search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
merging for 2.2.6pre1
[Samba.git] / docs / docbook / manpages / smb.conf.5.sgml
blobcff2afdcaca0c43ab0bbbe9e73f0669585318014
1 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
2 <refentry id="smb.conf">
3
4 <refmeta>
5 <refentrytitle>smb.conf</refentrytitle>
6 <manvolnum>5</manvolnum>
7 </refmeta>
8
9
10 <refnamediv>
11 <refname>smb.conf</refname>
12 <refpurpose>The configuration file for the Samba suite</refpurpose>
13 </refnamediv>
14
15 <refsect1>
16 <title>SYNOPSIS</title>
17
18 <para>The <filename>smb.conf</filename> file is a configuration
19 file for the Samba suite. <filename>smb.conf</filename> contains
20 runtime configuration information for the Samba programs. The
21 <filename>smb.conf</filename> file is designed to be configured and
22 administered by the <ulink url="swat.8.html"><command>swat(8)</command>
23 </ulink> program. The complete description of the file format and
24 possible parameters held within are here for reference purposes.</para>
25 </refsect1>
26
27 <refsect1>
28 <title id="FILEFORMATSECT">FILE FORMAT</title>
29
30 <para>The file consists of sections and parameters. A section
31 begins with the name of the section in square brackets and continues
32 until the next section begins. Sections contain parameters of the
33 form</para>
34
35 <para><replaceable>name</replaceable> = <replaceable>value
36 </replaceable></para>
37
38 <para>The file is line-based - that is, each newline-terminated
39 line represents either a comment, a section name or a parameter.</para>
40
41 <para>Section and parameter names are not case sensitive.</para>
42
43 <para>Only the first equals sign in a parameter is significant.
44 Whitespace before or after the first equals sign is discarded.
45 Leading, trailing and internal whitespace in section and parameter
46 names is irrelevant. Leading and trailing whitespace in a parameter
47 value is discarded. Internal whitespace within a parameter value
48 is retained verbatim.</para>
49
50 <para>Any line beginning with a semicolon (';') or a hash ('#')
51 character is ignored, as are lines containing only whitespace.</para>
52
53 <para>Any line ending in a '\' is continued
54 on the next line in the customary UNIX fashion.</para>
55
56 <para>The values following the equals sign in parameters are all
57 either a string (no quotes needed) or a boolean, which may be given
58 as yes/no, 0/1 or true/false. Case is not significant in boolean
59 values, but is preserved in string values. Some items such as
60 create modes are numeric.</para>
61 </refsect1>
62
63 <refsect1>
64 <title>SECTION DESCRIPTIONS</title>
65
66 <para>Each section in the configuration file (except for the
67 [global] section) describes a shared resource (known
68 as a "share"). The section name is the name of the
69 shared resource and the parameters within the section define
70 the shares attributes.</para>
71
72 <para>There are three special sections, [global],
73 [homes] and [printers], which are
74 described under <emphasis>special sections</emphasis>. The
75 following notes apply to ordinary section descriptions.</para>
76
77 <para>A share consists of a directory to which access is being
78 given plus a description of the access rights which are granted
79 to the user of the service. Some housekeeping options are
80 also specifiable.</para>
81
82 <para>Sections are either file share services (used by the
83 client as an extension of their native file systems) or
84 printable services (used by the client to access print services
85 on the host running the server).</para>
86
87 <para>Sections may be designated <emphasis>guest</emphasis> services,
88 in which case no password is required to access them. A specified
89 UNIX <emphasis>guest account</emphasis> is used to define access
90 privileges in this case.</para>
91
92 <para>Sections other than guest services will require a password
93 to access them. The client provides the username. As older clients
94 only provide passwords and not usernames, you may specify a list
95 of usernames to check against the password using the "user ="
96 option in the share definition. For modern clients such as
97 Windows 95/98/ME/NT/2000, this should not be necessary.</para>
98
99 <para>Note that the access rights granted by the server are
100 masked by the access rights granted to the specified or guest
101 UNIX user by the host system. The server does not grant more
102 access than the host system grants.</para>
103
104 <para>The following sample section defines a file space share.
105 The user has write access to the path <filename>/home/bar</filename>.
106 The share is accessed via the share name "foo":</para>
107
108 <screen>
109 <computeroutput>
110 [foo]
111 path = /home/bar
112 writeable = true
113 </computeroutput>
114 </screen>
115
116 <para>The following sample section defines a printable share.
117 The share is readonly, but printable. That is, the only write
118 access permitted is via calls to open, write to and close a
119 spool file. The <emphasis>guest ok</emphasis> parameter means
120 access will be permitted as the default guest user (specified
121 elsewhere):</para>
122
123 <screen>
124 <computeroutput>
125 [aprinter]
126 path = /usr/spool/public
127 writeable = false
128 printable = true
129 guest ok = true
130 </computeroutput>
131 </screen>
132 </refsect1>
133
134 <refsect1>
135 <title>SPECIAL SECTIONS</title>
136
137 <refsect2>
138 <title>The [global] section</title>
139
140 <para>parameters in this section apply to the server
141 as a whole, or are defaults for sections which do not
142 specifically define certain items. See the notes
143 under PARAMETERS for more information.</para>
144 </refsect2>
145
146 <refsect2>
147 <title id="HOMESECT">The [homes] section</title>
148
149 <para>If a section called homes is included in the
150 configuration file, services connecting clients to their
151 home directories can be created on the fly by the server.</para>
152
153 <para>When the connection request is made, the existing
154 sections are scanned. If a match is found, it is used. If no
155 match is found, the requested section name is treated as a
156 user name and looked up in the local password file. If the
157 name exists and the correct password has been given, a share is
158 created by cloning the [homes] section.</para>
159
160 <para>Some modifications are then made to the newly
161 created share:</para>
162
163 <itemizedlist>
164 <listitem><para>The share name is changed from homes to
165 the located username.</para></listitem>
166
167 <listitem><para>If no path was given, the path is set to
168 the user's home directory.</para></listitem>
169 </itemizedlist>
170
171 <para>If you decide to use a <emphasis>path =</emphasis> line
172 in your [homes] section then you may find it useful
173 to use the %S macro. For example :</para>
174
175 <para><userinput>path = /data/pchome/%S</userinput></para>
176
177 <para>would be useful if you have different home directories
178 for your PCs than for UNIX access.</para>
179
180 <para>This is a fast and simple way to give a large number
181 of clients access to their home directories with a minimum
182 of fuss.</para>
183
184 <para>A similar process occurs if the requested section
185 name is "homes", except that the share name is not
186 changed to that of the requesting user. This method of using
187 the [homes] section works well if different users share
188 a client PC.</para>
189
190 <para>The [homes] section can specify all the parameters
191 a normal service section can specify, though some make more sense
192 than others. The following is a typical and suitable [homes]
193 section:</para>
194
195 <screen>
196 <computeroutput>
197 [homes]
198 writeable = yes
199 </computeroutput>
200 </screen>
201
202 <para>An important point is that if guest access is specified
203 in the [homes] section, all home directories will be
204 visible to all clients <emphasis>without a password</emphasis>.
205 In the very unlikely event that this is actually desirable, it
206 would be wise to also specify <emphasis>read only
207 access</emphasis>.</para>
208
209 <para>Note that the <emphasis>browseable</emphasis> flag for
210 auto home directories will be inherited from the global browseable
211 flag, not the [homes] browseable flag. This is useful as
212 it means setting <emphasis>browseable = no</emphasis> in
213 the [homes] section will hide the [homes] share but make
214 any auto home directories visible.</para>
215 </refsect2>
216
217 <refsect2>
218 <title id="PRINTERSSECT">The [printers] section</title>
219
220 <para>This section works like [homes],
221 but for printers.</para>
222
223 <para>If a [printers] section occurs in the
224 configuration file, users are able to connect to any printer
225 specified in the local host's printcap file.</para>
226
227 <para>When a connection request is made, the existing sections
228 are scanned. If a match is found, it is used. If no match is found,
229 but a [homes] section exists, it is used as described
230 above. Otherwise, the requested section name is treated as a
231 printer name and the appropriate printcap file is scanned to see
232 if the requested section name is a valid printer share name. If
233 a match is found, a new printer share is created by cloning
234 the [printers] section.</para>
235
236 <para>A few modifications are then made to the newly created
237 share:</para>
238
239 <itemizedlist>
240 <listitem><para>The share name is set to the located printer
241 name</para></listitem>
242
243 <listitem><para>If no printer name was given, the printer name
244 is set to the located printer name</para></listitem>
245
246 <listitem><para>If the share does not permit guest access and
247 no username was given, the username is set to the located
248 printer name.</para></listitem>
249 </itemizedlist>
250
251 <para>Note that the [printers] service MUST be
252 printable - if you specify otherwise, the server will refuse
253 to load the configuration file.</para>
254
255 <para>Typically the path specified would be that of a
256 world-writeable spool directory with the sticky bit set on
257 it. A typical [printers] entry would look like
258 this:</para>
259
260 <screen><computeroutput>
261 [printers]
262 path = /usr/spool/public
263 guest ok = yes
264 printable = yes
265 </computeroutput></screen>
266
267 <para>All aliases given for a printer in the printcap file
268 are legitimate printer names as far as the server is concerned.
269 If your printing subsystem doesn't work like that, you will have
270 to set up a pseudo-printcap. This is a file consisting of one or
271 more lines like this:</para>
272
273 <screen>
274 <computeroutput>
275 alias|alias|alias|alias...
276 </computeroutput>
277 </screen>
278
279 <para>Each alias should be an acceptable printer name for
280 your printing subsystem. In the [global] section, specify
281 the new file as your printcap. The server will then only recognize
282 names found in your pseudo-printcap, which of course can contain
283 whatever aliases you like. The same technique could be used
284 simply to limit access to a subset of your local printers.</para>
285
286 <para>An alias, by the way, is defined as any component of the
287 first entry of a printcap record. Records are separated by newlines,
288 components (if there are more than one) are separated by vertical
289 bar symbols ('|').</para>
290
291 <para>NOTE: On SYSV systems which use lpstat to determine what
292 printers are defined on the system you may be able to use
293 "printcap name = lpstat" to automatically obtain a list
294 of printers. See the "printcap name" option
295 for more details.</para>
296 </refsect2>
297 </refsect1>
298
299 <refsect1>
300 <title>PARAMETERS</title>
301
302 <para>parameters define the specific attributes of sections.</para>
303
304 <para>Some parameters are specific to the [global] section
305 (e.g., <emphasis>security</emphasis>). Some parameters are usable
306 in all sections (e.g., <emphasis>create mode</emphasis>). All others
307 are permissible only in normal sections. For the purposes of the
308 following descriptions the [homes] and [printers]
309 sections will be considered normal. The letter <emphasis>G</emphasis>
310 in parentheses indicates that a parameter is specific to the
311 [global] section. The letter <emphasis>S</emphasis>
312 indicates that a parameter can be specified in a service specific
313 section. Note that all <emphasis>S</emphasis> parameters can also be specified in
314 the [global] section - in which case they will define
315 the default behavior for all services.</para>
316
317 <para>parameters are arranged here in alphabetical order - this may
318 not create best bedfellows, but at least you can find them! Where
319 there are synonyms, the preferred synonym is described, others refer
320 to the preferred synonym.</para>
321 </refsect1>
322
323 <refsect1>
324 <title>VARIABLE SUBSTITUTIONS</title>
325
326 <para>Many of the strings that are settable in the config file
327 can take substitutions. For example the option "path =
328 /tmp/%u" would be interpreted as "path =
329 /tmp/john" if the user connected with the username john.</para>
330
331 <para>These substitutions are mostly noted in the descriptions below,
332 but there are some general substitutions which apply whenever they
333 might be relevant. These are:</para>
334
335 <variablelist>
336 <varlistentry>
337 <term>%S</term>
338 <listitem><para>the name of the current service, if any.</para>
339 </listitem>
340 </varlistentry>
341
342 <varlistentry>
343 <term>%P</term>
344 <listitem><para>the root directory of the current service,
345 if any.</para></listitem>
346 </varlistentry>
347
348 <varlistentry>
349 <term>%u</term>
350 <listitem><para>user name of the current service, if any.</para>
351 </listitem>
352 </varlistentry>
353
354 <varlistentry>
355 <term>%g</term>
356 <listitem><para>primary group name of %u.</para></listitem>
357 </varlistentry>
358
359 <varlistentry>
360 <term>%U</term>
361 <listitem><para>session user name (the user name that the client
362 wanted, not necessarily the same as the one they got).</para></listitem>
363 </varlistentry>
364
365 <varlistentry>
366 <term>%G</term>
367 <listitem><para>primary group name of %U.</para></listitem>
368 </varlistentry>
369
370 <varlistentry>
371 <term>%H</term>
372 <listitem><para>the home directory of the user given
373 by %u.</para></listitem>
374 </varlistentry>
375
376 <varlistentry>
377 <term>%v</term>
378 <listitem><para>the Samba version.</para></listitem>
379 </varlistentry>
380
381 <varlistentry>
382 <term>%h</term>
383 <listitem><para>the Internet hostname that Samba is running
384 on.</para></listitem>
385 </varlistentry>
386
387 <varlistentry>
388 <term>%m</term>
389 <listitem><para>the NetBIOS name of the client machine
390 (very useful).</para></listitem>
391 </varlistentry>
392
393 <varlistentry>
394 <term>%L</term>
395 <listitem><para>the NetBIOS name of the server. This allows you
396 to change your config based on what the client calls you. Your
397 server can have a "dual personality".</para>
398
399 <para>Note that this paramater is not available when Samba listens
400 on port 445, as clients no longer send this information </para>
401 </listitem>
402
403 </varlistentry>
404
405 <varlistentry>
406 <term>%M</term>
407 <listitem><para>the Internet name of the client machine.
408 </para></listitem>
409 </varlistentry>
410
411 <varlistentry>
412 <term>%N</term>
413 <listitem><para>the name of your NIS home directory server.
414 This is obtained from your NIS auto.map entry. If you have
415 not compiled Samba with the <emphasis>--with-automount</emphasis>
416 option then this value will be the same as %L.</para>
417 </listitem>
418 </varlistentry>
419
420 <varlistentry>
421 <term>%p</term>
422 <listitem><para>the path of the service's home directory,
423 obtained from your NIS auto.map entry. The NIS auto.map entry
424 is split up as "%N:%p".</para></listitem>
425 </varlistentry>
426
427 <varlistentry>
428 <term>%R</term>
429 <listitem><para>the selected protocol level after
430 protocol negotiation. It can be one of CORE, COREPLUS,
431 LANMAN1, LANMAN2 or NT1.</para></listitem>
432 </varlistentry>
433
434 <varlistentry>
435 <term>%d</term>
436 <listitem><para>The process id of the current server
437 process.</para></listitem>
438 </varlistentry>
439
440 <varlistentry>
441 <term>%a</term>
442 <listitem><para>the architecture of the remote
443 machine. Only some are recognized, and those may not be
444 100% reliable. It currently recognizes Samba, WfWg, Win95,
445 WinNT and Win2k. Anything else will be known as
446 "UNKNOWN". If it gets it wrong then sending a level
447 3 log to <ulink url="mailto:samba@samba.org">samba@samba.org
448 </ulink> should allow it to be fixed.</para></listitem>
449 </varlistentry>
450
451 <varlistentry>
452 <term>%I</term>
453 <listitem><para>The IP address of the client machine.</para>
454 </listitem>
455 </varlistentry>
456
457 <varlistentry>
458 <term>%T</term>
459 <listitem><para>the current date and time.</para></listitem>
460 </varlistentry>
461
462 <varlistentry>
463 <term>%$(<replaceable>envvar</replaceable>)</term>
464 <listitem><para>The value of the environment variable
465 <replaceable>envar</replaceable>.</para></listitem>
466 </varlistentry>
467 </variablelist>
468
469 <para>There are some quite creative things that can be done
470 with these substitutions and other smb.conf options.</para
471 </refsect1>
472
473 <refsect1>
474 <title id="NAMEMANGLINGSECT">NAME MANGLING</title>
475
476 <para>Samba supports "name mangling" so that DOS and
477 Windows clients can use files that don't conform to the 8.3 format.
478 It can also be set to adjust the case of 8.3 format filenames.</para>
479
480 <para>There are several options that control the way mangling is
481 performed, and they are grouped here rather than listed separately.
482 For the defaults look at the output of the testparm program. </para>
483
484 <para>All of these options can be set separately for each service
485 (or globally, of course). </para>
486
487 <para>The options are: </para>
488
489 <variablelist>
490
491 <varlistentry>
492 <term>mangling method</term>
493 <listitem><para> controls the algorithm used for the generating
494 the mangled names. Can take two different values, "hash" and
495 "hash2". "hash" is the default and is the algorithm that has been
496 used in Samba for many years. "hash2" is a newer and considered
497 a better algorithm (generates less collisions) in the names.
498 However, many Win32 applications store the
499 mangled names and so changing to the new algorithm must not be done
500 lightly as these applications may break unless reinstalled.
501 New installations of Samba may set the default to hash2.
502 Default <emphasis>hash</emphasis>.</para></listitem>
503 </varlistentry>
504
505
506 <varlistentry>
507 <term>mangle case = yes/no</term>
508 <listitem><para> controls if names that have characters that
509 aren't of the "default" case are mangled. For example,
510 if this is yes then a name like "Mail" would be mangled.
511 Default <emphasis>no</emphasis>.</para></listitem>
512 </varlistentry>
513
514 <varlistentry>
515 <term>case sensitive = yes/no</term>
516 <listitem><para>controls whether filenames are case sensitive. If
517 they aren't then Samba must do a filename search and match on passed
518 names. Default <emphasis>no</emphasis>.</para></listitem>
519 </varlistentry>
520
521 <varlistentry>
522 <term>default case = upper/lower</term>
523 <listitem><para>controls what the default case is for new
524 filenames. Default <emphasis>lower</emphasis>.</para></listitem>
525 </varlistentry>
526
527 <varlistentry>
528 <term>preserve case = yes/no</term>
529 <listitem><para>controls if new files are created with the
530 case that the client passes, or if they are forced to be the
531 "default" case. Default <emphasis>yes</emphasis>.
532 </para></listitem>
533 </varlistentry>
534
535 <varlistentry>
536 <term>short preserve case = yes/no</term>
537 <listitem><para>controls if new files which conform to 8.3 syntax,
538 that is all in upper case and of suitable length, are created
539 upper case, or if they are forced to be the "default"
540 case. This option can be use with "preserve case = yes"
541 to permit long filenames to retain their case, while short names
542 are lowercased. Default <emphasis>yes</emphasis>.</para></listitem>
543 </varlistentry>
544 </variablelist>
545
546 <para>By default, Samba 2.2 has the same semantics as a Windows
547 NT server, in that it is case insensitive but case preserving.</para>
548
549 </refsect1>
550
551 <refsect1>
552 <title id="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
553
554 <para>There are a number of ways in which a user can connect
555 to a service. The server uses the following steps in determining
556 if it will allow a connection to a specified service. If all the
557 steps fail, then the connection request is rejected. However, if one of the
558 steps succeeds, then the following steps are not checked.</para>
559
560 <para>If the service is marked "guest only = yes" and the
561 server is running with share-level security ("security = share")
562 then steps 1 to 5 are skipped.</para>
563
564
565 <orderedlist numeration="Arabic">
566 <listitem><para>If the client has passed a username/password
567 pair and that username/password pair is validated by the UNIX
568 system's password programs then the connection is made as that
569 username. Note that this includes the
570 \\server\service%<replaceable>username</replaceable> method of passing
571 a username.</para></listitem>
572
573 <listitem><para>If the client has previously registered a username
574 with the system and now supplies a correct password for that
575 username then the connection is allowed.</para></listitem>
576
577 <listitem><para>The client's NetBIOS name and any previously
578 used user names are checked against the supplied password, if
579 they match then the connection is allowed as the corresponding
580 user.</para></listitem>
581
582 <listitem><para>If the client has previously validated a
583 username/password pair with the server and the client has passed
584 the validation token then that username is used. </para></listitem>
585
586 <listitem><para>If a "user = " field is given in the
587 <filename>smb.conf</filename> file for the service and the client
588 has supplied a password, and that password matches (according to
589 the UNIX system's password checking) with one of the usernames
590 from the "user =" field then the connection is made as
591 the username in the "user =" line. If one
592 of the username in the "user =" list begins with a
593 '@' then that name expands to a list of names in
594 the group of the same name.</para></listitem>
595
596 <listitem><para>If the service is a guest service then a
597 connection is made as the username given in the "guest
598 account =" for the service, irrespective of the
599 supplied password.</para></listitem>
600 </orderedlist>
601
602 </refsect1>
603
604 <refsect1>
605 <title>COMPLETE LIST OF GLOBAL PARAMETERS</title>
606
607 <para>Here is a list of all global parameters. See the section of
608 each parameter for details. Note that some are synonyms.</para>
609
610 <itemizedlist>
611 <listitem><para><link linkend="ADDPRINTERCOMMAND"><parameter>add printer command</parameter></link></para></listitem>
612 <listitem><para><link linkend="ADDSHARECOMMAND"><parameter>add share command</parameter></link></para></listitem>
613 <listitem><para><link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link></para></listitem>
614 <listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem>
615 <listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem>
616 <listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem>
617 <listitem><para><link linkend="AUTOSERVICES"><parameter>auto services</parameter></link></para></listitem>
618 <listitem><para><link linkend="BINDINTERFACESONLY"><parameter>bind interfaces only</parameter></link></para></listitem>
619 <listitem><para><link linkend="BROWSELIST"><parameter>browse list</parameter></link></para></listitem>
620 <listitem><para><link linkend="CHANGENOTIFYTIMEOUT"><parameter>change notify timeout</parameter></link></para></listitem>
621 <listitem><para><link linkend="CHANGESHARECOMMAND"><parameter>change share command</parameter></link></para></listitem>
622 <listitem><para><link linkend="CHARACTERSET"><parameter>character set</parameter></link></para></listitem>
623 <listitem><para><link linkend="CLIENTCODEPAGE"><parameter>client code page</parameter></link></para></listitem>
624 <listitem><para><link linkend="CODEPAGEDIRECTORY"><parameter>code page directory</parameter></link></para></listitem>
625 <listitem><para><link linkend="CODINGSYSTEM"><parameter>coding system</parameter></link></para></listitem>
626 <listitem><para><link linkend="CONFIGFILE"><parameter>config file</parameter></link></para></listitem>
627 <listitem><para><link linkend="DEADTIME"><parameter>deadtime</parameter></link></para></listitem>
628 <listitem><para><link linkend="DEBUGHIRESTIMESTAMP"><parameter>debug hires timestamp</parameter></link></para></listitem>
629 <listitem><para><link linkend="DEBUGPID"><parameter>debug pid</parameter></link></para></listitem>
630 <listitem><para><link linkend="DEBUGTIMESTAMP"><parameter>debug timestamp</parameter></link></para></listitem>
631 <listitem><para><link linkend="DEBUGUID"><parameter>debug uid</parameter></link></para></listitem>
632 <listitem><para><link linkend="DEBUGLEVEL"><parameter>debuglevel</parameter></link></para></listitem>
633 <listitem><para><link linkend="DEFAULT"><parameter>default</parameter></link></para></listitem>
634 <listitem><para><link linkend="DEFAULTSERVICE"><parameter>default service</parameter></link></para></listitem>
635 <listitem><para><link linkend="DELETEPRINTERCOMMAND"><parameter>delete printer command</parameter></link></para></listitem>
636 <listitem><para><link linkend="DELETESHARECOMMAND"><parameter>delete share command</parameter></link></para></listitem>
637 <listitem><para><link linkend="DELETEUSERSCRIPT"><parameter>delete user script</parameter></link></para></listitem>
638 <listitem><para><link linkend="DFREECOMMAND"><parameter>dfree command</parameter></link></para></listitem>
639 <listitem><para><link linkend="DISABLESPOOLSS"><parameter>disable spoolss</parameter></link></para></listitem>
640 <listitem><para><link linkend="DNSPROXY"><parameter>dns proxy</parameter></link></para></listitem>
641 <listitem><para><link linkend="DOMAINADMINGROUP"><parameter>domain admin group</parameter></link></para></listitem>
642 <listitem><para><link linkend="DOMAINGUESTGROUP"><parameter>domain guest group</parameter></link></para></listitem>
643 <listitem><para><link linkend="DOMAINLOGONS"><parameter>domain logons</parameter></link></para></listitem>
644 <listitem><para><link linkend="DOMAINMASTER"><parameter>domain master</parameter></link></para></listitem>
645 <listitem><para><link linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter></link></para></listitem>
646 <listitem><para><link linkend="ENHANCEDBROWSING"><parameter>enhanced browsing</parameter></link></para></listitem>
647 <listitem><para><link linkend="ENUMPORTSCOMMAND"><parameter>enumports command</parameter></link></para></listitem>
648 <listitem><para><link linkend="GETWDCACHE"><parameter>getwd cache</parameter></link></para></listitem>
649 <listitem><para><link linkend="HIDELOCALUSERS"><parameter>hide local users</parameter></link></para></listitem>
650 <listitem><para><link linkend="HIDEUNREADABLE"><parameter>hide unreadable</parameter></link></para></listitem>
651 <listitem><para><link linkend="HOMEDIRMAP"><parameter>homedir map</parameter></link></para></listitem>
652 <listitem><para><link linkend="HOSTMSDFS"><parameter>host msdfs</parameter></link></para></listitem>
653 <listitem><para><link linkend="HOSTSEQUIV"><parameter>hosts equiv</parameter></link></para></listitem>
654 <listitem><para><link linkend="INTERFACES"><parameter>interfaces</parameter></link></para></listitem>
655 <listitem><para><link linkend="KEEPALIVE"><parameter>keepalive</parameter></link></para></listitem>
656 <listitem><para><link linkend="KERNELOPLOCKS"><parameter>kernel oplocks</parameter></link></para></listitem>
657 <listitem><para><link linkend="LANMANAUTH"><parameter>lanman auth</parameter></link></para></listitem>
658 <listitem><para><link linkend="LARGEREADWRITE"><parameter>large readwrite</parameter></link></para></listitem>
659
660 <listitem><para><link linkend="LDAPADMINDN"><parameter>ldap admin dn</parameter></link></para></listitem>
661 <listitem><para><link linkend="LDAPFILTER"><parameter>ldap filter</parameter></link></para></listitem>
662 <listitem><para><link linkend="LDAPPORT"><parameter>ldap port</parameter></link></para></listitem>
663 <listitem><para><link linkend="LDAPSERVER"><parameter>ldap server</parameter></link></para></listitem>
664 <listitem><para><link linkend="LDAPSSL"><parameter>ldap ssl</parameter></link></para></listitem>
665 <listitem><para><link linkend="LDAPSUFFIX"><parameter>ldap suffix</parameter></link></para></listitem>
666
667 <listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem>
668 <listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem>
669 <listitem><para><link linkend="LOADPRINTERS"><parameter>load printers</parameter></link></para></listitem>
670 <listitem><para><link linkend="LOCALMASTER"><parameter>local master</parameter></link></para></listitem>
671 <listitem><para><link linkend="LOCKDIR"><parameter>lock dir</parameter></link></para></listitem>
