 0775 - -

create mode (S)

-See -.B create mask.

- - -

dead time (G)

-The value of the parameter (a decimal integer) represents the number of -minutes of inactivity before a connection is considered dead, and it -is disconnected. The deadtime only takes effect if the number of open files -is zero.

- -This is useful to stop a server's resources being exhausted by a large -number of inactive connections.

- -Most clients have an auto-reconnect feature when a connection is broken so -in most cases this parameter should be transparent to users.

- -Using this parameter with a timeout of a few minutes is recommended -for most systems.

- -A deadtime of zero indicates that no auto-disconnection should be performed.

- -.B Default: - dead time = 0

- -.B Example: - dead time = 15 - -

debug level (G)

-The value of the parameter (an integer) allows the debug level -(logging level) to be specified in the -.B smb.conf -file. This is to give -greater flexibility in the configuration of the system.

- -The default will be the debug level specified on the command line.

- -.B Example: - debug level = 3 - -

default (G)

-See -.B default service. - -

default case (S)

- -See the section on "NAME MANGLING" Also note the addition of "short -preserve case"

- - -

default service (G)

-A synonym for this parameter is 'default'.

- -This parameter specifies the name of a service which will be connected to -if the service actually requested cannot be found. Note that the square -brackets are NOT given in the parameter value (see example below).

- -There is no default value for this parameter. If this parameter is not given, -attempting to connect to a nonexistent service results in an error.

- -Typically the default service would be a public, read-only service.

- -Also note that as of 1.9.14 the apparent service name will be changed to -equal that of the requested service, this is very useful as it allows -you to use macros like %S to make a wildcard service.

- -Note also that any _ characters in the name of the service used in the -default service will get mapped to a /. This allows for interesting -things.

- - -.B Example: - default service = pub - - [pub] - path = /%S -

- - -

delete readonly (S)

-This parameter allows readonly files to be deleted. This is not normal DOS -semantics, but is allowed by UNIX.

- -This option may be useful for running applications such as rcs, where UNIX -file ownership prevents changing file permissions, and DOS semantics prevent -deletion of a read only file.

- -.B Default: - delete readonly = No

- -.B Example: - delete readonly = Yes - -

deny hosts (S)

-A synonym for this parameter is 'hosts deny'.

- -The opposite of 'allow hosts' - hosts listed here are NOT permitted -access to services unless the specific services have their own lists to -override this one. Where the lists conflict, the 'allow' list takes precedence.

- -.B Default: - none (i.e., no hosts specifically excluded)

- -.B Example: - deny hosts = 150.203.4. badhost.mynet.edu.au

- - -

delete veto files (S)

- -This option is used when Samba is attempting to delete a directory -that contains one or more vetoed directories (see the 'veto files' option). -If this option is set to False (the default) then if a vetoed directory -contains any non-vetoed files or directories then the directory delete -will fail. This is usually what you want.

- -If this option is set to True, then Samba will attempt -to recursively delete any files and directories within the vetoed -directory. This can be useful for integration with file serving -systems such as Netatalk, which create meta-files within directories -you might normally veto DOS/Windows users from seeing (eg. .AppleDouble)

- -Setting 'delete veto files = True' allows these directories to be -transparently deleted when the parent directory is deleted (so long -as the user has permissions to do so).

- -.B Default: - delete veto files = False

- -.B Example: - delete veto files = True

- -See -.B veto files

- - -

dfree command (G)

-The dfree command setting should only be used on systems where a -problem occurs with the internal disk space calculations. This has -been known to happen with Ultrix, but may occur with other operating -systems. The symptom that was seen was an error of "Abort Retry -Ignore" at the end of each directory listing.

- -This setting allows the replacement of the internal routines to -calculate the total disk space and amount available with an external -routine. The example below gives a possible script that might fulfill -this function.

- -The external program will be passed a single parameter indicating a -directory in the filesystem being queried. This will typically consist -of the string "./". The script should return two integers in ascii. The -first should be the total disk space in blocks, and the second should -be the number of available blocks. An optional third return value -can give the block size in bytes. The default blocksize is 1024 bytes.

- -Note: Your script should NOT be setuid or setgid and should be owned by -(and writable only by) root!

- -.B Default: - By default internal routines for determining the disk capacity -and remaining space will be used.

- -.B Example: - dfree command = /usr/local/samba/bin/dfree

- - Where the script dfree (which must be made executable) could be

- -.nf - #!/bin/sh - df $1 | tail -1 | awk '{print $2" "$4}' -.fi

- - or perhaps (on Sys V)

- -.nf - #!/bin/sh - /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' -.fi

- - Note that you may have to replace the command names with full -path names on some systems. - -

directory (S)

-See -.B path.

- - -

directory mask (S)

-A synonym for this parameter is 'directory mode'.

- -This parameter is the octal modes which are used when converting DOS modes -to UNIX modes when creating UNIX directories.

- -When a directory is created, the neccessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and -the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX -modes of a directory. Any bit *not* set here will be removed from the -modes set on a directory when it is created.

- -The default value of this parameter removes the 'group' and 'other' -write bits from the UNIX mode, allowing only the user who owns the -directory to modify it.

- -Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force directory mode" parameter. -This parameter is set to 000 by default (ie. no extra mode bits are added).

- -See the "force directory mode" parameter to cause particular mode -bits to always be set on created directories.

- -See also the "create mode" parameter for masking mode bits on created -files.

- -.B Default: - directory mask = 0755

- -.B Example: - directory mask = 0775

- - -

directory mode (S)

-See -.B directory mask.

- - -

dns proxy (G)

- -Specifies that nmbd should (as a WINS server), on finding that a NetBIOS -name has not been registered, treat the NetBIOS name word-for-word as -a DNS name.

- -Note that the maximum length for a NetBIOS name is 15 -characters, so the DNS name (or DNS alias) can likewise only be 15 -characters, maximum.

- -Note also that nmbd will block completely until the DNS name is resolved. -This will result in temporary loss of browsing and WINS services. -Enable this option only if you are certain that DNS resolution is fast, -or you can live with the consequences of periodic pauses in nmbd service.

- -.B Default: - dns proxy = yes

- - -

domain controller (G)

- -Specifies the DNS name or IP address of the machine to refer domain -logons from Win95 machines to. You should never need to set this parameter.

- -.B Default: - domain controller = no

- - -

domain logons (G)

- -If set to true, the Samba server will serve Windows 95 domain logons -for the workgroup it is in. For more details on setting up this feature -see the file DOMAINS.txt in the Samba source documentation directory.

- -.B Default: - domain logons = no

- - -

domain master (G)

- -Enable WAN-wide browse list collation. Local master browsers on -broadcast-isolated subnets will give samba their local browse lists, and -ask for a complete copy of the browse list for the whole wide area network. -Browser clients will then contact their local master browser, and will -receive the domain-wide browse list, instead of just the list for their -broadcast-isolated subnet.

- -.B Default: - domain master = no

- - -

dont descend (S)

-There are certain directories on some systems (eg., the /proc tree under -Linux) that are either not of interest to clients or are infinitely deep -(recursive). This parameter allows you to specify a comma-delimited list -of directories that the server should always show as empty.

- -Note that Samba can be very fussy about the exact format of the "dont -descend" entries. For example you may need "./proc" instead of just -"/proc". Experimentation is the best policy :-)

- -.B Default: - none (i.e., all directories are OK to descend)

- -.B Example: - dont descend = /proc,/dev

- - -

dos filetimes (S)

-Under DOS and Windows, if a user can write to a file they can change -the timestamp on it. Under POSIX semantics, only the owner of the file -or root may change the timestamp. By default, Samba runs with POSIX -semantics and refuses to change the timestamp on a file if the user -smbd is acting on behalf of is not the file owner. Setting this option -to True allows DOS semantics and smbd will change the file timstamp as -DOS requires. This is a correct implementation of a previous compile-time -options (UTIME_WORKAROUND) which was broken and is now removed.

- -.B Default: - dos filetimes = False

- -.B Example: - dos filetimes = True

- - -

dos filetime resolution (S)

-Under the DOS and Windows FAT filesystem, the finest granulatity on -time resolution is two seconds. Setting this parameter for a share -causes Samba to round the reported time down to the nearest two -second boundary when a query call that requires one second resolution -is made to smbd.

- -This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares. If oplocks are enabled on a share, -Visual C++ uses two different time reading calls to check if a file -has changed since it was last read. One of these calls uses a one-second -granularity, the other uses a two second granularity. As the two second -call rounds any odd second down, then if the file has a timestamp of an -odd number of seconds then the two timestamps will not match and Visual -C++ will keep reporting the file has changed. Setting this option causes -the two timestamps to match, and Visual C++ is happy.

- -.B Default: - dos filetime resolution = False

- -.B Example: - dos filetime resolution = True

- - -

encrypt passwords (G)

- -This boolean controls whether encrypted passwords will be negotiated -with the client. Note that this option has no effect if you haven't -compiled in the necessary des libraries and encryption code. It -defaults to no.

- - -

exec (S)

- -This is an alias for preexec

- - -

fake oplocks (S)

- -Oplocks are the way that SMB clients get permission from a server to -locally cache file operations. If a server grants an oplock -(opportunistic lock) then the client is free to assume that it is the -only one accessing the file and it will aggressively cache file -data. With some oplock types the client may even cache file open/close -operations. This can give enormous performance benefits.

- -When you set "fake oplocks = yes" Samba will always grant oplock -requests no matter how many clients are using the file.

- -By enabling this option on all read-only shares or shares that you know -will only be accessed from one client at a time you will see a big -performance improvement on many operations. If you enable this option -on shares where multiple clients may be accessing the files read-write -at the same time you can get data corruption. Use this option -carefully!

- -It is generally much better to use the real oplock support except for -physically read-only media such as CDROMs.

- -This option is disabled by default.

- - -

follow symlinks (S)

- -This parameter allows the Samba administrator to stop smbd from -following symbolic links in a particular share. Setting this -parameter to "No" prevents any file or directory that is a -symbolic link from being followed (the user will get an error). -This option is very useful to stop users from adding a symbolic -link to /etc/pasword in their home directory for instance. -However it will slow filename lookups down slightly.

- -This option is enabled (ie. smbd will follow symbolic links) -by default.

- - -

force create mode (S)

-This parameter specifies a set of UNIX mode bit permissions that -will *always* be set on a file created by Samba. This is done -by bitwise 'OR'ing these bits onto the mode bits of a file that -is being created. The default for this parameter is (in octel) -000. The modes in this parameter are bitwise 'OR'ed onto the -file mode after the mask set in the "create mask" parameter -is applied.

- -See also the parameter "create mask" for details on masking mode -bits on created files.

- -.B Default: - force create mode = 000

- -.B Example: - force create mode = 0755

- -would force all created files to have read and execute permissions -set for 'group' and 'other' as well as the read/write/execute bits -set for the 'user'.

- - -

force directory mode (S)

-This parameter specifies a set of UNIX mode bit permissions that -will *always* be set on a directory created by Samba. This is done -by bitwise 'OR'ing these bits onto the mode bits of a directory that -is being created. The default for this parameter is (in octel) -0000 which will not add any extra permission bits to a created -directory. This operation is done after the mode mask in the parameter -"directory mask" is applied.

- -See also the parameter "directory mask" for details on masking mode -bits on created directories.

- -.B Default: - force directory mode = 000

- -.B Example: - force directory mode = 0755

- -would force all created directories to have read and execute permissions -set for 'group' and 'other' as well as the read/write/execute bits -set for the 'user'.

- - -

force group (S)

-This specifies a group name that all connections to this service -should be made as. This may be useful for sharing files.

- -.B Default: - no forced group

- -.B Example: - force group = agroup

- - -

force user (S)

-This specifies a user name that all connections to this service -should be made as. This may be useful for sharing files. You should -also use it carefully as using it incorrectly can cause security -problems.

- -This user name only gets used once a connection is established. Thus -clients still need to connect as a valid user and supply a valid -password. Once connected, all file operations will be performed as the -"forced user", not matter what username the client connected as.

- -.B Default: - no forced user

- -.B Example: - force user = auser

- - -

getwd cache (G)

-This is a tuning option. When this is enabled a cacheing algorithm will -be used to reduce the time taken for getwd() calls. This can have a -significant impact on performance, especially when widelinks is False.

- -.B Default: - getwd cache = No

- -.B Example: - getwd cache = Yes

- - -

group (S)

-This is an alias for "force group" and is only kept for compatibility -with old versions of Samba. It may be removed in future versions.

- - -

guest account (S)

-This is a username which will be used for access to services which are -specified as 'guest ok' (see below). Whatever privileges this user has -will be available to any client connecting to the guest -service. Typically this user will exist in the password file, but will -not have a valid login. If a username is specified in a given service, -the specified username overrides this one.

- -One some systems the account "nobody" may not be able to print. Use -another account in this case. You should test this by trying to log in -as your guest user (perhaps by using the "su \-" command) and trying to -print using -.BR lpr .

- -Note that as of version 1.9 of Samba this option may be set -differently for each service.

- -.B Default: - specified at compile time

- -.B Example: - guest account = nobody - -

guest ok (S)

-See -.B public. - -

guest only (S)

-If this parameter is 'yes' for a service, then only guest connections to the -service are permitted. This parameter will have no affect if "guest ok" or -"public" is not set for the service.

- -See the section below on user/password validation for more information about -this option.

- -.B Default: - guest only = no

- -.B Example: - guest only = yes - -

hide dot files (S)

-This is a boolean parameter that controls whether files starting with -a dot appear as hidden files.

- -.B Default: - hide dot files = yes

- -.B Example: - hide dot files = no

- - - -

hide files(S)

-This is a list of files or directories that are not visible but are -accessible. The DOS 'hidden' attribute is applied to any files or -directories that match.

- -Each entry in the list must be separated by a "/", which allows spaces -to be included in the entry. '*' and '?' can be used to specify multiple -files or directories as in DOS wildcards.

- -Each entry must be a unix path, not a DOS path and must not include the -unix directory separator "/".

- -Note that the case sensitivity option is applicable in hiding files.

- -Setting this parameter will affect the performance of Samba, as -it will be forced to check all files and directories for a match -as they are scanned.

- -See also "hide dot files", "veto files" and "case sensitive"

- -.B Default - No files or directories are hidden by this option (dot files are - hidden by default because of the "hide dot files" option).

- -.B Example - hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

- -The above example is based on files that the Macintosh client (DAVE) -creates for internal use, and also still hides all files beginning with -a dot.

- - -

homedir map (G)

-If "nis homedir" is true, this parameter specifies the NIS (or YP) map -from which the server for the user's home directory should be extracted. -At present, only the Sun auto.home map format is understood. The form of -the map is:

- -username server:/some/file/system

- -and the program will extract the servername from before the first ':'. -There should probably be a better parsing system that copes with different -map formats and also Amd (another automounter) maps.

- -NB: The -DNETGROUP option is required in the Makefile for option to work -and on some architectures the line -lrpcsvc needs to be added to the -LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX.

- -See also "nis homedir"

- -.B Default: - homedir map = auto.home

- -.B Example: - homedir map = amd.homedir - -

hosts allow (S)

-See -.B allow hosts. - -

hosts deny (S)

-See -.B deny hosts.

- - -

hosts equiv (G)

-If this global parameter is a non-null string, it specifies the name of -a file to read for the names of hosts and users who will be allowed access -without specifying a password.

- -This is not be confused with -.B allow hosts -which is about hosts access to services and is more useful for guest services. -.B hosts equiv -may be useful for NT clients which will not supply passwords to samba.

- -NOTE: The use of hosts.equiv can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -hosts.equiv option be only used if you really know what you are doing, -or perhaps on a home network where you trust your wife and kids :-)

- -.B Default - No host equivalences

- -.B Example - hosts equiv = /etc/hosts.equiv

- - -

include (G)

- -This allows you to include one config file inside another. The file is -included literally, as though typed in place.

- -It takes the standard substitutions, except %u, %P and %S

- - -

interfaces (G)

- -This option allows you to setup multiple network interfaces, so that -Samba can properly handle browsing on all interfaces.

- -The option takes a list of ip/netmask pairs. The netmask may either be -a bitmask, or a bitlength.

- -For example, the following line:

- -interfaces = 192.168.2.10/24 192.168.3.10/24

- -would configure two network interfaces with IP addresses 192.168.2.10 -and 192.168.3.10. The netmasks of both interfaces would be set to -255.255.255.0.

- -You could produce an equivalent result by using:

- -interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0

- -if you prefer that format.

- -If this option is not set then Samba will attempt to find a primary -interface, but won't attempt to configure more than one interface.

- - -

invalid users (S)

-This is a list of users that should not be allowed to login to this -service. This is really a "paranoid" check to absolutely ensure an -improper setting does not breach your security.

- -A name starting with @ is interpreted as a UNIX group.

- -The current servicename is substituted for %S. This is useful in the -[homes] section.

- -See also "valid users"

- -.B Default - No invalid users

- -.B Example - invalid users = root fred admin @wheel

- - -

keepalive (G)

-The value of the parameter (an integer) represents the number of seconds -between 'keepalive' packets. If this parameter is zero, no keepalive packets -will be sent. Keepalive packets, if sent, allow the server to tell whether a -client is still present and responding.

- -Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see "socket -options"). Basically you should only use this option if you strike -difficulties.

- -.B Default: - keep alive = 0

- -.B Example: - keep alive = 60

- - -

lm announce (G)

- -This parameter determines if Samba will produce Lanman announce -broadcasts that are needed by OS/2 clients in order for them to -see the Samba server in their browse list. This parameter can -have three values, true, false, or auto. The default is auto. -If set to False Samba will never produce these broadcasts. If -set to true Samba will produce Lanman announce broadcasts at -a frequency set by the parameter 'lm interval'. If set to auto -Samba will not send Lanman announce broadcasts by default but -will listen for them. If it hears such a broadcast on the wire -it will then start sending them at a frequency set by the parameter -'lm interval'.

- -See also "lm interval".

- -.B Default: - lm announce = auto

- -.B Example: - lm announce = true

- - -

lm interval (G)

- -If Samba is set to produce Lanman announce broadcasts needed -by OS/2 clients (see the "lm announce" parameter) this parameter -defines the frequency in seconds with which they will be made. -If this is set to zero then no Lanman announcements will be -made despite the setting of the "lm announce" parameter.

- -See also "lm announce".

- -.B Default: - lm interval = 60

- -.B Example: - lm interval = 120

- - -

load printers (G)

-A boolean variable that controls whether all printers in the printcap -will be loaded for browsing by default.

- -.B Default: - load printers = yes

- -.B Example: - load printers = no

- - -

local master (G)

-This option allows the nmbd to become a local master browser on a -subnet. If set to False then nmbd will not attempt to become a local -master browser on a subnet and will also lose in all browsing elections. -By default this value is set to true. Setting this value to true doesn't -mean that Samba will become the local master browser on a subnet, just -that the nmbd will participate in elections for local master browser.

- -.B Default: - local master = yes

- - -

lock directory (G)

-This option specifies the directory where lock files will be placed. -The lock files are used to implement the "max connections" option.

- -.B Default: - lock directory = /tmp/samba

- -.B Example: - lock directory = /usr/local/samba/var/locks

- - -

locking (S)

-This controls whether or not locking will be performed by the server in -response to lock requests from the client.

- -If "locking = no", all lock and unlock requests will appear to succeed and -all lock queries will indicate that the queried lock is clear.

- -If "locking = yes", real locking will be performed by the server.

- -This option may be particularly useful for read-only filesystems which -do not need locking (such as cdrom drives).

- -Be careful about disabling locking either globally or in a specific -service, as lack of locking may result in data corruption.

- -.B Default: - locking = yes

- -.B Example: - locking = no

- - -

log file (G)

- -This options allows you to override the name of the Samba log file -(also known as the debug file).

- -This option takes the standard substitutions, allowing you to have -separate log files for each user or machine.

- -.B Example: - log file = /usr/local/samba/var/log.%m

- - -

log level (G)

-see "debug level"

- - -

logon drive (G)

- -This parameter specifies the local path to which the home directory -will be connected (see "logon home") and is only used by NT Workstations.

