Samba Configuration Option Quick Reference

The following pages list each of the Samba configuration
options. If an option is applicable only to the global section,
"[global]" will appear before its name. Any lists mentioned are space
separated, except where noted. A glossary of terms follows the
options.

Configuration Options

admin users = user list
Allowable values: user list
Default: NULL
List of users who will be granted root permissions on the share by Samba.

allow hosts = host list
Allowable values: any
Default: NULL
Synonym for hosts allow. List of machines that may connect to a share.

alternate permissions = boolean
Allowable values: YES, NO
Default: NO
Obsolete. Has no effect in Samba 2. Files will be shown as read-only if the owner can't write them. In Samba 1.9 and earlier, setting this option would set the DOS filesystem read-only attribute on any file the user couldn't read. This in turn required the delete readonly option.

[global] auto services = share list
Allowable values: any shares
Default: NULL
List of shares that will always appear in browse lists. A synonym is preload.

available = boolean
Allowable values: YES, NO
Default: YES
If set to NO, denies access to a share. Doesn't affect browsing.

[global] bind interfaces only = boolean
Allowable values: YES, NO
Default: NO
If set to YES, shares and browsing will be provided only on interfaces in an interfaces list (see interfaces). New in Samba 1.9.18. If you set this option to YES, be sure to add 127.0.0.1 to the interfaces list to allow smbpasswd to connect to the local machine to change passwords. This is a convenience option; it does not improve security.

browsable = boolean
Allowable values: YES, NO
Default: YES
Allows a share to be announced in browse lists.

blocking locks = boolean
Allowable values: YES, NO
Default: YES
If YES, honors byte range lock requests with time limits for queuing the request and retrying it until the time period expires. New in Samba 2.0.

[global] browse list = boolean
Allowable values: YES, NO
Default: YES
Turns on/off browselist from this server. Avoid changing.

[global] case sensitive = boolean
Allowable values: YES, NO
Default: NO
If YES, uses exactly the case the client supplied when trying to resolve a filename. If NO, matches either upper- or lowercase name. Avoid changing.

[global] case sig names = boolean
Allowable values: YES, NO
Default: NO
Synonym for case sensitive.

[global] change notify timeout = number
Allowable values: positive number
Default: 60
Sets the number of seconds between checks when a client asks for notification of changes in a directory.
Introduced in Samba 2.0 to limit the performance cost of the checks. Avoid lowering.

character set = name
Allowable values: ISO8859-1, ISO8859-2, ISO8859-5, KOI8-R
Default: NULL
If set, translates from DOS code pages to the Western European (ISO8859-1), Eastern European (ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian (KOI8-R) character set. The client code page must be set to 850.

client code page = name
Allowable values: See Table 8.4
Default: 437 (US MS-DOS)
Sets the DOS code page explicitly, overriding any previous valid chars settings. Examples of values are 850 for European, 437 is the US standard, and 932 for Japanese Shift-JIS. Introduced in Samba 1.9.19.

coding system = code
Allowable values: euc, cap, hex, hexN, sjis, j8bb, j8bj, jis8, j8bh, j8@b, j8@j, j8@h, j7bb, j7bj, jis7, j7bh, j7@b, j7@j, j7@h, jubb, jubj, junet, jubh, ju@b, ju@j, ju@h
Default: NULL
Sets the coding system used, notably for Kanji. This is employed for filenames and should correspond to the code page in use. The client code page option must be set to 932 (Japanese Shift-JIS). Introduced in Samba 2.0.

comment = text
Allowable values: a text string or NULL
Default: NULL
Sets the comment that appears beside a share in a NET VIEW or the details list of a Microsoft directory window. See also the server string configuration option.

[global] config file = pathname
Allowable values: Unix pathname
Default: NULL
Selects an additional Samba configuration file to read instead of the current one. Used to relocate the configuration file, or used with %-variables to select custom configuration files for some users or machines.

copy = section name
Allowable values: existing section's name
Default: NULL
Copies the configuration of a previously seen share into the share where it appears. Used with %-variables to select custom configurations for machines, architectures and users. The copied section must be earlier in the configuration file. Copied options are of lesser priority than those explicitly listed in the section.

create mask = octal value
Allowable values: octal permission bits, 0-0777
Default: 0744
Also called create mode. Sets the maximum allowable permissions for new files (e.g., 0755).
See also directory mask. To require certain permissions to be set, see force create mask/force directory mask. This option stopped affecting directories in Samba 1.9.17, and the default value changed in Samba 2.0.

create mode = octal permission bits
Allowable values: octal permission bits, 0-0777
Default: 0744
Synonym for create mask.

[global] deadtime = minutes
Allowable values: minutes
Default: 0
The time in minutes before an unused connection will be terminated. Zero means forever. Used to keep clients from tying up server resources forever. If used, clients will have to auto-reconnect after minutes of inactivity. See also keepalive.

[global] debug level = number
Allowable values: number
Default: 0
Sets the logging level used. Values of 3 or more slow Samba noticeably. A synonym is log level. Recommended value: 1.

