.\" This manpage has been automatically generated by docbook2man
.\" from a DocBook document. This tool can be found at:
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMB.CONF" "5" "15 January 2003" "" ""
smb.conf \- The configuration file for the Samba suite
The \fIsmb.conf\fR file is a configuration
file for the Samba suite. \fIsmb.conf\fR contains
runtime configuration information for the Samba programs. The
\fIsmb.conf\fR file is designed to be configured and
administered by the \fBswat(8)\fR
program. The complete description of the file format and
possible parameters held within are here for reference purposes.
The file consists of sections and parameters. A section
begins with the name of the section in square brackets and continues
until the next section begins. Sections contain parameters of the
The file is line-based - that is, each newline-terminated
line represents either a comment, a section name or a parameter.
Section and parameter names are not case sensitive.
Only the first equals sign in a parameter is significant.
Whitespace before or after the first equals sign is discarded.
Leading, trailing and internal whitespace in section and parameter
names is irrelevant. Leading and trailing whitespace in a parameter
value is discarded. Internal whitespace within a parameter value
Any line beginning with a semicolon (';') or a hash ('#')
character is ignored, as are lines containing only whitespace.
Any line ending in a '\\' is continued
on the next line in the customary UNIX fashion.
The values following the equals sign in parameters are all
either a string (no quotes needed) or a boolean, which may be given
as yes/no, 0/1 or true/false. Case is not significant in boolean
values, but is preserved in string values. Some items such as
create modes are numeric.
.SH "SECTION DESCRIPTIONS"
Each section in the configuration file (except for the
[global] section) describes a shared resource (known
as a "share"). The section name is the name of the
shared resource and the parameters within the section define
the share's attributes.
There are three special sections, [global],
[homes] and [printers], which are
described under \fBspecial sections\fR. The
following notes apply to ordinary section descriptions.
A share consists of a directory to which access is being
given plus a description of the access rights which are granted
to the user of the service. Some housekeeping options are
Sections are either file share services (used by the
client as an extension of their native file systems) or
printable services (used by the client to access print services
on the host running the server).
Sections may be designated \fBguest\fR services,
in which case no password is required to access them. A specified
UNIX \fBguest account\fR is used to define access
privileges in this case.
Sections other than guest services will require a password
to access them. The client provides the username. As older clients
only provide passwords and not usernames, you may specify a list
of usernames to check against the password using the "user ="
option in the share definition. For modern clients such as
Windows 95/98/ME/NT/2000, this should not be necessary.
Note that the access rights granted by the server are
masked by the access rights granted to the specified or guest
UNIX user by the host system. The server does not grant more
access than the host system grants.
The following sample section defines a file space share.
The user has write access to the path \fI/home/bar\fR.
The share is accessed via the share name "foo":
The following sample section defines a printable share.
The share is readonly, but printable. That is, the only write
access permitted is via calls to open, write to and close a
spool file. The \fBguest ok\fR parameter means
access will be permitted as the default guest user (specified
path = /usr/spool/public
.SH "SPECIAL SECTIONS"
.SS "THE [GLOBAL] SECTION"
Parameters in this section apply to the server
as a whole, or are defaults for sections which do not
specifically define certain items. See the notes
under PARAMETERS for more information.
.SS "THE [HOMES] SECTION"
If a section called homes is included in the
configuration file, services connecting clients to their
home directories can be created on the fly by the server.
When the connection request is made, the existing
sections are scanned. If a match is found, it is used. If no
match is found, the requested section name is treated as a
user name and looked up in the local password file. If the
name exists and the correct password has been given, a share is
created by cloning the [homes] section.
Some modifications are then made to the newly
The share name is changed from homes to
the located username.
If no path was given, the path is set to
the user's home directory.
If you decide to use a \fBpath =\fR line
in your [homes] section then you may find it useful
to use the %S macro. For example:
\fBpath = /data/pchome/%S\fR
would be useful if you have different home directories
for your PCs than for UNIX access.
This is a fast and simple way to give a large number
of clients access to their home directories with a minimum
A similar process occurs if the requested section
name is "homes", except that the share name is not
changed to that of the requesting user. This method of using
the [homes] section works well if different users share
The [homes] section can specify all the parameters
a normal service section can specify, though some make more sense
than others. The following is a typical and suitable [homes]
An important point is that if guest access is specified
in the [homes] section, all home directories will be
visible to all clients \fBwithout a password\fR.
In the very unlikely event that this is actually desirable, it
would be wise to also specify \fBread only
Note that the \fBbrowseable\fR flag for
auto home directories will be inherited from the global browseable
flag, not the [homes] browseable flag. This is useful as
it means setting \fBbrowseable = no\fR in
the [homes] section will hide the [homes] share but make
any auto home directories visible.
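The file-format rules given earlier and the guest-access warning for [homes] can be checked mechanically. The following Python sketch is an added example, not part of Samba or of this manual page. Its function names, the constructed sample configuration and the assumed defaults (guest ok = no, read only = yes) are assumptions of the example.

```python
import re

TRUE_WORDS = {"yes", "1", "true"}
FALSE_WORDS = {"no", "0", "false"}
# Synonyms known to Samba: 'public' for 'guest ok'; 'writeable', 'writable'
# and 'write ok' are inverted synonyms for 'read only'.
SYNONYMS = {"public": "guestok"}
INVERTED = {"writeable": "readonly", "writable": "readonly", "writeok": "readonly"}


def norm(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value, default=None):
    """Booleans may be yes/no, 0/1 or true/false, in any case."""
    word = (value or "").strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return default


def canonical(name, value):
    """Fold synonyms onto one key so the last setting in a section wins."""
    key = norm(name)
    if key in INVERTED:
        flag = as_bool(value)
        if flag is not None:
            value = "no" if flag else "yes"
        return INVERTED[key], value
    return SYNONYMS.get(key, key), value


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for the line-based format."""
    conf, current, pending = {}, None, None
    for raw in text.splitlines():
        # Comment lines are dropped unless we are inside a continued line.
        if pending is None and raw.lstrip()[:1] in (";", "#"):
            continue
        line = (pending or "") + raw
        pending = None
        if line.endswith("\\"):  # continued on the next line
            pending = line[:-1]
            continue
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            # Only the first '=' is significant; the value is trimmed at
            # both ends and its internal whitespace is kept.
            name, value = line.split("=", 1)
            key, value = canonical(name, value.strip())
            conf[current][key] = value
        # Anything else, including lines before the first section header,
        # is skipped in this sketch.
    return conf


def effective(conf, section, key):
    """A share inherits from [global] whatever it does not set itself."""
    for scope in (section, "global"):
        if key in conf.get(scope, {}):
            return conf[scope][key]
    return None


def audit_homes(conf):
    """Flag guest access on [homes], and again if it is also writable."""
    findings = []
    if "homes" not in conf:
        return findings
    # Assumed defaults when unset everywhere: guest ok = no, read only = yes.
    guest = as_bool(effective(conf, "homes", "guestok"), False)
    read_only = as_bool(effective(conf, "homes", "readonly"), True)
    if guest:
        findings.append("[homes] permits guest access: all home directories "
                        "are visible without a password")
        if not read_only:
            findings.append("[homes] is guest-accessible and writable: "
                            "set 'read only = yes'")
    return findings


# Constructed sample configuration (not from the page).
SAMPLE = r"""
# comment line
[global]
   comment = first = sign \
      only
[ Homes ]
   Guest OK = YES
   writeable = yes
   path = /data/pchome/%S
"""

if __name__ == "__main__":
    for finding in audit_homes(parse_smb_conf(SAMPLE)):
        print("WARNING:", finding)
```
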
.SS "THE [PRINTERS] SECTION"
This section works like [homes],
If a [printers] section occurs in the
configuration file, users are able to connect to any printer
specified in the local host's printcap file.
When a connection request is made, the existing sections
are scanned. If a match is found, it is used. If no match is found,
but a [homes] section exists, it is used as described
above. Otherwise, the requested section name is treated as a
printer name and the appropriate printcap file is scanned to see
if the requested section name is a valid printer share name. If
a match is found, a new printer share is created by cloning
the [printers] section.
A few modifications are then made to the newly created
The share name is set to the located printer
If no printer name was given, the printer name
is set to the located printer name
If the share does not permit guest access and
no username was given, the username is set to the located
Note that the [printers] service MUST be
printable - if you specify otherwise, the server will refuse
to load the configuration file.
Typically the path specified would be that of a
world-writeable spool directory with the sticky bit set on
it. A typical [printers] entry would look like
path = /usr/spool/public
All aliases given for a printer in the printcap file
are legitimate printer names as far as the server is concerned.
If your printing subsystem doesn't work like that, you will have
to set up a pseudo-printcap. This is a file consisting of one or
more lines like this:
alias|alias|alias|alias...
Each alias should be an acceptable printer name for
your printing subsystem. In the [global] section, specify
the new file as your printcap. The server will then only recognize
names found in your pseudo-printcap, which of course can contain
whatever aliases you like. The same technique could be used
simply to limit access to a subset of your local printers.
An alias, by the way, is defined as any component of the
first entry of a printcap record. Records are separated by newlines,
components (if there are more than one) are separated by vertical
NOTE: On SYSV systems which use lpstat to determine what
printers are defined on the system you may be able to use
"printcap name = lpstat" to automatically obtain a list
of printers. See the "printcap name" option
Parameters define the specific attributes of sections.
Some parameters are specific to the [global] section
(e.g., \fBsecurity\fR). Some parameters are usable
in all sections (e.g., \fBcreate mode\fR). All others
are permissible only in normal sections. For the purposes of the
following descriptions the [homes] and [printers]
sections will be considered normal. The letter \fBG\fR
in parentheses indicates that a parameter is specific to the
[global] section. The letter \fBS\fR
indicates that a parameter can be specified in a service specific
section. Note that all \fBS\fR parameters can also be specified in
the [global] section - in which case they will define
the default behavior for all services.
Parameters are arranged here in alphabetical order - this may
not create best bedfellows, but at least you can find them! Where
there are synonyms, the preferred synonym is described, others refer
to the preferred synonym.
.SH "VARIABLE SUBSTITUTIONS"
Many of the strings that are settable in the config file
can take substitutions. For example the option "path =
/tmp/%u" would be interpreted as "path =
/tmp/john" if the user connected with the username john.
These substitutions are mostly noted in the descriptions below,
but there are some general substitutions which apply whenever they
might be relevant. These are:
session user name (the user name that the client
wanted, not necessarily the same as the one they got).
primary group name of %U.
the Internet hostname that Samba is running
the NetBIOS name of the client machine
the NetBIOS name of the server. This allows you
to change your config based on what the client calls you. Your
server can have a "dual personality".
Note that this parameter is not available when Samba listens
on port 445, as clients no longer send this information
the Internet name of the client machine.
the selected protocol level after
protocol negotiation. It can be one of CORE, COREPLUS,
LANMAN1, LANMAN2 or NT1.
The process id of the current server
the architecture of the remote
machine. Only some are recognized, and those may not be
100% reliable. It currently recognizes Samba, WfWg, Win95,
WinNT and Win2k. Anything else will be known as
"UNKNOWN". If it gets it wrong then sending a level
3 log to samba@samba.org
<URL:mailto:samba@samba.org> should allow it to be fixed.
The IP address of the client machine.
the current date and time.
Name of the domain or workgroup of the current user.
\fB%$(\fIenvvar\fB)\fR
The value of the environment variable
The following substitutions apply only to some configuration options (only those
that are used when a connection has been established):
the name of the current service, if any.
the root directory of the current service,
user name of the current service, if any.
primary group name of %u.
the home directory of the user given
the name of your NIS home directory server.
This is obtained from your NIS auto.map entry. If you have
not compiled Samba with the \fB--with-automount\fR
option then this value will be the same as %L.
the path of the service's home directory,
obtained from your NIS auto.map entry. The NIS auto.map entry
is split up as "%N:%p".
There are some quite creative things that can be done
with these substitutions and other smb.conf options.
Samba supports "name mangling" so that DOS and
Windows clients can use files that don't conform to the 8.3 format.
It can also be set to adjust the case of 8.3 format filenames.
There are several options that control the way mangling is
performed, and they are grouped here rather than listed separately.
For the defaults look at the output of the testparm program.
All of these options can be set separately for each service
(or globally, of course).
\fBmangle case = yes/no\fR
controls if names that have characters that
aren't of the "default" case are mangled. For example,
if this is yes then a name like "Mail" would be mangled.
\fBcase sensitive = yes/no\fR
controls whether filenames are case sensitive. If
they aren't then Samba must do a filename search and match on passed
names. Default \fBno\fR.
\fBdefault case = upper/lower\fR
controls what the default case is for new
filenames. Default \fBlower\fR.
\fBpreserve case = yes/no\fR
controls if new files are created with the
case that the client passes, or if they are forced to be the
"default" case. Default \fByes\fR.
\fBshort preserve case = yes/no\fR
controls if new files which conform to 8.3 syntax,
that is all in upper case and of suitable length, are created
upper case, or if they are forced to be the "default"
case. This option can be used with "preserve case = yes"
to permit long filenames to retain their case, while short names
are lowercased. Default \fByes\fR.
By default, Samba 3.0 has the same semantics as a Windows
NT server, in that it is case insensitive but case preserving.
.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
There are a number of ways in which a user can connect
to a service. The server uses the following steps in determining
if it will allow a connection to a specified service. If all the
steps fail, then the connection request is rejected. However, if one of the
steps succeeds, then the following steps are not checked.
If the service is marked "guest only = yes" and the
server is running with share-level security ("security = share")
then steps 1 to 5 are skipped.
If the client has passed a username/password
pair and that username/password pair is validated by the UNIX
system's password programs then the connection is made as that
username. Note that this includes the
\\\\server\\service%\fIusername\fR method of passing
If the client has previously registered a username
with the system and now supplies a correct password for that
username then the connection is allowed.
The client's NetBIOS name and any previously
used user names are checked against the supplied password, if
they match then the connection is allowed as the corresponding
If the client has previously validated a
username/password pair with the server and the client has passed
the validation token then that username is used.
If a "user = " field is given in the
\fIsmb.conf\fR file for the service and the client
has supplied a password, and that password matches (according to
the UNIX system's password checking) with one of the usernames
from the "user =" field then the connection is made as
the username in the "user =" line. If one
of the usernames in the "user =" list begins with a
\&'@' then that name expands to a list of names in
the group of the same name.
If the service is a guest service then a
connection is made as the username given in the "guest
account =" for the service, irrespective of the
.SH "COMPLETE LIST OF GLOBAL PARAMETERS"
Here is a list of all global parameters. See the section of
each parameter for details. Note that some are synonyms.
\fIabort shutdown script\fR
\fIadd group script\fR
\fIaddprinter command\fR
\fIadd share command\fR
\fIadd user script\fR
\fIadd user to group script\fR
\fIadd machine script\fR
\fIdelete group script\fR
\fIalgorithmic rid base\fR
\fIallow trusted domains\fR
\fIannounce version\fR
\fIbind interfaces only\fR
\fIchange notify timeout\fR
\fIchange share command\fR
\fIdebug hires timestamp\fR
\fIdebug timestamp\fR
\fIdefault service\fR
\fIdeleteprinter command\fR
\fIdelete share command\fR
\fIdelete user script\fR
\fIdelete user from group script\fR
\fIdisable netbios\fR
\fIdisable spoolss\fR
\fIdisplay charset\fR
\fIencrypt passwords\fR
\fIenhanced browsing\fR
\fIenumports command\fR
\fIhide local users\fR
\fIhide unreadable\fR
\fIhide unwriteable files\fR
\fIhide special files\fR
\fIhostname lookups\fR
\fIlarge readwrite\fR
\fIldap user suffix\fR
\fIldap machine suffix\fR
\fIldap passwd sync\fR
\fIlock spin count\fR
\fImachine password timeout\fR
\fImax smbd processes\fR
\fImessage command\fR
\fImin passwd length\fR
\fImin password length\fR
\fIname cache timeout\fR
\fIname resolve order\fR
\fInetbios aliases\fR
\fInon unix account range\fR
\fInt pipe support\fR
\fInt status support\fR
\fIobey pam restrictions\fR
\fIoplock break wait time\fR
\fIpam password change\fR
\fIparanoid server security\fR
\fIpasswd chat debug\fR
\fIpassword server\fR
\fIprefered master\fR
\fIpreferred master\fR
\fIprinter driver file\fR
\fIremote announce\fR
\fIremote browse sync\fR
\fIrestrict anonymous\fR
\fIshow add printer wizard\fR
\fIshutdown script\fR
\fIsmb passwd file\fR
\fIsource environment\fR
\fIstat cache size\fR
\fItemplate homedir\fR
\fItotal print jobs\fR
\fIunix extensions\fR
\fIunix password sync\fR
\fIupdate encrypted\fR
\fIusername level\fR
\fIutmp directory\fR
\fIwtmp directory\fR
\fIwinbind cache time\fR
\fIwinbind enum users\fR
\fIwinbind enum groups\fR
\fIwinbind separator\fR
\fIwinbind use default domain\fR
.SH "COMPLETE LIST OF SERVICE PARAMETERS"
Here is a list of all service parameters. See the section on
each parameter for details. Note that some are synonyms.
\fIblocking locks\fR
\fIcase sensitive\fR
\fIdefault devmode\fR
\fIdelete readonly\fR
\fIdelete veto files\fR
\fIdirectory mask\fR
\fIdirectory mode\fR
\fIdirectory security mask\fR
\fIdos filetime resolution\fR
\fIfake directory create times\fR
\fIfollow symlinks\fR
\fIforce create mode\fR
\fIforce directory mode\fR
\fIforce directory security mode\fR
\fIforce security mode\fR
\fIhide dot files\fR
\fIinherit permissions\fR
\fIlevel2 oplocks\fR
\fIlppause command\fR
\fIlpresume command\fR
\fImangling method\fR
\fImax connections\fR
\fImax print jobs\fR
\fImin print space\fR
\fInt acl support\fR
\fIoplock contention limit\fR
\fIprinter driver\fR
\fIprinter driver location\fR
\fIqueuepause command\fR
\fIqueueresume command\fR
\fIroot preexec close\fR
\fIshort preserve case\fR
\fIstrict allocate\fR
\fIstrict locking\fR
\fIuse client driver\fR
\fIveto oplock files\fR
\fIwrite cache size\fR
.SH "EXPLANATION OF EACH PARAMETER"
\fBabort shutdown script (G)\fR
\fBThis parameter only exists in the HEAD cvs branch\fR
This is a full path name to a script called by
should stop a shutdown procedure issued by the \fIshutdown script\fR.
This command will be run as user.
Default: \fBNone\fR.
Example: \fBabort shutdown script = /sbin/shutdown -c\fR
\fBaddprinter command (G)\fR
With the introduction of MS-RPC based printing
support for Windows NT/2000 clients in Samba 2.2, the MS Add
Printer Wizard (APW) icon is now also available in the
"Printers..." folder displayed in a share listing. The APW
allows for printers to be added remotely to a Samba or Windows
NT/2000 print server.
For a Samba host this means that the printer must be
physically added to the underlying printing system. The \fIadd
printer command\fR defines a script to be run which
will perform the necessary operations for adding the printer
to the print system and to add the appropriate service definition
to the \fIsmb.conf\fR file in order that it can be
shared by \fBsmbd(8)\fR
The \fIaddprinter command\fR is
automatically invoked with the following parameter (in
\fIWindows 9x driver location\fR
All parameters are filled in from the PRINTER_INFO_2 structure sent
by the Windows NT/2000 client with one exception. The "Windows 9x
driver location" parameter is included for backwards compatibility
only. The remaining fields in the structure are generated from answers
to the APW questions.
Once the \fIaddprinter command\fR has
been executed, \fBsmbd\fR will reparse the \fIsmb.conf\fR to determine if the share defined by the APW
exists. If the sharename is still invalid, then \fBsmbd
\fR will return an ACCESS_DENIED error to the client.
See also \fIdeleteprinter command\fR, \fIprinting\fR,
Example: \fBaddprinter command = /usr/bin/addprinter
\fBadd share command (G)\fR
Samba 2.2.0 introduced the ability to dynamically
add and delete shares via the Windows NT 4.0 Server Manager. The
\fIadd share command\fR is used to define an
external program or script which will add a new service definition
to \fIsmb.conf\fR. In order to successfully
execute the \fIadd share command\fR, \fBsmbd\fR
requires that the administrator be connected using a root account (i.e.
When executed, \fBsmbd\fR will automatically invoke the
\fIadd share command\fR with four parameters.
\fIconfigFile\fR - the location
of the global \fIsmb.conf\fR file.
\fIshareName\fR - the name of the new
\fIpathName\fR - path to an **existing**
\fIcomment\fR - comment string to associate
This parameter is only used for add file shares. To add printer shares,
see the \fIaddprinter
See also \fIchange share
command\fR, \fIdelete share
Example: \fBadd share command = /usr/local/bin/addshare\fR
\fBadd machine script (G)\fR
This is the full pathname to a script that will
be run by smbd(8) when a machine is added
to its domain using the administrator username and password method.
This option is only required when using sam back-ends tied to the
Unix uid method of RID calculation such as smbpasswd. This option is only
available in Samba 3.0.
Default: \fBadd machine script = <empty string>
Example: \fBadd machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
\fBads server (G)\fR
If this option is specified, Samba does
not try to figure out what ads server to use itself, but
uses the specified ads server. Either one DNS name or IP
address can be used.
Default: \fBads server = \fR
Example: \fBads server = 192.168.1.2\fR
\fBadd user script (G)\fR
This is the full pathname to a script that will
be run \fBAS ROOT\fR by smbd(8)
under special circumstances described below.
Normally, a Samba server requires that UNIX users are
created for all users accessing files on this server. For sites
that use Windows NT account databases as their primary user database
creating these users and keeping the user list in sync with the
Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users
\fBON DEMAND\fR when a user accesses the Samba server.
In order to use this option, smbd
must \fBNOT\fR be set to \fIsecurity = share\fR
and \fIadd user script\fR
must be set to a full pathname for a script that will create a UNIX
user given one argument of \fI%u\fR, which expands into
the UNIX user name to create.
When the Windows user attempts to access the Samba server,
at login (session setup in the SMB protocol) time, smbd contacts the \fIpassword server\fR and
attempts to authenticate the given user with the given password. If the
authentication succeeds then \fBsmbd\fR
attempts to find a UNIX user in the UNIX password database to map the
Windows user into. If this lookup fails, and \fIadd user script
\fR is set then \fBsmbd\fR will
call the specified script \fBAS ROOT\fR, expanding
any \fI%u\fR argument to be the user name to create.
If this script successfully creates the user then \fBsmbd
\fR will continue on as though the UNIX user
already existed. In this way, UNIX users are dynamically created to
match existing Windows NT accounts.
See also \fIsecurity\fR, \fIpassword server\fR,
Default: \fBadd user script = <empty string>
Example: \fBadd user script = /usr/local/samba/bin/add_user
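Because smbd expands %u into a command that runs as root, the script named in add user script should treat its single argument as untrusted input. The following wrapper is an added example, not Samba's code and not the add_user script named above. The username pattern, the useradd path and its flags (shadow-utils) are assumptions of the example.

```python
#!/usr/bin/env python3
"""Hypothetical wrapper for: add user script = <path to this file> %u"""
import pwd
import re
import subprocess
import sys

# Assumed local policy: lower-case POSIX-style login names, at most 32
# characters, never starting with '-' or a digit.
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
USERADD = "/usr/sbin/useradd"  # assumed location (shadow-utils)


def is_safe_username(name):
    """Accept only names that match the whole pattern."""
    return SAFE_NAME.fullmatch(name) is not None


def account_exists(name):
    """True if the UNIX password database already has this user."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def build_useradd_argv(name):
    """Return an argv list; no shell is involved, so nothing is re-parsed."""
    if not is_safe_username(name):
        raise ValueError("refusing to create account for %r" % (name,))
    # -M: no home directory, -s: no login shell, '--': end of options.
    return [USERADD, "-M", "-s", "/bin/false", "--", name]


def main(argv):
    if len(argv) != 2:
        print("usage: add_user USERNAME", file=sys.stderr)
        return 2
    try:
        cmd = build_useradd_argv(argv[1])
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 1
    if account_exists(argv[1]):
        return 0  # nothing to do; smbd can map the user already
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
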
\fBadd group script (G)\fR
This is the full pathname to a script that will
be run \fBAS ROOT\fR by smbd(8) when a new group is
requested. It will expand any
\fI%g\fR to the group name passed.
This script is only useful for installations using the
Windows NT domain administration tools. The script is
free to create a group with an arbitrary name to
circumvent unix group name restrictions. In that case
the script must print the numeric gid of the created
\fBadmin users (S)\fR
This is a list of users who will be granted
administrative privileges on the share. This means that they
will do all file operations as the super-user (root).
You should use this option very carefully, as any user in
this list will be able to do anything they like on the share,
irrespective of file permissions.
Default: \fBno admin users\fR
Example: \fBadmin users = jason\fR
\fBadd user to group script (G)\fR
Full path to the script that will be called when
a user is added to a group using the Windows NT domain administration
tools. It will be run by smbd(8)
\fBAS ROOT\fR. Any \fI%g\fR will be
replaced with the group name and any \fI%u\fR will
be replaced with the user name.
Default: \fBadd user to group script = \fR
Example: \fBadd user to group script = /usr/sbin/adduser %u %g\fR
\fBallow hosts (S)\fR
Synonym for \fIhosts allow\fR.
\fBalgorithmic rid base (G)\fR
This determines how Samba will use its
algorithmic mapping from uids/gid to the RIDs needed to construct
NT Security Identifiers.
Setting this option to a larger value could be useful to sites
transitioning from WinNT and Win2k, as existing user and
group rids would otherwise clash with system users etc.
All UIDs and GIDs must be able to be resolved into SIDs for
the correct operation of ACLs on the server. As such the algorithmic
mapping can't be 'turned off', but pushing it 'out of the way' should
resolve the issues. Users and groups can then be assigned 'low' RIDs
in arbitrary-rid supporting backends.
Default: \fBalgorithmic rid base = 1000\fR
Example: \fBalgorithmic rid base = 100000\fR
\fBallow trusted domains (G)\fR
This option only takes effect when the \fIsecurity\fR option is set to
If it is set to no, then attempts to connect to a resource from
a domain or workgroup other than the one which smbd is running
in will fail, even if that domain is trusted by the remote server
doing the authentication.
This is useful if you only want your Samba server to
serve resources to users in the domain it is a member of. As
an example, suppose that there are two domains DOMA and DOMB. DOMB
is trusted by DOMA, which contains the Samba server. Under normal
circumstances, a user with an account in DOMB can then access the
resources of a UNIX account with the same account name on the
Samba server even if they do not have an account in DOMA. This
can make implementing a security boundary difficult.
Default: \fBallow trusted domains = yes\fR
\fBannounce as (G)\fR
This specifies what type of server
will announce itself as, to a network neighborhood browse
list. By default this is set to Windows NT. The valid options
are: "NT Server" (which can also be written as "NT"),
"NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
Windows NT Workstation, Windows 95 and Windows for Workgroups
respectively. Do not change this parameter unless you have a
specific need to stop Samba appearing as an NT server as this
may prevent Samba servers from participating as browser servers
Default: \fBannounce as = NT Server\fR
Example: \fBannounce as = Win95\fR
\fBannounce version (G)\fR
This specifies the major and minor version numbers
that nmbd will use when announcing itself as a server. The default
is 4.9. Do not change this parameter unless you have a specific
need to set a Samba server to be a downlevel server.
Default: \fBannounce version = 4.9\fR
Example: \fBannounce version = 2.0\fR
\fBauto services (G)\fR
This is a synonym for the \fIpreload\fR.
\fBauth methods (G)\fR
This option allows the administrator to choose what
authentication methods \fBsmbd\fR will use when authenticating
a user. This option defaults to sensible values based on \fIsecurity\fR.
Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
be able to complete the authentication.
Default: \fBauth methods = <empty string>\fR
Example: \fBauth methods = guest sam ntdomain\fR
This parameter lets you "turn off" a service. If
\fIavailable = no\fR, then \fBALL\fR
attempts to connect to the service will fail. Such failures are
Default: \fBavailable = yes\fR
1761 \fBbind interfaces only (G)\fR
1762 This global parameter allows the Samba admin
1763 to limit what interfaces on a machine will serve SMB requests. It
1764 affects file service smbd(8) and
1765 name service nmbd(8) in slightly
1768 For name service it causes \fBnmbd\fR to bind
1769 to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd
1770 \fR also binds to the "all addresses" interface (0.0.0.0)
1771 on ports 137 and 138 for the purposes of reading broadcast messages.
1772 If this option is not set then \fBnmbd\fR will service
1773 name requests on all of these sockets. If \fIbind interfaces
1774 only\fR is set then \fBnmbd\fR will check the
1775 source address of any packets coming in on the broadcast sockets
1776 and discard any that don't match the broadcast addresses of the
1777 interfaces in the \fIinterfaces\fR parameter list.
1778 As unicast packets are received on the other sockets it allows
1779 \fBnmbd\fR to refuse to serve names to machines that
1780 send packets that arrive through any interfaces not listed in the
1781 \fIinterfaces\fR list. IP Source address spoofing
1782 does defeat this simple check, however, so it must not be used
1783 seriously as a security feature for \fBnmbd\fR.
1785 For file service it causes smbd(8)
1786 to bind only to the interface list given in the interfaces parameter. This restricts the networks that
1787 \fBsmbd\fR will serve to packets coming in those
1788 interfaces. Note that you should not use this parameter for machines
1789 that are serving PPP or other intermittent or non-broadcast network
1790 interfaces as it will not cope with non-permanent interfaces.
1792 If \fIbind interfaces only\fR is set then
1793 unless the network address \fB127.0.0.1\fR is added
1794 to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR
1795 and \fBswat(8)\fR may
1796 not work as expected due to the reasons covered below.
1798 To change a user's SMB password, the \fBsmbpasswd\fR
1799 by default connects to the \fBlocalhost - 127.0.0.1\fR
1800 address as an SMB client to issue the password change request. If
1801 \fIbind interfaces only\fR is set then unless the
1802 network address \fB127.0.0.1\fR is added to the
1803 \fIinterfaces\fR parameter list then \fBsmbpasswd\fR will fail to connect in its default mode.
1804 \fBsmbpasswd\fR can be forced to use the primary IP interface
1805 of the local host by using its \fI-r remote machine\fR
1806 parameter, with \fIremote machine\fR set
1807 to the IP name of the primary interface of the local host.
1809 The \fBswat\fR status page tries to connect with
1810 \fBsmbd\fR and \fBnmbd\fR at the address
1811 \fB127.0.0.1\fR to determine if they are running.
1812 Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show
1813 "not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR
1816 Default: \fBbind interfaces only = no\fR
1818 \fBblocking locks (S)\fR
1819 This parameter controls the behavior of smbd(8) when given a request by a client
1820 to obtain a byte range lock on a region of an open file, and the
1821 request has a time limit associated with it.
1823 If this parameter is set and the lock range requested
1824 cannot be immediately satisfied, samba will internally
1825 queue the lock request, and periodically attempt to obtain
1826 the lock until the timeout period expires.
1828 If this parameter is set to no, then
1829 samba will behave as previous versions of Samba would and
1830 will fail the lock request immediately if the lock range
1833 Default: \fBblocking locks = yes\fR
1835 \fBblock size (S)\fR
1836 This parameter controls the behavior of
1837 smbd(8) when reporting disk free
1838 sizes. By default, this reports a disk block size of 1024 bytes.
1840 Changing this parameter may have some effect on the
1841 efficiency of client writes, but this is not yet confirmed. This
1842 parameter was added to allow advanced administrators to change
1843 it (usually to a higher value) and test the effect it has on
1844 client write performance without re-compiling the code. As this
1845 is an experimental option it may be removed in a future release.
1847 Changing this option does not change the disk free reporting
1848 size, just the block size unit reported to the client.
1850 Default: \fBblock size = 1024\fR
1852 Example: \fBblock size = 65536\fR
1855 See the \fI browseable\fR.
1857 \fBbrowse list (G)\fR
1858 This controls whether \fBsmbd(8)\fR will serve a browse list to
1859 a client doing a \fBNetServerEnum\fR call. Normally
1860 set to yes. You should never need to change
1863 Default: \fBbrowse list = yes\fR
1865 \fBbrowseable (S)\fR
1866 This controls whether this share is seen in
1867 the list of available shares in a net view and in the browse list.
1869 Default: \fBbrowseable = yes\fR
1871 \fBcase sensitive (S)\fR
1872 See the discussion in the section NAME MANGLING.
1874 Default: \fBcase sensitive = no\fR
1876 \fBcasesignames (S)\fR
1880 \fBchange notify timeout (G)\fR
1881 This SMB allows a client to tell a server to
1882 "watch" a particular directory for any changes and only reply to
1883 the SMB request when a change has occurred. Such constant scanning of
1884 a directory is expensive under UNIX, hence an \fBsmbd(8)\fR daemon only performs such a scan
1885 on each requested directory once every \fIchange notify
1888 Default: \fBchange notify timeout = 60\fR
1890 Example: \fBchange notify timeout = 300\fR
1892 Would change the scan time to every 5 minutes.
1894 \fBchange share command (G)\fR
1895 Samba 2.2.0 introduced the ability to dynamically
1896 add and delete shares via the Windows NT 4.0 Server Manager. The
1897 \fIchange share command\fR is used to define an
1898 external program or script which will modify an existing service definition
1899 in \fIsmb.conf\fR. In order to successfully
1900 execute the \fIchange share command\fR, \fBsmbd\fR
1901 requires that the administrator be connected using a root account (i.e.
1904 When executed, \fBsmbd\fR will automatically invoke the
1905 \fIchange share command\fR with four parameters.
1909 \fIconfigFile\fR - the location
1910 of the global \fIsmb.conf\fR file.
1913 \fIshareName\fR - the name of the new
1917 \fIpathName\fR - path to an **existing**
1921 \fIcomment\fR - comment string to associate
1925 This parameter is only used to modify existing file share definitions. To modify
1926 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1928 See also \fIadd share
1929 command\fR, \fIdelete
1934 Example: \fBchange share command = /usr/local/bin/addshare\fR
1937 This is a text field that is seen next to a share
1938 when a client queries the server, either via the network
1939 neighborhood or via \fBnet view\fR to list what shares
1942 If you want to set the string that is displayed next to the
1943 machine name then see the \fI server string\fR parameter.
1945 Default: \fBNo comment string\fR
1947 Example: \fBcomment = Fred's Files\fR
1949 \fBconfig file (G)\fR
1950 This allows you to override the config file
1951 to use, instead of the default (usually \fIsmb.conf\fR).
1952 There is a chicken and egg problem here as this option is set
1955 For this reason, if the name of the config file has changed
1956 when the parameters are loaded then it will reload them from
1957 the new config file.
1959 This option takes the usual substitutions, which can
1962 If the config file doesn't exist then it won't be loaded
1963 (allowing you to special case the config files of just a few
1966 Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m
1970 This parameter allows you to "clone" service
1971 entries. The specified service is simply duplicated under the
1972 current service's name. Any parameters specified in the current
1973 section will override those in the section being copied.
1975 This feature lets you set up a 'template' service and
1976 create similar services easily. Note that the service being
1977 copied must occur earlier in the configuration file than the
1978 service doing the copying.
1980 Default: \fBno value\fR
1982 Example: \fBcopy = otherservice\fR
1984 \fBcreate mask (S)\fR
1985 A synonym for this parameter is
1989 When a file is created, the necessary permissions are
1990 calculated according to the mapping from DOS modes to UNIX
1991 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
1992 with this parameter. This parameter may be thought of as a bit-wise
1993 MASK for the UNIX modes of a file. Any bit \fBnot\fR
1994 set here will be removed from the modes set on a file when it is
1997 The default value of this parameter removes the
1998 \&'group' and 'other' write and execute bits from the UNIX modes.
2000 Following this Samba will bit-wise 'OR' the UNIX mode created
2001 from this parameter with the value of the \fIforce create mode\fR
2002 parameter which is set to 000 by default.
2004 This parameter does not affect directory modes. See the
2005 parameter \fIdirectory mode
2008 See also the \fIforce
2009 create mode\fR parameter for forcing particular mode
2010 bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking
2011 mode bits on created directories. See also the \fIinherit permissions\fR parameter.
2013 Note that this parameter does not apply to permissions
2014 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2015 a mask on access control lists also, they need to set the \fIsecurity mask\fR.
2017 Default: \fBcreate mask = 0744\fR
2019 Example: \fBcreate mask = 0775\fR
2021 \fBcreate mode (S)\fR
2022 This is a synonym for \fI create mask\fR.
2024 \fBcsc policy (S)\fR
2025 This stands for \fBclient-side caching
2026 policy\fR, and specifies how clients capable of offline
2027 caching will cache the files in the share. The valid values
2028 are: manual, documents, programs, disable.
2030 These values correspond to those used on Windows
2033 For example, shares containing roaming profiles can have
2034 offline caching disabled using \fBcsc policy = disable
2037 Default: \fBcsc policy = manual\fR
2039 Example: \fBcsc policy = programs\fR
2042 The value of the parameter (a decimal integer)
2043 represents the number of minutes of inactivity before a connection
2044 is considered dead, and it is disconnected. The deadtime only takes
2045 effect if the number of open files is zero.
2047 This is useful to stop a server's resources being
2048 exhausted by a large number of inactive connections.
2050 Most clients have an auto-reconnect feature when a
2051 connection is broken so in most cases this parameter should be
2052 transparent to users.
2054 Using this parameter with a timeout of a few minutes
2055 is recommended for most systems.
2057 A deadtime of zero indicates that no auto-disconnection
2058 should be performed.
2060 Default: \fBdeadtime = 0\fR
2062 Example: \fBdeadtime = 15\fR
2064 \fBdebug hires timestamp (G)\fR
2065 Sometimes the timestamps in the log messages
2066 are needed with a resolution higher than seconds; this
2067 boolean parameter adds microsecond resolution to the timestamp
2068 message header when turned on.
2070 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2073 Default: \fBdebug hires timestamp = no\fR
2076 When using only one log file for more than one
2077 forked smbd process it may be hard to follow which process
2078 outputs which message. This boolean parameter adds the process-id
2079 to the timestamp message headers in the logfile when turned on.
2081 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2084 Default: \fBdebug pid = no\fR
2086 \fBdebug timestamp (G)\fR
2087 Samba debug log messages are timestamped
2088 by default. If you are running at a high \fIdebug level\fR these timestamps
2089 can be distracting. This boolean parameter allows timestamping
2092 Default: \fBdebug timestamp = yes\fR
2095 Samba is sometimes run as root and sometimes
2096 run as the connected user; this boolean parameter inserts the
2097 current euid, egid, uid and gid to the timestamp message headers
2098 in the log file if turned on.
2100 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2103 Default: \fBdebug uid = no\fR
2105 \fBdebuglevel (G)\fR
2106 Synonym for \fI log level\fR.
2109 A synonym for \fI default service\fR.
2111 \fBdefault case (S)\fR
2112 See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter.
2114 Default: \fBdefault case = lower\fR
2116 \fBdefault devmode (S)\fR
2117 This parameter is only applicable to printable services. When smbd is serving
2118 Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
2119 server has a Device Mode which defines things such as paper size and
2120 orientation and duplex settings. The device mode can only correctly be
2121 generated by the printer driver itself (which can only be executed on a
2122 Win32 platform). Because smbd is unable to execute the driver code
2123 to generate the device mode, the default behavior is to set this field
2126 Most problems with serving printer drivers to Windows NT/2k/XP clients
2127 can be traced to a problem with the generated device mode. Certain drivers
2128 will do things such as crashing the client's Explorer.exe with a NULL devmode.
2129 However, other printer drivers can cause the client's spooler service
2130 (spoolsv.exe) to die if the devmode was not created by the driver itself
2131 (i.e. smbd generates a default devmode).
2133 This parameter should be used with care and tested with the printer
2134 driver in question. It is better to leave the device mode to NULL
2135 and let the Windows client set the correct values. Because drivers do not
2136 do this all the time, setting \fBdefault devmode = yes\fR
2137 will instruct smbd to generate a default one.
2139 For more information on Windows NT/2k printing and Device Modes,
2140 see the MSDN documentation <URL:http://msdn.microsoft.com/>.
2142 Default: \fBdefault devmode = no\fR
2144 \fBdefault service (G)\fR
2145 This parameter specifies the name of a service
2146 which will be connected to if the service actually requested cannot
2147 be found. Note that the square brackets are \fBNOT\fR
2148 given in the parameter value (see example below).
2150 There is no default value for this parameter. If this
2151 parameter is not given, attempting to connect to a nonexistent
2152 service results in an error.
2154 Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service.
2156 Also note that the apparent service name will be changed
2157 to equal that of the requested service, this is very useful as it
2158 allows you to use macros like \fI%S\fR to make
2161 Note also that any "_" characters in the name of the service
2162 used in the default service will get mapped to a "/". This allows for
2170 default service = pub
2177 \fBdelete group script (G)\fR
2178 This is the full pathname to a script that will
2179 be run \fBAS ROOT\fR by smbd(8) when a group is requested to be deleted. It will expand any \fI%g\fR to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.
2181 \fBdeleteprinter command (G)\fR
2182 With the introduction of MS-RPC based printer
2183 support for Windows NT/2000 clients in Samba 2.2, it is now
2184 possible to delete a printer at run time by issuing the
2185 DeletePrinter() RPC call.
2187 For a Samba host this means that the printer must be
2188 physically deleted from the underlying printing system. The \fIdeleteprinter command\fR defines a script to be run which
2189 will perform the necessary operations for removing the printer
2190 from the print system and from \fIsmb.conf\fR.
2192 The \fIdeleteprinter command\fR is
2193 automatically called with only one parameter: \fI "printer name"\fR.
2195 Once the \fIdeleteprinter command\fR has
2196 been executed, \fBsmbd\fR will reparse the \fIsmb.conf\fR to check that the associated printer no longer exists.
2197 If the sharename is still valid, then \fBsmbd
2198 \fR will return an ACCESS_DENIED error to the client.
2200 See also \fI addprinter command\fR, \fIprinting\fR,
2206 Example: \fBdeleteprinter command = /usr/bin/removeprinter
2209 \fBdelete readonly (S)\fR
2210 This parameter allows readonly files to be deleted.
2211 This is not normal DOS semantics, but is allowed by UNIX.
2213 This option may be useful for running applications such
2214 as rcs, where UNIX file ownership prevents changing file
2215 permissions, and DOS semantics prevent deletion of a read only file.
2217 Default: \fBdelete readonly = no\fR
2219 \fBdelete share command (G)\fR
2220 Samba 2.2.0 introduced the ability to dynamically
2221 add and delete shares via the Windows NT 4.0 Server Manager. The
2222 \fIdelete share command\fR is used to define an
2223 external program or script which will remove an existing service
2224 definition from \fIsmb.conf\fR. In order to successfully
2225 execute the \fIdelete share command\fR, \fBsmbd\fR
2226 requires that the administrator be connected using a root account (i.e.
2229 When executed, \fBsmbd\fR will automatically invoke the
2230 \fIdelete share command\fR with two parameters.
2234 \fIconfigFile\fR - the location
2235 of the global \fIsmb.conf\fR file.
2238 \fIshareName\fR - the name of
2239 the existing service.
2242 This parameter is only used to remove file shares. To delete printer shares,
2243 see the \fIdeleteprinter
2246 See also \fIadd share
2247 command\fR, \fIchange
2252 Example: \fBdelete share command = /usr/local/bin/delshare\fR
2254 \fBdelete user script (G)\fR
2255 This is the full pathname to a script that will
2256 be run by \fBsmbd(8)\fR
2257 when managing users with remote RPC (NT) tools.
2259 This script is called when a remote client removes a user
2260 from the server, normally using 'User Manager for Domains' or
2263 This script should delete the given UNIX username.
2265 Default: \fBdelete user script = <empty string>
2268 Example: \fBdelete user script = /usr/local/samba/bin/del_user
2271 \fBdelete user from group script (G)\fR
2272 Full path to the script that will be called when
2273 a user is removed from a group using the Windows NT domain administration
2274 tools. It will be run by smbd(8)
2275 \fBAS ROOT\fR. Any \fI%g\fR will be
2276 replaced with the group name and any \fI%u\fR will
2277 be replaced with the user name.
2279 Default: \fBdelete user from group script = \fR
2281 Example: \fBdelete user from group script = /usr/sbin/deluser %u %g\fR
2283 \fBdelete veto files (S)\fR
2284 This option is used when Samba is attempting to
2285 delete a directory that contains one or more vetoed directories
2286 (see the \fIveto files\fR
2287 option). If this option is set to no (the default) then if a vetoed
2288 directory contains any non-vetoed files or directories then the
2289 directory delete will fail. This is usually what you want.
2291 If this option is set to yes, then Samba
2292 will attempt to recursively delete any files and directories within
2293 the vetoed directory. This can be useful for integration with file
2294 serving systems such as NetAtalk which create meta-files within
2295 directories you might normally veto DOS/Windows users from seeing
2296 (e.g. \fI.AppleDouble\fR)
2298 Setting \fBdelete veto files = yes\fR allows these
2299 directories to be transparently deleted when the parent directory
2300 is deleted (so long as the user has permissions to do so).
2302 See also the \fIveto
2305 Default: \fBdelete veto files = no\fR
2307 \fBdeny hosts (S)\fR
2308 Synonym for \fIhosts
2311 \fBdfree command (G)\fR
2312 The \fIdfree command\fR setting should
2313 only be used on systems where a problem occurs with the internal
2314 disk space calculations. This has been known to happen with Ultrix,
2315 but may occur with other operating systems. The symptom that was
2316 seen was an error of "Abort Retry Ignore" at the end of each
2319 This setting allows the replacement of the internal routines to
2320 calculate the total disk space and amount available with an external
2321 routine. The example below gives a possible script that might fulfill
2324 The external program will be passed a single parameter indicating
2325 a directory in the filesystem being queried. This will typically consist
2326 of the string \fI./\fR. The script should return two
2327 integers in ASCII. The first should be the total disk space in blocks,
2328 and the second should be the number of available blocks. An optional
2329 third return value can give the block size in bytes. The default
2330 blocksize is 1024 bytes.
2332 Note: Your script should \fBNOT\fR be setuid or
2333 setgid and should be owned by (and writeable only by) root!
2335 Default: \fBBy default internal routines for
2336 determining the disk capacity and remaining space will be used.
2339 Example: \fBdfree command = /usr/local/samba/bin/dfree
2342 Where the script dfree (which must be made executable) could be:
2348 df "$1" | tail -1 | awk '{print $2" "$4}'
2352 or perhaps (on Sys V based systems):
2358 /usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'
2362 Note that you may have to replace the command names
2363 with full path names on some systems.
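The ownership and permission rules in the note above can be checked mechanically before a script is wired into \fIsmb.conf\fR. The following Python check is an added example, not part of the Samba distribution: the names audit_hook_script and trusted_uid, the \fI#!/bin/sh\fR line and the containing-directory test are assumptions of this example, and the sample scripts are constructed in a temporary directory.

```python
import os
import shlex
import stat
import tempfile

# Constructed sample: the page's dfree one-liner; the "#!/bin/sh" line is assumed.
DFREE = """#!/bin/sh
df "$1" | tail -1 | awk '{print $2" "$4}'
"""


def audit_hook_script(command, trusted_uid=0):
    """List problems with the program named by an smb.conf hook command.

    `command` is the parameter value as written, e.g. "/usr/sbin/deluser %u %g";
    only its first word (the program itself) is inspected.
    """
    words = shlex.split(command)
    if not words:
        return ["empty command"]
    program = words[0]
    if not os.path.isabs(program):
        return ["not a full pathname"]
    try:
        st = os.stat(program)  # follows symlinks to the file that would run
        parent = os.stat(os.path.dirname(os.path.realpath(program)))
    except OSError as exc:
        return [f"cannot inspect: {exc.strerror}"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid or setgid bit is set")
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    # Assumption beyond the page: whoever can write to the directory can
    # replace the script, so the containing directory gets the same test.
    if parent.st_uid != trusted_uid or parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("containing directory is not restricted to the trusted owner")
    return problems


def demo():
    """Audit constructed scripts; the current user stands in for root."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as directory:  # created with mode 0700
        for name, mode in (("dfree", 0o755), ("dfree-suid", 0o4755),
                           ("dfree-loose", 0o777)):
            path = os.path.join(directory, name)
            with open(path, "w") as handle:
                handle.write(DFREE)
            os.chmod(path, mode)
            results[name] = audit_hook_script(shlex.quote(path), trusted_uid=me)
    results["relative"] = audit_hook_script("dfree", trusted_uid=me)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

On a real server, call audit_hook_script with the configured parameter value and leave trusted_uid at its default of 0 (root).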
2369 \fBdirectory mask (S)\fR
2370 This parameter is the octal modes which are
2371 used when converting DOS modes to UNIX modes when creating UNIX
2374 When a directory is created, the necessary permissions are
2375 calculated according to the mapping from DOS modes to UNIX permissions,
2376 and the resulting UNIX mode is then bit-wise 'AND'ed with this
2377 parameter. This parameter may be thought of as a bit-wise MASK for
2378 the UNIX modes of a directory. Any bit \fBnot\fR set
2379 here will be removed from the modes set on a directory when it is
2382 The default value of this parameter removes the 'group'
2383 and 'other' write bits from the UNIX mode, allowing only the
2384 user who owns the directory to modify it.
2386 Following this Samba will bit-wise 'OR' the UNIX mode
2387 created from this parameter with the value of the \fIforce directory mode
2388 \fR parameter. This parameter is set to 000 by
2389 default (i.e. no extra mode bits are added).
2391 Note that this parameter does not apply to permissions
2392 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2393 a mask on access control lists also, they need to set the \fIdirectory security mask\fR.
2396 directory mode\fR parameter to cause particular mode
2397 bits to always be set on created directories.
2399 See also the \fIcreate mode
2400 \fR parameter for masking mode bits on created files,
2401 and the \fIdirectory
2402 security mask\fR parameter.
2404 Also refer to the \fI inherit permissions\fR parameter.
2406 Default: \fBdirectory mask = 0755\fR
2408 Example: \fBdirectory mask = 0775\fR
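The mask arithmetic described for \fIcreate mask\fR and \fIdirectory mask\fR, as an added Python example (not Samba code): it parses a constructed smb.conf using the file-format rules at the top of this page, resolves \fIcopy\fR and the \fIcreate mode\fR / \fIdirectory mode\fR synonyms, and reports shares whose masks let 'other' write permission through. All function names are assumptions of this example, and the reported bound assumes the worst case in which the DOS-to-UNIX mapping sets every permission bit.

```python
import re

# Synonyms documented on this page, normalised (lower case, no whitespace).
SYNONYMS = {"createmode": "createmask", "directorymode": "directorymask"}
# Defaults stated on this page; both "force" parameters default to 000.
DEFAULTS = {"createmask": 0o744, "forcecreatemode": 0o000,
            "directorymask": 0o755, "forcedirectorymode": 0o000}

# Constructed sample configuration, not taken from a real server.
SAMPLE = r"""
[global]
   workgroup = EXAMPLE
[template]
   path = /srv/template
   Create Mask = 0777
   directory mode = 0775
[projects]
   create mask = 0764
   force create mode = 0002
   copy = template
[scratch]
   copy = template
   comment = inherits its masks \
             from the template
[docs]
   path = /srv/docs
"""


def key(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def parse(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):       # continued on the next line
            pending += raw.rstrip()[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    conf, current = {}, None
    for line in logical + [pending]:
        line = line.strip()
        if not line or line[0] in ";#":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = key(line[1:-1])
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            name = key(name)
            conf[current][SYNONYMS.get(name, name)] = value.strip()
    return conf


def resolve(conf, share):
    """Merge a share with the section it copies; the share's own values win."""
    own, merged = conf[share], {}
    if "copy" in own:
        source, order = key(own["copy"]), list(conf)
        if source not in conf or order.index(source) >= order.index(share):
            raise ValueError(f"[{share}] copies [{source}], which is not defined earlier")
        merged.update(resolve(conf, source))
    merged.update(own)
    return merged


def effective_mode(mapped, mask, force):
    """(mode from the DOS-to-UNIX mapping AND mask) OR force mode."""
    return (mapped & mask) | force


def mode_bounds(conf, share):
    """Largest (file, directory) modes if the DOS mapping sets every bit."""
    params = dict(DEFAULTS)
    # [global] values act as defaults; the resolved share overrides them.
    for layer in (conf.get("global", {}), resolve(conf, share)):
        for name in DEFAULTS.keys() & layer.keys():
            params[name] = int(layer[name], 8)
    return (effective_mode(0o777, params["createmask"], params["forcecreatemode"]),
            effective_mode(0o777, params["directorymask"], params["forcedirectorymode"]))


def world_writable_shares(text):
    """Map each share whose bounds include 'other' write to (file, dir) modes."""
    conf, findings = parse(text), {}
    for share in (name for name in conf if name != "global"):
        bounds = mode_bounds(conf, share)
        if (bounds[0] | bounds[1]) & 0o002:
            findings[share] = tuple(format(bound, "04o") for bound in bounds)
    return findings


if __name__ == "__main__":
    print(world_writable_shares(SAMPLE))
```

In the sample, [projects] narrows the copied mask to 0764 but its \fIforce create mode\fR of 0002 puts 'other' write back on every created file, which is why it is still reported.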
2410 \fBdirectory mode (S)\fR
2411 Synonym for \fI directory mask\fR
2413 \fBdirectory security mask (S)\fR
2414 This parameter controls what UNIX permission bits
2415 can be modified when a Windows NT client is manipulating the UNIX
2416 permission on a directory using the native NT security dialog
2419 This parameter is applied as a mask (AND'ed with) to
2420 the changed permission bits, thus preventing any bits not in
2421 this mask from being modified. Essentially, zero bits in this
2422 mask may be treated as a set of bits the user is not allowed
2425 If not set explicitly this parameter is set to 0777
2426 meaning a user is allowed to modify all the user/group/world
2427 permissions on a directory.
2429 \fBNote\fR that users who can access the
2430 Samba server through other means can easily bypass this restriction,
2431 so it is primarily useful for standalone "appliance" systems.
2432 Administrators of most normal systems will probably want to leave
2433 it as the default of 0777.
2435 See also the \fI force directory security mode\fR, \fIsecurity mask\fR,
2436 \fIforce security mode
2439 Default: \fBdirectory security mask = 0777\fR
2441 Example: \fBdirectory security mask = 0700\fR
2443 \fBdisable netbios (G)\fR
2444 Enabling this parameter will disable netbios support
2445 in Samba. Netbios is the only available form of browsing in
2446 all Windows versions except for 2000 and XP.
2448 Note that clients that only support netbios won't be able to
2449 see your samba server when netbios support is disabled.
2451 Default: \fBdisable netbios = no\fR
2453 Example: \fBdisable netbios = yes\fR
2455 \fBdisable spoolss (G)\fR
2456 Enabling this parameter will disable Samba's support
2457 for the SPOOLSS set of MS-RPC's and will yield identical behavior
2458 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
2459 Lanman style printing commands. Windows 9x/ME will be unaffected by
2460 the parameter. However, this will also disable the ability to upload
2461 printer drivers to a Samba server via the Windows NT Add Printer
2462 Wizard or by using the NT printer properties dialog window. It will
2463 also disable the capability of Windows NT/2000 clients to download
2464 print drivers from the Samba host upon demand.
2465 \fBBe very careful about enabling this parameter.\fR
2467 See also use client driver
2469 Default : \fBdisable spoolss = no\fR
2471 \fBdisplay charset (G)\fR
2472 Specifies the charset that samba will use
2473 to print messages to stdout and stderr, and that SWAT will use.
2474 Should generally be the same as the \fBunix charset\fR.
2476 Default: \fBdisplay charset = ASCII\fR
2478 Example: \fBdisplay charset = UTF8\fR
2481 Specifies that nmbd(8)
2482 when acting as a WINS server and finding that a NetBIOS name has not
2483 been registered, should treat the NetBIOS name word-for-word as a DNS
2484 name and do a lookup with the DNS server for that name on behalf of
2485 the name-querying client.
2487 Note that the maximum length for a NetBIOS name is 15
2488 characters, so the DNS name (or DNS alias) can likewise only be
2489 15 characters, maximum.
2491 \fBnmbd\fR spawns a second copy of itself to do the
2492 DNS name lookup requests, as doing a name lookup is a blocking
2495 See also the parameter \fI wins support\fR.
2497 Default: \fBdns proxy = yes\fR
2499 \fBdomain logons (G)\fR
2500 If set to yes, the Samba server will serve
2501 Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2
2502 has limited capability to act as a domain controller for Windows
2503 NT 4 Domains. For more details on setting up this feature see
2504 the Samba-PDC-HOWTO included in the \fIhtmldocs/\fR
2505 directory shipped with the source code.
2507 Default: \fBdomain logons = no\fR
2509 \fBdomain master (G)\fR
2510 Tell \fB nmbd(8)\fR to enable WAN-wide browse list
2511 collation. Setting this option causes \fBnmbd\fR to
2512 claim a special domain specific NetBIOS name that identifies
2513 it as a domain master browser for its given \fIworkgroup\fR. Local master browsers
2514 in the same \fIworkgroup\fR on broadcast-isolated
2515 subnets will give this \fBnmbd\fR their local browse lists,
2516 and then ask \fBsmbd(8)\fR
2517 for a complete copy of the browse list for the whole wide area
2518 network. Browser clients will then contact their local master browser,
2519 and will receive the domain-wide browse list, instead of just the list
2520 for their broadcast-isolated subnet.
2522 Note that Windows NT Primary Domain Controllers expect to be
2523 able to claim this \fIworkgroup\fR specific special
2524 NetBIOS name that identifies them as domain master browsers for
2525 that \fIworkgroup\fR by default (i.e. there is no
2526 way to prevent a Windows NT PDC from attempting to do this). This
2527 means that if this parameter is set and \fBnmbd\fR claims
2528 the special name for a \fIworkgroup\fR before a Windows
2529 NT PDC is able to do so then cross subnet browsing will behave
2530 strangely and may fail.
2532 If \fBdomain logons = yes\fR,
2533 then the default behavior is to enable the \fIdomain
2534 master\fR parameter. If \fIdomain logons\fR is
2535 not enabled (the default setting), then neither will \fIdomain
2536 master\fR be enabled by default.
2538 Default: \fBdomain master = auto\fR
2540 \fBdont descend (S)\fR
2541 There are certain directories on some systems
2542 (e.g., the \fI/proc\fR tree under Linux) that are either not
2543 of interest to clients or are infinitely deep (recursive). This
2544 parameter allows you to specify a comma-delimited list of directories
2545 that the server should always show as empty.
2547 Note that Samba can be very fussy about the exact format
2548 of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR.
2549 Experimentation is the best policy :-)
2551 Default: \fBnone (i.e., all directories are OK
2554 Example: \fBdont descend = /proc,/dev\fR
2556 \fBdos charset (G)\fR
2557 DOS SMB clients assume the server has
2558 the same charset as they do. This option specifies which
2559 charset Samba should use when talking to DOS clients.
2561 The default depends on which charsets you have installed.
2562 Samba tries to use charset 850 but falls back to ASCII in
2563 case it is not available. Run testparm(1)
2564 to check the default on your system.
2566 \fBdos filemode (S)\fR
2567 The default behavior in Samba is to provide
2568 UNIX-like behavior where only the owner of a file/directory is
2569 able to change the permissions on it. However, this behavior
2570 is often confusing to DOS/Windows users. Enabling this parameter
2571 allows a user who has write access to the file (by whatever
2572 means) to modify the permissions on it. Note that a user
2573 belonging to the group owning the file will not be allowed to
2574 change permissions if the group is only granted read access.
2575 Ownership of the file/directory is not changed, only the permissions
2578 Default: \fBdos filemode = no\fR
2580 \fBdos filetime resolution (S)\fR
2581 Under the DOS and Windows FAT filesystem, the finest
2582 granularity on time resolution is two seconds. Setting this parameter
2583 for a share causes Samba to round the reported time down to the
2584 nearest two second boundary when a query call that requires one second
2585 resolution is made to \fBsmbd(8)\fR
2588 This option is mainly used as a compatibility option for Visual
2589 C++ when used against Samba shares. If oplocks are enabled on a
2590 share, Visual C++ uses two different time reading calls to check if a
2591 file has changed since it was last read. One of these calls uses a
2592 one-second granularity, the other uses a two second granularity. As
2593 the two second call rounds any odd second down, then if the file has a
2594 timestamp of an odd number of seconds then the two timestamps will not
2595 match and Visual C++ will keep reporting the file has changed. Setting
2596 this option causes the two timestamps to match, and Visual C++ is
2599 Default: \fBdos filetime resolution = no\fR
2601 \fBdos filetimes (S)\fR
2602 Under DOS and Windows, if a user can write to a
2603 file they can change the timestamp on it. Under POSIX semantics,
2604 only the owner of the file or root may change the timestamp. By
2605 default, Samba runs with POSIX semantics and refuses to change the
2606 timestamp on a file if the user \fBsmbd\fR is acting
2607 on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd will change the file
2608 timestamp as DOS requires.
2610 Default: \fBdos filetimes = no\fR
2612 \fBencrypt passwords (G)\fR
2613 This boolean controls whether encrypted passwords
2614 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2615 above and also Windows 98 will by default expect encrypted passwords
2616 unless a registry entry is changed. To use encrypted passwords in
2617 Samba see the file ENCRYPTION.txt in the Samba documentation
2618 directory \fIdocs/\fR shipped with the source code.
2620 In order for encrypted passwords to work correctly
2621 \fBsmbd(8)\fR must either
2622 have access to a local \fIsmbpasswd(5)\fR file (see the \fBsmbpasswd(8)\fR
2623 program for information on how to set up
2624 and maintain this file), or set the security = [server|domain|ads] parameter which
2625 causes \fBsmbd\fR to authenticate against another
2628 Default: \fBencrypt passwords = yes\fR
2630 \fBenhanced browsing (G)\fR
2631 This option enables a couple of enhancements to
2632 cross-subnet browse propagation that have been added in Samba
2633 but which are not standard in Microsoft implementations.
2635 The first enhancement to browse propagation consists of a regular
2636 wildcard query to a Samba WINS server for all Domain Master Browsers,
2637 followed by a browse synchronization with each of the returned
2638 DMBs. The second enhancement consists of a regular randomised browse
2639 synchronization with all currently known DMBs.
2641 You may wish to disable this option if you have a problem with empty
2642 workgroups not disappearing from browse lists. Due to the restrictions
2643 of the browse protocols these enhancements can cause an empty workgroup
2644 to stay around forever which can be annoying.
2646 In general you should leave this option enabled as it makes
2647 cross-subnet browse propagation much more reliable.
2649 Default: \fBenhanced browsing = yes\fR
2651 \fBenumports command (G)\fR
2652 The concept of a "port" is fairly foreign
2653 to UNIX hosts. Under Windows NT/2000 print servers, a port
2654 is associated with a port monitor and generally takes the form of
2655 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2656 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2657 port defined--"Samba Printer Port". Under
2658 Windows NT/2000, all printers must have a valid port name.
2659 If you wish to have a list of ports displayed (\fBsmbd
2660 \fR does not use a port name for anything) other than
2661 the default "Samba Printer Port", you
2662 can define \fIenumports command\fR to point to
2663 a program which should generate a list of ports, one per line,
2664 to standard output. This listing will then be used in response
2665 to the level 1 and 2 EnumPorts() RPC.
2667 Default: \fBno enumports command\fR
2669 Example: \fBenumports command = /usr/bin/listports
2673 This is a synonym for \fIpreexec\fR.
2675 \fBfake directory create times (S)\fR
2676 NTFS and Windows VFAT file systems keep a create
2677 time for all files and directories. This is not the same as the
2678 ctime - status change time - that Unix keeps, so Samba by default
2679 reports the earliest of the various times Unix does keep. Setting
2680 this parameter for a share causes Samba to always report midnight
2681 1-1-1980 as the create time for directories.
2683 This option is mainly used as a compatibility option for
2684 Visual C++ when used against Samba shares. Visual C++ generated
2685 makefiles have the object directory as a dependency for each object
2686 file, and a make rule to create the directory. Also, when NMAKE
2687 compares timestamps it uses the creation time when examining a
2688 directory. Thus the object directory will be created if it does not
2689 exist, but once it does exist it will always have an earlier
2690 timestamp than the object files it contains.
2692 However, Unix time semantics mean that the create time
2693 reported by Samba will be updated whenever a file is created or
2694 deleted in the directory. NMAKE finds all object files in
2695 the object directory. The timestamp of the last one built is then
2696 compared to the timestamp of the object directory. If the
2697 directory's timestamp is newer, then all object files
2698 will be rebuilt. Enabling this option
2699 ensures directories always predate their contents and an NMAKE build
2700 will proceed as expected.
2702 Default: \fBfake directory create times = no\fR
2704 \fBfake oplocks (S)\fR
2705 Oplocks are the way that SMB clients get permission
2706 from a server to locally cache file operations. If a server grants
2707 an oplock (opportunistic lock) then the client is free to assume
2708 that it is the only one accessing the file and it will aggressively
2709 cache file data. With some oplock types the client may even cache
2710 file open/close operations. This can give enormous performance benefits.
2712 When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fR will
2713 always grant oplock requests no matter how many clients are using
2716 It is generally much better to use the real \fIoplocks\fR support rather
2717 than this parameter.
2719 If you enable this option on all read-only shares or
2720 shares that you know will only be accessed from one client at a
2721 time such as physically read-only media like CDROMs, you will see
2722 a big performance improvement on many operations. If you enable
2723 this option on shares where multiple clients may be accessing the
2724 files read-write at the same time you can get data corruption. Use
2725 this option carefully!
2727 Default: \fBfake oplocks = no\fR
2729 \fBfollow symlinks (S)\fR
2730 This parameter allows the Samba administrator
2731 to stop \fBsmbd(8)\fR
2732 from following symbolic links in a particular share. Setting this
2733 parameter to no prevents any file or directory
2734 that is a symbolic link from being followed (the user will get an
2735 error). This option is very useful to stop users from adding a
2736 symbolic link to \fI/etc/passwd\fR in their home
2737 directory for instance. However it will slow filename lookups
2740 This option is enabled (i.e. \fBsmbd\fR will
2741 follow symbolic links) by default.
2743 Default: \fBfollow symlinks = yes\fR
2745 \fBforce create mode (S)\fR
2746 This parameter specifies a set of UNIX mode bit
2747 permissions that will \fBalways\fR be set on a
2748 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2749 the mode bits of a file that is being created or having its
2750 permissions changed. The default for this parameter is (in octal)
2751 000. The modes in this parameter are bitwise 'OR'ed onto the file
2752 mode after the mask set in the \fIcreate mask\fR
2753 parameter is applied.
2755 See also the parameter \fIcreate
2756 mask\fR for details on masking mode bits on files.
2758 See also the \fIinherit
2759 permissions\fR parameter.
2761 Default: \fBforce create mode = 000\fR
2763 Example: \fBforce create mode = 0755\fR
2765 would force all created files to have read and execute
2766 permissions set for 'group' and 'other' as well as the
2767 read/write/execute bits set for the 'user'.
2769 \fBforce directory mode (S)\fR
2770 This parameter specifies a set of UNIX mode bit
2771 permissions that will \fBalways\fR be set on a directory
2772 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2773 mode bits of a directory that is being created. The default for this
2774 parameter is (in octal) 0000 which will not add any extra permission
2775 bits to a created directory. This operation is done after the mode
2776 mask in the parameter \fIdirectory mask\fR is
2779 See also the parameter \fI directory mask\fR for details on masking mode bits
2780 on created directories.
2782 See also the \fI inherit permissions\fR parameter.
2784 Default: \fBforce directory mode = 000\fR
2786 Example: \fBforce directory mode = 0755\fR
2788 would force all created directories to have read and execute
2789 permissions set for 'group' and 'other' as well as the
2790 read/write/execute bits set for the 'user'.
2792 \fBforce directory security mode (S)\fR
2793 This parameter controls what UNIX permission bits
2794 can be modified when a Windows NT client is manipulating the UNIX
2795 permission on a directory using the native NT security dialog box.
2797 This parameter is applied as a mask (OR'ed with) to the
2798 changed permission bits, thus forcing any bits in this mask that
2799 the user may have modified to be on. Essentially, one bits in this
2800 mask may be treated as a set of bits that, when modifying security
2801 on a directory, the user has always set to be 'on'.
2803 If not set explicitly this parameter is 000, which
2804 allows a user to modify all the user/group/world permissions on a
2805 directory without restrictions.
2807 \fBNote\fR that users who can access the
2808 Samba server through other means can easily bypass this restriction,
2809 so it is primarily useful for standalone "appliance" systems.
2810 Administrators of most normal systems will probably want to leave
2813 See also the \fI directory security mask\fR, \fIsecurity mask\fR,
2814 \fIforce security mode
2817 Default: \fBforce directory security mode = 0\fR
2819 Example: \fBforce directory security mode = 700\fR
2821 \fBforce group (S)\fR
2822 This specifies a UNIX group name that will be
2823 assigned as the default primary group for all users connecting
2824 to this service. This is useful for sharing files by ensuring
2825 that all access to files on service will use the named group for
2826 their permissions checking. Thus, by assigning permissions for this
2827 group to the files and directories within this service the Samba
2828 administrator can restrict or allow sharing of these files.
2830 In Samba 2.0.5 and above this parameter has extended
2831 functionality in the following way. If the group name listed here
2832 has a '+' character prepended to it then the current user accessing
2833 the share only has the primary group default assigned to this group
2834 if they are already assigned as a member of that group. This allows
2835 an administrator to decide that only users who are already in a
2836 particular group will create files with group ownership set to that
2837 group. This gives a finer granularity of ownership assignment. For
2838 example, the setting \fIforce group = +sys\fR means
2839 that only users who are already in group sys will have their default
2840 primary group assigned to sys when accessing this Samba share. All
2841 other users will retain their ordinary primary group.
2843 If the \fIforce user
2844 \fR parameter is also set the group specified in
2845 \fIforce group\fR will override the primary group
2846 set in \fIforce user\fR.
2851 Default: \fBno forced group\fR
2853 Example: \fBforce group = agroup\fR
2855 \fBforce security mode (S)\fR
2856 This parameter controls what UNIX permission
2857 bits can be modified when a Windows NT client is manipulating
2858 the UNIX permission on a file using the native NT security dialog
2861 This parameter is applied as a mask (OR'ed with) to the
2862 changed permission bits, thus forcing any bits in this mask that
2863 the user may have modified to be on. Essentially, one bits in this
2864 mask may be treated as a set of bits that, when modifying security
2865 on a file, the user has always set to be 'on'.
2867 If not set explicitly this parameter is set to 0,
2868 and allows a user to modify all the user/group/world permissions on a file,
2869 with no restrictions.
2871 \fBNote\fR that users who can access
2872 the Samba server through other means can easily bypass this restriction,
2873 so it is primarily useful for standalone "appliance" systems.
2874 Administrators of most normal systems will probably want to leave
2877 See also the \fI force directory security mode\fR,
2878 \fIdirectory security
2879 mask\fR, \fI security mask\fR parameters.
2881 Default: \fBforce security mode = 0\fR
2883 Example: \fBforce security mode = 700\fR
2885 \fBforce user (S)\fR
2886 This specifies a UNIX user name that will be
2887 assigned as the default user for all users connecting to this service.
2888 This is useful for sharing files. You should also use it carefully
2889 as using it incorrectly can cause security problems.
2891 This user name only gets used once a connection is established.
2892 Thus clients still need to connect as a valid user and supply a
2893 valid password. Once connected, all file operations will be performed
2894 as the "forced user", no matter what username the client connected
2895 as. This can be very useful.
2897 In Samba 2.0.5 and above this parameter also causes the
2898 primary group of the forced user to be used as the primary group
2899 for all file activity. Prior to 2.0.5 the primary group was left
2900 as the primary group of the connecting user (this was a bug).
2902 See also \fIforce group
2905 Default: \fBno forced user\fR
2907 Example: \fBforce user = auser\fR
2910 This parameter allows the administrator to
2911 configure the string that specifies the type of filesystem a share
2912 is using that is reported by \fBsmbd(8)
2913 \fR when a client queries the filesystem type
2914 for a share. The default type is NTFS for
2915 compatibility with Windows NT but this can be changed to other
2916 strings such as Samba or FAT
2919 Default: \fBfstype = NTFS\fR
2921 Example: \fBfstype = Samba\fR
2923 \fBgetwd cache (G)\fR
2924 This is a tuning option. When this is enabled a
2925 caching algorithm will be used to reduce the time taken for getwd()
2926 calls. This can have a significant impact on performance, especially
2927 when the \fIwide links\fR
2928 parameter is set to no.
2930 Default: \fBgetwd cache = yes\fR
2933 Synonym for \fIforce
2936 \fBguest account (S)\fR
2937 This is a username which will be used for access
2938 to services which are specified as \fI guest ok\fR (see below). Whatever privileges this
2939 user has will be available to any client connecting to the guest service.
2940 Typically this user will exist in the password file, but will not
2941 have a valid login. The user account "ftp" is often a good choice
2942 for this parameter. If a username is specified in a given service,
2943 the specified username overrides this one.
2945 On some systems the default guest account "nobody" may not
2946 be able to print. Use another account in this case. You should test
2947 this by trying to log in as your guest user (perhaps by using the
2948 \fBsu -\fR command) and trying to print using the
2949 system print command such as \fBlpr(1)\fR or \fB lp(1)\fR.
2951 This parameter does not accept % macros, because
2952 many parts of the system require this value to be
2953 constant for correct operation.
2955 Default: \fBspecified at compile time, usually
2958 Example: \fBguest account = ftp\fR
2961 If this parameter is yes for
2962 a service, then no password is required to connect to the service.
2963 Privileges will be those of the \fI guest account\fR.
2965 See the section below on \fI security\fR for more information about this option.
2967 Default: \fBguest ok = no\fR
2969 \fBguest only (S)\fR
2970 If this parameter is yes for
2971 a service, then only guest connections to the service are permitted.
2972 This parameter will have no effect if \fIguest ok\fR is not set for the service.
2974 See the section below on \fI security\fR for more information about this option.
2976 Default: \fBguest only = no\fR
2978 \fBhide dot files (S)\fR
2979 This is a boolean parameter that controls whether
2980 files starting with a dot appear as hidden files.
2982 Default: \fBhide dot files = yes\fR
2985 This is a list of files or directories that are not
2986 visible but are accessible. The DOS 'hidden' attribute is applied
2987 to any files or directories that match.
2989 Each entry in the list must be separated by a '/',
2990 which allows spaces to be included in the entry. '*'
2991 and '?' can be used to specify multiple files or directories
2992 as in DOS wildcards.
2994 Each entry must be a Unix path, not a DOS path and must
2995 not include the Unix directory separator '/'.
2997 Note that the case sensitivity option is applicable
3000 Setting this parameter will affect the performance of Samba,
3001 as it will be forced to check all files and directories for a match
3002 as they are scanned.
3005 dot files\fR, \fI veto files\fR and \fIcase sensitive\fR.
3007 Default: \fBno files are hidden\fR
3009 Example: \fBhide files =
3010 /.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR
3012 The above example is based on files that the Macintosh
3013 SMB client (DAVE) available from
3014 Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides
3015 all files beginning with a dot.
3017 \fBhide local users (G)\fR
3018 This parameter toggles the hiding of local UNIX
3019 users (root, wheel, floppy, etc) from remote clients.
3021 Default: \fBhide local users = no\fR
3023 \fBhide unreadable (G)\fR
3024 This parameter prevents clients from seeing the
3025 existence of files that cannot be read. Defaults to off.
3027 Default: \fBhide unreadable = no\fR
3029 \fBhide unwriteable files (G)\fR
3030 This parameter prevents clients from seeing
3031 the existence of files that cannot be written to. Defaults to off.
3032 Note that unwriteable directories are shown as usual.
3034 Default: \fBhide unwriteable = no\fR
3036 \fBhide special files (G)\fR
3037 This parameter prevents clients from seeing
3038 special files such as sockets, devices and FIFOs in directory
3041 Default: \fBhide special files = no\fR
3043 \fBhomedir map (G)\fR
3045 \fR is yes, and \fBsmbd(8)\fR is also acting
3046 as a Win95/98 \fIlogon server\fR then this parameter
3047 specifies the NIS (or YP) map from which the server for the user's
3048 home directory should be extracted. At present, only the Sun
3049 auto.home map format is understood. The form of the map is:
3051 \fBusername server:/some/file/system\fR
3053 and the program will extract the servername from before
3054 the first ':'. There should probably be a better parsing system
3055 that copes with different map formats and also Amd (another
3058 \fBNOTE :\fR A working NIS client is required on
3059 the system for this option to work.
3061 See also \fInis homedir\fR
3062 , \fIdomain logons\fR
3065 Default: \fBhomedir map = <empty string>\fR
3067 Example: \fBhomedir map = amd.homedir\fR
3069 \fBhost msdfs (G)\fR
3070 This boolean parameter is only available
3071 if Samba has been configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
3072 Samba will act as a Dfs server, and allow Dfs-aware clients
3073 to browse Dfs trees hosted on the server.
3075 See also the \fI msdfs root\fR share level parameter. For
3076 more information on setting up a Dfs tree on Samba,
3077 refer to msdfs_setup.html
3079 Default: \fBhost msdfs = no\fR
3081 \fBhostname lookups (G)\fR
3082 Specifies whether Samba should use (expensive)
3083 hostname lookups or use the ip addresses instead. An example place
3084 where hostname lookups are currently used is when checking
3085 the \fBhosts deny\fR and \fBhosts allow\fR.
3087 Default: \fBhostname lookups = yes\fR
3089 Example: \fBhostname lookups = no\fR
3091 \fBhosts allow (S)\fR
3092 A synonym for this parameter is \fIallow
3095 This parameter is a comma, space, or tab delimited
3096 set of hosts which are permitted to access a service.
3098 If specified in the [global] section then it will
3099 apply to all services, regardless of whether the individual
3100 service has a different setting.
3102 You can specify the hosts by name or IP number. For
3103 example, you could restrict access to only the hosts on a
3104 Class C subnet with something like \fBallow hosts = 150.203.5.
3105 \fR. The full syntax of the list is described in the man
3106 page \fIhosts_access(5)\fR. Note that this man
3107 page may not be present on your system, so a brief description will
3110 Note that the localhost address 127.0.0.1 will always
3111 be allowed access unless specifically denied by a \fIhosts deny\fR option.
3113 You can also specify hosts by network/netmask pairs and
3114 by netgroup names if your system supports netgroups. The
3115 \fBEXCEPT\fR keyword can also be used to limit a
3116 wildcard list. The following examples may provide some help:
3118 Example 1: allow all IPs in 150.203.*.*; except one
3120 \fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
3122 Example 2: allow hosts that match the given network/netmask
3124 \fBhosts allow = 150.203.15.0/255.255.255.0\fR
3126 Example 3: allow a couple of hosts
3128 \fBhosts allow = lapland, arvidsjaur\fR
3130 Example 4: allow only hosts in NIS netgroup "foonet", but
3131 deny access from one particular host
3133 \fBhosts allow = @foonet\fR
3135 \fBhosts deny = pirate\fR
3137 Note that access still requires suitable user-level passwords.
3139 See \fBtestparm(1)\fR
3140 for a way of testing your host access to see if it does
3143 Default: \fBnone (i.e., all hosts permitted access)
3146 Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au
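An added example (not Samba's own code): a Python matcher that shows which clients a hosts allow or hosts deny list matches, covering the forms described above (trailing-dot address prefix, network/netmask pair, host name, @netgroup, EXCEPT). The function names and the netgroups mapping that stands in for NIS are assumptions; it models list matching only, not smbd's final allow/deny decision.

```python
import ipaddress
import re


def _token_matches(tok, host, ip, netgroups):
    """Match one list entry against a client (host name, dotted IPv4 address)."""
    if tok.startswith("@"):
        # NIS netgroup: membership comes from the caller-supplied mapping (assumption).
        return host.lower() in netgroups.get(tok[1:], ())
    if "/" in tok:
        # network/netmask pair, e.g. 150.203.15.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    if tok.endswith("."):
        # Address prefix: the trailing dot stops 150.203.5. from matching 150.203.50.x
        return ip.startswith(tok)
    # Plain host name (case-insensitive) or a complete IP address.
    return tok.lower() in (host.lower(), ip)


def list_matches(spec, host, ip, netgroups=None):
    """True if the client matches a comma, space or tab delimited host list.

    'A EXCEPT B' matches what A matches unless B also matches it.
    """
    netgroups = netgroups or {}
    tokens = [t for t in re.split(r"[,\s]+", spec.strip()) if t]
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        cut = upper.index("EXCEPT")
        head, tail = tokens[:cut], tokens[cut + 1:]
    else:
        head, tail = tokens, []
    hit = any(_token_matches(t, host, ip, netgroups) for t in head)
    if hit and tail:
        return not list_matches(" ".join(tail), host, ip, netgroups)
    return hit


def matched_clients(spec, clients, netgroups=None):
    """Return the (host, ip) pairs from 'clients' that the list matches."""
    return [c for c in clients if list_matches(spec, c[0], c[1], netgroups)]


if __name__ == "__main__":
    # Constructed client inventory for illustration.
    clients = [("lapland", "150.203.5.9"), ("pc50", "150.203.50.1"),
               ("lab66", "150.203.6.66"), ("arvidsjaur", "10.0.0.7")]
    for spec in ("150.203. EXCEPT 150.203.6.66",
                 "150.203.5. myhost.mynet.edu.au",
                 "lapland, arvidsjaur"):
        print(spec, "->", matched_clients(spec, clients))
```

Running a proposed list against an inventory of real client addresses before deploying it shows over-broad prefixes or a forgotten trailing dot immediately.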
3149 \fBhosts deny (S)\fR
3150 The opposite of \fIhosts allow\fR
3151 - hosts listed here are \fBNOT\fR permitted access to
3152 services unless the specific services have their own lists to override
3153 this one. Where the lists conflict, the \fIallow\fR
3154 list takes precedence.
3156 Default: \fBnone (i.e., no hosts specifically excluded)
3159 Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au
3162 \fBhosts equiv (G)\fR
3163 If this global parameter is a non-null string,
3164 it specifies the name of a file to read for the names of hosts
3165 and users who will be allowed access without specifying a password.
3167 This is not to be confused with \fIhosts allow\fR which is about hosts
3168 access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will
3169 not supply passwords to Samba.
3171 \fBNOTE :\fR The use of \fIhosts equiv
3172 \fR can be a major security hole. This is because you are
3173 trusting the PC to supply the correct username. It is very easy to
3174 get a PC to supply a false username. I recommend that the
3175 \fIhosts equiv\fR option be only used if you really
3176 know what you are doing, or perhaps on a home network where you trust
3177 your spouse and kids. And only if you \fBreally\fR trust
3180 Default: \fBno host equivalences\fR
3182 Example: \fBhosts equiv = /etc/hosts.equiv\fR
3185 This allows you to include one config file
3186 inside another. The file is included literally, as though typed
3189 It takes the standard substitutions, except \fI%u
3190 \fR, \fI%P\fR and \fI%S\fR.
3192 Default: \fBno file included\fR
3194 Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf
3197 \fBinherit acls (S)\fR
3198 This parameter can be used to ensure
3199 that if default acls exist on parent directories,
3200 they are always honored when creating a subdirectory.
3201 The default behavior is to use the mode specified
3202 when creating the directory. Enabling this option
3203 sets the mode to 0777, thus guaranteeing that
3204 default directory acls are propagated.
3206 Default: \fBinherit acls = no\fR
3208 \fBinherit permissions (S)\fR
3209 The permissions on new files and directories
3210 are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR
3212 directory mode\fR but the boolean inherit
3213 permissions parameter overrides this.
3215 New directories inherit the mode of the parent directory,
3216 including bits such as setgid.
3218 New files inherit their read/write bits from the parent
3219 directory. Their execute bits continue to be determined by
3222 and \fImap system\fR
3225 Note that the setuid bit is \fBnever\fR set via
3226 inheritance (the code explicitly prohibits this).
3228 This can be particularly useful on large systems with
3229 many users, perhaps several thousand, to allow a single [homes]
3230 share to be used flexibly by each user.
3232 See also \fIcreate mask
3233 \fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR
3236 Default: \fBinherit permissions = no\fR
3238 \fBinterfaces (G)\fR
3239 This option allows you to override the default
3240 network interfaces list that Samba will use for browsing, name
3241 registration and other NBT traffic. By default Samba will query
3242 the kernel for the list of all active interfaces and use any
3243 interfaces except 127.0.0.1 that are broadcast capable.
3245 The option takes a list of interface strings. Each string
3246 can be in any of the following forms:
3250 a network interface name (such as eth0).
3251 This may include shell-like wildcards so eth* will match
3252 any interface starting with the substring "eth"
3255 an IP address. In this case the netmask is
3256 determined from the list of interfaces obtained from the
3263 a broadcast/mask pair.
3266 The "mask" parameters can either be a bit length (such
3267 as 24 for a C class network) or a full netmask in dotted
3270 The "IP" parameters above can either be a full dotted
3271 decimal IP address or a hostname which will be looked up via
3272 the OS's normal hostname resolution mechanisms.
3274 For example, the following line:
3276 \fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3279 would configure three network interfaces corresponding
3280 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3281 The netmasks of the latter two interfaces would be set to 255.255.255.0.
3286 Default: \fBall active interfaces except 127.0.0.1
3287 that are broadcast capable\fR
3289 \fBinvalid users (S)\fR
3290 This is a list of users that should not be allowed
3291 to login to this service. This is really a \fBparanoid\fR
3292 check to absolutely ensure an improper setting does not breach
3295 A name starting with a '@' is interpreted as an NIS
3296 netgroup first (if your system supports NIS), and then as a UNIX
3297 group if the name was not found in the NIS netgroup database.
3299 A name starting with '+' is interpreted only
3300 by looking in the UNIX group database. A name starting with
3301 \&'&' is interpreted only by looking in the NIS netgroup database
3302 (this requires NIS to be working on your system). The characters
3303 \&'+' and '&' may be used at the start of the name in either order
3304 so the value \fI+&group\fR means check the
3305 UNIX group database, followed by the NIS netgroup database, and
3306 the value \fI&+group\fR means check the NIS
3307 netgroup database, followed by the UNIX group database (the
3308 same as the '@' prefix).
3310 The current servicename is substituted for \fI%S\fR.
3311 This is useful in the [homes] section.
3313 See also \fIvalid users
3316 Default: \fBno invalid users\fR
3318 Example: \fBinvalid users = root fred admin @wheel
3322 The value of the parameter (an integer) represents
3323 the number of seconds between \fIkeepalive\fR
3324 packets. If this parameter is zero, no keepalive packets will be
3325 sent. Keepalive packets, if sent, allow the server to tell whether
3326 a client is still present and responding.
3328 Keepalives should, in general, not be needed if the socket
3329 being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR).
3330 Basically you should only use this option if you strike difficulties.
3332 Default: \fBkeepalive = 300\fR
3334 Example: \fBkeepalive = 600\fR
3336 \fBkernel oplocks (G)\fR
3337 For UNIXes that support kernel based \fIoplocks\fR
3338 (currently only IRIX and the Linux 2.4 kernel), this parameter
3339 allows the use of them to be turned on or off.
3341 Kernel oplocks support allows Samba \fIoplocks
3342 \fR to be broken whenever a local UNIX process or NFS operation
3343 accesses a file that \fBsmbd(8)\fR
3344 has oplocked. This allows complete data consistency between
3345 SMB/CIFS, NFS and local file access (and is a \fBvery\fR
3348 This parameter defaults to on, but is translated
3349 to a no-op on systems that do not have the necessary kernel support.
3350 You should never need to touch this parameter.
3352 See also the \fIoplocks\fR
3353 and \fIlevel2 oplocks
3356 Default: \fBkernel oplocks = yes\fR
3358 \fBlanman auth (G)\fR
3359 This parameter determines whether or not smbd will
3360 attempt to authenticate users using the LANMAN password hash.
3361 If disabled, only clients which support NT password hashes (e.g. Windows
3362 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3363 network client) will be able to connect to the Samba host.
3365 Default : \fBlanman auth = yes\fR
3367 \fBlarge readwrite (G)\fR
3368 This parameter determines whether or not smbd
3369 supports the new 64k streaming read and write variant SMB requests introduced
3370 with Windows 2000. Note that due to Windows 2000 client redirector bugs
3371 this requires Samba to be running on a 64-bit capable operating system such
3372 as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
3373 Windows 2000 clients. Defaults to on. Not as tested as some other Samba
3376 Default : \fBlarge readwrite = yes\fR
3378 \fBldap admin dn (G)\fR
3379 The \fIldap admin dn\fR defines the Distinguished
3380 Name (DN) used by Samba to contact the ldap server when retrieving
3381 user account information. The \fIldap
3382 admin dn\fR is used in conjunction with the admin dn password
3383 stored in the \fIprivate/secrets.tdb\fR file. See the
3384 \fBsmbpasswd(8)\fR man
3385 page for more information on how to accomplish this.
3387 Default : \fBnone\fR
3389 \fBldap filter (G)\fR
3390 This parameter specifies the RFC 2254 compliant LDAP search filter.
3391 The default is to match the login name with the uid
3392 attribute for all entries matching the sambaAccount
3393 objectclass. Note that this filter should only return one entry.
3395 Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR
3398 This parameter is only available if Samba has been
3399 configured to include the \fB--with-ldapsam\fR option
3402 This option is used to control the tcp port number used to contact
3403 the \fIldap server\fR.
3404 The default is to use the standard LDAPS port 636.
3408 Default : \fBldap port = 636 ; if ldap ssl = on\fR
3410 Default : \fBldap port = 389 ; if ldap ssl = off\fR
3412 \fBldap server (G)\fR
3413 This parameter is only available if Samba has been
3414 configured to include the \fB--with-ldapsam\fR option
3417 This parameter should contain the FQDN of the ldap directory
3418 server which should be queried to locate user account information.
3420 Default : \fBldap server = localhost\fR
3423 This option is used to define whether or not Samba should
3424 use SSL when connecting to the ldap server.
3425 This is \fBNOT\fR related to
3426 Samba's previous SSL support which was enabled by specifying the
3427 \fB--with-ssl\fR option to the \fIconfigure\fR
3430 The \fIldap ssl\fR can be set to one of three values:
3434 \fIOff\fR = Never use SSL when querying the directory.
3437 \fIStart_tls\fR = Use the LDAPv3 StartTLS extended operation
3438 (RFC2830) for communicating with the directory server.
3442 Use SSL on the ldaps port when contacting the
3443 \fIldap server\fR. Only
3444 available when the backwards-compatibility \fB--with-ldapsam\fR option is specified
3445 to configure. See \fIpassdb backend\fR
3448 Default : \fBldap ssl = start_tls\fR
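An added example (not part of the Samba documentation): a small Python audit that parses an smb.conf using the format rules given at the top of this page and reports the settings described above that remove a password requirement, weaken authentication or transport protection, or carry an explicit warning. It assumes share-level parameters set in [global] act as defaults for every share; the function names and the sample file are constructed for illustration.

```python
import re

# Built-in defaults as documented on this page.
DEFAULTS = {"encrypt passwords": "yes", "lanman auth": "yes", "ldap ssl": "start_tls",
            "hosts equiv": "", "guest ok": "no", "follow symlinks": "yes",
            "fake oplocks": "no", "force user": ""}


def norm(name):
    """Section and parameter names: case-insensitive, whitespace irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def is_yes(value):
    """Booleans may be written yes/no, 0/1 or true/false in any case."""
    return value.strip().lower() in ("yes", "1", "true")


GLOBAL_CHECKS = [
    ("encrypt passwords", lambda v: not is_yes(v), "encrypted passwords are not negotiated"),
    ("lanman auth", is_yes, "LANMAN password hash is accepted for authentication"),
    ("ldap ssl", lambda v: v.lower() == "off", "directory queries never use SSL"),
    ("hosts equiv", bool, "listed hosts and users get access without a password"),
]
SHARE_CHECKS = [
    ("guest ok", is_yes, "no password required; clients get the guest account's privileges"),
    ("follow symlinks", is_yes, "symbolic links inside the share are followed"),
    ("fake oplocks", is_yes, "oplocks always granted; concurrent writers can corrupt data"),
    ("force user", bool, "all file operations run as the forced user"),
]


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):          # continued on the next line
            pending += raw.rstrip()[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections


def audit(text):
    """Return a list of (section, parameter, reason) findings."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    findings = []

    def check(section, params, checks):
        for name, risky, why in checks:
            value = params.get(norm(name), glob.get(norm(name), DEFAULTS[name]))
            if risky(value):
                findings.append((section, name, why))

    check("global", glob, GLOBAL_CHECKS)
    for section, params in sections.items():
        if section != "global":
            check(section, params, SHARE_CHECKS)
    return findings


# Constructed sample configuration, not taken from a real host.
SAMPLE = r"""
; constructed sample
[global]
   Encrypt Passwords = No
   hosts equiv = /etc/hosts.equiv
   lanman auth = no
   follow symlinks = no
[Public]
   GUEST OK = yes
   fake  oplocks = true
[homes]
   follow symlinks = yes
   force user = \
      auser
"""

if __name__ == "__main__":
    for section, name, why in audit(SAMPLE):
        print(f"[{section}] {name}: {why}")
```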
3450 \fBldap suffix (G)\fR
3451 Specifies where user and machine accounts are added to the tree. Can be overridden by \fBldap user suffix\fR and \fBldap machine suffix\fR. It is also used as the base dn for all ldap searches.
3453 Default : \fBnone\fR
3455 \fBldap user suffix (G)\fR
3456 It specifies where users are added to the tree.
3458 Default : \fBnone\fR
3460 \fBldap machine suffix (G)\fR
3461 It specifies where machines should be
3462 added to the ldap tree.
3464 Default : \fBnone\fR
3466 \fBldap passwd sync (G)\fR
3467 This option is used to define whether
3468 or not Samba should sync the LDAP password with the NT
3469 and LM hashes for normal accounts (NOT for
3470 workstation, server or domain trusts) on a password
3473 The \fIldap passwd sync\fR can be set to one of three values:
3477 \fIYes\fR = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.
3480 \fINo\fR = Update NT and LM passwords and update the pwdLastSet time.
3483 \fIOnly\fR = Only update the LDAP password and let the LDAP server do the rest.
3486 Default : \fBldap passwd sync = no\fR
3488 \fBldap trust ids (G)\fR
3489 Normally, Samba validates each entry
3490 in the LDAP server against getpwnam(). This allows
3491 LDAP to be used for Samba with the unix system using
3492 NIS (for example) and also ensures that Samba does not
3493 present accounts that do not otherwise exist.
3495 This option is used to disable this functionality, and
3496 instead to rely on the presence of the appropriate
3497 attributes in LDAP directly, which can result in a
3498 significant performance boost in some situations.
3499 Setting this option to yes effectively assumes
3500 that the local machine is running \fBnss_ldap\fR against the
3503 Default: \fBldap trust ids = No\fR
3505 \fBlevel2 oplocks (S)\fR
3506 This parameter controls whether Samba supports
3507 level2 (read-only) oplocks on a share.
3509 Level2, or read-only oplocks allow Windows NT clients
3510 that have an oplock on a file to downgrade from a read-write oplock
3511 to a read-only oplock once a second client opens the file (instead
3512 of releasing all oplocks on a second open, as in traditional,
3513 exclusive oplocks). This allows all openers of the file that
3514 support level2 oplocks to cache the file for read-ahead only (ie.
3515 they may not cache writes or lock requests) and increases performance
3516 for many accesses of files that are not commonly written (such as
3517 application .EXE files).
3519 Once one of the clients which have a read-only oplock
3520 writes to the file all clients are notified (no reply is needed
3521 or waited for) and told to break their oplocks to "none" and
3522 delete any read-ahead caches.
3524 It is recommended that this parameter be turned on
3525 to speed access to shared executables.
3527 For more discussions on level2 oplocks see the CIFS spec.
3529 Currently, if \fIkernel
3530 oplocks\fR are supported then level2 oplocks are
3531 not granted (even if this parameter is set to yes).
3532 Note also, the \fIoplocks\fR
3533 parameter must be set to yes on this share in order for
3534 this parameter to have any effect.
3536 See also the \fIoplocks\fR
3537 and \fIkernel oplocks\fR
3540 Default: \fBlevel2 oplocks = yes\fR
3542 \fBlm announce (G)\fR
3543 This parameter determines if \fBnmbd(8)\fR will produce Lanman announce
3544 broadcasts that are needed by OS/2 clients in order for them to see
3545 the Samba server in their browse list. This parameter can have three
3547 auto. The default is auto.
3548 If set to no Samba will never produce these
3549 broadcasts. If set to yes Samba will produce
3550 Lanman announce broadcasts at a frequency set by the parameter
3551 \fIlm interval\fR. If set to auto
3552 Samba will not send Lanman announce broadcasts by default but will
3553 listen for them. If it hears such a broadcast on the wire it will
3554 then start sending them at a frequency set by the parameter
3557 See also \fIlm interval
3560 Default: \fBlm announce = auto\fR
3562 Example: \fBlm announce = yes\fR
3564 \fBlm interval (G)\fR
3565 If Samba is set to produce Lanman announce
3566 broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this
3567 parameter defines the frequency in seconds with which they will be
3568 made. If this is set to zero then no Lanman announcements will be
3569 made despite the setting of the \fIlm announce\fR
3575 Default: \fBlm interval = 60\fR
3577 Example: \fBlm interval = 120\fR
3579 \fBload printers (G)\fR
3580 A boolean variable that controls whether all
3581 printers in the printcap will be loaded for browsing by default.
3582 See the printers section for
3585 Default: \fBload printers = yes\fR
3587 \fBlocal master (G)\fR
3588 This option allows \fBnmbd(8)\fR to try and become a local master browser
3589 on a subnet. If set to no then \fBnmbd\fR will not attempt to become a local master browser
3590 on a subnet and will also lose in all browsing elections. By
3591 default this value is set to yes. Setting this value to yes doesn't
3592 mean that Samba will \fBbecome\fR the local master
3593 browser on a subnet, just that \fBnmbd\fR will \fBparticipate\fR in elections for local master browser.
3595 Setting this value to no will cause \fBnmbd\fR
3596 \fBnever\fR to become a local master browser.
3598 Default: \fBlocal master = yes\fR
3601 Synonym for \fIlock directory\fR.
3603 \fBlock directory (G)\fR
3604 This option specifies the directory where lock
3605 files will be placed. The lock files are used to implement the
3606 \fImax connections\fR
3609 Default: \fBlock directory = ${prefix}/var/locks\fR
3611 Example: \fBlock directory = /var/run/samba/locks\fR
3613 \fBlock spin count (G)\fR
3614 This parameter controls the number of times
3615 that smbd should attempt to gain a byte range lock on the
3616 behalf of a client request. Experiments have shown that
3617 Windows 2k servers do not reply with a failure if the lock
3618 could not be immediately granted, but try a few more times
3619 in case the lock could later be acquired. This behavior
3620 is used to support PC database formats such as MS Access
3623 Default: \fBlock spin count = 2\fR
3625 \fBlock spin time (G)\fR
3626 The time in microseconds that smbd should
3627 pause before attempting to gain a failed lock. See
3629 count\fR for more details.
3631 Default: \fBlock spin time = 10\fR
3634 This controls whether or not locking will be
3635 performed by the server in response to lock requests from the
3638 If \fBlocking = no\fR, all lock and unlock
3639 requests will appear to succeed and all lock queries will report
3640 that the file in question is available for locking.
3642 If \fBlocking = yes\fR, real locking will be performed
3645 This option \fBmay\fR be useful for read-only
3646 filesystems which \fBmay\fR not need locking (such as
3647 CDROM drives), although setting this parameter to no
3648 is not really recommended even in this case.
3650 Be careful about disabling locking either globally or in a
3651 specific service, as lack of locking may result in data corruption.
3652 You should never need to set this parameter.
3654 Default: \fBlocking = yes\fR
3657 This option allows you to override the name
3658 of the Samba log file (also known as the debug file).
3660 This option takes the standard substitutions, allowing
3661 you to have separate log files for each user or machine.
3663 Example: \fBlog file = /usr/local/samba/var/log.%m
3667 The value of the parameter (a string) allows
3668 the debug level (logging level) to be specified in the
3669 \fIsmb.conf\fR file. This parameter has been
3670 extended since the 2.2.x series; it now allows the debug
3671 level to be specified for multiple debug classes. This gives greater
3672 flexibility in the configuration of the system.
3674 The default will be the log level specified on
3675 the command line or level zero if none was specified.
3677 Example: \fBlog level = 3 passdb:5 auth:10 winbind:2
3680 \fBlogon drive (G)\fR
3681 This parameter specifies the local path to
3682 which the home directory will be connected (see \fIlogon home\fR)
3683 and is only used by NT Workstations.
3685 Note that this option is only useful if Samba is set up as a
3688 Default: \fBlogon drive = z:\fR
3690 Example: \fBlogon drive = h:\fR
3692 \fBlogon home (G)\fR
3693 This parameter specifies the home directory
3694 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3697 C:\\> \fBNET USE H: /HOME\fR
3699 from a command prompt, for example.
3701 This option takes the standard substitutions, allowing
3702 you to have separate logon scripts for each user or machine.
3704 This parameter can be used with Win9X workstations to ensure
3705 that roaming profiles are stored in a subdirectory of the user's
3706 home directory. This is done in the following way:
3708 \fBlogon home = \\\\%N\\%U\\profile\fR
3710 This tells Samba to return the above string, with
3711 substitutions made when a client requests the info, generally
3712 in a NetUserGetInfo request. Win9X clients truncate the info to
3713 \\\\server\\share when a user does \fBnet use /home\fR
3714 but use the whole string when dealing with profiles.
3716 Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
3717 \fIlogon home\fR. This broke \fBnet use
3718 /home\fR but allowed profiles outside the home directory.
3719 The current implementation is correct, and can be used for
3720 profiles if you use the above trick.
3722 This option is only useful if Samba is set up as a logon
3725 Default: \fBlogon home = "\\\\%N\\%U"\fR
3727 Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR
3729 \fBlogon path (G)\fR
3730 This parameter specifies the home directory
3731 where roaming profiles (NTuser.dat etc files for Windows NT) are
3732 stored. Contrary to previous versions of these manual pages, it has
3733 nothing to do with Win 9X roaming profiles. To find out how to
3734 handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter.
3736 This option takes the standard substitutions, allowing you
3737 to have separate logon scripts for each user or machine. It also
3738 specifies the directory from which the "Application Data",
3739 \fIdesktop\fR, \fIstart menu\fR,
3740 \fInetwork neighborhood\fR, \fIprograms\fR
3741 and other folders, and their contents, are loaded and displayed on
3742 your Windows NT client.
3744 The share and the path must be readable by the user for
3745 the preferences and directories to be loaded onto the Windows NT
3746 client. The share must be writeable when the user logs in for the first
3747 time, in order that the Windows NT client can create the NTuser.dat
3748 and other directories.
3750 Thereafter, the directories and any of the contents can,
3751 if required, be made read-only. It is not advisable that the
3752 NTuser.dat file be made read-only - rename it to NTuser.man to
3753 achieve the desired effect (a \fBMAN\fRdatory
3756 Windows clients can sometimes maintain a connection to
3757 the [homes] share, even though there is no user logged in.
3758 Therefore, it is vital that the logon path does not include a
3759 reference to the homes share (i.e. setting this parameter to
3760 \\%N\\%U\\profile_path will cause problems).
3762 This option takes the standard substitutions, allowing
3763 you to have separate logon scripts for each user or machine.
3765 Note that this option is only useful if Samba is set up
3768 Default: \fBlogon path = \\\\%N\\%U\\profile\fR
3770 Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR
3772 \fBlogon script (G)\fR
3773 This parameter specifies the batch file (.bat) or
3774 NT command file (.cmd) to be downloaded and run on a machine when
3775 a user successfully logs in. The file must contain the DOS
3776 style CR/LF line endings. Using a DOS-style editor to create the
3777 file is recommended.
3779 The script must be a relative path to the [netlogon]
3780 service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon
3781 \fR, and \fBlogon script = STARTUP.BAT\fR, then
3782 the file that will be downloaded is:
3784 \fI/usr/local/samba/netlogon/STARTUP.BAT\fR
3786 The contents of the batch file are entirely your choice. A
3787 suggested command would be to add \fBNET TIME \\\\SERVER /SET
3788 /YES\fR, to force every machine to synchronize clocks with
3789 the same time server. Another use would be to add \fBNET USE
3790 U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fBNET USE Q: \\\\SERVER\\ISO9001_QA\fR for example.
3792 Note that it is particularly important not to allow write
3793 access to the [netlogon] share, or to grant users write permission
3794 on the batch files in a secure environment, as this would allow
3795 the batch files to be arbitrarily modified and security to be
3798 This option takes the standard substitutions, allowing you
3799 to have separate logon scripts for each user or machine.
3801 This option is only useful if Samba is set up as a logon
3804 Default: \fBno logon script defined\fR
3806 Example: \fBlogon script = scripts\\%U.bat\fR
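The two requirements stated above for logon scripts (CR/LF line endings, and no write permission for ordinary users on the batch files) can be checked on the server. This is an added example, not part of Samba or of the original manual page; the function names, messages and sample files are constructed, and the check covers UNIX permission bits only, not the writability setting of the [netlogon] share itself.

```python
import os
import stat
import tempfile

SCRIPT_SUFFIXES = (".bat", ".cmd")
LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other


def has_non_crlf_endings(data):
    """True if data contains a bare LF or bare CR (i.e. not DOS CR/LF)."""
    rest = data.replace(b"\r\n", b"")
    return b"\n" in rest or b"\r" in rest


def check_logon_scripts(netlogon_dir):
    """Return sorted (relative path, problem) pairs for the netlogon tree."""
    problems = []
    for root, _dirs, files in os.walk(netlogon_dir):
        # A directory that others can write to lets them replace the scripts.
        if os.stat(root).st_mode & LOOSE_WRITE:
            rel_dir = os.path.relpath(root, netlogon_dir)
            problems.append((rel_dir, "directory writable by group or other"))
        for name in files:
            if not name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, netlogon_dir)
            if os.stat(path).st_mode & LOOSE_WRITE:
                problems.append((rel, "writable by group or other"))
            with open(path, "rb") as fh:
                if has_non_crlf_endings(fh.read()):
                    problems.append((rel, "line endings are not CR/LF"))
    return sorted(problems)


def demo():
    """Build a constructed netlogon directory and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        samples = {
            # name: (content, mode) -- all constructed sample data
            "STARTUP.BAT": (b"NET TIME \\\\SERVER /SET /YES\r\n", 0o644),
            "loose.bat": (b"NET USE U: \\\\SERVER\\UTILS\r\n", 0o666),
            "unix.cmd": (b"NET USE U: \\\\SERVER\\UTILS\n", 0o644),
        }
        for name, (content, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return check_logon_scripts(d)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```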
3808 \fBlppause command (S)\fR
3809 This parameter specifies the command to be
3810 executed on the server host in order to stop printing or spooling
3811 a specific print job.
3813 This command should be a program or script which takes
3814 a printer name and job number to pause the print job. One way
3815 of implementing this is by using job priorities, where jobs
3816 with too low a priority won't be sent to the printer.
3818 If a \fI%p\fR is given then the printer name
3819 is put in its place. A \fI%j\fR is replaced with
3820 the job number (an integer). On HPUX (see \fIprinting=hpux
3821 \fR), if the \fI-p%p\fR option is added
3822 to the lpq command, the job will show up with the correct status, i.e.
3823 if the job priority is lower than the set fence priority it will
3824 have the PAUSED status, whereas if the priority is equal or higher it
3825 will have the SPOOLED or PRINTING status.
3827 Note that it is good practice to include the absolute path
3828 in the lppause command as the PATH may not be available to the server.
3830 See also the \fIprinting
3833 Default: Currently no default value is given to
3834 this string, unless the value of the \fIprinting\fR
3835 parameter is SYSV, in which case the default is:
3837 \fBlp -i %p-%j -H hold\fR
3839 or if the value of the \fIprinting\fR parameter
3840 is SOFTQ, then the default is:
3842 \fBqstat -s -j%j -h\fR
3844 Example for HPUX: \fBlppause command = /usr/bin/lpalt
3847 \fBlpq cache time (G)\fR
3848 This controls how long lpq info will be cached
3849 for to prevent the \fBlpq\fR command being called too
3850 often. A separate cache is kept for each variation of the \fBlpq\fR command used by the system, so if you use different
3851 \fBlpq\fR commands for different users then they won't
3852 share cache information.
3854 The cache files are stored in \fI/tmp/lpq.xxxx\fR
3855 where xxxx is a hash of the \fBlpq\fR command in use.
3857 The default is 10 seconds, meaning that the cached results
3858 of a previous identical \fBlpq\fR command will be used
3859 if the cached data is less than 10 seconds old. A large value may
3860 be advisable if your \fBlpq\fR command is very slow.
3862 A value of 0 will disable caching completely.
3864 See also the \fIprinting
3867 Default: \fBlpq cache time = 10\fR
3869 Example: \fBlpq cache time = 30\fR
3871 \fBlpq command (S)\fR
3872 This parameter specifies the command to be
3873 executed on the server host in order to obtain \fBlpq
3874 \fR-style printer status information.
3876 This command should be a program or script which
3877 takes a printer name as its only parameter and outputs printer
3880 Currently nine styles of printer status information
3881 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
3882 This covers most UNIX systems. You control which type is expected
3883 using the \fIprinting =\fR option.
3885 Some clients (notably Windows for Workgroups) may not
3886 correctly send the connection number for the printer they are
3887 requesting status information about. To get around this, the
3888 server reports on the first printer service connected to by the
3889 client. This only happens if the connection number sent is invalid.
3891 If a \fI%p\fR is given then the printer name
3892 is put in its place. Otherwise it is placed at the end of the
3895 Note that it is good practice to include the absolute path
3896 in the \fIlpq command\fR as the \fB$PATH
3897 \fR may not be available to the server. When compiled with
3898 the CUPS libraries, no \fIlpq command\fR is
3899 needed because smbd will make a library call to obtain the
3900 print queue listing.
3902 See also the \fIprinting
3905 Default: \fBdepends on the setting of \fIprinting\fB\fR
3907 Example: \fBlpq command = /usr/bin/lpq -P%p\fR
3909 \fBlpresume command (S)\fR
3910 This parameter specifies the command to be
3911 executed on the server host in order to restart or continue
3912 printing or spooling a specific print job.
3914 This command should be a program or script which takes
3915 a printer name and job number to resume the print job. See
3916 also the \fIlppause command
3919 If a \fI%p\fR is given then the printer name
3920 is put in its place. A \fI%j\fR is replaced with
3921 the job number (an integer).
3923 Note that it is good practice to include the absolute path
3924 in the \fIlpresume command\fR as the PATH may not
3925 be available to the server.
3927 See also the \fIprinting
3930 Default: Currently no default value is given
3931 to this string, unless the value of the \fIprinting\fR
3932 parameter is SYSV, in which case the default is:
3934 \fBlp -i %p-%j -H resume\fR
3936 or if the value of the \fIprinting\fR parameter
3937 is SOFTQ, then the default is:
3939 \fBqstat -s -j%j -r\fR
3941 Example for HPUX: \fBlpresume command = /usr/bin/lpalt
3944 \fBlprm command (S)\fR
3945 This parameter specifies the command to be
3946 executed on the server host in order to delete a print job.
3948 This command should be a program or script which takes
3949 a printer name and job number, and deletes the print job.
3951 If a \fI%p\fR is given then the printer name
3952 is put in its place. A \fI%j\fR is replaced with
3953 the job number (an integer).
3955 Note that it is good practice to include the absolute
3956 path in the \fIlprm command\fR as the PATH may not be
3957 available to the server.
3959 See also the \fIprinting
3962 Default: \fBdepends on the setting of \fIprinting
3965 Example 1: \fBlprm command = /usr/bin/lprm -P%p %j
3968 Example 2: \fBlprm command = /usr/bin/cancel %p-%j
3971 \fBmachine password timeout (G)\fR
3972 If a Samba server is a member of a Windows
3973 NT Domain (see the security = domain
3974 parameter) then periodically a running smbd(8) process will try and change the MACHINE ACCOUNT
3975 PASSWORD stored in the TDB called \fIprivate/secrets.tdb
3976 \fR. This parameter specifies how often this password
3977 will be changed, in seconds. The default is one week (expressed in
3978 seconds), the same as a Windows NT Domain member server.
3980 See also \fBsmbpasswd(8)
3981 \fR and the security = domain parameter.
3983 Default: \fBmachine password timeout = 604800\fR
3985 \fBmagic output (S)\fR
3986 This parameter specifies the name of a file
3987 which will contain output created by a magic script (see the
3991 Warning: If two clients use the same \fImagic script
3992 \fR in the same directory the output file content
3995 Default: \fBmagic output = <magic script name>.out
3998 Example: \fBmagic output = myfile.txt\fR
4000 \fBmagic script (S)\fR
4001 This parameter specifies the name of a file which,
4002 if opened, will be executed by the server when the file is closed.
4003 This allows a UNIX script to be sent to the Samba host and
4004 executed on behalf of the connected user.
4006 Scripts executed in this way will be deleted upon
4007 completion assuming that the user has the appropriate level
4008 of privilege and the file permissions allow the deletion.
4010 If the script generates output, output will be sent to
4011 the file specified by the \fImagic output\fR parameter (see above).
4013 Note that some shells are unable to interpret scripts
4014 containing CR/LF instead of CR as
4015 the end-of-line marker. Magic scripts must be executable
4016 \fBas is\fR on the host, which for some hosts and
4017 some shells will require filtering at the DOS end.
4019 Magic scripts are \fBEXPERIMENTAL\fR and
4020 should \fBNOT\fR be relied upon.
4022 Default: \fBNone. Magic scripts disabled.\fR
4024 Example: \fBmagic script = user.csh\fR
4026 \fBmangle case (S)\fR
4027 See the section on NAME MANGLING
4029 Default: \fBmangle case = no\fR
4031 \fBmangled map (S)\fR
4032 This is for those who want to directly map UNIX
4033 file names which cannot be represented on Windows/DOS. The mangling
4034 of names is not always what is needed. In particular you may have
4035 documents with file extensions that differ between DOS and UNIX.
4036 For example, under UNIX it is common to use \fI.html\fR
4037 for HTML files, whereas under Windows/DOS \fI.htm\fR
4038 is more commonly used.
4040 So to map \fIhtml\fR to \fIhtm\fR
4043 \fBmangled map = (*.html *.htm)\fR
4045 One very useful case is to remove the annoying \fI;1
4046 \fR off the ends of filenames on some CDROMs (only visible
4047 under some UNIXes). To do this use a map of (*;1 *;).
4049 Default: \fBno mangled map\fR
4051 Example: \fBmangled map = (*;1 *;)\fR
4053 \fBmangled names (S)\fR
4054 This controls whether non-DOS names under UNIX
4055 should be mapped to DOS-compatible names ("mangled") and made visible,
4056 or whether non-DOS names should simply be ignored.
4058 See the section on NAME MANGLING for details on how to control the mangling process.
4060 If mangling is used then the mangling algorithm is as follows:
4064 The first (up to) five alphanumeric characters
4065 before the rightmost dot of the filename are preserved, forced
4066 to upper case, and appear as the first (up to) five characters
4067 of the mangled name.
4070 A tilde "~" is appended to the first part of the mangled
4071 name, followed by a two-character unique sequence, based on the
4072 original root name (i.e., the original filename minus its final
4073 extension). The final extension is included in the hash calculation
4074 only if it contains any upper case characters or is longer than three
4077 Note that the character to use may be specified using
4078 the \fImangling char\fR
4079 option, if you don't like '~'.
4082 The first three alphanumeric characters of the final
4083 extension are preserved, forced to upper case and appear as the
4084 extension of the mangled name. The final extension is defined as that
4085 part of the original filename after the rightmost dot. If there are no
4086 dots in the filename, the mangled name will have no extension (except
4087 in the case of "hidden files" - see below).
4090 Files whose UNIX name begins with a dot will be
4091 presented as DOS hidden files. The mangled name will be created as
4092 for other filenames, but with the leading dot removed and "___" as
4093 its extension regardless of actual original extension (that's three
4097 The two-digit hash value consists of upper case
4098 alphanumeric characters.
4100 This algorithm can cause name collisions only if files
4101 in a directory share the same first five alphanumeric characters.
4102 The probability of such a clash is 1/1300.
4104 The name mangling (if enabled) allows a file to be
4105 copied between UNIX directories from Windows/DOS while retaining
4106 the long UNIX filename. UNIX files can be renamed to a new extension
4107 from Windows/DOS and will retain the same basename. Mangled names
4108 do not change between sessions.
4110 Default: \fBmangled names = yes\fR
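The mangling steps listed above, carried through in Python as an added example (this is not Samba's code). The page does not give the hash function, so `two_char_hash` is a labelled stand-in built on CRC32; only the shape of its output (two upper case alphanumeric characters) follows the text. Two such characters give 36 x 36 = 1296 values, which is where a collision figure of about 1/1300 comes from.

```python
import string
import zlib

ALNUM = set(string.ascii_letters + string.digits)
BASE36 = string.digits + string.ascii_uppercase
HASH_SPACE = 36 * 36  # two upper case alphanumeric characters -> 1296 values


def split_name(name):
    """Split at the rightmost dot; no dot means no extension."""
    root, dot, ext = name.rpartition(".")
    return (root, ext) if dot else (name, "")


def hash_input(name):
    """Text the hash is computed over: the root name, plus the final
    extension only if it has upper case characters or is longer than three."""
    root, ext = split_name(name)
    if ext and (len(ext) > 3 or any(c.isupper() for c in ext)):
        return name
    return root


def two_char_hash(text):
    """STAND-IN hash (assumption): CRC32 reduced to two base-36 characters.
    The real smbd hash is not described on this page."""
    value = zlib.crc32(text.encode("utf-8")) % HASH_SPACE
    return BASE36[value // 36] + BASE36[value % 36]


def mangle(name, mangling_char="~"):
    """Build a DOS-compatible name following the steps in the text.
    mangling_char corresponds to the 'mangling char' option."""
    hidden = name.startswith(".")
    if hidden:
        name = name[1:]  # hidden files: leading dot removed
    root, ext = split_name(name)
    # First (up to) five alphanumeric characters before the rightmost dot.
    prefix = "".join(c for c in root if c in ALNUM)[:5].upper()
    if hidden:
        short_ext = "___"  # regardless of the original extension
    else:
        # First three alphanumeric characters of the final extension.
        short_ext = "".join(c for c in ext if c in ALNUM)[:3].upper()
    mangled = prefix + mangling_char + two_char_hash(hash_input(name))
    return mangled + "." + short_ext if short_ext else mangled


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("Long Filename.html", "report.txt", "README", ".bashrc"):
        print(f"{sample!r:24} -> {mangle(sample)}")
```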
4112 \fBmangling method (G)\fR
4113 Controls the algorithm used for generating
4114 the mangled names. Can take two different values, "hash" and
4115 "hash2". "hash" is the default and is the algorithm that has been
4116 used in Samba for many years. "hash2" is newer and is considered
4117 a better algorithm (it generates fewer collisions in the names).
4118 However, many Win32 applications store the mangled names and so
4119 changing to the new algorithm must not be done
4120 lightly as these applications may break unless reinstalled.
4122 Default: \fBmangling method = hash2\fR
4124 Example: \fBmangling method = hash\fR
4126 \fBmangle prefix (G)\fR
4127 Controls the number of prefix
4128 characters from the original name used when generating
4129 the mangled names. A larger value will give a weaker
4130 hash and therefore more name collisions. The minimum
4131 value is 1 and the maximum value is 6.
4133 Default: \fBmangle prefix = 1\fR
4135 Example: \fBmangle prefix = 4\fR
4137 \fBmangled stack (G)\fR
4138 This parameter controls the number of mangled names
4139 that should be cached in the Samba server smbd(8)
4141 This stack is a list of recently mangled base names
4142 (extensions are only maintained if they are longer than 3 characters
4143 or contain upper case characters).
4145 The larger this value, the more likely it is that mangled
4146 names can be successfully converted to correct long UNIX names.
4147 However, large stack sizes will slow most directory accesses. Smaller
4148 stacks save memory in the server (each stack element costs 256 bytes).
4150 It is not possible to absolutely guarantee correct long
4151 filenames, so be prepared for some surprises!
4153 Default: \fBmangled stack = 50\fR
4155 Example: \fBmangled stack = 100\fR
4157 \fBmangling char (S)\fR
4158 This controls what character is used as
4159 the \fBmagic\fR character in name mangling. The default is a '~'
4160 but this may interfere with some software. Use this option to set
4161 it to whatever you prefer.
4163 Default: \fBmangling char = ~\fR
4165 Example: \fBmangling char = ^\fR
4167 \fBmap archive (S)\fR
4168 This controls whether the DOS archive attribute
4169 should be mapped to the UNIX owner execute bit. The DOS archive bit
4170 is set when a file has been modified since its last backup. One
4171 motivation for this option is to keep Samba/your PC from making
4172 any file it touches executable under UNIX. This can
4173 be quite annoying for shared source code, documents, etc...
4175 Note that this requires the \fIcreate mask\fR
4176 parameter to be set such that owner execute bit is not masked out
4177 (i.e. it must include 100). See the parameter \fIcreate mask\fR for details.
4179 Default: \fBmap archive = yes\fR
4181 \fBmap hidden (S)\fR
4182 This controls whether DOS style hidden files
4183 should be mapped to the UNIX world execute bit.
4185 Note that this requires the \fIcreate mask\fR
4186 to be set such that the world execute bit is not masked out (i.e.
4187 it must include 001). See the parameter \fIcreate mask\fR for details.
4189 Default: \fBmap hidden = no\fR
4191 \fBmap system (S)\fR
4192 This controls whether DOS style system files
4193 should be mapped to the UNIX group execute bit.
4195 Note that this requires the \fIcreate mask\fR
4196 to be set such that the group execute bit is not masked out (i.e.
4197 it must include 010). See the parameter \fIcreate mask\fR for details.
4199 Default: \fBmap system = no\fR
4201 \fBmap to guest (G)\fR
4202 This parameter is only useful in security modes other than \fIsecurity = share\fR
4203 - i.e. user, server,
4206 This parameter can take three different values, which tell
4207 smbd(8) what to do with user
4208 login requests that don't match a valid UNIX user in some way.
4210 The three settings are :
4214 Never - Means user login
4215 requests with an invalid password are rejected. This is the
4219 Bad User - Means user
4220 logins with an invalid password are rejected, unless the username
4221 does not exist, in which case it is treated as a guest login and
4222 mapped into the \fIguest account\fR.
4225 Bad Password - Means user logins
4226 with an invalid password are treated as a guest login and mapped
4227 into the guest account. Note that
4228 this can cause problems as it means that any user incorrectly typing
4229 their password will be silently logged on as "guest" - and
4230 will not know the reason they cannot access files they think
4231 they should - there will have been no message given to them
4232 that they got their password wrong. Helpdesk services will
4233 \fBhate\fR you if you set the \fImap to
4234 guest\fR parameter this way :-).
4237 Note that this parameter is needed to set up "Guest"
4238 share services when using \fIsecurity\fR modes other than
4239 share. This is because in these modes the name of the resource being
4240 requested is \fBnot\fR sent to the server until after
4241 the server has successfully authenticated the client so the server
4242 cannot make authentication decisions at the correct time (connection
4243 to the share) for "Guest" shares.
4245 For people familiar with the older Samba releases, this
4246 parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.
4248 Default: \fBmap to guest = Never\fR
4250 Example: \fBmap to guest = Bad User\fR
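An added example (not part of Samba or of the original manual page): a small audit that parses smb.conf text using the file rules given at the top of this page and reports three settings this page cautions about, `map to guest = Bad Password`, any `magic script`, and `locking = no`. The function names, messages and sample configuration are constructed for illustration.

```python
FALSE_VALUES = {"no", "false", "0"}  # boolean spellings accepted by smb.conf


def normalize(name):
    """Section/parameter names: case and all whitespace are irrelevant."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):          # continued on the next line
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)

    sections, current = {}, None
    for line in logical:
        line = line.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            # Only the first equals sign is significant.
            name, value = line.split("=", 1)
            sections[current][normalize(name)] = value.strip()
    return sections


def audit(text):
    """Return (section, parameter, reason) for each setting worth reviewing."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        guest = " ".join(params.get("maptoguest", "").lower().split())
        if guest == "bad password":
            findings.append((section, "map to guest",
                             "logins with an invalid password become guest logins"))
        if params.get("magicscript"):
            findings.append((section, "magic script",
                             "named file is executed by the server when closed"))
        if params.get("locking", "").lower() in FALSE_VALUES:
            findings.append((section, "locking",
                             "lock requests only appear to succeed"))
    return findings


# Constructed sample configuration, not taken from a real server.
SAMPLE = r"""
# constructed sample
[global]
   Map To Guest = bad \
password
   locking = yes
[scratch]
   path = /srv/scratch
   LOCKING = No
   magic script = run.sh
[docs]
   path = /srv/docs
   ; magic script = ignored.sh
"""

if __name__ == "__main__":
    for section, parameter, reason in audit(SAMPLE):
        print(f"[{section}] {parameter}: {reason}")
```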
4252 \fBmax connections (S)\fR
4253 This option allows the number of simultaneous
4254 connections to a service to be limited. If \fImax connections
4255 \fR is greater than 0 then connections will be refused if
4256 this number of connections to the service are already open. A value
4257 of zero means an unlimited number of connections may be made.
4259 Record lock files are used to implement this feature. The
4260 lock files will be stored in the directory specified by the \fIlock directory\fR
4263 Default: \fBmax connections = 0\fR
4265 Example: \fBmax connections = 10\fR
4267 \fBmax disk size (G)\fR
4268 This option allows you to put an upper limit
4269 on the apparent size of disks. If you set this option to 100
4270 then all shares will appear to be not larger than 100 MB in
4273 Note that this option does not limit the amount of
4274 data you can put on the disk. In the above case you could still
4275 store much more than 100 MB on the disk, but if a client ever asks
4276 for the amount of free disk space or the total disk size then the
4277 result will be bounded by the amount specified in \fImax
4280 This option is primarily useful to work around bugs
4281 in some pieces of software that can't handle very large disks,
4282 particularly disks over 1GB in size.
4284 A \fImax disk size\fR of 0 means no limit.
4286 Default: \fBmax disk size = 0\fR
4288 Example: \fBmax disk size = 1000\fR
4290 \fBmax log size (G)\fR
4291 This option (an integer in kilobytes) specifies
4292 the max size the log file should grow to. Samba periodically checks
4293 the size and if it is exceeded it will rename the file, adding
4294 a \fI.old\fR extension.
4296 A size of 0 means no limit.
4298 Default: \fBmax log size = 5000\fR
4300 Example: \fBmax log size = 1000\fR
4303 This option controls the maximum number of
4304 outstanding simultaneous SMB operations that Samba tells the client
4305 it will allow. You should never need to set this parameter.
4307 Default: \fBmax mux = 50\fR
4309 \fBmax open files (G)\fR
4310 This parameter limits the maximum number of
4311 open files that one smbd(8) file
4312 serving process may have open for a client at any one time. The
4313 default for this parameter is set very high (10,000) as Samba uses
4314 only one bit per unopened file.
4316 The limit of the number of open files is usually set
4317 by the UNIX per-process file descriptor limit rather than
4318 this parameter so you should never need to touch this parameter.
4320 Default: \fBmax open files = 10000\fR
4322 \fBmax print jobs (S)\fR
4323 This parameter limits the maximum number of
4324 jobs allowable in a Samba printer queue at any given moment.
4325 If this number is exceeded, \fBsmbd(8)\fR will report "Out of Space" to the client.
4329 Default: \fBmax print jobs = 1000\fR
4331 Example: \fBmax print jobs = 5000\fR
4333 \fBmax protocol (G)\fR
4334 The value of the parameter (a string) is the highest
4335 protocol level that will be supported by the server.
4337 Possible values are :
4341 CORE: Earliest version. No
4342 concept of user names.
4345 COREPLUS: Slight improvements on
4346 CORE for efficiency.
4349 LANMAN1: First \fBmodern\fR version of the protocol. Long filename
4353 LANMAN2: Updates to Lanman1 protocol.
4356 NT1: Current up to date version of
4357 the protocol. Used by Windows NT. Known as CIFS.
4360 Normally this option should not be set as the automatic
4361 negotiation phase in the SMB protocol takes care of choosing
4362 the appropriate protocol.
4367 Default: \fBmax protocol = NT1\fR
4369 Example: \fBmax protocol = LANMAN1\fR
4371 \fBmax smbd processes (G)\fR
4372 This parameter limits the maximum number of
4374 processes concurrently running on a system and is intended
4375 as a stopgap to prevent degrading service to clients in the event
4376 that the server has insufficient resources to handle more than this
4377 number of connections. Remember that under normal operating
4378 conditions, each user will have an smbd associated with him or her
4379 to handle connections to all shares from a given host.
4381 Default: \fBmax smbd processes = 0\fR ## no limit
4383 Example: \fBmax smbd processes = 1000\fR
4386 This option tells nmbd(8)
4387 what the default 'time to live' of NetBIOS names should be (in seconds)
4388 when \fBnmbd\fR is requesting a name using either a
4389 broadcast packet or from a WINS server. You should never need to
4390 change this parameter. The default is 3 days.
4392 Default: \fBmax ttl = 259200\fR
4394 \fBmax wins ttl (G)\fR
4395 This option tells nmbd(8)
4396 when acting as a WINS server (\fIwins support = yes\fR) what the maximum
4397 \&'time to live' of NetBIOS names that \fBnmbd\fR
4398 will grant will be (in seconds). You should never need to change this
4399 parameter. The default is 6 days (518400 seconds).
4402 wins ttl\fR parameter.
4404 Default: \fBmax wins ttl = 518400\fR
4407 This option controls the maximum packet size
4408 that will be negotiated by Samba. The default is 65535, which
4409 is the maximum. In some cases you may find you get better performance
4410 with a smaller value. A value below 2048 is likely to cause problems.
4412 Default: \fBmax xmit = 65535\fR
4414 Example: \fBmax xmit = 8192\fR
4416 \fBmessage command (G)\fR
4417 This specifies what command to run when the
4418 server receives a WinPopup style message.
4420 This would normally be a command that would
4421 deliver the message somehow. How this is to be done is
4422 up to your imagination.
4426 \fBmessage command = csh -c 'xedit %s;rm %s' &\fR
4428 This delivers the message using \fBxedit\fR, then
4429 removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT
4430 THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I
4431 have the '&' on the end. If it doesn't return immediately then
4432 your PCs may freeze when sending messages (they should recover
4433 after 30 seconds, hopefully).
4435 All messages are delivered as the global guest user.
4436 The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better
4439 Apart from the standard substitutions, some additional
4440 ones apply. In particular:
4444 \fI%s\fR = the filename containing
4448 \fI%t\fR = the destination that
4449 the message was sent to (probably the server name).
4452 \fI%f\fR = who the message
4456 You could make this command send mail, or whatever else
4457 takes your fancy. Please let us know of any really interesting
4460 Here's a way of sending the messages as mail to root:
4462 \fBmessage command = /bin/mail -s 'message from %f on
4463 %m' root < %s; rm %s\fR
4465 If you don't have a message command then the message
4466 won't be delivered and Samba will tell the sender there was
4467 an error. Unfortunately WfWg totally ignores the error code
4468 and carries on regardless, saying that the message was delivered.
4470 If you want to silently delete it then try:
4472 \fBmessage command = rm %s\fR
4474 Default: \fBno message command\fR
4476 Example: \fBmessage command = csh -c 'xedit %s;
4479 \fBmin passwd length (G)\fR
4480 Synonym for \fImin password length\fR.
4482 \fBmin password length (G)\fR
4483 This option sets the minimum length in characters
4484 of a plaintext password that \fBsmbd\fR will accept when performing
4485 UNIX password changing.
4488 password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR
4491 Default: \fBmin password length = 5\fR
4493 \fBmin print space (S)\fR
4494 This sets the minimum amount of free disk
4495 space that must be available before a user will be able to spool
4496 a print job. It is specified in kilobytes. The default is 0, which
4497 means a user can always spool a print job.
4499 See also the \fIprinting
4502 Default: \fBmin print space = 0\fR
4504 Example: \fBmin print space = 2000\fR
4506 \fBmin protocol (G)\fR
4507 The value of the parameter (a string) is the
4508 lowest SMB protocol dialect that Samba will support. Please refer
4509 to the \fImax protocol\fR
4510 parameter for a list of valid protocol names and a brief description
4511 of each. You may also wish to refer to the C source code in
4512 \fIsource/smbd/negprot.c\fR for a listing of known protocol
4513 dialects supported by clients.
4515 If you are viewing this parameter as a security measure, you should
4516 also refer to the \fIlanman
4517 auth\fR parameter. Otherwise, you should never need
4518 to change this parameter.
4520 Default : \fBmin protocol = CORE\fR
4522 Example : \fBmin protocol = NT1\fR # disable DOS
4525 \fBmin wins ttl (G)\fR
4526 This option tells nmbd(8)
4527 when acting as a WINS server (\fIwins support = yes\fR) what the minimum 'time to live'
4528 of NetBIOS names that \fBnmbd\fR will grant will be (in
4529 seconds). You should never need to change this parameter. The default
4530 is 6 hours (21600 seconds).
4532 Default: \fBmin wins ttl = 21600\fR
4534 \fBmsdfs proxy (S)\fR
4535 This parameter indicates that the share is a
4536 stand-in for another CIFS share whose location is specified by
4537 the value of the parameter. When clients attempt to connect to
4538 this share, they are redirected to the proxied share using
4539 the SMB-Dfs protocol.
4541 Only Dfs roots can act as proxy shares. Take a look at the
4545 options to find out how to set up a Dfs root share.
4547 Example: \fBmsdfs proxy = \\otherserver\\someshare\fR
4549 \fBmsdfs root (S)\fR
4550 This boolean parameter is only available if
4551 Samba is configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
4552 Samba treats the share as a Dfs root and allows clients to browse
4553 the distributed file system tree rooted at the share directory.
4554 Dfs links are specified in the share directory by symbolic
4555 links of the form \fImsdfs:serverA\\shareA,serverB\\shareB\fR
4556 and so on. For more information on setting up a Dfs tree
4557 on Samba, refer to msdfs_setup.html
4560 See also \fIhost msdfs
4563 Default: \fBmsdfs root = no\fR
4565 \fBname cache timeout (G)\fR
4566 Specifies the number of seconds it takes before
4567 entries in Samba's hostname resolve cache time out. If
4568 the timeout is set to 0, the caching is disabled.
4570 Default: \fBname cache timeout = 660\fR
4572 Example: \fBname cache timeout = 0\fR
4574 \fBname resolve order (G)\fR
4575 This option is used by the programs in the Samba
4576 suite to determine what naming services to use and in what order
4577 to resolve host names to IP addresses. The option takes a space
4578 separated string of name resolution options.
4580 The options are: "lmhosts", "host", "wins" and "bcast". They
4581 cause names to be resolved as follows:
4585 lmhosts : Lookup an IP
4586 address in the Samba lmhosts file. If the line in lmhosts has
4587 no name type attached to the NetBIOS name (see the lmhosts(5) for details) then
4588 any name type matches for lookup.
4591 host : Do a standard host
4592 name to IP address resolution, using the system \fI/etc/hosts
4593 \fR, NIS, or DNS lookups. This method of name resolution
4594 is operating system dependent; for instance, on IRIX or Solaris this
4595 may be controlled by the \fI/etc/nsswitch.conf\fR
4596 file. Note that this method is only used if the NetBIOS name
4597 type being queried is the 0x20 (server) name type, otherwise
4601 wins : Query a name with
4602 the IP address listed in the \fI wins server\fR parameter. If no WINS server has
4603 been specified this method will be ignored.
4606 bcast : Do a broadcast on
4607 each of the known local interfaces listed in the \fIinterfaces\fR
4608 parameter. This is the least reliable of the name resolution
4609 methods as it depends on the target host being on a locally
4613 Default: \fBname resolve order = lmhosts host wins bcast
4616 Example: \fBname resolve order = lmhosts bcast host
4619 This will cause the local lmhosts file to be examined
4620 first, followed by a broadcast attempt, followed by a normal
4621 system hostname lookup.
4623 \fBnetbios aliases (G)\fR
4624 This is a list of NetBIOS names that nmbd(8) will advertise as additional
4625 names by which the Samba server is known. This allows one machine
4626 to appear in browse lists under multiple names. If a machine is
4627 acting as a browse server or logon server none
4628 of these names will be advertised as either browse server or logon
4629 servers, only the primary name of the machine will be advertised
4630 with these capabilities.
4635 Default: \fBempty string (no additional names)\fR
4637 Example: \fBnetbios aliases = TEST TEST1 TEST2\fR
4639 \fBnetbios name (G)\fR
4640 This sets the NetBIOS name by which a Samba
4641 server is known. By default it is the same as the first component
4642 of the host's DNS name. If a machine is a browse server or
4643 logon server this name (or the first component
4644 of the host's DNS name) will be the name that these services are
4650 Default: \fBmachine DNS name\fR
4652 Example: \fBnetbios name = MYNAME\fR
4654 \fBnetbios scope (G)\fR
4655 This sets the NetBIOS scope that Samba will
4656 operate under. This should not be set unless every machine
4657 on your LAN also sets this value.
4659 \fBnis homedir (G)\fR
4660 Get the home share server from a NIS map. For
4661 UNIX systems that use an automounter, the user's home directory
4662 will often be mounted on a workstation on demand from a remote
4665 When the Samba logon server is not the actual home directory
4666 server, but is mounting the home directories via NFS then two
4667 network hops would be required to access the user's home directory
4668 if the logon server told the client to use itself as the SMB server
4669 for home directories (one over SMB and one over NFS). This can
4672 This option allows Samba to return the home share as
4673 being on a different server to the logon server and as
4674 long as a Samba daemon is running on the home directory server,
4675 it will be mounted on the Samba client directly from the directory
4676 server. When Samba is returning the home share to the client, it
4677 will consult the NIS map specified in \fIhomedir map\fR and return the server
4680 Note that for this option to work there must be a working
4681 NIS system and the Samba server with this option must also
4684 Default: \fBnis homedir = no\fR
4686 \fBnon unix account range (G)\fR
4687 The non unix account range parameter specifies
4688 the range of 'user ids' that are allocated by the various 'non unix
4689 account' passdb backends. These backends allow
4690 the storage of passwords for users who don't exist in /etc/passwd.
4691 This is most often used for machine account creation.
4692 This range of ids should have no existing local or NIS users within
4693 it as strange conflicts can occur otherwise.
4695 NOTE: These userids never appear on the system and Samba will never
4696 \&'become' these users. They are used only to ensure that the algorithmic
4697 RID mapping does not conflict with normal users.
4699 Default: \fBnon unix account range = <empty string>
4702 Example: \fBnon unix account range = 10000-20000\fR
4704 \fBnt acl support (S)\fR
4705 This boolean parameter controls whether
4706 smbd(8) will attempt to map
4707 UNIX permissions into Windows NT access control lists.
4708 This parameter was formerly a global parameter in releases
4711 Default: \fBnt acl support = yes\fR
4713 \fBnt pipe support (G)\fR
4714 This boolean parameter controls whether
4715 smbd(8) will allow Windows NT
4716 clients to connect to the NT SMB specific IPC$
4717 pipes. This is a developer debugging option and can be left
4720 Default: \fBnt pipe support = yes\fR
4722 \fBnt status support (G)\fR
4723 This boolean parameter controls whether smbd(8) will negotiate NT specific status
4724 support with Windows NT/2k/XP clients. This is a developer
4725 debugging option and should be left alone.
4726 If this option is set to no then Samba offers
4727 exactly the same DOS error codes that versions prior to Samba 2.2.3
4730 You should not need to ever disable this parameter.
4732 Default: \fBnt status support = yes\fR
4734 \fBnull passwords (G)\fR
4735 Allow or disallow client access to accounts
4736 that have null passwords.
4738 See also smbpasswd (5)
4740 Default: \fBnull passwords = no\fR
4742 \fBobey pam restrictions (G)\fR
4743 When Samba 2.2 is configured to enable PAM support
4744 (i.e. --with-pam), this parameter will control whether or not Samba
4745 should obey PAM's account and session management directives. The
4746 default behavior is to use PAM for clear text authentication only
4747 and to ignore any account or session management. Note that Samba
4748 always ignores PAM for authentication in the case of \fIencrypt passwords = yes\fR.
4749 The reason is that PAM modules cannot support the challenge/response
4750 authentication mechanism needed in the presence of SMB password encryption.
4752 Default: \fBobey pam restrictions = no\fR
4755 This is a boolean option that controls whether
4756 connections with usernames not in the \fIuser\fR
4757 list will be allowed. By default this option is disabled so that a
4758 client can supply a username to be used by the server. Enabling
4759 this parameter will force the server to only use the login
4760 names from the \fIuser\fR list and is only really
4761 useful in share level
4764 Note that this also means Samba won't try to deduce
4765 usernames from the service name. This can be annoying for
4766 the [homes] section. To get around this you could use \fBuser =
4767 %S\fR which means your \fIuser\fR list
4768 will be just the service name, which for home directories is the
4771 See also the \fIuser\fR
4774 Default: \fBonly user = no\fR
4776 \fBonly guest (S)\fR
4777 A synonym for \fI guest only\fR.
4779 \fBoplock break wait time (G)\fR
4780 This is a tuning parameter added due to bugs in
4781 both Windows 9x and WinNT. If Samba responds to a client too
4782 quickly when that client issues an SMB that can cause an oplock
4783 break request, then the network client can fail and not respond
4784 to the break request. This tuning parameter (which is set in milliseconds)
4785 is the amount of time Samba will wait before sending an oplock break
4786 request to such (broken) clients.
4788 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4789 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4791 Default: \fBoplock break wait time = 0\fR
4793 \fBoplock contention limit (S)\fR
4794 This is a \fBvery\fR advanced
4795 smbd(8) tuning option to
4796 improve the efficiency of the granting of oplocks under multiple
4797 client contention for the same file.
4799 In brief it specifies a number, which causes smbd not to
4800 grant an oplock even when requested if the approximate number of
4801 clients contending for an oplock on the same file goes over this
4802 limit. This causes \fBsmbd\fR to behave in a similar
4805 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4806 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4808 Default: \fBoplock contention limit = 2\fR
4811 This boolean option tells \fBsmbd\fR whether to
4812 issue oplocks (opportunistic locks) to file open requests on this
4813 share. The oplock code can dramatically (approx. 30% or more) improve
4814 the speed of access to files on Samba servers. It allows the clients
4815 to aggressively cache files locally and you may want to disable this
4816 option for unreliable network environments (it is turned on by
4817 default in Windows NT Servers). For more information see the file
4818 \fISpeed.txt\fR in the Samba \fIdocs/\fR
4821 Oplocks may be selectively turned off on certain files with a
4822 share. See the \fI veto oplock files\fR parameter. On some systems
4823 oplocks are recognized by the underlying operating system. This
4824 allows data synchronization between all access to oplocked files,
4825 whether it be via Samba or NFS or a local UNIX process. See the
4826 \fIkernel oplocks\fR parameter for details.
4828 See also the \fIkernel
4829 oplocks\fR and \fI level2 oplocks\fR parameters.
4831 Default: \fBoplocks = yes\fR
4834 This parameter determines whether or not smbd will
4835 attempt to authenticate users using the NTLM password hash.
4836 If disabled, only the lanman password hashes will be used.
4838 Please note that at least this option or \fBlanman auth\fR should be enabled in order to be able to log in.
4840 Default : \fBntlm auth = yes\fR
4843 This integer value controls what level Samba
4844 advertises itself as for browse elections. The value of this
4845 parameter determines whether nmbd(8)
4846 has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area.
4848 \fBNote:\fR By default, Samba will win
4849 a local master browsing election over all Microsoft operating
4850 systems except a Windows NT 4.0/2000 Domain Controller. This
4851 means that a misconfigured Samba host can effectively isolate
4852 a subnet for browsing purposes. See \fIBROWSING.txt
4853 \fR in the Samba \fIdocs/\fR directory
4856 Default: \fBos level = 20\fR
4858 Example: \fBos level = 65 \fR
4860 \fBos2 driver map (G)\fR
4861 The parameter is used to define the absolute
4862 path to a file containing a mapping of Windows NT printer driver
4863 names to OS/2 printer driver names. The format is:
4865 <nt driver name> = <os2 driver
4868 For example, a valid entry using the HP LaserJet 5
4869 printer driver would appear as \fBHP LaserJet 5L = LASERJET.HP
4872 The need for the file is due to the printer driver namespace
4873 problem described in the Samba
4874 Printing HOWTO. For more details on OS/2 clients, please
4875 refer to the OS2-Client-HOWTO
4876 contained in the Samba documentation.
4878 Default: \fBos2 driver map = <empty string>
4881 \fBpam password change (G)\fR
4882 With the addition of better PAM support in Samba 2.2,
4883 it is possible to use PAM's password change control
4884 flag for Samba. If enabled, then PAM will be used for password
4885 changes when requested by an SMB client instead of the program listed in
4886 \fIpasswd program\fR.
4887 It should be possible to enable this without changing your
4889 parameter for most setups.
4891 Default: \fBpam password change = no\fR
4893 \fBpanic action (G)\fR
4894 This is a Samba developer option that allows a
4895 system command to be called when either smbd(8)
4896 crashes. This is usually used to draw attention to the fact that
4899 Default: \fBpanic action = <empty string>\fR
4901 Example: \fBpanic action = "/bin/sleep 90000"\fR
4903 \fBparanoid server security (G)\fR
4904 Some versions of NT 4.x allow non-guest
4905 users with a bad password. When this option is enabled, Samba will not
4906 use a broken NT 4.x server as password server, but instead complain
4907 to the logs and exit.
4909 Default: \fBparanoid server security = yes\fR
4911 \fBpassdb backend (G)\fR
4912 This option allows the administrator to choose which backends to retrieve and store passwords with. This allows (for example) both
4913 smbpasswd and tdbsam to be used without a recompile.
4914 Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.
4915 Experimental backends must still be selected
4916 (eg --with-tdbsam) at configure time.
4918 This parameter is in two parts, the backend's name, and a 'location'
4919 string that has meaning only to that particular backend. These are separated
4922 Available backends can include:
4926 \fBsmbpasswd\fR - The default smbpasswd
4927 backend. Takes a path to the smbpasswd file as an optional argument.
4930 \fBsmbpasswd_nua\fR - The smbpasswd
4931 backend, but with support for 'not unix accounts'.
4932 Takes a path to the smbpasswd file as an optional argument.
4934 See also \fInon unix account range\fR
4937 \fBtdbsam\fR - The TDB based password storage
4938 backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
4939 in the \fIprivate dir\fR directory).
4942 \fBtdbsam_nua\fR - The TDB based password storage
4943 backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
4944 in the \fIprivate dir\fR directory).
4946 See also \fInon unix account range\fR
4949 \fBldapsam\fR - The LDAP based passdb
4950 backend. Takes an LDAP URL as an optional argument (defaults to
4951 \fBldap://localhost\fR)
4954 \fBldapsam_nua\fR - The LDAP based passdb
4955 backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
4956 \fBldap://localhost\fR)
4958 Note: In this module, any account without a matching POSIX account is regarded
4961 See also \fInon unix account
4964 LDAP connections should be secured where
4965 possible. This may be done using either
4966 Start-TLS (see \fIldap ssl\fR) or by
4967 specifying \fIldaps://\fR in
4971 \fBnisplussam\fR - The NIS+ based passdb backend. Takes the name of the NIS domain as an optional argument. Only works with Sun NIS+ servers.
4974 \fBplugin\fR - Allows Samba to load an
4975 arbitrary passdb backend from the .so specified as a compulsory argument.
4977 Any characters after the (optional) second : are passed to the plugin
4978 for its own processing.
4981 \fBunixsam\fR - Allows Samba to map all (other) available unix users
4983 This backend uses the standard unix database for retrieving users. Users included
4984 in this pdb are NOT listed in samba user listings and users included in this pdb won't be
4985 able to login. The use of this backend is to always be able to display the owner of a file
4986 on the samba server - even when the user doesn't have a 'real' samba account in one of the
4987 other passdb backends.
4989 This backend should always be the last backend listed, since it contains all users in
4990 the unix passdb and might 'override' mappings if specified earlier. It's meant to only return
4991 accounts for users that aren't covered by the previous backends.
4994 Default: \fBpassdb backend = smbpasswd unixsam\fR
4996 Example: \fBpassdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam\fR
4998 Example: \fBpassdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam\fR
5000 Example: \fBpassdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb\fR
5002 \fBpasswd chat (G)\fR
5003 This string controls the \fB"chat"\fR
5004 conversation that takes place between smbd and the local password changing
5005 program to change the user's password. The string describes a
5006 sequence of response-receive pairs that smbd(8) uses to determine what to send to the
5007 \fIpasswd program\fR
5008 and what to expect back. If the expected output is not
5009 received then the password is not changed.
5011 This chat sequence is often quite site specific, depending
5012 on what local methods are used for password control (such as NIS
5015 Note that this parameter is only used if the \fIunix
5016 password sync\fR parameter is set to yes. This
5017 sequence is then called \fBAS ROOT\fR when the SMB password
5018 in the smbpasswd file is being changed, without access to the old
5019 password cleartext. This means that root must be able to reset the user's password
5020 without knowing the text of the previous password. In the presence of NIS/YP,
5021 this means that the passwd program must be
5022 executed on the NIS master.
5024 The string can contain the macro \fI%n\fR which is substituted
5025 for the new password. The chat sequence can also contain the standard
5026 macros \\n, \\r, \\t and \\s to give line-feed,
5027 carriage-return, tab and space. The chat sequence string can also contain
5028 a '*' which matches any sequence of characters.
5029 Double quotes can be used to collect strings with spaces
5030 in them into a single string.
5032 If the send string in any part of the chat sequence
5033 is a full stop ".", then no string is sent. Similarly,
5034 if the expect string is a full stop then no string is expected.
5037 password change\fR parameter is set to yes, the chat pairs
5038 may be matched in any order, and success is determined by the PAM result,
5039 not any particular output. The \\n macro is ignored for PAM conversions.
5041 See also \fIunix password
5042 sync\fR, \fIpasswd program\fR, \fIpasswd chat debug\fR and \fIpam password change\fR.
5044 Default: \fBpasswd chat = *new*password* %n\\n
5045 *new*password* %n\\n *changed*\fR
5047 Example: \fBpasswd chat = "*Enter OLD password*" %o\\n
5048 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
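The chat rules described for passwd chat (quoted strings, the \n \r \t \s macros, %n, the '*' wildcard and the "." placeholder) can be checked offline before a site-specific sequence is deployed. The following is an added example, not Samba's own code: the function names, the case-insensitive matching and both sets of program output are assumptions constructed for illustration.

```python
import re

# Macros the passwd chat description lists, as they are typed in smb.conf.
MACROS = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}

def tokenize(chat):
    """Split on whitespace; double quotes collect a string with spaces into one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', chat)]

def parse_chat(chat):
    """Return the sequence as (expect, send) pairs; a trailing expect gets send '.'."""
    tokens = tokenize(chat)
    if len(tokens) % 2:
        tokens.append(".")
    return list(zip(tokens[0::2], tokens[1::2]))

def expand(token, new_password):
    """Expand the macros first, then %n, so the password text is never re-interpreted."""
    for macro, char in MACROS.items():
        token = token.replace(macro, char)
    return token.replace("%n", new_password)

def wildcard_match(pattern, text):
    """'*' matches any sequence of characters (case-insensitive here: an assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

def run_chat(chat, program_output, new_password):
    """Drive the chat against scripted output.

    Returns (changed, sent_strings, failed_expect). A full stop as expect or
    send means nothing is expected or sent at that step.
    """
    output = iter(program_output)
    sent = []
    for expect, send in parse_chat(chat):
        if expect != ".":
            received = next(output, "")
            if not wildcard_match(expand(expect, new_password), received):
                return False, sent, expect   # expected output not received
        if send != ".":
            sent.append(expand(send, new_password))
    return True, sent, None

# The default chat from this manpage, written as it appears in smb.conf.
DEFAULT_CHAT = r"*new*password* %n\n *new*password* %n\n *changed*"

# Constructed output of two hypothetical passwd programs.
CHANGED_OUTPUT = ["New password: ", "Retype new password: ", "Password changed.\n"]
UPDATED_OUTPUT = ["Enter new UNIX password: ", "Retype new UNIX password: ",
                  "passwd: password updated successfully\n"]

if __name__ == "__main__":
    print(run_chat(DEFAULT_CHAT, CHANGED_OUTPUT, "s3cret"))
    print(run_chat(DEFAULT_CHAT, UPDATED_OUTPUT, "s3cret"))
```

The second run fails at *changed* because that program reports success with different wording, which is the site-specific mismatch the text warns about.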
5051 \fBpasswd chat debug (G)\fR
5052 This boolean specifies if the passwd chat script
5053 parameter is run in \fBdebug\fR mode. In this mode the
5054 strings passed to and received from the passwd chat are printed
5055 in the smbd(8) log with a
5057 of 100. This is a dangerous option as it will allow plaintext passwords
5058 to be seen in the \fBsmbd\fR log. It is available to help
5059 Samba admins debug their \fIpasswd chat\fR scripts
5060 when calling the \fIpasswd program\fR and should
5061 be turned off after this has been done. This option has no effect if the
5062 \fIpam password change\fR
5063 parameter is set. This parameter is off by default.
5065 See also \fIpasswd chat\fR,
5066 \fIpam password change\fR,
5067 \fIpasswd program\fR
5070 Default: \fBpasswd chat debug = no\fR
5072 \fBpasswd program (G)\fR
5073 The name of a program that can be used to set
5074 UNIX user passwords. Any occurrences of \fI%u\fR
5075 will be replaced with the user name. The user name is checked for
5076 existence before calling the password changing program.
5078 Also note that many passwd programs insist on \fBreasonable
5079 \fR passwords, such as a minimum length, or the inclusion
5080 of mixed case chars and digits. This can pose a problem as some clients
5081 (such as Windows for Workgroups) uppercase the password before sending
5084 \fBNote\fR that if the \fIunix
5085 password sync\fR parameter is set to yes
5086 then this program is called \fBAS ROOT\fR
5087 before the SMB password in the smbpasswd(5)
5088 file is changed. If this UNIX password change fails, then
5089 \fBsmbd\fR will fail to change the SMB password also
5090 (this is by design).
5092 If the \fIunix password sync\fR parameter
5093 is set this parameter \fBMUST USE ABSOLUTE PATHS\fR
5094 for \fBALL\fR programs called, and must be examined
5095 for security implications. Note that by default \fIunix
5096 password sync\fR is set to no.
5101 Default: \fBpasswd program = /bin/passwd\fR
5103 Example: \fBpasswd program = /sbin/npasswd %u\fR
5105 \fBpassword level (G)\fR
5106 Some client/server combinations have difficulty
5107 with mixed-case passwords. One offending client is Windows for
5108 Workgroups, which for some reason forces passwords to upper
5109 case when using the LANMAN1 protocol, but leaves them alone when
5110 using COREPLUS! Another problem child is the Windows 95/98
5111 family of operating systems. These clients upper case clear
5112 text passwords even when NT LM 0.12 is selected by the protocol
5113 negotiation request/response.
5115 This parameter defines the maximum number of characters
5116 that may be upper case in passwords.
5118 For example, say the password given was "FRED". If \fIpassword level\fR is set to 1, the following combinations
5119 would be tried if "FRED" failed:
5121 "Fred", "fred", "fRed", "frEd", "freD"
5123 If \fIpassword level\fR was set to 2,
5124 the following combinations would also be tried:
5126 "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
5130 The higher the value this parameter is set to, the more likely
5131 it is that a mixed case password will be matched against a single
5132 case password. However, you should be aware that use of this
5133 parameter reduces security and increases the time taken to
5134 process a new connection.
5136 A value of zero will cause only two attempts to be
5137 made - the password as is and the password in all-lower case.
5139 Default: \fBpassword level = 0\fR
5141 Example: \fBpassword level = 4\fR
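The cost of password level can be made concrete by enumerating the case variants the text describes for a given level. This is an added example that models the description above, not Samba's own code; the function names are this example's own, and the exact order in which smbd tries variants is an assumption.

```python
from itertools import combinations
from math import comb

def candidates(password, level):
    """Case variants tried for one supplied password.

    The password is tried as given, then in lower case with up to `level`
    of its letters raised to upper case.
    """
    tried = [password]
    base = password.lower()
    # Only characters that actually have two cases can be raised.
    letters = [i for i, ch in enumerate(base) if ch.upper() != ch.lower()]
    for k in range(min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            variant = "".join(chars)
            if variant not in tried:
                tried.append(variant)
    return tried

def attempt_bound(length, level):
    """Upper bound on comparisons per logon for a password of `length` letters."""
    return 1 + sum(comb(length, k) for k in range(min(level, length) + 1))

def accepts(stored, supplied, level):
    """True if a client sending `supplied` would match the stored password."""
    return stored in candidates(supplied, level)

if __name__ == "__main__":
    print(candidates("FRED", 1))
    # Growth of the per-logon work for an 8-letter password.
    for level in (0, 1, 2, 4, 8):
        print(level, attempt_bound(8, level))
    # A stored mixed-case password matched by an all-upper-case guess.
    print(accepts("fReD", "FRED", 1), accepts("fReD", "FRED", 2))
```

At a level equal to the password length, every casing of a guess is tried, so the stored password is effectively compared without regard to case.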
5143 \fBpassword server (G)\fR
5144 By specifying the name of another SMB server (such
5145 as a WinNT box) with this option, and using \fBsecurity = domain
5146 \fR or \fBsecurity = server\fR you can get Samba
5147 to do all its username/password validation via a remote server.
5149 This option sets the name of the password server to use.
5150 It must be a NetBIOS name, so if the machine's NetBIOS name is
5151 different from its Internet name then you may have to add its NetBIOS
5152 name to the lmhosts file which is stored in the same directory
5153 as the \fIsmb.conf\fR file.
5155 The name of the password server is looked up using the
5157 resolve order\fR and so may be resolved
5158 by any method and order described in that parameter.
5160 The password server must be a machine capable of using
5161 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
5162 user level security mode.
5164 \fBNOTE:\fR Using a password server
5165 means your UNIX box (running Samba) is only as secure as your
5166 password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT
5167 YOU DON'T COMPLETELY TRUST\fR.
5169 Never point a Samba server at itself for password
5170 serving. This will cause a loop and could lock up your Samba
5173 The name of the password server takes the standard
5174 substitutions, but probably the only useful one is \fI%m
5175 \fR, which means the Samba server will use the incoming
5176 client as the password server. If you use this then you had better
5177 trust your clients, and you had better restrict them with hosts allow!
5179 If the \fIsecurity\fR parameter is set to
5180 domain, then the list of machines in this
5181 option must be a list of Primary or Backup Domain controllers for the
5182 Domain or the character '*', as the Samba server is effectively
5183 in that domain, and will use cryptographically authenticated RPC calls
5184 to authenticate the user logging on. The advantage of using \fBsecurity = domain\fR is that if you list several hosts in the
5185 \fIpassword server\fR option then \fBsmbd
5186 \fR will try each in turn till it finds one that responds. This
5187 is useful in case your primary server goes down.
5189 If the \fIpassword server\fR option is set
5190 to the character '*', then Samba will attempt to auto-locate the
5191 Primary or Backup Domain controllers to authenticate against by
5192 doing a query for the name WORKGROUP<1C>
5193 and then contacting each server returned in the list of IP
5194 addresses from the name resolution source.
5196 If the list of servers contains both names and the '*'
5197 character, the list is treated as a list of preferred
5198 domain controllers, but an auto lookup of all remaining DC's
5199 will be added to the list as well. Samba will not attempt to optimize
5200 this list by locating the closest DC.
5202 If the \fIsecurity\fR parameter is
5203 set to server, then there are different
5204 restrictions that \fBsecurity = domain\fR doesn't
5209 You may list several password servers in
5210 the \fIpassword server\fR parameter, however if an
5211 \fBsmbd\fR makes a connection to a password server,
5212 and then the password server fails, no more users will be able
5213 to be authenticated from this \fBsmbd\fR. This is a
5214 restriction of the SMB/CIFS protocol when in \fBsecurity = server
5215 \fR mode and cannot be fixed in Samba.
5218 If you are using a Windows NT server as your
5219 password server then you will have to ensure that your users
5220 are able to login from the Samba server, as when in \fBsecurity = server\fR mode the network logon will appear to
5221 come from there rather than from the user's workstation.
5224 See also the \fIsecurity
5227 Default: \fBpassword server = <empty string>\fR
5229 Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2, *
5232 Example: \fBpassword server = *\fR
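Several parameters in this part of the manpage carry explicit security caveats (passwd chat debug, null passwords, password level, passwd program, passdb backend, password server). The following added example, which is not part of Samba, parses an smb.conf using the file rules given at the top of this manpage and reports those settings; the function names and the sample configuration are constructed for illustration, and only the [global] section and the first word of passwd program are examined.

```python
import re

def norm(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return "".join(name.split()).lower()

def is_true(value):
    """Booleans may be given as yes/no, 0/1 or true/false, in any case."""
    return value.strip().lower() in ("yes", "1", "true")

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    text = re.sub(r"\\\n", "", text)             # a trailing '\' continues the line
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
            continue
        name, sep, value = line.partition("=")   # only the first '=' is significant
        if sep:
            conf.setdefault(section, {})[norm(name)] = value.strip()
    return conf

def audit(conf):
    """Return (parameter, reason) pairs for settings this manpage warns about."""
    g = conf.get("global", {})
    findings = []
    if is_true(g.get("passwdchatdebug", "no")):
        findings.append(("passwd chat debug",
                         "plaintext passwords are written to the smbd log"))
    if is_true(g.get("nullpasswords", "no")):
        findings.append(("null passwords",
                         "accounts with null passwords accept client access"))
    level = g.get("passwordlevel", "0")
    if level.isdigit() and int(level) > 0:
        findings.append(("password level",
                         "reduces security and slows new connections"))
    if "%m" in g.get("passwordserver", "") and "hostsallow" not in g:
        findings.append(("password server",
                         "%m trusts the connecting client; no hosts allow is set"))
    if is_true(g.get("unixpasswordsync", "no")):
        program = g.get("passwdprogram", "/bin/passwd").split()
        if program and not program[0].startswith("/"):
            findings.append(("passwd program",
                             "called as root; must use absolute paths"))
    backends = [b.partition(":") for b in
                g.get("passdbbackend", "smbpasswd unixsam").split()]
    names = [name.lower() for name, _, _ in backends]
    if "unixsam" in names and names[-1] != "unixsam":
        findings.append(("passdb backend", "unixsam should be listed last"))
    for name, _, location in backends:
        if name.lower().startswith("ldapsam") and location.lower().startswith("ldap://"):
            findings.append(("passdb backend",
                             "ldap:// URL: secure it with ldap ssl or use ldaps://"))
    return findings

# Constructed sample configuration for this example.
SAMPLE = r"""
; constructed sample, not a recommended configuration
[global]
   Passwd Chat Debug = Yes
   null passwords = no
   password level = 4
   password server = %m
   unix password sync = true
   passwd program = npasswd %u
   passdb backend = unixsam \
                    ldapsam:ldap://ldap.example.com
"""

if __name__ == "__main__":
    for parameter, reason in audit(parse_smb_conf(SAMPLE)):
        print(f"{parameter}: {reason}")
```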
5235 This parameter specifies a directory to which
5236 the user of the service is to be given access. In the case of
5237 printable services, this is where print data will spool prior to
5238 being submitted to the host for printing.
5240 For a printable service offering guest access, the service
5241 should be readonly and the path should be world-writeable and
5242 have the sticky bit set. This is not mandatory of course, but
5243 you probably won't get the results you expect if you do
5246 Any occurrences of \fI%u\fR in the path
5247 will be replaced with the UNIX username that the client is using
5248 on this connection. Any occurrences of \fI%m\fR
5249 will be replaced by the NetBIOS name of the machine they are
5250 connecting from. These replacements are very useful for setting
5251 up pseudo home directories for users.
5253 Note that this path will be based on \fIroot dir\fR if one was specified.
5257 Example: \fBpath = /home/fred\fR
5259 \fBpid directory (G)\fR
5260 This option specifies the directory where pid
5261 files will be placed.
5263 Default: \fBpid directory = ${prefix}/var/locks\fR
5265 Example: \fBpid directory = /var/run/\fR
5267 \fBposix locking (S)\fR
5269 daemon maintains a database of file locks obtained by SMB clients.
5270 The default behavior is to map this internal database to POSIX
5271 locks. This means that file locks obtained by SMB clients are
5272 consistent with those seen by POSIX compliant applications accessing
5273 the files via a non-SMB method (e.g. NFS or local file access).
5274 You should never need to disable this parameter.
5276 Default: \fBposix locking = yes\fR
5279 This option specifies a command to be run
5280 whenever the service is disconnected. It takes the usual
5281 substitutions. The command may be run as the root on some
5284 An interesting example may be to unmount server
5287 \fBpostexec = /etc/umount /cdrom\fR
5289 See also \fIpreexec\fR
5292 Default: \fBnone (no command executed)\fR
5294 Example: \fBpostexec = echo \\"%u disconnected from %S
5295 from %m (%I)\\" >> /tmp/log\fR
5297 \fBpostscript (S)\fR
5298 This parameter forces a printer to interpret
5299 the print files as PostScript. This is done by adding a %!
5300 to the start of print output.
5302 This is most useful when you have lots of PCs that persist
5303 in putting a control-D at the start of print jobs, which then
5304 confuses your printer.
5306 Default: \fBpostscript = no\fR
5309 This option specifies a command to be run whenever
5310 the service is connected to. It takes the usual substitutions.
5312 An interesting example is to send the users a welcome
5313 message every time they log in. Maybe a message of the day? Here
5316 \fBpreexec = csh -c 'echo \\"Welcome to %S!\\" |
5317 /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
5319 Of course, this could get annoying after a while :-)
5321 See also \fIpreexec close
5325 Default: \fBnone (no command executed)\fR
5327 Example: \fBpreexec = echo \\"%u connected to %S from %m
5328 (%I)\\" >> /tmp/log\fR
5330 \fBpreexec close (S)\fR
5331 This boolean option controls whether a non-zero
5332 return code from \fIpreexec
5333 \fR should close the service being connected to.
5335 Default: \fBpreexec close = no\fR
5337 \fBpreferred master (G)\fR
5338 This boolean parameter controls if nmbd(8) is a preferred master browser
5341 If this is set to yes, on startup, \fBnmbd\fR
5342 will force an election, and it will have a slight advantage in
5343 winning the election. It is recommended that this parameter is
5344 used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master.
5346 Use this option with caution, because if there are several
5347 hosts (whether Samba servers, Windows 95 or NT) that are preferred
5348 master browsers on the same subnet, they will each periodically
5349 and continuously attempt to become the local master browser.
5350 This will result in unnecessary broadcast traffic and reduced browsing
5353 See also \fIos level\fR
5356 Default: \fBpreferred master = auto\fR
5358 \fBprefered master (G)\fR
5359 Synonym for \fI preferred master\fR for people who cannot spell :-).
5362 This is a list of services that you want to be
5363 automatically added to the browse lists. This is most useful
5364 for homes and printers services that would otherwise not be
5367 Note that if you just want all printers in your
5368 printcap file loaded then the \fIload printers\fR option is easier.
5370 Default: \fBno preloaded services\fR
5372 Example: \fBpreload = fred lp colorlp\fR
5374 \fBpreserve case (S)\fR
5375 This controls if new filenames are created
5376 with the case that the client passes, or if they are forced to
5377 be the \fIdefault case
5380 Default: \fBpreserve case = yes\fR
5382 See the section on NAME
5383 MANGLING for a fuller discussion.
5385 \fBprint command (S)\fR
5386 After a print job has finished spooling to
5387 a service, this command will be used via a \fBsystem()\fR
5388 call to process the spool file. Typically the command specified will
5389 submit the spool file to the host's printing subsystem, but there
5390 is no requirement that this be the case. The server will not remove
5391 the spool file, so whatever command you specify should remove the
5392 spool file when it has been processed, otherwise you will need to
5393 manually remove old spool files.
5395 The print command is simply a text string. It will be used
5396 verbatim after macro substitutions have been made:
5398 %s, %f - the path to the spool
5401 %p - the appropriate printer
5405 name as transmitted by the client.
5407 %c - The number of printed pages
5408 of the spooled job (if known).
5410 %z - the size of the spooled
5411 print job (in bytes)
5413 The print command \fBMUST\fR contain at least
5414 one occurrence of \fI%s\fR or \fI%f
5415 \fR - the \fI%p\fR is optional. At the time
5416 a job is submitted, if no printer name is supplied the \fI%p
5417 \fR will be silently removed from the printer command.
5419 If specified in the [global] section, the print command given
5420 will be used for any printable service that does not have its own
5421 print command specified.
5423 If there is neither a specified print command for a
5424 printable service nor a global print command, spool files will
5425 be created but not processed and (most importantly) not removed.
5427 Note that printing may fail on some UNIXes from the
5428 nobody account. If this happens then create
5429 an alternative guest account that can print and set the \fIguest account\fR
5430 in the [global] section.
5432 You can form quite complex print commands by realizing
5433 that they are just passed to a shell. For example the following
5434 will log a print job, print the file, then remove it. Note that
5435 \&';' is the usual separator for commands in shell scripts.
5437 \fBprint command = echo Printing %s >>
5438 /tmp/print.log; lpr -P %p %s; rm %s\fR
5440 You may have to vary this command considerably depending
5441 on how you normally print files on your system. The default for
5442 the parameter varies depending on the setting of the \fIprinting\fR parameter.
5444 Default: For \fBprinting = BSD, AIX, QNX, LPRNG
5447 \fBprint command = lpr -r -P%p %s\fR
5449 For \fBprinting = SYSV or HPUX :\fR
5451 \fBprint command = lp -c -d%p %s; rm %s\fR
5453 For \fBprinting = SOFTQ :\fR
5455 \fBprint command = lp -d%p -s %s; rm %s\fR
5457 For printing = CUPS : If SAMBA is compiled against
5458 libcups, then printcap = cups
5459 uses the CUPS API to
5460 submit jobs, etc. Otherwise it maps to the System V
5461 commands with the -oraw option for printing, i.e. it
5462 uses \fBlp -c -d%p -oraw; rm %s\fR.
5463 With \fBprinting = cups\fR,
5464 and if SAMBA is compiled against libcups, any manually
5465 set print command will be ignored.
5467 Example: \fBprint command = /usr/local/samba/bin/myprintscript
5471 Synonym for \fIprintable\fR.
5474 If this parameter is yes, then
5475 clients may open, write to and submit spool files on the directory
5476 specified for the service.
5478 Note that a printable service will ALWAYS allow writing
5479 to the service path (user privileges permitting) via the spooling
5480 of print data. The \fIread only
5481 \fR parameter controls only non-printing access to
5484 Default: \fBprintable = no\fR
5487 Synonym for \fI printcap name\fR.
5489 \fBprintcap name (G)\fR
5490 This parameter may be used to override the
5491 compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons
5492 why you might want to do this.
5494 To use the CUPS printing interface set \fBprintcap name = cups
5495 \fR. This should be supplemented by an additional setting
5496 printing = cups in the [global]
5497 section. \fBprintcap name = cups\fR will use the
5498 "dummy" printcap created by CUPS, as specified in your CUPS
5501 On System V systems that use \fBlpstat\fR to
5502 list available printers you can use \fBprintcap name = lpstat
5503 \fR to automatically obtain lists of available printers. This
5504 is the default for systems that define SYSV at configure time in
5505 Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on
5506 these systems then Samba will launch \fBlpstat -v\fR and
5507 attempt to parse the output to obtain a printer list.
5509 A minimal printcap file would look something like this:
5521 where the '|' separates aliases of a printer. The fact
5522 that the second alias has a space in it gives a hint to Samba
5523 that it's a comment.
5525 \fBNOTE\fR: Under AIX the default printcap
5526 name is \fI/etc/qconfig\fR. Samba will assume the
5527 file is in AIX \fIqconfig\fR format if the string
5528 \fIqconfig\fR appears in the printcap filename.
5530 Default: \fBprintcap name = /etc/printcap\fR
5532 Example: \fBprintcap name = /etc/myprintcap\fR
5534 \fBprinter admin (S)\fR
5535 This is a list of users that can do anything to
5536 printers via the remote administration interfaces offered by MS-RPC
5537 (usually using a NT workstation). Note that the root user always
5540 Default: \fBprinter admin = <empty string>\fR
5542 Example: \fBprinter admin = admin, @staff\fR
5544 \fBprinter driver (S)\fR
5545 \fBNote:\fR This is a deprecated
5546 parameter and will be removed in the next major release
5547 following version 2.2. Please see the instructions in
5548 the Samba 2.2. Printing
5549 HOWTO for more information
5550 on the new method of loading printer drivers onto a Samba server.
5552 This option allows you to control the string
5553 that clients receive when they ask the server for the printer driver
5554 associated with a printer. If you are using Windows95 or Windows NT
5555 then you can use this to automate the setup of printers on your
5558 You need to set this parameter to the exact string (case
5559 sensitive) that describes the appropriate printer driver for your
5560 system. If you don't know the exact string to use then you should
5561 first try with no \fI printer driver\fR option set and the client will
5562 give you a list of printer drivers. The appropriate strings are
5563 shown in a scroll box after you have chosen the printer manufacturer.
5568 Example: \fBprinter driver = HP LaserJet 4L\fR
5570 \fBprinter driver file (G)\fR
5571 \fBNote:\fR This is a deprecated
5572 parameter and will be removed in the next major release
5573 following version 2.2. Please see the instructions in
5574 the Samba 2.2. Printing
5575 HOWTO for more information
5576 on the new method of loading printer drivers onto a Samba server.
5578 This parameter tells Samba where the printer driver
5579 definition file, used when serving drivers to Windows 95 clients, is
5580 to be found. If this is not set, the default is :
5582 \fISAMBA_INSTALL_DIRECTORY
5583 /lib/printers.def\fR
5585 This file is created from Windows 95 \fImsprint.inf
5586 \fR files found on the Windows 95 client system. For more
5587 details on setting up serving of printer drivers to Windows 95
5588 clients, see the outdated documentation file in the \fIdocs/\fR
5589 directory, \fIPRINTER_DRIVER.txt\fR.
5591 See also \fI printer driver location\fR.
5593 Default: \fBNone (set in compile).\fR
5595 Example: \fBprinter driver file =
5596 /usr/local/samba/printers/drivers.def\fR
5598 \fBprinter driver location (S)\fR
5599 \fBNote:\fR This is a deprecated
5600 parameter and will be removed in the next major release
5601 following version 2.2. Please see the instructions in
5602 the Samba 2.2. Printing
5603 HOWTO for more information
5604 on the new method of loading printer drivers onto a Samba server.
5606 This parameter tells clients of a particular printer
5607 share where to find the printer driver files for the automatic
5608 installation of drivers for Windows 95 machines. If Samba is set up
5609 to serve printer drivers to Windows 95 machines, this should be set to
5611 \fB\\\\MACHINE\\PRINTER$\fR
5613 Where MACHINE is the NetBIOS name of your Samba server,
5614 and PRINTER$ is a share you set up for serving printer driver
5615 files. For more details on setting this up see the outdated documentation
5616 file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR.
5618 See also \fI printer driver file\fR.
5622 Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$
5625 \fBprinter name (S)\fR
5626 This parameter specifies the name of the printer
5627 to which print jobs spooled through a printable service will be sent.
5629 If specified in the [global] section, the printer
5630 name given will be used for any printable service that does
5631 not have its own printer name specified.
5633 Default: \fBnone (but may be lp
5636 Example: \fBprinter name = laserwriter\fR
5639 Synonym for \fI printer name\fR.
5642 This parameter controls how printer status
5643 information is interpreted on your system. It also affects the
5644 default values for the \fIprint command\fR,
5645 \fIlpq command\fR, \fIlppause command
5646 \fR, \fIlpresume command\fR, and
5647 \fIlprm command\fR if specified in the
5650 Currently nine printing styles are supported. They are
5657 To see what the defaults are for the other print
5658 commands when using the various options use the testparm(1) program.
5660 This option can be set on a per printer basis
5662 See also the discussion in the [printers] section.
5664 \fBprivate dir (G)\fR
5665 This parameter defines the directory
5666 smbd will use for storing such files as \fIsmbpasswd\fR
5667 and \fIsecrets.tdb\fR.
5669 Default: \fBprivate dir = ${prefix}/private\fR
5672 Synonym for \fImax protocol\fR.
5675 Synonym for \fIguest
5678 \fBqueuepause command (S)\fR
5679 This parameter specifies the command to be
5680 executed on the server host in order to pause the printer queue.
5682 This command should be a program or script which takes
5683 a printer name as its only parameter and stops the printer queue,
5684 such that jobs are no longer submitted to the printer.
5686 This command is not supported by Windows for Workgroups,
5687 but can be issued from the Printers window under Windows 95
5690 If a \fI%p\fR is given then the printer name
5691 is put in its place. Otherwise it is placed at the end of the command.
5693 Note that it is good practice to include the absolute
5694 path in the command as the PATH may not be available to the
5697 Default: \fBdepends on the setting of \fIprinting
5700 Example: \fBqueuepause command = disable %p\fR
5702 \fBqueueresume command (S)\fR
5703 This parameter specifies the command to be
5704 executed on the server host in order to resume the printer queue. It
5705 is the command to undo the behavior that is caused by the
5706 previous parameter (\fI queuepause command\fR).
5708 This command should be a program or script which takes
5709 a printer name as its only parameter and resumes the printer queue,
5710 such that queued jobs are resubmitted to the printer.
5712 This command is not supported by Windows for Workgroups,
5713 but can be issued from the Printers window under Windows 95
5716 If a \fI%p\fR is given then the printer name
5717 is put in its place. Otherwise it is placed at the end of the
5720 Note that it is good practice to include the absolute
5721 path in the command as the PATH may not be available to the
5724 Default: \fBdepends on the setting of \fIprinting\fB\fR
5726 Example: \fBqueueresume command = enable %p
5730 This boolean parameter controls whether smbd(8) will support the "Read
5731 Block Multiplex" SMB. This is now rarely used and defaults to
5732 no. You should never need to set this
5735 Default: \fBread bmpx = no\fR
5738 This is a list of users that are given read-only
5739 access to a service. If the connecting user is in this list then
5740 they will not be given write access, no matter what the \fIread only\fR
5741 option is set to. The list can include group names using the
5742 syntax described in the \fI invalid users\fR parameter.
5744 See also the \fI write list\fR parameter and the \fIinvalid users\fR
5747 Default: \fBread list = <empty string>\fR
5749 Example: \fBread list = mary, @students\fR
5752 An inverted synonym is \fIwriteable\fR.
5754 If this parameter is yes, then users
5755 of a service may not create or modify files in the service's
5758 Note that a printable service (\fBprintable = yes\fR)
5759 will \fBALWAYS\fR allow writing to the directory
5760 (user privileges permitting), but only via spooling operations.
5762 Default: \fBread only = yes\fR
5765 This parameter controls whether or not the server
5766 will support the raw read SMB requests when transferring data
5769 If enabled, raw reads allow reads of 65535 bytes in
5770 one packet. This typically provides a major performance benefit.
5772 However, some clients either negotiate the allowable
5773 block size incorrectly or are incapable of supporting larger block
5774 sizes, and for these clients you may need to disable raw reads.
5776 In general this parameter should be viewed as a system tuning
5777 tool and left severely alone. See also \fIwrite raw\fR.
5779 Default: \fBread raw = yes\fR
5782 The option \fIread size\fR
5783 affects the overlap of disk reads/writes with network reads/writes.
5784 If the amount of data being transferred in several of the SMB
5785 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
5786 than this value then the server begins writing the data before it
5787 has received the whole packet from the network, or in the case of
5788 SMBreadbraw, it begins writing to the network before all the data
5789 has been read from disk.
5791 This overlapping works best when the speeds of disk and
5792 network access are similar, having very little effect when the
5793 speed of one is much greater than the other.
5795 The default value is 16384, but very little experimentation
5796 has been done yet to determine the optimal value, and it is likely
5797 that the best value will vary greatly between systems anyway.
5798 A value over 65536 is pointless and will cause you to allocate
5799 memory unnecessarily.
5801 Default: \fBread size = 16384\fR
5803 Example: \fBread size = 8192\fR
5806 This option specifies the Kerberos realm to use. The realm is
5807 used as the ADS equivalent of the NT4 \fBdomain\fR. It
5808 is usually set to the DNS name of the Kerberos server.
5810 Default: \fBrealm = \fR
5812 Example: \fBrealm = mysambabox.mycompany.com\fR
5814 \fBremote announce (G)\fR
5815 This option allows you to set up nmbd(8) to periodically announce itself
5816 to arbitrary IP addresses with an arbitrary workgroup name.
5818 This is useful if you want your Samba server to appear
5819 in a remote workgroup for which the normal browse propagation
5820 rules don't work. The remote workgroup can be anywhere that you
5821 can send IP packets to.
5825 \fBremote announce = 192.168.2.255/SERVERS
5826 192.168.4.255/STAFF\fR
5828 the above line would cause \fBnmbd\fR to announce itself
5829 to the two given IP addresses using the given workgroup names.
5830 If you leave out the workgroup name then the one given in
5832 parameter is used instead.
5834 The IP addresses you choose would normally be the broadcast
5835 addresses of the remote networks, but can also be the IP addresses
5836 of known browse masters if your network config is that stable.
5838 See the documentation file \fIBROWSING.txt\fR
5839 in the \fIdocs/\fR directory.
5841 Default: \fBremote announce = <empty string>
5844 \fBremote browse sync (G)\fR
5845 This option allows you to set up nmbd(8) to periodically request
5846 synchronization of browse lists with the master browser of a Samba
5847 server that is on a remote segment. This option will allow you to
5848 gain browse lists for multiple workgroups across routed networks. This
5849 is done in a manner that does not work with any non-Samba servers.
5851 This is useful if you want your Samba server and all local
5852 clients to appear in a remote workgroup for which the normal browse
5853 propagation rules don't work. The remote workgroup can be anywhere
5854 that you can send IP packets to.
5858 \fBremote browse sync = 192.168.2.255 192.168.4.255
5861 the above line would cause \fBnmbd\fR to request
5862 the master browser on the specified subnets or addresses to
5863 synchronize their browse lists with the local server.
5865 The IP addresses you choose would normally be the broadcast
5866 addresses of the remote networks, but can also be the IP addresses
5867 of known browse masters if your network config is that stable. If
5868 a machine IP address is given Samba makes NO attempt to validate
5869 that the remote machine is available, is listening, nor that it
5870 is in fact the browse master on its segment.
5872 Default: \fBremote browse sync = <empty string>
5875 \fBrestrict anonymous (G)\fR
5876 This is an integer parameter, and
5877 mirrors as much as possible the functionality the
5879 registry key does on NT/Win2k.
5881 Default: \fBrestrict anonymous = 0\fR
5884 Synonym for \fIroot directory\fR.
5887 Synonym for \fIroot directory\fR.
5889 \fBroot directory (G)\fR
5890 The server will \fBchroot()\fR (i.e.
5891 change its root directory) to this directory on startup. This is
5892 not strictly necessary for secure operation. Even without it the
5893 server will deny access to files not in one of the service entries.
5894 It may also check for, and deny access to, soft links to other
5895 parts of the filesystem, or attempts to use ".." in file names
5896 to access other directories (depending on the setting of the \fIwide links\fR
5899 Adding a \fIroot directory\fR entry other
5900 than "/" adds an extra level of security, but at a price. It
5901 absolutely ensures that no access is given to files not in the
5902 sub-tree specified in the \fIroot directory\fR
5903 option, \fBincluding\fR some files needed for
5904 complete operation of the server. To maintain full operability
5905 of the server you will need to mirror some system files
5906 into the \fIroot directory\fR tree. In particular
5907 you will need to mirror \fI/etc/passwd\fR (or a
5908 subset of it), and any binaries or configuration files needed for
5909 printing (if required). The set of files that must be mirrored is
5910 operating system dependent.
5912 Default: \fBroot directory = /\fR
5914 Example: \fBroot directory = /homes/smb\fR
5916 \fBroot postexec (S)\fR
5917 This is the same as the \fIpostexec\fR
5918 parameter except that the command is run as root. This
5919 is useful for unmounting filesystems
5920 (such as CDROMs) after a connection is closed.
5922 See also \fI postexec\fR.
5924 Default: \fBroot postexec = <empty string>
5927 \fBroot preexec (S)\fR
5928 This is the same as the \fIpreexec\fR
5929 parameter except that the command is run as root. This
5930 is useful for mounting filesystems (such as CDROMs) when a
5931 connection is opened.
5933 See also \fI preexec\fR and \fIpreexec close\fR.
5935 Default: \fBroot preexec = <empty string>
5938 \fBroot preexec close (S)\fR
5939 This is the same as the \fIpreexec close
5940 \fR parameter except that the command is run as root.
5942 See also \fI preexec\fR and \fIpreexec close\fR.
5944 Default: \fBroot preexec close = no\fR
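Added example (not part of the Samba distribution): a Python check that reads a file by the rules given at the start of this page and reviews the shell-executed parameters described above (preexec, postexec, root preexec, root postexec, print command, queuepause command, queueresume command). It flags commands that run as root, that use a substitution whose value comes from the client, or that do not start with an absolute path. The sample file, the finding labels, the treatment of echo as a shell builtin and the choice of %m and %J as client-supplied are assumptions of this example.

```python
import re

# Parameters described on this page whose value is handed to a shell.
EXEC_PARAMS = {
    "preexec", "postexec", "rootpreexec", "rootpostexec",
    "printcommand", "queuepausecommand", "queueresumecommand",
}
ROOT_PARAMS = {"rootpreexec", "rootpostexec"}
# Assumption of this example: substitutions whose value is chosen by the client.
CLIENT_MACROS = {"%m": "client NetBIOS name", "%J": "job name sent by the client"}
# Assumption: words the shell resolves itself, so no path is expected.
SHELL_BUILTINS = {"echo"}


def normalise(name):
    """Names are not case sensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Yield (section, parameter, value) for every parameter line."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):          # continued on the next line
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)
    section = None
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue                     # blank line or comment
        if stripped.startswith("[") and stripped.endswith("]"):
            section = normalise(stripped[1:-1])
        elif "=" in stripped:
            # Only the first equals sign is significant.
            name, value = stripped.split("=", 1)
            yield section, normalise(name), value.strip()


def lint_exec_params(text):
    """Return a list of (location, finding) pairs for review."""
    findings = []
    for section, name, value in parse_smb_conf(text):
        if name not in EXEC_PARAMS or not value:
            continue
        where = "[%s] %s" % (section, name)
        if name in ROOT_PARAMS:
            findings.append((where, "runs-as-root"))
        for macro in CLIENT_MACROS:
            if macro in value:
                findings.append((where, "client-value " + macro))
        # Naive split on shell separators; quoting is not interpreted.
        for segment in re.split(r"[;|&]+", value):
            words = segment.split()
            if not words or words[0] in SHELL_BUILTINS:
                continue
            if not words[0].startswith("/"):
                findings.append((where, "relative-path " + words[0]))
    return findings


# Constructed sample file, reusing example commands from this page.
SAMPLE = r"""
[global]
   print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
[cdrom]
   path = /cdrom
   Root PreExec = /bin/mount /cdrom
   root postexec = /bin/umount /cdrom
[public]
   ; constructed share for the example
   preexec = echo "%u connected to %S from %m \
      (%I)" >> /var/log/samba/connect.log
   queuepause command = disable %p
"""

if __name__ == "__main__":
    for where, finding in lint_exec_params(SAMPLE):
        print("%-28s %s" % (where, finding))
```
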
5947 This option affects how clients respond to
5948 Samba and is one of the most important settings in the \fI smb.conf\fR file.
5950 The option sets the "security mode bit" in replies to
5951 protocol negotiations with smbd(8)
5952 to turn share level security on or off. Clients decide
5953 based on this bit whether (and how) to transfer user and password
5954 information to the server.
5956 The default is \fBsecurity = user\fR, as this is
5957 the most common setting needed when talking to Windows 98 and
5960 The alternatives are \fBsecurity = share\fR,
5961 \fBsecurity = server\fR or \fBsecurity = domain
5964 In versions of Samba prior to 2.0.0, the default was
5965 \fBsecurity = share\fR mainly because that was
5966 the only option at one stage.
5968 There is a bug in WfWg that has relevance to this
5969 setting. When in user or server level security a WfWg client
5970 will totally ignore the password you type in the "connect
5971 drive" dialog box. This makes it very difficult (if not impossible)
5972 to connect to a Samba service as anyone except the user that
5973 you are logged into WfWg as.
5975 If your PCs use usernames that are the same as their
5976 usernames on the UNIX machine then you will want to use
5977 \fBsecurity = user\fR. If you mostly use usernames
5978 that don't exist on the UNIX box then use \fBsecurity =
5981 You should also use \fBsecurity = share\fR if you
5982 want to mainly set up shares without a password (guest shares). This
5983 is commonly used for a shared printer server. It is more difficult
5984 to set up guest shares with \fBsecurity = user\fR, see
5985 the \fImap to guest\fR
5986 parameter for details.
5988 It is possible to use \fBsmbd\fR in a \fBhybrid mode\fR where it offers both user and share
5989 level security under different \fINetBIOS aliases\fR.
5991 The different settings will now be explained.
5996 When clients connect to a share level security server they
5997 need not log onto the server with a valid username and password before
5998 attempting to connect to a shared resource (although modern clients
5999 such as Windows 95/98 and Windows NT will send a logon request with
6000 a username but no password when talking to a \fBsecurity = share
6001 \fR server). Instead, the clients send authentication information
6002 (passwords) on a per-share basis, at the time they attempt to connect
6005 Note that \fBsmbd\fR \fBALWAYS\fR
6006 uses a valid UNIX user to act on behalf of the client, even in
6007 \fBsecurity = share\fR level security.
6009 As clients are not required to send a username to the server
6010 in share level security, \fBsmbd\fR uses several
6011 techniques to determine the correct UNIX user to use on behalf
6014 A list of possible UNIX usernames to match with the given
6015 client password is constructed using the following methods :
6020 only\fR parameter is set, then all the other
6021 stages are missed and only the \fIguest account\fR username is checked.
6024 If a username is sent with the share connection
6025 request, then this username (after mapping - see \fIusername map\fR),
6026 is added as a potential username.
6029 If the client did a previous \fBlogon
6030 \fR request (the SessionSetup SMB call) then the
6031 username sent in this SMB will be added as a potential username.
6034 The name of the service the client requested is
6035 added as a potential username.
6038 The NetBIOS name of the client is added to
6039 the list as a potential username.
6042 Any users on the \fI user\fR list are added as potential usernames.
6045 If the \fIguest only\fR parameter is
6046 not set, this list is then tried with the supplied password.
6047 The first user for whom the password matches will be used as the
6050 If the \fIguest only\fR parameter is
6051 set, or no username can be determined then if the share is marked
6052 as available to the \fIguest account\fR, then this
6053 guest user will be used, otherwise access is denied.
6055 Note that it can be \fBvery\fR confusing
6056 in share-level security as to which UNIX username will eventually
6057 be used in granting access.
6059 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
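Added example (a model of the steps listed above, not smbd's own code): it builds the candidate list in the order described and reports which UNIX user a share-level connection ends up as, and from which stage. The share and request field names, the password table, the de-duplication of names and the check_password callback are assumptions of this example.

```python
def candidate_usernames(share, request, username_map=None):
    """Ordered (stage, username) pairs tried against the supplied password."""
    username_map = username_map or {}
    if share.get("guest only"):
        # All other stages are missed; only the guest account is considered.
        return []
    sent = request.get("share_username")
    stages = [
        ("share request username", username_map.get(sent, sent)),
        ("previous logon (SessionSetup)", request.get("session_username")),
        ("service name", share["name"]),
        ("client NetBIOS name", request.get("client_netbios_name")),
    ]
    stages += [("user list", user) for user in share.get("user", [])]
    seen, ordered = set(), []
    for stage, name in stages:
        if name and name not in seen:    # assumption: each name is tried once
            seen.add(name)
            ordered.append((stage, name))
    return ordered


def resolve_unix_user(share, request, check_password,
                      guest_account="nobody", username_map=None):
    """Return (unix_user, stage); unix_user is None when access is denied."""
    password = request.get("password", "")
    for stage, name in candidate_usernames(share, request, username_map):
        if check_password(name, password):
            return name, stage           # first matching user wins
    if share.get("guest ok"):
        return guest_account, "guest account"
    return None, "access denied"


# Constructed accounts and passwords for the demonstration.
PASSWORDS = {"fred": "constructed-pw-1", "mary": "constructed-pw-2"}


def check_password(user, password):
    return PASSWORDS.get(user) == password


def demo():
    """Three constructed connections showing how the chosen user can vary."""
    return [
        # No username sent: the service name itself matches an account.
        resolve_unix_user({"name": "fred"},
                          {"password": "constructed-pw-1",
                           "client_netbios_name": "PC17"},
                          check_password),
        # Username sent with the request and rewritten by the username map.
        resolve_unix_user({"name": "projects", "user": ["mary"]},
                          {"share_username": "Mary S",
                           "password": "constructed-pw-2"},
                          check_password,
                          username_map={"Mary S": "mary"}),
        # Wrong password on a guest-enabled share falls through to guest.
        resolve_unix_user({"name": "projects", "user": ["mary"],
                           "guest ok": True},
                          {"password": "wrong"},
                          check_password),
    ]


if __name__ == "__main__":
    for user, stage in demo():
        print(user, "via", stage)
```
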
6064 This is the default security setting in Samba 2.2.
6065 With user-level security a client must first "log-on" with a
6066 valid username and password (which can be mapped using the \fIusername map\fR
6067 parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
6068 be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
6069 may change the UNIX user to use on this connection, but only after
6070 the user has been successfully authenticated.
6072 \fBNote\fR that the name of the resource being
6073 requested is \fBnot\fR sent to the server until after
6074 the server has successfully authenticated the client. This is why
6075 guest shares don't work in user level security without allowing
6076 the server to automatically map unknown users into the \fIguest account\fR.
6077 See the \fImap to guest\fR
6078 parameter for details on doing this.
6080 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6082 \fBSECURITY = SERVER
6085 In this mode Samba will try to validate the username/password
6086 by passing it to another SMB server, such as an NT box. If this
6087 fails it will revert to \fBsecurity = user\fR, but note
6088 that if encrypted passwords have been negotiated then Samba cannot
6089 revert back to checking the UNIX password file, it must have a valid
6090 \fIsmbpasswd\fR file to check users against. See the
6091 documentation file in the \fIdocs/\fR directory
6092 \fIENCRYPTION.txt\fR for details on how to set this
6095 \fBNote\fR that from the client's point of
6096 view \fBsecurity = server\fR is the same as \fBsecurity = user\fR. It only affects how the server deals
6097 with the authentication, it does not in any way affect what the
6100 \fBNote\fR that the name of the resource being
6101 requested is \fBnot\fR sent to the server until after
6102 the server has successfully authenticated the client. This is why
6103 guest shares don't work in user level security without allowing
6104 the server to automatically map unknown users into the \fIguest account\fR.
6105 See the \fImap to guest\fR
6106 parameter for details on doing this.
6108 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6110 See also the \fIpassword
6111 server\fR parameter and the \fIencrypted passwords\fR
6114 \fBSECURITY = DOMAIN
6117 This mode will only work correctly if smbpasswd(8) has been used to add this
6118 machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR
6119 parameter to be set to yes. In this
6120 mode Samba will try to validate the username/password by passing
6121 it to a Windows NT Primary or Backup Domain Controller, in exactly
6122 the same way that a Windows NT Server would do.
6124 \fBNote\fR that a valid UNIX user must still
6125 exist as well as the account on the Domain Controller to allow
6126 Samba to have a valid UNIX account to map file access to.
6128 \fBNote\fR that from the client's point
6129 of view \fBsecurity = domain\fR is the same as \fBsecurity = user
6130 \fR. It only affects how the server deals with the authentication,
6131 it does not in any way affect what the client sees.
6133 \fBNote\fR that the name of the resource being
6134 requested is \fBnot\fR sent to the server until after
6135 the server has successfully authenticated the client. This is why
6136 guest shares don't work in user level security without allowing
6137 the server to automatically map unknown users into the \fIguest account\fR.
6138 See the \fImap to guest\fR
6139 parameter for details on doing this.
6141 \fBBUG:\fR There is currently a bug in the
6142 implementation of \fBsecurity = domain\fR with respect
6143 to multi-byte character set usernames. The communication with a
6144 Domain Controller must be done in UNICODE and Samba currently
6145 does not widen multi-byte user names to UNICODE correctly, thus
6146 a multi-byte username will not be recognized correctly at the
6147 Domain Controller. This issue will be addressed in a future release.
6149 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6151 See also the \fIpassword
6152 server\fR parameter and the \fIencrypted passwords\fR
6155 Default: \fBsecurity = USER\fR
6157 Example: \fBsecurity = DOMAIN\fR
6159 \fBsecurity mask (S)\fR
6160 This parameter controls what UNIX permission
6161 bits can be modified when a Windows NT client is manipulating
6162 the UNIX permission on a file using the native NT security
6165 This parameter is applied as a mask (AND'ed with) to
6166 the changed permission bits, thus preventing any bits not in
6167 this mask from being modified. Essentially, zero bits in this
6168 mask may be treated as a set of bits the user is not allowed
6171 If not set explicitly this parameter is 0777, allowing
6172 a user to modify all the user/group/world permissions on a file.
6174 \fBNote\fR that users who can access the
6175 Samba server through other means can easily bypass this
6176 restriction, so it is primarily useful for standalone
6177 "appliance" systems. Administrators of most normal systems will
6178 probably want to leave it set to 0777.
6180 See also the \fIforce directory security mode\fR,
6182 security mask\fR, \fIforce security mode\fR parameters.
6184 Default: \fBsecurity mask = 0777\fR
6186 Example: \fBsecurity mask = 0770\fR
6188 \fBserver string (G)\fR
6189 This controls what string will show up in the
6190 printer comment box in print manager and next to the IPC connection
6191 in \fBnet view\fR. It can be any string that you wish
6192 to show to your users.
6194 It also sets what will appear in browse lists next
6195 to the machine name.
6197 A \fI%v\fR will be replaced with the Samba
6200 A \fI%h\fR will be replaced with the
6203 Default: \fBserver string = Samba %v\fR
6205 Example: \fBserver string = University of GNUs Samba
6208 \fBset directory (S)\fR
6209 If \fBset directory = no\fR, then
6210 users of the service may not use the setdir command to change
6213 The \fBsetdir\fR command is only implemented
6214 in the Digital Pathworks client. See the Pathworks documentation
6217 Default: \fBset directory = no\fR
6219 \fBshare modes (S)\fR
6220 This enables or disables the honoring of
6221 the \fIshare modes\fR during a file open. These
6222 modes are used by clients to gain exclusive read or write access
6225 These open modes are not directly supported by UNIX, so
6226 they are simulated using shared memory, or lock files if your
6227 UNIX doesn't support shared memory (almost all do).
6229 The share modes that are enabled by this option are
6231 DENY_READ, DENY_WRITE,
6232 DENY_NONE and DENY_FCB.
6234 This option gives full share compatibility and enabled
6237 You should \fBNEVER\fR turn this parameter
6238 off as many Windows applications will break if you do so.
6240 Default: \fBshare modes = yes\fR
6242 \fBshort preserve case (S)\fR
6243 This boolean parameter controls if new files
6244 which conform to 8.3 syntax, that is all in upper case and of
6245 suitable length, are created upper case, or if they are forced
6246 to be the \fIdefault case
6247 \fR. This option can be used with \fBpreserve case = yes\fR
6248 to permit long filenames to retain their case, while short
6251 See the section on NAME MANGLING.
6253 Default: \fBshort preserve case = yes\fR
6255 \fBshow add printer wizard (G)\fR
6256 With the introduction of MS-RPC based printing support
6257 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
6258 appear on Samba hosts in the share listing. Normally this folder will
6259 contain an icon for the MS Add Printer Wizard (APW). However, it is
6260 possible to disable this feature regardless of the level of privilege
6261 of the connected user.
6263 Under normal circumstances, the Windows NT/2000 client will
6264 open a handle on the printer server with OpenPrinterEx() asking for
6265 Administrator privileges. If the user does not have administrative
6266 access on the print server (i.e. is not root or a member of the
6267 \fIprinter admin\fR group), the OpenPrinterEx()
6268 call fails and the client makes another open call with a request for
6269 a lower privilege level. This should succeed, however the APW
6270 icon will not be displayed.
6272 Disabling the \fIshow add printer wizard\fR
6273 parameter will always cause the OpenPrinterEx() on the server
6274 to fail. Thus the APW icon will never be displayed. \fBNote:\fR This does not prevent the same user from having
6275 administrative privilege on an individual printer.
6277 See also \fIaddprinter
6278 command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR
6280 Default: \fBshow add printer wizard = yes\fR
6282 \fBshutdown script (G)\fR
6283 \fBThis parameter only exists in the HEAD cvs branch\fR
6284 This is a full path name to a script called by
6286 should start a shutdown procedure.
6288 This command will be run as the user connected to the
6291 %m %t %r %f parameters are expanded
6293 \fI%m\fR will be substituted with the
6294 shutdown message sent to the server.
6296 \fI%t\fR will be substituted with the
6297 number of seconds to wait before effectively starting the
6300 \fI%r\fR will be substituted with the
6301 switch \fB-r\fR. It means reboot after shutdown
6304 \fI%f\fR will be substituted with the
6305 switch \fB-f\fR. It means force the shutdown
6306 even if applications do not respond for NT.
6308 Default: \fBNone\fR.
6310 Example: \fBshutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f\fR
6312 Shutdown script example:
6321 /sbin/shutdown $3 $4 +$time $1 &
6324 Shutdown does not return so we need to launch it in background.
6326 See also \fIabort shutdown script\fR.
6328 \fBsmb passwd file (G)\fR
6329 This option sets the path to the encrypted
6330 smbpasswd file. By default the path to the smbpasswd file
6331 is compiled into Samba.
6333 Default: \fBsmb passwd file = ${prefix}/private/smbpasswd
6336 Example: \fBsmb passwd file = /etc/samba/smbpasswd
6340 Specifies which ports the server should listen on
6343 Default: \fBsmb ports = 445 139\fR
6345 \fBsocket address (G)\fR
6346 This option allows you to control what
6347 address Samba will listen for connections on. This is used to
6348 support multiple virtual interfaces on the one server, each
6349 with a different configuration.
6351 By default Samba will accept connections on any
6354 Example: \fBsocket address = 192.168.2.20\fR
6356 \fBsocket options (G)\fR
6357 This option allows you to set socket options
6358 to be used when talking with the client.
6360 Socket options are controls on the networking layer
6361 of the operating systems which allow the connection to be
6364 This option will typically be used to tune your Samba
6365 server for optimal performance for your local network. There is
6366 no way that Samba can know what the optimal parameters are for
6367 your net, so you must experiment and choose them yourself. We
6368 strongly suggest you read the appropriate documentation for your
6369 operating system first (perhaps \fBman setsockopt\fR
6372 You may find that on some systems Samba will say
6373 "Unknown socket option" when you supply an option. This means you
6374 either incorrectly typed it or you need to add an include file
6375 to includes.h for your OS. If the latter is the case please
6376 send the patch to samba@samba.org.
6378 Any of the supported socket options may be combined
6379 in any way you like, as long as your OS allows it.
6381 This is the list of socket options currently settable
6416 Those marked with a \fB'*'\fR take an integer
6417 argument. The others can optionally take a 1 or 0 argument to enable
6418 or disable the option, by default they will be enabled if you
6419 don't specify 1 or 0.
6421 To specify an argument use the syntax SOME_OPTION=VALUE
6422 for example \fBSO_SNDBUF=8192\fR. Note that you must
6423 not have any spaces before or after the = sign.
6425 If you are on a local network then a sensible option
6428 \fBsocket options = IPTOS_LOWDELAY\fR
6430 If you have a local network then you could try:
6432 \fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
6434 If you are on a wide area network then perhaps try
6435 setting IPTOS_THROUGHPUT.
6437 Note that several of the options may cause your Samba
6438 server to fail completely. Use these options with caution!
6440 Default: \fBsocket options = TCP_NODELAY\fR
6442 Example: \fBsocket options = IPTOS_LOWDELAY\fR
6444 \fBsource environment (G)\fR
6445 This parameter causes Samba to set environment
6446 variables as per the content of the file named.
6448 If the value of this parameter starts with a "|" character
6449 then Samba will treat that value as a pipe command to open and
6450 will set the environment variables from the output of the pipe.
6452 The contents of the file or the output of the pipe should
6453 be formatted as the output of the standard Unix \fBenv(1)
6454 \fR command. This is of the form:
6456 Example environment entry:
6458 \fBSAMBA_NETBIOS_NAME = myhostname\fR
6460 Default: \fBNo default value\fR
6462 Examples: \fBsource environment = |/etc/smb.conf.sh
6465 Example: \fBsource environment =
6466 /usr/local/smb_env_vars\fR
6468 \fBuse spnego (G)\fR
6469 This variable controls whether Samba will try to use Simple and Protected NEGOciation (as specified by RFC 2478) with Windows XP and Windows 2000 SP2 clients to agree upon an authentication mechanism. As of Samba 3.0alpha it must be set to "no" for these clients to join a Samba domain controller. It can be set to "yes" to allow Samba to participate in an AD domain controlled by a Windows 2000 domain controller.
6471 Default: \fBuse spnego = yes\fR
6473 \fBstat cache (G)\fR
6474 This parameter determines if smbd(8) will use a cache in order to
6475 speed up case insensitive name mappings. You should never need
6476 to change this parameter.
6478 Default: \fBstat cache = yes\fR
6480 \fBstat cache size (G)\fR
6481 This parameter determines the number of
6482 entries in the \fIstat cache\fR. You should
6483 never need to change this parameter.
6485 Default: \fBstat cache size = 50\fR
6487 \fBstrict allocate (S)\fR
6488 This is a boolean that controls the handling of
6489 disk space allocation in the server. When this is set to yes
6490 the server will change from UNIX behaviour of not committing real
6491 disk storage blocks when a file is extended to the Windows behaviour
6492 of actually forcing the disk system to allocate real storage blocks
6493 when a file is created or extended to be a given size. In UNIX
6494 terminology this means that Samba will stop creating sparse files.
6495 This can be slow on some systems.
6497 When strict allocate is no the server does sparse
6498 disk block allocation when a file is extended.
6500 Setting this to yes can help Samba return
6501 out of quota messages on systems that are restricting the disk quota
6504 Default: \fBstrict allocate = no\fR
6506 \fBstrict locking (S)\fR
6507 This is a boolean that controls the handling of
6508 file locking in the server. When this is set to yes
6509 the server will check every read and write access for file locks, and
6510 deny access if locks exist. This can be slow on some systems.
6512 When strict locking is no the server does file
6513 lock checks only when the client explicitly asks for them.
6515 Well-behaved clients always ask for lock checks when it
6516 is important, so in the vast majority of cases \fBstrict
6517 locking = no\fR is preferable.
6519 Default: \fBstrict locking = no\fR
6521 \fBstrict sync (S)\fR
6522 Many Windows applications (including the Windows
6523 98 explorer shell) seem to confuse flushing buffer contents to
6524 disk with doing a sync to disk. Under UNIX, a sync call forces
6525 the process to be suspended until the kernel has ensured that
6526 all outstanding data in kernel disk buffers has been safely stored
6527 onto stable storage. This is very slow and should only be done
6528 rarely. Setting this parameter to no (the
6529 default) means that smbd ignores the Windows applications' requests for
6530 a sync call. There is only a possibility of losing data if the
6531 operating system itself that Samba is running on crashes, so there is
6532 little danger in this default setting. In addition, this fixes many
6533 performance problems that people have reported with the new Windows98
6534 explorer shell file copies.
6536 See also the \fIsync
6537 always\fR parameter.
6539 Default: \fBstrict sync = no\fR
6542 This is a boolean that controls whether to
6543 strip trailing dots off UNIX filenames. This helps with some
6544 CDROMs that have filenames ending in a single dot.
6546 Default: \fBstrip dot = no\fR
6548 \fBsync always (S)\fR
6549 This is a boolean parameter that controls
6550 whether writes will always be written to stable storage before
6551 the write call returns. If this is no then the server will be
6552 guided by the client's request in each write call (clients can
6553 set a bit indicating that a particular write should be synchronous).
6554 If this is yes then every write will be followed by a \fBfsync()
6555 \fR call to ensure the data is written to disk. Note that
6556 the \fIstrict sync\fR parameter must be set to
6557 yes in order for this parameter to have
6560 See also the \fIstrict
6563 Default: \fBsync always = no\fR
6566 This parameter maps how Samba debug messages
6567 are logged onto the system syslog logging levels. Samba debug
6568 level zero maps onto syslog LOG_ERR, debug
6569 level one maps onto LOG_WARNING, debug level
6570 two maps onto LOG_NOTICE, debug level three
6571 maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6573 This parameter sets the threshold for sending messages
6574 to syslog. Only messages with debug level less than this value
6575 will be sent to syslog.
6577 Default: \fBsyslog = 1\fR
6579 \fBsyslog only (G)\fR
6580 If this parameter is set then Samba debug
6581 messages are logged into the system syslog only, and not to
6582 the debug log files.
6584 Default: \fBsyslog only = no\fR
6586 \fBtemplate homedir (G)\fR
6587 When filling out the user information for a Windows NT
6588 user, the winbindd(8) daemon
6589 uses this parameter to fill in the home directory for that user.
6590 If the string \fI%D\fR is present it is substituted
6591 with the user's Windows NT domain name. If the string \fI%U
6592 \fR is present it is substituted with the user's Windows
6595 Default: \fBtemplate homedir = /home/%D/%U\fR
6597 \fBtemplate shell (G)\fR
6598 When filling out the user information for a Windows NT
6599 user, the winbindd(8) daemon
6600 uses this parameter to fill in the login shell for that user.
6602 Default: \fBtemplate shell = /bin/false\fR
6604 \fBtime offset (G)\fR
6605 This parameter is a setting in minutes to add
6606 to the normal GMT to local time conversion. This is useful if
6607 you are serving a lot of PCs that have incorrect daylight
6608 saving time handling.
6610 Default: \fBtime offset = 0\fR
6612 Example: \fBtime offset = 60\fR
6614 \fBtime server (G)\fR
6615 This parameter determines if
6616 nmbd(8) advertises itself as a time server to Windows
6619 Default: \fBtime server = no\fR
6621 \fBtimestamp logs (G)\fR
6622 Synonym for \fIdebug timestamp\fR.
6624 \fBtotal print jobs (G)\fR
6625 This parameter accepts an integer value which defines
6626 a limit on the maximum number of print jobs that will be accepted
6627 system wide at any given time. If a print job is submitted
6628 by a client which will exceed this number, then smbd will return an
6629 error indicating that no space is available on the server. The
6630 default value of 0 means that no such limit exists. This parameter
6631 can be used to prevent a server from exceeding its capacity and is
6632 designed as a printing throttle. See also
6633 \fImax print jobs\fR.
6635 Default: \fBtotal print jobs = 0\fR
6637 Example: \fBtotal print jobs = 5000\fR
6640 Specifies whether Samba should try
6641 to use unicode on the wire by default. Note: This does NOT
6642 mean that samba will assume that the unix machine uses unicode!
6644 Default: \fBunicode = yes\fR
6646 \fBunix charset (G)\fR
6647 Specifies the charset the unix machine
6648 Samba runs on uses. Samba needs to know this in order to be able to
6649 convert text to the charsets other SMB clients use.
6651 Default: \fBunix charset = ASCII\fR
6653 Example: \fBunix charset = UTF8\fR
6655 \fBunix extensions (G)\fR
6656 This boolean parameter controls whether Samba
6657 implements the CIFS UNIX extensions, as defined by HP.
6658 These extensions enable Samba to better serve UNIX CIFS clients
6659 by supporting features such as symbolic links, hard links, etc...
6660 These extensions require a similarly enabled client, and are of
6661 no current use to Windows clients.
6663 Default: \fBunix extensions = no\fR
6665 \fBunix password sync (G)\fR
6666 This boolean parameter controls whether Samba
6667 attempts to synchronize the UNIX password with the SMB password
6668 when the encrypted SMB password in the smbpasswd file is changed.
6669 If this is set to yes the program specified in the \fIpasswd
6670 program\fR parameter is called \fBAS ROOT\fR -
6671 to allow the new UNIX password to be set without access to the
6672 old UNIX password (as the SMB password change code has no
6673 access to the old password cleartext, only the new).
6676 program\fR, \fIpasswd chat\fR.
6678 Default: \fBunix password sync = no\fR
6680 \fBupdate encrypted (G)\fR
6681 This boolean parameter allows a user logging
6682 on with a plaintext password to have their encrypted (hashed)
6683 password in the smbpasswd file to be updated automatically as
6684 they log on. This option allows a site to migrate from plaintext
6685 password authentication (users authenticate with plaintext
6686 password over the wire, and are checked against a UNIX account
6687 database) to encrypted password authentication (the SMB
6688 challenge/response authentication mechanism) without forcing
6689 all users to re-enter their passwords via smbpasswd at the time the
6690 change is made. This is a convenience option to allow the change over
6691 to encrypted passwords to be made over a longer period. Once all users
6692 have encrypted representations of their passwords in the smbpasswd
6693 file this parameter should be set to no.
6695 In order for this parameter to work correctly the \fIencrypt passwords\fR
6696 parameter must be set to no when
6697 this parameter is set to yes.
6699 Note that even when this parameter is set a user
6700 authenticating to \fBsmbd\fR must still enter a valid
6701 password in order to connect correctly, and to update their hashed
6702 (smbpasswd) passwords.
6704 Default: \fBupdate encrypted = no\fR
6706 \fBuse client driver (S)\fR
6707 This parameter applies only to Windows NT/2000
6708 clients. It has no effect on Windows 95/98/ME clients. When
6709 serving a printer to Windows NT/2000 clients without first installing
6710 a valid printer driver on the Samba host, the client will be required
6711 to install a local printer driver. From this point on, the client
6712 will treat the printer as a local printer and not a network printer
6713 connection. This is much the same behavior that will occur
6714 when \fBdisable spoolss = yes\fR.
6717 factor is that under normal circumstances, the NT/2000 client will
6718 attempt to open the network printer using MS-RPC. The problem is that
6719 because the client considers the printer to be local, it will attempt
6720 to issue the OpenPrinterEx() call requesting access rights associated
6721 with the logged on user. If the user possesses local administrator rights
6722 but not root privilege on the Samba host (often the case), the OpenPrinterEx()
6723 call will fail. The result is that the client will now display an "Access
6724 Denied; Unable to connect" message in the printer queue window (even though
6725 jobs may successfully be printed).
6727 If this parameter is enabled for a printer, then any attempt
6728 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
6729 to PRINTER_ACCESS_USE instead, thus allowing the OpenPrinterEx()
6730 call to succeed. \fBThis parameter MUST not be enabled
6731 on a print share which has valid print driver installed on the Samba
6734 See also disable spoolss
6736 Default: \fBuse client driver = no\fR
6739 This global parameter determines if the tdb internals of Samba can
6740 depend on mmap working correctly on the running system. Samba requires a coherent
6741 mmap/read-write system memory cache. Currently only HPUX does not have such a
6742 coherent cache, and so this parameter is set to no by
6743 default on HPUX. On all other systems this parameter should be left alone. This
6744 parameter is provided to help the Samba developers track down problems with
6745 the tdb internal code.
6747 Default: \fBuse mmap = yes\fR
6749 \fBuse rhosts (G)\fR
6750 If this global parameter is yes, it specifies
6751 that the UNIX user's \fI.rhosts\fR file in their home directory
6752 will be read to find the names of hosts and users who will be allowed
6753 access without specifying a password.
6755 \fBNOTE:\fR The use of \fIuse rhosts
6756 \fR can be a major security hole. This is because you are
6757 trusting the PC to supply the correct username. It is very easy to
6758 get a PC to supply a false username. I recommend that the \fIuse rhosts\fR option be used only if you really know what
6761 Default: \fBuse rhosts = no\fR
6764 Synonym for \fIusername\fR.
6767 Synonym for \fIusername\fR.
6770 Multiple users may be specified in a comma-delimited
6771 list, in which case the supplied password will be tested against
6772 each username in turn (left to right).
6774 The \fIusername\fR line is needed only when
6775 the PC is unable to supply its own username. This is the case
6776 for the COREPLUS protocol or where your users have different WfWg
6777 usernames to UNIX usernames. In both these cases you may also be
6778 better using the \\\\server\\share%user syntax instead.
6780 The \fIusername\fR line is not a great
6781 solution in many cases as it means Samba will try to validate
6782 the supplied password against each of the usernames in the
6783 \fIusername\fR line in turn. This is slow and
6784 a bad idea for lots of users in case of duplicate passwords.
6785 You may get timeouts or security breaches using this parameter
6788 Samba relies on the underlying UNIX security. This
6789 parameter does not restrict who can login, it just offers hints
6790 to the Samba server as to what usernames might correspond to the
6791 supplied password. Users can login as whoever they please and
6792 they will be able to do no more damage than if they started a
6793 telnet session. The daemon runs as the user that they log in as,
6794 so they cannot do anything that user cannot do.
6796 To restrict a service to a particular set of users you
6797 can use the \fIvalid users
6800 If any of the usernames begin with a '@' then the name
6801 will be looked up first in the NIS netgroups list (if Samba
6802 is compiled with netgroup support), followed by a lookup in
6803 the UNIX groups database and will expand to a list of all users
6804 in the group of that name.
6806 If any of the usernames begin with a '+' then the name
6807 will be looked up only in the UNIX groups database and will
6808 expand to a list of all users in the group of that name.
6810 If any of the usernames begin with a '&' then the name
6811 will be looked up only in the NIS netgroups database (if Samba
6812 is compiled with netgroup support) and will expand to a list
6813 of all users in the netgroup group of that name.
6815 Note that searching through a groups database can take
6816 quite some time, and some clients may time out during the
6819 See the section NOTE ABOUT
6820 USERNAME/PASSWORD VALIDATION for more information on how
6821 this parameter determines access to the services.
6823 Default: \fBThe guest account if a guest service,
6824 else <empty string>.\fR
6826 Examples: \fBusername = fred, mary, jack, jane,
6829 \fBusername level (G)\fR
6830 This option helps Samba to try and 'guess' at
6831 the real UNIX username, as many DOS clients send an all-uppercase
6832 username. By default Samba tries all lowercase, followed by the
6833 username with the first letter capitalized, and fails if the
6834 username is not found on the UNIX machine.
6836 If this parameter is set to non-zero the behavior changes.
6837 This parameter is a number that specifies the number of uppercase
6838 combinations to try while trying to determine the UNIX user name. The
6839 higher the number the more combinations will be tried, but the slower
6840 the discovery of usernames will be. Use this parameter when you have
6841 strange usernames on your UNIX machine, such as AstrangeUser
6844 Default: \fBusername level = 0\fR
6846 Example: \fBusername level = 5\fR
6848 \fBusername map (G)\fR
6849 This option allows you to specify a file containing
6850 a mapping of usernames from the clients to the server. This can be
6851 used for several purposes. The most common is to map usernames
6852 that users use on DOS or Windows machines to those that the UNIX
6853 box uses. The other is to map multiple users to a single username
6854 so that they can more easily share files.
6856 The map file is parsed line by line. Each line should
6857 contain a single UNIX username on the left then a '=' followed
6858 by a list of usernames on the right. The list of usernames on the
6859 right may contain names of the form @group in which case they
6860 will match any UNIX username in that group. The special client
6861 name '*' is a wildcard and matches any name. Each line of the
6862 map file may be up to 1023 characters long.
6864 The file is processed on each line by taking the
6865 supplied username and comparing it with each username on the right
6866 hand side of the '=' signs. If the supplied name matches any of
6867 the names on the right hand side then it is replaced with the name
6868 on the left. Processing then continues with the next line.
6870 If any line begins with a '#' or a ';' then it is
6873 If any line begins with an '!' then the processing
6874 will stop after that line if a mapping was done by the line.
6875 Otherwise mapping continues with every line being processed.
6876 Using '!' is most useful when you have a wildcard mapping line
6879 For example to map from the name admin
6880 or administrator to the UNIX name root you would use:
6882 \fBroot = admin administrator\fR
6884 Or to map anyone in the UNIX group system
6885 to the UNIX name sys you would use:
6889 You can have as many mappings as you like in a username
6892 If your system supports the NIS NETGROUP option then
6893 the netgroup database is checked before the \fI/etc/group
6894 \fR database for matching groups.
6896 You can map Windows usernames that have spaces in them
6897 by using double quotes around the name. For example:
6899 \fBtridge = "Andrew Tridgell"\fR
6901 would map the windows username "Andrew Tridgell" to the
6902 unix username "tridge".
6904 The following example would map mary and fred to the
6905 unix user sys, and map the rest to guest. Note the use of the
6906 \&'!' to tell Samba to stop processing if it gets a match on
6916 Note that the remapping is applied to all occurrences
6917 of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you
6918 will actually be connecting to \\\\server\\mary and will need to
6919 supply a password suitable for mary not
6920 fred. The only exception to this is the
6921 username passed to the \fIpassword server\fR (if you have one). The password
6922 server will receive whatever username the client supplies without
6925 Also note that no reverse mapping is done. The main effect
6926 this has is with printing. Users who have been mapped may have
6927 trouble deleting print jobs as PrintManager under WfWg will think
6928 they don't own the print job.
6930 Default: \fBno username map\fR
6932 Example: \fBusername map = /usr/local/samba/lib/users.map
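The line-by-line processing described for \fIusername map\fR, as an added example that is not part of the original manual page and is not Samba's own code. It parses a map file, resolves a client name the way the text describes (including the '!' stop marker), and flags lines an administrator should review. Assumptions: names are compared case-insensitively, group membership is passed in as a dict instead of being looked up in NIS or \fI/etc/group\fR, the audit rules are a heuristic, and the sample map is constructed from the forms shown in the text.

```python
import re

# A double-quoted name (may contain spaces) or a bare word.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample built from the forms the text describes.
SAMPLE_MAP = '''\
# constructed sample map file
root = admin administrator
tridge = "Andrew Tridgell"
!sys = mary fred
!sys = @system
guest = *
'''
# Assumption: group membership is supplied here so the example runs offline.
SAMPLE_GROUPS = {"system": ["alice"]}


def parse_username_map(text):
    """Return rules as (line_no, stop_on_match, unix_name, client_names)."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # comment or blank line
            continue
        stop = line.startswith("!")          # '!': stop if this line maps
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        unix_name = unix_name.strip()
        names = [q or w for q, w in TOKEN.findall(rhs)]
        names = [n for n in names if n]
        if not sep or not unix_name or not names:
            continue                         # malformed line, skipped here
        rules.append((line_no, stop, unix_name, names))
    return rules


def _matches(name, client_names, groups):
    lowered = name.lower()                   # assumption: case-insensitive
    for entry in client_names:
        if entry == "*":                     # wildcard matches any name
            return True
        if entry.startswith("@"):            # @group: any member matches
            members = groups.get(entry[1:], ())
            if lowered in (m.lower() for m in members):
                return True
        elif entry.lower() == lowered:
            return True
    return False


def map_username(rules, client_name, groups=None):
    """Apply every rule in order; return (final_name, trace of mappings)."""
    groups = groups or {}
    current, trace = client_name, []
    for line_no, stop, unix_name, names in rules:
        if _matches(current, names, groups):
            trace.append((line_no, current, unix_name))
            current = unix_name              # later lines see the new name
            if stop:
                break
    return current, trace


def audit(rules):
    """Heuristic review list: mappings to root, and wildcard fall-through."""
    findings = []
    for i, (line_no, _stop, unix_name, names) in enumerate(rules):
        if unix_name == "root":
            findings.append((line_no, "maps %s to root" % ", ".join(names)))
        if "*" in names:
            for prev_no, prev_stop, prev_unix, _ in rules[:i]:
                if not prev_stop:
                    findings.append((line_no,
                        "result of line %d (%s) can fall through to this "
                        "wildcard; that line has no '!'" % (prev_no, prev_unix)))
    return findings


if __name__ == "__main__":
    parsed = parse_username_map(SAMPLE_MAP)
    for who in ("mary", "alice", "Andrew Tridgell", "ADMIN", "bob"):
        print(who, "->", map_username(parsed, who, SAMPLE_GROUPS))
    for finding in audit(parsed):
        print("review line %d: %s" % finding)
```

In the sample, "Andrew Tridgell" and "ADMIN" both end up as guest because their lines carry no '!' and the wildcard line later in the file remaps the result.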
6935 \fBuse sendfile (S)\fR
6936 If this parameter is yes, and Samba
6937 was built with the --with-sendfile-support option, and the underlying operating
6938 system supports sendfile system call, then some SMB read calls (mainly ReadAndX
6939 and ReadRaw) will use the more efficient sendfile system call for files that
6940 are exclusively oplocked. This may make more efficient use of the system CPUs
6941 and cause Samba to be faster. This is off by default as its effects are unknown
6944 Default: \fBuse sendfile = no\fR
6947 This boolean parameter is only available if
6948 Samba has been configured and compiled with the option \fB--with-utmp\fR. If set to yes then Samba will attempt
6949 to add utmp or utmpx records (depending on the UNIX system) whenever a
6950 connection is made to a Samba server. Sites may use this to record the
6951 user connecting to a Samba share.
6953 Due to the requirements of the utmp record, we
6954 are required to create a unique identifier for the
6955 incoming user. Enabling this option creates an n^2
6956 algorithm to find this number. This may impede
6957 performance on large installations.
6959 See also the \fIutmp directory\fR parameter.
6961 Default: \fButmp = no\fR
6963 \fButmp directory (G)\fR
6964 This parameter is only available if Samba has
6965 been configured and compiled with the option \fB--with-utmp\fR. It specifies a directory pathname that is
6966 used to store the utmp or utmpx files (depending on the UNIX system) that
6967 record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is
6968 not set, meaning the system will use whatever utmp file the
6969 native system is set to use (usually
6970 \fI/var/run/utmp\fR on Linux).
6972 Default: \fBno utmp directory\fR
6974 Example: \fButmp directory = /var/run/utmp\fR
6976 \fBwtmp directory (G)\fR
6977 This parameter is only available if Samba has
6978 been configured and compiled with the option \fB--with-utmp\fR. It specifies a directory pathname that is
6979 used to store the wtmp or wtmpx files (depending on the UNIX system) that
6980 record user connections to a Samba server. The difference with
6981 the utmp directory is the fact that user info is kept after a user
6983 See also the \fIutmp\fR parameter. By default this is
6984 not set, meaning the system will use whatever utmp file the
6985 native system is set to use (usually
6986 \fI/var/run/wtmp\fR on Linux).
6988 Default: \fBno wtmp directory\fR
6990 Example: \fBwtmp directory = /var/log/wtmp\fR
6992 \fBvalid users (S)\fR
6993 This is a list of users that should be allowed
6994 to login to this service. Names starting with '@', '+' and '&'
6995 are interpreted using the same rules as described in the
6996 \fIinvalid users\fR parameter.
6998 If this is empty (the default) then any user can login.
6999 If a username is in both this list and the \fIinvalid
7000 users\fR list then access is denied for that user.
7002 The current servicename is substituted for \fI%S
7003 \fR. This is useful in the [homes] section.
7005 See also \fIinvalid users
7008 Default: \fBNo valid users list (anyone can login)
7011 Example: \fBvalid users = greg, @pcusers\fR
7014 This is a list of files and directories that
7015 are neither visible nor accessible. Each entry in the list must
7016 be separated by a '/', which allows spaces to be included
7017 in the entry. '*' and '?' can be used to specify multiple files
7018 or directories as in DOS wildcards.
7020 Each entry must be a unix path, not a DOS path and
7021 must \fBnot\fR include the unix directory
7024 Note that the \fIcase sensitive\fR option
7025 is applicable in vetoing files.
7027 One feature of the veto files parameter that it
7028 is important to be aware of is Samba's behaviour when
7029 trying to delete a directory. If a directory that is
7030 to be deleted contains nothing but veto files this
7031 deletion will \fBfail\fR unless you also set
7032 the \fIdelete veto files\fR parameter to
7035 Setting this parameter will affect the performance
7036 of Samba, as it will be forced to check all files and directories
7037 for a match as they are scanned.
7039 See also \fIhide files
7040 \fR and \fIcase sensitive\fR.
7042 Default: \fBNo files or directories are vetoed.
7048 ; Veto any files containing the word Security,
7049 ; any ending in .tmp, and any directory containing the
7051 veto files = /*Security*/*.tmp/*root*/
7053 ; Veto the Apple specific files that a NetAtalk server
7055 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
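The list format described above, as an added example (not Samba's own code): a small checker that splits a veto files value on '/' and tests each component of a unix path against the entries, treating only '*' and '?' as wildcards. Matching component by component and the `case_sensitive` argument are assumptions of this sketch; the sample paths are constructed.

```python
import re

def parse_veto_list(value):
    """Split a 'veto files' value on '/'; spaces stay inside an entry."""
    return [entry for entry in value.split("/") if entry]

def _to_regex(entry, case_sensitive):
    # Only '*' and '?' are wildcards (DOS style); every other character,
    # including '[' and '.', is matched literally.
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("".join(parts), flags)

def vetoed_by(path, veto_value, case_sensitive=False):
    """Return the first entry matching any component of a unix path, else None.

    case_sensitive=False models a share with 'case sensitive = no' (assumption).
    """
    patterns = [(e, _to_regex(e, case_sensitive)) for e in parse_veto_list(veto_value)]
    for component in path.split("/"):
        if not component:
            continue
        for entry, rx in patterns:
            if rx.fullmatch(component):
                return entry
    return None

# The two values are the manual's examples; the paths below are constructed.
SECURITY = "/*Security*/*.tmp/*root*/"
NETATALK = "/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/"

if __name__ == "__main__":
    for p in ("docs/Security Policy.doc", "build/out.tmp",
              "garden/uprooted.txt", "docs/report.txt"):
        print(p, "->", vetoed_by(p, SECURITY))
```

Running candidate patterns through a checker like this before deployment shows how broad a wildcard such as `*root*` is: it also hides `uprooted.txt`.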
7058 \fBveto oplock files (S)\fR
7059 This parameter is only valid when the \fIoplocks\fR
7060 parameter is turned on for a share. It allows the Samba administrator
7061 to selectively turn off the granting of oplocks on selected files that
7062 match a wildcarded list, similar to the wildcarded list used in the
7066 Default: \fBNo files are vetoed for oplock
7069 You might want to do this on files that you know will
7070 be heavily contended for by clients. A good example of this
7071 is in the NetBench SMB benchmark program, which causes heavy
7072 client contention for files ending in \fI.SEM\fR.
7073 To cause Samba not to grant oplocks on these files you would use
7074 the line (either in the [global] section or in the section for
7075 the particular NetBench share):
7077 Example: \fBveto oplock files = /*.SEM/
7081 This parameter specifies the directory
7082 to look in for vfs modules. The name of every \fBvfs object
7083 \fR will be prepended by this directory
7085 Default: \fBvfs path = \fR
7087 Example: \fBvfs path = /usr/lib/samba/vfs\fR
7089 \fBvfs object (S)\fR
7090 This parameter specifies the shared object files that
7091 are used for Samba VFS I/O operations. By default, normal
7092 disk I/O operations are used but these can be overloaded
7093 with one or more VFS objects.
7095 Default: \fBno value\fR
7097 \fBvfs options (S)\fR
7098 This parameter allows parameters to be passed
7099 to the vfs layer at initialization time.
7100 See also \fI vfs object\fR.
7102 Default: \fBno value\fR
7105 This allows you to override the volume label
7106 returned for a share. Useful for CDROMs with installation programs
7107 that insist on a particular volume label.
7109 Default: \fBthe name of the share\fR
7111 \fBwide links (S)\fR
7112 This parameter controls whether or not links
7113 in the UNIX file system may be followed by the server. Links
7114 that point to areas within the directory tree exported by the
7115 server are always allowed; this parameter controls access only
7116 to areas that are outside the directory tree being exported.
7118 Note that setting this parameter can have a negative
7119 effect on your server performance due to the extra system calls
7120 that Samba has to do in order to perform the link checks.
7122 Default: \fBwide links = yes\fR
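Because the default allows links that leave the exported tree, it helps to know which links in a share actually do so. The following added example (not part of the Samba distribution) walks a share directory and lists symbolic links whose resolved target lies outside it; the function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile

def links_leaving_share(share_root):
    """Return sorted (link path relative to the share, resolved target) pairs
    for symbolic links that resolve outside share_root."""
    root = os.path.realpath(share_root)
    found = []
    # followlinks=False: linked directories are reported but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # A target is inside the tree only if the share root is a prefix
            # of it on a path-component boundary.
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)

def demo():
    """Build a constructed sample share in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "pub"))
        outside = os.path.join(tmp, "outside.txt")
        open(outside, "w").close()
        os.symlink("pub", os.path.join(share, "inside_link"))      # stays inside
        os.symlink(outside, os.path.join(share, "pub", "escape"))  # absolute, leaves
        os.symlink("../..", os.path.join(share, "pub", "up"))      # relative, leaves
        return [link for link, _ in links_leaving_share(share)]

if __name__ == "__main__":
    print(demo())
```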
7124 \fBwinbind cache time (G)\fR
7125 This parameter specifies the number of seconds the
7126 winbindd(8) daemon will cache
7127 user and group information before querying a Windows NT server
7130 Default: \fBwinbind cache time = 15\fR
7132 \fBwinbind enum users (G)\fR
7133 On large installations using
7134 winbindd(8) it may be
7135 necessary to suppress the enumeration of users through the
7137 \fBgetpwent()\fR and
7138 \fBendpwent()\fR group of system calls. If
7139 the \fIwinbind enum users\fR parameter is
7140 no, calls to the \fBgetpwent\fR system call
7141 will not return any data.
7143 \fBWarning:\fR Turning off user
7144 enumeration may cause some programs to behave oddly. For
7145 example, the finger program relies on having access to the
7146 full user list when searching for matching
7149 Default: \fBwinbind enum users = yes \fR
7151 \fBwinbind enum groups (G)\fR
7152 On large installations using
7153 winbindd(8) it may be
7154 necessary to suppress the enumeration of groups through the
7156 \fBgetgrent()\fR and
7157 \fBendgrent()\fR group of system calls. If
7158 the \fIwinbind enum groups\fR parameter is
7159 no, calls to the \fBgetgrent()\fR system
7160 call will not return any data.
7162 \fBWarning:\fR Turning off group
7163 enumeration may cause some programs to behave oddly.
7165 Default: \fBwinbind enum groups = yes \fR
7167 \fBwinbind gid (G)\fR
7168 The winbind gid parameter specifies the range of group
7169 ids that are allocated by the winbindd(8) daemon. This range of group ids should have no
7170 existing local or NIS groups within it as strange conflicts can
7173 Default: \fBwinbind gid = <empty string>
7176 Example: \fBwinbind gid = 10000-20000\fR
7178 \fBwinbind separator (G)\fR
7179 This parameter allows an admin to define the character
7180 used when listing a username of the form of \fIDOMAIN
7181 \fR\\\fIuser\fR. This parameter
7182 is only applicable when using the \fIpam_winbind.so\fR
7183 and \fInss_winbind.so\fR modules for UNIX services.
7185 Please note that setting this parameter to + causes problems
7186 with group membership at least on glibc systems, as the character +
7187 is used as a special character for NIS in /etc/group.
7189 Default: \fBwinbind separator = '\\'\fR
7191 Example: \fBwinbind separator = +\fR
7193 \fBwinbind uid (G)\fR
7194 The winbind uid parameter specifies the range of user
7195 ids that are allocated by the winbindd(8) daemon. This range of ids should have no
7196 existing local or NIS users within it as strange conflicts can
7199 Default: \fBwinbind uid = <empty string>
7202 Example: \fBwinbind uid = 10000-20000\fR
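Both \fIwinbind gid\fR and \fIwinbind uid\fR require a range that is free of existing accounts. As an added example (not code from Samba), this check parses a range value and reports entries from passwd- or group-format text that fall inside it; the function names and the sample database lines are constructed, and NIS entries would have to be supplied as text from whatever tool lists them on the system.

```python
import re

def parse_id_range(value):
    """Parse a 'winbind uid' / 'winbind gid' value such as '10000-20000'."""
    m = re.fullmatch(r"\s*([0-9]+)\s*-\s*([0-9]+)\s*", value)
    if not m:
        raise ValueError(f"not an id range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"range is reversed: {value!r}")
    return low, high

def conflicts(db_text, value):
    """Return (name, id) pairs from passwd- or group-format text inside the range.

    In both formats the third colon-separated field is the numeric id.
    """
    low, high = parse_id_range(value)
    hits = []
    for line in db_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3:
            continue
        if not re.fullmatch(r"[0-9]+", fields[2]):
            continue  # e.g. NIS compat lines such as '+::::::'
        if low <= int(fields[2]) <= high:
            hits.append((fields[0], int(fields[2])))
    return hits

# Constructed sample data, not taken from a real system.
PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
backup:x:10050:100::/var/backup:/bin/false
+::::::
"""
GROUP = """staff:x:50:
projects:x:15000:alice
"""

if __name__ == "__main__":
    print(conflicts(PASSWD, "10000-20000"), conflicts(GROUP, "10000-20000"))
```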
7206 \fBwinbind use default domain (G)\fR
7207 This parameter specifies whether the winbindd(8)
7208 daemon should operate on users without a domain component in their username.
7209 Users without a domain component are treated as part of the winbindd server's
7210 own domain. While this does not benefit Windows users, it makes SSH, FTP and e-mail
7211 function in a way much closer to the way they would in a native unix system.
7213 Default: \fBwinbind use default domain = <no>
7216 Example: \fBwinbind use default domain = yes\fR
7219 When Samba is running as a WINS server this
7220 allows you to call an external program for all changes to the
7221 WINS database. The primary use for this option is to allow the
7222 dynamic update of external name resolution databases such as
7225 The wins hook parameter specifies the name of a script
7226 or executable that will be called as follows:
7228 \fBwins_hook operation name nametype ttl IP_list
7233 The first argument is the operation and is one
7234 of "add", "delete", or "refresh". In most cases the operation can
7235 be ignored as the rest of the parameters provide sufficient
7236 information. Note that "refresh" may sometimes be called when the
7237 name has not previously been added, in that case it should be treated
7241 The second argument is the NetBIOS name. If the
7242 name is not a legal name then the wins hook is not called.
7243 Legal names contain only letters, digits, hyphens, underscores
7247 The third argument is the NetBIOS name
7248 type as a 2 digit hexadecimal number.
7251 The fourth argument is the TTL (time to live)
7252 for the name in seconds.
7255 The fifth and subsequent arguments are the IP
7256 addresses currently registered for that name. If this list is
7257 empty then the name should be deleted.
7260 An example script that calls the BIND dynamic DNS update
7261 program \fBnsupdate\fR is provided in the examples
7262 directory of the Samba source code.
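A hook receives its arguments from name registrations, so it should check them before passing anything on to another program. The following added example (not the script shipped in the Samba examples directory) validates the argument list described above and decides between setting and deleting a record; `plan_update` and its return format are hypothetical, and the set of legal name characters is limited to the ones visible in this page's list.

```python
import ipaddress
import re
import sys

# Characters the manual lists for legal names; its list is cut off after
# "underscores" on this page, so this set is an assumption and may be too narrow.
LEGAL_NAME = re.compile(r"[A-Za-z0-9_-]+")
NAME_TYPE = re.compile(r"[0-9A-Fa-f]{2}")
TTL = re.compile(r"[0-9]+")

def plan_update(args):
    """Map wins hook arguments to (action, name, nametype, ttl, ips).

    args is: operation name nametype ttl [IP ...]
    """
    if len(args) < 4:
        raise ValueError("expected: operation name nametype ttl [IP ...]")
    operation, name, nametype, ttl, *ips = args
    if operation not in ("add", "delete", "refresh"):
        raise ValueError(f"unknown operation: {operation!r}")
    if not LEGAL_NAME.fullmatch(name):
        raise ValueError(f"illegal NetBIOS name: {name!r}")
    if not NAME_TYPE.fullmatch(nametype):
        raise ValueError(f"name type is not 2 hex digits: {nametype!r}")
    if not TTL.fullmatch(ttl):
        raise ValueError(f"TTL is not a number of seconds: {ttl!r}")
    # IPv4Address raises ValueError for anything that is not a dotted quad.
    addresses = [str(ipaddress.IPv4Address(ip)) for ip in ips]
    # The operation is not used for the decision: an empty IP list means the
    # name should be deleted, anything else is the current set of addresses.
    action = "set" if addresses else "delete"
    return action, name, int(nametype, 16), int(ttl), addresses

if __name__ == "__main__":
    try:
        print(plan_update(sys.argv[1:]))
    except ValueError as err:
        sys.exit(f"wins hook: rejected arguments: {err}")
```

A real hook would hand the validated values to its update program as a list of arguments rather than building a shell command line from them.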
7264 \fBwins proxy (G)\fR
7265 This is a boolean that controls if nmbd(8) will respond to broadcast name
7266 queries on behalf of other hosts. You may need to set this
7267 to yes for some older clients.
7269 Default: \fBwins proxy = no\fR
7271 \fBwins server (G)\fR
7272 This specifies the IP address (or DNS name: IP
7273 address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on
7274 your network then you should set this to the WINS server's IP.
7276 You should point this at your WINS server if you have a
7277 multi-subnetted network.
7279 \fBNOTE\fR. You need to set up Samba to point
7280 to a WINS server if you have multiple subnets and wish cross-subnet
7281 browsing to work correctly.
7283 See the documentation file \fIBROWSING.txt\fR
7284 in the docs/ directory of your Samba source distribution.
7286 Default: \fBnot enabled\fR
7288 Example: \fBwins server = 192.9.200.1\fR
7290 \fBwins support (G)\fR
7291 This boolean controls if the
7292 nmbd(8) process in Samba will act as a WINS server. You should
7293 not set this to yes unless you have a multi-subnetted network and
7294 you wish a particular \fBnmbd\fR to be your WINS server.
7295 Note that you should \fBNEVER\fR set this to yes
7296 on more than one machine in your network.
7298 Default: \fBwins support = no\fR
7301 This controls what workgroup your server will
7302 appear to be in when queried by clients. Note that this parameter
7303 also controls the Domain name used with the \fBsecurity = domain\fR
7306 Default: \fBset at compile time to WORKGROUP\fR
7308 Example: \fBworkgroup = MYGROUP\fR
7311 Synonym for \fI writeable\fR for people who can't spell :-).
7313 \fBwrite cache size (S)\fR
7314 If this integer parameter is set to a non-zero value,
7315 Samba will create an in-memory cache for each oplocked file
7316 (it does \fBnot\fR do this for
7317 non-oplocked files). All writes that the client does not request
7318 to be flushed directly to disk will be stored in this cache if possible.
7319 The cache is flushed onto disk when a write comes in whose offset
7320 would not fit into the cache or when the file is closed by the client.
7321 Reads for the file are also served from this cache if the data is stored
7324 This cache allows Samba to batch client writes into a more
7325 efficient write size for RAID disks (i.e. writes may be tuned to
7326 be the RAID stripe size) and can improve performance on systems
7327 where the disk subsystem is a bottleneck but there is free
7328 memory for userspace programs.
7330 The integer parameter specifies the size of this cache
7331 (per oplocked file) in bytes.
7333 Default: \fBwrite cache size = 0\fR
7335 Example: \fBwrite cache size = 262144\fR
7337 for a 256k cache size per file.
7339 \fBwrite list (S)\fR
7340 This is a list of users that are given read-write
7341 access to a service. If the connecting user is in this list then
7342 they will be given write access, no matter what the \fIread only\fR
7343 option is set to. The list can include group names using the
7346 Note that if a user is in both the read list and the
7347 write list then they will be given write access.
7349 See also the \fIread list
7352 Default: \fBwrite list = <empty string>
7355 Example: \fBwrite list = admin, root, @staff
7358 \fBwins partners (G)\fR
7359 A space separated list of partners' IP addresses for
7360 WINS replication. WINS partners are always defined as push/pull
7361 partners as defining only one way WINS replication is unreliable.
7362 WINS replication is currently experimental and unreliable between
7365 Default: \fBwins partners = \fR
7367 Example: \fBwins partners = 192.168.0.1 172.16.1.2\fR
7370 Inverted synonym for \fI read only\fR.
7373 This parameter controls whether or not the server
7374 will support raw write SMB's when transferring data from clients.
7375 You should never need to change this parameter.
7377 Default: \fBwrite raw = yes\fR
7380 Inverted synonym for \fI read only\fR.
7383 Although the configuration file permits service names
7384 to contain spaces, your client software may not. Spaces will
7385 be ignored in comparisons anyway, so it shouldn't be a
7386 problem - but be aware of the possibility.
7388 On a similar note, many clients - especially DOS clients -
7389 limit service names to eight characters. smbd(8)
7390 has no such limitation, but attempts to connect from such
7391 clients will fail if they truncate the service names. For this reason
7392 you should probably keep your service names down to eight characters
7395 Use of the [homes] and [printers] special sections makes life
7396 for an administrator easy, but the various combinations of default
7397 attributes can be tricky. Take extreme care when designing these
7398 sections. In particular, ensure that the permissions on spool
7399 directories are correct.
7402 This man page is correct for version 3.0 of
7417 The original Samba software and related utilities
7418 were created by Andrew Tridgell. Samba is now developed
7419 by the Samba Team as an Open Source project similar
7420 to the way the Linux kernel is developed.
7422 The original Samba man pages were written by Karl Auer.
7423 The man page sources were converted to YODL format (another
7424 excellent piece of Open Source software, available at
7425 ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0
7426 release by Jeremy Allison. The conversion to DocBook for
7427 Samba 2.2 was done by Gerald Carter