C. Samba Configuration Option Quick Reference

The following pages list each of the Samba configuration options. If an option is applicable only to the global section, "[global]" will appear before its name. Any lists mentioned are space separated, except where noted. A glossary of terms follows the options.

admin users = user list

Default: NULL

Allowable values: user list

List of users who will be granted root permissions on the share by Samba.

allow hosts = host list

Default: NULL

Allowable values: any

Synonym for hosts allow. List of machines that may connect to a share.

alternate permissions = boolean

Default: NO

Allowable values: YES, NO

Obsolete. Has no effect in Samba 2. Files will be shown as read-only if the owner can't write them. In Samba 1.9 and earlier, setting this option would set the DOS filesystem read-only attribute on any file the user couldn't read. This in turn required the delete readonly option.

[global] announce as = system type

Default: NT

Allowable values: NT, Win95, WfW

Have Samba announce itself as something other than an NT server. Discouraged because it interferes with serving browse lists.

[global] announce version = number.number

Default: 4.2

Allowable values: any

Instructs Samba to announce itself as an older version SMB server. Discouraged.

[global] auto services = share list

Default: NULL

Allowable values: any shares

List of shares that will always appear in browse lists. A synonym is preload.

available = boolean

Default: YES

Allowable values: YES, NO

If set to NO, denies access to a share. Doesn't affect browsing.

[global] bind interfaces only = boolean

Default: NO

Allowable values: YES, NO

If set to YES, shares and browsing will be provided only on interfaces in an interfaces list (see interfaces). New in Samba 1.9.18. If you set this option to YES, be sure to add 127.0.0.1 to the interfaces list to allow smbpasswd to connect to the local machine to change passwords. This is a convienence option; it does not improve security.

browsable = boolean

Default: YES

Allowable values: YES, NO

Allows a share to be announced in browse lists.

blocking locks = boolean

Default: YES

Allowable values: YES, NO

If YES, honors byte range lock requests with time limits for queuing the request and retrying it until the time period expires. New in Samba 2.0.

[global] browse list = boolean

Default: YES

Allowable values: YES, NO

Turns on/off browse list from this server. Avoid changing.

[global] case sensitive = boolean

Default: NO

Allowable values: YES, NO

If YES, uses exactly the case the client supplied when trying to resolve a filename. If NO, matches either upper- or lowercase name. Avoid changing.

[global] case sig names = boolean

Default: NO

Allowable values: YES, NO

Synonym for case sensitive.

[global] change notify timeout = number

Default: 60

Allowable values: positive number

Sets the number of seconds between checks when a client asks for notification of changes in a directory. Introduced in Samba 2.0 to limit the performance cost of the checks. Avoid lowering.

character set = name

Default: NULL

Allowable values: ISO8859-1, ISO8859-2, ISO8859-5, KOI8-R

If set, translates from DOS code pages to the Western European (ISO8859-1), Eastern European (ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian (KOI8-R) character set. The client code page must be set to 850.

client code page = name

Default: 437 (US MS-DOS)

Allowable values: See Table 8.4

Sets the DOS code page explicitly, overriding any previous valid chars settings. Examples of values are 850 for European, 437 is the US standard, and 932 for Japanese Shift-JIS. Introduced in Samba 1.9.19.

coding system = code

Default: NULL

Allowable values: euc, cap, hex, hexN, sjis, j8bb, j8bj, jis8, j8bh, j8@b, j8@j, j8@h, j7bb, j7bj, jis7, j7bh, j7@b, j7@j, j7@h, jubb, jubj, junet, jubh, ju@b, ju@j, ju@h

Sets the coding system used, notably for Kanji. This is employed for filenames and should correspond to the code page in use. The client code page option must be set to 932 (Japanese Shift-JIS). Introduced in Samba 2.0.

comment = text

Default: NULL

Allowable values: a text string or NULL

Sets the comment that appears beside a share in a NET VIEW or the details list of a Microsoft directory window. See also the server string configuration option.

[global] config file = pathname

Default: NULL

Allowable values: Unix pathname

Selects an additional Samba configuration file to read instead of the current one. Used to relocate the configuration file, or used with %-variables to select custom configuration files for some users or machines.

copy = section name

Default: NULL

Allowable values: existing section's name

Copies the configuration of a previously seen share into the share where it appears. Used with %-variables to select custom configurations for machines, architectures and users. The copied section must be earlier in the configuration file. Copied options are of lesser priority than those explicitly listed in the section.

create mask = octal value

Default: 0744

Allowable values: octal permission bits, 0-0777

Also called create mode. Sets the maximum allowable permissions for new files (e.g., 0755). See also directory mask. To require certain permissions to be set, see force create mask/force directory mask. This option stopped affecting directories in Samba 1.9.17, and the default value changed in Samba 2.0.

create mode = octal permission bits

Default: 0744

Allowable values: octal permission bits, 0-0777

Synonym for create mask.

[global] deadtime = minutes

Default: 0

Allowable values: minutes

The time in minutes before an unused connection will be terminated. Zero means forever. Used to keep clients from tying up server resources forever. If used, clients will have to auto-reconnect after minutes of inactivity. See also keepalive.

[global] debug level = number

Default: 0

Allowable values: number

Sets the logging level used. Values of 3 or more slow Samba noticeably. A synonym is log level. Recommended value: 1.