[global] debug timestamp = boolean
Allowable values: YES, NO
Default: YES
Timestamps all log messages. Can be turned off when it's not useful (e.g., in debugging). New in Samba 2.0.

[global] default = name
Allowable values: share name
Default: NULL
Also called default service. The name of a service (share) to provide if someone requests a service they don't have permission to use or which doesn't exist. As of Samba 1.9.14, the path will be set from the name the client specified, with any "_" characters changed to "/" characters, allowing access to any directory on the Samba server. Use is strongly discouraged.

default case = case
Allowable values: LOWER, UPPER
Default: LOWER
Sets the case in which to store new filenames. LOWER indicates mixed case, UPPER indicates uppercase letters.

[global] default service = share name
Allowable values: share name
Default: NULL
Synonym for default.

delete readonly = boolean
Allowable values: NO, YES
Default: NO
Allow delete requests to remove read-only files. This is not allowed in DOS/Windows, but is normal in Unix, which has separate directory permissions. Used with programs like RCS, or with the older alternate permissions option.

delete veto files = boolean
Allowable values: NO, YES
Default: NO
Allow delete requests for a directory containing files or subdirectories the user can't see due to the veto files option.
If set to NO, the directory will not be deleted and will still contain invisible files.

deny hosts = host list
Allowable values: host list
Default: NULL
A synonym is hosts deny. Specifies a list of machines from which to refuse connections or shares.

[global] dfree command = command
Allowable values: shell command
Default: varies
A command to run on the server to return disk free space. Not needed unless the OS command does not work properly.

directory = pathname
Allowable values: pathname
Default: NULL
Synonym for path. A directory provided by a file share, or used by a printer share. Set automatically in the [homes] share to user's home directory, otherwise defaults to /tmp.

directory mask = octal permission bits
Allowable values: octal value from 0 to 0777
Default: 0755
Also called directory mode. Sets the maximum allowable permissions for newly created directories. To require certain permissions be set, see the force create mask and force directory mask options.

directory mode = octal permission bits
Allowable values: octal value from 0 to 0777
Default: 0755
Synonym for directory mask.

[global] dns proxy = boolean
Allowable values: YES, NO
Default: YES
If set to YES, and if wins server = YES, look up hostnames in DNS if they are not found using WINS.

[global] domain logons = boolean
Allowable values: YES, NO
Default: NO
Allow Windows 95/98 or NT clients to log on to an NT-like domain.

[global] domain master = boolean
Allowable values: YES, NO
Default: NO
Become a domain master browser list collector if possible for the entire workgroup/domain.

dont descend = comma-list
Allowable values: comma-separated list of paths
Default: NULL
Does not allow a change directory or search in the directories specified. This is a browsing convenience option; it doesn't provide any extra security.

dos filetimes = boolean
Allowable values: YES, NO
Default: NO
Allow non-owners to change file times if they can write to the file. See also dos filetime resolution.

dos filetime resolution = boolean
Allowable values: YES, NO
Default: NO
Set file times on Unix to match DOS standards (round to next even second). Recommended if using Visual C++ or a PC make program to avoid remaking the programs unnecessarily.
Use with the dos filetimes option.

[global] encrypt passwords = boolean
Allowable values: YES, NO
Default: NO
Uses Windows NT-style password encryption. Requires an smbpasswd on the Samba server.

exec = command
Allowable values: shell command
Default: NULL
Synonym of preexec, a command to run as the user just before connecting to the share.

fake directory create times = boolean
Allowable values: YES, NO
Default: NO
Bug fix for users of Microsoft nmake. If set, Samba will set directory create times such that nmake won't remake all files every time.

fake oplocks = boolean
Allowable values: YES, NO
Default: NO
Return YES whenever a client asks if it can lock a file and cache it locally, but does not enforce lock on the server. Use only for read-only disks, as Samba now supports real oplocks and has per-file overrides. See also oplocks and veto oplock files.

follow symlinks = boolean
Allowable values: YES, NO
Default: YES
If YES, Samba will follow symlinks in a file share or shares. See the wide links option if you want to restrict symlinks to just the current share.

force create mask = octal permission bits
Allowable values: octal value from 0 to 0777
Default: 0
Provides bits that will be ORed into the permissions of newly created files. Used with the create mode configuration option.

force create mode = octal permission bits
Allowable values: octal value from 0 to 0777
Default: 0
Synonym for force create mask.

force directory mask = octal permission bits
Allowable values: octal value from 0 to 0777
Default: 0
Provides bits that will be ORed into the permissions of newly created directories, forcing those bits to be set. Used with directory mode.

force directory mode = octal permission bits
Allowable values: octal value from 0 to 0777
Default: 0
Synonym for force directory mask.

force group = unix group
Allowable values: group
Default: NULL
Sets the effective group name assigned to all users accessing a share. Used to override user's normal groups.

force user = name
Allowable values: username
Default: NULL
Sets the effective username assigned to all users accessing a share. Discouraged.

fstype = string
Allowable values: NTFS, FAT, Samba
Default: NTFS
Sets the filesystem type reported to the client.