672 <listitem><para><link linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link></para></listitem>
673 <listitem><para><link linkend="LOCKSPINCOUNT"><parameter>lock spin count</parameter></link></para></listitem>
674 <listitem><para><link linkend="LOCKSPINTIME"><parameter>lock spin time</parameter></link></para></listitem>
675 <listitem><para><link linkend="PIDDIRECTORY"><parameter>pid directory</parameter></link></para></listitem>
676 <listitem><para><link linkend="LOGFILE"><parameter>log file</parameter></link></para></listitem>
677 <listitem><para><link linkend="LOGLEVEL"><parameter>log level</parameter></link></para></listitem>
678 <listitem><para><link linkend="LOGONDRIVE"><parameter>logon drive</parameter></link></para></listitem>
679 <listitem><para><link linkend="LOGONHOME"><parameter>logon home</parameter></link></para></listitem>
680 <listitem><para><link linkend="LOGONPATH"><parameter>logon path</parameter></link></para></listitem>
681 <listitem><para><link linkend="LOGONSCRIPT"><parameter>logon script</parameter></link></para></listitem>
682 <listitem><para><link linkend="LPQCACHETIME"><parameter>lpq cache time</parameter></link></para></listitem>
683 <listitem><para><link linkend="MACHINEPASSWORDTIMEOUT"><parameter>machine password timeout</parameter></link></para></listitem>
684 <listitem><para><link linkend="MANGLEDSTACK"><parameter>mangled stack</parameter></link></para></listitem>
685 <listitem><para><link linkend="MANGLINGMETHOD"><parameter>mangling method</parameter></link></para></listitem>
686 <listitem><para><link linkend="MAPTOGUEST"><parameter>map to guest</parameter></link></para></listitem>
687 <listitem><para><link linkend="MAXDISKSIZE"><parameter>max disk size</parameter></link></para></listitem>
688 <listitem><para><link linkend="MAXLOGSIZE"><parameter>max log size</parameter></link></para></listitem>
689 <listitem><para><link linkend="MAXMUX"><parameter>max mux</parameter></link></para></listitem>
690 <listitem><para><link linkend="MAXOPENFILES"><parameter>max open files</parameter></link></para></listitem>
691 <listitem><para><link linkend="MAXPROTOCOL"><parameter>max protocol</parameter></link></para></listitem>
692 <listitem><para><link linkend="MAXSMBDPROCESSES"><parameter>max smbd processes</parameter></link></para></listitem>
693 <listitem><para><link linkend="MAXTTL"><parameter>max ttl</parameter></link></para></listitem>
694 <listitem><para><link linkend="MAXWINSTTL"><parameter>max wins ttl</parameter></link></para></listitem>
695 <listitem><para><link linkend="MAXXMIT"><parameter>max xmit</parameter></link></para></listitem>
696 <listitem><para><link linkend="MESSAGECOMMAND"><parameter>message command</parameter></link></para></listitem>
697 <listitem><para><link linkend="MINPASSWDLENGTH"><parameter>min passwd length</parameter></link></para></listitem>
698 <listitem><para><link linkend="MINPASSWORDLENGTH"><parameter>min password length</parameter></link></para></listitem>
699 <listitem><para><link linkend="MINPROTOCOL"><parameter>min protocol</parameter></link></para></listitem>
700 <listitem><para><link linkend="MINWINSTTL"><parameter>min wins ttl</parameter></link></para></listitem>
701 <listitem><para><link linkend="NAMERESOLVEORDER"><parameter>name resolve order</parameter></link></para></listitem>
702 <listitem><para><link linkend="NETBIOSALIASES"><parameter>netbios aliases</parameter></link></para></listitem>
703 <listitem><para><link linkend="NETBIOSNAME"><parameter>netbios name</parameter></link></para></listitem>
704 <listitem><para><link linkend="NETBIOSSCOPE"><parameter>netbios scope</parameter></link></para></listitem>
705 <listitem><para><link linkend="NISHOMEDIR"><parameter>nis homedir</parameter></link></para></listitem>
706 <listitem><para><link linkend="NTPIPESUPPORT"><parameter>nt pipe support</parameter></link></para></listitem>
707 <listitem><para><link linkend="NTSMBSUPPORT"><parameter>nt smb support</parameter></link></para></listitem>
708 <listitem><para><link linkend="NTSTATUSSUPPORT"><parameter>nt status support</parameter></link></para></listitem>
709 <listitem><para><link linkend="NULLPASSWORDS"><parameter>null passwords</parameter></link></para></listitem>
710 <listitem><para><link linkend="OBEYPAMRESTRICTIONS"><parameter>obey pam restrictions</parameter></link></para></listitem>
711 <listitem><para><link linkend="OPLOCKBREAKWAITTIME"><parameter>oplock break wait time</parameter></link></para></listitem>
712 <listitem><para><link linkend="OSLEVEL"><parameter>os level</parameter></link></para></listitem>
713 <listitem><para><link linkend="OS2DRIVERMAP"><parameter>os2 driver map</parameter></link></para></listitem>
714 <listitem><para><link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link></para></listitem>
715 <listitem><para><link linkend="PANICACTION"><parameter>panic action</parameter></link></para></listitem>
716 <listitem><para><link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link></para></listitem>
717 <listitem><para><link linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter></link></para></listitem>
718 <listitem><para><link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link></para></listitem>
719 <listitem><para><link linkend="PASSWORDLEVEL"><parameter>password level</parameter></link></para></listitem>
720 <listitem><para><link linkend="PASSWORDSERVER"><parameter>password server</parameter></link></para></listitem>
721 <listitem><para><link linkend="PREFEREDMASTER"><parameter>prefered master</parameter></link></para></listitem>
722 <listitem><para><link linkend="PREFERREDMASTER"><parameter>preferred master</parameter></link></para></listitem>
723 <listitem><para><link linkend="PRELOAD"><parameter>preload</parameter></link></para></listitem>
724 <listitem><para><link linkend="PRINTCAP"><parameter>printcap</parameter></link></para></listitem>
725 <listitem><para><link linkend="PRINTCAPNAME"><parameter>printcap name</parameter></link></para></listitem>
726 <listitem><para><link linkend="PRINTERDRIVERFILE"><parameter>printer driver file</parameter></link></para></listitem>
727 <listitem><para><link linkend="PROTOCOL"><parameter>protocol</parameter></link></para></listitem>
728 <listitem><para><link linkend="READBMPX"><parameter>read bmpx</parameter></link></para></listitem>
729 <listitem><para><link linkend="READRAW"><parameter>read raw</parameter></link></para></listitem>
730 <listitem><para><link linkend="READSIZE"><parameter>read size</parameter></link></para></listitem>
731 <listitem><para><link linkend="REMOTEANNOUNCE"><parameter>remote announce</parameter></link></para></listitem>
732 <listitem><para><link linkend="REMOTEBROWSESYNC"><parameter>remote browse sync</parameter></link></para></listitem>
733 <listitem><para><link linkend="RESTRICTANONYMOUS"><parameter>restrict anonymous</parameter></link></para></listitem>
734 <listitem><para><link linkend="ROOT"><parameter>root</parameter></link></para></listitem>
735 <listitem><para><link linkend="ROOTDIR"><parameter>root dir</parameter></link></para></listitem>
736 <listitem><para><link linkend="ROOTDIRECTORY"><parameter>root directory</parameter></link></para></listitem>
737 <listitem><para><link linkend="SECURITY"><parameter>security</parameter></link></para></listitem>
738 <listitem><para><link linkend="SERVERSTRING"><parameter>server string</parameter></link></para></listitem>
739 <listitem><para><link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para></listitem>
740 <listitem><para><link linkend="SMBPASSWDFILE"><parameter>smb passwd file</parameter></link></para></listitem>
741 <listitem><para><link linkend="SOCKETADDRESS"><parameter>socket address</parameter></link></para></listitem>
742 <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem>
743 <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem>
744
745 <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem>
746 <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem>
747 <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem>
748 <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem>
749 <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem>
750 <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem>
751 <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem>
752 <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem>
753 <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem>
754 <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem>
755 <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem>
756 <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem>
757 <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem>
758 <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem>
759 <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem>
760 <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem>
761 <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem>
762
763 <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem>
764 <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem>
765 <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem>
766 <listitem><para><link linkend="SYSLOG"><parameter>syslog</parameter></link></para></listitem>
767 <listitem><para><link linkend="SYSLOGONLY"><parameter>syslog only</parameter></link></para></listitem>
768 <listitem><para><link linkend="TEMPLATEHOMEDIR"><parameter>template homedir</parameter></link></para></listitem>
769 <listitem><para><link linkend="TEMPLATESHELL"><parameter>template shell</parameter></link></para></listitem>
770 <listitem><para><link linkend="TIMEOFFSET"><parameter>time offset</parameter></link></para></listitem>
771 <listitem><para><link linkend="TIMESERVER"><parameter>time server</parameter></link></para></listitem>
772 <listitem><para><link linkend="TIMESTAMPLOGS"><parameter>timestamp logs</parameter></link></para></listitem>
773 <listitem><para><link linkend="TOTALPRINTJOBS"><parameter>total print jobs</parameter></link></para></listitem>
774 <listitem><para><link linkend="UNIXEXTENSIONS"><parameter>unix extensions</parameter></link></para></listitem>
775 <listitem><para><link linkend="UNIXPASSWORDSYNC"><parameter>unix password sync</parameter></link></para></listitem>
776 <listitem><para><link linkend="UPDATEENCRYPTED"><parameter>update encrypted</parameter></link></para></listitem>
777 <listitem><para><link linkend="USEMMAP"><parameter>use mmap</parameter></link></para></listitem>
778 <listitem><para><link linkend="USERHOSTS"><parameter>use rhosts</parameter></link></para></listitem>
779 <listitem><para><link linkend="USERNAMELEVEL"><parameter>username level</parameter></link></para></listitem>
780 <listitem><para><link linkend="USERNAMEMAP"><parameter>username map</parameter></link></para></listitem>
781 <listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem>
782 <listitem><para><link linkend="UTMPDIRECTORY"><parameter>utmp directory</parameter></link></para></listitem>
783 <listitem><para><link linkend="VALIDCHARS"><parameter>valid chars</parameter></link></para></listitem>
784 <listitem><para><link linkend="WINBINDCACHETIME"><parameter>winbind cache time</parameter></link></para></listitem>
785 <listitem><para><link linkend="WINBINDENUMUSERS"><parameter>winbind enum users</parameter></link></para></listitem>
786 <listitem><para><link linkend="WINBINDENUMGROUPS"><parameter>winbind enum groups</parameter></link></para></listitem>
787 <listitem><para><link linkend="WINBINDGID"><parameter>winbind gid</parameter></link></para></listitem>
788 <listitem><para><link linkend="WINBINDSEPARATOR"><parameter>winbind separator</parameter></link></para></listitem>
789 <listitem><para><link linkend="WINBINDUID"><parameter>winbind uid</parameter></link></para></listitem>
790 <listitem><para><link linkend="WINBINDUSEDEFAULTDOMAIN"><parameter>winbind use default domain</parameter></link></para></listitem>
791 <listitem><para><link linkend="WINSHOOK"><parameter>wins hook</parameter></link></para></listitem>
792 <listitem><para><link linkend="WINSPROXY"><parameter>wins proxy</parameter></link></para></listitem>
793 <listitem><para><link linkend="WINSSERVER"><parameter>wins server</parameter></link></para></listitem>
794 <listitem><para><link linkend="WINSSUPPORT"><parameter>wins support</parameter></link></para></listitem>
795 <listitem><para><link linkend="WORKGROUP"><parameter>workgroup</parameter></link></para></listitem>
796 <listitem><para><link linkend="WRITERAW"><parameter>write raw</parameter></link></para></listitem>
797 </itemizedlist>
798
799 </refsect1>
800
801 <refsect1>
802 <title>COMPLETE LIST OF SERVICE PARAMETERS</title>
803
804 <para>Here is a list of all service parameters. See the section on
805 each parameter for details. Note that some are synonyms.</para>
806
807 <itemizedlist>
808 <listitem><para><link linkend="ADMINUSERS"><parameter>admin users</parameter></link></para></listitem>
809 <listitem><para><link linkend="ALLOWHOSTS"><parameter>allow hosts</parameter></link></para></listitem>
810 <listitem><para><link linkend="AVAILABLE"><parameter>available</parameter></link></para></listitem>
811 <listitem><para><link linkend="BLOCKINGLOCKS"><parameter>blocking locks</parameter></link></para></listitem>
812 <listitem><para><link linkend="BLOCKSIZE"><parameter>block size</parameter></link></para></listitem>
813 <listitem><para><link linkend="BROWSABLE"><parameter>browsable</parameter></link></para></listitem>
814 <listitem><para><link linkend="BROWSEABLE"><parameter>browseable</parameter></link></para></listitem>
815 <listitem><para><link linkend="CASESENSITIVE"><parameter>case sensitive</parameter></link></para></listitem>
816 <listitem><para><link linkend="CASESIGNAMES"><parameter>casesignames</parameter></link></para></listitem>
817 <listitem><para><link linkend="COMMENT"><parameter>comment</parameter></link></para></listitem>
818 <listitem><para><link linkend="COPY"><parameter>copy</parameter></link></para></listitem>
819 <listitem><para><link linkend="CREATEMASK"><parameter>create mask</parameter></link></para></listitem>
820 <listitem><para><link linkend="CREATEMODE"><parameter>create mode</parameter></link></para></listitem>
821 <listitem><para><link linkend="CSCPOLICY"><parameter>csc policy</parameter></link></para></listitem>
822
823 <listitem><para><link linkend="DEFAULTCASE"><parameter>default case</parameter></link></para></listitem>
824 <listitem><para><link linkend="DEFAULTDEVMODE"><parameter>default devmode</parameter></link></para></listitem>
825 <listitem><para><link linkend="DELETEREADONLY"><parameter>delete readonly</parameter></link></para></listitem>
826 <listitem><para><link linkend="DELETEVETOFILES"><parameter>delete veto files</parameter></link></para></listitem>
827 <listitem><para><link linkend="DENYHOSTS"><parameter>deny hosts</parameter></link></para></listitem>
828 <listitem><para><link linkend="DIRECTORY"><parameter>directory</parameter></link></para></listitem>
829 <listitem><para><link linkend="DIRECTORYMASK"><parameter>directory mask</parameter></link></para></listitem>
830 <listitem><para><link linkend="DIRECTORYMODE"><parameter>directory mode</parameter></link></para></listitem>
831 <listitem><para><link linkend="DIRECTORYSECURITYMASK"><parameter>directory security mask</parameter></link></para></listitem>
832 <listitem><para><link linkend="DONTDESCEND"><parameter>dont descend</parameter></link></para></listitem>
833 <listitem><para><link linkend="DOSFILEMODE"><parameter>dos filemode</parameter></link></para></listitem>
834 <listitem><para><link linkend="DOSFILETIMERESOLUTION"><parameter>dos filetime resolution</parameter></link></para></listitem>
835 <listitem><para><link linkend="DOSFILETIMES"><parameter>dos filetimes</parameter></link></para></listitem>
836 <listitem><para><link linkend="EXEC"><parameter>exec</parameter></link></para></listitem>
837 <listitem><para><link linkend="FAKEDIRECTORYCREATETIMES"><parameter>fake directory create times</parameter></link></para></listitem>
838 <listitem><para><link linkend="FAKEOPLOCKS"><parameter>fake oplocks</parameter></link></para></listitem>
839 <listitem><para><link linkend="FOLLOWSYMLINKS"><parameter>follow symlinks</parameter></link></para></listitem>
840 <listitem><para><link linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link></para></listitem>
841 <listitem><para><link linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter></link></para></listitem>
842 <listitem><para><link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>force directory security mode</parameter></link></para></listitem>
843 <listitem><para><link linkend="FORCEGROUP"><parameter>force group</parameter></link></para></listitem>
844 <listitem><para><link linkend="FORCESECURITYMODE"><parameter>force security mode</parameter></link></para></listitem>
845 <listitem><para><link linkend="FORCEUNKNOWNACLUSER"><parameter>force unknown acl user</parameter></link></para></listitem>
846 <listitem><para><link linkend="FORCEUSER"><parameter>force user</parameter></link></para></listitem>
847 <listitem><para><link linkend="FSTYPE"><parameter>fstype</parameter></link></para></listitem>
848 <listitem><para><link linkend="GROUP"><parameter>group</parameter></link></para></listitem>
849 <listitem><para><link linkend="GUESTACCOUNT"><parameter>guest account</parameter></link></para></listitem>
850 <listitem><para><link linkend="GUESTOK"><parameter>guest ok</parameter></link></para></listitem>
851 <listitem><para><link linkend="GUESTONLY"><parameter>guest only</parameter></link></para></listitem>
852 <listitem><para><link linkend="HIDEDOTFILES"><parameter>hide dot files</parameter></link></para></listitem>
853 <listitem><para><link linkend="HIDEFILES"><parameter>hide files</parameter></link></para></listitem>
854 <listitem><para><link linkend="HOSTSALLOW"><parameter>hosts allow</parameter></link></para></listitem>
855 <listitem><para><link linkend="HOSTSDENY"><parameter>hosts deny</parameter></link></para></listitem>
856 <listitem><para><link linkend="INCLUDE"><parameter>include</parameter></link></para></listitem>
857 <listitem><para><link linkend="INHERITACLS"><parameter>inherit acls</parameter></link></para></listitem>
858 <listitem><para><link linkend="INHERITPERMISSIONS"><parameter>inherit permissions</parameter></link></para></listitem>
859 <listitem><para><link linkend="INVALIDUSERS"><parameter>invalid users</parameter></link></para></listitem>
860 <listitem><para><link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks</parameter></link></para></listitem>
861 <listitem><para><link linkend="LOCKING"><parameter>locking</parameter></link></para></listitem>
862 <listitem><para><link linkend="LPPAUSECOMMAND"><parameter>lppause command</parameter></link></para></listitem>
863 <listitem><para><link linkend="LPQCOMMAND"><parameter>lpq command</parameter></link></para></listitem>
864 <listitem><para><link linkend="LPRESUMECOMMAND"><parameter>lpresume command</parameter></link></para></listitem>
865 <listitem><para><link linkend="LPRMCOMMAND"><parameter>lprm command</parameter></link></para></listitem>
866 <listitem><para><link linkend="MAGICOUTPUT"><parameter>magic output</parameter></link></para></listitem>
867 <listitem><para><link linkend="MAGICSCRIPT"><parameter>magic script</parameter></link></para></listitem>
868 <listitem><para><link linkend="MANGLECASE"><parameter>mangle case</parameter></link></para></listitem>
869 <listitem><para><link linkend="MANGLEDMAP"><parameter>mangled map</parameter></link></para></listitem>
870 <listitem><para><link linkend="MANGLEDNAMES"><parameter>mangled names</parameter></link></para></listitem>
871 <listitem><para><link linkend="MANGLINGCHAR"><parameter>mangling char</parameter></link></para></listitem>
872 <listitem><para><link linkend="MAPARCHIVE"><parameter>map archive</parameter></link></para></listitem>
873 <listitem><para><link linkend="MAPHIDDEN"><parameter>map hidden</parameter></link></para></listitem>
874 <listitem><para><link linkend="MAPSYSTEM"><parameter>map system</parameter></link></para></listitem>
875 <listitem><para><link linkend="MAXCONNECTIONS"><parameter>max connections</parameter></link></para></listitem>
876 <listitem><para><link linkend="MAXPRINTJOBS"><parameter>max print jobs</parameter></link></para></listitem>
877 <listitem><para><link linkend="MINPRINTSPACE"><parameter>min print space</parameter></link></para></listitem>
878 <listitem><para><link linkend="MSDFSROOT"><parameter>msdfs root</parameter></link></para></listitem>
879 <listitem><para><link linkend="NTACLSUPPORT"><parameter>nt acl support</parameter></link></para></listitem>
880 <listitem><para><link linkend="ONLYGUEST"><parameter>only guest</parameter></link></para></listitem>
881 <listitem><para><link linkend="ONLYUSER"><parameter>only user</parameter></link></para></listitem>
882 <listitem><para><link linkend="OPLOCKCONTENTIONLIMIT"><parameter>oplock contention limit</parameter></link></para></listitem>
883 <listitem><para><link linkend="OPLOCKS"><parameter>oplocks</parameter></link></para></listitem>
884 <listitem><para><link linkend="PATH"><parameter>path</parameter></link></para></listitem>
885 <listitem><para><link linkend="POSIXLOCKING"><parameter>posix locking</parameter></link></para></listitem>
886 <listitem><para><link linkend="POSTEXEC"><parameter>postexec</parameter></link></para></listitem>
887 <listitem><para><link linkend="POSTSCRIPT"><parameter>postscript</parameter></link></para></listitem>
888 <listitem><para><link linkend="PREEXEC"><parameter>preexec</parameter></link></para></listitem>
889 <listitem><para><link linkend="PREEXECCLOSE"><parameter>preexec close</parameter></link></para></listitem>
890 <listitem><para><link linkend="PRESERVECASE"><parameter>preserve case</parameter></link></para></listitem>
891 <listitem><para><link linkend="PRINTCOMMAND"><parameter>print command</parameter></link></para></listitem>
892 <listitem><para><link linkend="PRINTOK"><parameter>print ok</parameter></link></para></listitem>
893 <listitem><para><link linkend="PRINTABLE"><parameter>printable</parameter></link></para></listitem>
894 <listitem><para><link linkend="PRINTER"><parameter>printer</parameter></link></para></listitem>
895 <listitem><para><link linkend="PRINTERADMIN"><parameter>printer admin</parameter></link></para></listitem>
896 <listitem><para><link linkend="PRINTERDRIVER"><parameter>printer driver</parameter></link></para></listitem>
897 <listitem><para><link linkend="PRINTERDRIVERLOCATION"><parameter>printer driver location</parameter></link></para></listitem>
898 <listitem><para><link linkend="PRINTERNAME"><parameter>printer name</parameter></link></para></listitem>
899 <listitem><para><link linkend="PRINTING"><parameter>printing</parameter></link></para></listitem>
900 <listitem><para><link linkend="PUBLIC"><parameter>public</parameter></link></para></listitem>
901 <listitem><para><link linkend="QUEUEPAUSECOMMAND"><parameter>queuepause command</parameter></link></para></listitem>
902 <listitem><para><link linkend="QUEUERESUMECOMMAND"><parameter>queueresume command</parameter></link></para></listitem>
903 <listitem><para><link linkend="READLIST"><parameter>read list</parameter></link></para></listitem>
904 <listitem><para><link linkend="READONLY"><parameter>read only</parameter></link></para></listitem>
905 <listitem><para><link linkend="ROOTPOSTEXEC"><parameter>root postexec</parameter></link></para></listitem>
906 <listitem><para><link linkend="ROOTPREEXEC"><parameter>root preexec</parameter></link></para></listitem>
907 <listitem><para><link linkend="ROOTPREEXECCLOSE"><parameter>root preexec close</parameter></link></para></listitem>
908 <listitem><para><link linkend="SECURITYMASK"><parameter>security mask</parameter></link></para></listitem>
909 <listitem><para><link linkend="SETDIRECTORY"><parameter>set directory</parameter></link></para></listitem>
910 <listitem><para><link linkend="SHAREMODES"><parameter>share modes</parameter></link></para></listitem>
911 <listitem><para><link linkend="SHORTPRESERVECASE"><parameter>short preserve case</parameter></link></para></listitem>
912 <listitem><para><link linkend="STATUS"><parameter>status</parameter></link></para></listitem>
913 <listitem><para><link linkend="STRICTALLOCATE"><parameter>strict allocate</parameter></link></para></listitem>
914 <listitem><para><link linkend="STRICTLOCKING"><parameter>strict locking</parameter></link></para></listitem>
915 <listitem><para><link linkend="STRICTSYNC"><parameter>strict sync</parameter></link></para></listitem>
916 <listitem><para><link linkend="SYNCALWAYS"><parameter>sync always</parameter></link></para></listitem>
917 <listitem><para><link linkend="USECLIENTDRIVER"><parameter>use client driver</parameter></link></para></listitem>
918 <listitem><para><link linkend="USER"><parameter>user</parameter></link></para></listitem>
919 <listitem><para><link linkend="USERNAME"><parameter>username</parameter></link></para></listitem>
920 <listitem><para><link linkend="USERS"><parameter>users</parameter></link></para></listitem>
921 <listitem><para><link linkend="VALIDUSERS"><parameter>valid users</parameter></link></para></listitem>
922 <listitem><para><link linkend="VETOFILES"><parameter>veto files</parameter></link></para></listitem>
923 <listitem><para><link linkend="VETOOPLOCKFILES"><parameter>veto oplock files</parameter></link></para></listitem>
924 <listitem><para><link linkend="VFSOBJECT"><parameter>vfs object</parameter></link></para></listitem>
925 <listitem><para><link linkend="VFSOPTIONS"><parameter>vfs options</parameter></link></para></listitem>
926 <listitem><para><link linkend="VOLUME"><parameter>volume</parameter></link></para></listitem>
927 <listitem><para><link linkend="WIDELINKS"><parameter>wide links</parameter></link></para></listitem>
928 <listitem><para><link linkend="WRITABLE"><parameter>writable</parameter></link></para></listitem>
929 <listitem><para><link linkend="WRITECACHESIZE"><parameter>write cache size</parameter></link></para></listitem>
930 <listitem><para><link linkend="WRITELIST"><parameter>write list</parameter></link></para></listitem>
931 <listitem><para><link linkend="WRITEOK"><parameter>write ok</parameter></link></para></listitem>
932 <listitem><para><link linkend="WRITEABLE"><parameter>writeable</parameter></link></para></listitem>
933 </itemizedlist>
934
935 </refsect1>
936
937 <refsect1>
938 <title>EXPLANATION OF EACH PARAMETER</title>
939
940 <variablelist>
941
942
943 <varlistentry>
944 <term><anchor id="ADDPRINTERCOMMAND">add printer command (G)</term>
945 <listitem><para>With the introduction of MS-RPC based printing
946 support for Windows NT/2000 clients in Samba 2.2, The MS Add
947 Printer Wizard (APW) icon is now also available in the
948 "Printers..." folder displayed a share listing. The APW
949 allows for printers to be add remotely to a Samba or Windows
950 NT/2000 print server.</para>
951
952 <para>For a Samba host this means that the printer must be
953 physically added to the underlying printing system. The <parameter>add
954 printer command</parameter> defines a script to be run which
955 will perform the necessary operations for adding the printer
956 to the print system and to add the appropriate service definition
957 to the <filename>smb.conf</filename> file in order that it can be
958 shared by <ulink url="smbd.8.html"><command>smbd(8)</command>
959 </ulink>.</para>
960
961 <para>The <parameter>add printer command</parameter> is
962 automatically invoked with the following parameter (in
963 order:</para>
964
965 <itemizedlist>
966 <listitem><para><parameter>printer name</parameter></para></listitem>
967 <listitem><para><parameter>share name</parameter></para></listitem>
968 <listitem><para><parameter>port name</parameter></para></listitem>
969 <listitem><para><parameter>driver name</parameter></para></listitem>
970 <listitem><para><parameter>location</parameter></para></listitem>
971 <listitem><para><parameter>Windows 9x driver location</parameter>
972 </para></listitem>
973 </itemizedlist>
974
975 <para>All parameters are filled in from the PRINTER_INFO_2 structure sent
976 by the Windows NT/2000 client with one exception. The "Windows 9x
977 driver location" parameter is included for backwards compatibility
978 only. The remaining fields in the structure are generated from answers
979 to the APW questions.</para>
980
981 <para>Once the <parameter>add printer command</parameter> has
982 been executed, <command>smbd</command> will reparse the <filename>
983 smb.conf</filename> to determine if the share defined by the APW
984 exists. If the sharename is still invalid, then <command>smbd
985 </command> will return an ACCESS_DENIED error to the client.</para>
986
987 <para>See also <link linkend="DELETEPRINTERCOMMAND"><parameter>
988 delete printer command</parameter></link>, <link
989 linkend="printing"><parameter>printing</parameter></link>,
990 <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add
991 printer wizard</parameter></link></para>
992
993 <para>Default: <emphasis>none</emphasis></para>
994 <para>Example: <command>addprinter command = /usr/bin/addprinter
995 </command></para>
996 </listitem>
997 </varlistentry>
998
999
1000
1001 <varlistentry>
1002 <term><anchor id="ADDSHARECOMMAND">add share command (G)</term>
1003 <listitem><para>Samba 2.2.0 introduced the ability to dynamically
1004 add and delete shares via the Windows NT 4.0 Server Manager. The
1005 <parameter>add share command</parameter> is used to define an
1006 external program or script which will add a new service definition
1007 to <filename>smb.conf</filename>. In order to successfully
1008 execute the <parameter>add share command</parameter>, <command>smbd</command>
1009 requires that the administrator be connected using a root account (i.e.