[global] debug timestamp = boolean

Default: YES

Allowable values: YES, NO

Timestamps all log messages. Can be turned off when it's not useful (e.g., in debugging). New in Samba 2.0.

[global] default = name

Default: NULL

Allowable values: share name

Also called default service. The name of a service (share) to provide if someone requests a service they don't have permission to use or which doesn't exist. As of Samba 1.9.14, the path will be set from the name the client specified, with any "_" characters changed to "/" characters, allowing access to any directory on the Samba server. Use is strongly discouraged.

default case = case

Default: LOWER

Allowable values: LOWER, UPPER

Sets the case in which to store new filenames. LOWER indicates mixed case, UPPER indicates uppercase letters.

[global] default service = share name

Default: NULL

Allowable values: share name

Synonym for default.

delete readonly = boolean

Default: NO

Allowable values: NO, YES

Allow delete requests to remove read-only files. This is not allowed in DOS/Windows, but is normal in Unix, which has separate directory permissions. Used with programs like RCS, or with the older alternate permissions option.

delete veto files = boolean

Default: NO

Allowable values: NO, YES

Allow delete requests for a directory containing files or subdirectories the user can't see due to the veto files option. If set to NO, the directory will not be deleted and will still contain invisible files.

deny hosts = host list

Default: NULL

Allowable values: host list

A synonym is hosts deny. Specifies a list of machines from which to refuse connections or shares.

[global] dfree command = command

Default: varies

Allowable values: shell command

A command to run on the server to return disk free space. Not needed unless the OS command does not work properly.

directory = pathname

Default: NULL

Allowable values: pathname

Synonym for path. A directory provided by a file share, or used by a printer share. Set automatically in the [homes] share to user's home directory, otherwise defaults to /tmp.

directory mask = octal permission bits

Default: 0755

Allowable values: octal value from 0 to 0777

Also called directory mode. Sets the maximum allowable permissions for newly created directories. To require certain permissions be set, see the force create mask and force directory mask options.

directory mode = octal permission bits

Default: 0755

Allowable values: octal value from 0 to 0777

Synonym for directory mask.

[global] dns proxy = boolean

Default: YES

Allowable values: YES, NO

If set to YES, and if wins server = YES, look up hostnames in DNS if they are not found using WINS.

[global] domain logons = boolean

Default: NO

Allowable values: YES, NO

Allow Windows 95/98 or NT clients to log on to an NT-like domain.

[global] domain master = boolean

Default: NO

Allowable values: YES, NO

Become a domain master browser list collector if possible for the entire workgroup/domain.

dont descend = comma-list

Default: NULL

Allowable values: comma-separated list of paths

Does not allow a change directory or search in the directories specified. This is a browsing convenience option; it doesn't provide any extra security.

dos filetimes = boolean

Default: NO

Allowable values: YES, NO

Allow non-owners to change file times if they can write to the file. See also dos filetime resolution.

dos filetime resolution = boolean

Default: NO

Allowable values: YES, NO

Set file times on Unix to match DOS standards (round to next even second). Recommended if using Visual C++ or a PC make program to avoid remaking the programs unnecesarily. Use with the dos filetimes option.

[global] encrypt passwords = boolean

Default: NO

Allowable values: YES, NO

Uses Windows NT-style password encryption. Requires an smbpasswd on the Samba server.

exec = command

Default: NULL

Allowable values: shell command

Synonym of preexec, a command to run as the user just before connecting to the share.

fake directory create times = boolean

Default: NO

Allowable values: YES, NO

Bug fix for users of Microsoft nmake. If set, Samba will set directory create times such that nmake won't remake all files every time.

fake oplocks = boolean

Default: NO

Allowable values: YES, NO

Return YES whenever a client asks if it can lock a file and cache it locally, but does not enforce lock on the server. Use only for read-only disks, as Samba now supports real oplocks and has per-file overrides. See also oplocks and veto oplock files.

follow symlinks = boolean

Default: YES

Allowable values: YES, NO

If YES, Samba will follow symlinks in a file share or shares. See the wide links option if you want to restrict symlinks to just the current share.

force create mask = octal permission bits

Default: 0

Allowable values: octal value from 0 to 0777

Provides bits that will be ORed into the permissions of newly created files. Used with the create mode configuration option.

force create mode = octal permission bits

Default: 0

Allowable values: octal value from 0 to 0777

Synonym for force create mask.

force directory mask = octal permission bits

Default: 0

Allowable values: octal value from 0 to 0777

Provides bits that will be ORed into the permissions of newly created directories, forcing those bits to be set. Used with directory mode.

force directory mode = octal permission bits

Default: 0

Allowable values: octal value from 0 to 0777

Synonym for force directory mask.

force group = unix group

Default: NULL

Allowable values: group

Sets the effective group name assigned to all users accessing a share. Used to override user's normal groups.

force user = name

Default: NULL

Allowable values: username

Sets the effective username assigned to all users accessing a share. Discouraged.

fstype = string

Default: NTFS

Allowable values: NTFS, FAT, Samba

Sets the filesystem type reported to the client.