[global] getwd cache = boolean
Allowable values: YES, NO
Default: NO
Cache current directory for performance.
Recommended with the wide links option.

group = group
Allowable values: unix group
Default: NULL
An obsolete form of force group.

guest account = user
Allowable values: username
Default: NULL
Sets the name of the unprivileged Unix account to use for tasks like printing and for accessing shares marked with guest ok.

guest ok = boolean
Allowable values: YES, NO
Default: NO
If YES, passwords are not needed for this share. Synonym of public.

guest only = boolean
Allowable values: YES, NO
Default: NO
Forces user of a share to do so as the guest account. Requires guest ok or public to be yes.

hide dot files = boolean
Allowable values: YES, NO
Default: YES
Treats files beginning with a dot in a share as if they had the DOS/Windows hidden attribute set.

hide files = slash-separated list
Allowable values: list of patterns, separated by / characters
Default: NULL
List of file or directory names to set the DOS hidden attribute on. Names may contain ? or * pattern-characters and %-variables. See also hide dot files and veto files.

[global] homedir map = NIS map name
Allowable values: NIS map name
Default: auto.home
Used with nis homedir to locate user's Unix home directory from Sun NIS (not NIS+).

hosts allow = host list
Allowable values: list of hostnames
Default: NULL
Synonym of allow hosts, a list of machines that can access a share or shares. If NULL (the default) any machine can access the share unless there is a hosts deny option.

hosts deny = host list
Allowable values: list of hostnames
Default: NULL
Synonym of deny hosts, a list of machines that cannot connect to a share or shares.

[global] hosts equiv = pathname
Allowable values: pathname
Default: NULL
Path to a file of trusted machines from which password-less logins are allowed. Strongly discouraged, because Windows/NT users can always override the user name, the only security in this scheme.

include = pathname
Allowable values: pathname
Default: NULL
Include the named file in smb.conf at the line where it appears. This option does not understand the variables %u (user), %P (current share's root directory), or %S (current share name), because they are not set at the time the file is read.

[global] interfaces = interface list
Allowable values: IP addresses separated by spaces
Default: NULL
Sets the interfaces to which Samba will respond.
The default is the machine's primary interface only. Recommended on multihomed machines or to override erroneous addresses and netmasks.

invalid users = user list
Allowable values: list of users
Default: NULL
List of users that will not be permitted access to a share or shares.

[global] keepalive = number
Allowable values: number of seconds
Default: 0
Number of seconds between checks for a crashed client. The default of 0 causes no checks to be performed. Recommended if you want checks more often than every four hours. 3600 (10 minutes) is reasonable. See also socket options for another approach.

[global] kernel oplocks = boolean
Allowable values: YES, NO
Default: automatic
Break oplock when a Unix process accesses an oplocked file, preventing corruption. Set to YES on operating systems supporting this, otherwise set to NO. New in Samba 2.0; supported on SGI, and hopefully soon on Linux and BSD. Avoid changing.

[global] ldap filter = various
Allowable values: various
Default: varies
Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] ldap port = various
Allowable values: various
Default: various
Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] ldap root = various
Allowable values: various
Default: various
Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] ldap server = various
Allowable values: various
Default: various
Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information.
This option is reserved for future use.

[global] ldap suffix = various
Allowable values: various
Default: various
Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] load printers = boolean
Allowable values: YES, NO
Default: YES
Load all printer names from the system printer capabilities into browse list. Uses configuration options from the [printers] section.

[global] local master = boolean
Allowable values: YES, NO
Default: YES
Stands for election as the local master browser. See also domain master and os level.

[global] lm announce = value
Allowable values: AUTO, YES, NO
Default: AUTO
Produce OS/2 SMB broadcasts at an interval specified by the lm interval option. YES/NO turns them on/off unconditionally. AUTO causes the Samba server to wait for a LAN Manager announcement from another client before sending one out. Required for OS/2 client browsing.

[global] lm interval = seconds
Allowable values: number
Default: 60
Sets the time period, in seconds, between OS/2 SMB broadcast announcements.

[global] lock directory = pathname
Allowable values: pathname
Default: /usr/local/samba/var/locks
Set a directory to keep lock files in. The directory must be writable by Samba, readable by everyone.

locking = boolean
Allowable values: YES, NO
Default: YES
Perform file locking. If set to NO, Samba will accept lock requests but will not actually lock resources. Recommended only for read-only file systems.

[global] log file = pathname
Allowable values: pathname
Default: varies
Set name and location of the log file. Allows all %-variables.

[global] log level = number
Allowable values: number
Default: 0
A synonym of debug level. Sets the logging level used. Values of 3 or more slow the system noticeably.

[global] logon drive = drive
Allowable values: DOS drive name
Default: None
Sets the drive on Windows NT (only) of the logon path.

[global] logon home = path
Allowable values: Unix pathname
Default: \\%N\%U
Sets the home directory of a Windows 95/98 or NT Workstation user.
Allows NET USE H: /HOME from the command prompt.