1010 uid == 0).
1011 </para>
1012
1013 <para>
1014 When executed, <command>smbd</command> will automatically invoke the
1015 <parameter>add share command</parameter> with four parameters.
1016 </para>
1017
1018 <itemizedlist>
1019 <listitem><para><parameter>configFile</parameter> - the location
1020 of the global <filename>smb.conf</filename> file.
1021 </para></listitem>
1022
1023 <listitem><para><parameter>shareName</parameter> - the name of the new
1024 share.
1025 </para></listitem>
1026
1027 <listitem><para><parameter>pathName</parameter> - path to an **existing**
1028 directory on disk.
1029 </para></listitem>
1030
1031 <listitem><para><parameter>comment</parameter> - comment string to associate
1032 with the new share.
1033 </para></listitem>
1034 </itemizedlist>
1035
1036 <para>
1037 This parameter is only used for add file shares. To add printer shares,
1038 see the <link linkend="ADDPRINTERCOMMAND"><parameter>add printer
1039 command</parameter></link>.
1040 </para>
1041
1042 <para>
1043 See also <link linkend="CHANGESHARECOMMAND"><parameter>change share
1044 command</parameter></link>, <link linkend="DELETESHARECOMMAND"><parameter>delete share
1045 command</parameter></link>.
1046 </para>
1047
1048 <para>Default: <emphasis>none</emphasis></para>
1049 <para>Example: <command>add share command = /usr/local/bin/addshare</command></para>
1050 </listitem>
1051 </varlistentry>
1052
1053
1054
1055
1056
1057 <varlistentry>
1058 <term><anchor id="ADDUSERSCRIPT">add user script (G)</term>
1059 <listitem><para>This is the full pathname to a script that will
1060 be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">smbd(8)
1061 </ulink> under special circumstances described below.</para>
1062
1063 <para>Normally, a Samba server requires that UNIX users are
1064 created for all users accessing files on this server. For sites
1065 that use Windows NT account databases as their primary user database
1066 creating these users and keeping the user list in sync with the
1067 Windows NT PDC is an onerous task. This option allows <ulink
1068 url="smbd.8.html">smbd</ulink> to create the required UNIX users
1069 <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para>
1070
1071 <para>In order to use this option, <ulink url="smbd.8.html">smbd</ulink>
1072 must <emphasis>NOT</emphasis> be set to <parameter>security = share</parameter>
1073 and <parameter>add user script</parameter>
1074 must be set to a full pathname for a script that will create a UNIX
1075 user given one argument of <parameter>%u</parameter>, which expands into
1076 the UNIX user name to create.</para>
1077
1078 <para>When the Windows user attempts to access the Samba server,
1079 at login (session setup in the SMB protocol) time, <ulink url="smbd.8.html">
1080 smbd</ulink> contacts the <parameter>password server</parameter> and
1081 attempts to authenticate the given user with the given password. If the
1082 authentication succeeds then <command>smbd</command>
1083 attempts to find a UNIX user in the UNIX password database to map the
1084 Windows user into. If this lookup fails, and <parameter>add user script
1085 </parameter> is set then <command>smbd</command> will
1086 call the specified script <emphasis>AS ROOT</emphasis>, expanding
1087 any <parameter>%u</parameter> argument to be the user name to create.</para>
1088
1089 <para>If this script successfully creates the user then <command>smbd
1090 </command> will continue on as though the UNIX user
1091 already existed. In this way, UNIX users are dynamically created to
1092 match existing Windows NT accounts.</para>
1093
1094 <para>See also <link linkend="SECURITY"><parameter>
1095 security</parameter></link>, <link linkend="PASSWORDSERVER">
1096 <parameter>password server</parameter></link>,
1097 <link linkend="DELETEUSERSCRIPT"><parameter>delete user
1098 script</parameter></link>.</para>
1099
1100 <para>Default: <command>add user script = &lt;empty string&gt;
1101 </command></para>
1102
1103 <para>Example: <command>add user script = /usr/local/samba/bin/add_user
1104 %u</command></para>
1105 </listitem>
1106 </varlistentry>
1107
1108
1109
1110
1111 <varlistentry>
1112 <term><anchor id="ADMINUSERS">admin users (S)</term>
1113 <listitem><para>This is a list of users who will be granted
1114 administrative privileges on the share. This means that they
1115 will do all file operations as the super-user (root).</para>
1116
1117 <para>You should use this option very carefully, as any user in
1118 this list will be able to do anything they like on the share,
1119 irrespective of file permissions.</para>
1120
1121 <para>Default: <emphasis>no admin users</emphasis></para>
1122
1123 <para>Example: <command>admin users = jason</command></para>
1124 </listitem>
1125 </varlistentry>
1126
1127
1128
1129 <varlistentry>
1130 <term><anchor id="ALLOWHOSTS">allow hosts (S)</term>
1131 <listitem><para>Synonym for <link linkend="HOSTSALLOW">
1132 <parameter>hosts allow</parameter></link>.</para></listitem>
1133 </varlistentry>
1134
1135
1136
1137 <varlistentry>
1138 <term><anchor id="ALLOWTRUSTEDDOMAINS">allow trusted domains (G)</term>
1139 <listitem><para>This option only takes effect when the <link
1140 linkend="SECURITY"><parameter>security</parameter></link> option is set to
1141 <constant>server</constant> or <constant>domain</constant>.
1142 If it is set to no, then attempts to connect to a resource from
1143 a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running
1144 in will fail, even if that domain is trusted by the remote server
1145 doing the authentication.</para>
1146
1147 <para>This is useful if you only want your Samba server to
1148 serve resources to users in the domain it is a member of. As
1149 an example, suppose that there are two domains DOMA and DOMB. DOMB
1150 is trusted by DOMA, which contains the Samba server. Under normal
1151 circumstances, a user with an account in DOMB can then access the
1152 resources of a UNIX account with the same account name on the
1153 Samba server even if they do not have an account in DOMA. This
1154 can make implementing a security boundary difficult.</para>
1155
1156 <para>Default: <command>allow trusted domains = yes</command></para>
1157
1158 </listitem>
1159 </varlistentry>
1160
1161
1162
1163 <varlistentry>
1164 <term><anchor id="ANNOUNCEAS">announce as (G)</term>
1165 <listitem><para>This specifies what type of server
1166 <ulink url="nmbd.8.html"><command>nmbd</command></ulink>
1167 will announce itself as, to a network neighborhood browse
1168 list. By default this is set to Windows NT. The valid options
1169 are : "NT Server" (which can also be written as "NT"),
1170 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
1171 Windows NT Workstation, Windows 95 and Windows for Workgroups
1172 respectively. Do not change this parameter unless you have a
1173 specific need to stop Samba appearing as an NT server as this
1174 may prevent Samba servers from participating as browser servers
1175 correctly.</para>
1176
1177 <para>Default: <command>announce as = NT Server</command></para>
1178
1179 <para>Example: <command>announce as = Win95</command></para>
1180 </listitem>
1181 </varlistentry>
1182
1183
1184
1185 <varlistentry>
1186 <term><anchor id="ANNOUNCEVERSION">announce version (G)</term>
1187 <listitem><para>This specifies the major and minor version numbers
1188 that nmbd will use when announcing itself as a server. The default
1189 is 4.5. Do not change this parameter unless you have a specific
1190 need to set a Samba server to be a downlevel server.</para>
1191
1192 <para>Default: <command>announce version = 4.5</command></para>
1193
1194 <para>Example: <command>announce version = 2.0</command></para>
1195 </listitem>
1196 </varlistentry>
1197
1198
1199
1200 <varlistentry>
1201 <term><anchor id="AUTOSERVICES">auto services (G)</term>
1202 <listitem><para>This is a synonym for the <link linkend="PRELOAD">
1203 <parameter>preload</parameter></link>.</para>
1204 </listitem>
1205 </varlistentry>
1206
1207
1208
1209 <varlistentry>
1210 <term><anchor id="AVAILABLE">available (S)</term>
1211 <listitem><para>This parameter lets you "turn off" a service. If
1212 <parameter>available = no</parameter>, then <emphasis>ALL</emphasis>
1213 attempts to connect to the service will fail. Such failures are
1214 logged.</para>
1215
1216 <para>Default: <command>available = yes</command></para>
1217
1218 </listitem>
1219 </varlistentry>
1220
1221
1222
1223 <varlistentry>
1224 <term><anchor id="BINDINTERFACESONLY">bind interfaces only (G)</term>
1225 <listitem><para>This global parameter allows the Samba admin
1226 to limit what interfaces on a machine will serve SMB requests. If
1227 affects file service <ulink url="smbd.8.html">smbd(8)</ulink> and
1228 name service <ulink url="nmbd.8.html">nmbd(8)</ulink> in slightly
1229 different ways.</para>
1230
1231 <para>For name service it causes <command>nmbd</command> to bind
1232 to ports 137 and 138 on the interfaces listed in the <link
1233 linkend="INTERFACES">interfaces</link> parameter. <command>nmbd
1234 </command> also binds to the "all addresses" interface (0.0.0.0)
1235 on ports 137 and 138 for the purposes of reading broadcast messages.
1236 If this option is not set then <command>nmbd</command> will service
1237 name requests on all of these sockets. If <parameter>bind interfaces
1238 only</parameter> is set then <command>nmbd</command> will check the
1239 source address of any packets coming in on the broadcast sockets
1240 and discard any that don't match the broadcast addresses of the
1241 interfaces in the <parameter>interfaces</parameter> parameter list.
1242 As unicast packets are received on the other sockets it allows
1243 <command>nmbd</command> to refuse to serve names to machines that
1244 send packets that arrive through any interfaces not listed in the
1245 <parameter>interfaces</parameter> list. IP Source address spoofing
1246 does defeat this simple check, however so it must not be used
1247 seriously as a security feature for <command>nmbd</command>.</para>
1248
1249 <para>For file service it causes <ulink url="smbd.8.html">smbd(8)</ulink>
1250 to bind only to the interface list given in the <link linkend="INTERFACES">
1251 interfaces</link> parameter. This restricts the networks that
1252 <command>smbd</command> will serve to packets coming in those
1253 interfaces. Note that you should not use this parameter for machines
1254 that are serving PPP or other intermittent or non-broadcast network
1255 interfaces as it will not cope with non-permanent interfaces.</para>
1256
1257 <para>If <parameter>bind interfaces only</parameter> is set then
1258 unless the network address <emphasis>127.0.0.1</emphasis> is added
1259 to the <parameter>interfaces</parameter> parameter list <ulink
1260 url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>
1261 and <ulink url="swat.8.html"><command>swat(8)</command></ulink> may
1262 not work as expected due to the reasons covered below.</para>
1263
1264 <para>To change a users SMB password, the <command>smbpasswd</command>
1265 by default connects to the <emphasis>localhost - 127.0.0.1</emphasis>
1266 address as an SMB client to issue the password change request. If
1267 <parameter>bind interfaces only</parameter> is set then unless the
1268 network address <emphasis>127.0.0.1</emphasis> is added to the
1269 <parameter>interfaces</parameter> parameter list then <command>
1270 smbpasswd</command> will fail to connect in it's default mode.
1271 <command>smbpasswd</command> can be forced to use the primary IP interface
1272 of the local host by using its <ulink url="smbpasswd.8.html#minusr">
1273 <parameter>-r <replaceable>remote machine</replaceable></parameter>
1274 </ulink> parameter, with <replaceable>remote machine</replaceable> set
1275 to the IP name of the primary interface of the local host.</para>
1276
1277 <para>The <command>swat</command> status page tries to connect with
1278 <command>smbd</command> and <command>nmbd</command> at the address
1279 <emphasis>127.0.0.1</emphasis> to determine if they are running.
1280 Not adding <emphasis>127.0.0.1</emphasis> will cause <command>
1281 smbd</command> and <command>nmbd</command> to always show
1282 "not running" even if they really are. This can prevent <command>
1283 swat</command> from starting/stopping/restarting <command>smbd</command>
1284 and <command>nmbd</command>.</para>
1285
1286 <para>Default: <command>bind interfaces only = no</command></para>
1287
1288 </listitem>
1289 </varlistentry>
1290
1291
1292
1293 <varlistentry>
1294 <term><anchor id="BLOCKSIZE">block size (S)</term>
1295 <listitem><para>This parameter controls the behavior of <ulink
1296 url="smbd.8.html">smbd(8)</ulink> when reporting disk free sizes.
1297 By default, this reports a disk block size of 1024 bytes.</para>
1298
1299 <para>Changing this parameter may have some effect on the
1300 efficiency of client writes, this is not yet confirmed. This
1301 parameter was added to allow advanced administrators to change
1302 it (usually to a higher value) and test the effect it has on
1303 client write performance without re-compiling the code. As this
1304 is an experimental option it may be removed in a future release.
1305 </para>
1306
1307 <para>Changing this option does not change the disk free reporting
1308 size, just the block size unit reported to the client.</para>
1309
1310 <para>Default: <command>block size = 1024</command></para>
1311 <para>Example: <command>block size = 65536</command></para>
1312
1313 </listitem>
1314 </varlistentry>
1315
1316
1317
1318
1319 <varlistentry>
1320 <term><anchor id="BLOCKINGLOCKS">blocking locks (S)</term>
1321 <listitem><para>This parameter controls the behavior of <ulink
1322 url="smbd.8.html">smbd(8)</ulink> when given a request by a client
1323 to obtain a byte range lock on a region of an open file, and the
1324 request has a time limit associated with it.</para>
1325
1326 <para>If this parameter is set and the lock range requested
1327 cannot be immediately satisfied, Samba 2.2 will internally
1328 queue the lock request, and periodically attempt to obtain
1329 the lock until the timeout period expires.</para>
1330
1331 <para>If this parameter is set to <constant>false</constant>, then
1332 Samba 2.2 will behave as previous versions of Samba would and
1333 will fail the lock request immediately if the lock range
1334 cannot be obtained.</para>
1335
1336 <para>Default: <command>blocking locks = yes</command></para>
1337
1338 </listitem>
1339 </varlistentry>
1340
1341
1342
1343 <varlistentry>
1344 <term><anchor id="BROWSABLE">browsable (S)</term>
1345 <listitem><para>See the <link linkend="BROWSEABLE"><parameter>
1346 browseable</parameter></link>.</para></listitem>
1347 </varlistentry>
1348
1349
1350
1351 <varlistentry>
1352 <term><anchor id="BROWSELIST">browse list (G)</term>
1353 <listitem><para>This controls whether <ulink url="smbd.8.html">
1354 <command>smbd(8)</command></ulink> will serve a browse list to
1355 a client doing a <command>NetServerEnum</command> call. Normally
1356 set to <constant>true</constant>. You should never need to change
1357 this.</para>
1358
1359 <para>Default: <command>browse list = yes</command></para></listitem>
1360 </varlistentry>
1361
1362
1363
1364 <varlistentry>
1365 <term><anchor id="BROWSEABLE">browseable (S)</term>
1366 <listitem><para>This controls whether this share is seen in
1367 the list of available shares in a net view and in the browse list.</para>
1368
1369 <para>Default: <command>browseable = yes</command></para>
1370 </listitem>
1371 </varlistentry>
1372
1373
1374
1375 <varlistentry>
1376 <term><anchor id="CASESENSITIVE">case sensitive (S)</term>
1377 <listitem><para>See the discussion in the section <link
1378 linkend="NAMEMANGLINGSECT">NAME MANGLING</link>.</para>
1379
1380 <para>Default: <command>case sensitive = no</command></para>
1381 </listitem>
1382 </varlistentry>
1383
1384
1385
1386 <varlistentry>
1387 <term><anchor id="CASESIGNAMES">casesignames (S)</term>
1388 <listitem><para>Synonym for <link linkend="CASESENSITIVE">case
1389 sensitive</link>.</para></listitem>
1390 </varlistentry>
1391
1392
1393
1394 <varlistentry>
1395 <term><anchor id="CHANGENOTIFYTIMEOUT">change notify timeout (G)</term>
1396 <listitem><para>This SMB allows a client to tell a server to
1397 "watch" a particular directory for any changes and only reply to
1398 the SMB request when a change has occurred. Such constant scanning of
1399 a directory is expensive under UNIX, hence an <ulink url="smbd.8.html">
1400 <command>smbd(8)</command></ulink> daemon only performs such a scan
1401 on each requested directory once every <parameter>change notify
1402 timeout</parameter> seconds.</para>
1403
1404 <para>Default: <command>change notify timeout = 60</command></para>
1405 <para>Example: <command>change notify timeout = 300</command></para>
1406
1407 <para>Would change the scan time to every 5 minutes.</para></listitem>
1408 </varlistentry>
1409
1410
1411
1412 <varlistentry>
1413 <term><anchor id="CHANGESHARECOMMAND">change share command (G)</term>
1414 <listitem><para>Samba 2.2.0 introduced the ability to dynamically
1415 add and delete shares via the Windows NT 4.0 Server Manager. The
1416 <parameter>change share command</parameter> is used to define an
1417 external program or script which will modify an existing service definition
1418 in <filename>smb.conf</filename>. In order to successfully
1419 execute the <parameter>change share command</parameter>, <command>smbd</command>
1420 requires that the administrator be connected using a root account (i.e.
1421 uid == 0).
1422 </para>
1423
1424 <para>
1425 When executed, <command>smbd</command> will automatically invoke the
1426 <parameter>change share command</parameter> with four parameters.
1427 </para>
1428
1429 <itemizedlist>
1430 <listitem><para><parameter>configFile</parameter> - the location
1431 of the global <filename>smb.conf</filename> file.
1432 </para></listitem>
1433
1434 <listitem><para><parameter>shareName</parameter> - the name of the new
1435 share.
1436 </para></listitem>
1437
1438 <listitem><para><parameter>pathName</parameter> - path to an **existing**
1439 directory on disk.
1440 </para></listitem>
1441
1442 <listitem><para><parameter>comment</parameter> - comment string to associate
1443 with the new share.
1444 </para></listitem>
1445 </itemizedlist>
1446
1447 <para>
1448 This parameter is only used modify existing file shares definitions. To modify
1449 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1450 </para>
1451
1452 <para>
1453 See also <link linkend="ADDSHARECOMMAND"><parameter>add share
1454 command</parameter></link>, <link linkend="DELETESHARECOMMAND"><parameter>delete
1455 share command</parameter></link>.
1456 </para>
1457
1458 <para>Default: <emphasis>none</emphasis></para>
1459 <para>Example: <command>change share command = /usr/local/bin/addshare</command></para>
1460 </listitem>
1461 </varlistentry>
1462
1463
1464
1465 <varlistentry>
1466 <term><anchor id="CHARACTERSET">character set (G)</term>
1467 <listitem><para>This allows <ulink url="smbd.8.html">smbd</ulink> to map incoming filenames
1468 from a DOS Code page (see the <link linkend="CLIENTCODEPAGE">client
1469 code page</link> parameter) to several built in UNIX character sets.
1470 The built in code page translations are:</para>
1471
1472 <itemizedlist>
1473 <listitem><para><constant>ISO8859-1</constant> : Western European
1474 UNIX character set. The parameter <parameter>client code page</parameter>
1475 <emphasis>MUST</emphasis> be set to code page 850 if the
1476 <parameter>character set</parameter> parameter is set to
1477 <constant>ISO8859-1</constant> in order for the conversion to the
1478 UNIX character set to be done correctly.</para></listitem>
1479
1480 <listitem><para><constant>ISO8859-2</constant> : Eastern European
1481 UNIX character set. The parameter <parameter>client code page
1482 </parameter> <emphasis>MUST</emphasis> be set to code page 852 if
1483 the <parameter> character set</parameter> parameter is set
1484 to <constant>ISO8859-2</constant> in order for the conversion
1485 to the UNIX character set to be done correctly. </para></listitem>
1486
1487 <listitem><para><constant>ISO8859-5</constant> : Russian Cyrillic
1488 UNIX character set. The parameter <parameter>client code page
1489 </parameter> <emphasis>MUST</emphasis> be set to code page
1490 866 if the <parameter>character set </parameter> parameter is
1491 set to <constant>ISO8859-5</constant> in order for the conversion
1492 to the UNIX character set to be done correctly. </para></listitem>
1493
1494 <listitem><para><constant>ISO8859-7</constant> : Greek UNIX
1495 character set. The parameter <parameter>client code page
1496 </parameter> <emphasis>MUST</emphasis> be set to code page
1497 737 if the <parameter>character set</parameter> parameter is
1498 set to <constant>ISO8859-7</constant> in order for the conversion
1499 to the UNIX character set to be done correctly.</para></listitem>
1500
1501 <listitem><para><constant>KOI8-R</constant> : Alternate mapping
1502 for Russian Cyrillic UNIX character set. The parameter
1503 <parameter>client code page</parameter> <emphasis>MUST</emphasis>
1504 be set to code page 866 if the <parameter>character set</parameter>
1505 parameter is set to <constant>KOI8-R</constant> in order for the
1506 conversion to the UNIX character set to be done correctly.</para>
1507 </listitem>
1508 </itemizedlist>
1509
1510 <para><emphasis>BUG</emphasis>. These MSDOS code page to UNIX character
1511 set mappings should be dynamic, like the loading of MS DOS code pages,
1512 not static.</para>
1513
1514 <para>Normally this parameter is not set, meaning no filename
1515 translation is done.</para>
1516
1517 <para>Default: <command>character set = &lt;empty string&gt;</command></para>
1518 <para>Example: <command>character set = ISO8859-1</command></para></listitem>
1519 </varlistentry>
1520
1521
1522
1523 <varlistentry>
1524 <term><anchor id="CLIENTCODEPAGE">client code page (G)</term>
1525 <listitem><para>This parameter specifies the DOS code page
1526 that the clients accessing Samba are using. To determine what code
1527 page a Windows or DOS client is using, open a DOS command prompt
1528 and type the command <command>chcp</command>. This will output
1529 the code page. The default for USA MS-DOS, Windows 95, and
1530 Windows NT releases is code page 437. The default for western
1531 European releases of the above operating systems is code page 850.</para>
1532
1533 <para>This parameter tells <ulink url="smbd.8.html">smbd(8)</ulink>
1534 which of the <filename>codepage.<replaceable>XXX</replaceable>
1535 </filename> files to dynamically load on startup. These files,
1536 described more fully in the manual page <ulink url="make_smbcodepage.1.html">
1537 <command>make_smbcodepage(1)</command></ulink>, tell <command>
1538 smbd</command> how to map lower to upper case characters to provide
1539 the case insensitivity of filenames that Windows clients expect.</para>
1540
1541 <para>Samba currently ships with the following code page files :</para>
1542
1543 <itemizedlist>
1544 <listitem><para>Code Page 437 - MS-DOS Latin US</para></listitem>
1545 <listitem><para>Code Page 737 - Windows '95 Greek</para></listitem>
1546 <listitem><para>Code Page 850 - MS-DOS Latin 1</para></listitem>
1547 <listitem><para>Code Page 852 - MS-DOS Latin 2</para></listitem>
1548 <listitem><para>Code Page 861 - MS-DOS Icelandic</para></listitem>
1549 <listitem><para>Code Page 866 - MS-DOS Cyrillic</para></listitem>
1550 <listitem><para>Code Page 932 - MS-DOS Japanese SJIS</para></listitem>
1551 <listitem><para>Code Page 936 - MS-DOS Simplified Chinese</para></listitem>
1552 <listitem><para>Code Page 949 - MS-DOS Korean Hangul</para></listitem>
1553 <listitem><para>Code Page 950 - MS-DOS Traditional Chinese</para></listitem>
1554 </itemizedlist>
1555
1556 <para>Thus this parameter may have any of the values 437, 737, 850, 852,
1557 861, 932, 936, 949, or 950. If you don't find the codepage you need,
1558 read the comments in one of the other codepage files and the
1559 <command>make_smbcodepage(1)</command> man page and write one. Please
1560 remember to donate it back to the Samba user community.</para>
1561
1562 <para>This parameter co-operates with the <parameter>valid
1563 chars</parameter> parameter in determining what characters are
1564 valid in filenames and how capitalization is done. If you set both
1565 this parameter and the <parameter>valid chars</parameter> parameter
1566 the <parameter>client code page</parameter> parameter
1567 <emphasis>MUST</emphasis> be set before the <parameter>valid
1568 chars</parameter> parameter in the <filename>smb.conf</filename>
1569 file. The <parameter>valid chars</parameter> string will then
1570 augment the character settings in the <parameter>client code page</parameter>
1571 parameter.</para>
1572
1573 <para>If not set, <parameter>client code page</parameter> defaults
1574 to 850.</para>
1575
1576 <para>See also : <link linkend="VALIDCHARS"><parameter>valid
1577 chars</parameter></link>, <link linkend="CODEPAGEDIRECTORY">
1578 <parameter>code page directory</parameter></link></para>
1579
1580 <para>Default: <command>client code page = 850</command></para>
1581 <para>Example: <command>client code page = 936</command></para>
1582 </listitem>
1583 </varlistentry>
1584
1585
1586
1587
1588 <varlistentry>
1589 <term><anchor id="CODEPAGEDIRECTORY">code page directory (G)</term>
1590 <listitem><para>Define the location of the various client code page
1591 files.</para>
1592
1593 <para>See also <link linkend="CLIENTCODEPAGE"><parameter>client
1594 code page</parameter></link></para>
1595
1596 <para>Default: <command>code page directory = ${prefix}/lib/codepages
1597 </command></para>
1598 <para>Example: <command>code page directory = /usr/share/samba/codepages
1599 </command></para>
1600 </listitem>
1601 </varlistentry>
1602
1603
1604
1605
1606
1607 <varlistentry>
1608 <term><anchor id="CODINGSYSTEM">coding system (G)</term>
1609 <listitem><para>This parameter is used to determine how incoming
1610 Shift-JIS Japanese characters are mapped from the incoming <link
1611 linkend="CLIENTCODEPAGE"><parameter>client code page</parameter>
1612 </link> used by the client, into file names in the UNIX filesystem.