[global] getwd cache = boolean

Default: NO

Allowable values: YES, NO

Cache current directory for performance. Recommended with the wide links option.

group = group

Default: NULL

Allowable values: unix group

An obsolete form of force group.

guest account = user

Default: NULL

Allowable values: username

Sets the name of the unprivileged Unix account to use for tasks like printing and for accessing shares marked with guest ok.

guest ok = boolean

Default: NO

Allowable values: YES, NO

If YES, passwords are not needed for this share. Synonym of public.

guest only = boolean

Default: NO

Allowable values: YES, NO

Forces user of a share to do so as the guest account. Requires guest ok or public to be yes.

hide dot files = boolean

Default: YES

Allowable values: YES, NO

Treats files beginning with a dot in a share as if they had the DOS/Windows hidden attribute set.

hide files = slash-separated list

Default: NULL

Allowable values: list of patterns, separated by / characters

List of file or directory names to set the DOS hidden attribute on. Names may contain ? or * pattern-characters and %-variables. See also hide dot files and veto files.

[global] homedir map = NIS map name

Default: auto.home

Allowable values: NIS map name

Used with nis homedir to locate user's Unix home directory from Sun NIS (not NIS+).

hosts allow = host list

Default: NULL

Allowable values: list of hostnames

Synonym of allow hosts, a list of machines that can access a share or shares. If NULL (the default) any machine can access the share unless there is a hosts deny option.

hosts deny = host list

Default: NULL

Allowable values: list of hostnames

Synonym of deny hosts, a list of machines that cannot connect to a share or shares.

[global] hosts equiv = pathname

Default: NULL

Allowable values: pathname

Path to a file of trusted machines from which password-less logins are allowed. Strongly discouraged, because Windows/NT users can always override the user name, the only security in this scheme.

include = pathname

Default: NULL

Allowable values: pathname

Include the named file in smb.conf at the line where it appears. This option does not understand the variables %u (user), %P (current share's root directory), or %S (current share name), because they are not set at the time the file is read.

inherit permissions = boolean

Default: NO

Allowable values: YES, NO

If set, subdirectories will be created with the same permissions as the directory they are in. This overrides create mask, directory mask, force create mode and force directory mode, but not map archive, map hidden and map system. Will never set the setuid bit. New in 2.0.7, this is a means of ensuring Unix permissions can be propagated to subdirectories, especially in [homes].

[global] interfaces = interface list

Default: NULL

Allowable values: IP addresses separated by spaces

Sets the interfaces to which Samba will respond. The default is the machine's primary interface only. Recommended on multihomed machines or to override erroneous addresses and netmasks.

invalid users = user list

Default: NULL

Allowable values: list of users

List of users that will not be permitted access to a share or shares.

[global] keepalive = number

Default: 0

Allowable values: number of seconds

Number of seconds between checks for a crashed client. The default of 0 causes no checks to be performed. Recommended if you want checks more often than every four hours. 3600 (10 minutes) is reasonable. See also socket options for another approach.

[global] kernel oplocks = boolean

Default: automatic

Allowable values: YES, NO

Break oplock when a Unix process accesses an oplocked file, preventing corruption. Set to YES on operating systems supporting this, otherwise set to NO. New in Samba 2.0; supported on SGI, and hopefully soon on Linux and BSD. Avoid changing.

[global] ldap filter = various

Default: varies

Allowable values: various

Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] ldap port = various

Default: various

Allowable values: various

Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] ldap root = various

Default: various

Allowable values: various

Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] ldap server = various

Default: various

Allowable values: various

Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] ldap suffix = various

Default: various

Allowable values: various

Options beginning with ldap are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.

[global] load printers = boolean

Default: YES

Allowable values: YES, NO

Load all printer names from the system printer capabilities into browse list. Uses configuration options from the [printers] section.

[global] local master = boolean

Default: YES

Allowable values: YES, NO

Stands for election as the local master browser. See also domain master and os level.

[global] lm announce = value

Default: AUTO

Allowable values: AUTO, YES, NO

Produce OS/2 SMB broadcasts at an interval specified by the lm interval option. YES/NO turns them on/off unconditionally. AUTO causes the Samba server to wait for a LAN Manager announcement from another client before sending one out. Required for OS/2 client browsing.

[global] lm interval = seconds

Default: 60

Allowable values: number

Sets the time period, in seconds, between OS/2 SMB broadcast announcements.

[global] lock directory = pathname

Default: /usr/local/samba/var/locks

Allowable values: pathname

Set a directory to keep lock files in. The directory must be writable by Samba, readable by everyone.

locking = boolean

Default: YES

Allowable values: YES, NO

Perform file locking. If set to NO, Samba will accept lock requests but will not actually lock resources. Recommended only for read-only file systems.

[global] log file = pathname

Default: varies

Allowable values: pathname

Set name and location of the log file. Allows all %-variables.

[global] log level = number

Default: 0

Allowable values: number

A synonym of debug level. Sets the logging level used. Values of 3 or more slow the system noticeably.

[global] logon drive = drive

Default: None

Allowable values: DOS drive name

Sets the drive on Windows NT (only) of the logon path.

[global] logon home = path

Default: \\%

Allowable values: Unix pathname

Sets the home directory of a Windows 95/98 or NT Workstation user. Allows NET USE H:/HOME from the command prompt.

[global] logon path = pathname

Default: \\N\%U\profile

Allowable values: Windows pathname

Sets path to Windows profile directory. This contains USER.MAN and/or USER.DAT profile files and the Windows 95 Desktop, Start Menu, Network Neighborhood, and programs folders.