- -.B Example: - logon drive = h:

- - -

logon home (G)

- -This parameter specifies the home directory location when a Win95 or -NT Workstation logs into a Samba PDC. It allows you to do "NET USE -H: /HOME" from a command prompt, for example.

- -.B -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine.

- -.B Example: - logon home = "\\\\remote_smb_server\\%U"

- -.B Default: - logon home = "\\\\%N\\%U"

- - -

logon path (G)

- -This parameter specifies the home directory where roaming profiles -(USER.DAT / USER.MAN files for Windows 95) are stored.

- -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. It also specifies -the directory from which the "desktop", "start menu", "nethood" and -"programs" folders, and their contents, are loaded and displayed -on your Windows 95 client.

- -The share and the path must be readable by the user for the preferences -and directories to be loaded onto the Windows 95 client. The share -must be writeable when the logs in for the first time, in order that -the Windows 95 client can create the user.dat and other directories.

- -Thereafter, the directories and any of contents can, if required, -be made read-only. It is not adviseable that the USER.DAT file be made -read-only - rename it to USER.MAN to achieve the desired effect -(a MANdatory profile).

- -Windows clients can sometimes maintain a connection to the [homes] -share, even though there is no user logged in. Therefore, it is -vital that the logon path does not include a reference to the -homes share (i.e \\\\%N\\HOMES\profile_path will cause problems).

- -.B -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine.

- -.B Default: - logon path = \\\\%N\\%U\\profile

- -.B Example: - logon path = \\\\PROFILESERVER\\HOME_DIR\\%U\\PROFILE

- - -

logon script (G)

- -This parameter specifies the batch file (.bat) or NT command file (.cmd) -to be downloaded and run on a machine when a user successfully logs in. -The file must contain the DOS style cr/lf line endings. Using a DOS-style -editor to create the file is recommended.

- -The script must be a relative path to the [netlogon] service. If the -[netlogon] service specifies a path of /usr/local/samba/netlogon, and -logon script = STARTUP.BAT, then file that will be downloaded is:

- -.B /usr/local/samba/netlogon/STARTUP.BAT

- -The contents of the batch file is entirely your choice. A suggested -command would be to add NET TIME \\\\SERVER /SET /YES, to force every -machine to synchronise clocks with the same time server. Another use -would be to add NET USE U: \\\\SERVER\\UTILS for commonly used utilities, -or NET USE Q: \\\\SERVER\\ISO9001_QA.

- -Note that it is particularly important not to allow write access to -the [netlogon] share, or to grant users write permission on the -batch files in a secure environment, as this would allow the batch -files to be arbitrarily modified.

- -.B -This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine.

- -.B Example: - logon script = scripts/%U.bat

- - -

lppause command (S)

-This parameter specifies the command to be executed on the server host in -order to stop printing or spooling a specific print job.

- -This command should be a program or script which takes a printer name and -job number to pause the print job. Currently I don't know of any print -spooler system that can do this with a simple option, except for the PPR -system from Trinity College (ppr\-dist.trincoll.edu/pub/ppr). One way -of implementing this is by using job priorities, where jobs having a too -low priority won't be sent to the printer. See also the -.B lppause -command.

- -If a %p is given then the printername is put in its place. A %j is -replaced with the job number (an integer). -On HPUX (see printing=hpux), if the -p%p option is added to the lpq -command, the job will show up with the correct status, i.e. if the job -priority is lower than the set fence priority it will have the PAUSED -status, whereas if the priority is equal or higher it will have the -SPOOLED or PRINTING status.

- -Note that it is good practice to include the absolute path in the lppause -command as the PATH may not be available to the server.

- -.B Default: - Currently no default value is given to this string

- -.B Example for HPUX: - lppause command = /usr/bin/lpalt %p-%j -p0

- - -

lpq cache time (G)

- -This controls how long lpq info will be cached for to prevent the lpq -command being called too often. A separate cache is kept for each -variation of the lpq command used by the system, so if you use -different lpq commands for different users then they won't share cache -information.

- -The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash -of the lpq command in use.

- -The default is 10 seconds, meaning that the cached results of a -previous identical lpq command will be used if the cached data is less -than 10 seconds old. A large value may be advisable if your lpq -command is very slow.

- -A value of 0 will disable cacheing completely.

- -.B Default: - lpq cache time = 10

- -.B Example: - lpq cache time = 30

- - -

lpq command (S)

-This parameter specifies the command to be executed on the server host in -order to obtain "lpq"-style printer status information.

- -This command should be a program or script which takes a printer name -as its only parameter and outputs printer status information.

- -Currently six styles of printer status information are supported; BSD, -SYSV, AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You -control which type is expected using the "printing =" option.

- -Some clients (notably Windows for Workgroups) may not correctly send the -connection number for the printer they are requesting status information -about. To get around this, the server reports on the first printer service -connected to by the client. This only happens if the connection number sent -is invalid.

- -If a %p is given then the printername is put in its place. Otherwise -it is placed at the end of the command.

- -Note that it is good practice to include the absolute path in the lpq -command as the PATH may not be available to the server.

- -.B Default: - depends on the setting of "printing ="

- -.B Example: - lpq command = /usr/bin/lpq %p

- - -

lpresume command (S)

-This parameter specifies the command to be executed on the server host in -order to restart or continue printing or spooling a specific print job.

- -This command should be a program or script which takes a printer name and -job number to resume the print job. See also the lppause command.

- -If a %p is given then the printername is put in its place. A %j is -replaced with the job number (an integer).

- -Note that it is good practice to include the absolute path in the lpresume -command as the PATH may not be available to the server.

- -.B Default: - Currently no default value is given to this string

- -.B Example for HPUX: - lpresume command = /usr/bin/lpalt %p-%j -p2

- - -

lprm command (S)

-This parameter specifies the command to be executed on the server host in -order to delete a print job.

- -This command should be a program or script which takes a printer name -and job number, and deletes the print job.

- -Currently seven styles of printer control are supported; BSD, SYSV, AIX -HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control -which type is expected using the "printing =" option.

- -If a %p is given then the printername is put in its place. A %j is -replaced with the job number (an integer).

- -Note that it is good practice to include the absolute path in the lprm -command as the PATH may not be available to the server.

- -.B Default: - depends on the setting of "printing ="

- -.B Example 1: - lprm command = /usr/bin/lprm -P%p %j

- -.B Example 2: - lprm command = /usr/bin/cancel %p-%j

- - -

magic output (S)

-This parameter specifies the name of a file which will contain output -created by a magic script (see -.I magic script -below).

- -Warning: If two clients use the same magic script in the same directory the -output file content is undefined. -.B Default: - magic output = .out

- -.B Example: - magic output = myfile.txt - -

magic script (S)

-This parameter specifies the name of a file which, if opened, will be -executed by the server when the file is closed. This allows a UNIX script -to be sent to the Samba host and executed on behalf of the connected user.

- -Scripts executed in this way will be deleted upon completion, permissions -permitting.

- -If the script generates output, output will be sent to the file specified by -the -.I magic output -parameter (see above).

- -Note that some shells are unable to interpret scripts containing -carriage-return-linefeed instead of linefeed as the end-of-line -marker. Magic scripts must be executable "as is" on the host, which -for some hosts and some shells will require filtering at the DOS end.

- -Magic scripts are EXPERIMENTAL and should NOT be relied upon.

- -.B Default: - None. Magic scripts disabled.

- -.B Example: - magic script = user.csh

- - -

mangle case (S)

- -See the section on "NAME MANGLING"

- - -

mangled map (S)

-This is for those who want to directly map UNIX file names which are -not representable on DOS. The mangling of names is not always what is -needed. In particular you may have documents with file extensions -that differ between DOS and UNIX. For example, under UNIX it is common -to use .html for HTML files, whereas under DOS .htm is more commonly -used.

- -So to map 'html' to 'htm' you put:

- - mangled map = (*.html *.htm)

- -One very useful case is to remove the annoying ;1 off the ends of -filenames on some CDROMS (only visible under some UNIXes). To do this -use a map of (*;1 *)

- -.B default: - no mangled map

- -.B Example: - mangled map = (*;1 *)

- - -

mangled names (S)

-This controls whether non-DOS names under UNIX should be mapped to -DOS-compatible names ("mangled") and made visible, or whether non-DOS names -should simply be ignored.

- -See the section on "NAME MANGLING" for details on how to control the -mangling process.

- -If mangling is used then the mangling algorithm is as follows: -.RS -- the first (up to) five alphanumeric characters before the rightmost dot of -the filename are preserved, forced to upper case, and appear as the first (up -to) five characters of the mangled name.

- -- a tilde ("~") is appended to the first part of the mangled name, followed -by a two-character unique sequence, based on the original root name -(i.e., the original filename minus its final extension). The final -extension is included in the hash calculation only if it contains any upper -case characters or is longer than three characters.

- -Note that the character to use may be specified using the "mangling -char" option, if you don't like ~.

- -- the first three alphanumeric characters of the final extension are preserved, -forced to upper case and appear as the extension of the mangled name. The -final extension is defined as that part of the original filename after the -rightmost dot. If there are no dots in the filename, the mangled name will -have no extension (except in the case of hidden files - see below).

- -- files whose UNIX name begins with a dot will be presented as DOS hidden -files. The mangled name will be created as for other filenames, but with the -leading dot removed and "___" as its extension regardless of actual original -extension (that's three underscores). -.RE

- -The two-digit hash value consists of upper case alphanumeric characters.

- -This algorithm can cause name collisions only if files in a directory share -the same first five alphanumeric characters. The probability of such a clash -is 1/1300.

- -The name mangling (if enabled) allows a file to be copied between UNIX -directories from DOS while retaining the long UNIX filename. UNIX files can -be renamed to a new extension from DOS and will retain the same basename. -Mangled names do not change between sessions.

- -.B Default: - mangled names = yes

- -.B Example: - mangled names = no - -

mangling char (S)

-This controls what character is used as the "magic" character in name -mangling. The default is a ~ but this may interfere with some -software. Use this option to set it to whatever you prefer.

- -.B Default: - mangling char = ~

- -.B Example: - mangling char = ^

- - -

mangled stack (G)

-This parameter controls the number of mangled names that should be cached in -the Samba server.

- -This stack is a list of recently mangled base names (extensions are only -maintained if they are longer than 3 characters or contains upper case -characters).

- -The larger this value, the more likely it is that mangled names can be -successfully converted to correct long UNIX names. However, large stack -sizes will slow most directory access. Smaller stacks save memory in the -server (each stack element costs 256 bytes).

- -It is not possible to absolutely guarantee correct long file names, so -be prepared for some surprises!

- -.B Default: - mangled stack = 50

- -.B Example: - mangled stack = 100

- - -

map archive (S)

-This controls whether the DOS archive attribute should be mapped to the -UNIX owner execute bit. The DOS archive bit is set when a file has been modified -since its last backup. One motivation for this option it to keep Samba/your -PC from making any file it touches from becoming executable under UNIX. -This can be quite annoying for shared source code, documents, etc...

- -Note that this requires the 'create mask' to be set such that owner -execute bit is not masked out (ie. it must include 100). See the -parameter "create mask" for details.

- -.B Default: - map archive = yes

- -.B Example: - map archive = no

- - -

map hidden (S)

-This controls whether DOS style hidden files should be mapped to the -UNIX world execute bit.

- -Note that this requires the 'create mask' to be set such that the world -execute bit is not masked out (ie. it must include 001). -See the parameter "create mask" for details.

- -.B Default: - map hidden = no

- -.B Example: - map hidden = yes - -

map system (S)

-This controls whether DOS style system files should be mapped to the -UNIX group execute bit.

- -Note that this requires the 'create mask' to be set such that the group -execute bit is not masked out (ie. it must include 010). See the parameter -"create mask" for details.

- -.B Default: - map system = no

- -.B Example: - map system = yes - -

max connections (S)

-This option allows the number of simultaneous connections to a -service to be limited. If "max connections" is greater than 0 then -connections will be refused if this number of connections to the -service are already open. A value of zero mean an unlimited number of -connections may be made.

- -Record lock files are used to implement this feature. The lock files -will be stored in the directory specified by the "lock directory" option.

- -.B Default: - max connections = 0

- -.B Example: - max connections = 10

- - -

max disk size (G)

-This option allows you to put an upper limit on the apparent size of -disks. If you set this option to 100 then all shares will appear to be -not larger than 100 MB in size.

- -Note that this option does not limit the amount of data you can put on -the disk. In the above case you could still store much more than 100 -MB on the disk, but if a client ever asks for the amount of free disk -space or the total disk size then the result will be bounded by the -amount specified in "max disk size".

- -This option is primarily useful to work around bugs in some pieces of -software that can't handle very large disks, particularly disks over -1GB in size.

- -A "max disk size" of 0 means no limit.

- -.B Default: - max disk size = 0

- -.B Example: - max disk size = 1000

- - -

max log size (G)

- -This option (an integer in kilobytes) specifies the max size the log -file should grow to. Samba periodically checks the size and if it is -exceeded it will rename the file, adding a .old extension.

- -A size of 0 means no limit.

- -.B Default: - max log size = 5000

- -.B Example: - max log size = 1000

- - -

max mux (G)

- -This option controls the maximum number of outstanding simultaneous SMB -operations that samba tells the client it will allow. You should never need -to set this parameter.

- -.B Default: - max mux = 50

- - -

max packet (G)

- -A synonym for this parameter is 'packet size'.

- - -

max ttl (G)

- -This option tells nmbd what the default 'time to live' of NetBIOS -names should be (in seconds) when nmbd is requesting a name using -either a broadcast or from a WINS server. You should never need to -change this parameter.

- -.B Default: - max ttl = 14400

- - -

max wins ttl (G)

- -This option tells nmbd when acting as a WINS server (wins support = true) -what the maximum 'time to live' of NetBIOS names that nmbd will grant will -be (in seconds). You should never need to change this parameter. -The default is 3 days (259200 seconds).

- -.B Default: - max wins ttl = 259200

- - -

max xmit (G)

- -This option controls the maximum packet size that will be negotiated -by Samba. The default is 65535, which is the maximum. In some cases -you may find you get better performance with a smaller value. A value -below 2048 is likely to cause problems.

- -.B Default: - max xmit = 65535

- -.B Example: - max xmit = 8192

- - -

message command (G)

- -This specifies what command to run when the server receives a WinPopup -style message.

- -This would normally be a command that would deliver the message -somehow. How this is to be done is up to your imagination.

- -What I use is:

- - message command = csh -c 'xedit %s;rm %s' &

- -This delivers the message using xedit, then removes it -afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN -IMMEDIATELY. That's why I have the & on the end. If it doesn't return -immediately then your PCs may freeze when sending messages (they -should recover after 30secs, hopefully).

- -All messages are delivered as the global guest user. The command takes -the standard substitutions, although %u won't work (%U may be better -in this case).

- -Apart from the standard substitutions, some additional ones apply. In -particular:

- -%s = the filename containing the message

- -%t = the destination that the message was sent to (probably the server -name)

- -%f = who the message is from

- -You could make this command send mail, or whatever else takes your -fancy. Please let me know of any really interesting ideas you have.

- -Here's a way of sending the messages as mail to root:

- -message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

- -If you don't have a message command then the message won't be -delivered and Samba will tell the sender there was an -error. Unfortunately WfWg totally ignores the error code and carries -on regardless, saying that the message was delivered.

- -If you want to silently delete it then try "message command = rm %s".

- -For the really adventurous, try something like this:

- -message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \e - -M %m; rm %s' &

- -this would execute the command as a script on the server, then give -them the result in a WinPopup message. Note that this could cause a -loop if you send a message from the server using smbclient! You better -wrap the above in a script that checks for this :-)

- -.B Default: - no message command

- -.B Example: - message command = csh -c 'xedit %s;rm %s' &

- - -

min print space (S)

- -This sets the minimum amount of free disk space that must be available -before a user will be able to spool a print job. It is specified in -kilobytes. The default is 0, which means no limit.

- -.B Default: - min print space = 0

- -.B Example: - min print space = 2000

- - -

min wins ttl (G)

- -This option tells nmbd when acting as a WINS server (wins support = true) -what the minimum 'time to live' of NetBIOS names that nmbd will grant will -be (in seconds). You should never need to change this parameter. -The default is 6 hours (21600 seconds).

- -.B Default: - min wins ttl = 21600

- - - -

netbios aliases (G)

- -This is a list of names that nmbd will advertise as additional -names by which the Samba server is known. This allows one machine -to appear in browse lists under multiple names. If a machine is -acting as a browse server or logon server none of these names -will be advertised as either browse server or logon servers, only -the primary name of the machine will be advertised with these -capabilities.

- -See also 'netbios name'.

- -.B Example: - netbios aliases = TEST TEST1 TEST2

- - -

netbios name (G)

- -This sets the NetBIOS name by which a Samba server is known. By -default it is the same as the first component of the host's DNS name. -If a machine is a browse server or logon server this name (or the -first component of the hosts DNS name) will be the name that these -services are advertised under.

- -See also 'netbios aliases'.

- -.B Example: - netbios name = MYNAME

- - -

nis homedir (G)

-Get the home share server from a NIS (or YP) map. For unix systems that -use an automounter, the user's home directory will often be mounted on -a workstation on demand from a remote server. When the Samba logon server -is not the actual home directory server, two network hops are required -to access the home directory and this can be very slow especially with -writing via Samba to an NFS mounted directory. This option allows samba -to return the home share as being on a different server to the logon -server and as long as a samba daemon is running on the home directory -server, it will be mounted on the Samba client directly from the directory -server. When Samba is returning the home share to the client, it will -consult the NIS (or YP) map specified in "homedir map" and return the -server listed there.

- -.B Default: - nis homedir = false

- -.B Example: - nis homedir = true

- - -

networkstation user login (G)

-This global parameter (new for 1.9.18p3) affects server level security. -With this set (recommended) samba will do a full NetWkstaUserLogon to -confirm that the client really should have login rights. This can cause -problems with machines in trust relationships in which case you can -disable it here, but be warned, we have heard that some NT machines -will then allow anyone in with any password! Make sure you test it.

- -.B Default: - networkstation user login = yes

- -.B Example: - networkstation user login = no

- - -

null passwords (G)

-Allow or disallow access to accounts that have null passwords.

- -.B Default: - null passwords = no

- -.B Example: - null passwords = yes

- - -

only guest (S)

-A synonym for this command is 'guest only'.

- - -

only user (S)

-This is a boolean option that controls whether connections with -usernames not in the user= list will be allowed. By default this -option is disabled so a client can supply a username to be used by -the server.

- -Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the [homes] section. To get -around this you could use "user = %S" which means your "user" list -will be just the service name, which for home directories is the name -of the user.

- -.B Default: - only user = False

- -.B Example: - only user = True

- - -

oplocks (S)

-This boolean option tells smbd whether to issue oplocks (opportunistic -locks) to file open requests on this share. The oplock code was introduced in -Samba 1.9.18 and can dramatically (approx 30% or more) improve the speed -of access to files on Samba servers. It allows the clients to agressively -cache files locally and you may want to disable this option for unreliable -network environments (it is turned on by default in Windows NT Servers). -For more information see the file Speed.txt in the Samba docs/ directory.

- -Oplocks may be selectively turned off on certain files on a per share basis. -See the 'veto oplock files' parameter.

- -.B Default: - oplocks = True

- -.B Example: - oplocks = False

- - - -

os level (G)

-This integer value controls what level Samba advertises itself as for -browse elections. See BROWSING.txt for details.

- - -

packet size (G)

-The maximum transmit packet size during a raw read. This option is no -longer implemented as of version 1.7.00, and is kept only so old -configuration files do not become invalid.

- - -

passwd chat (G)

-This string controls the "chat" conversation that takes places -between smbd and the local password changing program to change the -users password. The string describes a sequence of response-receive -pairs that smbd uses to determine what to send to the passwd program -and what to expect back. If the expected output is not received then -the password is not changed.

- -This chat sequence is often quite site specific, depending on what -local methods are used for password control (such as NIS+ etc).

- -The string can contain the macros %o and %n which are substituted for -the old and new passwords respectively. It can also contain the -standard macros \en \er \et and \es to give line-feed, carriage-return, -tab and space.

- -The string can also contain a * which matches any sequence of -characters.

- -Double quotes can be used to collect strings with spaces in them into -a single string.