[global] logon path = pathname
Allowable values: Windows pathname
Default: \\%N\%U\profile
Sets path to Windows profile directory. This contains USER.MAN and/or USER.DAT profile files and the Windows 95 Desktop, Start Menu, Network Neighborhood, and programs folders.

[global] logon script = pathname
Allowable values: pathname
Default: NULL
Sets pathname relative to [netlogon] share of a DOS/NT script to run on the client at login time. Allows all %-variables.

lppause command = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: varies
Sets the command to pause a print job. Honors the %p (printer name) and %j (job number) variables.

lpresume command = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: varies
Sets the command to resume a paused print job. Honors the %p (printer name) and %j (job number) variables.

[global] lpq cache time = seconds
Allowable values: number of seconds
Default: 10
Sets how long print queue (lpq) status is cached, in seconds.

lpq command = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: varies
Sets the command used to get printer status. Usually initialized to a default value by the printing option. Honors the %p (printer name) variable.

lprm command = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: varies
Sets the command to delete a print job. Usually initialized to a default value by the printing option. Honors the %p (printer name) and %j (job number) variables.

machine password timeout = seconds
Allowable values: number of seconds
Default: 604,800
Sets the period between (NT domain) machine password changes. Default is 1 week, or 604,800 seconds.

magic output = pathname
Allowable values: Unix pathname
Default: script.out
Sets the output file for the discouraged magic scripts option.
Default is the script name, followed by the extension .out.

magic script = pathname
Allowable values: Unix pathname
Default: NULL
Sets a filename for execution via a shell whenever the file is closed from the client, to allow clients to run commands on the server.

mangle case = boolean
Allowable values: YES, NO
Default: NO
Mangle a name if it is in mixed case.

mangled map = map list
Allowable values: list of to-from pairs
Default: NULL
Set up a table of names to remap (e.g., .html to .htm).

mangled names = boolean
Allowable values: YES, NO
Default: YES
Sets Samba to abbreviate names that are too long or have unsupported characters to the DOS 8.3 style.

mangling char = character
Allowable values: character
Default: ~
Sets the unique mangling character used in all mangled names.

[global] mangled stack = number
Allowable values: number
Default: 50
Sets the size of a cache of recently-mangled filenames.

map aliasname = pathname
Allowable values: Unix pathname
Default: NULL
Points to a file of Unix group/NT group pairs, one per line. This is used to map NT aliases to Unix group names. See also the configuration options username map and map groupname. Introduced in Samba 2.0.

map archive = boolean
Allowable values: YES, NO
Default: YES
If YES, Samba sets the executable-by-user (0100) bit on Unix files if the DOS archive attribute is set. Recommended: if used, the create mask must contain the 0100 bit.

map hidden = boolean
Allowable values: YES, NO
Default: NO
If YES, sets executable-by-other (0001) bit on Unix files if the DOS hidden attribute is set. If used, the create mask option must contain the 0001 bit.

map groupname = pathname
Allowable values: pathname
Default: NULL
Points to a file of Unix group/NT group, one per line. This is used to map NT group names to Unix group names. See also the configuration options username map and map aliasname. Introduced in Samba 2.0.

map system = boolean
Allowable values: YES, NO
Default: NO
If YES, Samba sets the executable-by-group (0010) bit on Unix files if the DOS system attribute is set.
If used, the create mask must contain the 0010 bit.

max connections = number
Allowable values: number
Default: 0 (infinity)
Set maximum number of connections allowed to a share from each individual client machine.

[global] max disk size = number
Allowable values: size in MB
Default: 0 (unchanged)
Sets maximum disk size/free-space size (in megabytes) to return to client. Some clients or applications can't understand large maximum disk sizes.

[global] max log size = number
Allowable values: size in KB
Default: 5000
Sets the size (in kilobytes) at which Samba will start a new log file. The current log file will be renamed with an .old extension, replacing any previous file with that name.

[global] max mux = number
Allowable values: number
Default: 50
Sets the number of simultaneous operations that Samba clients may make. Avoid changing.

[global] max packet = number
Allowable values: number
Default: N/A
Synonym for packet size. Obsolete as of Samba 1.7. Use max xmit instead.

[global] max open files = number
Allowable values: number
Default: 10,000
Limits the number of files a Samba process will try to keep open at one time. Samba allows you to set this to less than the Unix maximum. This option is a workaround for a separate problem. Avoid changing. This option was introduced in Samba 2.0.

[global] max ttl = seconds
Allowable values: time in seconds
Default: 14400 (4 hrs)
Sets the time to keep NetBIOS names in nmbd cache while trying to perform a lookup on it. Avoid changing.

[global] max wins ttl = seconds
Allowable values: time in seconds
Default: 259200 (3 days)
Limits time-to-live of a NetBIOS name in nmbd WINS cache, in seconds. Avoid changing.

[global] max xmit = bytes
Allowable values: size in bytes
Default: 65535
Sets maximum packet size that will be negotiated by Samba. Tuning parameter for slow links and older client bugs. Values less than 2048 are discouraged.