[global] logon script = pathname

Default: NULL

Allowable values: pathname

Sets pathname relative to [netlogin] share of a DOS/NT script to run on the client at login time. Allows all %-variables.

lppause command = /absolute_ path/command

Default: varies

Allowable values: fully-qualfied Unix shell command

Sets the command to pause a print job. Honors the %p (printer name) and %j (job number) variables.

lpresume command = /absolute_ path/command

Default: varies

Allowable values: fully-qualified Unix shell command

Sets the command to resume a paused print job. Honors the %p (printer name) and %j (job number) variables.

[global] lpq cache time = seconds

Default: 10

Allowable values: number of seconds

Sets how long to keep print queue (lpq) status is cached, in seconds.

lpq command = /absolute_ path/command

Default: varies

Allowable values: fully-qualfied Unix shell command

Sets the command used to get printer status. Usually initialized to a default value by the printing option. Honors the %p (printer name) variable.

lprm command = /absolute_ path/command

Default: varies

Allowable values: fully-qualified Unix shell command

Sets the command to delete a print job. Usually initialized to a default value by the printing option. Honors the %p (printer name) and %j (job number) variables.

machine password timeout = seconds

Default: 604,800

Allowable values: number of seconds

Sets the period between (NT domain) machine password changes. Default is 1 week, or 604,800 seconds.

magic output = pathname

Default: script.out

Allowable values: Unix pathname

Sets the output file for the discouraged magic scripts option. Default is the script name, followed by the extension .out.

magic script = pathname

Default: NULL

Allowable values: Unix pathname

Sets a filename for execution via a shell whenever the file is closed from the client, to allow clients to run commands on the server.

mangle case = boolean

Default: NO

Allowable values: allowable values: YES, NO

Mangle a name if it is in mixed case.

mangled map = map list

Default: NULL

Allowable values: list of to-from pairs

Set up a table of names to remap (e.g., .html to .htm).

mangled names = boolean

Default: YES

Allowable values: YES, NO

Sets Samba to abbreviate names that are too long or have unsupported characters to the DOS 8.3 style.

mangling char = character

Default: ~

Allowable values: character

Sets the unique mangling character used in all mangled names.

[global] mangled stack = number

Default: 50

Allowable values: number

Sets the size of a cache of recently-mangled filenames.

map aliasname = pathname

Default: NULL

Allowable values: Unix pathname

Points to a file of Unix group/NT group pairs, one per line. This is used to map NT aliases to Unix group names. See also the configuration options username map and map groupname. Introduced in Samba 2.0.

map archive = boolean

Default: YES

Allowable values: YES, NO

If YES, Samba sets the executable-by-user (0100) bit on Unix files if the DOS archive attribute is set. Recommended: if used, the create mask must contain the 0100 bit.

map hidden = boolean

Default: NO

Allowable values: YES, NO

If YES, sets executable-by-other (0001) bit on Unix files if the DOS hidden attribute is set. If used, the create mask option must contain the 0001 bit.

map groupname = pathname

Default: NULL

Allowable values: pathname

Points to a file of Unix group/NT group, one per line. This is used to map NT group names to Unix group names. See also the configuration options username map and map aliasname. Introduced in Samba 2.0.

map system = boolean

Default: NO

Allowable values: YES, NO

If YES, Samba sets the executable-by-group (0010) bit on Unix files if the DOS system attribute is set. If used, the create mask must contain the 0010 bit.

max connections = number

Default: 0 (infinity)

Allowable values: number

Set maximum number of connections allowed to a share from each individual client machine.

[global] max disk size = number

Default: 0 (unchanged)

Allowable values: size in MB

Sets maximum disk size/free-space size (in megabytes) to return to client. Some clients or applications can't understand large maximum disk sizes.

[global] max log size = number

Default: 5000

Allowable values: size in KB

Sets the size (in kilobytes) at which Samba will start a new log file. The current log file will be renamed with an .old extension, replacing any previous file with that name.

[global] max mux = number

Default: 50

Allowable values: number

Sets the number of simultaneous operations that Samba clients may make. Avoid changing.

[global] max packet = number

Default: N/A

Allowable values: number

Synonym for packet size. Obsolete as of Samba 1.7. Use max xmit instead.

[global] max open files = number

Default: 10,000

Allowable values: number

Limits the number of files a Samba process will try to keep open at one time. Samba allows you to set this to less than the Unix maximum. This option is a workaround for a separate problem. Avoid changing. This option was introduced in Samba 2.0.

[global] max ttl = seconds

Default: 14400 (4 hrs)

Allowable values: time in seconds

Sets the time to keep NetBIOS names in nmbd cache while trying to perform a lookup on it. Avoid changing.

[global] max wins ttl = seconds

Default: 259200 (3 days)

Allowable values: time in seconds

Limits time-to-live of a NetBIOS name in nmbd WINS cache, in seconds. Avoid changing.

[global] max xmit = bytes

Default: 65535

Allowable values: size in bytes

Sets maximum packet size that will be negotiated by Samba. Tuning parameter for slow links and older client bugs. Values less than 2048 are discouraged.