- -If the send string in any part of the chat sequence is a fullstop "." -then no string is sent. Similarly, is the expect string is a fullstop -then no string is expected.

- -.B Example: - passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en \e - "*Reenter NEW password*" %n\en "*Password changed*"

- - -.B Default: - passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed*

- - -

passwd program (G)

-The name of a program that can be used to set user passwords.

- -This is only necessary if you have enabled remote password changing at -compile time. Any occurrences of %u will be replaced with the user -name.

- -Also note that many passwd programs insist in "reasonable" passwords, -such as a minimum length, or the inclusion of mixed case chars and -digits. This can pose a problem as some clients (such as Windows for -Workgroups) uppercase the password before sending it.

- -.B Default: - passwd program = /bin/passwd

- -.B Example: - passwd program = /sbin/passwd %u

- - -

password level (G)

-Some client/server combinations have difficulty with mixed-case passwords. -One offending client is Windows for Workgroups, which for some reason forces -passwords to upper case when using the LANMAN1 protocol, but leaves them alone -when using COREPLUS!

- -This parameter defines the maximum number of characters that may be upper case -in passwords.

- -For example, say the password given was "FRED". If -.B password level -is set to 1 (one), the following combinations would be tried if "FRED" failed: -"Fred", "fred", "fRed", "frEd", "freD". If -.B password level was set to 2 (two), the following combinations would also be -tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on.

- -The higher value this parameter is set to the more likely it is that a mixed -case password will be matched against a single case password. However, you -should be aware that use of this parameter reduces security and increases the -time taken to process a new connection.

- -A value of zero will cause only two attempts to be made - the password as is -and the password in all-lower case.

- -If you find the connections are taking too long with this option then -you probably have a slow crypt() routine. Samba now comes with a fast -"ufc crypt" that you can select in the Makefile. You should also make -sure the PASSWORD_LENGTH option is correct for your system in local.h -and includes.h. On most systems only the first 8 chars of a password -are significant so PASSWORD_LENGTH should be 8, but on some longer -passwords are significant. The includes.h file tries to select the -right length for your system.

- -.B Default: - password level = 0

- -.B Example: - password level = 4

- - -

password server (G)

- -By specifying the name of another SMB server (such as a WinNT box) -with this option, and using "security = server" you can get Samba to -do all its username/password validation via a remote server.

- -This options sets the name of the password server to use. It must be a -netbios name, so if the machine's netbios name is different from its -internet name then you may have to add its netbios name to -/etc/hosts.

- -The password server much be a machine capable of using the "LM1.2X002" -or the "LM NT 0.12" protocol, and it must be in user level security -mode.

- -NOTE: Using a password server means your UNIX box (running Samba) is -only as secure as your password server. DO NOT CHOOSE A PASSWORD -SERVER THAT YOU DON'T COMPLETELY TRUST.

- -Never point a Samba server at itself for password serving. This will -cause a loop and could lock up your Samba server!

- -The name of the password server takes the standard substitutions, but -probably the only useful one is %m, which means the Samba server will -use the incoming client as the password server. If you use this then -you better trust your clients, and you better restrict them with hosts -allow!

- -If you list several hosts in the "password server" option then smbd -will try each in turn till it finds one that responds. This is useful -in case your primary server goes down.

- -If you are using a WindowsNT server as your password server then you -will have to ensure that your users are able to login from the Samba -server, as the network logon will appear to come from there rather -than from the users workstation.

- - -

path (S)

-A synonym for this parameter is 'directory'.

- -This parameter specifies a directory to which the user of the service is to -be given access. In the case of printable services, this is where print data -will spool prior to being submitted to the host for printing.

- -For a printable service offering guest access, the service should be readonly -and the path should be world-writable and have the sticky bit set. This is not -mandatory of course, but you probably won't get the results you expect if you -do otherwise.

- -Any occurrences of %u in the path will be replaced with the username -that the client is connecting as. Any occurrences of %m will be -replaced by the name of the machine they are connecting from. These -replacements are very useful for setting up pseudo home directories -for users.

- -Note that this path will be based on 'root dir' if one was specified. -.B Default: - none

- -.B Example: - path = /home/fred+

- - -

postexec (S)

- -This option specifies a command to be run whenever the service is -disconnected. It takes the usual substitutions. The command may be run -as the root on some systems.

- -An interesting example may be do unmount server resources:

- -postexec = /etc/umount /cdrom

- -See also preexec

- -.B Default: - none (no command executed)

- -.B Example: - postexec = echo \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log

- - -

postscript (S)

-This parameter forces a printer to interpret the print files as -postscript. This is done by adding a %! to the start of print output.

- -This is most useful when you have lots of PCs that persist in putting -a control-D at the start of print jobs, which then confuses your -printer.

- -.B Default: - postscript = False

- -.B Example: - postscript = True

- - -

preexec (S)

- -This option specifies a command to be run whenever the service is -connected to. It takes the usual substitutions.

- -An interesting example is to send the users a welcome message every -time they log in. Maybe a message of the day? Here is an example:

- -preexec = csh -c 'echo \e"Welcome to %S!\e" | \e - /usr/local/samba/bin/smbclient -M %m -I %I' &

- -Of course, this could get annoying after a while :-)

- -See also postexec

- -.B Default: - none (no command executed)

- -.B Example: - preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log

- - -

preferred master (G)

-This boolean parameter controls if Samba is a preferred master browser -for its workgroup. -If this is set to true, on startup, samba will force an election, -and it will have a slight advantage in winning the election. -It is recommended that this parameter is used in conjunction -with domain master = yes, so that samba can guarantee becoming -a domain master.

- -Use this option with caution, because if there are several hosts -(whether samba servers, Windows 95 or NT) that are preferred master -browsers on the same subnet, they will each periodically and continuously -attempt to become the local master browser. This will result in -unnecessary broadcast traffic and reduced browsing capabilities.

- -See -.B os level = nn

- -.B Default: - preferred master = no

- -

preload

-This is an alias for "auto services"

- - -

preload

-This is an alias for "auto services"

- - -

preserve case (S)

- -This controls if new filenames are created with the case that the -client passes, or if they are forced to be the "default" case.

- -.B Default: - preserve case = no

- -See the section on "NAME MANGLING" for a fuller discussion.

- - -

print command (S)

-After a print job has finished spooling to a service, this command will be -used via a system() call to process the spool file. Typically the command -specified will submit the spool file to the host's printing subsystem, but -there is no requirement that this be the case. The server will not remove the -spool file, so whatever command you specify should remove the spool file when -it has been processed, otherwise you will need to manually remove old spool -files.

- -The print command is simply a text string. It will be used verbatim, -with two exceptions: All occurrences of "%s" will be replaced by the -appropriate spool file name, and all occurrences of "%p" will be -replaced by the appropriate printer name. The spool file name is -generated automatically by the server, the printer name is discussed -below.

- -The full path name will be used for the filename if %s is not preceded -by a /. If you don't like this (it can stuff up some lpq output) then -use %f instead. Any occurrences of %f get replaced by the spool -filename without the full path at the front.

- -The print command MUST contain at least one occurrence of "%s" or %f - -the "%p" is optional. At the time a job is submitted, if no printer -name is supplied the "%p" will be silently removed from the printer -command.

- -If specified in the [global] section, the print command given will be used -for any printable service that does not have its own print command specified.

- -If there is neither a specified print command for a printable service nor a -global print command, spool files will be created but not processed and (most -importantly) not removed.

- -Note that printing may fail on some UNIXes from the "nobody" -account. If this happens then create an alternative guest account that -can print and set the "guest account" in the [global] section.

- -You can form quite complex print commands by realising that they are -just passed to a shell. For example the following will log a print -job, print the file, then remove it. Note that ; is the usual -separator for command in shell scripts.

- -print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

- -You may have to vary this command considerably depending on how you -normally print files on your system.

- -.B Default: - print command = lpr -r -P %p %s

- -.B Example: - print command = /usr/local/samba/bin/myprintscript %p %s - -

print ok (S)

-See -.B printable. - -

printable (S)

-A synonym for this parameter is 'print ok'.

- -If this parameter is 'yes', then clients may open, write to and submit spool -files on the directory specified for the service.

- -Note that a printable service will ALWAYS allow writing to the service path -(user privileges permitting) via the spooling of print data. The 'read only' -parameter controls only non-printing access to the resource.

- -.B Default: - printable = no

- -.B Example: - printable = yes

- - -

printcap name (G)

-This parameter may be used to override the compiled-in default printcap -name used by the server (usually /etc/printcap). See the discussion of the -[printers] section above for reasons why you might want to do this.

- -On SystemV systems that use lpstat to list available printers you -can use "printcap name = lpstat" to automatically obtain lists of -available printers. This is the default for systems that define -SYSV at compile time in Samba (this includes most SystemV based -systems). If "printcap name" is set to lpstat on these systems then -Samba will launch "lpstat -v" and attempt to parse the output to -obtain a printer list.

- -A minimal printcap file would look something like this:

- -print1|My Printer 1 -.br -print2|My Printer 2 -.br -print3|My Printer 3 -.br -print4|My Printer 4 -.br -print5|My Printer 5

- -where the | separates aliases of a printer. The fact that the second -alias has a space in it gives a hint to Samba that it's a comment.

- -NOTE: Under AIX the default printcap name is "/etc/qconfig". Samba -will assume the file is in AIX "qconfig" format if the string -"/qconfig" appears in the printcap filename.

- -.B Default: - printcap name = /etc/printcap

- -.B Example: - printcap name = /etc/myprintcap

- - -

printer (S)

-A synonym for this parameter is 'printer name'.

- -This parameter specifies the name of the printer to which print jobs spooled -through a printable service will be sent.

- -If specified in the [global] section, the printer name given will be used -for any printable service that does not have its own printer name specified.

- -.B Default: - none (but may be 'lp' on many systems)

- -.B Example: - printer name = laserwriter

- - -

printer driver (S)

-This option allows you to control the string that clients receive when -they ask the server for the printer driver associated with a -printer. If you are using Windows95 or WindowsNT then you can use this -to automate the setup of printers on your system.

- -You need to set this parameter to the exact string (case sensitive) -that describes the appropriate printer driver for your system. -If you don't know the exact string to use then you should first try -with no "printer driver" option set and the client will give you a -list of printer drivers. The appropriate strings are shown in a -scrollbox after you have chosen the printer manufacturer.

- -.B Example: - printer driver = HP LaserJet 4L

- - -

printer name (S)

-See -.B printer.

- - -

printer driver file (G)

-This parameter tells Samba where the printer driver definition file, -used when serving drivers to Windows 95 clients, is to be found. If -this is not set, the default is :

- -SAMBA_INSTALL_DIRECTORY/lib/printers.def

- -This file is created from Windows 95 'msprint.def' files found on the -Windows 95 client system. For more details on setting up serving of -printer drivers to Windows 95 clients, see the documentation file -docs/PRINTER_DRIVER.txt.

- -.B Default: - None (set in compile).

- -.B Example: - printer driver file = /usr/local/samba/printers/drivers.def

- -Related parameters. -.B printer driver location

- - -

printer driver location (S)

-This parameter tells clients of a particular printer share where -to find the printer driver files for the automatic installation -of drivers for Windows 95 machines. If Samba is set up to serve -printer drivers to Windows 95 machines, this should be set to

- -\e\eMACHINE\ePRINTER$

- -Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ -is a share you set up for serving printer driver files. For more -details on setting this up see the documentation file -docs/PRINTER_DRIVER.txt.

- -.B Default: - None

- -.B Example: - printer driver location = \e\eMACHINE\ePRINTER$

- -Related paramerers. -.B printer driver file

- - - -

printing (S)

-This parameters controls how printer status information is interpreted -on your system, and also affects the default values for the "print -command", "lpq command" and "lprm command".

- -Currently six printing styles are supported. They are "printing = -bsd", "printing = sysv", "printing = hpux", "printing = aix", -"printing = qnx" and "printing = plp".

- -To see what the defaults are for the other print commands when using -these three options use the "testparm" program.

- -As of version 1.9.18 of Samba this option can be set on a per printer basis

- - -

protocol (G)

-The value of the parameter (a string) is the highest protocol level that will -be supported by the server.

- -Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative -merits of each are discussed in the README file.

- -Normally this option should not be set as the automatic negotiation -phase in the SMB protocol takes care of choosing the appropriate protocol.

- -.B Default: - protocol = NT1

- -.B Example: - protocol = LANMAN1 - -

public (S)

-A synonym for this parameter is 'guest ok'.

- -If this parameter is 'yes' for a service, then no password is required -to connect to the service. Privileges will be those of the guest -account.

- -See the section below on user/password validation for more information about -this option.

- -.B Default: - public = no

- -.B Example: - public = yes - -

read list (S)

-This is a list of users that are given read-only access to a -service. If the connecting user is in this list then they will -not be given write access, no matter what the "read only" option -is set to. The list can include group names using the @group syntax.

- -See also the "write list" option

- -.B Default: - read list =

- -.B Example: - read list = mary, @students

- - -

read only (S)

-See -.B writable -and -.B write ok. -Note that this is an inverted synonym for writable and write ok. - -

read prediction (G)

-This options enables or disables the read prediction code used to -speed up reads from the server. When enabled the server will try to -pre-read data from the last accessed file that was opened read-only -while waiting for packets.

- -

Default:

- read prediction = False

- -

Example:

- read prediction = True -
-

read raw (G)

-This parameter controls whether or not the server will support raw reads when -transferring data to clients.

- -If enabled, raw reads allow reads of 65535 bytes in one packet. This -typically provides a major performance benefit.

- -However, some clients either negotiate the allowable block size incorrectly -or are incapable of supporting larger block sizes, and for these clients you -may need to disable raw reads.

- -In general this parameter should be viewed as a system tuning tool and left -severely alone. See also -.B write raw.

- -.B Default: - read raw = yes

- -.B Example: - read raw = no - -

read size (G)

- -The option "read size" affects the overlap of disk reads/writes with -network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk.

- -This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other.

- -The default value is 2048, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the best -value will vary greatly between systems anyway. A value over 65536 is -pointless and will cause you to allocate memory unnecessarily.

- -.B Default: - read size = 2048

- -.B Example: - read size = 8192

- - -

remote announce (G)

- -This option allows you to setup nmbd to periodically announce itself -to arbitrary IP addresses with an arbitrary workgroup name.

- -This is useful if you want your Samba server to appear in a remote -workgroup for which the normal browse propagation rules don't -work. The remote workgroup can be anywhere that you can send IP -packets to.

- -For example:

- - remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

- -the above line would cause nmbd to announce itself to the two given IP -addresses using the given workgroup names. If you leave out the -workgroup name then the one given in the "workgroup" option is used -instead.

- -The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable.

- -This option replaces similar functionality from the nmbd lmhosts file.

- - -

remote browse sync (G)

- -This option allows you to setup nmbd to periodically request synchronisation -of browse lists with the master browser of a samba server that is on a remote -segment. This option will allow you to gain browse lists for multiple -workgroups across routed networks. This is done in a manner that does not work -with any non-samba servers.

- -This is useful if you want your Samba server and all local clients -to appear in a remote workgroup for which the normal browse propagation -rules don't work. The remote workgroup can be anywhere that you can send IP -packets to.

- -For example:

- - remote browse sync = 192.168.2.255 192.168.4.255

- -the above line would cause nmbd to request the master browser on the -specified subnets or addresses to synchronise their browse lists with -the local server.

- -The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable. If a machine IP -address is given Samba makes NO attempt to validate that the remote -machine is available, is listening, nor that it is in fact the browse -master on it's segment.

- - - -

revalidate (S)

- -This options controls whether Samba will allow a previously validated -username/password pair to be used to attach to a share. Thus if you -connect to \e\eserver\eshare1 then to \e\eserver\eshare2 it won't -automatically allow the client to request connection to the second -share as the same username as the first without a password.

- -If "revalidate" is True then the client will be denied automatic -access as the same username.

- -.B Default: - revalidate = False

- -.B Example: - revalidate = True

- - -

root (G)

-See -.B root directory. - -

root dir (G)

-See -.B root directory. -
-

root directory (G)

-Synonyms for this parameter are 'root dir' and 'root'.

- -The server will chroot() to this directory on startup. This is not -strictly necessary for secure operation. Even without it the server -will deny access to files not in one of the service entries. It may -also check for, and deny access to, soft links to other parts of the -filesystem, or attempts to use .. in file names to access other -directories (depending on the setting of the "wide links" parameter).

- -Adding a "root dir" entry other than "/" adds an extra level of security, -but at a price. It absolutely ensures that no access is given to files not -in the sub-tree specified in the "root dir" option, *including* some files -needed for complete operation of the server. To maintain full operability -of the server you will need to mirror some system files into the "root dir" -tree. In particular you will need to mirror /etc/passwd (or a subset of it), -and any binaries or configuration files needed for printing (if required). -The set of files that must be mirrored is operating system dependent.

- -.B Default: - root directory = /

- -.B Example: - root directory = /homes/smb - -

root postexec (S)

- -This is the same as postexec except that the command is run as -root. This is useful for unmounting filesystems (such as cdroms) after -a connection is closed.

- - -

root preexec (S)

- -This is the same as preexec except that the command is run as -root. This is useful for mounting filesystems (such as cdroms) before -a connection is finalised.

- - -

security (G)

-This option affects how clients respond to Samba.

- -The option sets the "security mode bit" in replies to protocol negotiations -to turn share level security on or off. Clients decide based on this bit -whether (and how) to transfer user and password information to the server.

- -The default is "security=SHARE", mainly because that was the only -option at one stage.

- -The alternatives are "security = user" or "security = server".

- -If your PCs use usernames that are the same as their usernames on the -UNIX machine then you will want to use "security = user". If you -mostly use usernames that don't exist on the UNIX box then use -"security = share".

- -There is a bug in WfWg that may affect your decision. When in user -level security a WfWg client will totally ignore the password you type -in the "connect drive" dialog box. This makes it very difficult (if -not impossible) to connect to a Samba service as anyone except the -user that you are logged into WfWg as.

- -If you use "security = server" then Samba will try to validate the -username/password by passing it to another SMB server, such as an NT -box. If this fails it will revert to "security = USER".

- -See the "password server" option for more details.

- -.B Default: - security = SHARE

- -.B Example: - security = USER - -

server string (G)

-This controls what string will show up in the printer comment box in -print manager and next to the IPC connection in "net view". It can be -any string that you wish to show to your users.

- -It also sets what will appear in browse lists next to the machine name.

- -A %v will be replaced with the Samba version number.

- -A %h will be replaced with the hostname.

- -.B Default: - server string = Samba %v

- -.B Example: - server string = University of GNUs Samba Server

- - -

set directory (S)

-If 'set directory = no', then users of the service may not use the setdir -command to change directory.

- -The setdir command is only implemented in the Digital Pathworks client. See the -Pathworks documentation for details.

- -.B Default: - set directory = no

- -.B Example: - set directory = yes

- - -

shared file entries (G)

-This parameter has been removed (as of Samba 1.9.18 and above). The new -System V shared memory code prohibits the user from allocating the -share hash bucket size directly.

- - -

shared mem size (G)

-This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES. -It specifies the size of the shared memory (in bytes) to use between smbd -processes. You should never change this parameter unless you have studied -the source and know what you are doing. This parameter defaults to 1024 -multiplied by the setting of the maximum number of open files in the -file local.h in the Samba source code. MAX_OPEN_FILES is normally set -to 100, so this parameter defaults to 102400 bytes.

- -.B Default - shared mem size = 102400

- - -

smb passwd file (G)

-This option sets the path to the encrypted smbpasswd file. This is a *VERY -DANGEROUS OPTION* if the smb.conf is user writable. By default the path -to the smbpasswd file is compiled into Samba.

- - -

smbrun (G)

-This sets the full path to the smbrun binary. This defaults to the -value in the Makefile.

- -You must get this path right for many services to work correctly.

- -.B Default: -taken from Makefile

- -.B Example: - smbrun = /usr/local/samba/bin/smbrun

- - -

share modes (S)

- -This enables or disables the honouring of the "share modes" during a -file open. These modes are used by clients to gain exclusive read or -write access to a file.

- -These open modes are not directly supported by UNIX, so they are -simulated using lock files in the "lock directory". The "lock -directory" specified in smb.conf must be readable by all users.

