From fadde4210715322bac081e3665a73181d80059ab Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Wed, 11 Nov 1998 01:54:31 +0000 Subject: swat.c updated to use new yodl generated smb.conf.5.html file for help added smb.conf.5.html to swat/help (This used to be commit 9f250a80c66fb3e2b9039218771f0b4d5088a0ae) --- swat/help/smb.conf.5.html | 4451 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 4451 insertions(+) create mode 100644 swat/help/smb.conf.5.html (limited to 'swat') diff --git a/swat/help/smb.conf.5.html b/swat/help/smb.conf.5.html new file mode 100644 index 0000000000..7f35b75969 --- /dev/null +++ b/swat/help/smb.conf.5.html @@ -0,0 +1,4451 @@ + + + + + +smb.conf + + + + + +

+ +

smb.conf

Samba

23 Oct 1998

+ + + + +

NAME

+ smb.conf - The configuration file for the Samba suite +

SYNOPSIS

+ +

smb.conf The smb.conf file is a configuration file for the +Samba suite. smb.conf contains runtime configuration information +for the Samba programs. The smb.conf file is designed to be +configured and administered by the swat (8) +program. The complete description of the file format and possible +parameters held within are here for reference purposes. +

FILE FORMAT

+ +

The file consists of sections and parameters. A section begins with +the name of the section in square brackets and continues until the +next section begins. Sections contain parameters of the form +

'name = value' +

The file is line-based - that is, each newline-terminated line +represents either a comment, a section name or a parameter. +

Section and parameter names are not case sensitive. +

Only the first equals sign in a parameter is significant. Whitespace +before or after the first equals sign is discarded. Leading, trailing +and internal whitespace in section and parameter names is +irrelevant. Leading and trailing whitespace in a parameter value is +discarded. Internal whitespace within a parameter value is retained +verbatim. +

Any line beginning with a semicolon (';') or a hash ('#') character is +ignored, as are lines containing only whitespace. +

Any line ending in a '\' is "continued" on the next line in the +customary UNIX fashion. +

The values following the equals sign in parameters are all either a +string (no quotes needed) or a boolean, which may be given as yes/no, +0/1 or true/false. Case is not significant in boolean values, but is +preserved in string values. Some items such as create modes are +numeric. +

SECTION DESCRIPTIONS

+ +

Each section in the configuration file (except for the +[global] section) describes a shared resource (known +as a "share"). The section name is the name of the shared resource +and the parameters within the section define the shares attributes. +

There are three special sections, [global], +[homes] and [printers], which are +described under 'special sections'. The +following notes apply to ordinary section descriptions. +

A share consists of a directory to which access is being given plus +a description of the access rights which are granted to the user of +the service. Some housekeeping options are also specifiable. +

Sections are either filespace services (used by the client as an +extension of their native file systems) or printable services (used by +the client to access print services on the host running the server). +

Sections may be designated guest services, in which +case no password is required to access them. A specified UNIX +guest account is used to define access +privileges in this case. +

Sections other than guest services will require a password to access +them. The client provides the username. As older clients only provide +passwords and not usernames, you may specify a list of usernames to +check against the password using the "user=" option in +the share definition. For modern clients such as Windows 95/98 and +Windows NT, this should not be neccessary. +

Note that the access rights granted by the server are masked by the +access rights granted to the specified or guest UNIX user by the host +system. The server does not grant more access than the host system +grants. +

The following sample section defines a file space share. The user has +write access to the path /home/bar. The share is accessed via +the share name "foo": +

+
+
+ 	[foo]
+ 		path = /home/bar
+ 		writable = true
+
+
+

+ +

The following sample section defines a printable share. The share +is readonly, but printable. That is, the only write access permitted +is via calls to open, write to and close a spool file. The +'guest ok' parameter means access will be permitted +as the default guest user (specified elsewhere): +

+
+ 	[aprinter]
+ 		path = /usr/spool/public
+ 		read only = true
+ 		printable = true
+ 		guest ok = true
+
+

+ +

SPECIAL SECTIONS

+ +

The [global] section +

Parameters in this section apply to the server as a whole, or are +defaults for sections which do not specifically define certain +items. See the notes under 'PARAMETERS' for more +information. +

+
The [homes] section +

If a section called 'homes' is included in the configuration file, +services connecting clients to their home directories can be created +on the fly by the server. +

When the connection request is made, the existing sections are +scanned. If a match is found, it is used. If no match is found, the +requested section name is treated as a user name and looked up in the +local password file. If the name exists and the correct password has +been given, a share is created by cloning the [homes] section. +

Some modifications are then made to the newly created share: +
- The share name is changed from 'homes' to the located +username +
- If no path was given, the path is set to the user's home +directory. +
+

If you decide to use a path= line in your [homes] +section then you may find it useful to use the %S +macro. For example : +

path=/data/pchome/%S +

would be useful if you have different home directories for your PCs +than for UNIX access. +

This is a fast and simple way to give a large number of clients access +to their home directories with a minimum of fuss. +

A similar process occurs if the requested section name is "homes", +except that the share name is not changed to that of the requesting +user. This method of using the [homes] section works well if different +users share a client PC. +

The [homes] section can specify all the parameters a normal service +section can specify, though some make more sense than others. The +following is a typical and suitable [homes] section: +
```
+
+ 	[homes]
+ 		writable = yes
+
+
```
+ +

An important point is that if guest access is specified in the [homes] +section, all home directories will be visible to all clients +without a password. In the very unlikely event that this is +actually desirable, it would be wise to also specify read only +access. +

Note that the browseable flag for auto home +directories will be inherited from the global browseable flag, not the +[homes] browseable flag. This is useful as it means setting +browseable=no in the [homes] section will hide the [homes] share but +make any auto home directories visible. +

+
The [printers] section +

This section works like [homes], but for printers. +

If a [printers] section occurs in the configuration file, users are +able to connect to any printer specified in the local host's printcap +file. +

When a connection request is made, the existing sections are +scanned. If a match is found, it is used. If no match is found, but a +[homes] section exists, it is used as described +above. Otherwise, the requested section name is treated as a printer +name and the appropriate printcap file is scanned to see if the +requested section name is a valid printer share name. If a match is +found, a new printer share is created by cloning the [printers] +section. +

A few modifications are then made to the newly created share: +
- The share name is set to the located printer name +
- If no printer name was given, the printer name is set to the +located printer name +
- If the share does not permit guest access and no username was +given, the username is set to the located printer name. +
+

Note that the [printers] service MUST be printable - if you specify +otherwise, the server will refuse to load the configuration file. +

Typically the path specified would be that of a world-writable spool +directory with the sticky bit set on it. A typical [printers] entry +would look like this: +
```
+
+ 	[printers]
+ 		path = /usr/spool/public
+ 		writable = no
+ 		guest ok = yes
+ 		printable = yes 
+
+
```
+ +

All aliases given for a printer in the printcap file are legitimate +printer names as far as the server is concerned. If your printing +subsystem doesn't work like that, you will have to set up a +pseudo-printcap. This is a file consisting of one or more lines like +this: +
```
+        alias|alias|alias|alias...    
+
```
+ +

Each alias should be an acceptable printer name for your printing +subsystem. In the [global] section, specify the new +file as your printcap. The server will then only recognise names +found in your pseudo-printcap, which of course can contain whatever +aliases you like. The same technique could be used simply to limit +access to a subset of your local printers. +

An alias, by the way, is defined as any component of the first entry +of a printcap record. Records are separated by newlines, components +(if there are more than one) are separated by vertical bar symbols +("|"). +

NOTE: On SYSV systems which use lpstat to determine what printers are +defined on the system you may be able to use "printcap name = +lpstat" to automatically obtain a list of +printers. See the "printcap name" option for +more detils. +

PARAMETERS

+ +

Parameters define the specific attributes of sections. +

Some parameters are specific to the [global] section +(eg., security). Some parameters are usable in +all sections (eg., create mode). All others are +permissible only in normal sections. For the purposes of the following +descriptions the [homes] and +[printers] sections will be considered normal. +The letter 'G' in parentheses indicates that a parameter is +specific to the [global] section. The letter 'S' +indicates that a parameter can be specified in a service specific +section. Note that all 'S' parameters can also be specified in the +[global] section - in which case they will define +the default behaviour for all services. +

Parameters are arranged here in alphabetical order - this may not +create best bedfellows, but at least you can find them! Where there +are synonyms, the preferred synonym is described, others refer to the +preferred synonym. +

VARIABLE SUBSTITUTIONS

+ +

Many of the strings that are settable in the config file can take +substitutions. For example the option "path = +/tmp/%u" would be interpreted as "path = /tmp/john" if +the user connected with the username john. +

These substitutions are mostly noted in the descriptions below, but +there are some general substitutions which apply whenever they might +be relevant. These are: +

%S = the name of the current service, if any. +

+
%P = the root directory of the current service, if any. +

+
%u = user name of the current service, if any. +

+
%g = primary group name of %u. +

+
%U = session user name (the user name that +the client wanted, not necessarily the same as the one they got). +

+
%G = primary group name of %U. +

+
%H = the home directory of the user given by %u. +

+
%v = the Samba version. +

+
%h = the internet hostname that Samba is running on. +

+
%m = the NetBIOS name of the client machine (very useful). +

+
%L = the NetBIOS name of the server. This allows you to change your +config based on what the client calls you. Your server can have a "dual +personality". +

+
%M = the internet name of the client machine. +

+
%N = the name of your NIS home directory server. This is +obtained from your NIS auto.map entry. If you have not compiled Samba +with the --with-automount option then this value will be the same +as %L. +

+
%p = the path of the service's home directory, obtained from your NIS +auto.map entry. The NIS auto.map entry is split up as "%N:%p". +

+
%R = the selected protocol level after protocol +negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. +

+
%d = The process id of the current server process. +

+
%a = the architecture of the remote +machine. Only some are recognised, and those may not be 100% +reliable. It currently recognises Samba, WfWg, WinNT and +Win95. Anything else will be known as "UNKNOWN". If it gets it wrong +then sending a level 3 log to samba-bugs@samba.anu.edu.au +should allow it to be fixed. +

+
%I = The IP address of the client machine. +

+
%T = the current date and time. +

There are some quite creative things that can be done with these +substitutions and other smb.conf options. +

NAME MANGLING

+ +

Samba supports "name mangling" so that DOS and Windows clients can +use files that don't conform to the 8.3 format. It can also be set to +adjust the case of 8.3 format filenames. +

There are several options that control the way mangling is performed, +and they are grouped here rather than listed separately. For the +defaults look at the output of the testparm program. +

All of these options can be set separately for each service (or +globally, of course). +

The options are: +

+"mangle case = yes/no" controls if names that have characters that +aren't of the "default" case are mangled. For example, if this is yes +then a name like "Mail" would be mangled. Default no. +

+"case sensitive = yes/no" controls whether filenames are case +sensitive. If they aren't then Samba must do a filename search and +match on passed names. Default no. +

+"default case = upper/lower" controls what the default case is for new +filenames. Default lower. +

+"preserve case = yes/no" controls if new files are created with the +case that the client passes, or if they are forced to be the "default" +case. Default Yes. +

"short preserve case = yes/no" controls if new files which conform +to 8.3 syntax, that is all in upper case and of suitable length, are +created upper case, or if they are forced to be the "default" +case. This option can be use with "preserve case = +yes" to permit long filenames to retain their +case, while short names are lowered. Default Yes. +

By default, Samba 2.0 has the same semantics as a Windows NT +server, in that it is case insensitive but case preserving. +

NOTE ABOUT USERNAME/PASSWORD VALIDATION

+ +

There are a number of ways in which a user can connect to a +service. The server follows the following steps in determining if it +will allow a connection to a specified service. If all the steps fail +then the connection request is rejected. If one of the steps pass then +the following steps are not checked. +

If the service is marked "guest only = yes" then +steps 1 to 5 are skipped. +

Step 1: If the client has passed a username/password pair and +that username/password pair is validated by the UNIX system's password +programs then the connection is made as that username. Note that this +includes the \\server\service%username method of passing a +username. +
Step 2: If the client has previously registered a username with +the system and now supplies a correct password for that username then +the connection is allowed. +
Step 3: The client's netbios name and any previously used user +names are checked against the supplied password, if they match then +the connection is allowed as the corresponding user. +
Step 4: If the client has previously validated a +username/password pair with the server and the client has passed the +validation token then that username is used. This step is skipped if +"revalidate = yes" for this service. +
Step 5: If a "user = " field is given in the +smb.conf file for the service and the client has supplied a password, +and that password matches (according to the UNIX system's password +checking) with one of the usernames from the user= +field then the connection is made as the username in the +"user=" line. If one of the username in the +user= list begins with a '@' then that name +expands to a list of names in the group of the same name. +
Step 6: If the service is a guest service then a connection is +made as the username given in the "guest account +=" for the service, irrespective of the supplied +password. +

COMPLETE LIST OF GLOBAL PARAMETERS

+ +

Here is a list of all global parameters. See the section of each +parameter for details. Note that some are synonyms. +

COMPLETE LIST OF SERVICE PARAMETERS

+ +

Here is a list of all service parameters. See the section of each +parameter for details. Note that some are synonyms. +

EXPLANATION OF EACH PARAMETER

+ +

admin users (S) +

This is a list of users who will be granted administrative privileges +on the share. This means that they will do all file operations as the +super-user (root). +

You should use this option very carefully, as any user in this list +will be able to do anything they like on the share, irrespective of +file permissions. +

Default:
+ no admin users +

Example:
+ admin users = jason +

+
allow hosts (S) +

A synonym for this parameter is 'hosts allow' +

This parameter is a comma, space, or tab delimited set of hosts which +are permitted to access a service. +

If specified in the [global] section then it will +apply to all services, regardless of whether the individual service +has a different setting. +

You can specify the hosts by name or IP number. For example, you could +restrict access to only the hosts on a Class C subnet with something +like "allow hosts = 150.203.5.". The full syntax of the list is +described in the man page hosts_access (5). Note that this man +page may not be present on your system, so a brief description will +be given here also. +

NOTE: IF you wish to allow the smbpasswd +(8) program to be run by local users to change +their Samba passwords using the local smbd (8) +daemon, then you MUST ensure that the localhost is listed in your +allow hosts list, as smbpasswd (8) runs +in client-server mode and is seen by the local +smbd process as just another client. +

You can also specify hosts by network/netmask pairs and by netgroup +names if your system supports netgroups. The EXCEPT keyword can also +be used to limit a wildcard list. The following examples may provide +some help: +

Example 1: allow localhost and all IPs in 150.203.*.* except one +

hosts allow = localhost, 150.203. EXCEPT 150.203.6.66 +

Example 2: allow localhost and hosts that match the given network/netmask +

hosts allow = localhost, 150.203.15.0/255.255.255.0 +

Example 3: allow a localhost plus a couple of hosts +

hosts allow = localhost, lapland, arvidsjaur +

Example 4: allow only hosts in NIS netgroup "foonet" or localhost, but +deny access from one particular host +

hosts allow = @foonet, localhost + hosts deny = pirate +

Note that access still requires suitable user-level passwords. +

See testparm (1) for a way of testing your +host access to see if it does what you expect. +

Default: + none (i.e., all hosts permitted access) +

Example: + allow hosts = 150.203.5. localhost myhost.mynet.edu.au +

+
alternate permissions (S) +

This is a deprecated parameter. It no longer has any effect in Samba2.0. +In previous versions of Samba it affected the way the DOS "read only" +attribute was mapped for a file. In Samba2.0 a file is marked "read only" +if the UNIX file does not have the 'w' bit set for the owner of the file, +regardless if the owner of the file is the currently logged on user or not. +

+
announce as (G) +

This specifies what type of server nmbd will +announce itself as, to a network neighborhood browse list. By default +this is set to Windows NT. The valid options are : "NT", "Win95" or +"WfW" meaining Windows NT, Windows 95 and Windows for Workgroups +respectively. Do not change this parameter unless you have a specific +need to stop Samba appearing as an NT server as this may prevent Samba +servers from participating as browser servers correctly. +

Default: + announce as = NT +

Example + announce as = Win95 +

+
announce version (G) +

This specifies the major and minor version numbers that nmbd will use +when announcing itself as a server. The default is 4.2. Do not change +this parameter unless you have a specific need to set a Samba server +to be a downlevel server. +

Default: + announce version = 4.2 +

Example: + announce version = 2.0 +

+
auto services (G) +

This is a list of services that you want to be automatically added to +the browse lists. This is most useful for homes and printers services +that would otherwise not be visible. +

Note that if you just want all printers in your printcap file loaded +then the "load printers" option is easier. +

Default: + no auto services +

Example: + auto services = fred lp colorlp +

+
available (S) +

This parameter lets you 'turn off' a service. If 'available = no', +then ALL attempts to connect to the service will fail. Such failures +are logged. +

Default: + available = yes +

Example: + available = no +

+
bind interfaces only (G) +

This global parameter allows the Samba admin to limit what interfaces +on a machine will serve smb requests. If affects file service +smbd and name service nmbd +in slightly different ways. +