[global] message command = /absolute_ path/command

Default: NULL

Allowable values: shell command

Sets the command on the server to run when a WinPopup message arrives from a client. The command must end in "&" to allow immediate return. Honors all %-variables except %u (user), and supports the extra variables %s (filename the message is in), %t (destination machine), and %f (from).

min print space = kilobytes

Default: 0 (unlimited)

Allowable values: space in KB

Sets minimum spool space required before accepting a print request.

min password length = characters

Default: 5

Allowable values: decimal number of characters

Sets the shortest password Samba will pass to the Unix passwd command.

[global] min wins ttl = seconds

Default: 21600 (6 hrs)

Allowable values: time in seconds

Sets minimum time-to-live of a NetBIOS name in nmbd WINS cache, in seconds. Avoid changing.

name resolve order = list

Default: lmhosts wins hosts bcast

Allowable values: list of lmhosts, wins, hosts and bcast

Sets order of lookup when trying to get IP address from names. The hosts parameter carrries out a regular name look up using the server's normal sources: /etc/hosts, DNS, NIS, or a combination of them. Introduced in Samba 1.9.18p4.

[global] netbios aliases = list

Default: NULL

Allowable values: list of netbios names

Adds additional NetBIOS names by which a Samba server will advertise itself.

netbios name = hostname

Default: varies

Allowable values: host name

Sets the NetBIOS name by which a Samba server is known, or primary name if NetBIOS aliases exist.

netbios scope = string

Default: NULL

Allowable values: string

Sets the NetBIOS scope string. Samba will not communicate with a machine with a different scope. This was an early predecessor of workgroups: avoid setting it. Added in 2.0.7.

[global] networkstation user login = boolean

Default: YES

Allowable values: YES, NO

If set to NO, clients will not do a full login when security = server. Avoid changing. Turning it off is a temporary workaround (introduced in Samba 1.9.18p3) for NT trusted domains bug. Automatic correction was introduced in Samba 1.9.18p10; the parameter may eventually be removed.

[global] nis homedir = boolean

Default: NO

Allowable values: YES, NO

If YES, the homedir map will be used to look up the user's home-directory server name and return it to the client. The client will contact that machine to connect to the share. This avoids mounting from a machine that doesn't actually have the disk. The machine with the home directories must be an SMB server.

[global] nt pipe support = boolean

Default: YES

Allowable values: YES, NO

Allows turning off NT-specific pipe calls. This is a developer/benchmarking option and may be removed in the future. Avoid changing.

[global] nt smb support = boolean

Default: YES

Allowable values: YES, NO

If YES, allow NT-specific SMBs to be used. This is a developer/benchmarking option and may be removed in the future. Avoid changing.

[global] null passwords = boolean

Default: NO

Allowable values: YES, NO

If YES, allows access to accounts that have null passwords. Strongly discouraged.

ole locking compatibility = boolean

Default: YES

Allowable values: YES, NO

If YES, locking ranges will be mapped to avoid Unix locks crashing when Windows uses locks above 32KB. You should avoid changing this option. Introduced in Samba 1.9.18p10.

only guest = boolean

Default: NO

Allowable values: YES, NO

A synonym for guest only. Forces user of a share to login as the guest account.

only user = boolean

Default: NO

Allowable values: YES, NO

Requires that users of the share be on a username = list.

oplocks = boolean

Default: YES

Allowable values: YES, NO

If YES, support local caching of opportunistic locked files on client. This option is recommended because it improves performance by about 30%. See also fake oplocks and veto oplock files.

[global] os level = number

Default: 0

Allowable values: number

Sets the candidacy of the server when electing a browse master. Used with the domain master or local master options. You can set a higher value than a competing operating system if you want Samba to win. Windows for Workgroups and Windows 95 use 1, Windows NT client uses 17, and Windows NT Server uses 33.

[global] packet size = bytes

Default: 65535

Allowable values: number in bytes

Obsolete. Discouraged synonym of max packet. See max xmit.

[global] passwd chat debug = boolean

Default: NO

Allowable values: YES, NO

Logs an entire password chat, including passwords passed, with a log level of 100. For debugging only. Introduced in Samba 1.9.18p5.

[global] passwd chat = command sequence

Default: compiled-in value

Allowable values: Unix server commands

Sets the command used to change passwords on the server. Supports the variables %o (old password) and %n (new password) and allows \r \n \t and \s (space) escapes in the sequence.

[global] passwd program = program

Default: NULL

Allowable values: Unix server program

Sets the command used to change user's password. Will be run as root. Supports %u (user).

[global] password level = number

Default: 0

Allowable values: number

Specifies the number of uppercase letter permutations used to match passwords. Workaround for clients that change passwords to a single case before sending them to the Samba server. Causes repeated login attempts with passwords in different cases, which can trigger account lockouts.