[global] message command = /absolute_path/command
Allowable values: shell command
Default: NULL
Sets the command on the server to run when a WinPopup message arrives from a client. The command must end in "&" to allow immediate return.
Honors all %-variables except %u (user), and supports the extra variables %s (filename the message is in), %t (destination machine), and %f (from).

min print space = kilobytes
Allowable values: space in KB
Default: 0 (unlimited)
Sets minimum spool space required before accepting a print request.

[global] min wins ttl = seconds
Allowable values: time in seconds
Default: 21600 (6 hrs)
Sets minimum time-to-live of a NetBIOS name in nmbd WINS cache, in seconds. Avoid changing.

name resolve order = list
Allowable values: list of lmhosts, wins, hosts and bcast
Default: lmhosts wins hosts bcast
Sets order of lookup when trying to get IP address from names. The hosts parameter carries out a regular name lookup using the server's normal sources: /etc/hosts, DNS, NIS, or a combination of them. Introduced in Samba 1.9.18p4.

[global] netbios aliases = list
Allowable values: list of netbios names
Default: NULL
Adds additional NetBIOS names by which a Samba server will advertise itself.

netbios name = hostname
Allowable values: host name
Default: varies
Sets the NetBIOS name by which a Samba server is known, or primary name if NetBIOS aliases exist.

[global] networkstation user login = boolean
Allowable values: YES, NO
Default: YES
If set to NO, clients will not do a full login when security = server. Avoid changing. Turning it off is a temporary workaround (introduced in Samba 1.9.18p3) for NT trusted domains bug. Automatic correction was introduced in Samba 1.9.18p10; the parameter may eventually be removed.

[global] nis homedir = boolean
Allowable values: YES, NO
Default: NO
If YES, the homedir map will be used to look up the user's home-directory server name and return it to the client. The client will contact that machine to connect to the share. This avoids mounting from a machine that doesn't actually have the disk. The machine with the home directories must be an SMB server.

[global] nt pipe support = boolean
Allowable values: YES, NO
Default: YES
Allows turning off NT-specific pipe calls. This is a developer/benchmarking option and may be removed in the future. Avoid changing.

[global] nt smb support = boolean
Allowable values: YES, NO
Default: YES
If YES, allow NT-specific SMBs to be used.
This is a developer/benchmarking option and may be removed in the future. Avoid changing.

[global] null passwords = boolean
Allowable values: YES, NO
Default: NO
If YES, allows access to accounts that have null passwords. Strongly discouraged.

ole locking compatibility = boolean
Allowable values: YES, NO
Default: YES
If YES, locking ranges will be mapped to avoid Unix locks crashing when Windows uses locks above 32KB. You should avoid changing this option. Introduced in Samba 1.9.18p10.

only guest = boolean
Allowable values: YES, NO
Default: NO
A synonym for guest only. Forces user of a share to login as the guest account.

only user = boolean
Allowable values: YES, NO
Default: NO
Requires that users of the share be on a username = list.

oplocks = boolean
Allowable values: YES, NO
Default: YES
If YES, support local caching of opportunistic locked files on client. This option is recommended because it improves performance by about 30%. See also fake oplocks and veto oplock files.

[global] os level = number
Allowable values: number
Default: 0
Sets the candidacy of the server when electing a browse master. Used with the domain master or local master options. You can set a higher value than a competing operating system if you want Samba to win. Windows for Workgroups and Windows 95 use 1, Windows NT client uses 17, and Windows NT Server uses 33.

[global] packet size = bytes
Allowable values: number in bytes
Default: 65535
Obsolete. Discouraged synonym of max packet. See max xmit.

[global] passwd chat debug = boolean
Allowable values: YES, NO
Default: NO
Logs an entire password chat, including passwords passed, with a log level of 100. For debugging only. Introduced in Samba 1.9.18p5.

[global] passwd chat = command sequence
Allowable values: Unix server commands
Default: compiled-in value
Sets the command used to change passwords on the server. Supports the variables %o (old password) and %n (new password) and allows \r\n\t and \s (space) escapes in the sequence.

[global] passwd program = program
Allowable values: Unix server program
Default: NULL
Sets the command used to change user's password. Will be run as root. Supports %u (user).

[global] password level = number
Allowable values: number
Default: 0
Specifies the number of uppercase letter permutations used to match passwords.
Workaround for clients that change passwords to a single case before sending them to the Samba server. Causes repeated login attempts with passwords in different cases, which can trigger account lockouts.

[global] password server = netbios names
Allowable values: list of NetBIOS names
Default: NULL
A list of SMB servers that will validate passwords for you. Used with an NT password server (PDC or BDC) and the security=server or security=domain configuration options. Caution: an NT password server must allow logins from the Samba server.

panic action = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: NULL
Sets the command to run when Samba panics. For Samba developers and testers, /usr/bin/X11/xterm -display :0 -e gdb /samba/bin/smbd %d is a possible value.

path = pathname
Allowable values: pathname
Default: varies
Sets the path to the directory provided by a file share or used by a printer share. Set automatically in [homes] share to user's home directory, otherwise defaults to /tmp. Honors the %u (user) and %m (machine) variables.

postexec = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: NULL
Sets a command to run as the user after disconnecting from the share. See also the options preexec, root preexec, and root postexec.

postscript = boolean
Allowable values: YES, NO
Default: NO
Flags a printer as PostScript to avoid a Windows bug by inserting %! as the first line. Works only if printer actually is PostScript compatible.

preexec = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: NULL
Sets a command to run as the user before connecting to the share. See also the options postexec, root preexec, and root postexec.