For name service it causes nmbd to bind to ports +137 and 138 on the interfaces listed in the +'interfaces' +parameter. nmbd also binds to the 'all +addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes +of reading broadcast messages. If this option is not set then +nmbd will service name requests on all of these +sockets. If "bind interfaces only" is set then +nmbd will check the source address of any +packets coming in on the broadcast sockets and discard any that don't +match the broadcast addresses of the interfaces in the +'interfaces' parameter list. As unicast packets +are received on the other sockets it allows nmbd +to refuse to serve names to machines that send packets that arrive +through any interfaces not listed in the +"interfaces" list. IP Source address spoofing +does defeat this simple check, however so it must not be used +seriously as a security feature for nmbd. +

For file service it causes smbd to bind only to +the interface list given in the 'interfaces' +parameter. This restricts the networks that smbd +will serve to packets coming in those interfaces. Note that you +should not use this parameter for machines that are serving PPP or +other intermittant or non-broadcast network interfaces as it will not +cope with non-permanent interfaces. +

In addition, to change a users SMB password, the +smbpasswd by default connects to the +"localhost" - 127.0.0.1 address as an SMB client to issue the +password change request. If "bind interfaces only" is set then +unless the network address 127.0.0.1 is added to the +'interfaces' parameter list then +smbpasswd will fail to connect in it's +default mode. smbpasswd can be forced to +use the primary IP interface of the local host by using its +"-r remote machine" parameter, with +"remote machine" set to the IP name of the primary interface +of the local host. +

Default: + bind interfaces only = False +

Example: + bind interfaces only = True +

+
blocking locks (S) +

This parameter controls the behavior of smbd when +given a request by a client to obtain a byte range lock on a region +of an open file, and the request has a time limit associated with it. +

If this parameter is set and the lock range requested cannot be +immediately satisfied, Samba 2.0 will internally queue the lock +request, and periodically attempt to obtain the lock until the +timeout period expires. +

If this parameter is set to "False", then Samba 2.0 will behave +as previous versions of Samba would and will fail the lock +request immediately if the lock range cannot be obtained. +

This parameter can be set per share. +

Default: + blocking locks = True +

Example: + blocking locks = False +

+
broweable (S) +

This controls whether this share is seen in the list of available +shares in a net view and in the browse list. +

Default: + browsable = Yes +

Example: + browsable = No +

+
browse list(G) +

This controls whether smbd will serve a browse +list to a client doing a NetServerEnum call. Normally set to true. You +should never need to change this. +

Default: + browse list = Yes +

+
browseable +

Synonym for browsable. +

+
case sensitive (G) +

See the discussion in the section NAME MANGLING. +

+
casesignames (G) +

Synonym for "case sensitive". +

+
change notify timeout (G) +

One of the new NT SMB requests that Samba 2.0 supports is the +"ChangeNotify" requests. This SMB allows a client to tell a server to +"watch" a particular directory for any changes and only reply to +the SMB request when a change has occurred. Such constant scanning of +a directory is expensive under UNIX, hence an +smbd daemon only performs such a scan on each +requested directory once every change notify timeout seconds. +

change notify timeout is specified in units of seconds. +

Default: + change notify timeout = 60 +

Example: + change notify timeout = 300 +

Would change the scan time to every 5 minutes. +

+
character set (G) +

This allows a smbd to map incoming filenames from a DOS Code page (see +the client code page parameter) to several +built in UNIX character sets. The built in code page translations are: +
- ISO8859-1 Western European UNIX character set. The parameter +client code page MUST be set to code +page 850 if the character set parameter is set to iso8859-1 +in order for the conversion to the UNIX character set to be done +correctly. +
- ISO8859-2 Eastern European UNIX character set. The parameter +client code page MUST be set to code +page 852 if the character set parameter is set to ISO8859-2 +in order for the conversion to the UNIX character set to be done +correctly. +
- ISO8859-5 Russian Cyrillic UNIX character set. The parameter +client code page MUST be set to code +page 866 if the character set parameter is set to ISO8859-2 +in order for the conversion to the UNIX character set to be done +correctly. +
- KOI8-R Alternate mapping for Russian Cyrillic UNIX +character set. The parameter client code +page MUST be set to code page 866 if the +character set parameter is set to KOI8-R in order for the +conversion to the UNIX character set to be done correctly. +
+

BUG. These MSDOS code page to UNIX character set mappings should +be dynamic, like the loading of MS DOS code pages, not static. +

See also client code page. Normally this +parameter is not set, meaning no filename translation is done. +

Default: + character set = <empty string> +

Example: + character set = ISO8859-1 +

+
client code page (G) +

This parameter specifies the DOS code page that the clients accessing +Samba are using. To determine what code page a Windows or DOS client +is using, open a DOS command prompt and type the command "chcp". This +will output the code page. The default for USA MS-DOS, Windows 95, and +Windows NT releases is code page 437. The default for western european +releases of the above operating systems is code page 850. +

This parameter tells smbd which of the +codepage.XXX files to dynamically load on startup. These files, +described more fully in the manual page make_smbcodepage +(1), tell smbd how +to map lower to upper case characters to provide the case insensitivity +of filenames that Windows clients expect. +

Samba currenly ships with the following code page files : +
- Code Page 437 - MS-DOS Latin US +
- Code Page 737 - Windows '95 Greek +
- Code Page 850 - MS-DOS Latin 1 +
- Code Page 852 - MS-DOS Latin 2 +
- Code Page 861 - MS-DOS Icelandic +
- Code Page 866 - MS-DOS Cyrillic +
- Code Page 932 - MS-DOS Japanese SJIS +
- Code Page 936 - MS-DOS Simplified Chinese +
- Code Page 949 - MS-DOS Korean Hangul +
- Code Page 950 - MS-DOS Traditional Chinese +
+

Thus this parameter may have any of the values 437, 737, 850, 852, +861, 932, 936, 949, or 950. If you don't find the codepage you need, +read the comments in one of the other codepage files and the +make_smbcodepage (1) man page and +write one. Please remember to donate it back to the Samba user +community. +

This parameter co-operates with the "valid +chars" parameter in determining what characters are +valid in filenames and how capitalization is done. If you set both +this parameter and the "valid chars" parameter +the "client code page" parameter MUST be set before the +"valid chars" parameter in the smb.conf +file. The "valid chars" string will then augment +the character settings in the "client code page" parameter. +

If not set, "client code page" defaults to 850. +

See also : "valid chars" +

Default: + client code page = 850 +

Example: + client code page = 936 +

+
codingsystem (G) +

This parameter is used to determine how incoming Shift-JIS Japanese +characters are mapped from the incoming "client code +page" used by the client, into file names in the +UNIX filesystem. Only useful if "client code +page" is set to 932 (Japanese Shift-JIS). +

The options are : +
- SJIS Shift-JIS. Does no conversion of the incoming filename. +
- JIS8, J8BB, J8BH, J8@B, J8@J, J8@H Convert from incoming +Shift-JIS to eight bit JIS code with different shift-in, shift out +codes. +
- JIS7, J7BB, J7BH, J7@B, J7@J, J7@H Convert from incoming +Shift-JIS to seven bit JIS code with different shift-in, shift out +codes. +
- JUNET, JUBB, JUBH, JU@B, JU@J, JU@H Convert from incoming +Shift-JIS to JUNET code with different shift-in, shift out codes. +
- EUC Convert an incoming Shift-JIS character to EUC code. +
- HEX Convert an incoming Shift-JIS character to a 3 byte hex +representation, ie. :AB. +
- CAP Convert an incoming Shift-JIS character to the 3 byte hex +representation used by the Columbia Appletalk Program (CAP), +ie. :AB. This is used for compatibility between Samba and CAP. +
+

+
comment (S) +

This is a text field that is seen next to a share when a client does a +queries the server, either via the network neighborhood or via "net +view" to list what shares are available. +

If you want to set the string that is displayed next to the machine +name then see the server string command. +

Default: + No comment string +

Example: + comment = Fred's Files +

+
config file (G) +

This allows you to override the config file to use, instead of the +default (usually smb.conf). There is a chicken and egg problem +here as this option is set in the config file! +

For this reason, if the name of the config file has changed when the +parameters are loaded then it will reload them from the new config +file. +

This option takes the usual substitutions, which can be very useful. +

If the config file doesn't exist then it won't be loaded (allowing you +to special case the config files of just a few clients). +

Example: + config file = /usr/local/samba/lib/smb.conf.%m +

+
copy (S) +

This parameter allows you to 'clone' service entries. The specified +service is simply duplicated under the current service's name. Any +parameters specified in the current section will override those in the +section being copied. +

This feature lets you set up a 'template' service and create similar +services easily. Note that the service being copied must occur earlier +in the configuration file than the service doing the copying. +

Default: + none +

Example: + copy = otherservice +

+
create mask (S) +

A synonym for this parameter is 'create mode'. +

When a file is created, the neccessary permissions are calculated +according to the mapping from DOS modes to UNIX permissions, and the +resulting UNIX mode is then bit-wise 'AND'ed with this parameter. +This parameter may be thought of as a bit-wise MASK for the UNIX modes +of a file. Any bit *not* set here will be removed from the modes set +on a file when it is created. +

The default value of this parameter removes the 'group' and 'other' +write and execute bits from the UNIX modes. +

Following this Samba will bit-wise 'OR' the UNIX mode created from +this parameter with the value of the "force create mode" parameter +which is set to 000 by default. +

This parameter does not affect directory modes. See the parameter +'directory mode' for details. +

See also the "force create mode" parameter +for forcing particular mode bits to be set on created files. See also +the "directory mode" parameter for masking +mode bits on created directories. +

Default: + create mask = 0744 +

Example: + create mask = 0775 +

+
create mode (S) +

This is a synonym for create mask. +

+
deadtime (G) +

The value of the parameter (a decimal integer) represents the number +of minutes of inactivity before a connection is considered dead, and +it is disconnected. The deadtime only takes effect if the number of +open files is zero. +

This is useful to stop a server's resources being exhausted by a large +number of inactive connections. +

Most clients have an auto-reconnect feature when a connection is +broken so in most cases this parameter should be transparent to users. +

Using this parameter with a timeout of a few minutes is recommended +for most systems. +

A deadtime of zero indicates that no auto-disconnection should be +performed. +

Default: + deadtime = 0 +

Example: + deadtime = 15 +

+
debug timestamp (G) +

Samba2.0 debug log messages are timestamped by default. If you are +running at a high "debug level" these timestamps +can be distracting. This boolean parameter allows them to be turned +off. +

Default: + debug timestamp = Yes +

Example: + debug timestamp = No +

+
debug level (G) +

The value of the parameter (an integer) allows the debug level +(logging level) to be specified in the smb.conf file. This is to +give greater flexibility in the configuration of the system. +

The default will be the debug level specified on the command line +or level zero if none was specified. +

Example: + debug level = 3 +

+
default (G) +

A synonym for default service. +

+
default case (S) +

See the section on "NAME MANGLING". Also note +the "short preserve case" parameter. +

+
default service (G) +

This parameter specifies the name of a service which will be connected +to if the service actually requested cannot be found. Note that the +square brackets are NOT given in the parameter value (see example +below). +

There is no default value for this parameter. If this parameter is not +given, attempting to connect to a nonexistent service results in an +error. +

Typically the default service would be a guest ok, +read-only service. +

Also note that the apparent service name will be changed to equal that +of the requested service, this is very useful as it allows you to use +macros like %S to make a wildcard service. +

Note also that any '_' characters in the name of the service used +in the default service will get mapped to a '/'. This allows for +interesting things. +

Example: +
```
+
+	default service = pub
+        
+	[pub]
+		path = /%S
+
+
```
+ +

+
delete readonly (S) +

This parameter allows readonly files to be deleted. This is not +normal DOS semantics, but is allowed by UNIX. +

This option may be useful for running applications such as rcs, where +UNIX file ownership prevents changing file permissions, and DOS +semantics prevent deletion of a read only file. +

Default: + delete readonly = No +

Example: + delete readonly = Yes +

+
delete veto files (S) +

This option is used when Samba is attempting to delete a directory +that contains one or more vetoed directories (see the 'veto +files' option). If this option is set to False (the +default) then if a vetoed directory contains any non-vetoed files or +directories then the directory delete will fail. This is usually what +you want. +

If this option is set to True, then Samba will attempt to recursively +delete any files and directories within the vetoed directory. This can +be useful for integration with file serving systems such as NetAtalk, +which create meta-files within directories you might normally veto +DOS/Windows users from seeing (eg. .AppleDouble) +

Setting 'delete veto files = True' allows these directories to be +transparently deleted when the parent directory is deleted (so long +as the user has permissions to do so). +

See also the veto files parameter. +

Default: + delete veto files = False +

Example: + delete veto files = True +

+
deny hosts (S) +

The opposite of 'allow hosts' - hosts listed +here are NOT permitted access to services unless the specific +services have their own lists to override this one. Where the lists +conflict, the 'allow' list takes precedence. +

Default: + none (i.e., no hosts specifically excluded) +

Example: + deny hosts = 150.203.4. badhost.mynet.edu.au +

+
dfree command (G) +

The dfree command setting should only be used on systems where a +problem occurs with the internal disk space calculations. This has +been known to happen with Ultrix, but may occur with other operating +systems. The symptom that was seen was an error of "Abort Retry +Ignore" at the end of each directory listing. +

This setting allows the replacement of the internal routines to +calculate the total disk space and amount available with an external +routine. The example below gives a possible script that might fulfill +this function. +

The external program will be passed a single parameter indicating a +directory in the filesystem being queried. This will typically consist +of the string "./". The script should return two integers in +ascii. The first should be the total disk space in blocks, and the +second should be the number of available blocks. An optional third +return value can give the block size in bytes. The default blocksize +is 1024 bytes. +

Note: Your script should NOT be setuid or setgid and should be +owned by (and writable only by) root! +

Default: +By default internal routines for determining the disk capacity +and remaining space will be used. +

Example: + dfree command = /usr/local/samba/bin/dfree +

Where the script dfree (which must be made executable) could be: +
```
+
+	#!/bin/sh
+	df $1 | tail -1 | awk '{print $2" "$4}'
+
+
```
+ +

or perhaps (on Sys V based systems): +
```
+
+	#!/bin/sh
+	/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+
+
```
+ +

Note that you may have to replace the command names with full +path names on some systems. +

+
directory (S) +

Synonym for path. +

+
directory mask (S) +

This parameter is the octal modes which are used when converting DOS +modes to UNIX modes when creating UNIX directories. +

When a directory is created, the neccessary permissions are calculated +according to the mapping from DOS modes to UNIX permissions, and the +resulting UNIX mode is then bit-wise 'AND'ed with this parameter. +This parameter may be thought of as a bit-wise MASK for the UNIX modes +of a directory. Any bit *not* set here will be removed from the +modes set on a directory when it is created. +

The default value of this parameter removes the 'group' and 'other' +write bits from the UNIX mode, allowing only the user who owns the +directory to modify it. +

Following this Samba will bit-wise 'OR' the UNIX mode created from +this parameter with the value of the "force directory mode" +parameter. This parameter is set to 000 by default (ie. no extra mode +bits are added). +

See the "force directory mode" parameter +to cause particular mode bits to always be set on created directories. +

See also the "create mode" parameter for masking +mode bits on created files. +

Default: + directory mask = 0755 +

Example: + directory mask = 0775 +

+
directory mode (S) +

Synonym for directory mask. +

+
dns proxy (G) +

Specifies that nmbd when acting as a WINS +server and finding that a NetBIOS name has not been registered, should +treat the NetBIOS name word-for-word as a DNS name and do a lookup +with the DNS server for that name on behalf of the name-querying +client. +

Note that the maximum length for a NetBIOS name is 15 characters, so +the DNS name (or DNS alias) can likewise only be 15 characters, +maximum. +

nmbd spawns a second copy of itself to do the +DNS name lookup requests, as doing a name lookup is a blocking action. +

See also the parameter wins support. +

Default: + dns proxy = yes +

+domain admin group (G) +

This is an EXPERIMENTAL parameter that is part of the unfinished +Samba NT Domain Controller Code. It may be removed in a later release. +To work with the latest code builds that may have more support for +Samba NT Domain Controller functionality please subscibe to the +mailing list Samba-ntdom available by sending email to +listproc@samba.anu.edu.au +

+
domain admin users (G) +

This is an EXPERIMENTAL parameter that is part of the unfinished +Samba NT Domain Controller Code. It may be removed in a later release. +To work with the latest code builds that may have more support for +Samba NT Domain Controller functionality please subscibe to the +mailing list Samba-ntdom available by sending email to +listproc@samba.anu.edu.au +

+
domain controller (G) +

This is a DEPRECATED parameter. It is currently not used within +the Samba source and should be removed from all current smb.conf +files. It is left behind for compatibility reasons. +

+
domain groups (G) +

This is an EXPERIMENTAL parameter that is part of the unfinished +Samba NT Domain Controller Code. It may be removed in a later release. +To work with the latest code builds that may have more support for +Samba NT Domain Controller functionality please subscibe to the +mailing list Samba-ntdom available by sending email to +listproc@samba.anu.edu.au +