1613 Only useful if <parameter>client code page</parameter> is set to
1614 932 (Japanese Shift-JIS). The options are :</para>
1615
1616 <itemizedlist>
1617 <listitem><para><constant>SJIS</constant> - Shift-JIS. Does no
1618 conversion of the incoming filename.</para></listitem>
1619
1620 <listitem><para><constant>JIS8, J8BB, J8BH, J8@B,
1621 J8@J, J8@H </constant> - Convert from incoming Shift-JIS to eight
1622 bit JIS code with different shift-in, shift out codes.</para></listitem>
1623
1624 <listitem><para><constant>JIS7, J7BB, J7BH, J7@B, J7@J,
1625 J7@H </constant> - Convert from incoming Shift-JIS to seven bit
1626 JIS code with different shift-in, shift out codes.</para></listitem>
1627
1628 <listitem><para><constant>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </constant>
1629 - Convert from incoming Shift-JIS to JUNET code with different shift-in,
1630 shift out codes.</para></listitem>
1631
1632 <listitem><para><constant>EUC</constant> - Convert an incoming
1633 Shift-JIS character to EUC code.</para></listitem>
1634
1635 <listitem><para><constant>HEX</constant> - Convert an incoming
1636 Shift-JIS character to a 3 byte hex representation, i.e.
1637 <constant>:AB</constant>.</para></listitem>
1638
1639 <listitem><para><constant>CAP</constant> - Convert an incoming
1640 Shift-JIS character to the 3 byte hex representation used by
1641 the Columbia AppleTalk Program (CAP), i.e. <constant>:AB</constant>.
1642 This is used for compatibility between Samba and CAP.</para></listitem>
1643 </itemizedlist>
1644
1645 <para>Default: <command>coding system = &lt;empty value&gt;</command>
1646 </para>
1647 </listitem>
1648 </varlistentry>
1649
1650
1651
1652 <varlistentry>
1653 <term><anchor id="COMMENT">comment (S)</term>
1654 <listitem><para>This is a text field that is seen next to a share
1655 when a client does a queries the server, either via the network
1656 neighborhood or via <command>net view</command> to list what shares
1657 are available.</para>
1658
1659 <para>If you want to set the string that is displayed next to the
1660 machine name then see the <link linkend="SERVERSTRING"><parameter>
1661 server string</parameter></link> parameter.</para>
1662
1663 <para>Default: <emphasis>No comment string</emphasis></para>
1664 <para>Example: <command>comment = Fred's Files</command></para></listitem>
1665 </varlistentry>
1666
1667
1668
1669 <varlistentry>
1670 <term><anchor id="CONFIGFILE">config file (G)</term>
1671 <listitem><para>This allows you to override the config file
1672 to use, instead of the default (usually <filename>smb.conf</filename>).
1673 There is a chicken and egg problem here as this option is set
1674 in the config file!</para>
1675
1676 <para>For this reason, if the name of the config file has changed
1677 when the parameters are loaded then it will reload them from
1678 the new config file.</para>
1679
1680 <para>This option takes the usual substitutions, which can
1681 be very useful.</para>
1682
1683 <para>If the config file doesn't exist then it won't be loaded
1684 (allowing you to special case the config files of just a few
1685 clients).</para>
1686
1687 <para>Example: <command>config file = /usr/local/samba/lib/smb.conf.%m
1688 </command></para></listitem>
1689 </varlistentry>
1690
1691
1692
1693 <varlistentry>
1694 <term><anchor id="COPY">copy (S)</term>
1695 <listitem><para>This parameter allows you to "clone" service
1696 entries. The specified service is simply duplicated under the
1697 current service's name. Any parameters specified in the current
1698 section will override those in the section being copied.</para>
1699
1700 <para>This feature lets you set up a 'template' service and
1701 create similar services easily. Note that the service being
1702 copied must occur earlier in the configuration file than the
1703 service doing the copying.</para>
1704
1705 <para>Default: <emphasis>no value</emphasis></para>
1706 <para>Example: <command>copy = otherservice</command></para></listitem>
1707 </varlistentry>
1708
1709
1710
1711 <varlistentry>
1712 <term><anchor id="CREATEMASK">create mask (S)</term>
1713 <listitem><para>A synonym for this parameter is
1714 <link linkend="CREATEMODE"><parameter>create mode</parameter>
1715 </link>.</para>
1716
1717 <para>When a file is created, the necessary permissions are
1718 calculated according to the mapping from DOS modes to UNIX
1719 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
1720 with this parameter. This parameter may be thought of as a bit-wise
1721 MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
1722 set here will be removed from the modes set on a file when it is
1723 created.</para>
1724
1725 <para>The default value of this parameter removes the
1726 'group' and 'other' write and execute bits from the UNIX modes.</para>
1727
1728 <para>Following this Samba will bit-wise 'OR' the UNIX mode created
1729 from this parameter with the value of the <link
1730 linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link>
1731 parameter which is set to 000 by default.</para>
1732
1733 <para>This parameter does not affect directory modes. See the
1734 parameter <link linkend="DIRECTORYMODE"><parameter>directory mode
1735 </parameter></link> for details.</para>
1736
1737 <para>See also the <link linkend="FORCECREATEMODE"><parameter>force
1738 create mode</parameter></link> parameter for forcing particular mode
1739 bits to be set on created files. See also the <link linkend="DIRECTORYMODE">
1740 <parameter>directory mode</parameter></link> parameter for masking
1741 mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS">
1742 <parameter>inherit permissions</parameter></link> parameter.</para>
1743
1744 <para>Note that this parameter does not apply to permissions
1745 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
1746 a mask on access control lists also, they need to set the <link
1747 linkend="SECURITYMASK"><parameter>security mask</parameter></link>.</para>
1748
1749 <para>Default: <command>create mask = 0744</command></para>
1750 <para>Example: <command>create mask = 0775</command></para></listitem>
1751 </varlistentry>
1752
1753
1754
1755 <varlistentry>
1756 <term><anchor id="CREATEMODE">create mode (S)</term>
1757 <listitem><para>This is a synonym for <link linkend="CREATEMASK"><parameter>
1758 create mask</parameter></link>.</para></listitem>
1759 </varlistentry>
1760
1761
1762 <varlistentry>
1763 <term><anchor id="CSCPOLICY">csc policy (S)</term>
1764 <listitem><para>This stands for <emphasis>client-side caching
1765 policy</emphasis>, and specifies how clients capable of offline
1766 caching will cache the files in the share. The valid values
1767 are: manual, documents, programs, disable.</para>
1768
1769 <para>These values correspond to those used on Windows
1770 servers.</para>
1771
1772 <para>For example, shares containing roaming profiles can have
1773 offline caching disabled using <command>csc policy = disable
1774 </command>.</para>
1775
1776 <para>Default: <command>csc policy = manual</command></para>
1777 <para>Example: <command>csc policy = programs</command></para>
1778 </listitem>
1779 </varlistentry>
1780
1781 <varlistentry>
1782 <term><anchor id="DEADTIME">deadtime (G)</term>
1783 <listitem><para>The value of the parameter (a decimal integer)
1784 represents the number of minutes of inactivity before a connection
1785 is considered dead, and it is disconnected. The deadtime only takes
1786 effect if the number of open files is zero.</para>
1787
1788 <para>This is useful to stop a server's resources being
1789 exhausted by a large number of inactive connections.</para>
1790
1791 <para>Most clients have an auto-reconnect feature when a
1792 connection is broken so in most cases this parameter should be
1793 transparent to users.</para>
1794
1795 <para>Using this parameter with a timeout of a few minutes
1796 is recommended for most systems.</para>
1797
1798 <para>A deadtime of zero indicates that no auto-disconnection
1799 should be performed.</para>
1800
1801 <para>Default: <command>deadtime = 0</command></para>
1802 <para>Example: <command>deadtime = 15</command></para></listitem>
1803 </varlistentry>
1804
1805
1806
1807 <varlistentry>
1808 <term><anchor id="DEBUGHIRESTIMESTAMP">debug hires timestamp (G)</term>
1809 <listitem><para>Sometimes the timestamps in the log messages
1810 are needed with a resolution of higher that seconds, this
1811 boolean parameter adds microsecond resolution to the timestamp
1812 message header when turned on.</para>
1813
1814 <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
1815 debug timestamp</parameter></link> must be on for this to have an
1816 effect.</para>
1817
1818 <para>Default: <command>debug hires timestamp = no</command></para>
1819 </listitem>
1820 </varlistentry>
1821
1822
1823
1824 <varlistentry>
1825 <term><anchor id="DEBUGPID">debug pid (G)</term>
1826 <listitem><para>When using only one log file for more then one
1827 forked <ulink url="smbd.8.html">smbd</ulink>-process there may be hard to follow which process
1828 outputs which message. This boolean parameter is adds the process-id
1829 to the timestamp message headers in the logfile when turned on.</para>
1830
1831 <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
1832 debug timestamp</parameter></link> must be on for this to have an
1833 effect.</para>
1834
1835 <para>Default: <command>debug pid = no</command></para></listitem>
1836 </varlistentry>
1837
1838
1839 <varlistentry>
1840 <term><anchor id="DEBUGTIMESTAMP">debug timestamp (G)</term>
1841 <listitem><para>Samba 2.2 debug log messages are timestamped
1842 by default. If you are running at a high <link linkend="DEBUGLEVEL">
1843 <parameter>debug level</parameter></link> these timestamps
1844 can be distracting. This boolean parameter allows timestamping
1845 to be turned off.</para>
1846
1847 <para>Default: <command>debug timestamp = yes</command></para></listitem>
1848 </varlistentry>
1849
1850
1851
1852 <varlistentry>
1853 <term><anchor id="DEBUGUID">debug uid (G)</term>
1854 <listitem><para>Samba is sometimes run as root and sometime
1855 run as the connected user, this boolean parameter inserts the
1856 current euid, egid, uid and gid to the timestamp message headers
1857 in the log file if turned on.</para>
1858
1859 <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
1860 debug timestamp</parameter></link> must be on for this to have an
1861 effect.</para>
1862
1863 <para>Default: <command>debug uid = no</command></para></listitem>
1864 </varlistentry>
1865
1866
1867
1868 <varlistentry>
1869 <term><anchor id="DEBUGLEVEL">debuglevel (G)</term>
1870 <listitem><para>Synonym for <link linkend="LOGLEVEL"><parameter>
1871 log level</parameter></link>.</para>
1872 </listitem>
1873 </varlistentry>
1874
1875
1876
1877 <varlistentry>
1878 <term><anchor id="DEFAULT">default (G)</term>
1879 <listitem><para>A synonym for <link linkend="DEFAULTSERVICE"><parameter>
1880 default service</parameter></link>.</para></listitem>
1881 </varlistentry>
1882
1883
1884
1885 <varlistentry>
1886 <term><anchor id="DEFAULTCASE">default case (S)</term>
1887 <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
1888 NAME MANGLING</link>. Also note the <link linkend="SHORTPRESERVECASE">
1889 <parameter>short preserve case</parameter></link> parameter.</para>
1890
1891 <para>Default: <command>default case = lower</command></para>
1892 </listitem>
1893 </varlistentry>
1894
1895
1896
1897 <varlistentry>
1898 <term><anchor id="DEFAULTDEVMODE">default devmode (S)</term>
1899 <listitem><para>This parameter is only applicable to <link
1900 linkend="PRINTOK">printable</link> services. When smbd is serving
1901 Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
1902 server has a Device Mode which defines things such as paper size and
1903 orientation and duplex settings. The device mode can only correctly be
1904 generated by the printer driver itself (which can only be executed on a
1905 Win32 platform). Because smbd is unable to execute the driver code
1906 to generate the device mode, the default behavior is to set this field
1907 to NULL.
1908 </para>
1909
1910 <para>Most problems with serving printer drivers to Windows NT/2k/XP clients
1911 can be traced to a problem with the generated device mode. Certain drivers
1912 will do things such as crashing the client's Explorer.exe with a NULL devmode.
1913 However, other printer drivers can cause the client's spooler service
1914 (spoolsv.exe) to die if the devmode was not created by the driver itself
1915 (i.e. smbd generates a default devmode).
1916 </para>
1917
1918 <para>This parameter should be used with care and tested with the printer
1919 driver in question. It is better to leave the device mode to NULL
1920 and let the Windows client set the correct values. Because drivers do not
1921 do this all the time, setting <command>default devmode = yes</command>
1922 will instruct smbd to generate a default one.
1923 </para>
1924
1925 <para>For more information on Windows NT/2k printing and Device Modes,
1926 see the <ulink url="http://msdn.microsoft.com/">MSDN documentation</ulink>.
1927 </para>
1928
1929 <para>Default: <command>default devmode = no</command></para>
1930 </listitem>
1931 </varlistentry>
1932
1933
1934
1935 <varlistentry>
1936 <term><anchor id="DEFAULTSERVICE">default service (G)</term>
1937 <listitem><para>This parameter specifies the name of a service
1938 which will be connected to if the service actually requested cannot
1939 be found. Note that the square brackets are <emphasis>NOT</emphasis>
1940 given in the parameter value (see example below).</para>
1941
1942 <para>There is no default value for this parameter. If this
1943 parameter is not given, attempting to connect to a nonexistent
1944 service results in an error.</para>
1945
1946 <para>Typically the default service would be a <link linkend="GUESTOK">
1947 <parameter>guest ok</parameter></link>, <link linkend="READONLY">
1948 <parameter>read-only</parameter></link> service.</para>
1949
1950 <para>Also note that the apparent service name will be changed
1951 to equal that of the requested service, this is very useful as it
1952 allows you to use macros like <parameter>%S</parameter> to make
1953 a wildcard service.</para>
1954
1955 <para>Note also that any "_" characters in the name of the service
1956 used in the default service will get mapped to a "/". This allows for
1957 interesting things.</para>
1958
1959
1960 <para>Example:</para>
1961
1962 <para><programlisting>
1963 [global]
1964 default service = pub
1965
1966 [pub]
1967 path = /%S
1968 </programlisting></para>
1969 </listitem>
1970 </varlistentry>
1971
1972
1973
1974 <varlistentry>
1975 <term><anchor id="DELETEPRINTERCOMMAND">delete printer command (G)</term>
1976 <listitem><para>With the introduction of MS-RPC based printer
1977 support for Windows NT/2000 clients in Samba 2.2, it is now
1978 possible to delete printer at run time by issuing the
1979 DeletePrinter() RPC call.</para>
1980
1981 <para>For a Samba host this means that the printer must be
1982 physically deleted from underlying printing system. The <parameter>
1983 deleteprinter command</parameter> defines a script to be run which
1984 will perform the necessary operations for removing the printer
1985 from the print system and from <filename>smb.conf</filename>.
1986 </para>
1987
1988 <para>The <parameter>delete printer command</parameter> is
1989 automatically called with only one parameter: <parameter>
1990 "printer name"</parameter>.</para>
1991
1992
1993 <para>Once the <parameter>delete printer command</parameter> has
1994 been executed, <command>smbd</command> will reparse the <filename>
1995 smb.conf</filename> to associated printer no longer exists.
1996 If the sharename is still valid, then <command>smbd
1997 </command> will return an ACCESS_DENIED error to the client.</para>
1998
1999 <para>See also <link linkend="ADDPRINTERCOMMAND"><parameter>
2000 add printer command</parameter></link>, <link
2001 linkend="printing"><parameter>printing</parameter></link>,
2002 <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add
2003 printer wizard</parameter></link></para>
2004
2005 <para>Default: <emphasis>none</emphasis></para>
2006 <para>Example: <command>deleteprinter command = /usr/bin/removeprinter
2007 </command></para>
2008 </listitem>
2009 </varlistentry>
2010
2011
2012
2013
2014
2015
2016 <varlistentry>
2017 <term><anchor id="DELETEREADONLY">delete readonly (S)</term>
2018 <listitem><para>This parameter allows readonly files to be deleted.
2019 This is not normal DOS semantics, but is allowed by UNIX.</para>
2020
2021 <para>This option may be useful for running applications such
2022 as rcs, where UNIX file ownership prevents changing file
2023 permissions, and DOS semantics prevent deletion of a read only file.</para>
2024
2025 <para>Default: <command>delete readonly = no</command></para></listitem>
2026 </varlistentry>
2027
2028
2029
2030 <varlistentry>
2031 <term><anchor id="DELETESHARECOMMAND">delete share command (G)</term>
2032 <listitem><para>Samba 2.2.0 introduced the ability to dynamically
2033 add and delete shares via the Windows NT 4.0 Server Manager. The
2034 <parameter>delete share command</parameter> is used to define an
2035 external program or script which will remove an existing service
2036 definition from <filename>smb.conf</filename>. In order to successfully
2037 execute the <parameter>delete share command</parameter>, <command>smbd</command>
2038 requires that the administrator be connected using a root account (i.e.
2039 uid == 0).
2040 </para>
2041
2042 <para>
2043 When executed, <command>smbd</command> will automatically invoke the
2044 <parameter>delete share command</parameter> with two parameters.
2045 </para>
2046
2047 <itemizedlist>
2048 <listitem><para><parameter>configFile</parameter> - the location
2049 of the global <filename>smb.conf</filename> file.
2050 </para></listitem>
2051
2052 <listitem><para><parameter>shareName</parameter> - the name of
2053 the existing service.
2054 </para></listitem>
2055 </itemizedlist>
2056
2057 <para>
2058 This parameter is only used to remove file shares. To delete printer shares,
2059 see the <link linkend="DELETEPRINTERCOMMAND"><parameter>delete printer
2060 command</parameter></link>.
2061 </para>
2062
2063 <para>
2064 See also <link linkend="ADDSHARECOMMAND"><parameter>add share
2065 command</parameter></link>, <link linkend="CHANGESHARECOMMAND"><parameter>change
2066 share command</parameter></link>.
2067 </para>
2068
2069 <para>Default: <emphasis>none</emphasis></para>
2070 <para>Example: <command>delete share command = /usr/local/bin/delshare</command></para>
2071
2072 </listitem>
2073 </varlistentry>
2074
2075
2076
2077
2078 <varlistentry>
2079 <term><anchor id="DELETEUSERSCRIPT">delete user script (G)</term>
2080 <listitem><para>This is the full pathname to a script that will
2081 be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">
2082 <command>smbd(8)</command></ulink> under special circumstances
2083 described below.</para>
2084
2085 <para>Normally, a Samba server requires that UNIX users are
2086 created for all users accessing files on this server. For sites
2087 that use Windows NT account databases as their primary user database
2088 creating these users and keeping the user list in sync with the
2089 Windows NT PDC is an onerous task. This option allows <command>
2090 smbd</command> to delete the required UNIX users <emphasis>ON
2091 DEMAND</emphasis> when a user accesses the Samba server and the
2092 Windows NT user no longer exists.</para>
2093
2094 <para>In order to use this option, <command>smbd</command> must be
2095 set to <parameter>security = domain</parameter> or <parameter>security =
2096 user</parameter> and <parameter>delete user script</parameter>
2097 must be set to a full pathname for a script
2098 that will delete a UNIX user given one argument of <parameter>%u</parameter>,
2099 which expands into the UNIX user name to delete.</para>
2100
2101 <para>When the Windows user attempts to access the Samba server,
2102 at <emphasis>login</emphasis> (session setup in the SMB protocol)
2103 time, <command>smbd</command> contacts the <link linkend="PASSWORDSERVER">
2104 <parameter>password server</parameter></link> and attempts to authenticate
2105 the given user with the given password. If the authentication fails
2106 with the specific Domain error code meaning that the user no longer
2107 exists then <command>smbd</command> attempts to find a UNIX user in
2108 the UNIX password database that matches the Windows user account. If
2109 this lookup succeeds, and <parameter>delete user script</parameter> is
2110 set then <command>smbd</command> will all the specified script
2111 <emphasis>AS ROOT</emphasis>, expanding any <parameter>%u</parameter>
2112 argument to be the user name to delete.</para>
2113
2114 <para>This script should delete the given UNIX username. In this way,
2115 UNIX users are dynamically deleted to match existing Windows NT
2116 accounts.</para>
2117
2118 <para>See also <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>,
2119 <link linkend="PASSWORDSERVER"><parameter>password server</parameter>
2120 </link>, <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter>
2121 </link>.</para>
2122
2123 <para>Default: <command>delete user script = &lt;empty string&gt;
2124 </command></para>
2125 <para>Example: <command>delete user script = /usr/local/samba/bin/del_user
2126 %u</command></para></listitem>
2127 </varlistentry>
2128
2129
2130
2131
2132
2133 <varlistentry>
2134 <term><anchor id="DELETEVETOFILES">delete veto files (S)</term>
2135 <listitem><para>This option is used when Samba is attempting to
2136 delete a directory that contains one or more vetoed directories
2137 (see the <link linkend="VETOFILES"><parameter>veto files</parameter></link>
2138 option). If this option is set to <constant>false</constant> (the default) then if a vetoed
2139 directory contains any non-vetoed files or directories then the
2140 directory delete will fail. This is usually what you want.</para>
2141
2142 <para>If this option is set to <constant>true</constant>, then Samba
2143 will attempt to recursively delete any files and directories within
2144 the vetoed directory. This can be useful for integration with file
2145 serving systems such as NetAtalk which create meta-files within
2146 directories you might normally veto DOS/Windows users from seeing
2147 (e.g. <filename>.AppleDouble</filename>)</para>
2148
2149 <para>Setting <command>delete veto files = yes</command> allows these
2150 directories to be transparently deleted when the parent directory
2151 is deleted (so long as the user has permissions to do so).</para>
2152
2153 <para>See also the <link linkend="VETOFILES"><parameter>veto
2154 files</parameter></link> parameter.</para>
2155
2156 <para>Default: <command>delete veto files = no</command></para></listitem>
2157 </varlistentry>
2158
2159
2160
2161
2162 <varlistentry>
2163 <term><anchor id="DENYHOSTS">deny hosts (S)</term>
2164 <listitem><para>Synonym for <link linkend="HOSTSDENY"><parameter>hosts
2165 deny</parameter></link>.</para></listitem>
2166 </varlistentry>
2167
2168
2169
2170
2171 <varlistentry>
2172 <term><anchor id="DFREECOMMAND">dfree command (G)</term>
2173 <listitem><para>The <parameter>dfree command</parameter> setting should
2174 only be used on systems where a problem occurs with the internal
2175 disk space calculations. This has been known to happen with Ultrix,
2176 but may occur with other operating systems. The symptom that was
2177 seen was an error of "Abort Retry Ignore" at the end of each
2178 directory listing.</para>
2179
2180 <para>This setting allows the replacement of the internal routines to
2181 calculate the total disk space and amount available with an external
2182 routine. The example below gives a possible script that might fulfill
2183 this function.</para>
2184
2185 <para>The external program will be passed a single parameter indicating
2186 a directory in the filesystem being queried. This will typically consist
2187 of the string <filename>./</filename>. The script should return two
2188 integers in ASCII. The first should be the total disk space in blocks,
2189 and the second should be the number of available blocks. An optional
2190 third return value can give the block size in bytes. The default
2191 blocksize is 1024 bytes.</para>
2192
2193 <para>Note: Your script should <emphasis>NOT</emphasis> be setuid or
2194 setgid and should be owned by (and writeable only by) root!</para>
2195
2196 <para>Default: <emphasis>By default internal routines for
2197 determining the disk capacity and remaining space will be used.
2198 </emphasis></para>
2199
2200 <para>Example: <command>dfree command = /usr/local/samba/bin/dfree
2201 </command></para>
2202
2203 <para>Where the script dfree (which must be made executable) could be:</para>
2204
2205 <para><programlisting>
2206 #!/bin/sh
2207 df $1 | tail -1 | awk '{print $2" "$4}'
2208 </programlisting></para>
2209
2210 <para>or perhaps (on Sys V based systems):</para>
2211
2212 <para><programlisting>
2213 #!/bin/sh
2214 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
2215 </programlisting></para>
2216
2217 <para>Note that you may have to replace the command names
2218 with full path names on some systems.</para>
2219 </listitem>
2220 </varlistentry>
2221
2222
2223
2224
2225 <varlistentry>
2226 <term><anchor id="DIRECTORY">directory (S)</term>
2227 <listitem><para>Synonym for <link linkend="PATH"><parameter>path
2228 </parameter></link>.</para></listitem>
2229 </varlistentry>
2230
2231
2232
2233 <varlistentry>
2234 <term><anchor id="DIRECTORYMASK">directory mask (S)</term>
2235 <listitem><para>This parameter is the octal modes which are
2236 used when converting DOS modes to UNIX modes when creating UNIX
2237 directories.</para>
2238
2239 <para>When a directory is created, the necessary permissions are
2240 calculated according to the mapping from DOS modes to UNIX permissions,
2241 and the resulting UNIX mode is then bit-wise 'AND'ed with this
2242 parameter. This parameter may be thought of as a bit-wise MASK for
2243 the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
2244 here will be removed from the modes set on a directory when it is
2245 created.</para>
2246
2247 <para>The default value of this parameter removes the 'group'
2248 and 'other' write bits from the UNIX mode, allowing only the
2249 user who owns the directory to modify it.</para>
2250
2251 <para>Following this Samba will bit-wise 'OR' the UNIX mode
2252 created from this parameter with the value of the <link
2253 linkend="FORCEDIRECTORYMODE"><parameter>force directory mode
2254 </parameter></link> parameter. This parameter is set to 000 by
2255 default (i.e. no extra mode bits are added).</para>
2256
2257 <para>Note that this parameter does not apply to permissions
2258 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2259 a mask on access control lists also, they need to set the <link
2260 linkend="DIRECTORYSECURITYMASK"><parameter>directory security mask</parameter></link>.</para>
2261
2262 <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter>force
2263 directory mode</parameter></link> parameter to cause particular mode
2264 bits to always be set on created directories.</para>
2265
2266 <para>See also the <link linkend="CREATEMODE"><parameter>create mode
2267 </parameter></link> parameter for masking mode bits on created files,
2268 and the <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
2269 security mask</parameter></link> parameter.</para>
2270
2271 <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter>
2272 inherit permissions</parameter></link> parameter.</para>
2273
2274 <para>Default: <command>directory mask = 0755</command></para>
2275 <para>Example: <command>directory mask = 0775</command></para>
2276 </listitem>
2277 </varlistentry>
2278
2279
2280
2281 <varlistentry>
2282 <term><anchor id="DIRECTORYMODE">directory mode (S)</term>
2283 <listitem><para>Synonym for <link linkend="DIRECTORYMASK"><parameter>
2284 directory mask</parameter></link></para></listitem>
2285 </varlistentry>
2286
2287
2288
2289 <varlistentry>
2290 <term><anchor id="DIRECTORYSECURITYMASK">directory security mask (S)</term>
2291 <listitem><para>This parameter controls what UNIX permission bits
2292 can be modified when a Windows NT client is manipulating the UNIX
2293 permission on a directory using the native NT security dialog
2294 box.</para>
2295
2296 <para>This parameter is applied as a mask (AND'ed with) to
2297 the changed permission bits, thus preventing any bits not in
2298 this mask from being modified. Essentially, zero bits in this
2299 mask may be treated as a set of bits the user is not allowed
2300 to change.</para>
2301
2302 <para>If not set explicitly this parameter is set to 0777
2303 meaning a user is allowed to modify all the user/group/world
2304 permissions on a directory.</para>
2305
2306 <para><emphasis>Note</emphasis> that users who can access the
2307 Samba server through other means can easily bypass this restriction,
2308 so it is primarily useful for standalone "appliance" systems.