- -The share modes that are enabled by this option are DENY_DOS, -DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.

- -Enabling this option gives full share compatibility but may cost a bit -of processing time on the UNIX server. They are enabled by default.

- -.B Default: - share modes = yes

- -.B Example: - share modes = no

- - -

short preserve case (S)

- -This controls if new short filenames are created with the case that -the client passes, or if they are forced to be the "default" case.

- -.B Default: - short preserve case = no

- -See the section on "NAME MANGLING" for a fuller discussion.

- - -

socket address (G)

- -This option allows you to control what address Samba will listen for -connections on. This is used to support multiple virtual interfaces on -the one server, each with a different configuration.

- -By default samba will accept connections on any address.

- -.B Example: - socket address = 192.168.2.20

- - -

socket options (G)

-This option (which can also be invoked with the -O command line -option) allows you to set socket options to be used when talking with -the client.

- -Socket options are controls on the networking layer of the operating -systems which allow the connection to be tuned.

- -This option will typically be used to tune your Samba server for -optimal performance for your local network. There is no way that Samba -can know what the optimal parameters are for your net, so you must -experiment and choose them yourself. I strongly suggest you read the -appropriate documentation for your operating system first (perhaps -"man setsockopt" will help).

- -You may find that on some systems Samba will say "Unknown socket -option" when you supply an option. This means you either mis-typed it -or you need to add an include file to includes.h for your OS. If the -latter is the case please send the patch to me -(samba-bugs@samba.anu.edu.au).

- -Any of the supported socket options may be combined in any way you -like, as long as your OS allows it.

- -This is the list of socket options currently settable using this -option:

- - SO_KEEPALIVE

- - SO_REUSEADDR

- - SO_BROADCAST

- - TCP_NODELAY

- - IPTOS_LOWDELAY

- - IPTOS_THROUGHPUT

- - SO_SNDBUF *

- - SO_RCVBUF *

- - SO_SNDLOWAT *

- - SO_RCVLOWAT *

- -Those marked with a * take an integer argument. The others can -optionally take a 1 or 0 argument to enable or disable the option, by -default they will be enabled if you don't specify 1 or 0.

- -To specify an argument use the syntax SOME_OPTION=VALUE for example -SO_SNDBUF=8192. Note that you must not have any spaces before or after -the = sign.

- -If you are on a local network then a sensible option might be

- -socket options = IPTOS_LOWDELAY

- -If you have an almost unloaded local network and you don't mind a lot -of extra CPU usage in the server then you could try

- -socket options = IPTOS_LOWDELAY TCP_NODELAY

- -If you are on a wide area network then perhaps try setting -IPTOS_THROUGHPUT.

- -Note that several of the options may cause your Samba server to fail -completely. Use these options with caution!

- -.B Default: - no socket options

- -.B Example: - socket options = IPTOS_LOWDELAY

- -

- - - -

status (G)

-This enables or disables logging of connections to a status file that -.B smbstatus -can read.

- -With this disabled -.B smbstatus -won't be able to tell you what -connections are active.

- -.B Default: - status = yes

- -.B Example: - status = no

- - -

strict locking (S)

-This is a boolean that controls the handling of file locking in the -server. When this is set to yes the server will check every read and -write access for file locks, and deny access if locks exist. This can -be slow on some systems.

- -When strict locking is "no" the server does file lock checks only when -the client explicitly asks for them.

- -Well behaved clients always ask for lock checks when it is important, -so in the vast majority of cases "strict locking = no" is preferable.

- -.B Default: - strict locking = no

- -.B Example: - strict locking = yes

- - -

strip dot (G)

-This is a boolean that controls whether to strip trailing dots off -UNIX filenames. This helps with some CDROMs that have filenames ending in a -single dot.

- -.B Default: - strip dot = no

- -.B Example: - strip dot = yes

- - -

syslog (G)

-This parameter maps how Samba debug messages are logged onto the -system syslog logging levels. Samba debug level zero maps onto -syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug -level two maps to LOG_NOTICE, debug level three maps onto LOG_INFO. -The paramter sets the threshold for doing the mapping, all Samba -debug messages above this threashold are mapped to syslog LOG_DEBUG -messages.

- -.B Default:

- - syslog = 1

- - -

syslog only (G)

-If this parameter is set then Samba debug messages are logged into -the system syslog only, and not to the debug log files.

- -.B Default: - syslog only = no

- - -

sync always (S)

- -This is a boolean parameter that controls whether writes will always -be written to stable storage before the write call returns. If this is -false then the server will be guided by the client's request in each -write call (clients can set a bit indicating that a particular write -should be synchronous). If this is true then every write will be -followed by a fsync() call to ensure the data is written to disk.

- -.B Default: - sync always = no

- -.B Example: - sync always = yes

- - -

time offset (G)

-This parameter is a setting in minutes to add to the normal GMT to -local time conversion. This is useful if you are serving a lot of PCs -that have incorrect daylight saving time handling.

- -.B Default: - time offset = 0

- -.B Example: - time offset = 60

- - -

time server (G)

-This parameter determines if nmbd advertises itself as a time server -to Windows clients. The default is False.

- -.B Default: - time server = False

- -.B Example: - time server = True

- - -

unix realname (G)

-This boolean parameter when set causes samba to supply the real name field -from the unix password file to the client. This is useful for setting up -mail clients and WWW browsers on systems used by more than one person.

- -.B Default: - unix realname = no

- -.B Example: - unix realname = yes

- - -

user (S)

-See -.B username. - -

username (S)

-A synonym for this parameter is 'user'.

- -Multiple users may be specified in a comma-delimited list, in which case the -supplied password will be tested against each username in turn (left to right).

- -The username= line is needed only when the PC is unable to supply its own -username. This is the case for the coreplus protocol or where your -users have different WfWg usernames to UNIX usernames. In both these -cases you may also be better using the \e\eserver\eshare%user syntax -instead.

- -The username= line is not a great solution in many cases as it means Samba -will try to validate the supplied password against each of the -usernames in the username= line in turn. This is slow and a bad idea for -lots of users in case of duplicate passwords. You may get timeouts or -security breaches using this parameter unwisely.

- -Samba relies on the underlying UNIX security. This parameter does not -restrict who can login, it just offers hints to the Samba server as to -what usernames might correspond to the supplied password. Users can -login as whoever they please and they will be able to do no more -damage than if they started a telnet session. The daemon runs as the -user that they log in as, so they cannot do anything that user cannot -do.

- -To restrict a service to a particular set of users you can use the -"valid users=" line.

- -If any of the usernames begin with a @ then the name will be looked up -in the groups file and will expand to a list of all users in the group -of that name. Note that searching though a groups file can take quite -some time, and some clients may time out during the search.

- -See the section below on username/password validation for more information -on how this parameter determines access to the services.

- -.B Default: - The guest account if a guest service, else the name of the service.

- -.B Examples: - username = fred - username = fred, mary, jack, jane, @users, @pcgroup

- - -

username level (G)

- -This option helps Samba to try and 'guess' at the real UNIX username, -as many DOS clients send an all-uppercase username. By default Samba -tries all lowercase, followed by the username with the first letter -capitalized, and fails if the username is not found on the UNIX machine.

- -If this parameter is set to non-zero the behaviour changes. This -parameter is a number that specifies the number of uppercase combinations -to try whilst trying to determine the UNIX user name. The higher the number -the more combinations will be tried, but the slower the discovery -of usernames will be. Use this parameter when you have strange -usernames on your UNIX machine, such as 'AstrangeUser'.

- -.B Default: - username level = 0

- -.B Example: - username level = 5

- - -

username map (G)

- -This option allows you to to specify a file containing a mapping of -usernames from the clients to the server. This can be used for several -purposes. The most common is to map usernames that users use on DOS or -Windows machines to those that the UNIX box uses. The other is to map -multiple users to a single username so that they can more easily share -files.

- -The map file is parsed line by line. Each line should contain a single -UNIX username on the left then a '=' followed by a list of usernames -on the right. The list of usernames on the right may contain names of -the form @group in which case they will match any UNIX username in -that group. The special client name '*' is a wildcard and matches any -name.

- -The file is processed on each line by taking the supplied username and -comparing it with each username on the right hand side of the '=' -signs. If the supplied name matches any of the names on the right -hand side then it is replaced with the name on the left. Processing -then continues with the next line.

- -If any line begins with a '#' or a ';' then it is ignored

- -If any line begins with an ! then the processing will stop after that -line if a mapping was done by the line. Otherwise mapping continues -with every line being processed. Using ! is most useful when you have -a wildcard mapping line later in the file.

- -For example to map from the name "admin" or "administrator" to the UNIX -name "root" you would use

- - root = admin administrator

- -Or to map anyone in the UNIX group "system" to the UNIX name "sys" you -would use

- - sys = @system

- -You can have as many mappings as you like in a username map file.

- -You can map Windows usernames that have spaces in them by using double -quotes around the name. For example:

- - tridge = "Andrew Tridgell"

- -would map the windows username "Andrew Tridgell" to the unix username -tridge.

- -The following example would map mary and fred to the unix user sys, -and map the rest to guest. Note the use of the ! to tell Samba to stop -processing if it gets a match on that line.

- - !sys = mary fred - guest = *

- - -Note that the remapping is applied to all occurrences of -usernames. Thus if you connect to "\e\eserver\efred" and "fred" is -remapped to "mary" then you will actually be connecting to -"\e\eserver\emary" and will need to supply a password suitable for -"mary" not "fred". The only exception to this is the username passed -to the "password server" (if you have one). The password server will -receive whatever username the client supplies without modification.

- -Also note that no reverse mapping is done. The main effect this has is -with printing. Users who have been mapped may have trouble deleting -print jobs as PrintManager under WfWg will think they don't own the -print job.

- -.B Default - no username map

- -.B Example - username map = /usr/local/samba/lib/users.map

- - -

valid chars (S)

- -The option allows you to specify additional characters that should be -considered valid by the server in filenames. This is particularly -useful for national character sets, such as adding u-umlaut or a-ring.

- -The option takes a list of characters in either integer or character -form with spaces between them. If you give two characters with a colon -between them then it will be taken as an lowercase:uppercase pair.

- -If you have an editor capable of entering the characters into the -config file then it is probably easiest to use this method. Otherwise -you can specify the characters in octal, decimal or hexadecimal form -using the usual C notation.

- -For example to add the single character 'Z' to the charset (which is a -pointless thing to do as it's already there) you could do one of the -following

- -valid chars = Z -valid chars = z:Z -valid chars = 0132:0172

- -The last two examples above actually add two characters, and alter -the uppercase and lowercase mappings appropriately.

- -Note that you MUST specify this parameter after the "client code page" -parameter if you have both set. If "client code page" is set after -the "valid chars" parameter the "valid chars" settings will be -overwritten.

- -See also the "client code page" parameter.

- -.B Default -.br - Samba defaults to using a reasonable set of valid characters -.br - for english systems

- -.B Example - valid chars = 0345:0305 0366:0326 0344:0304

- -The above example allows filenames to have the swedish characters in -them.

- -NOTE: It is actually quite difficult to correctly produce a "valid -chars" line for a particular system. To automate the process -tino@augsburg.net has written a package called "validchars" which will -automatically produce a complete "valid chars" line for a given client -system. Look in the examples subdirectory for this package.

- - -

valid users (S)

-This is a list of users that should be allowed to login to this -service. A name starting with @ is interpreted as a UNIX group.

- -If this is empty (the default) then any user can login. If a username -is in both this list and the "invalid users" list then access is -denied for that user.

- -The current servicename is substituted for %S. This is useful in the -[homes] section.

+


-See also "invalid users"

+

admin users (S)

+This is a list of users who will be granted administrative privileges on the +share. This means that they will do all file operations as the super-user +(root).

+You should use this option very carefully, as any user in this list will be +able to do anything they like on the share, irrespective of file permissions.

+Default: no admin users

+Example: admin users = jason

+ +

announce as (G)

+This specifies what type of server nmbd will announce itself as in browse +lists. By default this is set to Windows NT. The valid options are "NT", +"Win95" or "WfW" meaining Windows NT, Windows 95 and Windows for Workgroups +respectively. Do not change this parameter unless you have a specific need to +stop Samba appearing as an NT server as this may prevent Samba servers from +participating as browser servers correctly.

+Default: announce as = NT

+Example: announce as = Win95

+ +

announce version (G)

+This specifies the major and minor version numbers that nmbd will use when +announcing itself as a server. The default is 4.2. Do not change this parameter +unless you have a specific need to set a Samba server to be a downlevel +server.

+Default: announce version = 4.2

+Example: announce version = 2.0

+ +

alternate permissions (S)

+This option affects the way the "read only" DOS attribute is produced for +UNIX files. If this is No then the read only bit is set for files on +writeable shares which the user cannot write to.

+If this is Yes then "read only" is set for files when the user write bit is +not set.

+The latter behaviour is useful when users copy files from each others +directories, and use a file manager that preserves permissions. Without this +option they may get annoyed as all copied files will have the "read only" +bit set.

+Default: alternate permissions = no

+Example: alternate permissions = yes

+ +

available (S)

+This parameter lets you 'turn off' a service. If 'available = no', then ALL +attempts to connect to the service will fail. Such failures are logged.

+Default: available = yes

+Example: available = no

+ +

bind interfaces only (G)

+This global parameter (new for 1.9.18) allows the Samba admin to limit what +interfaces on a machine will serve smb requests. If affects file service +(smbd) and name service (nmbd) in slightly different ways.

+For name service it causes nmbd to bind to ports 137 and 138 on the interfaces +listed in the 'interfaces' parameter. nmbd also binds to the 'all addresses' +interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast +messages. If this option is not set then nmbd will service name requests on +all of these sockets. If "bind interfaces only" is set then nmbd will check +the source address of any packets coming in on the broadcast sockets and +discard any that don't match the broadcast addresses of the interfaces in the +interfaces parameter list. As unicast packets are +received on the other sockets it allows nmbd to refuse to serve names to +machines that send packets that arrive through any interfaces not listed in +the 'interfaces' list. IP Source address spoofing does defeat this simple +check, however so it must not be used seriously as a security feature for +nmbd.

+For file service it causes smbd to bind only to the interface list given in +the interfaces parameter. This restricts +the networks that smbd will serve to packets coming in those interfaces. +Note that you should not use this parameter for machines that are serving +ppp or other intermittant or non-broadcast network interfaces as it will +not cope with non-permanent interfaces.

+Default: bind interfaces only = No

+Example: bind interfaces only = Yes

+ +

browseable (S)

+This controls whether this share is seen in the list of available shares +in a net view and in the browse list.

+Default: browseable = Yes

+Example: browseable = No

+ +

browse list(G)

+This controls whether the smbd will serve a browse list to a client doing a +NetServerEnum call. Normally set to Yes. You should never need to change +this.

+Default: browse list = Yes

+ +

case sensitive (G)

+Controls whether filenames are case sensitive. If they aren't then Samba must +do a filename search and match on passed names.

+Default: case sensitive = No

+See the discussion on NAME MANGLING.

+ +

character set (G)

+This allows smbd to map incoming characters from a DOS 850 Code page to +either a Western European (ISO8859-1) or Easter European (ISO8859-2) code page. +Normally not set, meaning no filename translation is done.

+Default: character set =

+Example: character set = iso8859-1

+ +

client code page (G)

+Currently (Samba 1.9.19 and above) this may be set to one of the following +values: 437, 850, 852, 866, 932, 936, 949, or 950. It specifies the base DOS +code page that the clients accessing Samba are using. To determine this, +open a DOS command prompt and type the command "chcp". This will output +the code page. The default for USA MS-DOS, Windows 95, and Windows NT releases +is code page 437. The default for western european releases of the above +operating systems is code page 850.

+This parameter co-operates with the valid chars +parameter in determining what characters are valid in filenames +and how capitalization is done. It has been added as a convenience for +clients whose code page is either 437 or 850 so a convoluted "valid chars" +string does not have to be determined. If you set both this parameter and +the "valid chars" parameter the "client code page" parameter MUST be +set before the "valid chars" in the smb.conf file. The "valid chars" string +will then augment the character settings in the "client code page" parameter. +

+If "client code page" is set to a value other than those listed above, it will +default to 850.

+See also : valid chars.

+Default: client code page = 850

+Example: client code page = 437

+ +

coding system (G)

+Default: coding system =

+ +

comment (S)

+This is a text field that is seen next to a share when a client does a net +view to list what shares are available.

+If you want to set the string that is displayed next to the machine name then +see the server string command.

+Default: No comment string

+Example: comment = Fred's Files

+ +

create mask (S)

+A synonym for this parameter is 'create mode'.

+When a file is created, the neccessary permissions are calculated according +to the mapping from DOS modes to UNIX permissions, and the resulting UNIX +mode is then bit-wise 'AND'ed with this parameter. This parameter may be +thought of as a bit-wise MASK for the UNIX modes of a file. Any bit *not* set +here will be removed from the modes set on a file when it is created.

+The default value of this parameter removes the 'group' and 'other' write and +execute bits from the UNIX modes.

+Following this Samba will bit-wise 'OR' the UNIX mode created from this +parameter with the value of the +force create mode +parameter which is set to 000 by default.

+For Samba 1.9.17 and above this parameter no longer affects directory modes. +See the parameter directory mask for details.

+See also the force create mode parameter for +forcing particular mode bits to be set on created files. See also the +directory mask +parameter for masking mode bits on created directories.

+Default: create mask = 0744

+Example: create mask = 0775

+ +

deadtime (G)

+The value of the parameter (a decimal integer) represents the number of +minutes of inactivity before a connection is considered dead, and it is +disconnected. The deadtime only takes effect if the number of open files is +zero.

+This is useful to stop a server's resources being exhausted by a large number +of inactive connections.

+Most clients have an auto-reconnect feature when a connection is broken so in +most cases this parameter should be transparent to users.

+Using this parameter with a timeout of a few minutes is recommended for most +systems.

+A deadtime of zero indicates that no auto-disconnection should be performed.

+Default: deadtime = 0

+Example: deadtime = 15 + +

default case (S)

+Controls what the default case (upper/lower) is for new filenames.

+See the section on NAME MANGLING

+Default: default case = lower

+Example: default case = upper

+ +

default service (G)

A synonym for this +parameter is 'default'.

+This parameter specifies the name of a service which will be connected to if +the service actually requested cannot be found. Note that the square brackets +are NOT given in the parameter value (see example below).

+There is no default value for this parameter. If this parameter is not given, +attempting to connect to a nonexistent service results in an error.

+Typically the default service would be a public, read-only service.

+Also note that as of 1.9.14 the apparent service name will be changed to be +that of the requested service, this is very useful as it allows +you to use macros like %S to make a wildcard service.

+Note also that any _ characters in the name of the service used in the default +service will get mapped to a /. This allows for interesting things.

+Example: default service = pub

+

+[pub]
+	path = /%S
+
+ +

delete readonly (S)

+This parameter allows readonly files to be deleted. This is not normal DOS +semantics, but is allowed by UNIX.

+This option may be useful for running applications such as rcs, where UNIX +file ownership prevents changing file permissions, and DOS semantics prevent +deletion of a read only file.

+Default: delete readonly = No

+Example: delete readonly = Yes

+ +

delete veto files (S)

+This option is used when Samba is attempting to delete a directory that +contains one or more vetoed directories (see the +veto files option). If this option is set to No +(the default) then if a vetoed directory contains any non-vetoed files or +directories then the directory delete will fail. This is usually what you +want.

+If this option is set to Yes, then Samba will attempt to recursively delete +any files and directories within the vetoed directory. This can be useful +for integration with file serving systems such as Netatalk, which create +meta-files within directories you might normally veto DOS/Windows users +from seeing (eg. .AppleDouble)

+Setting 'delete veto files = Yes' allows these directories to be +transparently deleted when the parent directory is deleted (so long as the +user has permissions to do so).

+Default: delete veto files = No

+Example: delete veto files = Yes

+See veto files

+ +

dfree command (G)

+The dfree command setting should only be used on systems where a problem +occurs with the internal disk space calculations. This has been known to +happen with Ultrix, but may occur with other operating systems. The symptom +that was seen was an error of "Abort Retry Ignore" at the end of each +directory listing.