+
domain guest group (G) +

This is an EXPERIMENTAL parameter that is part of the unfinished +Samba NT Domain Controller Code. It may be removed in a later release. +To work with the latest code builds that may have more support for +Samba NT Domain Controller functionality please subscibe to the +mailing list Samba-ntdom available by sending email to +listproc@samba.anu.edu.au +

+
domain guest users (G) +

This is an EXPERIMENTAL parameter that is part of the unfinished +Samba NT Domain Controller Code. It may be removed in a later release. +To work with the latest code builds that may have more support for +Samba NT Domain Controller functionality please subscibe to the +mailing list Samba-ntdom available by sending email to +listproc@samba.anu.edu.au +

+
domain logons (G) +

If set to true, the Samba server will serve Windows 95/98 Domain +logons for the workgroup it is in. For more +details on setting up this feature see the file DOMAINS.txt in the +Samba documentation directory docs/ shipped with the source code. +

Note that Win95/98 Domain logons are NOT the same as Windows +NT Domain logons. NT Domain logons require a Primary Domain Controller +(PDC) for the Domain. It is inteded that in a future release Samba +will be able to provide this functionality for Windows NT clients +also. +

Default: + domain logons = no +

+
domain master (G) +

Tell nmbd to enable WAN-wide browse list +collation.Setting this option causes nmbd to +claim a special domain specific NetBIOS name that identifies it as a +domain master browser for its given +workgroup. Local master browsers in the same +workgroup on broadcast-isolated subnets will give +this nmbd their local browse lists, and then +ask smbd for a complete copy of the browse list +for the whole wide area network. Browser clients will then contact +their local master browser, and will receive the domain-wide browse +list, instead of just the list for their broadcast-isolated subnet. +

Note that Windows NT Primary Domain Controllers expect to be able to +claim this workgroup specific special NetBIOS +name that identifies them as domain master browsers for that +workgroup by default (ie. there is no way to +prevent a Windows NT PDC from attempting to do this). This means that +if this parameter is set and nmbd claims the +special name for a workgroup before a Windows NT +PDC is able to do so then cross subnet browsing will behave strangely +and may fail. +

Default: + domain master = no +

+
dont descend (S) +

There are certain directories on some systems (eg., the /proc tree +under Linux) that are either not of interest to clients or are +infinitely deep (recursive). This parameter allows you to specify a +comma-delimited list of directories that the server should always show +as empty. +

Note that Samba can be very fussy about the exact format of the "dont +descend" entries. For example you may need "./proc" instead of +just "/proc". Experimentation is the best policy :-) +

Default: + none (i.e., all directories are OK to descend) +

Example: + dont descend = /proc,/dev +

+
dos filetime resolution (S) +

Under the DOS and Windows FAT filesystem, the finest granulatity on +time resolution is two seconds. Setting this parameter for a share +causes Samba to round the reported time down to the nearest two second +boundary when a query call that requires one second resolution is made +to smbd. +

This option is mainly used as a compatibility option for Visual C++ +when used against Samba shares. If oplocks are enabled on a share, +Visual C++ uses two different time reading calls to check if a file +has changed since it was last read. One of these calls uses a +one-second granularity, the other uses a two second granularity. As +the two second call rounds any odd second down, then if the file has a +timestamp of an odd number of seconds then the two timestamps will not +match and Visual C++ will keep reporting the file has changed. Setting +this option causes the two timestamps to match, and Visual C++ is +happy. +

Default: + dos filetime resolution = False +

Example: + dos filetime resolution = True +

+
dos filetimes (S) +

Under DOS and Windows, if a user can write to a file they can change +the timestamp on it. Under POSIX semantics, only the owner of the file +or root may change the timestamp. By default, Samba runs with POSIX +semantics and refuses to change the timestamp on a file if the user +smbd is acting on behalf of is not the file owner. Setting this option +to True allows DOS semantics and smbd will change the file timstamp as +DOS requires. +

Default: + dos filetimes = False +

Example: + dos filetimes = True +

+
encrypt passwords (G) +

This boolean controls whether encrypted passwords will be negotiated +with the client. Note that Windows NT 4.0 SP3 and above and also +Windows 98 will by default expect encrypted passwords unless a +registry entry is changed. To use encrypted passwords in Samba see the +file ENCRYPTION.txt in the Samba documentation directory docs/ +shipped with the source code. +

In order for encrypted passwords to work correctly +smbd must either have access to a local +smbpasswd (5) file (see the +smbpasswd (8) program for information on +how to set up and maintain this file), or set the +security= parameter to either +"server" or +"domain" which causes +smbd to authenticate against another server. +

+
exec (S) +

This is a synonym for preexec. +

+
fake directory create times (S) +

NTFS and Windows VFAT file systems keep a create time for all files +and directories. This is not the same as the ctime - status change +time - that Unix keeps, so Samba by default reports the earliest of +the various times Unix does keep. Setting this parameter for a share +causes Samba to always report midnight 1-1-1980 as the create time for +directories. +

This option is mainly used as a compatibility option for Visual C++ +when used against Samba shares. Visual C++ generated makefiles have +the object directory as a dependency for each object file, and a make +rule to create the directory. Also, when NMAKE compares timestamps it +uses the creation time when examining a directory. Thus the object +directory will be created if it does not exist, but once it does exist +it will always have an earlier timestamp than the object files it +contains. +

However, Unix time semantics mean that the create time reported by +Samba will be updated whenever a file is created or deleted in the +directory. NMAKE therefore finds all object files in the object +directory bar the last one built are out of date compared to the +directory and rebuilds them. Enabling this option ensures directories +always predate their contents and an NMAKE build will proceed as +expected. +

Default: + fake directory create times = False +

Example: + fake directory create times = True +

+
fake oplocks (S) +

Oplocks are the way that SMB clients get permission from a server to +locally cache file operations. If a server grants an oplock +(opportunistic lock) then the client is free to assume that it is the +only one accessing the file and it will aggressively cache file +data. With some oplock types the client may even cache file open/close +operations. This can give enormous performance benefits. +

When you set "fake oplocks = yes" smbd will +always grant oplock requests no matter how many clients are using the +file. +

It is generally much better to use the real oplocks +support rather than this parameter. +

If you enable this option on all read-only shares or shares that you +know will only be accessed from one client at a time such as +physically read-only media like CDROMs, you will see a big performance +improvement on many operations. If you enable this option on shares +where multiple clients may be accessing the files read-write at the +same time you can get data corruption. Use this option carefully! +

This option is disabled by default. +

+
follow symlinks (S) +

This parameter allows the Samba administrator to stop +smbd from following symbolic links in a +particular share. Setting this parameter to "No" prevents any file +or directory that is a symbolic link from being followed (the user +will get an error). This option is very useful to stop users from +adding a symbolic link to /etc/pasword in their home directory for +instance. However it will slow filename lookups down slightly. +

This option is enabled (ie. smbd will follow +symbolic links) by default. +

+
force create mode (S) +

This parameter specifies a set of UNIX mode bit permissions that will +*always* be set on a file created by Samba. This is done by +bitwise 'OR'ing these bits onto the mode bits of a file that is being +created. The default for this parameter is (in octel) 000. The modes +in this parameter are bitwise 'OR'ed onto the file mode after the mask +set in the "create mask" parameter is applied. +

See also the parameter "create mask" for details +on masking mode bits on created files. +

Default: + force create mode = 000 +

Example: + force create mode = 0755 +

would force all created files to have read and execute permissions set +for 'group' and 'other' as well as the read/write/execute bits set for +the 'user'. +

+
force directory mode (S) +

This parameter specifies a set of UNIX mode bit permissions that will +*always* be set on a directory created by Samba. This is done by +bitwise 'OR'ing these bits onto the mode bits of a directory that is +being created. The default for this parameter is (in octel) 0000 which +will not add any extra permission bits to a created directory. This +operation is done after the mode mask in the parameter +"directory mask" is applied. +

See also the parameter "directory mask" for +details on masking mode bits on created directories. +

Default: + force directory mode = 000 +

Example: + force directory mode = 0755 +

would force all created directories to have read and execute +permissions set for 'group' and 'other' as well as the +read/write/execute bits set for the 'user'. +

+
force group (S) +

This specifies a UNIX group name that will be assigned as the default +primary group for all users connecting to this service. This is useful +for sharing files by ensuring that all access to files on service will +use the named group for their permissions checking. Thus, by assigning +permissions for this group to the files and directories within this +service the Samba administrator can restrict or allow sharing of these +files. +

Default: + no forced group +

Example: + force group = agroup +

+
force user (S) +

This specifies a UNIX user name that will be assigned as the default +user for all users connecting to this service. This is useful for +sharing files. You should also use it carefully as using it +incorrectly can cause security problems. +

This user name only gets used once a connection is established. Thus +clients still need to connect as a valid user and supply a valid +password. Once connected, all file operations will be performed as the +"forced user", no matter what username the client connected as. +

This can be very useful. +

Default: + no forced user +

Example: + force user = auser +

+
fstype (S) +

This parameter allows the administrator to configure the string that +specifies the type of filesystem a share is using that is reported by +smbd when a client queries the filesystem type +for a share. The default type is "NTFS" for compatibility with +Windows NT but this can be changed to other strings such as "Samba" or +"FAT" if required. +

Default: + fstype = NTFS +

Example: + fstype = Samba +

+
getwd cache (G) +

This is a tuning option. When this is enabled a cacheing algorithm +will be used to reduce the time taken for getwd() calls. This can have +a significant impact on performance, especially when the +widelinks parameter is set to False. +

Default: + getwd cache = No +

Example: + getwd cache = Yes +

+
group (S) +

Synonym for "force group". +

+
guest account (S) +

This is a username which will be used for access to services which are +specified as 'guest ok' (see below). Whatever +privileges this user has will be available to any client connecting to +the guest service. Typically this user will exist in the password +file, but will not have a valid login. The user account "ftp" is +often a good choice for this parameter. If a username is specified in +a given service, the specified username overrides this one. +

One some systems the default guest account "nobody" may not be able to +print. Use another account in this case. You should test this by +trying to log in as your guest user (perhaps by using the "su -" +command) and trying to print using the system print command such as +lpr (1) or lp (1). +

Default: + specified at compile time, usually "nobody" +

Example: + guest account = ftp +

+
guest ok (S) +

If this parameter is 'yes' for a service, then no password is +required to connect to the service. Privileges will be those of the +guest account. +

See the section below on security for more +information about this option. +

Default: + guest ok = no +

Example: + guest ok = yes +

+
guest only (S) +

If this parameter is 'yes' for a service, then only guest +connections to the service are permitted. This parameter will have no +affect if "guest ok" or "public" +is not set for the service. +

See the section below on security for more +information about this option. +

Default: + guest only = no +

Example: + guest only = yes +

+
hide dot files (S) +

This is a boolean parameter that controls whether files starting with +a dot appear as hidden files. +

Default: + hide dot files = yes +

Example: + hide dot files = no +

+
hide files(S) +

This is a list of files or directories that are not visible but are +accessible. The DOS 'hidden' attribute is applied to any files or +directories that match. +

Each entry in the list must be separated by a '/', which allows +spaces to be included in the entry. '*' and '?' can be used +to specify multiple files or directories as in DOS wildcards. +

Each entry must be a unix path, not a DOS path and must not include the +unix directory separator '/'. +

Note that the case sensitivity option is applicable in hiding files. +

Setting this parameter will affect the performance of Samba, as it +will be forced to check all files and directories for a match as they +are scanned. +

See also "hide dot files", "veto +files" and "case sensitive". +

Default +
```
+
+	No files or directories are hidden by this option (dot files are
+	hidden by default because of the "hide dot files" option).
+
+
```
+ +

Example + hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ +

The above example is based on files that the Macintosh SMB client +(DAVE) available from Thursby creates for +internal use, and also still hides all files beginning with a dot. +

+
homedir map (G) +

If "nis homedir" is true, and +smbd is also acting as a Win95/98 logon +server then this parameter specifies the NIS (or YP) +map from which the server for the user's home directory should be +extracted. At present, only the Sun auto.home map format is +understood. The form of the map is: +

username server:/some/file/system +

and the program will extract the servername from before the first +':'. There should probably be a better parsing system that copes +with different map formats and also Amd (another automounter) maps. +

NB: A working NIS is required on the system for this option to work. +

See also "nis homedir", domain +logons. +

Default: + homedir map = auto.home +

Example: + homedir map = amd.homedir +

+
hosts allow (S) +

Synonym for allow hosts. +

+
hosts deny (S) +

Synonym for denyhosts. +

+
hosts equiv (G) +

If this global parameter is a non-null string, it specifies the name +of a file to read for the names of hosts and users who will be allowed +access without specifying a password. +

This is not be confused with allow hosts which +is about hosts access to services and is more useful for guest +services. hosts equiv may be useful for NT clients which will not +supply passwords to samba. +

NOTE: The use of hosts equiv can be a major security hole. This is +because you are trusting the PC to supply the correct username. It is +very easy to get a PC to supply a false username. I recommend that the +hosts equiv option be only used if you really know what you are +doing, or perhaps on a home network where you trust your spouse and +kids. And only if you really trust them :-). +

Default + No host equivalences +

Example + hosts equiv = /etc/hosts.equiv +

+
include (G) +

This allows you to include one config file inside another. The file +is included literally, as though typed in place. +

It takes the standard substitutions, except %u, +%P and %S. +

+
interfaces (G) +

This option allows you to setup multiple network interfaces, so that +Samba can properly handle browsing on all interfaces. +

The option takes a list of ip/netmask pairs. The netmask may either be +a bitmask, or a bitlength. +

For example, the following line: +

interfaces = 192.168.2.10/24 192.168.3.10/24 +

would configure two network interfaces with IP addresses 192.168.2.10 +and 192.168.3.10. The netmasks of both interfaces would be set to +255.255.255.0. +

You could produce an equivalent result by using: +

interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0 +

if you prefer that format. +

If this option is not set then Samba will attempt to find a primary +interface, but won't attempt to configure more than one interface. +

See also "bind interfaces only". +

+
invalid users (S) +

This is a list of users that should not be allowed to login to this +service. This is really a "paranoid" check to absolutely ensure an +improper setting does not breach your security. +

A name starting with a '@' is interpreted as an NIS netgroup first +(if your system supports NIS), and then as a UNIX group if the name +was not found in the NIS netgroup database. +

A name starting with '+' is interpreted only by looking in the +UNIX group database. A name starting with '&' is interpreted only +by looking in the NIS netgroup database (this requires NIS to be +working on your system). The characters '+' and '&' may be +used at the start of the name in either order so the value +"+&group" means check the UNIX group database, followed by the NIS +netgroup database, and the value "&+group" means check the NIS +netgroup database, followed by the UNIX group database (the same as +the '@' prefix). +

The current servicename is substituted for +%S. This is useful in the [homes] +section. +

See also "valid users". +

Default: + No invalid users +

Example: + invalid users = root fred admin @wheel +

+
keepalive (G) +

The value of the parameter (an integer) represents the number of +seconds between 'keepalive' packets. If this parameter is zero, no +keepalive packets will be sent. Keepalive packets, if sent, allow the +server to tell whether a client is still present and responding. +

Keepalives should, in general, not be needed if the socket being used +has the SO_KEEPALIVE attribute set on it (see "socket +options"). Basically you should only use this option +if you strike difficulties. +

Default: + keep alive = 0 +

Example: + keep alive = 60 +

+
kernel oplocks (G) +

For UNIXs that support kernel based oplocks +(currently only IRIX but hopefully also Linux and FreeBSD soon) this +parameter allows the use of them to be turned on or off. +

Kernel oplocks support allows Samba oplocks to be +broken whenever a local UNIX process or NFS operation accesses a file +that smbd has oplocked. This allows complete +data consistancy between SMB/CIFS, NFS and local file access (and is a +very cool feature :-). +

This parameter defaults to "On" on systems that have the support, +and "off" on systems that don't. You should never need to touch +this parameter. +

+
ldap filter (G) +

This parameter is part of the EXPERIMENTAL Samba support for a +password database stored on an LDAP server back-end. These options +are only available if your version of Samba was configured with +the --with-ldap option. +

This parameter specifies an LDAP search filter used to search for a +user name in the LDAP database. It must contain the string +%u which will be replaced with the user being +searched for. +

Default: + empty string. +

+
ldap port (G) +

This parameter is part of the EXPERIMENTAL Samba support for a +password database stored on an LDAP server back-end. These options +are only available if your version of Samba was configured with +the --with-ldap option. +

This parameter specifies the TCP port number to use to contact +the LDAP server on. +

Default: + ldap port = 389. +

+
ldap root (G) +

This parameter is part of the EXPERIMENTAL Samba support for a +password database stored on an LDAP server back-end. These options +are only available if your version of Samba was configured with +the --with-ldap option. +

This parameter specifies the entity to bind to the LDAP server +as (essentially the LDAP username) in order to be able to perform +queries and modifications on the LDAP database. +

See also ldap root passwd. +

Default: + empty string (no user defined) +

+
ldap root passwd (G) +

This parameter is part of the EXPERIMENTAL Samba support for a +password database stored on an LDAP server back-end. These options +are only available if your version of Samba was configured with +the --with-ldap option. +