2309 Administrators of most normal systems will probably want to leave
2310 it as the default of <constant>0777</constant>.</para>
2311
2312 <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
2313 force directory security mode</parameter></link>, <link
2314 linkend="SECURITYMASK"><parameter>security mask</parameter></link>,
2315 <link linkend="FORCESECURITYMODE"><parameter>force security mode
2316 </parameter></link> parameters.</para>
2317
2318 <para>Default: <command>directory security mask = 0777</command></para>
2319 <para>Example: <command>directory security mask = 0700</command></para>
2320 </listitem>
2321 </varlistentry>
2322
2323
2324
2325 <varlistentry>
2326 <term><anchor id="DISABLESPOOLSS">disable spoolss (G)</term>
2327 <listitem><para>Enabling this parameter will disables Samba's support
2328 for the SPOOLSS set of MS-RPC's and will yield identical behavior
2329 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
2330 Lanman style printing commands. Windows 9x/ME will be uneffected by
2331 the parameter. However, this will also disable the ability to upload
2332 printer drivers to a Samba server via the Windows NT Add Printer
2333 Wizard or by using the NT printer properties dialog window. It will
2334 also disable the capability of Windows NT/2000 clients to download
2335 print drivers from the Samba host upon demand.
2336 <emphasis>Be very careful about enabling this parameter.</emphasis>
2337 </para>
2338
2339 <para>See also <link linkend="USECLIENTDRIVER">use client driver</link>
2340 </para>
2341
2342 <para>Default : <command>disable spoolss = no</command></para>
2343 </listitem>
2344 </varlistentry>
2345
2346
2347
2348 <varlistentry>
2349 <term><anchor id="DNSPROXY">dns proxy (G)</term>
2350 <listitem><para>Specifies that <ulink url="nmbd.8.html">nmbd(8)</ulink>
2351 when acting as a WINS server and finding that a NetBIOS name has not
2352 been registered, should treat the NetBIOS name word-for-word as a DNS
2353 name and do a lookup with the DNS server for that name on behalf of
2354 the name-querying client.</para>
2355
2356 <para>Note that the maximum length for a NetBIOS name is 15
2357 characters, so the DNS name (or DNS alias) can likewise only be
2358 15 characters, maximum.</para>
2359
2360 <para><command>nmbd</command> spawns a second copy of itself to do the
2361 DNS name lookup requests, as doing a name lookup is a blocking
2362 action.</para>
2363
2364 <para>See also the parameter <link linkend="WINSSUPPORT"><parameter>
2365 wins support</parameter></link>.</para>
2366
2367 <para>Default: <command>dns proxy = yes</command></para></listitem>
2368 </varlistentry>
2369
2370
2371
2372 <varlistentry>
2373 <term><anchor id="DOMAINADMINGROUP">domain admin group (G)</term>
2374 <listitem><para>This parameter is intended as a temporary solution
2375 to enable users to be a member of the "Domain Admins" group when
2376 a Samba host is acting as a PDC. A complete solution will be provided
2377 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2378 Please note that this parameter has a somewhat confusing name. It
2379 accepts a list of usernames and of group names in standard
2380 <filename>smb.conf</filename> notation.
2381 </para>
2382
2383 <para>See also <link linkend="DOMAINGUESTGROUP"><parameter>domain
2384 guest group</parameter></link>, <link linkend="DOMAINLOGONS"><parameter>domain
2385 logons</parameter></link>
2386 </para>
2387
2388 <para>Default: <emphasis>no domain administrators</emphasis></para>
2389 <para>Example: <command>domain admin group = root @wheel</command></para>
2390 </listitem>
2391 </varlistentry>
2392
2393
2394
2395
2396 <varlistentry>
2397 <term><anchor id="DOMAINGUESTGROUP">domain guest group (G)</term>
2398 <listitem><para>This parameter is intended as a temporary solution
2399 to enable users to be a member of the "Domain Guests" group when
2400 a Samba host is acting as a PDC. A complete solution will be provided
2401 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2402 Please note that this parameter has a somewhat confusing name. It
2403 accepts a list of usernames and of group names in standard
2404 <filename>smb.conf</filename> notation.
2405 </para>
2406
2407 <para>See also <link linkend="DOMAINADMINGROUP"><parameter>domain
2408 admin group</parameter></link>, <link linkend="DOMAINLOGONS"><parameter>domain
2409 logons</parameter></link>
2410 </para>
2411
2412 <para>Default: <emphasis>no domain guests</emphasis></para>
2413 <para>Example: <command>domain guest group = nobody @guest</command></para>
2414 </listitem>
2415 </varlistentry>
2416
2417
2418 <varlistentry>
2419 <term><anchor id="DOMAINLOGONS">domain logons (G)</term>
2420 <listitem><para>If set to <constant>true</constant>, the Samba server will serve
2421 Windows 95/98 Domain logons for the <link linkend="WORKGROUP">
2422 <parameter>workgroup</parameter></link> it is in. Samba 2.2 also
2423 has limited capability to act as a domain controller for Windows
2424 NT 4 Domains. For more details on setting up this feature see
2425 the Samba-PDC-HOWTO included in the <filename>htmldocs/</filename>
2426 directory shipped with the source code.</para>
2427
2428 <para>Default: <command>domain logons = no</command></para></listitem>
2429 </varlistentry>
2430
2431
2432
2433 <varlistentry>
2434 <term><anchor id="DOMAINMASTER">domain master (G)</term>
2435 <listitem><para>Tell <ulink url="nmbd.8.html"><command>
2436 nmbd(8)</command></ulink> to enable WAN-wide browse list
2437 collation. Setting this option causes <command>nmbd</command> to
2438 claim a special domain specific NetBIOS name that identifies
2439 it as a domain master browser for its given <link linkend="WORKGROUP">
2440 <parameter>workgroup</parameter></link>. Local master browsers
2441 in the same <parameter>workgroup</parameter> on broadcast-isolated
2442 subnets will give this <command>nmbd</command> their local browse lists,
2443 and then ask <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
2444 for a complete copy of the browse list for the whole wide area
2445 network. Browser clients will then contact their local master browser,
2446 and will receive the domain-wide browse list, instead of just the list
2447 for their broadcast-isolated subnet.</para>
2448
2449 <para>Note that Windows NT Primary Domain Controllers expect to be
2450 able to claim this <parameter>workgroup</parameter> specific special
2451 NetBIOS name that identifies them as domain master browsers for
2452 that <parameter>workgroup</parameter> by default (i.e. there is no
2453 way to prevent a Windows NT PDC from attempting to do this). This
2454 means that if this parameter is set and <command>nmbd</command> claims
2455 the special name for a <parameter>workgroup</parameter> before a Windows
2456 NT PDC is able to do so then cross subnet browsing will behave
2457 strangely and may fail.</para>
2458
2459 <para>If <link linkend="DOMAINLOGONS"><command>domain logons = yes</command>
2460 </link>, then the default behavior is to enable the <parameter>domain
2461 master</parameter> parameter. If <parameter>domain logons</parameter> is
2462 not enabled (the default setting), then neither will <parameter>domain
2463 master</parameter> be enabled by default.</para>
2464
2465 <para>Default: <command>domain master = auto</command></para></listitem>
2466 </varlistentry>
2467
2468
2469
2470
2471 <varlistentry>
2472 <term><anchor id="DONTDESCEND">dont descend (S)</term>
2473 <listitem><para>There are certain directories on some systems
2474 (e.g., the <filename>/proc</filename> tree under Linux) that are either not
2475 of interest to clients or are infinitely deep (recursive). This
2476 parameter allows you to specify a comma-delimited list of directories
2477 that the server should always show as empty.</para>
2478
2479 <para>Note that Samba can be very fussy about the exact format
2480 of the "dont descend" entries. For example you may need <filename>
2481 ./proc</filename> instead of just <filename>/proc</filename>.
2482 Experimentation is the best policy :-) </para>
2483
2484 <para>Default: <emphasis>none (i.e., all directories are OK
2485 to descend)</emphasis></para>
2486 <para>Example: <command>dont descend = /proc,/dev</command></para>
2487 </listitem>
2488 </varlistentry>
2489
2490
2491
2492 <varlistentry>
2493 <term><anchor id="DOSFILEMODE">dos filemode (S)</term>
2494 <listitem><para> The default behavior in Samba is to provide
2495 UNIX-like behavior where only the owner of a file/directory is
2496 able to change the permissions on it. However, this behavior
2497 is often confusing to DOS/Windows users. Enabling this parameter
2498 allows a user who has write access to the file (by whatever
2499 means) to modify the permissions on it. Note that a user
2500 belonging to the group owning the file will not be allowed to
2501 change permissions if the group is only granted read access.
2502 Ownership of the file/directory is not changed, only the permissions
2503 are modified.</para>
2504
2505 <para>Default: <command>dos filemode = no</command></para>
2506 </listitem>
2507 </varlistentry>
2508
2509
2510
2511 <varlistentry>
2512 <term><anchor id="DOSFILETIMERESOLUTION">dos filetime resolution (S)</term>
2513 <listitem><para>Under the DOS and Windows FAT filesystem, the finest
2514 granularity on time resolution is two seconds. Setting this parameter
2515 for a share causes Samba to round the reported time down to the
2516 nearest two second boundary when a query call that requires one second
2517 resolution is made to <ulink url="smbd.8.html"><command>smbd(8)</command>
2518 </ulink>.</para>
2519
2520 <para>This option is mainly used as a compatibility option for Visual
2521 C++ when used against Samba shares. If oplocks are enabled on a
2522 share, Visual C++ uses two different time reading calls to check if a
2523 file has changed since it was last read. One of these calls uses a
2524 one-second granularity, the other uses a two second granularity. As
2525 the two second call rounds any odd second down, then if the file has a
2526 timestamp of an odd number of seconds then the two timestamps will not
2527 match and Visual C++ will keep reporting the file has changed. Setting
2528 this option causes the two timestamps to match, and Visual C++ is
2529 happy.</para>
2530
2531 <para>Default: <command>dos filetime resolution = no</command></para>
2532 </listitem>
2533 </varlistentry>
2534
2535
2536
2537 <varlistentry>
2538 <term><anchor id="DOSFILETIMES">dos filetimes (S)</term>
2539 <listitem><para>Under DOS and Windows, if a user can write to a
2540 file they can change the timestamp on it. Under POSIX semantics,
2541 only the owner of the file or root may change the timestamp. By
2542 default, Samba runs with POSIX semantics and refuses to change the
2543 timestamp on a file if the user <command>smbd</command> is acting
2544 on behalf of is not the file owner. Setting this option to <constant>
2545 true</constant> allows DOS semantics and <ulink url="smbd.8.html">smbd</ulink> will change the file
2546 timestamp as DOS requires.</para>
2547
2548 <para>Default: <command>dos filetimes = no</command></para></listitem>
2549 </varlistentry>
2550
2551
2552
2553 <varlistentry>
2554 <term><anchor id="ENCRYPTPASSWORDS">encrypt passwords (G)</term>
2555 <listitem><para>This boolean controls whether encrypted passwords
2556 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2557 above and also Windows 98 will by default expect encrypted passwords
2558 unless a registry entry is changed. To use encrypted passwords in
2559 Samba see the file ENCRYPTION.txt in the Samba documentation
2560 directory <filename>docs/</filename> shipped with the source code.</para>
2561
2562 <para>In order for encrypted passwords to work correctly
2563 <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> must either
2564 have access to a local <ulink url="smbpasswd.5.html"><filename>smbpasswd(5)
2565 </filename></ulink> file (see the <ulink url="smbpasswd.8.html"><command>
2566 smbpasswd(8)</command></ulink> program for information on how to set up
2567 and maintain this file), or set the <link
2568 linkend="SECURITY">security = [server|domain]</link> parameter which
2569 causes <command>smbd</command> to authenticate against another
2570 server.</para>
2571
2572 <para>Default: <command>encrypt passwords = no</command></para></listitem>
2573 </varlistentry>
2574
2575
2576 <varlistentry>
2577 <term><anchor id="ENHANCEDBROWSING">enhanced browsing (G)</term>
2578 <listitem><para>This option enables a couple of enhancements to
2579 cross-subnet browse propagation that have been added in Samba
2580 but which are not standard in Microsoft implementations.
2581 </para>
2582
2583 <para>The first enhancement to browse propagation consists of a regular
2584 wildcard query to a Samba WINS server for all Domain Master Browsers,
2585 followed by a browse synchronization with each of the returned
2586 DMBs. The second enhancement consists of a regular randomised browse
2587 synchronization with all currently known DMBs.</para>
2588
2589 <para>You may wish to disable this option if you have a problem with empty
2590 workgroups not disappearing from browse lists. Due to the restrictions
2591 of the browse protocols these enhancements can cause a empty workgroup
2592 to stay around forever which can be annoying.</para>
2593
2594 <para>In general you should leave this option enabled as it makes
2595 cross-subnet browse propagation much more reliable.</para>
2596
2597 <para>Default: <command>enhanced browsing = yes</command></para>
2598 </listitem>
2599 </varlistentry>
2600
2601
2602 <varlistentry>
2603 <term><anchor id="ENUMPORTSCOMMAND">enumports command (G)</term>
2604 <listitem><para>The concept of a "port" is fairly foreign
2605 to UNIX hosts. Under Windows NT/2000 print servers, a port
2606 is associated with a port monitor and generally takes the form of
2607 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2608 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2609 port defined--<constant>"Samba Printer Port"</constant>. Under
2610 Windows NT/2000, all printers must have a valid port name.
2611 If you wish to have a list of ports displayed (<command>smbd
2612 </command> does not use a port name for anything) other than
2613 the default <constant>"Samba Printer Port"</constant>, you
2614 can define <parameter>enumports command</parameter> to point to
2615 a program which should generate a list of ports, one per line,
2616 to standard output. This listing will then be used in response
2617 to the level 1 and 2 EnumPorts() RPC.</para>
2618
2619 <para>Default: <emphasis>no enumports command</emphasis></para>
2620 <para>Example: <command>enumports command = /usr/bin/listports
2621 </command></para>
2622 </listitem>
2623 </varlistentry>
2624
2625 <varlistentry>
2626 <term><anchor id="EXEC">exec (S)</term>
2627 <listitem><para>This is a synonym for <link linkend="PREEXEC">
2628 <parameter>preexec</parameter></link>.</para></listitem>
2629 </varlistentry>
2630
2631
2632
2633 <varlistentry>
2634 <term><anchor id="FAKEDIRECTORYCREATETIMES">fake directory create times (S)</term>
2635 <listitem><para>NTFS and Windows VFAT file systems keep a create
2636 time for all files and directories. This is not the same as the
2637 ctime - status change time - that Unix keeps, so Samba by default
2638 reports the earliest of the various times Unix does keep. Setting
2639 this parameter for a share causes Samba to always report midnight
2640 1-1-1980 as the create time for directories.</para>
2641
2642 <para>This option is mainly used as a compatibility option for
2643 Visual C++ when used against Samba shares. Visual C++ generated
2644 makefiles have the object directory as a dependency for each object
2645 file, and a make rule to create the directory. Also, when NMAKE
2646 compares timestamps it uses the creation time when examining a
2647 directory. Thus the object directory will be created if it does not
2648 exist, but once it does exist it will always have an earlier
2649 timestamp than the object files it contains.</para>
2650
2651 <para>However, Unix time semantics mean that the create time
2652 reported by Samba will be updated whenever a file is created or
2653 or deleted in the directory. NMAKE finds all object files in
2654 the object directory. The timestamp of the last one built is then
2655 compared to the timestamp of the object directory. If the
2656 directory's timestamp if newer, then all object files
2657 will be rebuilt. Enabling this option
2658 ensures directories always predate their contents and an NMAKE build
2659 will proceed as expected.</para>
2660
2661 <para>Default: <command>fake directory create times = no</command></para>
2662 </listitem>
2663 </varlistentry>
2664
2665
2666
2667 <varlistentry>
2668 <term><anchor id="FAKEOPLOCKS">fake oplocks (S)</term>
2669 <listitem><para>Oplocks are the way that SMB clients get permission
2670 from a server to locally cache file operations. If a server grants
2671 an oplock (opportunistic lock) then the client is free to assume
2672 that it is the only one accessing the file and it will aggressively
2673 cache file data. With some oplock types the client may even cache
2674 file open/close operations. This can give enormous performance benefits.
2675 </para>
2676
2677 <para>When you set <command>fake oplocks = yes</command>, <ulink
2678 url="smbd.8.html"><command>smbd(8)</command></ulink> will
2679 always grant oplock requests no matter how many clients are using
2680 the file.</para>
2681
2682 <para>It is generally much better to use the real <link
2683 linkend="OPLOCKS"><parameter>oplocks</parameter></link> support rather
2684 than this parameter.</para>
2685
2686 <para>If you enable this option on all read-only shares or
2687 shares that you know will only be accessed from one client at a
2688 time such as physically read-only media like CDROMs, you will see
2689 a big performance improvement on many operations. If you enable
2690 this option on shares where multiple clients may be accessing the
2691 files read-write at the same time you can get data corruption. Use
2692 this option carefully!</para>
2693
2694 <para>Default: <command>fake oplocks = no</command></para></listitem>
2695 </varlistentry>
2696
2697
2698
2699 <varlistentry>
2700 <term><anchor id="FOLLOWSYMLINKS">follow symlinks (S)</term>
2701 <listitem><para>This parameter allows the Samba administrator
2702 to stop <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
2703 from following symbolic links in a particular share. Setting this
2704 parameter to <constant>no</constant> prevents any file or directory
2705 that is a symbolic link from being followed (the user will get an
2706 error). This option is very useful to stop users from adding a
2707 symbolic link to <filename>/etc/passwd</filename> in their home
2708 directory for instance. However it will slow filename lookups
2709 down slightly.</para>
2710
2711 <para>This option is enabled (i.e. <command>smbd</command> will
2712 follow symbolic links) by default.</para>
2713
2714 <para>Default: <command>follow symlinks = yes</command></para></listitem>
2715 </varlistentry>
2716
2717
2718
2719 <varlistentry>
2720 <term><anchor id="FORCECREATEMODE">force create mode (S)</term>
2721 <listitem><para>This parameter specifies a set of UNIX mode bit
2722 permissions that will <emphasis>always</emphasis> be set on a
2723 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2724 the mode bits of a file that is being created or having its
2725 permissions changed. The default for this parameter is (in octal)
2726 000. The modes in this parameter are bitwise 'OR'ed onto the file
2727 mode after the mask set in the <parameter>create mask</parameter>
2728 parameter is applied.</para>
2729
2730 <para>See also the parameter <link linkend="CREATEMASK"><parameter>create
2731 mask</parameter></link> for details on masking mode bits on files.</para>
2732
2733 <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>inherit
2734 permissions</parameter></link> parameter.</para>
2735
2736 <para>Default: <command>force create mode = 000</command></para>
2737 <para>Example: <command>force create mode = 0755</command></para>
2738
2739 <para>would force all created files to have read and execute
2740 permissions set for 'group' and 'other' as well as the
2741 read/write/execute bits set for the 'user'.</para>
2742 </listitem>
2743 </varlistentry>
2744
2745
2746
2747 <varlistentry>
2748 <term><anchor id="FORCEDIRECTORYMODE">force directory mode (S)</term>
2749 <listitem><para>This parameter specifies a set of UNIX mode bit
2750 permissions that will <emphasis>always</emphasis> be set on a directory
2751 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2752 mode bits of a directory that is being created. The default for this
2753 parameter is (in octal) 0000 which will not add any extra permission
2754 bits to a created directory. This operation is done after the mode
2755 mask in the parameter <parameter>directory mask</parameter> is
2756 applied.</para>
2757
2758 <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter>
2759 directory mask</parameter></link> for details on masking mode bits
2760 on created directories.</para>
2761
2762 <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>
2763 inherit permissions</parameter></link> parameter.</para>
2764
2765 <para>Default: <command>force directory mode = 000</command></para>
2766 <para>Example: <command>force directory mode = 0755</command></para>
2767
2768 <para>would force all created directories to have read and execute
2769 permissions set for 'group' and 'other' as well as the
2770 read/write/execute bits set for the 'user'.</para>
2771 </listitem>
2772 </varlistentry>
2773
2774
2775
2776 <varlistentry>
2777 <term><anchor id="FORCEDIRECTORYSECURITYMODE">force directory
2778 security mode (S)</term>
2779 <listitem><para>This parameter controls what UNIX permission bits
2780 can be modified when a Windows NT client is manipulating the UNIX
2781 permission on a directory using the native NT security dialog box.</para>
2782
2783 <para>This parameter is applied as a mask (OR'ed with) to the
2784 changed permission bits, thus forcing any bits in this mask that
2785 the user may have modified to be on. Essentially, one bits in this
2786 mask may be treated as a set of bits that, when modifying security
2787 on a directory, the user has always set to be 'on'.</para>
2788
2789 <para>If not set explicitly this parameter is 000, which
2790 allows a user to modify all the user/group/world permissions on a
2791 directory without restrictions.</para>
2792
2793 <para><emphasis>Note</emphasis> that users who can access the
2794 Samba server through other means can easily bypass this restriction,
2795 so it is primarily useful for standalone "appliance" systems.
2796 Administrators of most normal systems will probably want to leave
2797 it set as 0000.</para>
2798
2799 <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter>
2800 directory security mask</parameter></link>, <link linkend="SECURITYMASK">
2801 <parameter>security mask</parameter></link>,
2802 <link linkend="FORCESECURITYMODE"><parameter>force security mode
2803 </parameter></link> parameters.</para>
2804
2805 <para>Default: <command>force directory security mode = 0</command></para>
2806 <para>Example: <command>force directory security mode = 700</command></para>
2807 </listitem>
2808 </varlistentry>
2809
2810
2811
2812
2813 <varlistentry>
2814 <term><anchor id="FORCEGROUP">force group (S)</term>
2815 <listitem><para>This specifies a UNIX group name that will be
2816 assigned as the default primary group for all users connecting
2817 to this service. This is useful for sharing files by ensuring
2818 that all access to files on service will use the named group for
2819 their permissions checking. Thus, by assigning permissions for this
2820 group to the files and directories within this service the Samba
2821 administrator can restrict or allow sharing of these files.</para>
2822
2823 <para>In Samba 2.0.5 and above this parameter has extended
2824 functionality in the following way. If the group name listed here
2825 has a '+' character prepended to it then the current user accessing
2826 the share only has the primary group default assigned to this group
2827 if they are already assigned as a member of that group. This allows
2828 an administrator to decide that only users who are already in a
2829 particular group will create files with group ownership set to that
2830 group. This gives a finer granularity of ownership assignment. For
2831 example, the setting <filename>force group = +sys</filename> means
2832 that only users who are already in group sys will have their default
2833 primary group assigned to sys when accessing this Samba share. All
2834 other users will retain their ordinary primary group.</para>
2835
2836 <para>If the <link linkend="FORCEUSER"><parameter>force user
2837 </parameter></link> parameter is also set the group specified in
2838 <parameter>force group</parameter> will override the primary group
2839 set in <parameter>force user</parameter>.</para>
2840
2841 <para>See also <link linkend="FORCEUSER"><parameter>force
2842 user</parameter></link>.</para>
2843
2844 <para>Default: <emphasis>no forced group</emphasis></para>
2845 <para>Example: <command>force group = agroup</command></para>
2846 </listitem>
2847 </varlistentry>
2848
2849
2850
2851 <varlistentry>
2852 <term><anchor id="FORCESECURITYMODE">force security mode (S)</term>
2853 <listitem><para>This parameter controls what UNIX permission
2854 bits can be modified when a Windows NT client is manipulating
2855 the UNIX permission on a file using the native NT security dialog
2856 box.</para>
2857
2858 <para>This parameter is applied as a mask (OR'ed with) to the
2859 changed permission bits, thus forcing any bits in this mask that
2860 the user may have modified to be on. Essentially, one bits in this
2861 mask may be treated as a set of bits that, when modifying security
2862 on a file, the user has always set to be 'on'.</para>
2863
2864 <para>If not set explicitly this parameter is set to 0,
2865 and allows a user to modify all the user/group/world permissions on a file,
2866 with no restrictions.</para>
2867
2868 <para><emphasis>Note</emphasis> that users who can access
2869 the Samba server through other means can easily bypass this restriction,
2870 so it is primarily useful for standalone "appliance" systems.
2871 Administrators of most normal systems will probably want to leave
2872 this set to 0000.</para>
2873
2874 <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
2875 force directory security mode</parameter></link>,
2876 <link linkend="DIRECTORYSECURITYMASK"><parameter>directory security
2877 mask</parameter></link>, <link linkend="SECURITYMASK"><parameter>
2878 security mask</parameter></link> parameters.</para>
2879
2880 <para>Default: <command>force security mode = 0</command></para>
2881 <para>Example: <command>force security mode = 700</command></para>
2882 </listitem>
2883 </varlistentry>
2884
2885
2886
2887 <varlistentry>
2888 <term><anchor id="FORCEUNKNOWNACLUSER">force unknown acl user (S)</term>
2889 <listitem><para>If this parameter is set, a Windows NT ACL that contains
2890 an unknown SID (security descriptor, or representation of a user or group id)
2891 as the owner or group owner of the file will be silently mapped into the
2892 current UNIX uid or gid of the currently connected user.</para>
2893
2894 <para>This is designed to allow Windows NT clients to copy files and
2895 folders containing ACLs that were created locally on the client machine
2896 and contain users local to that machine only (no domain users) to be
2897 copied to a Samba server (usually with XCOPY /O) and have the unknown
2898 userid and groupid of the file owner map to the current connected user.