+This setting allows the replacement of the internal routines to calculate the +total disk space and amount available with an external routine. The example +below gives a possible script that might fulfill this function.

+The external program will be passed a single parameter indicating a directory +in the filesystem being queried. This will typically consist of the string +"./". The script should return two integers in ascii. The first should be the +total disk space in blocks, and the second should be the number of available +blocks. An optional third return value can give the block size in bytes. The +default blocksize is 1024 bytes.

+Note: Your script should NOT be setuid or setgid and should be owned by +(and writable only by) root!

+Default: By default internal routines for determining the disk capacity +and remaining space will be used.

+Example: dfree command = /usr/local/samba/bin/dfree

+Where the script dfree (which must be made executable) could be

+

+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+
+or perhaps (on Sys V)

+

+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+
+Note that you may have to replace the command names with full path names on +some systems.

+ +

directory mask (S)

+A synonym for this parameter is 'directory mode'.

+This parameter is the octal modes which are used when converting DOS modes +to UNIX modes when creating UNIX directories.

+When a directory is created, the neccessary permissions are calculated +according to the mapping from DOS modes to UNIX permissions, and the resulting +UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be +thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit *not* +set here will be removed from the modes set on a directory when it is +created.

+The default value of this parameter removes the 'group' and 'other' write +bits from the UNIX mode, allowing only the user who owns the directory to +modify it.

+Following this Samba will bit-wise 'OR' the UNIX mode created from this +parameter with the value of the +force directory mode +parameter. This parameter is set to 000 by default (ie. no extra mode bits +are added).

+See the force directory mode +parameter to cause particular mode bits to always be set on created +directories.

+See also the create mask parameter +for masking mode bits on created files.

+Default: directory mask = 0755

+Example: directory mask = 0775

+ +

dns proxy (G)

+Specifies that nmbd should (as a WINS server), on finding that a NetBIOS name +has not been registered, treat the NetBIOS name word-for-word as a DNS name.

+Note that the maximum length for a NetBIOS name is 15 characters, so the DNS +name (or DNS alias) can likewise only be 15 characters, maximum.

+Default: dns proxy = yes

+ +

domain admin users (G)

+

+ +

domain controller (G)

+

This is wrong

+Specifies the DNS name or IP address of the machine to refer domain logons +from Win95 machines to. You should never need to set this parameter.

+Default: domain controller = no

+ +

domain groups (G)

+

-.B Default - No valid users list. (anyone can login)

+

domain guest users (G)

+

-.B Example - valid users = greg, @pcusers

+

domain hosts allow (G)

+

+

domain hosts deny (G)

+

- -

veto files(S)

-This is a list of files and directories that are neither visible nor -accessible. Each entry in the list must be separated by a "/", which -allows spaces to be included in the entry. '*' and '?' can be used to -specify multiple files or directories as in DOS wildcards.

+

domain logons (G)

+If set to Yes, the Samba server will serve Windows 95 domain +logons for the workgroup it is in. For more details on setting up this +feature see the file DOMAINS.txt in the Samba source documentation directory. +

+Default: domain logons = no

+ +

domain master (G)

+Enable WAN-wide browse list collation. Local master browsers on +broadcast-isolated subnets will give samba their local browse lists, and +ask for a complete copy of the browse list for the whole wide area network. +Browser clients will then contact their local master browser, and will +receive the domain-wide browse list, instead of just the list for their +broadcast-isolated subnet. There should only be one "domain master" for +each workgroup name.

+Default: domain master = no

+ +

domain other sid (G)

+

+ +

domain sid (G)

+

+ +

dont descend (S)

+There are certain directories on some systems (eg., the /proc tree under Linux) +that are either not of interest to clients or are infinitely deep (recursive). +This parameter allows you to specify a comma-delimited list of directories +that the server should always show as empty.

+Note that Samba can be very fussy about the exact format of the "dont descend" +entries. For example you may need "./proc" instead of just "/proc". +Experimentation is the best policy :-)

+Default: none (i.e., all directories are OK to descend)

+Example: dont descend = /proc,/dev

+ +

dos filetimes (S)

+Under DOS and Windows, if a user can write to a file they can change the +timestamp on it. Under POSIX semantics, only the owner of the file or root +may change the timestamp. By default, Samba runs with POSIX semantics and +refuses to change the timestamp on a file if the user smbd is acting on +behalf of is not the file owner. Setting this option to Yes allows DOS +semantics and smbd will change the file timstamp as DOS requires. This is a +correct implementation of a previous compile-time options (UTIME_WORKAROUND) +which was broken and is now removed.

+Default: dos filetimes = No

+Example: dos filetimes = Yes

+ +

dos filetime resolution (S)

+Under the DOS and Windows FAT filesystem, the finest granulatity on time +resolution is two seconds. Setting this parameter for a share causes Samba +to round the reported time down to the nearest two second boundary when a +query call that requires one second resolution is made to smbd.

+This option is mainly used as a compatibility option for Visual C++ when +used against Samba shares. If oplocks are enabled on a share, Visual C++ +uses two different time reading calls to check if a file has changed since +it was last read. One of these calls uses a one-second granularity, the +other uses a two second granularity. As the two second call rounds any odd +second down, then if the file has a timestamp of an odd number of seconds +then the two timestamps will not match and Visual C++ will keep reporting +the file has changed. Setting this option causes the two timestamps to +match, and Visual C++ is happy.

+Default: dos filetime resolution = No

+Example: dos filetime resolution = Yes

+ +

encrypt passwords (G)

+This boolean controls whether encrypted passwords will be negotiated with +the client. Note that Windows NT 4.0 SP3 and above will by default expect +encrypted passwords unless a registry entry is changed. To use encrypted +passwords in Samba see the file docs/ENCRYPTION.txt.

+Default: encrypt passwords = No

+ +

exec (S)

+A synonym for this is preexec.

+This option specifies a command to be run whenever a connection is made to +the service. It takes the usual substitutions.

+An interesting example is to send the users a welcome message every time +they log in. Maybe a message of the day? Here is an example:

+exec = csh -c 'echo \"Welcome to %S!\" | \ /usr/local/samba/bin/smbclient -M %m -I %I' &

+Of course, this could get annoying after a while :-)

+See also postexec

+Default: none (no command executed)

+Example: exec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

+ +

fake directory create times (S)

+NTFS and Windows VFAT file systems keep a create time for all files and +directories. This is not the same as the ctime - status change time - that +Unix keeps, so Samba by default reports the earliest of the various times +Unix does keep. Setting this parameter for a share causes Samba to always +report midnight 1-1-1980 as the create time for directories.

+This option is mainly used as a compatibility option for Visual C++ +when used against Samba shares. Visual C++ generated makefiles have the +object directory as a dependency for each object file, and a make rule +to create the directory. Also, when NMAKE compares timestamps it uses the +creation time when examining a directory. Thus the object directory will +be created if it does not exist, but once it does exist it will always +have an earlier timestamp than the object files it contains.

+However, Unix time semantics mean that the create time reported by Samba +will be updated whenever a file is created or deleted in the directory. +NMAKE therefore finds all object files in the object directory bar the last +one built are out of date compared to the directory and rebuilds them. +Enabling this option ensures directories always predate their contents and +an NMAKE build will proceed as expected.

+Default: fake directory create times = No

+Example: fake directory create times = Yes

+ +

fake oplocks (S)

+Oplocks are the way that SMB clients get permission from a server to locally +cache file operations. If a server grants an oplock (opportunistic +lock) then the client is free to assume that it is the only one accessing +the file and it will aggressively cache file data. With some oplock types +the client may even cache file open/close operations. This can give enormous +performance benefits.

+When you set "fake oplocks = yes" Samba will always grant oplock requests +no matter how many clients are using the file.

+By enabling this option on all read-only shares or shares that you know +will only be accessed from one client at a time you will see a big performance +improvement on many operations. If you enable this option on shares where +multiple clients may be accessing the files read-write at the same time +you can get data corruption. Use this option carefully!

+It is generally much better to use the real oplock support except for +physically read-only media such as CDROMs.

+Default: fake oplocks = No

+Example: fake oplocks = Yes

+ +

follow symlinks (S)

+This parameter allows the Samba administrator to stop smbd from following +symbolic links in a particular share. Setting this parameter to "No" prevents +any file or directory that is a symbolic link from being followed (the +user will get an error). This option is very useful to stop users from +adding a symbolic link to /etc/pasword in their home directory for instance. +However it will slow filename lookups down slightly.

+Default: follow symlinks = Yes (smbd will follow symbolic links)

+ +

force create mode (S)

+This parameter specifies a set of UNIX mode bit permissions that will *always* +be set on a file created by Samba. This is done by bitwise 'OR'ing these +bits onto the mode bits of a file that is being created. The modes in this +parameter are bitwise 'OR'ed onto the file mode after the mask set in the +create mask parameter is applied.

+See also the parameter create mask for details +on masking mode bits on created files.

+Default: force create mode = 000

+Example: force create mode = 0755

+would force all created files to have read and execute permissions set for +'group' and 'other' as well as the read/write/execute bits set for the +'user'.

+ +

force directory mode (S)

+This parameter specifies a set of UNIX mode bit permissions that will *always* +be set on a directory created by Samba. This is done by bitwise 'OR'ing these +bits onto the mode bits of a directory that is being created. The default for +this parameter is (in octel) 0000 which will not add any extra permission bits +to a created directory. This operation is done after the mode mask in the +parameter directory mask is applied.

+See also the parameter directory mask +for details on masking mode bits on created directories.

+Default: force directory mode = 000

+Example: force directory mode = 0755

+would force all created directories to have read and execute permissions +set for 'group' and 'other' as well as the read/write/execute bits set for +the 'user'.

+ +

force group (S)

+This specifies a group name that all connections to this service should be +made as. This may be useful for sharing files.

+Default: no forced group

+Example: force group = agroup

+ +

force user (S)

+This specifies a user name that all connections to this service should be +made as. This may be useful for sharing files. You should also use it +carefully as using it incorrectly can cause security problems.

+This user name only gets used once a connection is established. Thus clients +still need to connect as a valid user and supply a valid password. Once +connected, all file operations will be performed as the "forced user", +no matter what username the client connected as.

+Default: no forced user

+Example: force user = auser

+ +

getwd cache (G)

+This is a tuning option. When this is enabled a cacheing algorithm will be +used to reduce the time taken for getwd() calls. This can have a significant +impact on performance, especially when widelinks is No.

+Default:getwd cache = No

+Example:getwd cache = Yes

+ +

guest account (S)

+This is a username which will be used for access to services which are +specified as guest ok. Whatever privileges this +user has will be available to any client connecting to the guest service. +Typically this user will exist in the password file, but will not have a +valid login. If a username is specified in a given service, the specified +username overrides this one.

+One some systems the account "nobody" may not be able to print. Use another +account in this case. You should test this by trying to log in as your +guest user (perhaps by using the "su -" command) and trying to print using +lpr.

+Note that as of version 1.9 of Samba this option may be set differently +for each service.

+Default:specified at compile time

+Example:guest account = nobody + +

guest ok (S)

+A synonym for this parameter is 'public'.

+If this parameter is 'Yes' for a service, then no password is required +to connect to the service. Privileges will be those of the guest account.

+See the section below on +USERNAME/PASSWORD VALIDATION +for more information about this option.

+Default: guest ok = No

+Example: guest ok = Yes + +

guest only (S)

+If this parameter is 'Yes' for a service, then only guest connections to the +service are permitted. This parameter will have no affect if +guest ok is not set for the service.

+See the section below on +USERNAME/PASSWORD VALIDATION for +more information about this option.

+Default: guest only = No

+Example: guest only = Yes + +

hide dot files (S)

+This is a boolean parameter that controls whether files starting with a dot +appear as hidden files.

+Default: hide dot files = Yes

+Example: hide dot files = No

+ +

hide files (S)

+This is a list of files or directories that are not visible but are accessible. +The DOS 'hidden' attribute is applied to any files or directories that match.

+Each entry in the list must be separated by a "/", which allows spaces +to be included in the entry. '*' and '?' can be used to specify multiple +files or directories as in DOS wildcards.

+Each entry must be a unix path, not a DOS path and must not include the unix +directory separator "/".

+Note that the case sensitivity option is applicable in hiding files.

+Setting this parameter will affect the performance of Samba, as it will +be forced to check all files and directories for a match as they are scanned.

+See also hide dot files, +veto files and +case sensitive

+Default No files or directories are hidden by this option +(dot files are hidden by default because of the "hide dot files" option).

+Example hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

+The above example is based on files that the Macintosh client (DAVE) creates +for internal use, and also still hides all files beginning with a dot.

+ +

homedir map (G)

+If NIS homedir is Yes, this parameter specifies +the NIS (or YP) map from which the server for the user's home directory should +be extracted. At present, only the Sun auto.home map format is understood. +The form of the map is:

+    username server:/some/file/system

+and the program will extract the servername from before the first ':'. There +should probably be a better parsing system that copes with different map +formats and also Amd (another automounter) maps.

+NB: The -DNETGROUP option is required in the Makefile for option +to work and on some architectures the line -lrpcsvc needs to be added to +the LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX.

+See also NIS homedir

+Default: homedir map = auto.home

+Example: homedir map = amd.homedir + +

hosts allow (S)

+A synonym for this parameter is 'allow hosts'.

+This parameter is a comma delimited set of hosts which are permitted to access +a service.

+If specified in the [global] section then it will apply to all services, +regardless of whether the individual service has a different setting.

+You can specify the hosts by name or IP number. For example, you could restrict +access to only the hosts on a Class C subnet with something like +"hosts allow = 150.203.5.".

+You can also specify hosts by network/netmask pairs and by netgroup names +if your system supports netgroups. The EXCEPT keyword can also be used +to limit a wildcard list. The following examples may provide some help:

+Example 1: allow all IPs in 150.203.*.* except one

+  hosts allow = 150.203. EXCEPT 150.203.6.66

+Example 2: allow hosts that match the given network/netmask

+  hosts allow = 150.203.15.0/255.255.255.0

+Example 3: allow a couple of hosts

+  hosts allow = lapland, arvidsjaur

+Example 4: allow only hosts in netgroup "foonet" or localhost, but deny +access from one particular host

+  hosts allow = @foonet, localhost

+  hosts deny = pirate

+Note that access still requires suitable user-level passwords.

+See testparm(1) for a way of testing your host access to see if it +does what you expect.

+Default: none (i.e., all hosts permitted access)

+Example: hosts allow = 150.203.5. myhost.mynet.edu.au

+ +

hosts deny (S)

+A synonym for this parameter is 'deny hosts'.

+This is the opposite of hosts allow - hosts listed +here are NOT permitted access to services unless the specific services have +their own lists to override this one. Where the lists conflict, the 'allow' +list takes precedence.

+Default: none (i.e., no hosts specifically excluded)

+Example:hosts deny = 150.203.4. badhost.mynet.edu.au

+ +

hosts equiv (G)

+If this global parameter is a non-null string, it specifies the name of a +file to read for the names of hosts and users who will be allowed access +without specifying a password.

+This is not be confused with hosts allow which is +about hosts access to services and is more useful for guest services. +hosts equiv may be useful for NT clients which will not supply +passwords to samba.

+NOTE: The use of hosts.equiv can be a major security hole. This is because you +are trusting the PC to supply the correct username. It is very easy to get a +PC to supply a false username. I recommend that the hosts.equiv option be +only used if you really know what you are doing, or perhaps on a home network +where you trust your wife and kids :-)

+Default No host equivalences

+Example hosts equiv = /etc/hosts.equiv

+ +

include (G)

+This allows you to include one config file +inside another. The file is included literally, as though typed in place.

+It takes the standard substitutions, except %u, %P and %S

+ +

interfaces (G)

+This option allows you to setup multiple network interfaces, so that +Samba can properly handle browsing on all interfaces.

+The option takes a list of ip/netmask pairs. The netmask may either be a +bitmask, or a bitlength.

+For example, the following line:

+  interfaces = 192.168.2.10/24 192.168.3.10/24

+would configure two network interfaces with IP addresses 192.168.2.10 and +192.168.3.10. The netmasks of both interfaces would be set to 255.255.255.0.

+You could produce an equivalent result by using:

+  interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0

+if you prefer that format.

+If this option is not set then Samba will attempt to find a primary interface, +but won't attempt to configure more than one interface.

+ +

invalid users (S)

+This is a list of users that should not be allowed to login to this service. +This is really a "paranoid" check to absolutely ensure an improper setting +does not breach your security.

+A name starting with @ is interpreted as a UNIX group.

+The current servicename is substituted for %S. This is useful in the [homes] +section.

+See also valid users

+Default No invalid users

+Example invalid users = root fred admin @wheel

+ +

keepalive (G)

+The value of the parameter (an integer) represents the number of seconds +between 'keepalive' packets. If this parameter is zero, no keepalive packets +will be sent. Keepalive packets, if sent, allow the server to tell whether a +client is still present and responding.

+Default: keep alive = 300

+Example: keep alive = 60

+ +

lm announce (G)

+This parameter determines if Samba will produce Lanman announce broadcasts +that are needed by OS/2 clients in order for them to see the Samba server in +their browse list. This parameter can have three values, True, False, or Auto. +The default is Auto. If set to False Samba will never produce these broadcasts. +If set to True Samba will produce Lanman announce broadcasts at a frequency +set by the parameter lm interval. If set to Auto +Samba will not send Lanman announce broadcasts by default but will listen for +them. If it hears such a broadcast on the wire it will then start sending +them at a frequency set by the 'lm interval' parameter

+See also lm interval.

+Default: lm announce = Auto

+Example: lm announce = True

+ +

lm interval (G)

+If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients +(see the lm announce parameter) this +parameter defines the frequency in seconds with which they will be made. +If this is set to zero then no Lanman announcements will be made despite +the setting of the lm announce parameter.

+See also lm announce.

+Default: lm interval = 60

+Example: lm interval = 120

+ +

load printers (G)

+A boolean variable that controls whether all printers in the printcap +will be loaded for browsing by default.

+Default: load printers = Yes

+Example: load printers = No

+ +

local master (G)

+This option allows nmbd to become a local master browser on a subnet. If set +to No then nmbd will not attempt to become a local master browser on a subnet +and will also lose in all browsing elections. By default this value is set +to Yes. Setting this value to Yes doesn't mean that Samba will become the local +master browser on a subnet, just that the nmbd will participate in elections +for local master browser.

+Default: local master = yes

+ +

lock dir (G)

+This option specifies the directory where lock files will be placed. +The lock files are used to implement the +max connections option.

+Default: lock dir = /tmp/samba

+Example: lock dir = /usr/local/samba/var/locks

+ +

locking (S)

+This controls whether or not locking will be performed by the server in +response to lock requests from the client.

+If set to No, all lock and unlock requests will appear to succeed and all +lock queries will indicate that the queried lock is clear.

+If set to Yes, real locking will be performed by the server.

+This option may be particularly useful for read-only filesystems which do not +need locking (such as CDROM drives).

+Be careful about disabling locking either globally or in a specific +service, as lack of locking may result in data corruption.

+Default: locking = Yes

+Example: locking = No

+ +

log file (G)

+This options allows you to override the name of the Samba log file (also +known as the debug file).

+This option takes the standard substitutions, allowing you to have separate +log files for each user or machine.

+Example: log file = /usr/local/samba/var/log.%m

+ +

log level (G)

+A synonym for this is debuglevel

+The value of the parameter (an integer) allows the logging level (debug level) +to be specified in the smb.conf file. This is to give greater +flexibility in the configuration of the system.

+The default will be the logging level specified on the command line.

+Example: log level = 3 + +

logon drive (G)

+This parameter specifies the local path to which the home directory will be +connected (see logon home) and is only used by NT +Workstations.

+Example: logon drive = h:

+ +

logon home (G)

+This parameter specifies the home directory location when a Win95 or NT +Workstation logs into a Samba PDC. It allows you to do "NET USE H: /HOME" +from a command prompt, for example.

+This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine.

+Default: logon home = "\\%N\%U"

+Example: logon home = "\\remote_smb_server\%U"

+ +

logon path (G)

+This parameter specifies the home directory where roaming profiles (USER.DAT +/ USER.MAN files for Windows 95) are stored.