This parameter specifies the password for the entity to bind to the +LDAP server as (the password for this LDAP username) in order to be +able to perform queries and modifications on the LDAP database. +

BUGS: This parameter should NOT be a readable parameter +in the smb.conf file and will be removed once a correct +storage place is found. +

See also ldap root. +

Default: + empty string. +

+
ldap server (G) +

This parameter is part of the EXPERIMENTAL Samba support for a +password database stored on an LDAP server back-end. These options +are only available if your version of Samba was configured with +the --with-ldap option. +

This parameter specifies the DNS name of the LDAP server to use +for SMB/CIFS authentication purposes. +

Default: + ldap server = localhost +

+
ldap suffix (G) +

This parameter is part of the EXPERIMENTAL Samba support for a +password database stored on an LDAP server back-end. These options +are only available if your version of Samba was configured with +the --with-ldap option. +

This parameter specifies the "dn" or LDAP "distinguished name" +that tells smbd to start from when searching +for an entry in the LDAP password database. +

Default: + empty string. +

+
lm announce (G) +

This parameter determines if nmbd will produce +Lanman announce broadcasts that are needed by OS/2 clients in order +for them to see the Samba server in their browse list. This parameter +can have three values, "true", "false", or "auto". The +default is "auto". If set to "false" Samba will never produce +these broadcasts. If set to "true" Samba will produce Lanman +announce broadcasts at a frequency set by the parameter "lm +interval". If set to "auto" Samba will not send Lanman +announce broadcasts by default but will listen for them. If it hears +such a broadcast on the wire it will then start sending them at a +frequency set by the parameter "lm interval". +

See also "lm interval". +

Default: + lm announce = auto +

Example: + lm announce = true +

+
lm interval (G) +

If Samba is set to produce Lanman announce broadcasts needed by +OS/2 clients (see the "lm announce" +parameter) then this parameter defines the frequency in seconds with +which they will be made. If this is set to zero then no Lanman +announcements will be made despite the setting of the "lm +announce" parameter. +

See also "lm announce". +

Default: + lm interval = 60 +

Example: + lm interval = 120 +

+
load printers (G) +

A boolean variable that controls whether all printers in the printcap +will be loaded for browsing by default. See the +"printers" section for more details. +

Default: + load printers = yes +

bg(Example:) + load printers = no +

+
local master (G) +

This option allows nmbd to try and become a +local master browser on a subnet. If set to False then +nmbd will not attempt to become a local master +browser on a subnet and will also lose in all browsing elections. By +default this value is set to true. Setting this value to true doesn't +mean that Samba will become the local master browser on a subnet, +just that nmbd will participate in +elections for local master browser. +

Setting this value to False will cause nmbd +never to become a local master browser. +

Default: + local master = yes +

+
lock dir (G) +

Synonym for "lock directory". +

+
lock directory (G) +

This option specifies the directory where lock files will be placed. +The lock files are used to implement the "max +connections" option. +

Default: + lock directory = /tmp/samba +

Example: + lock directory = /usr/local/samba/var/locks +

+
locking (S) +

This controls whether or not locking will be performed by the server +in response to lock requests from the client. +

If "locking = no", all lock and unlock requests will appear to +succeed and all lock queries will indicate that the queried lock is +clear. +

If "locking = yes", real locking will be performed by the server. +

This option may be useful for read-only filesystems which may +not need locking (such as cdrom drives), although setting this +parameter of "no" is not really recommended even in this case. +

Be careful about disabling locking either globally or in a specific +service, as lack of locking may result in data corruption. You should +never need to set this parameter. +

Default: + locking = yes +

Example: + locking = no +

+
log file (G) +

This options allows you to override the name of the Samba log file +(also known as the debug file). +

This option takes the standard substitutions, allowing you to have +separate log files for each user or machine. +

Example: + log file = /usr/local/samba/var/log.%m +

+
log level (G) +

Synonym for "debug level". +

+
logon drive (G) +

This parameter specifies the local path to which the home directory +will be connected (see "logon home") and is only +used by NT Workstations. +

Note that this option is only useful if Samba is set up as a +logon server. +

Example: + logon drive = h: +

+
logon home (G) +

This parameter specifies the home directory location when a Win95/98 or +NT Workstation logs into a Samba PDC. It allows you to do +

"NET USE H: /HOME" +

from a command prompt, for example. +

This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. +

Note that this option is only useful if Samba is set up as a +logon server. +

Example: + logon home = "\\remote_smb_server\%U" +

Default: + logon home = "\\%N\%U" +

+
logon path (G) +

This parameter specifies the home directory where roaming profiles +(USER.DAT / USER.MAN files for Windows 95/98) are stored. +

This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. It also specifies +the directory from which the "desktop", "start menu", +"network neighborhood" and "programs" folders, and their +contents, are loaded and displayed on your Windows 95/98 client. +

The share and the path must be readable by the user for the +preferences and directories to be loaded onto the Windows 95/98 +client. The share must be writeable when the logs in for the first +time, in order that the Windows 95/98 client can create the user.dat +and other directories. +

Thereafter, the directories and any of contents can, if required, be +made read-only. It is not adviseable that the USER.DAT file be made +read-only - rename it to USER.MAN to achieve the desired effect (a +MANdatory profile). +

Windows clients can sometimes maintain a connection to the [homes] +share, even though there is no user logged in. Therefore, it is vital +that the logon path does not include a reference to the homes share +(i.e setting this parameter to \\%N\HOMES\profile_path will cause +problems). +

This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. +

Note that this option is only useful if Samba is set up as a +logon server. +

Default: + logon path = \\%N\%U\profile +

Example: + logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE +

+
logon script (G) +

This parameter specifies the batch file (.bat) or NT command file +(.cmd) to be downloaded and run on a machine when a user successfully +logs in. The file must contain the DOS style cr/lf line endings. +Using a DOS-style editor to create the file is recommended. +

The script must be a relative path to the [netlogon] service. If +the [netlogon] service specifies a path of +/usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the +file that will be downloaded is: +

/usr/local/samba/netlogon/STARTUP.BAT +

The contents of the batch file is entirely your choice. A suggested +command would be to add NET TIME \\SERVER /SET /YES, to force every +machine to synchronise clocks with the same time server. Another use +would be to add NET USE U: \\SERVER\UTILS for commonly used +utilities, or NET USE Q: \\SERVER\ISO9001_QA for example. +

Note that it is particularly important not to allow write access to +the [netlogon] share, or to grant users write permission on the +batch files in a secure environment, as this would allow the batch +files to be arbitrarily modified and security to be breached. +

This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. +

Note that this option is only useful if Samba is set up as a +logon server. +

Example: + logon script = scripts\%U.bat +

+
lppause command (S) +

This parameter specifies the command to be executed on the server host +in order to stop printing or spooling a specific print job. +

This command should be a program or script which takes a printer name +and job number to pause the print job. One way of implementing this is +by using job priorities, where jobs having a too low priority won't be +sent to the printer. +

If a "%p" is given then the printername is put in its place. A +"%j" is replaced with the job number (an integer). On HPUX (see +printing=hpux), if the "-p%p" option is added +to the lpq command, the job will show up with the correct status, +i.e. if the job priority is lower than the set fence priority it will +have the PAUSED status, whereas if the priority is equal or higher it +will have the SPOOLED or PRINTING status. +

Note that it is good practice to include the absolute path in the +lppause command as the PATH may not be available to the server. +

See also the "printing" parameter. +

Default: + Currently no default value is given to this string, unless the +value of the "printing" parameter is SYSV, in +which case the default is : +

lp -i %p-%j -H hold +

or if the value of the "printing" parameter is softq, +then the default is: +

qstat -s -j%j -h +

Example for HPUX: + lppause command = /usr/bin/lpalt %p-%j -p0 +

+
lpq cache time (G) +

This controls how long lpq info will be cached for to prevent the +lpq command being called too often. A separate cache is kept for +each variation of the lpq command used by the system, so if you +use different lpq commands for different users then they won't +share cache information. +

The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of +the lpq command in use. +

The default is 10 seconds, meaning that the cached results of a +previous identical lpq command will be used if the cached data is +less than 10 seconds old. A large value may be advisable if your +lpq command is very slow. +

A value of 0 will disable cacheing completely. +

See also the "printing" parameter. +

Default: + lpq cache time = 10 +

Example: + lpq cache time = 30 +

+
lpq command (S) +

This parameter specifies the command to be executed on the server host +in order to obtain "lpq"-style printer status information. +

This command should be a program or script which takes a printer name +as its only parameter and outputs printer status information. +

Currently eight styles of printer status information are supported; +BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX +systems. You control which type is expected using the +"printing =" option. +

Some clients (notably Windows for Workgroups) may not correctly send +the connection number for the printer they are requesting status +information about. To get around this, the server reports on the first +printer service connected to by the client. This only happens if the +connection number sent is invalid. +

If a %p is given then the printername is put in its place. Otherwise +it is placed at the end of the command. +

Note that it is good practice to include the absolute path in the lpq +command as the PATH may not be available to the server. +

See also the "printing" parameter. +

Default: + depends on the setting of printing = +

Example: + lpq command = /usr/bin/lpq %p +

+
lpresume command (S) +

This parameter specifies the command to be executed on the server host +in order to restart or continue printing or spooling a specific print +job. +

This command should be a program or script which takes a printer name +and job number to resume the print job. See also the "lppause +command" parameter. +

If a %p is given then the printername is put in its place. A +%j is replaced with the job number (an integer). +

Note that it is good practice to include the absolute path in the lpresume +command as the PATH may not be available to the server. +

See also the "printing" parameter. +

Default: +

Currently no default value is given to this string, unless the +value of the "printing" parameter is SYSV, in +which case the default is : +

lp -i %p-%j -H resume +

or if the value of the "printing" parameter is softq, +then the default is: +

qstat -s -j%j -r +

Example for HPUX: + lpresume command = /usr/bin/lpalt %p-%j -p2 +

+
lprm command (S) +

This parameter specifies the command to be executed on the server host +in order to delete a print job. +

This command should be a program or script which takes a printer name +and job number, and deletes the print job. +

If a %p is given then the printername is put in its place. A +%j is replaced with the job number (an integer). +

Note that it is good practice to include the absolute path in the +lprm command as the PATH may not be available to the server. +

See also the "printing" parameter. +

Default: + depends on the setting of "printing =" +

Example 1: + lprm command = /usr/bin/lprm -P%p %j +

Example 2: + lprm command = /usr/bin/cancel %p-%j +

+
machine password timeout (G) +

If a Samba server is a member of an Windows NT Domain (see the +"security=domain") parameter) then +periodically a running smbd process will try and +change the MACHINE ACCOUNT PASWORD stored in the file called +<Domain>.<Machine>.mac where <Domain> is the name of the +Domain we are a member of and tt<Machine> is the primary +"NetBIOS name" of the machine +smbd is running on. This parameter specifies how +often this password will be changed, in seconds. The default is one +week (expressed in seconds), the same as a Windows NT Domain member +server. +

See also smbpasswd (8), and the +"security=domain") parameter. +

Default: + machine password timeout = 604800 +

+
magic output (S) +

This parameter specifies the name of a file which will contain output +created by a magic script (see the "magic +script" parameter below). +

Warning: If two clients use the same "magic +script" in the same directory the output file content +is undefined. +

Default: + magic output = <magic script name>.out +

Example: + magic output = myfile.txt +

+
magic script (S) +

This parameter specifies the name of a file which, if opened, will be +executed by the server when the file is closed. This allows a UNIX +script to be sent to the Samba host and executed on behalf of the +connected user. +

Scripts executed in this way will be deleted upon completion, +permissions permitting. +

If the script generates output, output will be sent to the file +specified by the "magic output" parameter (see +above). +

Note that some shells are unable to interpret scripts containing +carriage-return-linefeed instead of linefeed as the end-of-line +marker. Magic scripts must be executable "as is" on the host, +which for some hosts and some shells will require filtering at the DOS +end. +

Magic scripts are EXPERIMENTAL and should NOT be relied upon. +

Default: + None. Magic scripts disabled. +

Example: + magic script = user.csh +

+
mangle case (S) +

See the section on "NAME MANGLING". +

+
mangled map (S) +

This is for those who want to directly map UNIX file names which are +not representable on Windows/DOS. The mangling of names is not always +what is needed. In particular you may have documents with file +extensions that differ between DOS and UNIX. For example, under UNIX +it is common to use ".html" for HTML files, whereas under +Windows/DOS ".htm" is more commonly used. +

So to map "html" to "htm" you would use: +

mangled map = (*.html *.htm) +

One very useful case is to remove the annoying ";1" off the ends +of filenames on some CDROMS (only visible under some UNIXes). To do +this use a map of (*;1 *). +

default: + no mangled map +

Example: + mangled map = (*;1 *) +

+
mangled names (S) +

This controls whether non-DOS names under UNIX should be mapped to +DOS-compatible names ("mangled") and made visible, or whether non-DOS +names should simply be ignored. +

See the section on "NAME MANGLING" for details +on how to control the mangling process. +

If mangling is used then the mangling algorithm is as follows: +
- The first (up to) five alphanumeric characters before the +rightmost dot of the filename are preserved, forced to upper case, and +appear as the first (up to) five characters of the mangled name. +
- A tilde "~" is appended to the first part of the mangled +name, followed by a two-character unique sequence, based on the +original root name (i.e., the original filename minus its final +extension). The final extension is included in the hash calculation +only if it contains any upper case characters or is longer than three +characters. +
  
  Note that the character to use may be specified using the +"mangling char" option, if you don't like +'~'. +
- The first three alphanumeric characters of the final extension +are preserved, forced to upper case and appear as the extension of the +mangled name. The final extension is defined as that part of the +original filename after the rightmost dot. If there are no dots in the +filename, the mangled name will have no extension (except in the case +of "hidden files" - see below). +
- Files whose UNIX name begins with a dot will be presented as DOS +hidden files. The mangled name will be created as for other filenames, +but with the leading dot removed and "___" as its extension regardless +of actual original extension (that's three underscores). +
+

The two-digit hash value consists of upper case alphanumeric +characters. +

This algorithm can cause name collisions only if files in a directory +share the same first five alphanumeric characters. The probability of +such a clash is 1/1300. +

The name mangling (if enabled) allows a file to be copied between UNIX +directories from Windows/DOS while retaining the long UNIX +filename. UNIX files can be renamed to a new extension from +Windows/DOS and will retain the same basename. Mangled names do not +change between sessions. +

Default: + mangled names = yes +

Example: + mangled names = no +

+
mangling char (S) +

This controls what character is used as the "magic" character in +name mangling. The default is a '~' but +this may interfere with some software. Use this option to set it to +whatever you prefer. +

Default: + mangling char = ~ +

Example: + mangling char = ^ +

+
mangled stack (G) +

This parameter controls the number of mangled names that should be +cached in the Samba server smbd. +

This stack is a list of recently mangled base names (extensions are +only maintained if they are longer than 3 characters or contains upper +case characters). +

The larger this value, the more likely it is that mangled names can be +successfully converted to correct long UNIX names. However, large +stack sizes will slow most directory access. Smaller stacks save +memory in the server (each stack element costs 256 bytes). +

It is not possible to absolutely guarantee correct long file names, so +be prepared for some surprises! +

Default: + mangled stack = 50 +

Example: + mangled stack = 100 +

+
map archive (S) +

This controls whether the DOS archive attribute should be mapped to +the UNIX owner execute bit. The DOS archive bit is set when a file +has been modified since its last backup. One motivation for this +option it to keep Samba/your PC from making any file it touches from +becoming executable under UNIX. This can be quite annoying for shared +source code, documents, etc... +

Note that this requires the "create mask" +parameter to be set such that owner execute bit is not masked out +(ie. it must include 100). See the parameter "create +mask" for details. +

Default: + map archive = yes +

Example: + map archive = no +

+
map hidden (S) +

This controls whether DOS style hidden files should be mapped to the +UNIX world execute bit. +

Note that this requires the "create mask" to be +set such that the world execute bit is not masked out (ie. it must +include 001). See the parameter "create mask" +for details. +

Default: + map hidden = no +

Example: + map hidden = yes +

+
map system (S) +

This controls whether DOS style system files should be mapped to the +UNIX group execute bit. +

Note that this requires the "create mask" to be +set such that the group execute bit is not masked out (ie. it must +include 010). See the parameter "create mask" +for details. +

Default: + map system = no +

Example: + map system = yes +

+
map to guest (G) +

This parameter is only useful in security modes +other than "security=share" - ie. user, +server, and domain. +

This parameter can take three different values, which tell +smbd what to do with user login requests that +don't match a valid UNIX user in some way. +

The three settings are : +
- "Never" - Means user login requests with an invalid password +are rejected. This is the default. +
- "Bad User" - Means user logins with an invalid password are +rejected, unless the username does not exist, in which case it is +treated as a guest login and mapped into the "guest +account". +
- "Bad Password" - Means user logins with an invalid +password are treated as a guest login and mapped into the +"guest account". Note that this can +cause problems as it means that any user mistyping their +password will be silently logged on a "guest" - and +will not know the reason they cannot access files they think +they should - there will have been no message given to them +that they got their password wrong. Helpdesk services will +*hate* you if you set the "map to guest" parameter +this way :-). +
+