2899 This can only be fixed correctly when winbindd allows arbitrary mapping
2900 from any Windows NT SID to a UNIX uid or gid.</para>
2901
2902 <para>Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
2903 </para>
2904
2905 <para>See also <link linkend="FORCEGROUP"><parameter>force group
2906 </parameter></link></para>
2907
2908 <para>Default: <emphasis>False</emphasis></para>
2909 <para>Example: <command>force unknown acl user = yes</command></para>
2910 </listitem>
2911 </varlistentry>
2912
2913
2914
2915 <varlistentry>
2916 <term><anchor id="FORCEUSER">force user (S)</term>
2917 <listitem><para>This specifies a UNIX user name that will be
2918 assigned as the default user for all users connecting to this service.
2919 This is useful for sharing files. You should also use it carefully
2920 as using it incorrectly can cause security problems.</para>
2921
2922 <para>This user name only gets used once a connection is established.
2923 Thus clients still need to connect as a valid user and supply a
2924 valid password. Once connected, all file operations will be performed
2925 as the "forced user", no matter what username the client connected
2926 as. This can be very useful.</para>
2927
2928 <para>In Samba 2.0.5 and above this parameter also causes the
2929 primary group of the forced user to be used as the primary group
2930 for all file activity. Prior to 2.0.5 the primary group was left
2931 as the primary group of the connecting user (this was a bug).</para>
2932
2933 <para>See also <link linkend="FORCEGROUP"><parameter>force group
2934 </parameter></link></para>
2935
2936 <para>Default: <emphasis>no forced user</emphasis></para>
2937 <para>Example: <command>force user = auser</command></para>
2938 </listitem>
2939 </varlistentry>
2940
2941
2942
2943 <varlistentry>
2944 <term><anchor id="FSTYPE">fstype (S)</term>
2945 <listitem><para>This parameter allows the administrator to
2946 configure the string that specifies the type of filesystem a share
2947 is using that is reported by <ulink url="smbd.8.html"><command>smbd(8)
2948 </command></ulink> when a client queries the filesystem type
2949 for a share. The default type is <constant>NTFS</constant> for
2950 compatibility with Windows NT but this can be changed to other
2951 strings such as <constant>Samba</constant> or <constant>FAT
2952 </constant> if required.</para>
2953
2954 <para>Default: <command>fstype = NTFS</command></para>
2955 <para>Example: <command>fstype = Samba</command></para></listitem>
2956 </varlistentry>
2957
2958
2959
2960 <varlistentry>
2961 <term><anchor id="GETWDCACHE">getwd cache (G)</term>
2962 <listitem><para>This is a tuning option. When this is enabled a
2963 caching algorithm will be used to reduce the time taken for getwd()
2964 calls. This can have a significant impact on performance, especially
2965 when the <link linkend="WIDELINKS"><parameter>wide links</parameter>
2966 </link>parameter is set to <constant>false</constant>.</para>
2967
2968 <para>Default: <command>getwd cache = yes</command></para>
2969 </listitem>
2970 </varlistentry>
2971
2972
2973
2974 <varlistentry>
2975 <term><anchor id="GROUP">group (S)</term>
2976 <listitem><para>Synonym for <link linkend="FORCEGROUP"><parameter>force
2977 group</parameter></link>.</para></listitem>
2978 </varlistentry>
2979
2980
2981
2982 <varlistentry>
2983 <term><anchor id="GUESTACCOUNT">guest account (S)</term>
2984 <listitem><para>This is a username which will be used for access
2985 to services which are specified as <link linkend="GUESTOK"><parameter>
2986 guest ok</parameter></link> (see below). Whatever privileges this
2987 user has will be available to any client connecting to the guest service.
2988 Typically this user will exist in the password file, but will not
2989 have a valid login. The user account "ftp" is often a good choice
2990 for this parameter. If a username is specified in a given service,
2991 the specified username overrides this one.</para>
2992
2993 <para>One some systems the default guest account "nobody" may not
2994 be able to print. Use another account in this case. You should test
2995 this by trying to log in as your guest user (perhaps by using the
2996 <command>su -</command> command) and trying to print using the
2997 system print command such as <command>lpr(1)</command> or <command>
2998 lp(1)</command>.</para>
2999
3000 <para>Default: <emphasis>specified at compile time, usually
3001 "nobody"</emphasis></para>
3002
3003 <para>Example: <command>guest account = ftp</command></para></listitem>
3004 </varlistentry>
3005
3006
3007
3008 <varlistentry>
3009 <term><anchor id="GUESTOK">guest ok (S)</term>
3010 <listitem><para>If this parameter is <constant>yes</constant> for
3011 a service, then no password is required to connect to the service.
3012 Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter>
3013 guest account</parameter></link>.</para>
3014
3015 <para>See the section below on <link linkend="SECURITY"><parameter>
3016 security</parameter></link> for more information about this option.
3017 </para>
3018
3019 <para>Default: <command>guest ok = no</command></para></listitem>
3020 </varlistentry>
3021
3022
3023
3024 <varlistentry>
3025 <term><anchor id="GUESTONLY">guest only (S)</term>
3026 <listitem><para>If this parameter is <constant>yes</constant> for
3027 a service, then only guest connections to the service are permitted.
3028 This parameter will have no effect if <link linkend="GUESTOK">
3029 <parameter>guest ok</parameter></link> is not set for the service.</para>
3030
3031 <para>See the section below on <link linkend="SECURITY"><parameter>
3032 security</parameter></link> for more information about this option.
3033 </para>
3034
3035 <para>Default: <command>guest only = no</command></para></listitem>
3036 </varlistentry>
3037
3038
3039
3040 <varlistentry>
3041 <term><anchor id="HIDEDOTFILES">hide dot files (S)</term>
3042 <listitem><para>This is a boolean parameter that controls whether
3043 files starting with a dot appear as hidden files.</para>
3044
3045 <para>Default: <command>hide dot files = yes</command></para></listitem>
3046 </varlistentry>
3047
3048
3049
3050 <varlistentry>
3051 <term><anchor id="HIDEFILES">hide files(S)</term>
3052 <listitem><para>This is a list of files or directories that are not
3053 visible but are accessible. The DOS 'hidden' attribute is applied
3054 to any files or directories that match.</para>
3055
3056 <para>Each entry in the list must be separated by a '/',
3057 which allows spaces to be included in the entry. '*'
3058 and '?' can be used to specify multiple files or directories
3059 as in DOS wildcards.</para>
3060
3061 <para>Each entry must be a Unix path, not a DOS path and must
3062 not include the Unix directory separator '/'.</para>
3063
3064 <para>Note that the case sensitivity option is applicable
3065 in hiding files.</para>
3066
3067 <para>Setting this parameter will affect the performance of Samba,
3068 as it will be forced to check all files and directories for a match
3069 as they are scanned.</para>
3070
3071 <para>See also <link linkend="HIDEDOTFILES"><parameter>hide
3072 dot files</parameter></link>, <link linkend="VETOFILES"><parameter>
3073 veto files</parameter></link> and <link linkend="CASESENSITIVE">
3074 <parameter>case sensitive</parameter></link>.</para>
3075
3076 <para>Default: <emphasis>no file are hidden</emphasis></para>
3077 <para>Example: <command>hide files =
3078 /.*/DesktopFolderDB/TrashFor%m/resource.frk/</command></para>
3079
3080 <para>The above example is based on files that the Macintosh
3081 SMB client (DAVE) available from <ulink url="http://www.thursby.com">
3082 Thursby</ulink> creates for internal use, and also still hides
3083 all files beginning with a dot.</para></listitem>
3084 </varlistentry>
3085
3086
3087
3088 <varlistentry>
3089 <term><anchor id="HIDELOCALUSERS">hide local users(G)</term>
3090 <listitem><para>This parameter toggles the hiding of local UNIX
3091 users (root, wheel, floppy, etc) from remote clients.</para>
3092
3093 <para>Default: <command>hide local users = no</command></para></listitem>
3094 </varlistentry>
3095
3096
3097
3098 <varlistentry>
3099 <term><anchor id="HIDEUNREADABLE">hide unreadable (S)</term>
3100 <listitem><para>This parameter prevents clients from seeing the
3101 existance of files that cannot be read. Defaults to off.</para>
3102
3103 <para>Default: <command>hide unreadable = no</command></para></listitem>
3104 </varlistentry>
3105
3106
3107
3108 <varlistentry>
3109 <term><anchor id="HOMEDIRMAP">homedir map (G)</term>
3110 <listitem><para>If<link linkend="NISHOMEDIR"><parameter>nis homedir
3111 </parameter></link> is <constant>true</constant>, and <ulink
3112 url="smbd.8.html"><command>smbd(8)</command></ulink> is also acting
3113 as a Win95/98 <parameter>logon server</parameter> then this parameter
3114 specifies the NIS (or YP) map from which the server for the user's
3115 home directory should be extracted. At present, only the Sun
3116 auto.home map format is understood. The form of the map is:</para>
3117
3118 <para><command>username server:/some/file/system</command></para>
3119
3120 <para>and the program will extract the servername from before
3121 the first ':'. There should probably be a better parsing system
3122 that copes with different map formats and also Amd (another
3123 automounter) maps.</para>
3124
3125 <para><emphasis>NOTE :</emphasis>A working NIS client is required on
3126 the system for this option to work.</para>
3127
3128 <para>See also <link linkend="NISHOMEDIR"><parameter>nis homedir</parameter>
3129 </link>, <link linkend="DOMAINLOGONS"><parameter>domain logons</parameter>
3130 </link>.</para>
3131
3132 <para>Default: <command>homedir map = &lt;empty string&gt;</command></para>
3133 <para>Example: <command>homedir map = amd.homedir</command></para>
3134 </listitem>
3135 </varlistentry>
3136
3137
3138
3139
3140
3141 <varlistentry>
3142 <term><anchor id="HOSTMSDFS">host msdfs (G)</term>
3143 <listitem><para>This boolean parameter is only available
3144 if Samba has been configured and compiled with the <command>
3145 --with-msdfs</command> option. If set to <constant>yes</constant>,
3146 Samba will act as a Dfs server, and allow Dfs-aware clients
3147 to browse Dfs trees hosted on the server.</para>
3148
3149 <para>See also the <link linkend="MSDFSROOT"><parameter>
3150 msdfs root</parameter></link> share level parameter. For
3151 more information on setting up a Dfs tree on Samba,
3152 refer to <ulink url="msdfs_setup.html">msdfs_setup.html</ulink>.
3153 </para>
3154
3155 <para>Default: <command>host msdfs = no</command></para>
3156 </listitem>
3157 </varlistentry>
3158
3159
3160 <varlistentry>
3161 <term><anchor id="HOSTSALLOW">hosts allow (S)</term>
3162 <listitem><para>A synonym for this parameter is <parameter>allow
3163 hosts</parameter>.</para>
3164
3165 <para>This parameter is a comma, space, or tab delimited
3166 set of hosts which are permitted to access a service.</para>
3167
3168 <para>If specified in the [global] section then it will
3169 apply to all services, regardless of whether the individual
3170 service has a different setting.</para>
3171
3172 <para>You can specify the hosts by name or IP number. For
3173 example, you could restrict access to only the hosts on a
3174 Class C subnet with something like <command>allow hosts = 150.203.5.
3175 </command>. The full syntax of the list is described in the man
3176 page <filename>hosts_access(5)</filename>. Note that this man
3177 page may not be present on your system, so a brief description will
3178 be given here also.</para>
3179
3180 <para>Note that the localhost address 127.0.0.1 will always
3181 be allowed access unless specifically denied by a <link
3182 linkend="HOSTSDENY"><parameter>hosts deny</parameter></link> option.</para>
3183
3184 <para>You can also specify hosts by network/netmask pairs and
3185 by netgroup names if your system supports netgroups. The
3186 <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
3187 wildcard list. The following examples may provide some help:</para>
3188
3189 <para>Example 1: allow all IPs in 150.203.*.*; except one</para>
3190
3191 <para><command>hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
3192
3193 <para>Example 2: allow hosts that match the given network/netmask</para>
3194
3195 <para><command>hosts allow = 150.203.15.0/255.255.255.0</command></para>
3196
3197 <para>Example 3: allow a couple of hosts</para>
3198
3199 <para><command>hosts allow = lapland, arvidsjaur</command></para>
3200
3201 <para>Example 4: allow only hosts in NIS netgroup "foonet", but
3202 deny access from one particular host</para>
3203
3204 <para><command>hosts allow = @foonet</command></para>
3205
3206 <para><command>hosts deny = pirate</command></para>
3207
3208 <para>Note that access still requires suitable user-level passwords.</para>
3209
3210 <para>See <ulink url="testparm.1.html"><command>testparm(1)</command>
3211 </ulink> for a way of testing your host access to see if it does
3212 what you expect.</para>
3213
3214 <para>Default: <emphasis>none (i.e., all hosts permitted access)
3215 </emphasis></para>
3216
3217 <para>Example: <command>allow hosts = 150.203.5. myhost.mynet.edu.au
3218 </command></para>
3219 </listitem>
3220 </varlistentry>
3221
3222
3223
3224 <varlistentry>
3225 <term><anchor id="HOSTSDENY">hosts deny (S)</term>
3226 <listitem><para>The opposite of <parameter>hosts allow</parameter>
3227 - hosts listed here are <emphasis>NOT</emphasis> permitted access to
3228 services unless the specific services have their own lists to override
3229 this one. Where the lists conflict, the <parameter>allow</parameter>
3230 list takes precedence.</para>
3231
3232 <para>Default: <emphasis>none (i.e., no hosts specifically excluded)
3233 </emphasis></para>
3234
3235 <para>Example: <command>hosts deny = 150.203.4. badhost.mynet.edu.au
3236 </command></para></listitem>
3237 </varlistentry>
3238
3239
3240
3241 <varlistentry>
3242 <term><anchor id="HOSTSEQUIV">hosts equiv (G)</term>
3243 <listitem><para>If this global parameter is a non-null string,
3244 it specifies the name of a file to read for the names of hosts
3245 and users who will be allowed access without specifying a password.
3246 </para>
3247
3248 <para>This is not be confused with <link linkend="HOSTSALLOW">
3249 <parameter>hosts allow</parameter></link> which is about hosts
3250 access to services and is more useful for guest services. <parameter>
3251 hosts equiv</parameter> may be useful for NT clients which will
3252 not supply passwords to Samba.</para>
3253
3254 <para><emphasis>NOTE :</emphasis> The use of <parameter>hosts equiv
3255 </parameter> can be a major security hole. This is because you are
3256 trusting the PC to supply the correct username. It is very easy to
3257 get a PC to supply a false username. I recommend that the
3258 <parameter>hosts equiv</parameter> option be only used if you really
3259 know what you are doing, or perhaps on a home network where you trust
3260 your spouse and kids. And only if you <emphasis>really</emphasis> trust
3261 them :-).</para>
3262
3263 <para>Default: <emphasis>no host equivalences</emphasis></para>
3264 <para>Example: <command>hosts equiv = /etc/hosts.equiv</command></para>
3265 </listitem>
3266 </varlistentry>
3267
3268
3269
3270 <varlistentry>
3271 <term><anchor id="INCLUDE">include (G)</term>
3272 <listitem><para>This allows you to include one config file
3273 inside another. The file is included literally, as though typed
3274 in place.</para>
3275
3276 <para>It takes the standard substitutions, except <parameter>%u
3277 </parameter>, <parameter>%P</parameter> and <parameter>%S</parameter>.
3278 </para>
3279
3280 <para>Default: <emphasis>no file included</emphasis></para>
3281 <para>Example: <command>include = /usr/local/samba/lib/admin_smb.conf
3282 </command></para></listitem>
3283 </varlistentry>
3284
3285
3286
3287 <varlistentry>
3288 <term><anchor id="INHERITACLS">inherit acls (S)</term>
3289 <listitem><para>This parameter can be used to ensure
3290 that if default acls exist on parent directories,
3291 they are always honored when creating a subdirectory.
3292 The default behavior is to use the mode specified
3293 when creating the directory. Enabling this option
3294 sets the mode to 0777, thus guaranteeing that
3295 default directory acls are propagated.
3296 </para>
3297
3298 <para>Default: <command>inherit acls = no</command>
3299 </para></listitem>
3300 </varlistentry>
3301
3302
3303
3304
3305 <varlistentry>
3306 <term><anchor id="INHERITPERMISSIONS">inherit permissions (S)</term>
3307 <listitem><para>The permissions on new files and directories
3308 are normally governed by <link linkend="CREATEMASK"><parameter>
3309 create mask</parameter></link>, <link linkend="DIRECTORYMASK">
3310 <parameter>directory mask</parameter></link>, <link
3311 linkend="FORCECREATEMODE"><parameter>force create mode</parameter>
3312 </link> and <link linkend="FORCEDIRECTORYMODE"><parameter>force
3313 directory mode</parameter></link> but the boolean inherit
3314 permissions parameter overrides this.</para>
3315
3316 <para>New directories inherit the mode of the parent directory,
3317 including bits such as setgid.</para>
3318
3319 <para>New files inherit their read/write bits from the parent
3320 directory. Their execute bits continue to be determined by
3321 <link linkend="MAPARCHIVE"><parameter>map archive</parameter>
3322 </link>, <link linkend="MAPHIDDEN"><parameter>map hidden</parameter>
3323 </link> and <link linkend="MAPSYSTEM"><parameter>map system</parameter>
3324 </link> as usual.</para>
3325
3326 <para>Note that the setuid bit is <emphasis>never</emphasis> set via
3327 inheritance (the code explicitly prohibits this).</para>
3328
3329 <para>This can be particularly useful on large systems with
3330 many users, perhaps several thousand, to allow a single [homes]
3331 share to be used flexibly by each user.</para>
3332
3333 <para>See also <link linkend="CREATEMASK"><parameter>create mask
3334 </parameter></link>, <link linkend="DIRECTORYMASK"><parameter>
3335 directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
3336 <parameter>force create mode</parameter></link> and <link
3337 linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter>
3338 </link>.</para>
3339
3340 <para>Default: <command>inherit permissions = no</command></para>
3341 </listitem>
3342 </varlistentry>
3343
3344
3345
3346 <varlistentry>
3347 <term><anchor id="INTERFACES">interfaces (G)</term>
3348 <listitem><para>This option allows you to override the default
3349 network interfaces list that Samba will use for browsing, name
3350 registration and other NBT traffic. By default Samba will query
3351 the kernel for the list of all active interfaces and use any
3352 interfaces except 127.0.0.1 that are broadcast capable.</para>
3353
3354 <para>The option takes a list of interface strings. Each string
3355 can be in any of the following forms:</para>
3356
3357 <itemizedlist>
3358 <listitem><para>a network interface name (such as eth0).
3359 This may include shell-like wildcards so eth* will match
3360 any interface starting with the substring "eth"</para></listitem>
3361
3362 <listitem><para>an IP address. In this case the netmask is
3363 determined from the list of interfaces obtained from the
3364 kernel</para></listitem>
3365
3366 <listitem><para>an IP/mask pair. </para></listitem>
3367
3368 <listitem><para>a broadcast/mask pair.</para></listitem>
3369 </itemizedlist>
3370
3371 <para>The "mask" parameters can either be a bit length (such
3372 as 24 for a C class network) or a full netmask in dotted
3373 decimal form.</para>
3374
3375 <para>The "IP" parameters above can either be a full dotted
3376 decimal IP address or a hostname which will be looked up via
3377 the OS's normal hostname resolution mechanisms.</para>
3378
3379 <para>For example, the following line:</para>
3380
3381 <para><command>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3382 </command></para>
3383
3384 <para>would configure three network interfaces corresponding
3385 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3386 The netmasks of the latter two interfaces would be set to 255.255.255.0.</para>
3387
3388 <para>See also <link linkend="BINDINTERFACESONLY"><parameter>bind
3389 interfaces only</parameter></link>.</para>
3390
3391 <para>Default: <emphasis>all active interfaces except 127.0.0.1
3392 that are broadcast capable</emphasis></para>
3393 </listitem>
3394 </varlistentry>
3395
3396
3397
3398 <varlistentry>
3399 <term><anchor id="INVALIDUSERS">invalid users (S)</term>
3400 <listitem><para>This is a list of users that should not be allowed
3401 to login to this service. This is really a <emphasis>paranoid</emphasis>
3402 check to absolutely ensure an improper setting does not breach
3403 your security.</para>
3404
3405 <para>A name starting with a '@' is interpreted as an NIS
3406 netgroup first (if your system supports NIS), and then as a UNIX
3407 group if the name was not found in the NIS netgroup database.</para>
3408
3409 <para>A name starting with '+' is interpreted only
3410 by looking in the UNIX group database. A name starting with
3411 '&' is interpreted only by looking in the NIS netgroup database
3412 (this requires NIS to be working on your system). The characters
3413 '+' and '&' may be used at the start of the name in either order
3414 so the value <parameter>+&amp;group</parameter> means check the
3415 UNIX group database, followed by the NIS netgroup database, and
3416 the value <parameter>&+group</parameter> means check the NIS
3417 netgroup database, followed by the UNIX group database (the
3418 same as the '@' prefix).</para>
3419
3420 <para>The current servicename is substituted for <parameter>%S</parameter>.
3421 This is useful in the [homes] section.</para>
3422
3423 <para>See also <link linkend="VALIDUSERS"><parameter>valid users
3424 </parameter></link>.</para>
3425
3426 <para>Default: <emphasis>no invalid users</emphasis></para>
3427 <para>Example: <command>invalid users = root fred admin @wheel
3428 </command></para>
3429 </listitem>
3430 </varlistentry>
3431
3432
3433
3434 <varlistentry>
3435 <term><anchor id="KEEPALIVE">keepalive (G)</term>
3436 <listitem><para>The value of the parameter (an integer) represents
3437 the number of seconds between <parameter>keepalive</parameter>
3438 packets. If this parameter is zero, no keepalive packets will be
3439 sent. Keepalive packets, if sent, allow the server to tell whether
3440 a client is still present and responding.</para>
3441
3442 <para>Keepalives should, in general, not be needed if the socket
3443 being used has the SO_KEEPALIVE attribute set on it (see <link
3444 linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link>).
3445 Basically you should only use this option if you strike difficulties.</para>
3446
3447 <para>Default: <command>keepalive = 300</command></para>
3448 <para>Example: <command>keepalive = 600</command></para>
3449 </listitem>
3450 </varlistentry>
3451
3452
3453
3454 <varlistentry>
3455 <term><anchor id="KERNELOPLOCKS">kernel oplocks (G)</term>
3456 <listitem><para>For UNIXes that support kernel based <link
3457 linkend="OPLOCKS"><parameter>oplocks</parameter></link>
3458 (currently only IRIX and the Linux 2.4 kernel), this parameter
3459 allows the use of them to be turned on or off.</para>
3460
3461 <para>Kernel oplocks support allows Samba <parameter>oplocks
3462 </parameter> to be broken whenever a local UNIX process or NFS operation
3463 accesses a file that <ulink url="smbd.8.html"><command>smbd(8)</command>
3464 </ulink> has oplocked. This allows complete data consistency between
3465 SMB/CIFS, NFS and local file access (and is a <emphasis>very</emphasis>
3466 cool feature :-).</para>
3467
3468 <para>This parameter defaults to <constant>on</constant>, but is translated
3469 to a no-op on systems that no not have the necessary kernel support.
3470 You should never need to touch this parameter.</para>
3471
3472 <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
3473 </link> and <link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks
3474 </parameter></link> parameters.</para>
3475
3476 <para>Default: <command>kernel oplocks = yes</command></para>
3477 </listitem>
3478 </varlistentry>
3479
3480
3481
3482
3483 <varlistentry>
3484 <term><anchor id="LANMANAUTH">lanman auth (G)</term>
3485 <listitem><para>This parameter determines whether or not <ulink url="smbd.8.html">smbd</ulink> will
3486 attempt to authenticate users using the LANMAN password hash.
3487 If disabled, only clients which support NT password hashes (e.g. Windows
3488 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3489 network client) will be able to connect to the Samba host.</para>
3490
3491 <para>Default : <command>lanman auth = yes</command></para>
3492 </listitem>
3493 </varlistentry>
3494
3495
3496
3497
3498
3499 <varlistentry>
3500 <term><anchor id="LARGEREADWRITE">large readwrite (G)</term>
3501 <listitem><para>This parameter determines whether or not <ulink url="smbd.8.html">smbd</ulink>
3502 supports the new 64k streaming read and write varient SMB requests introduced
3503 with Windows 2000. Note that due to Windows 2000 client redirector bugs
3504 this requires Samba to be running on a 64-bit capable operating system such
3505 as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
3506 Windows 2000 clients. Defaults to off. Not as tested as some other Samba
3507 code paths.
3508 </para>
3509
3510 <para>Default : <command>large readwrite = no</command></para>
3511 </listitem>
3512 </varlistentry>
3513
3514
3515
3516 <varlistentry>
3517 <term><anchor id="LDAPADMINDN">ldap admin dn (G)</term>
3518 <listitem><para>This parameter is only available if Samba has been
3519 configure to include the <command>--with-ldapsam</command> option
3520 at compile time. This option should be considered experimental and
3521 under active development.
3522 </para>
3523
3524 <para>
3525 The <parameter>ldap admin dn</parameter> defines the Distinguished
3526 Name (DN) name used by Samba to contact the <link linkend="LDAPSERVER">ldap
3527 server</link> when retreiving user account information. The <parameter>ldap
3528 admin dn</parameter> is used in conjunction with the admin dn password
3529 stored in the <filename>private/secrets.tdb</filename> file. See the
3530 <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> man
3531 page for more information on how to accmplish this.
3532 </para>
3533
3534
3535 <para>Default : <emphasis>none</emphasis></para>
3536 </listitem>
3537 </varlistentry>
3538
3539
3540
3541
3542 <varlistentry>
3543 <term><anchor id="LDAPFILTER">ldap filter (G)</term>
3544 <listitem><para>This parameter is only available if Samba has been
3545 configure to include the <command>--with-ldapsam</command> option
3546 at compile time. This option should be considered experimental and
3547 under active development.
3548 </para>
3549
3550 <para>
3551 This parameter specifies the RFC 2254 compliant LDAP search filter.
3552 The default is to match the login name with the <constant>uid</constant>
3553 attribute for all entries matching the <constant>sambaAccount</constant>
3554 objectclass. Note that this filter should only return one entry.