[global] password server = netbios names

Default: NULL

Allowable values: list of NetBIOS names

A list of SMB servers that will validate passwords for you. Used with an NT password server (PDC or BDC) and the security = server or security = domain configuration options. Caution: an NT password server must allow logins from the Samba server.

panic action = /absolute_ path/command

Default: NULL

Allowable values: fully-qualfied Unix shell command

Sets the command to run when Samba panics. For Samba developers and testers, /usr/bin/X11/xterm -display :0 -e gdb /samba/bin/smbd %d is a possible value.

path = pathname

Default: varies

Allowable values: pathname

Sets the path to the directory provided by a file share or used by a printer share. Set automatically in [homes] share to user's home directory, otherwise defaults to /tmp. Honors the %u (user) and %m (machine) variables.

postexec = /absolute_ path/command

Default: NULL

Allowable values: fully-qualified Unix shell command

Sets a command to run as the user after disconnecting from the share. See also the options preexec, root preexec, and root postexec.

postscript = boolean

Default: NO

Allowable values: YES, NO

Flags a printer as PostScript to avoid a Windows bug by inserting %! as the first line. Works only if printer actually is PostScript compatible.

preexec = /absolute_ path/command

Default: NULL

Allowable values: fully-qualified Unix shell command

Sets a command to run as the user before connecting to the share. See also the options postexec, root preexec, and root postexec.

[global] preferred master = boolean

Default: NO

Allowable values: YES, NO

If YES, Samba is preferred to become the master browser. Causes Samba to call a browsing election when it comes online.

preload = share list

Default: NULL

Allowable values: list of services

Synonym of auto services. Specifies a list of shares that will always appear in browse lists.

preserve case = boolean

Default: NO

Allowable values: YES, NO

If set to YES, this option leaves filenames in the case sent by client. If no, it forces filenames to the case specified by the default case option. See also short preserve case.

print command = /absolute_ path/command

Default: varies

Allowable values: fully-qualified Unix shell command

Sets the command used to send a spooled file to the printer. Usually initialized to a default value by the printing option. This option honors the %p (printer name), %s (spool file) and %f (spool file as a relative path) variables. Note that the command in the value of the option must include file deletion of the spool file.

print ok = boolean

Default: NO

Allowable values: YES, NO

Synonym of printable.

printable = boolean

Default: NO

Allowable values: YES, NO

Sets a share to be a print share. Required for all printers.

[global] printcap name = pathname

Default: /etc/printcap

Allowable values: pathname

Sets the path to the printer capabilities file used by the [printers] share. The default value changes to /etc/qconfig under AIX and lpstat on System V.

printer = name

Default: lp

Allowable values: printer name

Sets the name of the Unix printer.

printer driver = printer driver name

Default: NULL

Allowable values: exact printer driver string used by Windows

Sets the string to pass to Windows when asked what driver to use to prepare files for a printer share. Note that the value is case sensitive.

[global] printer driver file = path

Default: samba-lib/printers.def

Allowable values: Unix pathname

Sets the location of a msprint.def file, usable by Windows 95/98.

printer driver location = path

Default: \\server\PRINTER$

Allowable values: Windows network path

Sets the location of the driver for a particular printer. The value is a pathname for a share that stores the printer driver files.

printer name = name

Default: NULL

Allowable values: name

Synonym of printer.

printing = style

Default: bsd

Allowable values: bsd, sysv, hpux, aix, qnx, plp, lprng

Sets printing style to one of the above, instead of the compiled-in value. This sets initial values of at least the print command, print command, lpq command, and lprm command.

[global] protocol = protocol

Default: NT1

Allowable values: NT1, LANMAN2, LANMAN1, COREPLUS, CORE

Sets SMB protocol version to one of the allowable values. Resetting is highly discouraged. Only for backwards compatibility with older-client bugs.

public = boolean

Default: NO

Allowable values: YES, NO

If YES, passwords are not needed for this share. A synonym is guest ok.

queuepause command = /absolute_ path/command

Default: varies

Allowable values: valid Unix command

Sets the command used to pause a print queue. Usually initialized to a default value by the printing option. Introduced in Samba 1.9.18p10.

queueresume command = /absolute_ path/command

Default: varies

Allowable values: valid Unix command

Sets the command used to resume a print queue. Usually initialized to a default value by the printing option. Introduced in Samba 1.9.18p10.

read bmpx = boolean

Default: NO

Allowable values: YES, NO

Obsolete. Do not change.

read list = comma-separated list

Default: NULL

Allowable values: comma-separated list of users

Specifies a list of users given read-only access to a writeable share.

read only = boolean

Default: NO

Allowable values: YES, NO

Sets a share to read-only. Antonym of writable and write ok.

[global] read prediction = boolean

Default: NO

Allowable values: YES, NO

Reads ahead data for read-only files. Obsolete; removed in Samba 2.0.

[global] read raw = boolean

Default: YES

Allowable values: YES, NO

Allows fast streaming reads over TCP using 64K buffers. Recommended.

[global] read size = bytes

Default: 2048

Allowable values: size in bytes

Sets a buffering option for servers with mismatched disk and network speeds. Requires experimentation. Avoid changing. Should not exceed 65536.

[global] remote announce = remote list

Default: NULL

Allowable values: list of remote addresses

Adds workgroups to the list on which the Samba server will announce itself. Specified as IP address/workgroup (for instance, 192.168.220.215/SIMPLE) with multiple groups separated by spaces. Allows directed broadcasts. The server will appear on those workgroup's browse lists. Does not require WINS.

[global] remote browse sync = address list

Default: NULL

Allowable values: IP-address list

Enables Samba-only browse list synchronization with other Samba local master browsers. Addresses can be specific addresses or directed broadcasts (i.e., ###.###.###.255). The latter will cause Samba to hunt down the local master.

revalidate = boolean

Default: NO

Allowable values: YES, NO

If set to YES, requires users to re-enter passwords even after a successful initial logon to a share with a password.