Note that this parameter is needed to set up "Guest" share +services when using security modes other than +share. This is because in these modes the name of the resource being +requested is *not* sent to the server until after the server has +successfully authenticated the client so the server cannot make +authentication decisions at the correct time (connection to the +share) for "Guest" shares. +

For people familiar with the older Samba releases, this parameter +maps to the old compile-time setting of the GUEST_SESSSETUP value +in local.h. +

Default: + map to guest = Never + Example: + map to guest = Bad User +

+
max connections (S) +

This option allows the number of simultaneous connections to a service +to be limited. If "max connections" is greater than 0 then +connections will be refused if this number of connections to the +service are already open. A value of zero mean an unlimited number of +connections may be made. +

Record lock files are used to implement this feature. The lock files +will be stored in the directory specified by the "lock +directory" option. +

Default: + max connections = 0 +

Example: + max connections = 10 +

+
max disk size (G) +

This option allows you to put an upper limit on the apparent size of +disks. If you set this option to 100 then all shares will appear to be +not larger than 100 MB in size. +

Note that this option does not limit the amount of data you can put on +the disk. In the above case you could still store much more than 100 +MB on the disk, but if a client ever asks for the amount of free disk +space or the total disk size then the result will be bounded by the +amount specified in "max disk size". +

This option is primarily useful to work around bugs in some pieces of +software that can't handle very large disks, particularly disks over +1GB in size. +

A "max disk size" of 0 means no limit. +

Default: + max disk size = 0 +

Example: + max disk size = 1000 +

+
max log size (G) +

This option (an integer in kilobytes) specifies the max size the log +file should grow to. Samba periodically checks the size and if it is +exceeded it will rename the file, adding a ".old" extension. +

A size of 0 means no limit. +

Default: + max log size = 5000 +

Example: + max log size = 1000 +

+
max mux (G) +

This option controls the maximum number of outstanding simultaneous +SMB operations that samba tells the client it will allow. You should +never need to set this parameter. +

Default: + max mux = 50 +

+
maxopenfiles (G) +

This parameter limits the maximum number of open files that one +smbd file serving process may have open for +a client at any one time. The default for this parameter is set +very high (10,000) as Samba uses only one bit per un-opened file. +

The limit of the number of open files is usually set by the +UNIX per-process file descriptor limit rather than this parameter +so you should never need to touch this parameter. +

Default: + max open files = 10000 +

+
max packet (G) +

Synonym for ">(packetsize). +

+
max ttl (G) +

This option tells nmbd what the default 'time +to live' of NetBIOS names should be (in seconds) when +nmbd is requesting a name using either a +broadcast packet or from a WINS server. You should never need to +change this parameter. The default is 3 days. +

Default: + max ttl = 259200 +

+
max wins ttl (G) +

This option tells nmbd when acting as a WINS +server (wins support =true) what the maximum +'time to live' of NetBIOS names that nmbd will +grant will be (in seconds). You should never need to change this +parameter. The default is 6 days (518400 seconds). +

See also the "min wins ttl" parameter. +

Default: + max wins ttl = 518400 +

+
max xmit (G) +

This option controls the maximum packet size that will be negotiated +by Samba. The default is 65535, which is the maximum. In some cases +you may find you get better performance with a smaller value. A value +below 2048 is likely to cause problems. +

Default: + max xmit = 65535 +

Example: + max xmit = 8192 +

+
message command (G) +

This specifies what command to run when the server receives a WinPopup +style message. +

This would normally be a command that would deliver the message +somehow. How this is to be done is up to your imagination. +

An example is: +

message command = csh -c 'xedit %s;rm %s' & +

This delivers the message using xedit, then removes it +afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN +IMMEDIATELY. That's why I have the '&' on the end. If it doesn't +return immediately then your PCs may freeze when sending messages +(they should recover after 30secs, hopefully). +

All messages are delivered as the global guest user. The command takes +the standard substitutions, although %u won't work +(%U may be better in this case). +

Apart from the standard substitutions, some additional ones apply. In +particular: +
- "%s" = the filename containing the message. +
- "%t" = the destination that the message was sent to (probably the server +name). +
- "%f" = who the message is from. +
+

You could make this command send mail, or whatever else takes your +fancy. Please let us know of any really interesting ideas you have. +

Here's a way of sending the messages as mail to root: +

message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s +

If you don't have a message command then the message won't be +delivered and Samba will tell the sender there was an +error. Unfortunately WfWg totally ignores the error code and carries +on regardless, saying that the message was delivered. +

If you want to silently delete it then try: +

"message command = rm %s". +

For the really adventurous, try something like this: +

message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient -M %m; rm %s' & +

this would execute the command as a script on the server, then give +them the result in a WinPopup message. Note that this could cause a +loop if you send a message from the server using smbclient! You better +wrap the above in a script that checks for this :-) +

Default: + no message command +

Example: + message command = csh -c 'xedit %s;rm %s' & +

+
min print space (S) +

This sets the minimum amount of free disk space that must be available +before a user will be able to spool a print job. It is specified in +kilobytes. The default is 0, which means a user can always spool a print +job. +

See also the printing parameter. +

Default: + min print space = 0 +

Example: + min print space = 2000 +

+
min wins ttl (G) +

This option tells nmbd when acting as a WINS +server (wins support = true) what the minimum +'time to live' of NetBIOS names that nmbd will +grant will be (in seconds). You should never need to change this +parameter. The default is 6 hours (21600 seconds). +

Default: + min wins ttl = 21600 +

+
name resolve order (G) +

This option is used by the programs in the Samba suite to determine +what naming services and in what order to resolve host names to IP +addresses. The option takes a space separated string of different name +resolution options. +

The options are :"lmhosts", "host", "wins" and "bcast". They cause +names to be resolved as follows : +
- lmhosts : Lookup an IP address in the Samba lmhosts file. +
- host : Do a standard host name to IP address resolution, +using the system /etc/hosts, NIS, or DNS lookups. This method of name +resolution is operating system depended for instance on IRIX or +Solaris this may be controlled by the /etc/nsswitch.conf file). +
- wins : Query a name with the IP address listed in the +wins server parameter. If no WINS server has +been specified this method will be ignored. +
- bcast : Do a broadcast on each of the known local interfaces +listed in the interfaces parameter. This is the +least reliable of the name resolution methods as it depends on the +target host being on a locally connected subnet. +
+

Default: + name resolve order = lmhosts host wins bcast +

Example: + name resolve order = lmhosts bcast host +

This will cause the local lmhosts file to be examined first, followed +by a broadcast attempt, followed by a normal system hostname lookup. +

+
netbios aliases (G) +

This is a list of NetBIOS names that nmbd will +advertise as additional names by which the Samba server is known. This +allows one machine to appear in browse lists under multiple names. If +a machine is acting as a browse server or +logon server none of these names will be +advertised as either browse server or logon servers, only the primary +name of the machine will be advertised with these capabilities. +

See also "netbios name". +

Default: + empty string (no additional names) +

Example: + netbios aliases = TEST TEST1 TEST2 +

+
netbios name (G) +

This sets the NetBIOS name by which a Samba server is known. By +default it is the same as the first component of the host's DNS name. +If a machine is a browse server or +logon server this name (or the first component +of the hosts DNS name) will be the name that these services are +advertised under. +

See also "netbios aliases". +

Default: + Machine DNS name. +

Example: + netbios name = MYNAME +

+
nis homedir (G) +

Get the home share server from a NIS map. For UNIX systems that use an +automounter, the user's home directory will often be mounted on a +workstation on demand from a remote server. +

When the Samba logon server is not the actual home directory server, +but is mounting the home directories via NFS then two network hops +would be required to access the users home directory if the logon +server told the client to use itself as the SMB server for home +directories (one over SMB and one over NFS). This can be very +slow. +

This option allows Samba to return the home share as being on a +different server to the logon server and as long as a Samba daemon is +running on the home directory server, it will be mounted on the Samba +client directly from the directory server. When Samba is returning the +home share to the client, it will consult the NIS map specified in +"homedir map" and return the server listed +there. +

Note that for this option to work there must be a working NIS +system and the Samba server with this option must also be a +logon server. +

Default: + nis homedir = false +

Example: + nis homedir = true +

+
nt pipe support (G) +

This boolean parameter controlls whether smbd +will allow Windows NT clients to connect to the NT SMB specific +IPC$ pipes. This is a developer debugging option and can be left +alone. +

Default: + nt pipe support = yes +

+
nt smb support (G) +

This boolean parameter controlls whether smbd +will negotiate NT specific SMB support with Windows NT +clients. Although this is a developer debugging option and should be +left alone, benchmarking has discovered that Windows NT clients give +faster performance with this option set to "no". This is still +being investigated. If this option is set to "no" then Samba +offers exactly the same SMB calls that versions prior to Samba2.0 +offered. This information may be of use if any users are having +problems with NT SMB support. +

Default: + nt support = yes +

+
null passwords (G) +

Allow or disallow client access to accounts that have null passwords. +

See also smbpasswd (5). +

Default: + null passwords = no +

Example: + null passwords = yes +

+
ole locking compatibility (G) +

This parameter allows an administrator to turn off the byte range lock +manipulation that is done within Samba to give compatibility for OLE +applications. Windows OLE applications use byte range locking as a +form of inter-process communication, by locking ranges of bytes around +the 2^32 region of a file range. This can cause certain UNIX lock +managers to crash or otherwise cause problems. Setting this parameter +to "no" means you trust your UNIX lock manager to handle such cases +correctly. +

Default: + ole locking compatibility = yes +

Example: + ole locking compatibility = no +

+
only guest (S) +

A synonym for "guest only". +

+
only user (S) +

This is a boolean option that controls whether connections with +usernames not in the user= list will be allowed. By +default this option is disabled so a client can supply a username to +be used by the server. +

Note that this also means Samba won't try to deduce usernames from the +service name. This can be annoying for the [homes] +section. To get around this you could use "user = +%S" which means your "user" list +will be just the service name, which for home directories is the name +of the user. +

See also the user parameter. +

Default: + only user = False +

Example: + only user = True +

+
oplocks (S) +

This boolean option tells smbd whether to issue oplocks (opportunistic +locks) to file open requests on this share. The oplock code can +dramatically (approx 30% or more) improve the speed of access to files +on Samba servers. It allows the clients to agressively cache files +locally and you may want to disable this option for unreliable network +environments (it is turned on by default in Windows NT Servers). For +more information see the file Speed.txt in the Samba docs/ directory. +

Oplocks may be selectively turned off on certain files on a per share basis. +See the 'veto oplock files' parameter. On some systems oplocks are recognised +by the underlying operating system. This allows data synchronisation between +all access to oplocked files, whether it be via Samba or NFS or a local +UNIX process. See the kernel oplocks parameter +for details. +

Default: + oplocks = True +

Example: + oplocks = False +

+
os level (G) +

This integer value controls what level Samba advertises itself as for +browse elections. The value of this parameter determines whether +nmbd has a chance of becoming a local master +browser for the WORKGROUP in the local broadcast +area. The default is zero, which means nmbd will +lose elections to Windows machines. See BROWSING.txt in the Samba +docs/ directory for details. +

Default: + os level = 0 +

Example: + os level = 65 ; This will win against any NT Server +

+
packet size (G) +

This is a deprecated parameter that how no effect on the current +Samba code. It is left in the parameter list to prevent breaking +old smb.conf files. +

+
panic action (G) +

This is a Samba developer option that allows a system command to be +called when either smbd or +nmbd crashes. This is usually used to draw +attention to the fact that a problem occured. +

Default: + panic action = <empty string> +

+
passwd chat (G) +

This string controls the "chat" conversation that takes places +between smbd and the local password changing +program to change the users password. The string describes a sequence +of response-receive pairs that smbd uses to +determine what to send to the passwd program +and what to expect back. If the expected output is not received then +the password is not changed. +

This chat sequence is often quite site specific, depending on what +local methods are used for password control (such as NIS etc). +

The string can contain the macros "%o" and "%n" which are +substituted for the old and new passwords respectively. It can also +contain the standard macros "\n", "\r", "\t" and "\s" +to give line-feed, carriage-return, tab and space. +

The string can also contain a '*' which matches any sequence of +characters. +

Double quotes can be used to collect strings with spaces in them into +a single string. +

If the send string in any part of the chat sequence is a fullstop +"." then no string is sent. Similarly, is the expect string is a +fullstop then no string is expected. +

Note that if the "unix password sync" +parameter is set to true, then this sequence is called *AS ROOT* +when the SMB password in the smbpasswd file is being changed, without +access to the old password cleartext. In this case the old password +cleartext is set to "" (the empty string). +

See also "unix password sync", +"passwd program" and "passwd chat +debug". +

Example: +
```
+ passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"
+
+
```
+ +

Default: +
```
+       passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*
+
```
+ +

+
passwd chat debug (G) +

This boolean specifies if the passwd chat script parameter is run in +"debug" mode. In this mode the strings passed to and received from +the passwd chat are printed in the smbd log with +a "debug level" of 100. This is a dangerous +option as it will allow plaintext passwords to be seen in the +smbd log. It is available to help Samba admins +debug their "passwd chat" scripts when calling +the "passwd program" and should be turned off +after this has been done. This parameter is off by default. +

See also "passwd chat", "passwd +program". +

Example: + passwd chat debug = True +

Default: + passwd chat debug = False +

+
passwd program (G) +

The name of a program that can be used to set UNIX user passwords. +Any occurrences of %u will be replaced with the +user name. The user name is checked for existance before calling the +password changing program. +

Also note that many passwd programs insist in "reasonable" +passwords, such as a minimum length, or the inclusion of mixed case +chars and digits. This can pose a problem as some clients (such as +Windows for Workgroups) uppercase the password before sending it. +

Note that if the "unix password sync" +parameter is set to "True" then this program is called *AS +ROOT* before the SMB password in the +smbpassswd file is changed. If this UNIX +password change fails, then smbd will fail to +change the SMB password also (this is by design). +

If the "unix password sync" parameter is +set this parameter MUST USE ABSOLUTE PATHS for ALL programs +called, and must be examined for security implications. Note that by +default "unix password sync" is set to +"False". +

See also "unix password sync". +

Default: + passwd program = /bin/passwd +

Example: + passwd program = /sbin/passwd %u +

+
password level (G) +

Some client/server combinations have difficulty with mixed-case +passwords. One offending client is Windows for Workgroups, which for +some reason forces passwords to upper case when using the LANMAN1 +protocol, but leaves them alone when using COREPLUS! +

This parameter defines the maximum number of characters that may be +upper case in passwords. +

For example, say the password given was "FRED". If password +level is set to 1, the following combinations would be tried if +"FRED" failed: +

"Fred", "fred", "fRed", "frEd", "freD" +

If password level was set to 2, the following combinations would +also be tried: +

"FRed", "FrEd", "FreD", "fREd", "fReD", +"frED", .. +

And so on. +

The higher value this parameter is set to the more likely it is that a +mixed case password will be matched against a single case +password. However, you should be aware that use of this parameter +reduces security and increases the time taken to process a new +connection. +

A value of zero will cause only two attempts to be made - the password +as is and the password in all-lower case. +

Default: + password level = 0 +

Example: + password level = 4 +

+
password server (G) +

By specifying the name of another SMB server (such as a WinNT box) +with this option, and using "security = domain" or +"security = server" you can get Samba to do all +its username/password validation via a remote server. +

This options sets the name of the password server to use. It must be a +NetBIOS name, so if the machine's NetBIOS name is different from its +internet name then you may have to add its NetBIOS name to the lmhosts +file which is stored in the same directory as the smb.conf file. +

The name of the password server is looked up using the parameter +"name resolve order=" and so may resolved +by any method and order described in that parameter. +

The password server much be a machine capable of using the "LM1.2X002" +or the "LM NT 0.12" protocol, and it must be in user level security +mode. +

NOTE: Using a password server means your UNIX box (running Samba) is +only as secure as your password server. DO NOT CHOOSE A PASSWORD +SERVER THAT YOU DON'T COMPLETELY TRUST. +

Never point a Samba server at itself for password serving. This will +cause a loop and could lock up your Samba server! +

The name of the password server takes the standard substitutions, but +probably the only useful one is %m, which means +the Samba server will use the incoming client as the password +server. If you use this then you better trust your clients, and you +better restrict them with hosts allow! +

If the "security" parameter is set to +"domain", then the list of machines in this option must be a list +of Primary or Backup Domain controllers for the +Domain, as the Samba server is cryptographically +in that domain, and will use crpytographically authenticated RPC calls +to authenticate the user logging on. The advantage of using +"security=domain" is that if you list +several hosts in the "password server" option then +smbd will try each in turn till it finds one +that responds. This is useful in case your primary server goes down. +

If the "security" parameter is set to +"server", then there are different +restrictions that "security=domain" +doesn't suffer from: +
- You may list several password servers in the "password server" +parameter, however if an smbd makes a connection +to a password server, and then the password server fails, no more +users will be able to be authenticated from this +smbd. This is a restriction of the SMB/CIFS +protocol when in "security=server" mode +and cannot be fixed in Samba. +
- If you are using a Windows NT server as your password server then +you will have to ensure that your users are able to login from the +Samba server, as when in +"security=server" mode the network +logon will appear to come from there rather than from the users +workstation. +
+