+This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine. It also specifies the directory from +which the "desktop", "start menu", "nethood" and "programs" folders, and their +contents, are loaded and displayed on your Windows 95 client.

+The share and the path must be readable by the user for the preferences and +directories to be loaded onto the Windows 95 client. The share must be +writeable when the user logs in for the first time, in order that the +Windows 95 client can create the user.dat and other directories.

+Thereafter, the directories and any of contents can, if required, be +made read-only. It is not adviseable that the USER.DAT file be made read-only +- rename it to USER.MAN to achieve the desired effect (a MANdatory profile).

+Windows clients can sometimes maintain a connection to the [homes] share, +even though there is no user logged in. Therefore, it is vital that the +logon path does not include a reference to the homes share (i.e +\\%N\HOMESprofile_path will cause problems).

+This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine.

+Default: logon path = \\%N\%U\profile

+Example: logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE

+ +

logon script (G)

+This parameter specifies the batch file (.bat) or NT command file (.cmd) to +be downloaded and run on a machine when a user successfully logs in. The file +must contain the DOS style cr/lf line endings. Using a DOS-style editor to +create the file is recommended.

+The script must be a relative path to the [netlogon] service. If the +[netlogon] service specifies a path of /usr/local/samba/netlogon, and logon +script = STARTUP.BAT, then file that will be downloaded is:

+  /usr/local/samba/netlogon/STARTUP.BAT

+The contents of the batch file is entirely your choice. A suggested command +would be to add NET TIME \\SERVER /SET /YES, to force every machine to +synchronise clocks with the same time server. Another use would be to add +NET USE U: \\SERVER\UTILS for commonly used utilities, or +NET USE Q: \\SERVER\ISO9001_QA.

+Note that it is particularly important not to allow write access to the +[netlogon] share, or to grant users write permission on the batch files +in a secure environment, as this would allow the batch files to be arbitrarily +modified.

+This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine.

+Example: logon script = scripts/%U.bat

+ +

lppause command (S)

+This parameter specifies the command to be executed on the server host in +order to stop printing or spooling a specific print job.

+This command should be a program or script which takes a printer name and +job number to pause the print job. Currently I don't know of any print spooler +system that can do this with a simple option, except for the PPR system from +Trinity College (ppr-dist.trincoll.edu/pub/ppr). One way of implementing this +is by using job priorities, where jobs having a too low priority won't be +sent to the printer. See also +lpresume command.

+If a %p is given then the printername is put in its place. A %j is replaced +with the job number (an integer). On HPUX (see +printing=hpux), if the -p%p +option is added to the lpq command, the job will show up with the correct +status, i.e. if the job priority is lower than the set fence priority it +will have the PAUSED status, whereas if the priority is equal or higher +it will have the SPOOLED or PRINTING status.

+Note that it is good practice to include the absolute path in the lppause +command as the PATH may not be available to the server.

+Default: Currently no default value is given to this string

+Example for HPUX: lppause command = /usr/bin/lpalt %p-%j -p0

+ +

lpq cache time (G)

+This controls how long lpq info will be cached for to prevent the lpq command +being called too often. A separate cache is kept for each variation of the +lpq command used by the system, so if you use different lpq commands for +different users then they won't share cache information.

+The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq +command in use.

+The default is 10 seconds, meaning that the cached results of a previous +identical lpq command will be used if the cached data is less than 10 seconds +old. A large value may be advisable if your lpq command is very slow.

+A value of 0 will disable cacheing completely.

+Default: lpq cache time = 10

+Example: lpq cache time = 30

+ +

lpq command (S)

+This parameter specifies the command to be executed on the server host +in order to obtain "lpq"-style printer status information.

+This command should be a program or script which takes a printer name as its +only parameter and outputs printer status information.

+Currently six styles of printer status information are supported; BSD, SYSV, +AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control +which type is expected using the printing option.

+Some clients (notably Windows for Workgroups) may not correctly send the +connection number for the printer they are requesting status information +about. To get around this, the server reports on the first printer service +connected to by the client. This only happens if the connection number sent +is invalid.

+If a %p is given then the printername is put in its place. Otherwise it is +placed at the end of the command.

+Note that it is good practice to include the absolute path in the lpq +command as the PATH may not be available to the server.

+Default: depends on the setting of printing

+Example: lpq command = /usr/bin/lpq %p

+ +

lpresume command (S)

+This parameter specifies the command to be executed on the server host in +order to restart or continue printing or spooling a specific print job.

+This command should be a program or script which takes a printer name and +job number to resume the print job. See also the +lppause command.

+If a %p is given then the printername is put in its place. +A %j is replaced with the job number (an integer).

+Note that it is good practice to include the absolute path in the lpresume +command as the PATH may not be available to the server.

+Default: Currently no default value is given to this string

+Example for HPUX: lpresume command = /usr/bin/lpalt %p-%j -p2

+ +

lprm command (S)

+This parameter specifies the command to be executed on the server host in +order to delete a print job.

+This command should be a program or script which takes a printer name +and job number, and deletes the print job.

+Currently seven styles of printer control are supported; BSD, SYSV, AIX HPUX, +QNX, LPRNG and PLP. This covers most UNIX systems. You control which type is +expected using the printing option.

+If a %p is given then the printername is put in its place. A +%j is replaced with the job number (an integer).

+Note that it is good practice to include the absolute path in the lprm +command as the PATH may not be available to the server.

+Default: depends on the setting of printing

+Example 1:lprm command = /usr/bin/lprm -P%p %j

+Example 2:lprm command = /usr/bin/cancel %p-%j

+ +

magic output (S)

+This parameter specifies the name of a file which will contain output +created by a magic script (see magic script +below).

+Warning: If two clients use the same magic script in the same directory the +output file content is undefined.

+Default: magic output = <magic script name>.out

+Example: magic output = myfile.txt

+ +

magic script (S)

+This parameter specifies the name of a file which, if opened, will be +executed by the server when the file is closed. This allows a UNIX script to +be sent to the Samba host and executed on behalf of the connected user.

+Scripts executed in this way will be deleted upon completion, permissions +permitting.

+If the script generates output, output will be sent to the file specified by +the magic output parameter.

+Note that some shells are unable to interpret scripts containing +carriage-return-linefeed instead of linefeed as the end-of-line marker. Magic +scripts must be executable "as is" on the host, which for some hosts and +some shells will require filtering at the DOS end.

+Magic scripts are EXPERIMENTAL and should NOT be relied upon.

+Default: None. Magic scripts disabled.

+Example: magic script = user.csh

+ +

mangle case (S)

+Controls if names that have characters that aren't of the "default" case are +mangled.

+See the section on NAME MANGLING

+ +

mangled map (S)

+This is for those who want to directly map UNIX file names which are not +representable on DOS. The mangling of names is not always what is needed. In +particular you may have documents with file extensions that differ between +DOS and UNIX. For example, under UNIX it is common to use .html for HTML +files, whereas under DOS .htm is more commonly used.

+So to map 'html' to 'htm' you put:

+mangled map = (*.html *.htm)

+One very useful case is to remove the annoying ;1 off the ends of filenames +on some CDROMS (only visible under some UNIXes). To do this use a map of +(*;1 *)

+default: no mangled map

+Example: mangled map = (*;1 *)

+ +

mangled names (S)

+This controls whether non-DOS names under UNIX should be mapped +to DOS-compatible names ("mangled") and made visible, or whether non-DOS +names should simply be ignored.

+See the section on NAME MANGLING for +details on how to control the mangling process.

+If mangling is used then the mangling algorithm is as follows: +

- the first (up to) five alphanumeric characters before the +rightmost dot of the filename are preserved, forced to upper case, and appear +as the first (up to) five characters of the mangled name.

+- a tilde ("~") is appended to the first part of the mangled name, followed +by a two-character unique sequence, based on the original root name (i.e., +the original filename minus its final extension). The final +extension is included in the hash calculation only if it contains any +upper case characters or is longer than three characters.

+Note that the character to use may be specified using the +mangling char option, if you don't like ~.

+- the first three alphanumeric characters of the final +extension are preserved, forced to upper case and appear as the extension +of the mangled name. The final extension is defined as that part of the +original filename after the rightmost dot. If there are no dots in the +filename, the mangled name will have no extension (except in the case +of hidden files - see below).

+- files whose UNIX name begins with a dot will be presented as DOS hidden +files. The mangled name will be created as for other filenames, but with the +leading dot removed and "___" as its extension regardless of actual original +extension (that's three underscores). +

+The two-digit hash value consists of upper case alphanumeric characters.

+This algorithm can cause name collisions only if files in a directory +share the same first five alphanumeric characters. The probability of such +a clash is 1/1300.

+The name mangling (if enabled) allows a file to be copied between UNIX +directories from DOS while retaining the long UNIX filename. UNIX files can +be renamed to a new extension from DOS and will retain the same basename. +Mangled names do not change between sessions.

+Default: mangled names = Yes

+Example: mangled names = No

+ +

mangling char (S)

+This controls what character is used as the "magic" character +in name mangling. The default is a ~ but this may interfere with some software. +Use this option to set it to whatever you prefer.

+Default: mangling char = ~

+Example: mangling char = ^

+ +

mangled stack (G)

+This parameter controls the number of mangled names that should be cached in +the Samba server.

+This stack is a list of recently mangled base names (extensions are only +maintained if they are longer than 3 characters or contains upper case +characters).

+The larger this value, the more likely it is that mangled +names can be successfully converted to correct long UNIX names. However, +large stack sizes will slow most directory access. Smaller stacks save +memory in the server (each stack element costs 256 bytes).

+It is not possible to absolutely guarantee correct long file names, so be +prepared for some surprises!

+Default: mangled stack = 50

+Example: mangled stack = 100

+ +

map archive (S)

+This controls whether the DOS archive attribute should +be mapped to the UNIX owner execute bit. The DOS archive bit is set when +a file has been modified since its last backup. One motivation for this +option it to keep Samba/your PC from making any file it touches from becoming +executable under UNIX. This can be quite annoying for shared source code, +documents, etc...

+Note that this requires the 'create mask' to be set such +that owner execute bit is not masked out (ie. it must include 100). See +the parameter create mask for details.

+Default: map archive = Yes

+Example: map archive = No

+ +

map hidden (S)

+This controls whether DOS style hidden files should be mapped to the UNIX +world execute bit.

+Note that this requires the 'create mask' to be set such that the world +execute bit is not masked out (ie. it must include 001). See the parameter +create mask for details.

+Default: map hidden = No

+Example: map hidden = Yes

+ +

map system (S)

+This controls whether DOS style system files should be mapped to the UNIX +group execute bit.

+Note that this requires the 'create mask' to be set such that the group +execute bit is not masked out (ie. it must include 010). See the parameter +create mask for details.

+Default: map system = No

+Example: map system = Yes

+ +

max connections (S)

+This option allows the number of simultaneous connections to a service to be +limited. If "max connections" is greater than 0 then connections will be +refused if this number of connections to the service are already open. A value +of zero mean an unlimited number of connections may be made.

+Record lock files are used to implement this feature. The lock files will be +stored in the directory specified by the +lock dir option.

+Default: max connections = 0

+Example: max connections = 10

+ +

max disk size (G)

+This option allows you to put an upper limit on the apparent size of disks. +If you set this option to 100 then all shares will appear to be not larger +than 100 MB in size.

+Note that this option does not limit the amount of data you can put on the +disk. In the above case you could still store much more than 100 MB on the +disk, but if a client ever asks for the amount of free disk space or the +total disk size then the result will be bounded by the amount specified in +"max disk size".

+This option is primarily useful to work around bugs in some pieces of +software that can't handle very large disks, particularly disks over 1GB in +size.

+A "max disk size" of 0 means no limit.

+Default: max disk size = 0

+Example: max disk size = 1000

+ +

max log size (G)

+This option (an integer in kilobytes) specifies the max size +the log file should grow to. Samba periodically checks the size and if +it is exceeded it will rename the file, adding a .old extension.

+A size of 0 means no limit.

+Default: max log size = 5000

+Example: max log size = 1000

+ +

max mux (G)

+This option controls the maximum number of outstanding simultaneous SMB +operations that samba tells the client it will allow. You should never need +to set this parameter.

+Default: max mux = 50

+ +

max packet (G)

+A synonym for this parameter is 'packet size'.

+The maximum transmit packet size during a raw read. This option is no longer +implemented as of version 1.7.00, and is kept only so old configuration files +do not become invalid.

+ +

max ttl (G)

+This option tells nmbd what the default 'time to live' of NetBIOS names should +be (in seconds) when nmbd is requesting a name using either a broadcast +or from a WINS server. You should never need to change this parameter.

+Default: max ttl = 14400

+ +

max wins ttl (G)

+This option tells nmbd when acting as a WINS server +(wins support = Yes) what the maximum 'time to +live' of NetBIOS names that nmbd will grant will be (in seconds). You should +never need to change this parameter. The default is 3 days (259200 +seconds).

+Default: max wins ttl = 259200

+ +

max xmit (G)

+This option controls the maximum packet size that will be negotiated by +Samba. The default is 65535, which is the maximum. In some cases you may find +you get better performance with a smaller value. A value below 2048 is likely +to cause problems.

+Default: max xmit = 65535

+Example: max xmit = 8192

+ +

message command (G)

+This specifies what command to run when the server receives a WinPopup style +message.

+This would normally be a command that would deliver the message somehow. +How this is to be done is up to your imagination.

+What I use is:

+message command = csh -c 'xedit %s;rm %s' &

+This delivers the message using xedit, then removes it afterwards. NOTE +THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why +I have the & on the end. If it doesn't return immediately then your PCs may +freeze when sending messages (they should recover after 30secs, hopefully).

+All messages are delivered as the global guest user. The command takes +the standard substitutions, although %u won't work (%U may be better in +this case).

+Apart from the standard substitutions, some additional ones apply. In +particular:

+%s = the filename containing the message

+%t = the destination that the message was sent to (probably the server name)

+%f = who the message is from

+You could make this command send mail, or whatever else takes your fancy. +Please let me know of any really interesting ideas you have.

+Here's a way of sending the messages as mail to root:

+message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

+If you don't have a message command then the message won't be delivered and +Samba will tell the sender there was an error. Unfortunately WfWg totally +ignores the error code and carries on regardless, saying that the message was +delivered.

+If you want to silently delete it then try "message command = rm %s".

+For the really adventurous, try something like this:

+message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \ + -M %m; rm %s' &

+this would execute the command as a script on the server, +then give them the result in a WinPopup message. Note that this could cause +a loop if you send a message from the server using smbclient! You better +wrap the above in a script that checks for this :-)

+Default: no message command

+Example: message command = csh -c 'xedit %s;rm %s' &

+ +

min print space (S)

+This sets the minimum amount of free disk space that must +be available before a user will be able to spool a print job. It is specified +in kilobytes. The default is 0, which means no limit.

+Default: min print space = 0

+Example: min print space = 2000

+ +

min wins ttl (G)

+This option tells nmbd when acting as a WINS server +(wins support = Yes) what the +minimum 'time to live' of NetBIOS names that nmbd will grant will be (in +seconds). You should never need to change this parameter. The default is +6 hours (21600 seconds).

+Default: min wins ttl = 21600

+ +

name resolve order (G)

+This option is used by the programs smbd, nmbd and smbclient +to determine what naming services and in what order to resolve host names +to IP addresses. This option is most useful in smbclient. The option takes +a space separated string of different name resolution options. These are +"lmhosts", "host", "wins" and "bcast". They cause names to be resolved +as follows :

+

+lmhosts	Lookup an IP address in the Samba lmhosts file.
+host	Do a standard host name to IP address resolution, using the 
+	system /etc/hosts, NIS, or DNS lookups. This method of name 
+	resolution is operating system depended (for instance on Solaris 
+	this may be controlled by the /etc/nsswitch.conf file). 
+wins	Query a name with the IP address listed in the "wins server ="
+	parameter. If no WINS server has been specified this method will
+	be ignored.
+bcast	Do a broadcast on each of the known local 
+	interfaces listed in the "interfaces =" parameter. This is the 
+	least reliable of the name resolution methods as it depends 
+	on the target host being on a locally connected subnet.
+
+The default order is lmhosts, host, wins, bcast and these name resolution +methods will be attempted in this order.

+This option was first introduced in Samba 1.9.18p4.

+Default: name resolve order = lmhosts host wins bcast

+example: name resolve order = lmhosts bcast host

+This will cause the local lmhosts file to be examined first, followed by a +broadcast attempt, followed by a normal system hostname lookup.

+ +

netbios aliases (G)

+This is a list of names that nmbd will advertise as additional names by which +the Samba server is known. This allows one machine to appear in browse +lists under multiple names. If a machine is acting as a browse server or +logon server none of these names will be advertised as either browse server +or logon servers, only the primary name of the machine will be advertised +with these capabilities.

+See also netbios name.

+Example:netbios aliases = TEST TEST1 TEST2

+ +

netbios name (G)

+This sets the NetBIOS name by which a Samba server is known. By default it is +the same as the first component of the host's DNS name. If a machine is a +browse server or logon server this name (or the first component of the hosts +DNS name) will be the name that these services are advertised under.

+See also netbios aliases.

+Example: netbios name = MYNAME

+ +

NIS homedir (G)

+Get the home share server from a NIS (or YP) map. For unix systems that use +an automounter, the user's home directory will often be mounted on a +workstation on demand from a remote server. When the Samba logon server is +not the actual home directory server, two network hops are required to access +the home directory and this can be very slow especially with writing via +Samba to an NFS mounted directory. This option allows samba to return the +home share as being on a different server to the logon server and as long as +a samba daemon is running on the home directory server, it will be mounted +on the Samba client directly from the directory server. When Samba is +returning the home share to the client, it will consult the NIS (or YP) map +specified in homedir map and return the server +listed there.

+Default: NIS homedir = No

+Example: NIS homedir = Yes

+ +

networkstation user login (G)

+This global parameter (new for 1.9.18p3) affects server level security. With +this set (recommended) samba will do a full NetWkstaUserLogon to confirm that +the client really should have login rights. This can cause problems with +machines in trust relationships in which case you can disable it here, +but be warned, we have heard that some NT machines will then allow anyone +in with any password! Make sure you test it.

+Default: networkstation user login = Yes

+Example: networkstation user login = No

+ +

null passwords (G)

+Allow or disallow access to accounts that have null passwords.

+Default: null passwords = No

+Example: null passwords = Yes

+ +

only user (S)

+This is a boolean option that controls whether connections with usernames not +in the username list will be allowed. By default this +option is disabled so a client can supply a username to be used by the +server.

+Note that this also means Samba won't try to deduce usernames from the +service name. This can be annoying for the [homes] section. To get around +this you could use "username = %S" which means your +"username" list will be just the service name, which for home directories +is the name of the user.

+Default: only user = No

+Example: only user = Yes

+ +

oplocks (S)

+This boolean option tells smbd whether to issue oplocks (opportunistic locks) +to file open requests on this share. The oplock code +was introduced in Samba 1.9.18 and can dramatically (approx 30% or more) +improve the speed of access to files on Samba servers. It allows the clients +to agressively cache files locally and you may want to disable this option +for unreliable network environments (it is turned on by default in Windows +NT Servers). For more information see the file Speed.txt in the Samba docs/ +directory.

+Oplocks may be selectively turned off on certain files on a per share basis. +See the veto oplock files parameter.

+Default: oplocks = Yes

+Example: oplocks = No

+ +

os level (G)

+This integer value controls what level Samba advertises itself as for browse +elections. See BROWSING.txt for details.

+ +

passwd chat debug (G)

+Default: passwd chat debug = No

+ +

passwd chat (G)

+This string controls the "chat" conversation that takes places +between smbd and the local password changing program to change the users +password. The string describes a sequence of response-receive pairs that +smbd uses to determine what to send to the passwd program and what to +expect back. If the expected output is not received then the password is +not changed.

+This chat sequence is often quite site specific, depending +on what local methods are used for password control (such as NIS+ etc).

+The string can contain the macros %o and %n which are substituted for +the old and new passwords respectively. It can also contain the standard +macros \n \r \t and \s to give line-feed, carriage-return, tab and space.

+The string can also contain a * which matches any sequence of characters.