[global] root = pathname

Default: NULL

Allowable values: Unix pathname

Synonym for root directory.

[global] root dir = pathname

Default: NULL

Allowable values: Unix pathname

Synonym for root directory.

[global] root directory = pathname

Default: NULL

Allowable values: Unix pathname

Specifies a directory to chroot() to before starting daemons. Prevents any access below that directory tree. See also the wide links configuration option.

root postexec = /absolute_ path/command

Default: NULL

Allowable values: fully-qualified Unix shell command

Sets a command to run as root after disconnecting from the share. See also preexec, postexec, and root preexec configuration options. Runs after the user's postexec command. Use with caution.

root preexec = /absolute_ path/command

Default: NULL

Allowable values: fully-qualified Unix shell command

Sets a command to run as root before connecting to the share. See also preexec, postexec, and root postexec configuration options. Runs before the user's preexec command. Use with caution.

[global] security = value

Default: share in Samba 1.0, user in 2.0

Allowable values: share, user, server, domain

Sets password-security policy. If security = share, services have a shared password, available to everyone. If security = user, users have (Unix) accounts and passwords. If security = server, users have accounts and passwords and a separate machine authenticates them for Samba. If security = domain, full NT-domain authentication is done. See also the password server and encrypted passwords configuration options.

[global] server string = text

Default: Samba %v in 2.0

Allowable values: string

Sets the name that appears beside a server in browse lists. Honors the %v (Samba version number) and %h (hostname) variables.

set directory = boolean

Default: NO

Allowable values: YES, NO

Allows DEC Pathworks client to use the set dir command.

[global] shared file entries = number

Default: 113

Allowable values: number

Obsolete; do not use.

shared mem size = bytes

Default: 102400

Allowable values: size in bytes

If compiled with FAST_SHARE_MODES (mmap), sets the shared memory size in bytes. Avoid changing.

[global] smb passwd file = path

Default: /usr/local/samba/private/smbpasswd

Allowable values: Unix pathname

Overrides compiled-in path to password file if encrypted passwords = yes.

[global] smbrun = /absolute_ path/command

Default: compiled-in value

Allowable values: smbrun command

Overrides compiled-in path to smbrun binary. Avoid changing.

share modes = boolean

Default: YES

Allowable values: YES, NO

If set to YES, this option supports Windows-style whole-file (deny mode) locks.

short preserve case = boolean

Default: NO

Allowable values: YES, NO

If set to YES, leaves mangled 8.3-style filenames in the case sent by client. If no, it forces the case to that specified by the default case option. See also preserve case.

[global] socket address = IP address

Default: NULL

Allowable values: IP address

Sets address on which to listen for connections. Default is to listen to all addresses. Used to support multiple virtual interfaces on one server. Highly discouraged.

[global] socket options = socket option list

Default: NULL

Allowable values: list

Sets OS-specific socket options. SO_KEEPALIVE has TCP check clients every 4 hours to see if they are still accessible. TCP_NODELAY sends even tiny packets to keep delay low. Recommended wherever the operating system supports them. See Appendix B, Samba Performance Tuning, for more information.

[global] source environment = string

Default: NULL

Allowable values: pathname

This pathname parameter causes Samba to read a list of environment variables from a named file on startup. This can be useful in setting up Samba in a clustered environment. This is new in 2.0.7.

The file must be owned by root and not be world writable, and if the filename begins with a "|" (pipe) character, it must point to a command which is neither world writable nor resides in a world writable directory.

The data should be in the form of lines such as SAMBA_NETBIOS_NAME=myhostname. This variable will then be available in the smb.conf files as $%SAMBA_NETBIOS_NAME.

[global] status = boolean

Default: YES

Allowable values: YES, NO

If YES, logs connections to a file (or shared memory) accessible to smbstatus.

strict sync = boolean

Default: NO

Allowable values: YES, NO

If set to YES, Samba will synchronize to disk whenever the client sets the sync bit in a packet. If set to NO, Samba flushes data to disk whenever buffers fill. Defaults to NO because Windows 98 Explorer sets the bit (incorrectly) in all packets. Introduced in Samba 1.9.18p10.

strict locking = boolean

Default: NO

Allowable values: YES, NO

If set to YES, Samba checks locks on every access, not just on demand and at open time. Not recommended.

[global] strip dot = boolean

Default: NO

Allowable values: YES, NO

Removes trailing dots from filenames. Use mangled map instead.

[global] syslog = number

Default: 1

Allowable values: number

Sets number of Samba log messages to send to syslog. Higher is more verbose. The syslog.conf file must have suitable logging enabled.

[global] syslog only = boolean

Default: NO

Allowable values: YES, NO

If set to YES, log only to syslog, not standard Samba log files.

sync always = boolean

Default: NO

Allowable values: YES, NO

If set to YES, Samba calls fsync(3) after every write. Avoid except for debugging crashing servers.

[global] time offset = minutes

Default: 0

Allowable values: minutes

Sets number of minutes to add to system time zone calculation. Provided to fix a client daylight-savings bug; not recommended.