See also the "security" parameter. +

Default: + password server = <empty string> +

Example: + password server = NT-PDC, NT-BDC1, NT-BDC2 +

+
path (S) +

This parameter specifies a directory to which the user of the service +is to be given access. In the case of printable services, this is +where print data will spool prior to being submitted to the host for +printing. +

For a printable service offering guest access, the service should be +readonly and the path should be world-writable and have the sticky bit +set. This is not mandatory of course, but you probably won't get the +results you expect if you do otherwise. +

Any occurrences of %u in the path will be replaced +with the UNIX username that the client is using on this +connection. Any occurrences of %m will be replaced +by the NetBIOS name of the machine they are connecting from. These +replacements are very useful for setting up pseudo home directories +for users. +

Note that this path will be based on "root dir" if +one was specified. +

Default: + none +

Example: + path = /home/fred +

+
postexec (S) +

This option specifies a command to be run whenever the service is +disconnected. It takes the usual substitutions. The command may be run +as the root on some systems. +

An interesting example may be do unmount server resources: +

postexec = /etc/umount /cdrom +

See also preexec. +

Default: + none (no command executed) +

Example: + postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log +

+
postscript (S) +

This parameter forces a printer to interpret the print files as +postscript. This is done by adding a %! to the start of print output. +

This is most useful when you have lots of PCs that persist in putting +a control-D at the start of print jobs, which then confuses your +printer. +

Default: + postscript = False +

Example: + postscript = True +

+
preexec (S) +

This option specifies a command to be run whenever the service is +connected to. It takes the usual substitutions. +

An interesting example is to send the users a welcome message every +time they log in. Maybe a message of the day? Here is an example: +

+ + preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & + +
+ +

Of course, this could get annoying after a while :- +

See also postexec. +

Default: + none (no command executed) +

Example: + preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log +

+
preferred master (G) +

This boolean parameter controls if nmbd is a +preferred master browser for its workgroup. +

If this is set to true, on startup, nmbd will +force an election, and it will have a slight advantage in winning the +election. It is recommended that this parameter is used in +conjunction with "domain master = yes", so +that nmbd can guarantee becoming a domain +master. +

Use this option with caution, because if there are several hosts +(whether Samba servers, Windows 95 or NT) that are preferred master +browsers on the same subnet, they will each periodically and +continuously attempt to become the local master browser. This will +result in unnecessary broadcast traffic and reduced browsing +capabilities. +

See also os level. +

Default: + preferred master = no +

Example: + preferred master = yes +

+
prefered master (G) +

Synonym for "preferred master" for people +who cannot spell :-). +

+
preload +Synonym for "auto services". +

+
preserve case (S) +

This controls if new filenames are created with the case that the +client passes, or if they are forced to be the "default" case. +

Default: + preserve case = yes +

See the section on "NAME MANGLING" for a +fuller discussion. +

+
print command (S) +

After a print job has finished spooling to a service, this command +will be used via a system() call to process the spool +file. Typically the command specified will submit the spool file to +the host's printing subsystem, but there is no requirement that this +be the case. The server will not remove the spool file, so whatever +command you specify should remove the spool file when it has been +processed, otherwise you will need to manually remove old spool files. +

The print command is simply a text string. It will be used verbatim, +with two exceptions: All occurrences of "%s" will be replaced by +the appropriate spool file name, and all occurrences of "%p" will +be replaced by the appropriate printer name. The spool file name is +generated automatically by the server, the printer name is discussed +below. +

The full path name will be used for the filename if "%s" is not +preceded by a '/'. If you don't like this (it can stuff up some +lpq output) then use "%f" instead. Any occurrences of "%f" get +replaced by the spool filename without the full path at the front. +

The print command MUST contain at least one occurrence of "%s" +or "%f" - the "%p" is optional. At the time a job is +submitted, if no printer name is supplied the "%p" will be +silently removed from the printer command. +

If specified in the "[global]" section, the print +command given will be used for any printable service that does not +have its own print command specified. +

If there is neither a specified print command for a printable service +nor a global print command, spool files will be created but not +processed and (most importantly) not removed. +

Note that printing may fail on some UNIXes from the "nobody" +account. If this happens then create an alternative guest account that +can print and set the "guest account" in the +"[global]" section. +

You can form quite complex print commands by realising that they are +just passed to a shell. For example the following will log a print +job, print the file, then remove it. Note that ';' is the usual +separator for command in shell scripts. +

print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s +

You may have to vary this command considerably depending on how you +normally print files on your system. The default for the parameter +varies depending on the setting of the "printing=" +parameter. +

Default: + For "printing=" BSD, AIX, QNX, LPRNG or PLP : + print command = lpr -r -P%p %s +

For "printing=" SYS or HPUX : + print command = lp -c -d%p %s; rm %s +

For "printing=" SOFTQ : + print command = lp -d%p -s %s; rm %s +

Example: + print command = /usr/local/samba/bin/myprintscript %p %s +

+
print ok (S) +

Synonym for printable. +

+
printable (S) +

If this parameter is "yes", then clients may open, write to and +submit spool files on the directory specified for the service. +

Note that a printable service will ALWAYS allow writing to the service +path (user privileges permitting) via the spooling of print data. The +"read only" parameter controls only non-printing +access to the resource. +

Default: + printable = no +

Example: + printable = yes +

+
printcap (G) +

Synonym for printcapname. +

+
printcap name (G) +

This parameter may be used to override the compiled-in default +printcap name used by the server (usually /etc/printcap). See the +discussion of the [printers] section above for +reasons why you might want to do this. +

On System V systems that use lpstat to list available printers you +can use "printcap name = lpstat" to automatically obtain lists of +available printers. This is the default for systems that define SYSV +at configure time in Samba (this includes most System V based +systems). If "printcap name" is set to lpstat on these systems +then Samba will launch "lpstat -v" and attempt to parse the output +to obtain a printer list. +

A minimal printcap file would look something like this: +
```
+
+	print1|My Printer 1
+	print2|My Printer 2
+	print3|My Printer 3
+	print4|My Printer 4
+	print5|My Printer 5
+
+
```
+ +

where the '|' separates aliases of a printer. The fact that the +second alias has a space in it gives a hint to Samba that it's a +comment. +

NOTE: Under AIX the default printcap name is +"/etc/qconfig". Samba will assume the file is in AIX "qconfig" +format if the string "/qconfig" appears in the printcap filename. +

Default: + printcap name = /etc/printcap +

Example: + printcap name = /etc/myprintcap +

+
printer (S) +

This parameter specifies the name of the printer to which print jobs +spooled through a printable service will be sent. +

If specified in the [global] section, the printer +name given will be used for any printable service that does not have +its own printer name specified. +

Default: + none (but may be "lp" on many systems) +

Example: + printer name = laserwriter +

+
printer driver (S) +

This option allows you to control the string that clients receive when +they ask the server for the printer driver associated with a +printer. If you are using Windows95 or WindowsNT then you can use this +to automate the setup of printers on your system. +

You need to set this parameter to the exact string (case sensitive) +that describes the appropriate printer driver for your system. If you +don't know the exact string to use then you should first try with no +"printer driver" option set and the client will give you a list of +printer drivers. The appropriate strings are shown in a scrollbox +after you have chosen the printer manufacturer. +

See also "printer driver file". +

Example: + printer driver = HP LaserJet 4L +

+
printer driver file (G) +

This parameter tells Samba where the printer driver definition file, +used when serving drivers to Windows 95 clients, is to be found. If +this is not set, the default is : +

SAMBA_INSTALL_DIRECTORY/lib/printers.def +

This file is created from Windows 95 "msprint.def" files found on +the Windows 95 client system. For more details on setting up serving +of printer drivers to Windows 95 clients, see the documentation file +in the docs/ directory, PRINTER_DRIVER.txt. +

Default: + None (set in compile). +

Example: + printer driver file = /usr/local/samba/printers/drivers.def +

See also "printer driver location". +

+
printer driver location (S) +

This parameter tells clients of a particular printer share where to +find the printer driver files for the automatic installation of +drivers for Windows 95 machines. If Samba is set up to serve printer +drivers to Windows 95 machines, this should be set to +

\\MACHINE\aPRINTER$ +

Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ +is a share you set up for serving printer driver files. For more +details on setting this up see the documentation file in the docs/ +directory, PRINTER_DRIVER.txt. +

Default: + None +

Example: + printer driver location = \\MACHINE\PRINTER$ +

See also "printer driver file". +

+
printer name (S) +

Synonym for printer. +

+
printing (S) +

This parameters controls how printer status information is interpreted +on your system, and also affects the default values for the +"print command", "lpq +command" "lppause command", +"lpresume command", and "lprm +command". +

Currently eight printing styles are supported. They are +"printing=BSD", "printing=AIX", "printing=LPRNG", +"printing=PLP", +"printing=SYSV","printing="HPUX","printing=QNX" and +"printing=SOFTQ". +

To see what the defaults are for the other print commands when using +these three options use the "testparm" program. +

This option can be set on a per printer basis +

See also the discussion in the [printers] section. +

+
protocol (G) +

The value of the parameter (a string) is the highest protocol level +that will be supported by the server. +

Possible values are : +
- CORE: Earliest version. No concept of user names. +
- COREPLUS: Slight improvements on CORE for efficiency. +
- LANMAN1: First "modern" version of the protocol. Long +filename support. +
- LANMAN2: Updates to Lanman1 protocol. +
- NT1: Current up to date version of the protocol. Used by Windows +NT. Known as CIFS. +
+

Normally this option should not be set as the automatic negotiation +phase in the SMB protocol takes care of choosing the appropriate +protocol. +

Default: + protocol = NT1 +

Example: + protocol = LANMAN1 +

+
public (S) +

Synonym for "guest ok". +

+
queuepause command (S) +

This parameter specifies the command to be executed on the server host +in order to pause the printerqueue. +

This command should be a program or script which takes a printer name +as its only parameter and stops the printerqueue, such that no longer +jobs are submitted to the printer. +

This command is not supported by Windows for Workgroups, but can be +issued from the Printer's window under Windows 95 & NT. +

If a "%p" is given then the printername is put in its +place. Otherwise it is placed at the end of the command. +

Note that it is good practice to include the absolute path in the +command as the PATH may not be available to the server. +

Default: + depends on the setting of "printing =" +

Example: + queuepause command = disable %p +

+
queueresume command (S) +

This parameter specifies the command to be executed on the server host +in order to resume the printerqueue. It is the command to undo the +behaviour that is caused by the previous parameter +("queuepause command). +

This command should be a program or script which takes a printer name +as its only parameter and resumes the printerqueue, such that queued +jobs are resubmitted to the printer. +

This command is not supported by Windows for Workgroups, but can be +issued from the Printer's window under Windows 95 & NT. +

If a "%p" is given then the printername is put in its +place. Otherwise it is placed at the end of the command. +

Note that it is good practice to include the absolute path in the +command as the PATH may not be available to the server. +

Default: + depends on the setting of "printing =" +

Example: + queuepause command = enable %p +

+
read bmpx (G) +

This boolean parameter controls whether smbd +will support the "Read Block Multiplex" SMB. This is now rarely used +and defaults to off. You should never need to set this parameter. +

Default: + read bmpx = No +

+
read list (S) +

This is a list of users that are given read-only access to a +service. If the connecting user is in this list then they will not be +given write access, no matter what the "read only" +option is set to. The list can include group names using the syntax +described in the "invalid users" parameter. +

See also the "write list" parameter and +the "invalid users" parameter. +

Default: + read list = <empty string> +

Example: + read list = mary, @students +

+
read only (S) +

Note that this is an inverted synonym for +"writable" and "write ok". +

See also "writable" and "write +ok". +

+
read prediction (G) +

NOTE: This code is currently disabled in Samba2.0 and +may be removed at a later date. Hence this parameter has +no effect. +

This options enables or disables the read prediction code used to +speed up reads from the server. When enabled the server will try to +pre-read data from the last accessed file that was opened read-only +while waiting for packets. +

Default: + read prediction = False +

+
read raw (G) +

This parameter controls whether or not the server will support the raw +read SMB requests when transferring data to clients. +

If enabled, raw reads allow reads of 65535 bytes in one packet. This +typically provides a major performance benefit. +

However, some clients either negotiate the allowable block size +incorrectly or are incapable of supporting larger block sizes, and for +these clients you may need to disable raw reads. +

In general this parameter should be viewed as a system tuning tool and left +severely alone. See also "write raw". +

Default: + read raw = yes +

+
read size (G) +

The option "read size" affects the overlap of disk reads/writes +with network reads/writes. If the amount of data being transferred in +several of the SMB commands (currently SMBwrite, SMBwriteX and +SMBreadbraw) is larger than this value then the server begins writing +the data before it has received the whole packet from the network, or +in the case of SMBreadbraw, it begins writing to the network before +all the data has been read from disk. +

This overlapping works best when the speeds of disk and network access +are similar, having very little effect when the speed of one is much +greater than the other. +

The default value is 2048, but very little experimentation has been +done yet to determine the optimal value, and it is likely that the +best value will vary greatly between systems anyway. A value over +65536 is pointless and will cause you to allocate memory +unnecessarily. +

Default: + read size = 2048 +

Example: + read size = 8192 +

+
remote announce (G) +

This option allows you to setup nmbd to +periodically announce itself to arbitrary IP addresses with an +arbitrary workgroup name. +

This is useful if you want your Samba server to appear in a remote +workgroup for which the normal browse propagation rules don't +work. The remote workgroup can be anywhere that you can send IP +packets to. +

For example: +

remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF +

the above line would cause nmbd to announce itself to the two given IP +addresses using the given workgroup names. If you leave out the +workgroup name then the one given in the +"workgroup" parameter is used instead. +

The IP addresses you choose would normally be the broadcast addresses +of the remote networks, but can also be the IP addresses of known +browse masters if your network config is that stable. +

See the documentation file BROWSING.txt in the docs/ directory. +

Default: + remote announce = <empty string> +

Example: + remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF +

+
remote browse sync (G) +

This option allows you to setup nmbd to +periodically request synchronisation of browse lists with the master +browser of a samba server that is on a remote segment. This option +will allow you to gain browse lists for multiple workgroups across +routed networks. This is done in a manner that does not work with any +non-samba servers. +

This is useful if you want your Samba server and all local clients to +appear in a remote workgroup for which the normal browse propagation +rules don't work. The remote workgroup can be anywhere that you can +send IP packets to. +

For example: +

remote browse sync = 192.168.2.255 192.168.4.255 +

the above line would cause nmbd to request the +master browser on the specified subnets or addresses to synchronise +their browse lists with the local server. +

The IP addresses you choose would normally be the broadcast addresses +of the remote networks, but can also be the IP addresses of known +browse masters if your network config is that stable. If a machine IP +address is given Samba makes NO attempt to validate that the remote +machine is available, is listening, nor that it is in fact the browse +master on it's segment. +

Default: + remote browse sync = <empty string> +

Example: + remote browse sync = 192.168.2.255 192.168.4.255 +

+
revalidate (S) +

Note that this option only works with +"security=share" and will be ignored if +this is not the case. +

This option controls whether Samba will allow a previously validated +username/password pair to be used to attach to a share. Thus if you +connect to \\server\share1 then to \\server\share2 it won't +automatically allow the client to request connection to the second +share as the same username as the first without a password. +

If "revalidate" is "True" then the client will be denied +automatic access as the same username. +

Default: + revalidate = False +

Example: + revalidate = True +

+
root (G) +

Synonym for "root directory". +

+
root dir (G) +

Synonym for "root directory". +

+
root directory (G) +

The server will "chroot()" (ie. Change it's root directory) to +this directory on startup. This is not strictly necessary for secure +operation. Even without it the server will deny access to files not in +one of the service entries. It may also check for, and deny access to, +soft links to other parts of the filesystem, or attempts to use +".." in file names to access other directories (depending on the +setting of the "wide links" parameter). +

Adding a "root directory" entry other than "/" adds an extra +level of security, but at a price. It absolutely ensures that no +access is given to files not in the sub-tree specified in the "root +directory" option, *including* some files needed for complete +operation of the server. To maintain full operability of the server +you will need to mirror some system files into the "root +directory" tree. In particular you will need to mirror /etc/passwd +(or a subset of it), and any binaries or configuration files needed +for printing (if required). The set of files that must be mirrored is +operating system dependent. +

Default: + root directory = / +

Example: + root directory = /homes/smb +

+
root postexec (S) +

This is the same as the "postexec" parameter +except that the command is run as root. This is useful for unmounting +filesystems (such as cdroms) after a connection is closed. +

See also "postexec". +

+
root preexec (S) +

This is the same as the "preexec" parameter except +that the command is run as root. This is useful for mounting +filesystems (such as cdroms) before a connection is finalised. +

See also "preexec". +

+
security (G) +

This option affects how clients respond to Samba and is one of the most +important settings in the smb.conf file. +

The option sets the "security mode bit" in replies to protocol +negotiations with smbd to turn share level +security on or off. Clients decide based on this bit whether (and how) +to transfer user and password information to the server. +