[global] preferred master = boolean
Allowable values: YES, NO
Default: NO
If YES, Samba is preferred to become the master browser. Causes Samba to call a browsing election when it comes online.

preload = share list
Allowable values: list of services
Default: NULL
Synonym of auto services. Specifies a list of shares that will always appear in browse lists.

preserve case = boolean
Allowable values: YES, NO
Default: NO
If set to YES, this option leaves filenames in the case sent by client.
If no, it forces filenames to the case specified by the default case option. See also short preserve case.

print command = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: varies
Sets the command used to send a spooled file to the printer. Usually initialized to a default value by the printing option. This option honors the %p (printer name), %s (spool file) and %f (spool file as a relative path) variables. Note that the command in the value of the option must include file deletion of the spool file.

print ok = boolean
Allowable values: YES, NO
Default: NO
Synonym of printable.

printable = boolean
Allowable values: YES, NO
Default: NO
Sets a share to be a print share. Required for all printers.

[global] printcap name = pathname
Allowable values: pathname
Default: /etc/printcap
Sets the path to the printer capabilities file used by the [printers] share. The default value changes to /etc/qconfig under AIX and lpstat on System V.

printer = name
Allowable values: printer name
Default: lp
Sets the name of the Unix printer.

printer driver = printer driver name
Allowable values: exact printer driver string used by Windows
Default: NULL
Sets the string to pass to Windows when asked what driver to use to prepare files for a printer share. Note that the value is case sensitive.

[global] printer driver file = path
Allowable values: Unix pathname
Default: samba-lib/printers.def
Sets the location of a msprint.def file, usable by Windows 95/98.

printer driver location = path
Allowable values: Windows network path
Default: \\server\PRINTER$
Sets the location of the driver for a particular printer. The value is a pathname for a share that stores the printer driver files.

printer name = name
Allowable values: name
Default: NULL
Synonym of printer.

printing = style
Allowable values: bsd, sysv, hpux, aix, qnx, plp, lprng
Default: bsd
Sets printing style to one of the above, instead of the compiled-in value. This sets initial values of at least the print command, lpq command, and lprm command.

[global] protocol = protocol
Allowable values: NT1, LANMAN2, LANMAN1, COREPLUS, CORE
Default: NT1
Sets SMB protocol version to one of the allowable
values. Resetting is highly discouraged. Only for backwards
compatibility with older-client bugs.

public = boolean
Allowable values: YES, NO
Default: NO
If YES, passwords are not needed for this share. A synonym is guest ok.

queuepause command = /absolute_path/command
Allowable values: valid Unix command
Default: varies
Sets the command used to pause a print queue. Usually initialized to a default value by the printing option. Introduced in Samba 1.9.18p10.

queueresume command = /absolute_path/command
Allowable values: valid Unix command
Default: varies
Sets the command used to resume a print queue. Usually initialized to a default value by the printing option. Introduced in Samba 1.9.18p10.

read bmpx = boolean
Allowable values: YES, NO
Default: NO
Obsolete. Do not change.

read list = comma-separated list
Allowable values: comma-separated list of users
Default: NULL
Specifies a list of users given read-only access to a writeable share.

read only = boolean
Allowable values: YES, NO
Default: NO
Sets a share to read-only. Antonym of writable and write ok.

[global] read prediction = boolean
Allowable values: YES, NO
Default: NO
Reads ahead data for read-only files. Obsolete; removed in Samba 2.0.

[global] read raw = boolean
Allowable values: YES, NO
Default: YES
Allows fast streaming reads over TCP using 64K buffers. Recommended.

[global] read size = bytes
Allowable values: size in bytes
Default: 2048
Sets a buffering option for servers with mismatched disk and network speeds. Requires experimentation. Avoid changing. Should not exceed 65536.

[global] remote announce = remote list
Allowable values: list of remote addresses
Default: NULL
Adds workgroups to the list on which the Samba server will announce itself. Specified as IP address/workgroup (for instance, 192.168.220.215/SIMPLE) with multiple groups separated by spaces. Allows directed broadcasts. The server will appear on those workgroup's browse lists. Does not require WINS.

[global] remote browse sync = address list
Allowable values: IP-address list
Default: NULL
Enables Samba-only browse list synchronization with other Samba local master browsers. Addresses can be specific addresses or directed broadcasts (i.e., ###.###.###.255).
The latter will cause Samba to hunt down the local master.

revalidate = boolean
Allowable values: YES, NO
Default: NO
If set to YES, requires users to re-enter passwords even after a successful initial logon to a share with a password.