3555 </para>
3556
3557
3558 <para>Default : <command>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</command></para>
3559 </listitem>
3560 </varlistentry>
3561
3562
3563
3564
3565 <varlistentry>
3566 <term><anchor id="LDAPPORT">ldap port (G)</term>
3567 <listitem><para>This parameter is only available if Samba has been
3568 configure to include the <command>--with-ldapsam</command> option
3569 at compile time. This option should be considered experimental and
3570 under active development.
3571 </para>
3572
3573 <para>
3574 This option is used to control the tcp port number used to contact
3575 the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>.
3576 The default is to use the stand LDAPS port 636.
3577 </para>
3578
3579 <para>See Also: <link linkend="LDAPSSL">ldap ssl</link>
3580 </para>
3581
3582 <para>Default : <command>ldap port = 636 ; if ldap ssl = on</command></para>
3583 <para>Default : <command>ldap port = 389 ; if ldap ssl = off</command></para>
3584 </listitem>
3585 </varlistentry>
3586
3587
3588
3589
3590 <varlistentry>
3591 <term><anchor id="LDAPSERVER">ldap server (G)</term>
3592 <listitem><para>This parameter is only available if Samba has been
3593 configure to include the <command>--with-ldapsam</command> option
3594 at compile time. This option should be considered experimental and
3595 under active development.
3596 </para>
3597
3598 <para>
3599 This parameter should contains the FQDN of the ldap directory
3600 server which should be queried to locate user account information.
3601 </para>
3602
3603
3604
3605 <para>Default : <command>ldap server = localhost</command></para>
3606 </listitem>
3607 </varlistentry>
3608
3609
3610
3611
3612 <varlistentry>
3613 <term><anchor id="LDAPSSL">ldap ssl (G)</term>
3614 <listitem><para>This parameter is only available if Samba has been
3615 configure to include the <command>--with-ldapsam</command> option
3616 at compile time. This option should be considered experimental and
3617 under active development.
3618 </para>
3619
3620 <para>
3621 This option is used to define whether or not Samba should
3622 use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap
3623 server</parameter></link>. This is <emphasis>NOT</emphasis> related to
3624 Samba SSL support which is enabled by specifying the
3625 <command>--with-ssl</command> option to the <filename>configure</filename>
3626 script (see <link linkend="SSL"><parameter>ssl</parameter></link>).
3627 </para>
3628
3629 <para>
3630 The <parameter>ldap ssl</parameter> can be set to one of three values:
3631 (a) <constant>on</constant> - Always use SSL when contacting the
3632 <parameter>ldap server</parameter>, (b) <constant>off</constant> -
3633 Never use SSL when querying the directory, or (c) <constant>start_tls</constant>
3634 - Use the LDAPv3 StartTLS extended operation
3635 (RFC2830) for communicating with the directory server.
3636 </para>
3637
3638
3639 <para>Default : <command>ldap ssl = on</command></para>
3640 </listitem>
3641 </varlistentry>
3642
3643
3644
3645
3646 <varlistentry>
3647 <term><anchor id="LDAPSUFFIX">ldap suffix (G)</term>
3648 <listitem><para>This parameter is only available if Samba has been
3649 configure to include the <command>--with-ldapsam</command> option
3650 at compile time. This option should be considered experimental and
3651 under active development.
3652 </para>
3653
3654
3655
3656 <para>Default : <emphasis>none</emphasis></para>
3657 </listitem>
3658 </varlistentry>
3659
3660
3661
3662
3663
3664
3665
3666 <varlistentry>
3667 <term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term>
3668 <listitem><para>This parameter controls whether Samba supports
3669 level2 (read-only) oplocks on a share.</para>
3670
3671 <para>Level2, or read-only oplocks allow Windows NT clients
3672 that have an oplock on a file to downgrade from a read-write oplock
3673 to a read-only oplock once a second client opens the file (instead
3674 of releasing all oplocks on a second open, as in traditional,
3675 exclusive oplocks). This allows all openers of the file that
3676 support level2 oplocks to cache the file for read-ahead only (ie.
3677 they may not cache writes or lock requests) and increases performance
3678 for many accesses of files that are not commonly written (such as
3679 application .EXE files).</para>
3680
3681 <para>Once one of the clients which have a read-only oplock
3682 writes to the file all clients are notified (no reply is needed
3683 or waited for) and told to break their oplocks to "none" and
3684 delete any read-ahead caches.</para>
3685
3686 <para>It is recommended that this parameter be turned on
3687 to speed access to shared executables.</para>
3688
3689 <para>For more discussions on level2 oplocks see the CIFS spec.</para>
3690
3691 <para>Currently, if <link linkend="KERNELOPLOCKS"><parameter>kernel
3692 oplocks</parameter></link> are supported then level2 oplocks are
3693 not granted (even if this parameter is set to <constant>yes</constant>).
3694 Note also, the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
3695 </link> parameter must be set to <constant>true</constant> on this share in order for
3696 this parameter to have any effect.</para>
3697
3698 <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
3699 </link> and <link linkend="OPLOCKS"><parameter>kernel oplocks</parameter>
3700 </link> parameters.</para>
3701
3702 <para>Default: <command>level2 oplocks = yes</command></para>
3703 </listitem>
3704 </varlistentry>
3705
3706
3707
3708
3709
3710 <varlistentry>
3711 <term><anchor id="LMANNOUNCE">lm announce (G)</term>
3712 <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
3713 <command>nmbd(8)</command></ulink> will produce Lanman announce
3714 broadcasts that are needed by OS/2 clients in order for them to see
3715 the Samba server in their browse list. This parameter can have three
3716 values, <constant>true</constant>, <constant>false</constant>, or
3717 <constant>auto</constant>. The default is <constant>auto</constant>.
3718 If set to <constant>false</constant> Samba will never produce these
3719 broadcasts. If set to <constant>true</constant> Samba will produce
3720 Lanman announce broadcasts at a frequency set by the parameter
3721 <parameter>lm interval</parameter>. If set to <constant>auto</constant>
3722 Samba will not send Lanman announce broadcasts by default but will
3723 listen for them. If it hears such a broadcast on the wire it will
3724 then start sending them at a frequency set by the parameter
3725 <parameter>lm interval</parameter>.</para>
3726
3727 <para>See also <link linkend="LMINTERVAL"><parameter>lm interval
3728 </parameter></link>.</para>
3729
3730 <para>Default: <command>lm announce = auto</command></para>
3731 <para>Example: <command>lm announce = yes</command></para>
3732 </listitem>
3733 </varlistentry>
3734
3735
3736
3737 <varlistentry>
3738 <term><anchor id="LMINTERVAL">lm interval (G)</term>
3739 <listitem><para>If Samba is set to produce Lanman announce
3740 broadcasts needed by OS/2 clients (see the <link linkend="LMANNOUNCE">
3741 <parameter>lm announce</parameter></link> parameter) then this
3742 parameter defines the frequency in seconds with which they will be
3743 made. If this is set to zero then no Lanman announcements will be
3744 made despite the setting of the <parameter>lm announce</parameter>
3745 parameter.</para>
3746
3747 <para>See also <link linkend="LMANNOUNCE"><parameter>lm
3748 announce</parameter></link>.</para>
3749
3750 <para>Default: <command>lm interval = 60</command></para>
3751 <para>Example: <command>lm interval = 120</command></para>
3752 </listitem>
3753 </varlistentry>
3754
3755
3756
3757 <varlistentry>
3758 <term><anchor id="LOADPRINTERS">load printers (G)</term>
3759 <listitem><para>A boolean variable that controls whether all
3760 printers in the printcap will be loaded for browsing by default.
3761 See the <link linkend="PRINTERSSECT">printers</link> section for
3762 more details.</para>
3763
3764 <para>Default: <command>load printers = yes</command></para></listitem>
3765 </varlistentry>
3766
3767
3768
3769
3770 <varlistentry>
3771 <term><anchor id="LOCALMASTER">local master (G)</term>
3772 <listitem><para>This option allows <ulink url="nmbd.8.html"><command>
3773 nmbd(8)</command></ulink> to try and become a local master browser
3774 on a subnet. If set to <constant>false</constant> then <command>
3775 nmbd</command> will not attempt to become a local master browser
3776 on a subnet and will also lose in all browsing elections. By
3777 default this value is set to <constant>true</constant>. Setting this value to <constant>true</constant> doesn't
3778 mean that Samba will <emphasis>become</emphasis> the local master
3779 browser on a subnet, just that <command>nmbd</command> will <emphasis>
3780 participate</emphasis> in elections for local master browser.</para>
3781
3782 <para>Setting this value to <constant>false</constant> will cause <command>nmbd</command>
3783 <emphasis>never</emphasis> to become a local master browser.</para>
3784
3785 <para>Default: <command>local master = yes</command></para>
3786 </listitem>
3787 </varlistentry>
3788
3789
3790
3791 <varlistentry>
3792 <term><anchor id="LOCKDIR">lock dir (G)</term>
3793 <listitem><para>Synonym for <link linkend="LOCKDIRECTORY"><parameter>
3794 lock directory</parameter></link>.</para></listitem>
3795 </varlistentry>
3796
3797
3798
3799 <varlistentry>
3800 <term><anchor id="LOCKDIRECTORY">lock directory (G)</term>
3801 <listitem><para>This option specifies the directory where lock
3802 files will be placed. The lock files are used to implement the
3803 <link linkend="MAXCONNECTIONS"><parameter>max connections</parameter>
3804 </link> option.</para>
3805
3806 <para>Default: <command>lock directory = ${prefix}/var/locks</command></para>
3807 <para>Example: <command>lock directory = /var/run/samba/locks</command>
3808 </para></listitem>
3809 </varlistentry>
3810
3811
3812
3813 <varlistentry>
3814 <term><anchor id="LOCKSPINCOUNT">lock spin count (G)</term>
3815 <listitem><para>This parameter controls the number of times
3816 that smbd should attempt to gain a byte range lock on the
3817 behalf of a client request. Experiments have shown that
3818 Windows 2k servers do not reply with a failure if the lock
3819 could not be immediately granted, but try a few more times
3820 in case the lock could later be aquired. This behavior
3821 is used to support PC database formats such as MS Access
3822 and FoxPro.
3823 </para>
3824
3825 <para>Default: <command>lock spin count = 2</command>
3826 </para></listitem>
3827 </varlistentry>
3828
3829
3830
3831
3832 <varlistentry>
3833 <term><anchor id="LOCKSPINTIME">lock spin time (G)</term>
3834 <listitem><para>The time in microseconds that smbd should
3835 pause before attempting to gain a failed lock. See
3836 <link linkend="LOCKSPINCOUNT"><parameter>lock spin
3837 count</parameter></link> for more details.
3838 </para>
3839
3840 <para>Default: <command>lock spin time = 10</command>
3841 </para></listitem>
3842 </varlistentry>
3843
3844
3845
3846 <varlistentry>
3847 <term><anchor id="LOCKING">locking (S)</term>
3848 <listitem><para>This controls whether or not locking will be
3849 performed by the server in response to lock requests from the
3850 client.</para>
3851
3852 <para>If <command>locking = no</command>, all lock and unlock
3853 requests will appear to succeed and all lock queries will report
3854 that the file in question is available for locking.</para>
3855
3856 <para>If <command>locking = yes</command>, real locking will be performed
3857 by the server.</para>
3858
3859 <para>This option <emphasis>may</emphasis> be useful for read-only
3860 filesystems which <emphasis>may</emphasis> not need locking (such as
3861 CDROM drives), although setting this parameter of <constant>no</constant>
3862 is not really recommended even in this case.</para>
3863
3864 <para>Be careful about disabling locking either globally or in a
3865 specific service, as lack of locking may result in data corruption.
3866 You should never need to set this parameter.</para>
3867
3868 <para>Default: <command>locking = yes</command></para>
3869 </listitem>
3870 </varlistentry>
3871
3872
3873
3874 <varlistentry>
3875 <term><anchor id="LOGFILE">log file (G)</term>
3876 <listitem><para>This option allows you to override the name
3877 of the Samba log file (also known as the debug file).</para>
3878
3879 <para>This option takes the standard substitutions, allowing
3880 you to have separate log files for each user or machine.</para>
3881
3882 <para>Example: <command>log file = /usr/local/samba/var/log.%m
3883 </command></para></listitem>
3884 </varlistentry>
3885
3886
3887
3888 <varlistentry>
3889 <term><anchor id="LOGLEVEL">log level (G)</term>
3890 <listitem><para>The value of the parameter (an integer) allows
3891 the debug level (logging level) to be specified in the
3892 <filename>smb.conf</filename> file. This is to give greater
3893 flexibility in the configuration of the system.</para>
3894
3895 <para>The default will be the log level specified on
3896 the command line or level zero if none was specified.</para>
3897
3898 <para>Example: <command>log level = 3</command></para></listitem>
3899 </varlistentry>
3900
3901
3902
3903 <varlistentry>
3904 <term><anchor id="LOGONDRIVE">logon drive (G)</term>
3905 <listitem><para>This parameter specifies the local path to
3906 which the home directory will be connected (see <link
3907 linkend="LOGONHOME"><parameter>logon home</parameter></link>)
3908 and is only used by NT Workstations. </para>
3909
3910 <para>Note that this option is only useful if Samba is set up as a
3911 logon server.</para>
3912
3913 <para>Default: <command>logon drive = z:</command></para>
3914 <para>Example: <command>logon drive = h:</command></para>
3915 </listitem>
3916 </varlistentry>
3917
3918
3919
3920 <varlistentry>
3921 <term><anchor id="LOGONHOME">logon home (G)</term>
3922 <listitem><para>This parameter specifies the home directory
3923 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3924 It allows you to do </para>
3925
3926 <para><prompt>C:\> </prompt><userinput>NET USE H: /HOME</userinput>
3927 </para>
3928
3929 <para>from a command prompt, for example.</para>
3930
3931 <para>This option takes the standard substitutions, allowing
3932 you to have separate logon scripts for each user or machine.</para>
3933
3934 <para>This parameter can be used with Win9X workstations to ensure
3935 that roaming profiles are stored in a subdirectory of the user's
3936 home directory. This is done in the following way:</para>
3937
3938 <para><command>logon home = \\%N\%U\profile</command></para>
3939
3940 <para>This tells Samba to return the above string, with
3941 substitutions made when a client requests the info, generally
3942 in a NetUserGetInfo request. Win9X clients truncate the info to
3943 \\server\share when a user does <command>net use /home</command>
3944 but use the whole string when dealing with profiles.</para>
3945
3946 <para>Note that in prior versions of Samba, the <link linkend="LOGONPATH">
3947 <parameter>logon path</parameter></link> was returned rather than
3948 <parameter>logon home</parameter>. This broke <command>net use
3949 /home</command> but allowed profiles outside the home directory.
3950 The current implementation is correct, and can be used for
3951 profiles if you use the above trick.</para>
3952
3953 <para>This option is only useful if Samba is set up as a logon
3954 server.</para>
3955
3956 <para>Default: <command>logon home = "\\%N\%U"</command></para>
3957 <para>Example: <command>logon home = "\\remote_smb_server\%U"</command>
3958 </para></listitem>
3959 </varlistentry>
3960
3961
3962 <varlistentry>
3963 <term><anchor id="LOGONPATH">logon path (G)</term>
3964 <listitem><para>This parameter specifies the home directory
3965 where roaming profiles (NTuser.dat etc files for Windows NT) are
3966 stored. Contrary to previous versions of these manual pages, it has
3967 nothing to do with Win 9X roaming profiles. To find out how to
3968 handle roaming profiles for Win 9X system, see the <link linkend="LOGONHOME">
3969 <parameter>logon home</parameter></link> parameter.</para>
3970
3971 <para>This option takes the standard substitutions, allowing you
3972 to have separate logon scripts for each user or machine. It also
3973 specifies the directory from which the "Application Data",
3974 (<filename>desktop</filename>, <filename>start menu</filename>,
3975 <filename>network neighborhood</filename>, <filename>programs</filename>
3976 and other folders, and their contents, are loaded and displayed on
3977 your Windows NT client.</para>
3978
3979 <para>The share and the path must be readable by the user for
3980 the preferences and directories to be loaded onto the Windows NT
3981 client. The share must be writeable when the user logs in for the first
3982 time, in order that the Windows NT client can create the NTuser.dat
3983 and other directories.</para>
3984
3985 <para>Thereafter, the directories and any of the contents can,
3986 if required, be made read-only. It is not advisable that the
3987 NTuser.dat file be made read-only - rename it to NTuser.man to
3988 achieve the desired effect (a <emphasis>MAN</emphasis>datory
3989 profile). </para>
3990
3991 <para>Windows clients can sometimes maintain a connection to
3992 the [homes] share, even though there is no user logged in.
3993 Therefore, it is vital that the logon path does not include a
3994 reference to the homes share (i.e. setting this parameter to
3995 \%N\%U\profile_path will cause problems).</para>
3996
3997 <para>This option takes the standard substitutions, allowing
3998 you to have separate logon scripts for each user or machine.</para>
3999
4000 <para>Note that this option is only useful if Samba is set up
4001 as a logon server.</para>
4002
4003 <para>Default: <command>logon path = \\%N\%U\profile</command></para>
4004 <para>Example: <command>logon path = \\PROFILESERVER\PROFILE\%U</command></para>
4005 </listitem>
4006 </varlistentry>
4007
4008
4009
4010 <varlistentry>
4011 <term><anchor id="LOGONSCRIPT">logon script (G)</term>
4012 <listitem><para>This parameter specifies the batch file (.bat) or
4013 NT command file (.cmd) to be downloaded and run on a machine when
4014 a user successfully logs in. The file must contain the DOS
4015 style CR/LF line endings. Using a DOS-style editor to create the
4016 file is recommended.</para>
4017
4018 <para>The script must be a relative path to the [netlogon]
4019 service. If the [netlogon] service specifies a <link linkend="PATH">
4020 <parameter>path</parameter></link> of <filename>/usr/local/samba/netlogon
4021 </filename>, and <command>logon script = STARTUP.BAT</command>, then
4022 the file that will be downloaded is:</para>
4023
4024 <para><filename>/usr/local/samba/netlogon/STARTUP.BAT</filename></para>
4025
4026 <para>The contents of the batch file are entirely your choice. A
4027 suggested command would be to add <command>NET TIME \\SERVER /SET
4028 /YES</command>, to force every machine to synchronize clocks with
4029 the same time server. Another use would be to add <command>NET USE
4030 U: \\SERVER\UTILS</command> for commonly used utilities, or <command>
4031 NET USE Q: \\SERVER\ISO9001_QA</command> for example.</para>
4032
4033 <para>Note that it is particularly important not to allow write
4034 access to the [netlogon] share, or to grant users write permission
4035 on the batch files in a secure environment, as this would allow
4036 the batch files to be arbitrarily modified and security to be
4037 breached.</para>
4038
4039 <para>This option takes the standard substitutions, allowing you
4040 to have separate logon scripts for each user or machine.</para>
4041
4042 <para>This option is only useful if Samba is set up as a logon
4043 server.</para>
4044
4045 <para>Default: <emphasis>no logon script defined</emphasis></para>
4046 <para>Example: <command>logon script = scripts\%U.bat</command></para>
4047 </listitem>
4048 </varlistentry>
4049
4050
4051
4052 <varlistentry>
4053 <term><anchor id="LPPAUSECOMMAND">lppause command (S)</term>
4054 <listitem><para>This parameter specifies the command to be
4055 executed on the server host in order to stop printing or spooling
4056 a specific print job.</para>
4057
4058 <para>This command should be a program or script which takes
4059 a printer name and job number to pause the print job. One way
4060 of implementing this is by using job priorities, where jobs
4061 having a too low priority won't be sent to the printer.</para>
4062
4063 <para>If a <parameter>%p</parameter> is given then the printer name
4064 is put in its place. A <parameter>%j</parameter> is replaced with
4065 the job number (an integer). On HPUX (see <parameter>printing=hpux
4066 </parameter>), if the <parameter>-p%p</parameter> option is added
4067 to the lpq command, the job will show up with the correct status, i.e.
4068 if the job priority is lower than the set fence priority it will
4069 have the PAUSED status, whereas if the priority is equal or higher it
4070 will have the SPOOLED or PRINTING status.</para>
4071
4072 <para>Note that it is good practice to include the absolute path
4073 in the lppause command as the PATH may not be available to the server.</para>
4074
4075 <para>See also the <link linkend="PRINTING"><parameter>printing
4076 </parameter></link> parameter.</para>
4077
4078 <para>Default: Currently no default value is given to
4079 this string, unless the value of the <parameter>printing</parameter>
4080 parameter is <constant>SYSV</constant>, in which case the default is :</para>
4081
4082 <para><command>lp -i %p-%j -H hold</command></para>
4083
4084 <para>or if the value of the <parameter>printing</parameter> parameter
4085 is <constant>SOFTQ</constant>, then the default is:</para>
4086
4087 <para><command>qstat -s -j%j -h</command></para>
4088
4089 <para>Example for HPUX: <command>lppause command = /usr/bin/lpalt
4090 %p-%j -p0</command></para>
4091 </listitem>
4092 </varlistentry>
4093
4094
4095
4096 <varlistentry>
4097 <term><anchor id="LPQCACHETIME">lpq cache time (G)</term>
4098 <listitem><para>This controls how long lpq info will be cached
4099 for to prevent the <command>lpq</command> command being called too
4100 often. A separate cache is kept for each variation of the <command>
4101 lpq</command> command used by the system, so if you use different
4102 <command>lpq</command> commands for different users then they won't
4103 share cache information.</para>
4104
4105 <para>The cache files are stored in <filename>/tmp/lpq.xxxx</filename>
4106 where xxxx is a hash of the <command>lpq</command> command in use.</para>
4107
4108 <para>The default is 10 seconds, meaning that the cached results
4109 of a previous identical <command>lpq</command> command will be used
4110 if the cached data is less than 10 seconds old. A large value may
4111 be advisable if your <command>lpq</command> command is very slow.</para>
4112
4113 <para>A value of 0 will disable caching completely.</para>
4114
4115 <para>See also the <link linkend="PRINTING"><parameter>printing
4116 </parameter></link> parameter.</para>
4117
4118 <para>Default: <command>lpq cache time = 10</command></para>
4119 <para>Example: <command>lpq cache time = 30</command></para>
4120 </listitem>
4121 </varlistentry>
4122
4123
4124
4125 <varlistentry>
4126 <term><anchor id="LPQCOMMAND">lpq command (S)</term>
4127 <listitem><para>This parameter specifies the command to be
4128 executed on the server host in order to obtain <command>lpq
4129 </command>-style printer status information.</para>
4130
4131 <para>This command should be a program or script which
4132 takes a printer name as its only parameter and outputs printer
4133 status information.</para>
4134
4135 <para>Currently nine styles of printer status information
4136 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
4137 This covers most UNIX systems. You control which type is expected
4138 using the <parameter>printing =</parameter> option.</para>
4139
4140 <para>Some clients (notably Windows for Workgroups) may not
4141 correctly send the connection number for the printer they are
4142 requesting status information about. To get around this, the
4143 server reports on the first printer service connected to by the
4144 client. This only happens if the connection number sent is invalid.</para>
4145
4146 <para>If a <parameter>%p</parameter> is given then the printer name
4147 is put in its place. Otherwise it is placed at the end of the
4148 command.</para>
4149
4150 <para>Note that it is good practice to include the absolute path
4151 in the <parameter>lpq command</parameter> as the <envar>$PATH
4152 </envar> may not be available to the server. When compiled with
4153 the CUPS libraries, no <parameter>lpq command</parameter> is
4154 needed because smbd will make a library call to obtain the
4155 print queue listing.</para>
4156
4157 <para>See also the <link linkend="PRINTING"><parameter>printing
4158 </parameter></link> parameter.</para>
4159
4160 <para>Default: <emphasis>depends on the setting of <parameter>
4161 printing</parameter></emphasis></para>
4162
4163 <para>Example: <command>lpq command = /usr/bin/lpq -P%p</command></para>
4164 </listitem>
4165 </varlistentry>
4166
4167
4168
4169 <varlistentry>
4170 <term><anchor id="LPRESUMECOMMAND">lpresume command (S)</term>
4171 <listitem><para>This parameter specifies the command to be
4172 executed on the server host in order to restart or continue
4173 printing or spooling a specific print job.</para>
4174
4175 <para>This command should be a program or script which takes
4176 a printer name and job number to resume the print job. See
4177 also the <link linkend="LPPAUSECOMMAND"><parameter>lppause command
4178 </parameter></link> parameter.</para>
4179
4180 <para>If a <parameter>%p</parameter> is given then the printer name
4181 is put in its place. A <parameter>%j</parameter> is replaced with
4182 the job number (an integer).</para>
4183
4184 <para>Note that it is good practice to include the absolute path
4185 in the <parameter>lpresume command</parameter> as the PATH may not
4186 be available to the server.</para>
4187
4188 <para>See also the <link linkend="PRINTING"><parameter>printing
4189 </parameter></link> parameter.</para>
4190
4191 <para>Default: Currently no default value is given
4192 to this string, unless the value of the <parameter>printing</parameter>
4193 parameter is <constant>SYSV</constant>, in which case the default is :</para>
4194
4195 <para><command>lp -i %p-%j -H resume</command></para>
4196
4197 <para>or if the value of the <parameter>printing</parameter> parameter
4198 is <constant>SOFTQ</constant>, then the default is:</para>
4199
4200 <para><command>qstat -s -j%j -r</command></para>
4201
4202 <para>Example for HPUX: <command>lpresume command = /usr/bin/lpalt
4203 %p-%j -p2</command></para>
4204 </listitem>
4205 </varlistentry>
4206
4207
4208
4209 <varlistentry>
4210 <term><anchor id="LPRMCOMMAND">lprm command (S)</term>
4211 <listitem><para>This parameter specifies the command to be
4212 executed on the server host in order to delete a print job.</para>
4213
4214 <para>This command should be a program or script which takes
4215 a printer name and job number, and deletes the print job.</para>
4216
4217 <para>If a <parameter>%p</parameter> is given then the printer name
4218 is put in its place. A <parameter>%j</parameter> is replaced with
4219 the job number (an integer).</para>
4220
4221 <para>Note that it is good practice to include the absolute
4222 path in the <parameter>lprm command</parameter> as the PATH may not be
4223 available to the server.</para>
4224
4225 <para>See also the <link linkend="PRINTING"><parameter>printing
4226 </parameter></link> parameter.</para>
4227
4228 <para>Default: <emphasis>depends on the setting of <parameter>printing
4229 </parameter></emphasis></para>
4230
4231 <para>Example 1: <command>lprm command = /usr/bin/lprm -P%p %j
4232 </command></para>
4233 <para>Example 2: <command>lprm command = /usr/bin/cancel %p-%j
4234 </command></para></listitem>
4235 </varlistentry>
4236
4237
4238
4239 <varlistentry>
4240 <term><anchor id="MACHINEPASSWORDTIMEOUT">machine password timeout (G)</term>
4241 <listitem><para>If a Samba server is a member of a Windows
4242 NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>)
4243 parameter) then periodically a running <ulink url="smbd.8.html">
4244 smbd(8)</ulink> process will try and change the MACHINE ACCOUNT
4245 PASSWORD stored in the TDB called <filename>private/secrets.tdb
4246 </filename>. This parameter specifies how often this password
4247 will be changed, in seconds. The default is one week (expressed in
4248 seconds), the same as a Windows NT Domain member server.</para>
4249
4250 <para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8)
4251 </command></ulink>, and the <link linkend="SECURITYEQUALSDOMAIN">
4252 security = domain</link>) parameter.</para>
4253
4254 <para>Default: <command>machine password timeout = 604800</command></para>
4255 </listitem>
4256 </varlistentry>
4257
4258
4259 <varlistentry>
4260 <term><anchor id="MAGICOUTPUT">magic output (S)</term>
4261 <listitem><para>This parameter specifies the name of a file
4262 which will contain output created by a magic script (see the
4263 <link linkend="MAGICSCRIPT"><parameter>magic script</parameter></link>
4264 parameter below).</para>
4265
4266 <para>Warning: If two clients use the same <parameter>magic script
4267 </parameter> in the same directory the output file content
4268 is undefined.</para>
4269
4270 <para>Default: <command>magic output = &lt;magic script name&gt;.out
4271 </command></para>
4272
4273 <para>Example: <command>magic output = myfile.txt</command></para>
4274 </listitem>
4275 </varlistentry>
4276
4277
4278
4279 <varlistentry>
4280 <term><anchor id="MAGICSCRIPT">magic script (S)</term>
4281 <listitem><para>This parameter specifies the name of a file which,
4282 if opened, will be executed by the server when the file is closed.