The default is "security=user", as this is +the most common setting needed when talking to Windows 98 and Windows +NT. +

The alternatives are "security = share", +"security = server" or +"security=domain". +

*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR +PREVIOUS VERSIONS OF SAMBA *******. +

In previous versions of Samba the default was +"security=share" mainly because that was +the only option at one stage. +

There is a bug in WfWg that has relevence to this setting. When in +user or server level security a WfWg client will totally ignore the +password you type in the "connect drive" dialog box. This makes it +very difficult (if not impossible) to connect to a Samba service as +anyone except the user that you are logged into WfWg as. +

If your PCs use usernames that are the same as their usernames on the +UNIX machine then you will want to use "security = user". If you +mostly use usernames that don't exist on the UNIX box then use +"security = share". +

You should also use security=share if +you want to mainly setup shares without a password (guest +shares). This is commonly used for a shared printer server. It is more +difficult to setup guest shares with +security=user, see the "map to +guest"parameter for details. +

It is possible to use smbd in a "hybred +mode" where it is offers both user and share level security under +different NetBIOS aliases. See the +NetBIOS aliases and the +include parameters for more information. +

The different settings will now be explained. +
- "security=share" When clients connect to a share level +security server then need not log onto the server with a valid +username and password before attempting to connect to a shared +resource (although modern clients such as Windows 95/98 and Windows NT +will send a logon request with a username but no password when talking +to a security=share server). Instead, the clients send +authentication information (passwords) on a per-share basis, at the +time they attempt to connect to that share. +
  
  Note that smbd *ALWAYS* uses a valid UNIX +user to act on behalf of the client, even in "security=share" +level security. +
  
  As clients are not required to send a username to the server +in share level security, smbd uses several +techniques to determine the correct UNIX user to use on behalf +of the client. +
  
  A list of possible UNIX usernames to match with the given +client password is constructed using the following methods : +
  - If the "guest only" parameter is set, then +all the other stages are missed and only the "guest +account" username is checked. +
  - Is a username is sent with the share connection request, then +this username (after mapping - see "username +map"), is added as a potential username. +
  - If the client did a previous "logon" request (the +SessionSetup SMB call) then the username sent in this SMB +will be added as a potential username. +
  - The name of the service the client requested is added +as a potential username. +
  - The NetBIOS name of the client is added to the list as a +potential username. +
  - Any users on the "user" list are added +as potential usernames. +
  +
  
  If the "guest only" parameter is not set, then +this list is then tried with the supplied password. The first user for +whom the password matches will be used as the UNIX user. +
  
  If the "guest only" parameter is set, or no +username can be determined then if the share is marked as available to +the "guest account", then this guest user will +be used, otherwise access is denied. +
  
  Note that it can be *very* confusing in share-level security as to +which UNIX username will eventually be used in granting access. +
  
  See also the section "NOTE ABOUT USERNAME/PASSWORD +VALIDATION". +
  
  +
- "security=user" +
  
  This is the default security setting in Samba2.0. With user-level +security a client must first "log-on" with a valid username and +password (which can be mapped using the "username +map" parameter). Encrypted passwords (see the +"encrypted passwords" parameter) can also +be used in this security mode. Parameters such as +"user" and "guest only", if set +are then applied and may change the UNIX user to use on this +connection, but only after the user has been successfully +authenticated. +
  
  Note that the the name of the resource being requested is +*not* sent to the server until after the server has successfully +authenticated the client. This is why guest shares don't work in user +level security without allowing the server to automatically map unknown +users into the "guest account". See the +"map to guest" parameter for details on +doing this. +
  
  See also the section "NOTE ABOUT USERNAME/PASSWORD +VALIDATION". +
  
  +
- "security=server" +
  
  In this mode Samba will try to validate the username/password by +passing it to another SMB server, such as an NT box. If this fails it +will revert to "security = user", but note that if encrypted +passwords have been negotiated then Samba cannot revert back to +checking the UNIX password file, it must have a valid smbpasswd file +to check users against. See the documentation file in the docs/ +directory ENCRYPTION.txt for details on how to set this up. +
  
  Note that from the clients point of view "security=server" is +the same as "security=user". It only +affects how the server deals with the authentication, it does not in +any way affect what the client sees. +
  
  Note that the the name of the resource being requested is +*not* sent to the server until after the server has successfully +authenticated the client. This is why guest shares don't work in server +level security without allowing the server to automatically map unknown +users into the "guest account". See the +"map to guest" parameter for details on +doing this. +
  
  See also the section "NOTE ABOUT USERNAME/PASSWORD +VALIDATION". +
  
  See also the "password server" parameter. +and the "encrypted passwords" parameter. +
  
  +
- "security=domain" +
  
  This mode will only work correctly if +smbpasswd has been used to add this machine +into a Windows NT Domain. It expects the "encrypted +passwords" parameter to be set to "true". In +this mode Samba will try to validate the username/password by passing +it to a Windows NT Primary or Backup Domain Controller, in exactly the +same way that a Windows NT Server would do. +
  
  Note that a valid UNIX user must still exist as well as the +account on the Domain Controller to allow Samba to have a valid +UNIX account to map file access to. +
  
  Note that from the clients point of view "security=domain" is +the same as "security=user". It only +affects how the server deals with the authentication, it does not in +any way affect what the client sees. +
  
  Note that the the name of the resource being requested is +*not* sent to the server until after the server has successfully +authenticated the client. This is why guest shares don't work in domain +level security without allowing the server to automatically map unknown +users into the "guest account". See the +"map to guest" parameter for details on +doing this. +
  
  e,(BUG:) There is currently a bug in the implementation of +"security=domain with respect to multi-byte character +set usernames. The communication with a Domain Controller +must be done in UNICODE and Samba currently does not widen +multi-byte user names to UNICODE correctly, thus a multi-byte +username will not be recognised correctly at the Domain Controller. +This issue will be addressed in a future release. +
  
  See also the section "NOTE ABOUT USERNAME/PASSWORD +VALIDATION". +
  
  See also the "password server" parameter. +and the "encrypted passwords" parameter. +
+

Default: + security = USER +

Example: + security = DOMAIN +

+
server string (G) +

This controls what string will show up in the printer comment box in +print manager and next to the IPC connection in "net view". It can be +any string that you wish to show to your users. +

It also sets what will appear in browse lists next to the machine +name. +

A "%v" will be replaced with the Samba version number. +

A "%h" will be replaced with the hostname. +

Default: + server string = Samba %v +

Example: + server string = University of GNUs Samba Server +

+
set directory (S) +

If "set directory = no", then users of the service may not use the +setdir command to change directory. +

The setdir command is only implemented in the Digital Pathworks +client. See the Pathworks documentation for details. +

Default: + set directory = no +

Example: + set directory = yes +

+
share modes (S) +

This enables or disables the honouring of the "share modes" during a +file open. These modes are used by clients to gain exclusive read or +write access to a file. +

These open modes are not directly supported by UNIX, so they are +simulated using shared memory, or lock files if your UNIX doesn't +support shared memory (almost all do). +

The share modes that are enabled by this option are DENY_DOS, +DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. +

This option gives full share compatibility and enabled by default. +

You should *NEVER* turn this parameter off as many Windows +applications will break if you do so. +

Default: + share modes = yes +

+
shared mem size (G) +

It specifies the size of the shared memory (in bytes) to use between +smbd processes. This parameter defaults to one +megabyte of shared memory. It is possible that if you have a large +server with many files open simultaneously that you may need to +increase this parameter. Signs that this parameter is set too low are +users reporting strange problems trying to save files (locking errors) +and error messages in the smbd log looking like "ERROR +smb_shm_alloc : alloc of XX bytes failed". +

Default: + shared mem size = 1048576 +

Example: + shared mem size = 5242880 ; Set to 5mb for a large number of files. +

+
short preserve case (G) +

This boolean parameter controls if new files which conform to 8.3 +syntax, that is all in upper case and of suitable length, are created +upper case, or if they are forced to be the "default" case. This +option can be use with "preserve case +=yes" to permit long filenames to retain their +case, while short names are lowered. Default Yes. +

See the section on NAME MANGLING. +

Default: + short preserve case = yes +

+
smb passwd file (G) +

This option sets the path to the encrypted smbpasswd file. By default +the path to the smbpasswd file is compiled into Samba. +

Default: + smb passwd file= <compiled default> +

Example: + smb passwd file = /usr/samba/private/smbpasswd +

+
smbrun (G) +

This sets the full path to the smbrun binary. This defaults to the +value in the Makefile. +

You must get this path right for many services to work correctly. +

You should not need to change this parameter so long as Samba +is installed correctly. +

Default: + smbrun=<compiled default> +

Example: + smbrun = /usr/local/samba/bin/smbrun +

+
socket address (G) +

This option allows you to control what address Samba will listen for +connections on. This is used to support multiple virtual interfaces on +the one server, each with a different configuration. +

By default samba will accept connections on any address. +

Example: + socket address = 192.168.2.20 +

+
socket options (G) +

This option allows you to set socket options to be used when talking +with the client. +

Socket options are controls on the networking layer of the operating +systems which allow the connection to be tuned. +

This option will typically be used to tune your Samba server for +optimal performance for your local network. There is no way that Samba +can know what the optimal parameters are for your net, so you must +experiment and choose them yourself. We strongly suggest you read the +appropriate documentation for your operating system first (perhaps +"man setsockopt" will help). +

You may find that on some systems Samba will say "Unknown socket +option" when you supply an option. This means you either mis-typed it +or you need to add an include file to includes.h for your OS. If the +latter is the case please send the patch to +samba-bugs@samba.anu.edu.au. +

Any of the supported socket options may be combined in any way you +like, as long as your OS allows it. +

This is the list of socket options currently settable using this +option: +
- SO_KEEPALIVE +
- SO_REUSEADDR +
- SO_BROADCAST +
- TCP_NODELAY +
- IPTOS_LOWDELAY +
- IPTOS_THROUGHPUT +
- SO_SNDBUF * +
- SO_RCVBUF * +
- SO_SNDLOWAT * +
- SO_RCVLOWAT * +
+

Those marked with a * take an integer argument. The others can +optionally take a 1 or 0 argument to enable or disable the option, by +default they will be enabled if you don't specify 1 or 0. +

To specify an argument use the syntax SOME_OPTION=VALUE for example +SO_SNDBUF=8192. Note that you must not have any spaces before or after +the = sign. +

If you are on a local network then a sensible option might be +

socket options = IPTOS_LOWDELAY +

If you have a local network then you could try: +

socket options = IPTOS_LOWDELAY TCP_NODELAY +

If you are on a wide area network then perhaps try setting +IPTOS_THROUGHPUT. +

Note that several of the options may cause your Samba server to fail +completely. Use these options with caution! +

Default: + socket options = TCP_NODELAY +

Example: + socket options = IPTOS_LOWDELAY +

+
ssl (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This variable enables or disables the entire SSL mode. If it is set to +"no", the SSL enabled samba behaves exactly like the non-SSL samba. If +set to "yes", it depends on the variables "ssl +hosts" and "ssl hosts resign" +whether an SSL connection will be required. +

Default: + ssl=no + Example: + ssl=yes +

+
ssl CA certDir (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This variable defines where to look up the Certification +Autorities. The given directory should contain one file for each CA +that samba will trust. The file name must be the hash value over the +"Distinguished Name" of the CA. How this directory is set up is +explained later in this document. All files within the directory that +don't fit into this naming scheme are ignored. You don't need this +variable if you don't verify client certificates. +

Default: + ssl CA certDir = /usr/local/ssl/certs +

+
ssl CA certFile (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This variable is a second way to define the trusted CAs. The +certificates of the trusted CAs are collected in one big file and this +variable points to the file. You will probably only use one of the two +ways to define your CAs. The first choice is preferable if you have +many CAs or want to be flexible, the second is perferable if you only +have one CA and want to keep things simple (you won't need to create +the hashed file names). You don't need this variable if you don't +verify client certificates. +

Default: + ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem +

+
ssl ciphers (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This variable defines the ciphers that should be offered during SSL +negotiation. You should not set this variable unless you know what you +are doing. +

+
ssl client cert (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

The certificate in this file is used by +smbclient if it exists. It's needed if the +server requires a client certificate. +

Default: + ssl client cert = /usr/local/ssl/certs/smbclient.pem +

+
ssl client key (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This is the private key for smbclient. It's +only needed if the client should have a certificate. +

Default: + ssl client key = /usr/local/ssl/private/smbclient.pem +

+
ssl compatibility (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This variable defines whether SSLeay should be configured for bug +compatibility with other SSL implementations. This is probably not +desirable because currently no clients with SSL implementations other +than SSLeay exist. +

Default: + ssl compatibility = no +

+
ssl hosts (G) +

See "ssl hosts resign". +

+
ssl hosts resign (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

These two variables define whether samba will go into SSL mode or +not. If none of them is defined, samba will allow only SSL +connections. If the "ssl hosts" variable lists +hosts (by IP-address, IP-address range, net group or name), only these +hosts will be forced into SSL mode. If the "ssl hosts resign" +variable lists hosts, only these hosts will NOT be forced into SSL +mode. The syntax for these two variables is the same as for the +"hosts allow" and "hosts +deny" pair of variables, only that the subject of the +decision is different: It's not the access right but whether SSL is +used or not. See the "allow hosts" parameter for +details. The example below requires SSL connections from all hosts +outside the local net (which is 192.168.*.*). +

Default: + ssl hosts = <empty string> + ssl hosts resign = <empty string> +

Example: + ssl hosts resign = 192.168. +

+
ssl require clientcert (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

If this variable is set to "yes", the server will not tolerate +connections from clients that don't have a valid certificate. The +directory/file given in "ssl CA certDir" and +"ssl CA certFile" will be used to look up the +CAs that issued the client's certificate. If the certificate can't be +verified positively, the connection will be terminated. If this +variable is set to "no", clients don't need certificates. Contrary +to web applications you really *should* require client +certificates. In the web environment the client's data is sensitive +(credit card numbers) and the server must prove to be trustworthy. In +a file server environment the server's data will be sensitive and the +clients must prove to be trustworthy. +

Default: + ssl require clientcert = no +

+
ssl require servercert (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

If this variable is set to "yes", the +smbclient will request a certificate from +the server. Same as "ssl require +clientcert" for the server. +

Default: + ssl require servercert = no +

+
ssl server cert (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This is the file containing the server's certificate. The server _must_ +have a certificate. The file may also contain the server's private key. +See later for how certificates and private keys are created. +

Default: + ssl server cert = <empty string> +

+
ssl server key (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This file contains the private key of the server. If this variable is +not defined, the key is looked up in the certificate file (it may be +appended to the certificate). The server *must* have a private key +and the certificate *must* match this private key. +

Default: + ssl server key = <empty string> +

+
ssl version (G) +

This variable is part of SSL-enabled Samba. This is only available if +the SSL libraries have been compiled on your system and the configure +option "--with-ssl" was given at configure time. +

Note that for export control reasons this code is **NOT** +enabled by default in any current binary version of Samba. +

This enumeration variable defines the versions of the SSL protocol +that will be used. "ssl2or3" allows dynamic negotiation of SSL v2 +or v3, "ssl2" results in SSL v2, "ssl3" results in SSL v3 and +"tls1" results in TLS v1. TLS (Transport Layer Security) is the +(proposed?) new standard for SSL. +

Default: + ssl version = "ssl2or3" +

+
stat cache (G) +

This parameter determines if smbd will use a +cache in order to speed up case insensitive name mappings. You should +never need to change this parameter. +

Default: + stat cache = yes +

+
stat cache size (G) +

This parameter determines the number of entries in the stat +cache. You should never need to change this parameter. +

Default: + stat cache size = 50 +

+
status (G) +

This enables or disables logging of connections to a status file that +smbstatus can read. +

With this disabled smbstatus won't be able +to tell you what connections are active. You should never need to +change this parameter. +

Default: + status = yes +

+dir(strict locking (S)) +

This is a boolean that controls the handling of file locking in the +server. When this is set to "yes" the server will check every read and +write access for file locks, and deny access if locks exist. This can +be slow on some systems. +

When strict locking is "no" the server does file lock checks only +when the client explicitly asks for them. +

Well behaved clients always ask for lock checks when it is important, +so in the vast majority of cases "strict locking = no" is +preferable. +

Default: + strict locking = no +

Example: + strict locking = yes +

+
strict sync (S) +

Many Windows applications (including the Windows 98 explorer shell) +seem to confuse flushing buffer contents to disk with doing a sync to +disk. Under UNIX, a sync call forces the process to be suspended until +the kernel has ensured that all outstanding data in kernel disk +buffers has been safely stored onto stable storate. This is very slow +and should only be done rarely. Setting this parameter to "no" (the +default) means that smbd ignores the Windows applications requests for +a sync call. There is only a possibility of losing data if the +operating system itself that Samba is running on crashes, so there is +little danger in this default setting. In addition, this fixes many +performance problems that people have reported with the new Windows98 +explorer shell file copies. +