[global] root = pathname
Allowable values: Unix pathname
Default: NULL
Synonym for root directory.

[global] root dir = pathname
Allowable values: Unix pathname
Default: NULL
Synonym for root directory.

[global] root directory = pathname
Allowable values: Unix pathname
Default: NULL
Specifies a directory to chroot() to before starting daemons. Prevents any access below that directory tree. See also the wide links configuration option.

root postexec = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: NULL
Sets a command to run as root after disconnecting from the share. See also preexec, postexec, and root preexec configuration options. Runs after the user's postexec command. Use with caution.

root preexec = /absolute_path/command
Allowable values: fully-qualified Unix shell command
Default: NULL
Sets a command to run as root before connecting to the share. See also preexec, postexec, and root postexec configuration options. Runs before the user's preexec command. Use with caution.

[global] security = value
Allowable values: share, user, server, domain
Default: share in Samba 1.0, user in 2.0
Sets password-security policy. If security=share, services have a shared password, available to everyone. If security=user, users have (Unix) accounts and passwords. If security=server, users have accounts and passwords and a separate machine authenticates them for Samba. If security=domain, full NT-domain authentication is done. See also the password server and encrypted passwords configuration options.

[global] server string = text
Allowable values: string
Default: Samba %v in 2.0
Sets the name that appears beside a server in browse lists.
Honors the %v (Samba version number) and %h (hostname) variables.

set directory = boolean
Allowable values: YES, NO
Default: NO
Allows DEC Pathworks client to use the set dir command.

[global] shared file entries = number
Allowable values: number
Default: 113
Obsolete; do not use.

shared mem size = bytes
Allowable values: size in bytes
Default: 102400
If compiled with FAST_SHARE_MODES (mmap), sets the shared memory size in bytes. Avoid changing.

[global] smb passwd file = path
Allowable values: Unix pathname
Default: /usr/local/samba/private/smbpasswd
Overrides compiled-in path to password file if encrypted passwords=yes.

[global] smbrun = /absolute_path/command
Allowable values: smbrun command
Default: compiled-in value
Overrides compiled-in path to smbrun binary. Avoid changing.

short preserve case = boolean
Allowable values: YES, NO
Default: NO
If set to YES, leaves mangled 8.3-style filenames in the case sent by the client. If set to NO, forces the case to that specified by the default case option. See also preserve case.

[global] socket address = IP address
Allowable values: IP address
Default: NULL
Sets address on which to listen for connections. Default is to listen to all addresses. Used to support multiple virtual interfaces on one server. Highly discouraged.

[global] socket options = socket option list
Allowable values: list
Default: NULL
Sets OS-specific socket options. SO_KEEPALIVE has TCP check clients every 4 hours to see if they are still accessible. TCP_NODELAY sends even tiny packets to keep delay low. Recommended wherever the operating system supports them. See Appendix B for more information.

[global] status = boolean
Allowable values: YES, NO
Default: YES
If YES, logs connections to a file (or shared memory) accessible to smbstatus.

strict sync = boolean
Allowable values: YES, NO
Default: NO
If set to YES, Samba will synchronize to disk whenever the client sets the sync bit in a packet. If set to NO, Samba flushes data to disk whenever buffers fill. Defaults to NO because Windows 98 Explorer sets the bit (incorrectly) in all packets. Introduced in Samba 1.9.18p10.

strict locking = boolean
Allowable values: YES, NO
Default: NO
If set to YES, Samba checks locks on every access, not just on demand and at open time.
Not recommended.

[global] strip dot = boolean
Allowable values: YES, NO
Default: NO
Removes trailing dots from filenames. Use mangled map instead.

[global] syslog = number
Allowable values: number
Default: 1
Sets number of Samba log messages to send to syslog. Higher is more verbose. The syslog.conf file must have suitable logging enabled.

[global] syslog only = boolean
Allowable values: YES, NO
Default: NO
If set to YES, log only to syslog, not standard Samba log files.

sync always = boolean
Allowable values: YES, NO
Default: NO
If set to YES, Samba calls fsync(3) after every write. Avoid except for debugging crashing servers.

[global] time offset = minutes
Allowable values: minutes
Default: 0
Sets number of minutes to add to system time zone calculation. Provided to fix a client daylight-savings bug; not recommended.

[global] time server = boolean
Allowable values: YES, NO
Default: NO
If YES, nmbd will provide time service to its clients.

unix password sync = boolean
Allowable values: YES, NO
Default: NO
If set, will attempt to change the user's Unix password whenever the user changes his or her SMB password. Used to ease synchronization of Unix and Microsoft password databases. Added in Samba 1.9.18p4. See also passwd chat.

unix realname = boolean
Allowable values: YES, NO
Default: NO
If set, will provide the GCOS field of /etc/passwd to the client as the user's full name.

user = comma-separated list
Allowable values: comma-separated list of user names
Default: NULL
Synonym for username.

username = comma-separated list
Allowable values: comma-separated list of user names
Default: NULL
Sets a list of users to try to log in as for a share or shares with share-level security. Synonyms are user and users. Discouraged. Use NET USE \\server\share %user from the client instead.

username level = number
Allowable values: number
Default: 0
Number of uppercase letter permutations allowed to match Unix usernames. Workaround for Windows feature (single-case usernames). Use is discouraged.