[global] time server = boolean

Default: NO

Allowable values: YES, NO

If YES, nmbd will provide time service to its clients.

unix password sync = boolean

Default: NO

Allowable values: YES, NO

If set, will attempt to change the user's Unix password whenever the user changes his or her SMB password. Used to ease synchronization of Unix and Microsoft password databases. Added in Samba 1.9.18p4. See also passwd chat.

unix realname = boolean

Default: NO

Allowable values: YES, NO

If set, will provide the GCOS field of /etc/passwd to the client as the user's full name.

update encrypted = boolean

Default: NO

Allowable values: YES, NO

Updates the Microsoft-format password file when a user logs in with unencrypted passwords. Provided to ease conversion to encryped passwords for Windows 95/98 and NT. Added in Samba 1.9.18p5.

user = comma-separated list

Default: NULL

Allowable values: comma-separated list of user names

Synonym for username.

username = comma-separated list

Default: NULL

Allowable values: comma-separated list of user names

Sets a list of users to try to log in as for a share or shares with share-level security. Synonyms are user and users. Discouraged. Use NET USE \\server\share %user from the client instead.

username level = number

Default: 0

Allowable values: number

Number of uppercase letter permutations allowed to match Unix usernames. Workaround for Windows feature (single-case usernames). Use is discouraged.

[global] username map = pathname

Default: NULL

Allowable values: pathname

Names a file of Unix-to-Windows name pairs; used to map different spellings of account names and those Windows usernames longer than eight characters.

[global] utmp = boolean

Default: NO

Allowable values: YES, NO

This is available if Samba has been configured with the option --with-utmp. If set, Samba will add utmp/utmpx records whenever a connection is made to a Samba server. New in 2.0.7, sites may use this to record the user connecting to a Samba share.

[global] utmp directory = string

Default: NULL

Allowable values: pathname

This is available if Samba has been configured with the option --with-utmp. If it and utmp are set, Samba will look in the specified directory insteqad of the default system directory for utmp/utmpx files. New in 2.0.7, also called utmp dir.

write cache size = decimal number

Default: 0 (Disabled)

Allowable values: decimal number of bytes

Sets the size of a write buffer that Samba uses to pre-accumulate write into, so as to write with a particular size that's optimal for a given filesystem. Typically this is used with RAID drives, which have a preferred write size, systems with large memory and slow disks, etc.

As of Samba 2.0.7, this applies to the first 10 oplocked files, which are also found in shares where this option is set.

write ok = boolean

Default: YES

Allowable values: YES, NO

Synonym of the writable configuration option.

[global] write raw = boolean

Default: YES

Allowable values: YES, NO

Allows fast streaming writes over TCP, using 64KB buffers. Recommended.

Glossary of Configuration Values

Address list: A space-separated list of IP addresses in ###.###.###.### format.
Comma-separated list: A list of items separated by commas.
Command: A Unix command, with full path and parameters.
Host list: A space-separated list of hosts. Allows IP addresses, address masks, domain names, ALL, and EXCEPT
Interface list: A space-separated list of interfaces, in either address/netmask or address/n-bits format. For example, 192.168.2.10/24 or 192.168.2.10/255.255.255.0
Map list: A space-separated list of file-remapping strings such as (*.html *.htm).
Remote list: A space-separated list of subnet-broadcast-address/workgroup pairs. For example, 192.168.2.255/SERVERS 192.168.4.255/STAFF.
Service (share) list: A space-separated list of share names, without the enclosing square brackets.
Slash-list: A list of filenames, separated by "/" characters to allow embedded spaces. For example, /.*/fred flintstone/*.frk/.
Text: One line of text.
User list: A space-separated list of usernames. In Samba 1.9, @group-name will include everyone in Unix group group-name. In Samba 2.0, @group-name includes whomever is in the NIS netgroup group_name if one exists, otherwise whomever is in the Unix group group_name. In addition, +group_name is a Unix group, &group_name is an NIS netgroup, and &+ and +& cause an ordered search of both Unix and NIS groups.

Configuration File Variables

Table C.1 lists of Samba configuration file variables.

Table C.1: Variables in Alphabetic Order
Name	Meaning
`%a`	Client's architecture (one of Samba, WfWg, WinNT, Win95, or UNKNOWN)
`%d`	Current server process's processID
`%f`	Print-spool file as a relative path (printing only)
`%f`	User from which a message was sent (messages only)
`%G`	Primary group name of `%U` (requested username)
`%g`	Primary group name of `%u` (actual username)
`%H`	Home directory of `%u` (actual username)
`%h`	Samba server's (Internet) hostname
`%I`	Client's IP address
`%j`	Print job number (printing only)
`%L`	Samba server's NetBIOS name (virtual servers have multiple names)
`%M`	Client's (Internet) hostname
`%m`	Client's NetBIOS name
`%n`	New password (password change only)
`%N`	Name of the NIS home directory server (without NIS, same as `%L`)
`%o`	Old password (password change only)
`%P`	Current share's root directory (actual)
`%p`	Current share's root directory (in an NIS homedir map)
`%p`	Print filename (printing only)
`%R`	Protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)
`%S`	Current share's name
`%s`	Filename the message is in (messages only)
`%s`	Print-spool file name (printing only)
`%T`	Current date and time
`%t`	Destination machine (messages only)
`%u`	Current share's username
`%U`	Requested username for current share
`%v`	Samba version


B.3 Sizing Samba Servers		D. Summary of Samba Daemons and Commands

Using Samba

C. Samba Configuration Option Quick Reference

Glossary of Configuration Values

Configuration File Variables