See also the "sync always" parameter. +

Default: + strict sync = no +

Example: + strict sync = yes +

+
strip dot (G) +

This is a boolean that controls whether to strip trailing dots off +UNIX filenames. This helps with some CDROMs that have filenames ending +in a single dot. +

Default: + strip dot = no +

Example: + strip dot = yes +

+
sync always (S) +

This is a boolean parameter that controls whether writes will always +be written to stable storage before the write call returns. If this is +false then the server will be guided by the client's request in each +write call (clients can set a bit indicating that a particular write +should be synchronous). If this is true then every write will be +followed by a fsync() call to ensure the data is written to disk. +Note that the "strict sync" parameter must be +set to "yes" in order for this parameter to have any affect. +

See also the "strict sync" parameter. +

Default: + sync always = no +

xample: + sync always = yes +

+
syslog (G) +

This parameter maps how Samba debug messages are logged onto the +system syslog logging levels. Samba debug level zero maps onto syslog +LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps +to LOG_NOTICE, debug level three maps onto LOG_INFO. The paramter +sets the threshold for doing the mapping, all Samba debug messages +above this threashold are mapped to syslog LOG_DEBUG messages. +

Default: + syslog = 1 +

+
syslog only (G) +

If this parameter is set then Samba debug messages are logged into the +system syslog only, and not to the debug log files. +

Default: + syslog only = no +

+
time offset (G) +

This parameter is a setting in minutes to add to the normal GMT to +local time conversion. This is useful if you are serving a lot of PCs +that have incorrect daylight saving time handling. +

Default: + time offset = 0 +

Example: + time offset = 60 +

+
time server (G) +

This parameter determines if nmbd advertises +itself as a time server to Windows clients. The default is False. +

Default: + time server = False +

Example: + time server = True +

+
timestamp logs (G) +

Samba2.0 will a timestamps to all log entries by default. This +can be distracting if you are attempting to debug a problem. This +parameter allows the timestamping to be turned off. +

Default: + timestamp logs = True +

Example: + timestamp logs = False +

+
unix password sync (G) +

This boolean parameter controlls whether Samba attempts to synchronise +the UNIX password with the SMB password when the encrypted SMB +password in the smbpasswd file is changed. If this is set to true the +program specified in the "passwd program" +parameter is called *AS ROOT* - to allow the new UNIX password to be +set without access to the old UNIX password (as the SMB password has +change code has no access to the old password cleartext, only the +new). By default this is set to "false". +

See also "passwd program", "passwd +chat". +

Default: + unix password sync = False +

Example: + unix password sync = True +

+
unix realname (G) +

This boolean parameter when set causes samba to supply the real name +field from the unix password file to the client. This is useful for +setting up mail clients and WWW browsers on systems used by more than +one person. +

Default: + unix realname = no +

Example: + unix realname = yes +

+
update encrypted (G) +

This boolean parameter allows a user logging on with a plaintext +password to have their encrypted (hashed) password in the smbpasswd +file to be updated automatically as they log on. This option allows a +site to migrate from plaintext password authentication (users +authenticate with plaintext password over the wire, and are checked +against a UNIX account database) to encrypted password authentication +(the SMB challenge/response authentication mechanism) without forcing +all users to re-enter their passwords via smbpasswd at the time the +change is made. This is a convenience option to allow the change over +to encrypted passwords to be made over a longer period. Once all users +have encrypted representations of their passwords in the smbpasswd +file this parameter should be set to "off". +

In order for this parameter to work correctly the "encrypt +passwords" parameter must be set to "no" when +this parameter is set to "yes". +

Note that even when this parameter is set a user authenticating to +smbd must still enter a valid password in order to connect correctly, +and to update their hashed (smbpasswd) passwords. +

Default: + update encrypted = no +

Example: + update encrypted = yes +

+
use rhosts (G) +

If this global parameter is a true, it specifies that the UNIX users +".rhosts" file in their home directory will be read to find the +names of hosts and users who will be allowed access without specifying +a password. +

NOTE: The use of use rhosts can be a major security hole. This is +because you are trusting the PC to supply the correct username. It is +very easy to get a PC to supply a false username. I recommend that the +use rhosts option be only used if you really know what you are +doing. +

Default: + use rhosts = no +

Example: + use rhosts = yes +

+
user (S) +

Synonym for "username". +

+
users (S) +

Synonym for "username". +

+
username (S) +

Multiple users may be specified in a comma-delimited list, in which +case the supplied password will be tested against each username in +turn (left to right). +

The username= line is needed only when the PC is unable to supply +its own username. This is the case for the COREPLUS protocol or where +your users have different WfWg usernames to UNIX usernames. In both +these cases you may also be better using the \\server\share%user +syntax instead. +

The username= line is not a great solution in many cases as it +means Samba will try to validate the supplied password against each of +the usernames in the username= line in turn. This is slow and a bad +idea for lots of users in case of duplicate passwords. You may get +timeouts or security breaches using this parameter unwisely. +

Samba relies on the underlying UNIX security. This parameter does not +restrict who can login, it just offers hints to the Samba server as to +what usernames might correspond to the supplied password. Users can +login as whoever they please and they will be able to do no more +damage than if they started a telnet session. The daemon runs as the +user that they log in as, so they cannot do anything that user cannot +do. +

To restrict a service to a particular set of users you can use the +"valid users=" parameter. +

If any of the usernames begin with a '@' then the name will be +looked up first in the yp netgroups list (if Samba is compiled with +netgroup support), followed by a lookup in the UNIX groups database +and will expand to a list of all users in the group of that name. +

If any of the usernames begin with a '+' then the name will be +looked up only in the UNIX groups database and will expand to a list +of all users in the group of that name. +

If any of the usernames begin with a '&' then the name will be +looked up only in the yp netgroups database (if Samba is compiled with +netgroup support) and will expand to a list of all users in the +netgroup group of that name. +

Note that searching though a groups database can take quite some time, +and some clients may time out during the search. +

See the section "NOTE ABOUT USERNAME/PASSWORD +VALIDATION" for more +information on how this parameter determines access to the services. +

Default: + The guest account if a guest service, else the name of the service. +

Examples: +
```
+
+ 	username = fred
+ 	username = fred, mary, jack, jane, @users, @pcgroup
+
+
```
+ +

+
username level (G) +

This option helps Samba to try and 'guess' at the real UNIX username, +as many DOS clients send an all-uppercase username. By default Samba +tries all lowercase, followed by the username with the first letter +capitalized, and fails if the username is not found on the UNIX +machine. +

If this parameter is set to non-zero the behaviour changes. This +parameter is a number that specifies the number of uppercase +combinations to try whilst trying to determine the UNIX user name. The +higher the number the more combinations will be tried, but the slower +the discovery of usernames will be. Use this parameter when you have +strange usernames on your UNIX machine, such as "AstrangeUser". +

Default: + username level = 0 +

Example: + username level = 5 +

+
username map (G) +

This option allows you to to specify a file containing a mapping of +usernames from the clients to the server. This can be used for several +purposes. The most common is to map usernames that users use on DOS or +Windows machines to those that the UNIX box uses. The other is to map +multiple users to a single username so that they can more easily share +files. +

The map file is parsed line by line. Each line should contain a single +UNIX username on the left then a '=' followed by a list of +usernames on the right. The list of usernames on the right may contain +names of the form @group in which case they will match any UNIX +username in that group. The special client name '*' is a wildcard +and matches any name. Each line of the map file may be up to 1023 +characters long. +

The file is processed on each line by taking the supplied username and +comparing it with each username on the right hand side of the '=' +signs. If the supplied name matches any of the names on the right hand +side then it is replaced with the name on the left. Processing then +continues with the next line. +

If any line begins with a '#' or a ';' then it is ignored +

If any line begins with an '!' then the processing will stop after +that line if a mapping was done by the line. Otherwise mapping +continues with every line being processed. Using '!' is most +useful when you have a wildcard mapping line later in the file. +

For example to map from the name "admin" or "administrator" to +the UNIX name "root" you would use: +

root = admin administrator +

Or to map anyone in the UNIX group "system" to the UNIX name +"sys" you would use: +

sys = @system +

You can have as many mappings as you like in a username map file. +

If your system supports the NIS NETGROUP option then the netgroup +database is checked before the /etc/group database for matching +groups. +

You can map Windows usernames that have spaces in them by using double +quotes around the name. For example: +

tridge = "Andrew Tridgell" +

would map the windows username "Andrew Tridgell" to the unix +username tridge. +

The following example would map mary and fred to the unix user sys, +and map the rest to guest. Note the use of the '!' to tell Samba +to stop processing if it gets a match on that line. +
```
+
+	!sys = mary fred
+	guest = *
+
+
```
+ +

Note that the remapping is applied to all occurrences of +usernames. Thus if you connect to "\\server\fred" and "fred" +is remapped to "mary" then you will actually be connecting to +"\\server\mary" and will need to supply a password suitable for +"mary" not "fred". The only exception to this is the username +passed to the "password server" (if you have +one). The password server will receive whatever username the client +supplies without modification. +

Also note that no reverse mapping is done. The main effect this has is +with printing. Users who have been mapped may have trouble deleting +print jobs as PrintManager under WfWg will think they don't own the +print job. +

Default: + no username map +

Example: + username map = /usr/local/samba/lib/users.map +

+
valid chars (S) +

The option allows you to specify additional characters that should be +considered valid by the server in filenames. This is particularly +useful for national character sets, such as adding u-umlaut or a-ring. +

The option takes a list of characters in either integer or character +form with spaces between them. If you give two characters with a colon +between them then it will be taken as an lowercase:uppercase pair. +

If you have an editor capable of entering the characters into the +config file then it is probably easiest to use this method. Otherwise +you can specify the characters in octal, decimal or hexadecimal form +using the usual C notation. +

For example to add the single character 'Z' to the charset (which +is a pointless thing to do as it's already there) you could do one of +the following +
```
+
+	valid chars = Z
+	valid chars = z:Z
+	valid chars = 0132:0172
+
+
```
+ +

The last two examples above actually add two characters, and alter the +uppercase and lowercase mappings appropriately. +

Note that you MUST specify this parameter after the "client +code page" parameter if you have both set. If +"client code page" is set after the +"valid chars" parameter the "valid chars" settings will be +overwritten. +

See also the "client code page" parameter. +

Default: +
```
+
+	Samba defaults to using a reasonable set of valid characters
+	for english systems
+
+
```
+ +

Example + valid chars = 0345:0305 0366:0326 0344:0304 +

The above example allows filenames to have the swedish characters in +them. +

NOTE: It is actually quite difficult to correctly produce a "valid +chars" line for a particular system. To automate the process +tino@augsburg.net has written a package called "validchars" +which will automatically produce a complete "valid chars" line for +a given client system. Look in the examples/validchars/ subdirectory +of your Samba source code distribution for this package. +

+
valid users (S) +

This is a list of users that should be allowed to login to this +service. Names starting with '@', '+' and '&' are +interpreted using the same rules as described in the "invalid +users" parameter. +

If this is empty (the default) then any user can login. If a username +is in both this list and the "invalid users" +list then access is denied for that user. +

The current servicename is substituted for +"%S". This is useful in the +[homes] section. +

See also "invalid users". +

Default: + No valid users list. (anyone can login) +

Example: + valid users = greg, @pcusers +

+
veto files(S) +

This is a list of files and directories that are neither visible nor +accessible. Each entry in the list must be separated by a '/', +which allows spaces to be included in the entry. '*' and '?' +can be used to specify multiple files or directories as in DOS +wildcards. +

Each entry must be a unix path, not a DOS path and must *not* include the +unix directory separator '/'. +

Note that the "case sensitive" option is +applicable in vetoing files. +

One feature of the veto files parameter that it is important to be +aware of, is that if a directory contains nothing but files that match +the veto files parameter (which means that Windows/DOS clients cannot +ever see them) is deleted, the veto files within that directory *are +automatically deleted* along with it, if the user has UNIX permissions +to do so. +

Setting this parameter will affect the performance of Samba, as it +will be forced to check all files and directories for a match as they +are scanned. +

See also "hide files" and "case +sensitive". +

Default: + No files or directories are vetoed. +

Examples: +

Example 1. +
```
+
+
+    Veto any files containing the word Security, 
+    any ending in .tmp, and any directory containing the
+    word root.
+
+	veto files = /*Security*/*.tmp/*root*/
+
+
```
+ +

Example 2. +
```
+
+    Veto the Apple specific files that a NetAtalk server
+    creates.
+
+    veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+
+
```
+ +

+
veto oplock files (S) +

This parameter is only valid when the "oplocks" +parameter is turned on for a share. It allows the Samba administrator +to selectively turn off the granting of oplocks on selected files that +match a wildcarded list, similar to the wildcarded list used in the +"veto files" parameter. +

Default: + No files are vetoed for oplock grants. +

Examples: +

You might want to do this on files that you know will be heavily +contended for by clients. A good example of this is in the NetBench +SMB benchmark program, which causes heavy client contention for files +ending in ".SEM". To cause Samba not to grant oplocks on these +files you would use the line (either in the [global] +section or in the section for the particular NetBench share : +

veto oplock files = /*.SEM/ +

+
volume (S) +

This allows you to override the volume label returned for a +share. Useful for CDROMs with installation programs that insist on a +particular volume label. +

The default is the name of the share. +

+
wide links (S) +

This parameter controls whether or not links in the UNIX file system +may be followed by the server. Links that point to areas within the +directory tree exported by the server are always allowed; this +parameter controls access only to areas that are outside the directory +tree being exported. +

Default: + wide links = yes +

Example: + wide links = no +

+
wins proxy (G) +

This is a boolean that controls if nmbd will +respond to broadcast name queries on behalf of other hosts. You may +need to set this to "yes" for some older clients. +

Default: + wins proxy = no +

+
wins server (G) +

This specifies the DNS name (or IP address) of the WINS server that +nmbd should register with. If you have a WINS +server on your network then you should set this to the WINS servers +name. +

You should point this at your WINS server if you have a +multi-subnetted network. +

NOTE. You need to set up Samba to point to a WINS server if you +have multiple subnets and wish cross-subnet browsing to work correctly. +

See the documentation file BROWSING.txt in the docs/ directory of your +Samba source distribution. +

Default: + wins server = +

Example: + wins server = 192.9.200.1 +

+
wins support (G) +

This boolean controls if the nmbd process in +Samba will act as a WINS server. You should not set this to true +unless you have a multi-subnetted network and you wish a particular +nmbd to be your WINS server. Note that you +should *NEVER* set this to true on more than one machine in your +network. +

Default: + wins support = no +

+
workgroup (G) +

This controls what workgroup your server will appear to be in when +queried by clients. Note that this parameter also controlls the Domain +name used with the "security=domain" +setting. +

Default: + set at compile time to WORKGROUP +

.B Example: + workgroup = MYGROUP +

+
writable (S) +

An inverted synonym is "read only". +

If this parameter is "no", then users of a service may not create +or modify files in the service's directory. +

Note that a printable service ("printable = yes") +will *ALWAYS* allow writing to the directory (user privileges +permitting), but only via spooling operations. +

Default: + writable = no +

Examples: +
```
+
+ 	read only = no
+ 	writable = yes
+ 	write ok = yes
+
+
```
+ +

+
write list (S) +

This is a list of users that are given read-write access to a +service. If the connecting user is in this list then they will be +given write access, no matter what the "read only" +option is set to. The list can include group names using the @group +syntax. +

Note that if a user is in both the read list and the write list then +they will be given write access. +

See also the "read list" option. +

Default: + write list = <empty string> +

Example: + write list = admin, root, @staff +

+
write ok (S) +

Synonym for writable. +

+
write raw (G) +

This parameter controls whether or not the server will support raw +writes SMB's when transferring data from clients. You should never +need to change this parameter. +

Default: + write raw = yes +

+
writeable +

Synonym for "writable" for people who can't spell :-). +

+
WARNINGS
+ +

Although the configuration file permits service names to contain +spaces, your client software may not. Spaces will be ignored in +comparisons anyway, so it shouldn't be a problem - but be aware of the +possibility. +

On a similar note, many clients - especially DOS clients - limit +service names to eight characters. Smbd has no +such limitation, but attempts to connect from such clients will fail +if they truncate the service names. For this reason you should +probably keep your service names down to eight characters in length. +

Use of the [homes] and [printers] +special sections make life for an administrator easy, but the various +combinations of default attributes can be tricky. Take extreme care +when designing these sections. In particular, ensure that the +permissions on spool directories are correct. +

+
VERSION
+ +

This man page is correct for version 2.0 of the Samba suite. +

+
SEE ALSO
+ +

smbd (8), smbclient (1), +nmbd (8), testparm (1), +testprns (1), Samba, +nmblookup (1), smbpasswd (5), +smbpasswd (8). +

+
AUTHOR
+ +

The original Samba software and related utilities were created by +Andrew Tridgell samba-bugs@samba.anu.edu.au. Samba is now developed +by the Samba Team as an Open Source project similar to the way the +Linux kernel is developed. +

The original Samba man pages were written by Karl Auer. The man page +sources were converted to YODL format (another excellent piece of Open +Source software) and updated for the Samba2.0 release by Jeremy +Allison, samba-bugs@samba.anu.edu.au. + + -- cgit