[global] username map = pathname
Allowable values: pathname
Default: NULL
Names a file of Unix-to-Windows name pairs; used to map different spellings of account names and those Windows usernames longer than eight characters.

valid chars = list
Allowable values: list of numeric values
Default: NULL
Semi-obsolete. Adds national characters to a character set map.
Overridden by client code page.

valid users = user list
Allowable values: list of users
Default: NULL (everyone)
List of users that can log in to a share.

veto files = slash-list
Allowable values: slash-separated list of filenames
Default: NULL
List of files not to allow the client to see when listing a directory's contents. See also delete veto files.

veto oplock files = slash-list
Allowable values: slash-separated list of filenames
Default: NULL
List of files not to oplock (and cache on clients). See also oplocks and fake oplocks.

volume = share name
Allowable values: string
Default: NULL
Sets the volume label of a disk share, notably a CD-ROM.

wide links = boolean
Allowable values: YES, NO
Default: YES
If set to YES, Samba will follow symlinks out of the current disk share(s). See also the root dir and follow symlinks options.

[global] wins proxy = boolean
Allowable values: YES, NO
Default: NO
If set to YES, nmbd will proxy resolution requests to WINS servers on behalf of old clients, which use broadcasts. WINS server is typically on another subnet.

[global] wins server = host
Allowable values: hostname
Default: NULL
Sets the DNS name or IP address of the WINS server.

[global] wins support = boolean
Allowable values: YES, NO
Default: NO
If set to YES, Samba activates WINS service. The wins server option must not be set if wins support = yes.

[global] workgroup = name
Allowable values: workgroup name
Default: compiled-in
Sets the workgroup to which things will be served. Overrides compiled-in value. Choosing a name other than WORKGROUP is strongly recommended.

writable = boolean
Allowable values: YES, NO
Default: YES
Antonym for read only; synonym of write ok.

write list = comma-separated list
Allowable values: comma-separated list of users
Default: NULL (everyone)
List of users that are given read-write access to a read-only share. See also read list.

write ok = boolean
Allowable values: YES, NO
Default: YES
Synonym of the writable configuration option.

[global] write raw = boolean
Allowable values: YES, NO
Default: YES
Allows fast streaming writes over TCP, using 64KB buffers. Recommended.

Glossary of Configuration Values

Address list
A space-separated list of IP addresses in ###.###.###.### format.

Comma-separated list
A list of items separated by commas.

Command
A Unix command, with full path and parameters.

Host list
A space-separated list of hosts.
Allows IP addresses, address masks, domain names, ALL, and EXCEPT.

Interface list
A space-separated list of interfaces, in either address/netmask or address/n-bits format. For example, 192.168.2.10/24 or 192.168.2.10/255.255.255.0.

Map list
A space-separated list of file-remapping strings such as (*.html *.htm).

Remote list
A space-separated list of subnet-broadcast-address/workgroup pairs. For example, 192.168.2.255/SERVERS 192.168.4.255/STAFF.

Service (share) list
A space-separated list of share names, without the enclosing square brackets.

Slash-list
A list of filenames, separated by "/" characters to allow embedded spaces. For example, /.*/fredflintstone/*.frk/.

Text
One line of text.

User list
A space-separated list of usernames. In Samba 1.9, @group-name will include everyone in Unix group group-name. In Samba 2.0, @group-name includes whoever is in the NIS netgroup group_name if one exists, otherwise whoever is in the Unix group group_name. In addition, +group_name is a Unix group, &group_name is an NIS netgroup, and &+ and +& cause an ordered search of both Unix and NIS groups.

Configuration File Variables

Table 3.1 lists the Samba configuration file variables.
Variables in Alphabetic Order

Name  Meaning
%a    Client's architecture (one of Samba, WfWg, WinNT, Win95, or UNKNOWN)
%d    Current server process's process ID
%f    Print-spool file as a relative path (printing only)
%f    User from which a message was sent (messages only)
%G    Primary group name of %U (requested username)
%g    Primary group name of %u (actual username)
%H    Home directory of %u (actual username)
%h    Samba server's (Internet) hostname
%I    Client's IP address
%j    Print job number (printing only)
%L    Samba server's NetBIOS name (virtual servers have multiple names)
%M    Client's (Internet) hostname
%m    Client's NetBIOS name
%n    New password (password change only)
%N    Name of the NIS home directory server (without NIS, same as %L)
%o    Old password (password change only)
%P    Current share's root directory (actual)
%p    Current share's root directory (in an NIS homedir map)
%p    Print filename (printing only)
%R    Protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)
%S    Current share's name
%s    Filename the message is in (messages only)
%s    Print-spool file name (printing only)
%T    Current date and time
%t    Destination machine (messages only)
%u    Current share's username
%U    Requested username for current share
%v    Samba version