+Double quotes can be used to collect strings with spaces in them into +a single string.

+If the send string in any part of the chat sequence is +a fullstop "." then no string is sent. Similarly, is the expect string is +a fullstop then no string is expected.

+Default: passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*

+Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \ + "*Reenter NEW password*" %n\n "*Password changed*"

+ +

passwd program (G)

+The name of a program that can be used to set user passwords.

+This is only necessary if you have enabled remote password changing at +compile time. Any occurrences of %u will be replaced with the user name.

+Also note that many passwd programs insist in "reasonable" +passwords, such as a minimum length, or the inclusion of mixed case chars +and digits. This can pose a problem as some clients (such as Windows for +Workgroups) uppercase the password before sending it.

+Default: passwd program = /bin/passwd

+Example: passwd program = /sbin/passwd %u

+ +

password level (G)

+Some client/server combinations have difficulty with mixed-case +passwords. One offending client is Windows for Workgroups, which for some +reason forces passwords to upper case when using the LANMAN1 protocol, +but leaves them alone when using COREPLUS!

+This parameter defines the maximum number of characters that may be upper +case in passwords.

+For example, say the password given was "FRED". If password level is set to +1 (one), the following combinations would be tried if "FRED" failed: "Fred", +"fred", "fRed", "frEd", "freD". If password level was set to 2 (two), the +following combinations would also be tried: "FRed", "FrEd", "FreD", "fREd", +"fReD", "frED". And so on.

+The higher value this parameter is set to the more likely it is that a mixed +case password will be matched against a single case password. However, you +should be aware that use of this parameter reduces security and increases the +time taken to process a new connection.

+A value of zero will cause only two attempts to be made - the password +as is and the password in all-lower case.

+If you find the connections are taking too long with this option then you +probably have a slow crypt() routine. Samba now comes with a fast "ufc crypt" +that you can select in the Makefile. You should also make sure the +PASSWORD_LENGTH option is correct for your system in local.h and includes.h. +On most systems only the first 8 chars of a password are significant so +PASSWORD_LENGTH should be 8, but on some longer passwords are significant. +The includes.h file tries to select the right length for your system.

+Default: password level = 0

+Example: password level = 4

+ +

password server (G)

+By specifying the name of another SMB server (such as a WinNT box) with this +option, and using "security = server" you can get +Samba to do all its username/password validation via a remote server.

+This options sets the name of the password server to use. It must be a netbios +name, so if the machine's netbios name is different from its internet name +then you may have to add its netbios name to /etc/hosts.

+Note that with Samba 1.9.18p4 and above the name of the password server is +looked up using the name resolve order +parameter and so may resolved by any method and order described in that +parameter.

+The password server much be a machine capable of using the "LM1.2X002" +or the "LM NT 0.12" protocol, and it must be in user level security mode.

+NOTE: Using a password server means your UNIX box (running Samba) is +only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER +THAT YOU DON'T COMPLETELY TRUST.

+Never point a Samba server at itself for password serving. This will cause a +loop and could lock up your Samba server!

+The name of the password server takes the standard substitutions, but +probably the only useful one is %m, which means the Samba server will +use the incoming client as the password server. If you use this then you +better trust your clients, and you better restrict them with +hosts allow!

+If you list several hosts in the "password server" option then smbd will +try each in turn till it finds one that responds. This is useful in case +your primary server goes down.

+If you are using a WindowsNT server as your password server then you will +have to ensure that your users are able to login from the Samba server, as +the network logon will appear to come from there rather than from the users +workstation.

+ +

path (S)

+A synonym for this parameter is "directory".

+This parameter specifies a directory to which the user of the service is to +be given access. In the case of printable services, this is where print data +will spool prior to being submitted to the host for printing.

+For a printable service offering guest access, the service should be readonly +and the path should be world-writable and have the sticky bit set. This is +not mandatory of course, but you probably won't get the results you expect if +you do otherwise.

+Any occurrences of %u in the path will be replaced with the username that the +client is connecting as. Any occurrences of %m will be replaced by the name +of the machine they are connecting from. These replacements are very useful +for setting up pseudo home directories for users.

+Note that this path will be based on +root directory if one was specified.

+Default: none

+Example: path = /home/fred

+ +

postexec (S)

+This option specifies a command to be run whenever the +service is disconnected. It takes the usual substitutions. The command may +be run as the root on some systems.

+An interesting example may be do unmount server resources:

+postexec = /etc/umount /cdrom

+See also preexec

+Default: none (no command executed)

+Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

+ +

postscript (S)

+This parameter forces a printer to interpret the print files as postscript. +This is done by adding a %! to the start of print output.

+This is most useful when you have lots of PCs that persist in putting a +control-D at the start of print jobs, which then confuses your printer.

+Default: postscript = No

+Example: postscript = Yes

+ +

preferred master (G)

+This boolean parameter controls if Samba is a preferred master browser for +its workgroup. If this is set to Yes, on startup, samba will force an +election, and it will have a slight advantage in winning the election. +It is recommended that this parameter is used in conjunction with +domain master = yes, so that samba can guarantee +becoming a domain master.

+Use this option with caution, because if there are several hosts (whether +samba servers, Windows 95 or NT) that are preferred master browsers on +the same subnet, they will each periodically and continuously attempt +to become the local master browser. This will result in unnecessary broadcast +traffic and reduced browsing capabilities.

+See os level = nn

+Default: preferred master = no

+ +

preload

+An alias is "auto services". This is a list of services that you want to be +automatically added to the browse lists. This is most useful for homes and +printers services that would otherwise not be visible.

+Note that if you just want all printers in your printcap file loaded then the +load printers option is easier.

+Default: no preloaded services

+Example: preload = fred lp colorlp

+ +

preserve case (S)

+This controls if new filenames are created with the case that +the client passes, or if they are forced to be the "default" case.

+Default: preserve case = no

+See the section on NAME MANGLING for a fuller +discussion.

+ +

print command (S)

+After a print job has finished spooling to a service, this command will be +used via a system() call to process the spool file. Typically the command +specified will submit the spool file to the host's printing subsystem, but +there is no requirement that this be the case. The server will not remove +the spool file, so whatever command you specify should remove the spool file +when it has been processed, otherwise you will need to manually remove old +spool files.

+The print command is simply a text string. It will be used verbatim, with +two exceptions: All occurrences of "%s" will be replaced by the appropriate +spool file name, and all occurrences of "%p" will be replaced by the +appropriate printer name. The spool file name is generated automatically by +the server, the printer name is discussed below.

+The full path name will be used for the filename if %s is not preceded by a +/. If you don't like this (it can stuff up some lpq output) then use %f +instead. Any occurrences of %f get replaced by the spool filename without +the full path at the front.

+The print command MUST contain at least one occurrence of "%s" or %f - +the "%p" is optional. At the time a job is submitted, if no printer name is +supplied the "%p" will be silently removed from the printer command.

+If specified in the [global] section, the print command given will be used for +any printable service that does not have its own print command specified.

+If there is neither a specified print command for a printable service nor a +global print command, spool files will be created but not processed and (most +importantly) not removed.

+Note that printing may fail on some UNIXes from the "nobody" account. If this +happens then create an alternative guest account that can print and set the +guest account in the [global] section.

+You can form quite complex print commands by realising that they are +just passed to a shell. For example the following will log a print job, +print the file, then remove it. Note that ; is the usual separator for +command in shell scripts.

+print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

+You may have to vary this command considerably depending on how you normally +print files on your system.

+Default: print command = lpr -r -P %p %s

+Example:print command = /usr/local/samba/bin/myprintscript %p %s

+ +

print ok (S)

+A synonym for this parameter is 'printable'.

+If this parameter is 'Yes', then clients may open, write to +and submit spool files on the directory specified for the service.

+Note that a printable service will ALWAYS allow writing to the service path +(user privileges permitting) via the spooling of print data. The +read only parameter controls only non-printing +access to the resource.

+Default: print ok = No

+Example: print ok = Yes

+ +

printcap name (G)

+This parameter may be used to override the compiled-in default printcap name +used by the server (usually /etc/printcap). On SystemV systems that +use lpstat to list available printers you can use "printcap name = lpstat" +to automatically obtain lists of available printers. This is the default +for systems that define SYSV at compile time in Samba (this includes +most SystemV based systems). If "printcap name" is set to lpstat on these +systems then Samba will launch "lpstat -v" and attempt to parse the output +to obtain a printer list.

+A minimal printcap file would look something like this:

+print1|My Printer 1
+print2|My Printer 2
+print3|My Printer 3
+print4|My Printer 4
+print5|My Printer 5

+where the | separates aliases of a printer. The fact that the second alias +has a space in it gives a hint to Samba that it's a comment.

+NOTE: Under AIX the default printcap name is "/etc/qconfig". +Samba will assume the file is in AIX "qconfig" format if the string "/qconfig" +appears in the printcap filename.

+Default: printcap name = /etc/printcap

+Example: printcap name = /etc/myprintcap

+ +

printer driver (S)

+This option allows you to control the string that clients receive when they +ask the server for the printer driver associated with a printer. If you are +using Windows95 or WindowsNT then you can use this to automate the setup of +printers on your system.

+You need to set this parameter to the exact string (case sensitive) that +describes the appropriate printer driver for your system. If you don't know +the exact string to use then you should first try with no "printer driver" +option set and the client will give you a list of printer drivers. The +appropriate strings are shown in a scrollbox after you have chosen the +printer manufacturer.

+Example: printer driver = HP LaserJet 4L

+ +

printer name (S)

+A synonym for this parameter is 'printer'.

+This parameter specifies the name of the printer to which print jobs spooled +through a printable service will be sent.

+If specified in the [global] section, the printer name given will be used for +any printable service that does not have its own printer name specified.

+Default: none (but may be 'lp' on many systems)

+Example: printer name = laserwriter

+ +

printer driver file (G)

+This parameter tells Samba where the printer driver definition file, used +when serving drivers to Windows 95 clients, is to be found. If this is not +set, the default is :

+SAMBA_INSTALL_DIRECTORY/lib/printers.def

+This file is created from Windows 95 'msprint.def' files found on the Windows +95 client system. For more details on setting up serving of printer drivers +to Windows 95 clients, see the documentation file docs/PRINTER_DRIVER.txt.

+Default: None (set in compile).

+Example: printer driver file = /usr/local/samba/printers/drivers.def

+Related parameters. +printer driver location

+ +

printer driver location (S)

+This parameter tells clients of a particular printer share where to find the +printer driver files for the automatic installation of drivers for Windows 95 +machines. If Samba is set up to serve printer drivers to Windows 95 machines, +this should be set to

+\\MACHINE\PRINTER$

+Where MACHINE is the NetBIOS name of your Samba +server, and PRINTER$ is a share you set up for serving printer driver +files. For more details on setting this up see the documentation file +docs/PRINTER_DRIVER.txt.

+Default: None

+Example: printer driver location = \\MACHINE\PRINTER$

+Related paramerers. +printer driver file

+ +

printing (S)

+This parameters controls how printer status information is interpreted +on your system, and also affects the default values for the +print command, +lpq command and +lprm command.

+Currently six printing styles are supported. They are bsd, sysv, hpux, aix, +qnx and plp.

+To see what the defaults are for the other print commands when using these +options use the "testparm" program.

+As of version 1.9.18 of Samba this option can be set on a per printer basis

+Example: printing = sysv

+ +

protocol (G)

+The value of the parameter (a string) is the highest protocol level that will +be supported by the server.

+Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative +merits of each are discussed in the README file.

+Normally this option should not be set as the automatic negotiation phase in +the SMB protocol takes care of choosing the appropriate protocol.

+Default: protocol = NT1

+Example: protocol = LANMAN1

+ +

read bmpx (S)

+Default: read bmpx = Yes

+ +

read list (S)

+This is a list of users that are given read-only access to a service. +If the connecting user is in this list then they will not be given write +access, no matter what the read only option is set +to. The list can include group names using the @group syntax.

+See also the write list option

+Default: read list =

+Example: read list = mary, @students

+ +

read only (S)

+Inverted synonyms for this parameter are 'writable' and 'write ok'.

+If this parameter is 'Yes', then users of the service may not create or +modify files in the service's directory.

+Note that a printable service ('printable = Yes') +will ALWAYS allow writing to the directory (user privileges permitting), but +only via spooling operations.

+Default: read only = Yes

+Examples: read only = No
+writable = No
+write ok = Yes

+ +

read prediction (G)

+This options enables or disables the read prediction code used to speed up +reads from the server. When enabled the server will try to pre-read data +from the last accessed file that was opened read-only while waiting for +packets.

+Default: read prediction = No

+Example: read prediction = Yes

+ +

read raw (G)

+This parameter controls whether or not the server will support raw reads when +transferring data to clients.

+If enabled, raw reads allow reads of 65535 bytes in one packet. This typically +provides a major performance benefit.

+However, some clients either negotiate the allowable block size incorrectly +or are incapable of supporting larger block sizes, and for these clients you +may need to disable raw reads.

+In general this parameter should be viewed as a system tuning tool and left +severely alone. See also write raw.

+Default: read raw = Yes

+Example: read raw = No

+ +

read size (G)

+The option "read size" affects the overlap of disk reads/writes with network +reads/writes. If the amount of data being transferred in several of the SMB +commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger than this +value then the server begins writing the data before it has received the +whole packet from the network, or in the case of SMBreadbraw, it begins +writing to the network before all the data has been read from disk.

+This overlapping works best when the speeds of disk and network access are +similar, having very little effect when the speed of one is much greater +than the other.

+The default value is 2048, but very little experimentation has been done +yet to determine the optimal value, and it is likely that the best value +will vary greatly between systems anyway. A value over 65536 is pointless +and will cause you to allocate memory unnecessarily.

+Default: read size = 2048

+Example: read size = 8192

+ +

remote announce (G)

+This option allows you to setup nmbd to periodically announce itself to +arbitrary IP addresses with an arbitrary workgroup name.

+This is useful if you want your Samba server to appear in a remote workgroup +for which the normal browse propagation rules don't work. The remote +workgroup can be anywhere that you can send IP packets to.

+For example:

+remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

+the above line would cause nmbd to announce itself to the two given IP +addresses using the given workgroup names. If you leave out the workgroup +name then the one given in the workgroup option is +used instead.

+The IP addresses you choose would normally be the broadcast +addresses of the remote networks, but can also be the IP addresses of +known browse masters if your network config is that stable.

+This option replaces similar functionality from the nmbd lmhosts file.

+ +

remote browse sync (G)

+This option allows you to setup nmbd to periodically request +synchronisation of browse lists with the master browser of a samba server +that is on a remote segment. This option will allow you to gain browse +lists for multiple workgroups across routed networks. This is done in a +manner that does not work with any non-samba servers.

+This is useful if you want your Samba server and all local clients to appear +in a remote workgroup for which the normal browse propagation rules don't +work. The remote workgroup can be anywhere that you can send IP packets to.

+For example:

+remote browse sync = 192.168.2.255 192.168.4.255

+the above line would cause nmbd to request the master browser on the +specified subnets or addresses to synchronise their browse lists with the +local server.

+The IP addresses you choose would normally be the broadcast addresses +of the remote networks, but can also be the IP addresses of known browse +masters if your network config is that stable. If a machine IP address +is given Samba makes NO attempt to validate that the remote machine is +available, is listening, nor that it is in fact the browse master on it's +segment.

+ +

revalidate (S)

+This options controls whether Samba will allow a previously validated +username/password pair to be used to attach to a share. Thus if you connect +to \\server\share1 then to \\server\share2 it won't automatically allow the +client to request connection to the second share as the same username as the +first without a password.

+If "revalidate" is Yes then the client will be denied automatic access as +the same username.

+Default: revalidate = No

+Example: revalidate = Yes

+ +

root directory (G)

+Synonyms for this parameter are 'root dir' and 'root'.

+The server will chroot() to this directory on startup. This is not strictly +necessary for secure operation. Even without it the server will deny access +to files not in one of the service entries. It may also check for, and deny +access to, soft links to other parts of the filesystem, or attempts to use +.. in file names to access other directories (depending on the setting of +the wide links parameter).

+Adding a "root dir" entry other than "/" adds an extra level +of security, but at a price. It absolutely ensures that no access is given +to files not in the sub-tree specified in the "root dir" option, *including* +some files needed for complete operation of the server. To maintain full +operability of the server you will need to mirror some system files into +the "root dir" tree. In particular you will need to mirror /etc/passwd +(or a subset of it), and any binaries or configuration files needed for +printing (if required). The set of files that must be mirrored is operating +system dependent.

+Default: root directory = /

+Example: root directory = /homes/smb

+ +

root postexec (S)

+This is the same as postexec except that +the command is run as root. This is useful for unmounting filesystems (such +as CDROMS) after a connection is closed.

+ +

root preexec (S)

+This is the same as exec except that the command is run +as root. This is useful for mounting filesystems (such as CDROMS) before a +connection is finalised.

+ +

security (G)

+This option affects how clients respond to Samba.

+The option sets the "security mode bit" in replies to protocol negotiations +to turn share level security on or off. Clients decide based on this bit +whether (and how) to transfer user and password information to the server.

+The default is "security=SHARE", mainly because that was the only option at +one stage.

+The alternatives are "security = user" or "security = server".

+If your PCs use usernames that are the same as their usernames on the +UNIX machine then you will want to use "security = user". If you mostly +use usernames that don't exist on the UNIX box then use "security = share".

+There is a bug in WfWg that may affect your decision. When in user level +security a WfWg client will totally ignore the password you type in the +"connect drive" dialog box. This makes it very difficult (if not impossible) +to connect to a Samba service as anyone except the user that you are logged +into WfWg as.

+If you use "security = server" then Samba will try to validate +the username/password by passing it to another SMB server, such as an +NT box. If this fails it will revert to "security = USER".

+See the password server option for more +details.

+Default: security = SHARE

+Example: security = USER

+ +

server string (G)

+This controls what string will show up in the printer comment box in print +manager and next to the IPC connection in "net view". It can be any string +that you wish to show to your users.

+It also sets what will appear in browse lists next to the machine name.

+A %v will be replaced with the Samba version number.

+A %h will be replaced with the hostname.

+Default: server string = Samba %v

+Example: server string = University of GNUs Samba Server

+ +

set directory (S)

+If 'set directory = No', then users of the service may not use the setdir +command to change directory.

+The setdir command is only implemented in the Digital Pathworks +client. See the Pathworks documentation for details.

+Default: set directory = No

+Example: set directory = Yes

+ +

shared mem size (G)

+This parameter is only useful when Samba has been compiled with +FAST_SHARE_MODES. It specifies the size of the shared +memory (in bytes) to use between smbd processes. You should never change +this parameter unless you have studied the source and know what you are +doing. This parameter defaults to 1024 multiplied by the setting of the +maximum number of open files in the file local.h in the Samba source code. +MAX_OPEN_FILES is normally set to 100, so this parameter defaults to 102400 +bytes.

+Default shared mem size = 102400

+ +

smb passwd file (G)

+This option sets the path to the encrypted smbpasswd file. This is a +*VERY DANGEROUS OPTION* if the smb.conf is user writable. By default the +path to the smbpasswd file is compiled into Samba.

+ +

smbrun (G)

+This sets the full path to the smbrun binary. This defaults to the value in +the Makefile.

+You must get this path right for many services to work correctly.

+Default: taken from Makefile

+Example: smbrun = /usr/local/samba/bin/smbrun

+ +

share modes (S)

+This enables or disables the honouring of the "share modes" during a file +open. These modes are used by clients to gain exclusive read or write access +to a file.

+These open modes are not directly supported by UNIX, so they are simulated +using lock files in the lock dir. The "lock dir" +specified in smb.conf must be readable by all users.

+The share modes that are enabled by this option are DENY_DOS, DENY_ALL, +DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.

+Enabling this option gives full share compatibility but may cost a bit of +processing time on the UNIX server. They are enabled by default.

+Default: share modes = Yes

+Example: share modes = No

+ +

short preserve case (S)

+This controls if new short filenames are created with the case that the client +passes, or if they are forced to be the "default" case.

+Default: short preserve case = No

+See the section on NAME MANGLING for a fuller +discussion.

+ +

socket address (G)

+This option allows you to control what address Samba will listen for +connections on. This is used to support multiple virtual interfaces on the +one server, each with a different configuration.

+By default samba will accept connections on any address.

+Example: socket address = 192.168.2.20

+ +

socket options (G)

+This option (which can also be invoked with the -O command line option) allows +you to set socket options to be used when talking with the client.

+Socket options are controls on the networking layer of the operating systems +which allow the connection to be tuned.

+This option will typically be used to tune your Samba server for optimal +performance for your local network. There is no way that Samba can know what +the optimal parameters are for your net, so you must experiment and choose +them yourself. I strongly suggest you read the appropriate documentation for +your operating system first (perhaps "man setsockopt" will help).

+You may find that on some systems Samba will say "Unknown socket option" when +you supply an option. This means you either mis-typed it or you need to add +an include file to includes.h for your OS. If the latter is the case please +send the patch to me (samba-bugs@samba.anu.edu.au).

+Any of the supported socket options may be combined in any way you like, as +long as your OS allows it.

+This is the list of socket options currently settable using this option:

+SO_KEEPALIVE
+SO_REUSEADDR
+SO_BROADCAST
+TCP_NODELAY
+IPTOS_LOWDELAY
+IPTOS_THROUGHPUT
+SO_SNDBUF *
+SO_RCVBUF *
+SO_SNDLOWAT *
+SO_RCVLOWAT *

+Those marked with a * take an integer argument. The others can optionally take +a 1 or 0 argument to enable or disable the option, by default they will +be enabled if you don't specify 1 or 0.

+To specify an argument use the syntax SOME_OPTION=VALUE for example +SO_SNDBUF=8192. Note that you must not have any spaces before or after the = +sign.

+If you are on a local network then a sensible option might be

+socket options = IPTOS_LOWDELAY

+If you have an almost unloaded local network and you don't mind a lot +of extra CPU usage in the server then you could try

+socket options = IPTOS_LOWDELAY TCP_NODELAY

+If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT.

+Note that several of the options may cause your Samba server to fail +completely. Use these options with caution!

+Default: no socket options

+Example: socket options = IPTOS_LOWDELAY

+ +

status (G)

+This enables or disables logging of connections to a status +file that smbstatus can read.

+With this disabled smbstatus won't be able to tell you what connections +are active.

+Default: status = Yes

+Example: status = No

+ +

strict locking (S)

+This is a boolean that controls the handling of file locking in the server. +When this is set to yes the server will check every read and write access +for file locks, and deny access if locks exist. This can be slow on some +systems.

+When strict locking is "no" the server does file lock checks only when the +client explicitly asks for them.

+Well behaved clients always ask for lock checks when it is important, +so in the vast majority of cases "strict locking = no" is preferable.

+Default: strict locking = No

+Example: strict locking = Yes

+ +

strip dot (G)

+This is a boolean that controls whether to strip trailing dots off +UNIX filenames. This helps with some CDROMs that have filenames ending +in a single dot.

+Default: strip dot = No

+Example: strip dot = Yes

+ +

syslog (G)

+This parameter maps how Samba debug messages are logged onto +the system syslog logging levels. Samba debug level zero maps onto syslog +LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps to +LOG_NOTICE, debug level three maps onto LOG_INFO. The paramter sets the +threshold for doing the mapping, all Samba debug messages above this threashold +are mapped to syslog LOG_DEBUG messages.

+Default: syslog = 1

+ +

syslog only (G)

+If this parameter is set then Samba debug messages are logged +into the system syslog only, and not to the debug log files.

+Default: syslog only = no

+ +

sync always (S)

+This is a boolean parameter that controls whether writes will always be +written to stable storage before the write call returns. If this is No then +the server will be guided by the client's request in each write call (clients +can set a bit indicating that a particular write should be synchronous). If +this is Yes then every write will be followed by a fsync() call to ensure the +data is written to disk.

+Default: sync always = No

+Example: sync always = Yes

+ +

time offset (G)

+This parameter is a setting in minutes to add to the normal GMT to local time +conversion. This is useful if you are serving a lot of PCs that have incorrect +daylight saving time handling.

+Default: time offset = 0

+Example: time offset = 60

+ +

time server (G)

+This parameter determines if nmbd advertises itself as a time server to +Windows clients.

+Default: time server = No

+Example: time server = Yes

+ +

unix realname (G)

+This boolean parameter when set causes samba to supply the real name field +from the unix password file to the client. This is useful for setting up mail +clients and WWW browsers on systems used by more than one person.

+Default: unix realname = No

+Example: unix realname = Yes

+ +

update encrypted (S)

+Default: update encrypted = No

+ +

use rhosts (S)

+Default: use rhosts = No

+ +

username (S)

+A synonym for this parameter is 'user'.

+Multiple users may be specified in a comma-delimited list, in which case the +supplied password will be tested against each username in turn (left to +right).

+The username= line is needed only when the PC is unable to supply its own +username. This is the case for the coreplus protocol or where your users have +different WfWg usernames to UNIX usernames. In both these cases you may also +be better using the \\server\share%user syntax instead.

+The username= line is not a great solution in many cases as it means Samba +will try to validate the supplied password against each of the usernames in +the username= line in turn. This is slow and a bad idea for lots of users in +case of duplicate passwords. You may get timeouts or security breaches using +this parameter unwisely.

+Samba relies on the underlying UNIX security. This parameter does not restrict +who can login, it just offers hints to the Samba server as to what usernames +might correspond to the supplied password. Users can login as whoever they +please and they will be able to do no more damage than if they started a +telnet session. The daemon runs as the user that they log in as, so they +cannot do anything that user cannot do.

+To restrict a service to a particular set of users you can use the +valid users line.

+If any of the usernames begin with a @ then the name will be looked +up in the groups file and will expand to a list of all users in the group +of that name. Note that searching though a groups file can take quite some +time, and some clients may time out during the search.

+See the section below on +USERNAME/PASSWORD VALIDATION +for more information on how this parameter determines access to the services.

+Default: The guest account if a guest service, else the name of the service.

+Examples:username = fredusername = fred, mary, jack, jane, @users, @pcgroup

+ +

username level (G)

+This option helps Samba to try and 'guess' at the real UNIX username, +as many DOS clients send an all-uppercase username. By default Samba tries +all lowercase, followed by the username with the first letter capitalized, +and fails if the username is not found on the UNIX machine.

+If this parameter is set to non-zero the behaviour changes. This parameter +is a number that specifies the number of uppercase combinations to try whilst +trying to determine the UNIX user name. The higher the number the more +combinations will be tried, but the slower the discovery of usernames will be. +Use this parameter when you have strange usernames on your UNIX machine, +such as 'AstrangeUser'.

+Default: username level = 0

+Example: username level = 5

+ +

username map (G)

+This option allows you to to specify a file containing +a mapping of usernames from the clients to the server. This can be used +for several purposes. The most common is to map usernames that users use +on DOS or Windows machines to those that the UNIX box uses. The other is +to map multiple users to a single username so that they can more easily +share files.

+The map file is parsed line by line. Each line should contain +a single UNIX username on the left then a '=' followed by a list of usernames +on the right. The list of usernames on the right may contain names of the +form @group in which case they will match any UNIX username in that group. +The special client name '*' is a wildcard and matches any name.

+The file is processed on each line by taking the supplied username and +comparing it with each username on the right hand side of the '=' signs. If +the supplied name matches any of the names on the right hand side then it is +replaced with the name on the left. Processing then continues with the next +line.

+If any line begins with a '#' or a ';' then it is ignored

+If any line begins with an ! then the processing will stop after that line if +a mapping was done by the line. Otherwise mapping continues with every line +being processed. Using ! is most useful when you have a wildcard mapping line +later in the file.

+For example to map from the name "admin" or "administrator" to the UNIX name +"root" you would use

+root = admin administrator

+Or to map anyone in the UNIX group "system" to the UNIX name "sys" you would +use

+sys = @system

+You can have as many mappings as you like in a username map file.

+You can map Windows usernames that have spaces in them by using +double quotes around the name. For example:

+tridge = "Andrew Tridgell"

+would map the windows username "Andrew Tridgell" to the unix username +tridge.

+The following example would map mary and fred to the unix user +sys, and map the rest to guest. Note the use of the ! to tell Samba to +stop processing if it gets a match on that line.

+!sys = mary fred guest = *

+Note that the remapping is applied to all occurrences of usernames. +Thus if you connect to "\\server\fred" and "fred" is remapped to "mary" then +you will actually be connecting to "\\server\mary" and will need to supply +a password suitable for "mary" not "fred". The only exception to this is +the username passed to the password server +(if you have one). The password server will receive whatever username the +client supplies without modification.

+Also note that no reverse mapping is done. The main effect this has is +with printing. Users who have been mapped may have trouble deleting print +jobs as PrintManager under WfWg will think they don't own the print job.

+Default no username map

+Example username map = /usr/local/samba/lib/users.map

+ +

valid chars (S)

+The option allows you to specify additional characters that should be +considered valid by the server in filenames. This is particularly +useful for national character sets, such as adding u-umlaut or a-ring.

+The option takes a list of characters in either integer or character form +with spaces between them. If you give two characters with a colon between +them then it will be taken as an lowercase:uppercase pair.

+If you have an editor capable of entering the characters into the config file +then it is probably easiest to use this method. Otherwise you can specify the +characters in octal, decimal or hexadecimal form using the usual C notation.

+For example to add the single character 'Z' to the charset (which is a +pointless thing to do as it's already there) you could do one of the following +

+valid chars = Z
+valid chars = z:Z
+valid chars = 0132:0172

+The last two examples above actually add two characters, and alter the +uppercase and lowercase mappings appropriately.

+Note that you MUST specify this parameter after the +client code page parameter if you have both +set. If "client code page" is set after the "valid chars" parameter the +"valid chars" settings will be overwritten.

+See also the client code page parameter.

+Default: Samba defaults to using a reasonable set of valid characters +for english systems

+Example: valid chars = 0345:0305 0366:0326 0344:0304

+The above example allows filenames to have the swedish characters in them.

+NOTE: It is actually quite difficult to correctly produce a "valid chars" line +for a particular system. To automate the process tino@augsburg.net +has written a package called "validchars" which will automatically produce +a complete "valid chars" line for a given client system. Look in the examples +subdirectory for this package.

+ +

valid users (S)

+This is a list of users that should be allowed to login to this service. A +name starting with @ is interpreted as a UNIX group.

+If this is empty (the default) then any user can login. If a username is in +both this list and the invalid users list then +access is denied for that user.

+The current servicename is substituted for %S. This is useful in the [homes] +section.

+See also invalid users

+Default No valid users list. (anyone can login)

+Example valid users = greg, @pcusers

+ +

veto files (S)

+This is a list of files and directories that are neither visible nor +accessible. Each entry in the list must be separated by a "/", which allows +spaces to be included in the entry. '*' and '?' can be used to specify +multiple files or directories as in DOS wildcards.

Each entry must be a unix path, not a DOS path and must not include the -unix directory separator "/".

- -Note that the case sensitivity option is applicable in vetoing files.

- -One feature of the veto files parameter that it is important to be -aware of, is that if a directory contains nothing but files that -match the veto files parameter (which means that Windows/DOS clients -cannot ever see them) is deleted, the veto files within that directory -*are automatically deleted* along with it, if the user has UNIX permissions -to do so. - -Setting this parameter will affect the performance of Samba, as -it will be forced to check all files and directories for a match -as they are scanned.

- -See also "hide files" and "case sensitive"

- -.B Default - No files or directories are vetoed.

- -.B Examples - Example 1. - Veto any files containing the word Security, - any ending in .tmp, and any directory containing the - word root.

- - veto files = /*Security*/*.tmp/*root*/

- - Example 2. - Veto the Apple specific files that a NetAtalk server - creates.

- - veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

- - -

veto oplock files (S)

-This parameter is only valid when the 'oplocks' parameter is turned on -for a share. It allows the Samba administrator to selectively turn off -the granting of oplocks on selected files that match a wildcarded list, -similar to the wildcarded list used in the 'veto files' parameter.

- -.B Default - No files are vetoed for oplock grants.

- -.B Examples -You might want to do this on files that you know will be heavily -contended for by clients. A good example of this is in the NetBench -SMB benchmark program, which causes heavy client contention for files -ending in .SEM. To cause Samba not to grant oplocks on these files -you would use the line (either in the [global] section or in the section -for the particular NetBench share :

- - veto oplock files = /*.SEM/

- - -

volume (S)

-This allows you to override the volume label returned for a -share. Useful for CDROMs with installation programs that insist on a -particular volume label.

- -The default is the name of the share

- - -

wide links (S)

-This parameter controls whether or not links in the UNIX file system may be -followed by the server. Links that point to areas within the directory tree -exported by the server are always allowed; this parameter controls access -only to areas that are outside the directory tree being exported.

- -.B Default: - wide links = yes

- -.B Example: - wide links = no

- - -

wins proxy (G)

- -This is a boolean that controls if nmbd will respond to broadcast name -queries on behalf of other hosts. You may need to set this to no for -some older clients.

- -.B Default: - wins proxy = no - -

wins server (G)

+unix directory separator "/".

+Note that the case sensitivity option is applicable in vetoing files.

+One feature of the veto files parameter that it is important to be aware of, +is that if a directory contains nothing but files that match the veto files +parameter (which means that Windows/DOS clients cannot ever see them) is +deleted, the veto files within that directory *are automatically deleted* +along with it, if the user has UNIX permissions to do so.Setting this +parameter will affect the performance of Samba, as it will be forced to check +all files and directories for a match as they are scanned.

+See also hide files and +case sensitive

+Default No files or directories are vetoed.

+Examples Example 1. Veto any files containing the word Security, any +ending in .tmp, and any directory containing the word root.

+veto files = /*Security*/*.tmp/*root*/

+Example 2. Veto the Apple specific files that a NetAtalk server creates.

+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

+ +

veto oplock files (S)

+This parameter is only valid when the oplocks +parameter is turned on for a share. It allows the Samba administrator to +selectively turn off the granting of oplocks on selected files that match +a wildcarded list, similar to the wildcarded list used in the +veto files parameter.

+Default No files are vetoed for oplock grants.

+Examples You might want to do this on files that you know will be +heavily contended for by clients. A good example of this is in the NetBench +SMB benchmark program, which causes heavy client contention for files ending +in .SEM. To cause Samba not to grant oplocks on these files you would use the +line (either in the [global] section or in the section for the particular +NetBench share :

+veto oplock files = /*.SEM/

+ +

volume (S)

+This allows you to override the volume label returned for a share. Useful for +CDROMs with installation programs that insist on a particular volume label.

+The default is the name of the share

+ +

wide links (S)

+This parameter controls whether or not links in the UNIX file system may be +followed by the server. Links that point to areas within the directory tree +exported by the server are always allowed; this parameter controls access only +to areas that are outside the directory tree being exported.

+Default: wide links = Yes

+Example: wide links = No

+ +

wins proxy (G)

+This is a boolean that controls if nmbd will respond to broadcast name queries +on behalf of other hosts. You may need to set this to no for some older +clients.

+Default: wins proxy = No

+

wins server (G)

This specifies the DNS name (or IP address) of the WINS server that Samba -should register with. If you have a WINS server on your network then you -should set this to the WINS servers name.

- -You should point this at your WINS server if you have a multi-subnetted -network. -.B Default: - wins server =

- - -

wins support (G)

- +should register with. If you have a WINS server on your network then you +should set this to the WINS servers name.

+You should point this at your WINS server if you have a multi-subnetted +network.

+Default: wins server =

+ +

wins support (G)

This boolean controls if the nmbd process in Samba will act as a WINS server. -You should not set this to true unless you have a multi-subnetted network and -you wish a particular nmbd to be your WINS server. Note that you -should *NEVER* set this to true on more than one machine in your -network.

- -.B Default: - wins support = no

- - -

workgroup (G)

- -This controls what workgroup your server will appear to be in when -queried by clients.

- -.B Default: - set in the Makefile

- -.B Example: - workgroup = MYGROUP

- - -

writable (S)

-A synonym for this parameter is 'write ok'. An inverted synonym is 'read only'.

- -If this parameter is 'no', then users of a service may not create or modify -files in the service's directory.

- -Note that a printable service ('printable = yes') will ALWAYS allow -writing to the directory (user privileges permitting), but only via -spooling operations.

- -.B Default: - writable = no

- -.B Examples: - read only = no - writable = yes - write ok = yes - -

write list (S)

-This is a list of users that are given read-write access to a -service. If the connecting user is in this list then they will be -given write access, no matter what the "read only" option is set -to. The list can include group names using the @group syntax.

- -Note that if a user is in both the read list and the write list then -they will be given write access.

- -See also the "read list" option

- -.B Default: - write list =

- -.B Example: - write list = admin, root, @staff

- - -

write ok (S)

-See -.B writable -and -.B read only.

- - -

write raw (G)

-This parameter controls whether or not the server will support raw writes when -transferring data from clients.

- -.B Default: - write raw = yes

- -.B Example: - write raw = no

- +You should not set this to Yes unless you have a multi-subnetted network and +you wish a particular nmbd to be your WINS server. Note that you should +*NEVER* set this to Yes on more than one machine in your network.

+Default: wins support = No

+ +

workgroup (G)

+This controls what workgroup your server will appear to be in when queried by +clients.

+Default: set in the Makefile

+Example: workgroup = MYGROUP

+ +

write list (S)

+This is a list of users that are given read-write access to a service. If +the connecting user is in this list then they will be given write access, +no matter what the writable option is set to. +The list can include group names using the @group syntax.

+Note that if a user is in both the read list and the write list then they +will be given write access.

+See also the read list option

+Default: write list =

+Example: write list = admin, root, @staff

+ +

write raw (G)

+This parameter controls whether or not the server will support raw writes +when transferring data from clients.

+Default: write raw = Yes

+Example: write raw = No

+ +

USERNAME/PASSWORD VALIDATION

+There are a number of ways in which a user can connect to a +service. The server follows the following steps in determining if it will +allow a connection to a specified service. If all the steps fail then the +connection request is rejected. If one of the steps pass then the following +steps are not checked.

+If the service is marked "guest only = yes" then +steps 1 to 5 are skipped

+Step 1: If the client has passed a username/password +pair and that username/password pair is validated by the UNIX system's +password programs then the connection is made as that username. Note that +this includes the \\server\service%username method of passing a username.

+Step 2: If the client has previously registered a username with the system +and now supplies a correct password for that username then the connection +is allowed.

+Step 3: The client's netbios name and any previously used user +names are checked against the supplied password, if they match then the +connection is allowed as the corresponding user.

+Step 4: If the client has previously validated a username/password pair with +the server and the client has passed the validation token then that username +is used. This step is skipped if "revalidate = yes" +for this service.

+Step 5: If a "username = " field is given in the +smb.conf file for the service and the client has supplied a password, and +that password matches (according to the UNIX system's password checking) with +one of the usernames from the username= field then the connection is made as +the username in the "username=" line. If one of the username in the username= +list begins with a @ then that name expands to a list of names in the group +of the same name.

+Step 6: If the service is a guest service then a connection is made as the +username given in the "guest account =" for the +service, irrespective of the supplied password.

+ +

NAME MANGLING

+Samba supports "name mangling" so that DOS and Windows clients can use files +that don't conform to the 8.3 format. It can also be set to adjust the case of +8.3 format filenames.

+There are several options that control the way mangling is +performed, and they are grouped here rather than listed separately.

+All of these options can be set separately for each service (or globally, +of course).

+The options are:

+"mangle case = yes/no" controls if names that have +characters that aren't of the "default" case are mangled. For example, if +this is yes then a name like "Mail" would be mangled. Default no.

+"case sensitive = yes/no" controls whether +filenames are case sensitive. If they aren't then Samba must do a filename +search and match on passed names. Default no.

+"default case = upper/lower" controls what the +default case is for new filenames. Default lower.

+"preserve case = yes/no" controls if new +files are created with the case that the client passes, or if they are +forced to be the "default" case. Default no.

+"short preserve case = yes/no" +controls if new files which conform to 8.3 syntax, that is all in upper +case and of suitable length, are created upper case, or if they are forced +to be the "default" case. This option can be use with "preserve case = +yes" to permit long filenames to retain their case, while short names +are lowered. Default no.

+ -- cgit