4283 This allows a UNIX script to be sent to the Samba host and
4284 executed on behalf of the connected user.</para>
4285
4286 <para>Scripts executed in this way will be deleted upon
4287 completion assuming that the user has the appropriate level
4288 of privilege and the file permissions allow the deletion.</para>
4289
4290 <para>If the script generates output, output will be sent to
4291 the file specified by the <link linkend="MAGICOUTPUT"><parameter>
4292 magic output</parameter></link> parameter (see above).</para>
4293
4294 <para>Note that some shells are unable to interpret scripts
4295 containing CR/LF instead of CR as
4296 the end-of-line marker. Magic scripts must be executable
4297 <emphasis>as is</emphasis> on the host, which for some hosts and
4298 some shells will require filtering at the DOS end.</para>
4299
4300 <para>Magic scripts are <emphasis>EXPERIMENTAL</emphasis> and
4301 should <emphasis>NOT</emphasis> be relied upon.</para>
4302
4303 <para>Default: <emphasis>None. Magic scripts disabled.</emphasis></para>
4304 <para>Example: <command>magic script = user.csh</command></para>
4305 </listitem>
4306 </varlistentry>
4307
4308
4309
4310 <varlistentry>
4311 <term><anchor id="MANGLECASE">mangle case (S)</term>
4312 <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
4313 NAME MANGLING</link></para>
4314
4315 <para>Default: <command>mangle case = no</command></para>
4316 </listitem>
4317 </varlistentry>
4318
4319
4320 <varlistentry>
4321 <term><anchor id="MANGLEDMAP">mangled map (S)</term>
4322 <listitem><para>This is for those who want to directly map UNIX
4323 file names which cannot be represented on Windows/DOS. The mangling
4324 of names is not always what is needed. In particular you may have
4325 documents with file extensions that differ between DOS and UNIX.
4326 For example, under UNIX it is common to use <filename>.html</filename>
4327 for HTML files, whereas under Windows/DOS <filename>.htm</filename>
4328 is more commonly used.</para>
4329
4330 <para>So to map <filename>html</filename> to <filename>htm</filename>
4331 you would use:</para>
4332
4333 <para><command>mangled map = (*.html *.htm)</command></para>
4334
4335 <para>One very useful case is to remove the annoying <filename>;1
4336 </filename> off the ends of filenames on some CDROMs (only visible
4337 under some UNIXes). To do this use a map of (*;1 *;).</para>
4338
4339 <para>Default: <emphasis>no mangled map</emphasis></para>
4340 <para>Example: <command>mangled map = (*;1 *;)</command></para>
4341 </listitem>
4342 </varlistentry>
4343
4344
4345 <varlistentry>
4346 <term><anchor id="MANGLEDNAMES">mangled names (S)</term>
4347 <listitem><para>This controls whether non-DOS names under UNIX
4348 should be mapped to DOS-compatible names ("mangled") and made visible,
4349 or whether non-DOS names should simply be ignored.</para>
4350
4351 <para>See the section on <link linkend="NAMEMANGLINGSECT">
4352 NAME MANGLING</link> for details on how to control the mangling process.</para>
4353
4354 <para>If mangling algorithm "hash" is used then the mangling algorithm is as follows:</para>
4355
4356 <itemizedlist>
4357 <listitem><para>The first (up to) five alphanumeric characters
4358 before the rightmost dot of the filename are preserved, forced
4359 to upper case, and appear as the first (up to) five characters
4360 of the mangled name.</para></listitem>
4361
4362 <listitem><para>A tilde "~" is appended to the first part of the mangled
4363 name, followed by a two-character unique sequence, based on the
4364 original root name (i.e., the original filename minus its final
4365 extension). The final extension is included in the hash calculation
4366 only if it contains any upper case characters or is longer than three
4367 characters.</para>
4368
4369 <para>Note that the character to use may be specified using
4370 the <link linkend="MANGLINGCHAR"><parameter>mangling char</parameter>
4371 </link> option, if you don't like '~'.</para></listitem>
4372
4373 <listitem><para>The first three alphanumeric characters of the final
4374 extension are preserved, forced to upper case and appear as the
4375 extension of the mangled name. The final extension is defined as that
4376 part of the original filename after the rightmost dot. If there are no
4377 dots in the filename, the mangled name will have no extension (except
4378 in the case of "hidden files" - see below).</para></listitem>
4379
4380 <listitem><para>Files whose UNIX name begins with a dot will be
4381 presented as DOS hidden files. The mangled name will be created as
4382 for other filenames, but with the leading dot removed and "___" as
4383 its extension regardless of actual original extension (that's three
4384 underscores).</para></listitem>
4385 </itemizedlist>
4386
4387 <para>The two-digit hash value consists of upper case
4388 alphanumeric characters.</para>
4389
4390 <para>This algorithm can cause name collisions only if files
4391 in a directory share the same first five alphanumeric characters.
4392 The probability of such a clash is 1/1300.</para>
4393
4394 <para>If mangling algorithm "hash2" is used then the mangling algorithm is as follows:</para>
4395
4396 <itemizedlist>
4397 <listitem><para>The first alphanumeric character
4398 before the rightmost dot of the filename is preserved, forced
4399 to upper case, and appears as the first character of the mangled name.
4400 </para></listitem>
4401
4402 <listitem><para>A base63 hash of 5 characters is generated and the
4403 first 4 characters of that hash are appended to the first character.
4404 </para></listitem>
4405
4406 <listitem><para>A tilde "~" is appended to the first part of the mangled
4407 name, followed by the final character of the base36 hash of the name.
4408 </para>
4409
4410 <para>Note that the character to use may be specified using
4411 the <link linkend="MANGLINGCHAR"><parameter>mangling char</parameter>
4412 </link> option, if you don't like '~'.</para></listitem>
4413
4414 <listitem><para>The first three alphanumeric characters of the final
4415 extension are preserved, forced to upper case and appear as the
4416 extension of the mangled name. The final extension is defined as that
4417 part of the original filename after the rightmost dot. If there are no
4418 dots in the filename, the mangled name will have no extension (except
4419 in the case of "hidden files" - see below).</para></listitem>
4420
4421 <listitem><para>Files whose UNIX name begins with a dot will be
4422 presented as DOS hidden files. The mangled name will be created as
4423 for other filenames, but with the leading dot removed and "___" as
4424 its extension regardless of actual original extension (that's three
4425 underscores).</para></listitem>
4426 </itemizedlist>
4427
4428 <para>The name mangling (if enabled) allows a file to be
4429 copied between UNIX directories from Windows/DOS while retaining
4430 the long UNIX filename. UNIX files can be renamed to a new extension
4431 from Windows/DOS and will retain the same basename. Mangled names
4432 do not change between sessions.</para>
4433
4434 <para>Default: <command>mangled names = yes</command></para>
4435 </listitem>
4436 </varlistentry>
4437
4438
4439
4440 <varlistentry>
4441 <term><anchor id="MANGLEDSTACK">mangled stack (G)</term>
4442 <listitem><para>This parameter controls the number of mangled names
4443 that should be cached in the Samba server <ulink url="smbd.8.html">
4444 smbd(8)</ulink>.</para>
4445
4446 <para>This stack is a list of recently mangled base names
4447 (extensions are only maintained if they are longer than 3 characters
4448 or contains upper case characters).</para>
4449
4450 <para>The larger this value, the more likely it is that mangled
4451 names can be successfully converted to correct long UNIX names.
4452 However, large stack sizes will slow most directory accesses. Smaller
4453 stacks save memory in the server (each stack element costs 256 bytes).
4454 </para>
4455
4456 <para>It is not possible to absolutely guarantee correct long
4457 filenames, so be prepared for some surprises!</para>
4458
4459 <para>Default: <command>mangled stack = 50</command></para>
4460 <para>Example: <command>mangled stack = 100</command></para>
4461 </listitem>
4462 </varlistentry>
4463
4464
4465
4466
4467 <varlistentry>
4468 <term><anchor id="MANGLINGCHAR">mangling char (S)</term>
4469 <listitem><para>This controls what character is used as
4470 the <emphasis>magic</emphasis> character in <link
4471 linkend="NAMEMANGLINGSECT">name mangling</link>. The default is a '~'
4472 but this may interfere with some software. Use this option to set
4473 it to whatever you prefer.</para>
4474
4475 <para>Default: <command>mangling char = ~</command></para>
4476 <para>Example: <command>mangling char = ^</command></para>
4477 </listitem>
4478 </varlistentry>
4479
4480
4481 <varlistentry>
4482 <term><anchor id="MANGLINGMETHOD">mangling mathod(G)</term>
4483 <listitem><para> controls the algorithm used for the generating
4484 the mangled names. Can take two different values, "hash" and
4485 "hash2". "hash" is the default and is the algorithm that has been
4486 used in Samba for many years. "hash2" is a newer and considered
4487 a better algorithm (generates less collisions) in the names.
4488 However, many Win32 applications store the mangled names and so
4489 changing to the new algorithm must not be done
4490 lightly as these applications may break unless reinstalled.
4491 New installations of Samba may set the default to hash2.</para>
4492 <para>Default: <command>mangling method = hash</command></para>
4493 <para>Example: <command>mangling method = hash2</command></para>
4494 </listitem>
4495 </varlistentry>
4496
4497
4498
4499 <varlistentry>
4500 <term><anchor id="MAPARCHIVE">map archive (S)</term>
4501 <listitem><para>This controls whether the DOS archive attribute
4502 should be mapped to the UNIX owner execute bit. The DOS archive bit
4503 is set when a file has been modified since its last backup. One
4504 motivation for this option it to keep Samba/your PC from making
4505 any file it touches from becoming executable under UNIX. This can
4506 be quite annoying for shared source code, documents, etc...</para>
4507
4508 <para>Note that this requires the <parameter>create mask</parameter>
4509 parameter to be set such that owner execute bit is not masked out
4510 (i.e. it must include 100). See the parameter <link linkend="CREATEMASK">
4511 <parameter>create mask</parameter></link> for details.</para>
4512
4513 <para>Default: <command>map archive = yes</command></para>
4514 </listitem>
4515 </varlistentry>
4516
4517
4518
4519 <varlistentry>
4520 <term><anchor id="MAPHIDDEN">map hidden (S)</term>
4521 <listitem><para>This controls whether DOS style hidden files
4522 should be mapped to the UNIX world execute bit.</para>
4523
4524 <para>Note that this requires the <parameter>create mask</parameter>
4525 to be set such that the world execute bit is not masked out (i.e.
4526 it must include 001). See the parameter <link linkend="CREATEMASK">
4527 <parameter>create mask</parameter></link> for details.</para>
4528
4529 <para>Default: <command>map hidden = no</command></para>
4530 </listitem>
4531 </varlistentry>
4532
4533
4534 <varlistentry>
4535 <term><anchor id="MAPSYSTEM">map system (S)</term>
4536 <listitem><para>This controls whether DOS style system files
4537 should be mapped to the UNIX group execute bit.</para>
4538
4539 <para>Note that this requires the <parameter>create mask</parameter>
4540 to be set such that the group execute bit is not masked out (i.e.
4541 it must include 010). See the parameter <link linkend="CREATEMASK">
4542 <parameter>create mask</parameter></link> for details.</para>
4543
4544 <para>Default: <command>map system = no</command></para>
4545 </listitem>
4546 </varlistentry>
4547
4548
4549 <varlistentry>
4550 <term><anchor id="MAPTOGUEST">map to guest (G)</term>
4551 <listitem><para>This parameter is only useful in <link linkend="SECURITY">
4552 security</link> modes other than <parameter>security = share</parameter>
4553 - i.e. <constant>user</constant>, <constant>server</constant>,
4554 and <constant>domain</constant>.</para>
4555
4556 <para>This parameter can take three different values, which tell
4557 <ulink url="smbd.8.html">smbd(8)</ulink> what to do with user
4558 login requests that don't match a valid UNIX user in some way.</para>
4559
4560 <para>The three settings are :</para>
4561
4562 <itemizedlist>
4563 <listitem><para><constant>Never</constant> - Means user login
4564 requests with an invalid password are rejected. This is the
4565 default.</para></listitem>
4566
4567 <listitem><para><constant>Bad User</constant> - Means user
4568 logins with an invalid password are rejected, unless the username
4569 does not exist, in which case it is treated as a guest login and
4570 mapped into the <link linkend="GUESTACCOUNT"><parameter>
4571 guest account</parameter></link>.</para></listitem>
4572
4573 <listitem><para><constant>Bad Password</constant> - Means user logins
4574 with an invalid password are treated as a guest login and mapped
4575 into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
4576 this can cause problems as it means that any user incorrectly typing
4577 their password will be silently logged on as "guest" - and
4578 will not know the reason they cannot access files they think
4579 they should - there will have been no message given to them
4580 that they got their password wrong. Helpdesk services will
4581 <emphasis>hate</emphasis> you if you set the <parameter>map to
4582 guest</parameter> parameter this way :-).</para></listitem>
4583 </itemizedlist>
4584
4585 <para>Note that this parameter is needed to set up "Guest"
4586 share services when using <parameter>security</parameter> modes other than
4587 share. This is because in these modes the name of the resource being
4588 requested is <emphasis>not</emphasis> sent to the server until after
4589 the server has successfully authenticated the client so the server
4590 cannot make authentication decisions at the correct time (connection
4591 to the share) for "Guest" shares.</para>
4592
4593 <para>For people familiar with the older Samba releases, this
4594 parameter maps to the old compile-time setting of the <constant>
4595 GUEST_SESSSETUP</constant> value in local.h.</para>
4596
4597 <para>Default: <command>map to guest = Never</command></para>
4598 <para>Example: <command>map to guest = Bad User</command></para>
4599 </listitem>
4600 </varlistentry>
4601
4602
4603
4604 <varlistentry>
4605 <term><anchor id="MAXCONNECTIONS">max connections (S)</term>
4606 <listitem><para>This option allows the number of simultaneous
4607 connections to a service to be limited. If <parameter>max connections
4608 </parameter> is greater than 0 then connections will be refused if
4609 this number of connections to the service are already open. A value
4610 of zero mean an unlimited number of connections may be made.</para>
4611
4612 <para>Record lock files are used to implement this feature. The
4613 lock files will be stored in the directory specified by the <link
4614 linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link>
4615 option.</para>
4616
4617 <para>Default: <command>max connections = 0</command></para>
4618 <para>Example: <command>max connections = 10</command></para>
4619 </listitem>
4620 </varlistentry>
4621
4622
4623
4624 <varlistentry>
4625 <term><anchor id="MAXDISKSIZE">max disk size (G)</term>
4626 <listitem><para>This option allows you to put an upper limit
4627 on the apparent size of disks. If you set this option to 100
4628 then all shares will appear to be not larger than 100 MB in
4629 size.</para>
4630
4631 <para>Note that this option does not limit the amount of
4632 data you can put on the disk. In the above case you could still
4633 store much more than 100 MB on the disk, but if a client ever asks
4634 for the amount of free disk space or the total disk size then the
4635 result will be bounded by the amount specified in <parameter>max
4636 disk size</parameter>.</para>
4637
4638 <para>This option is primarily useful to work around bugs
4639 in some pieces of software that can't handle very large disks,
4640 particularly disks over 1GB in size.</para>
4641
4642 <para>A <parameter>max disk size</parameter> of 0 means no limit.</para>
4643
4644 <para>Default: <command>max disk size = 0</command></para>
4645 <para>Example: <command>max disk size = 1000</command></para>
4646 </listitem>
4647 </varlistentry>
4648
4649
4650
4651 <varlistentry>
4652 <term><anchor id="MAXLOGSIZE">max log size (G)</term>
4653 <listitem><para>This option (an integer in kilobytes) specifies
4654 the max size the log file should grow to. Samba periodically checks
4655 the size and if it is exceeded it will rename the file, adding
4656 a <filename>.old</filename> extension.</para>
4657
4658 <para>A size of 0 means no limit.</para>
4659
4660 <para>Default: <command>max log size = 5000</command></para>
4661 <para>Example: <command>max log size = 1000</command></para>
4662 </listitem>
4663 </varlistentry>
4664
4665
4666
4667 <varlistentry>
4668 <term><anchor id="MAXMUX">max mux (G)</term>
4669 <listitem><para>This option controls the maximum number of
4670 outstanding simultaneous SMB operations that Samba tells the client
4671 it will allow. You should never need to set this parameter.</para>
4672
4673 <para>Default: <command>max mux = 50</command></para>
4674 </listitem>
4675 </varlistentry>
4676
4677
4678
4679 <varlistentry>
4680 <term><anchor id="MAXOPENFILES">max open files (G)</term>
4681 <listitem><para>This parameter limits the maximum number of
4682 open files that one <ulink url="smbd.8.html">smbd(8)</ulink> file
4683 serving process may have open for a client at any one time. The
4684 default for this parameter is set very high (10,000) as Samba uses
4685 only one bit per unopened file.</para>
4686
4687 <para>The limit of the number of open files is usually set
4688 by the UNIX per-process file descriptor limit rather than
4689 this parameter so you should never need to touch this parameter.</para>
4690
4691 <para>Default: <command>max open files = 10000</command></para>
4692 </listitem>
4693 </varlistentry>
4694
4695
4696
4697 <varlistentry>
4698 <term><anchor id="MAXPRINTJOBS">max print jobs (S)</term>
4699 <listitem><para>This parameter limits the maximum number of
4700 jobs allowable in a Samba printer queue at any given moment.
4701 If this number is exceeded, <ulink url="smbd.8.html"><command>
4702 smbd(8)</command></ulink> will remote "Out of Space" to the client.
4703 See all <link linkend="TOTALPRINTJOBS"><parameter>total
4704 print jobs</parameter></link>.
4705 </para>
4706
4707 <para>Default: <command>max print jobs = 1000</command></para>
4708 <para>Example: <command>max print jobs = 5000</command></para>
4709 </listitem>
4710 </varlistentry>
4711
4712
4713 <varlistentry>
4714 <term><anchor id="MAXPROTOCOL">max protocol (G)</term>
4715 <listitem><para>The value of the parameter (a string) is the highest
4716 protocol level that will be supported by the server.</para>
4717
4718 <para>Possible values are :</para>
4719 <itemizedlist>
4720 <listitem><para><constant>CORE</constant>: Earliest version. No
4721 concept of user names.</para></listitem>
4722
4723 <listitem><para><constant>COREPLUS</constant>: Slight improvements on
4724 CORE for efficiency.</para></listitem>
4725
4726 <listitem><para><constant>LANMAN1</constant>: First <emphasis>
4727 modern</emphasis> version of the protocol. Long filename
4728 support.</para></listitem>
4729
4730 <listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.
4731 </para></listitem>
4732
4733 <listitem><para><constant>NT1</constant>: Current up to date version of
4734 the protocol. Used by Windows NT. Known as CIFS.</para></listitem>
4735 </itemizedlist>
4736
4737 <para>Normally this option should not be set as the automatic
4738 negotiation phase in the SMB protocol takes care of choosing
4739 the appropriate protocol.</para>
4740
4741 <para>See also <link linkend="MINPROTOCOL"><parameter>min
4742 protocol</parameter></link></para>
4743
4744 <para>Default: <command>max protocol = NT1</command></para>
4745 <para>Example: <command>max protocol = LANMAN1</command></para>
4746 </listitem>
4747 </varlistentry>
4748
4749
4750
4751 <varlistentry>
4752 <term><anchor id="MAXSMBDPROCESSES">max smbd processes (G)</term>
4753 <listitem><para>This parameter limits the maximum number of
4754 <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
4755 processes concurrently running on a system and is intended
4756 as a stopgap to prevent degrading service to clients in the event
4757 that the server has insufficient resources to handle more than this
4758 number of connections. Remember that under normal operating
4759 conditions, each user will have an <ulink url="smbd.8.html">smbd</ulink> associated with him or her
4760 to handle connections to all shares from a given host.
4761 </para>
4762
4763 <para>Default: <command>max smbd processes = 0</command> ## no limit</para>
4764 <para>Example: <command>max smbd processes = 1000</command></para>
4765 </listitem>
4766 </varlistentry>
4767
4768
4769
4770
4771 <varlistentry>
4772 <term><anchor id="MAXTTL">max ttl (G)</term>
4773 <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
4774 what the default 'time to live' of NetBIOS names should be (in seconds)
4775 when <command>nmbd</command> is requesting a name using either a
4776 broadcast packet or from a WINS server. You should never need to
4777 change this parameter. The default is 3 days.</para>
4778
4779 <para>Default: <command>max ttl = 259200</command></para>
4780 </listitem>
4781 </varlistentry>
4782
4783
4784
4785 <varlistentry>
4786 <term><anchor id="MAXWINSTTL">max wins ttl (G)</term>
4787 <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)
4788 </ulink> when acting as a WINS server (<link linkend="WINSSUPPORT">
4789 <parameter>wins support = yes</parameter></link>) what the maximum
4790 'time to live' of NetBIOS names that <command>nmbd</command>
4791 will grant will be (in seconds). You should never need to change this
4792 parameter. The default is 6 days (518400 seconds).</para>
4793
4794 <para>See also the <link linkend="MINWINSTTL"><parameter>min
4795 wins ttl</parameter></link> parameter.</para>
4796
4797 <para>Default: <command>max wins ttl = 518400</command></para>
4798 </listitem>
4799 </varlistentry>
4800
4801
4802
4803 <varlistentry>
4804 <term><anchor id="MAXXMIT">max xmit (G)</term>
4805 <listitem><para>This option controls the maximum packet size
4806 that will be negotiated by Samba. The default is 65535, which
4807 is the maximum. In some cases you may find you get better performance
4808 with a smaller value. A value below 2048 is likely to cause problems.
4809 </para>
4810
4811 <para>Default: <command>max xmit = 65535</command></para>
4812 <para>Example: <command>max xmit = 8192</command></para>
4813 </listitem>
4814 </varlistentry>
4815
4816
4817
4818 <varlistentry>
4819 <term><anchor id="MESSAGECOMMAND">message command (G)</term>
4820 <listitem><para>This specifies what command to run when the
4821 server receives a WinPopup style message.</para>
4822
4823 <para>This would normally be a command that would
4824 deliver the message somehow. How this is to be done is
4825 up to your imagination.</para>
4826
4827 <para>An example is:</para>
4828
4829 <para><command>message command = csh -c 'xedit %s;rm %s' &</command>
4830 </para>
4831
4832 <para>This delivers the message using <command>xedit</command>, then
4833 removes it afterwards. <emphasis>NOTE THAT IT IS VERY IMPORTANT
4834 THAT THIS COMMAND RETURN IMMEDIATELY</emphasis>. That's why I
4835 have the '&' on the end. If it doesn't return immediately then
4836 your PCs may freeze when sending messages (they should recover
4837 after 30 seconds, hopefully).</para>
4838
4839 <para>All messages are delivered as the global guest user.
4840 The command takes the standard substitutions, although <parameter>
4841 %u</parameter> won't work (<parameter>%U</parameter> may be better
4842 in this case).</para>
4843
4844 <para>Apart from the standard substitutions, some additional
4845 ones apply. In particular:</para>
4846
4847 <itemizedlist>
4848 <listitem><para><parameter>%s</parameter> = the filename containing
4849 the message.</para></listitem>
4850
4851 <listitem><para><parameter>%t</parameter> = the destination that
4852 the message was sent to (probably the server name).</para></listitem>
4853
4854 <listitem><para><parameter>%f</parameter> = who the message
4855 is from.</para></listitem>
4856 </itemizedlist>
4857
4858 <para>You could make this command send mail, or whatever else
4859 takes your fancy. Please let us know of any really interesting
4860 ideas you have.</para>
4861
4862
4863 <para>Here's a way of sending the messages as mail to root:</para>
4864
4865 <para><command>message command = /bin/mail -s 'message from %f on
4866 %m' root &lt; %s; rm %s</command></para>
4867
4868 <para>If you don't have a message command then the message
4869 won't be delivered and Samba will tell the sender there was
4870 an error. Unfortunately WfWg totally ignores the error code
4871 and carries on regardless, saying that the message was delivered.
4872 </para>
4873
4874 <para>If you want to silently delete it then try:</para>
4875
4876 <para><command>message command = rm %s</command></para>
4877
4878 <para>Default: <emphasis>no message command</emphasis></para>
4879 <para>Example: <command>message command = csh -c 'xedit %s;
4880 rm %s' &</command></para>
4881 </listitem>
4882 </varlistentry>
4883
4884
4885
4886
4887 <varlistentry>
4888 <term><anchor id="MINPASSWDLENGTH">min passwd length (G)</term>
4889 <listitem><para>Synonym for <link linkend="MINPASSWORDLENGTH">
4890 <parameter>min password length</parameter></link>.</para>
4891 </listitem>
4892 </varlistentry>
4893
4894
4895
4896 <varlistentry>
4897 <term><anchor id="MINPASSWORDLENGTH">min password length (G)</term>
4898 <listitem><para>This option sets the minimum length in characters
4899 of a plaintext password that <command>smbd</command> will accept when performing
4900 UNIX password changing.</para>
4901
4902 <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
4903 password sync</parameter></link>, <link linkend="PASSWDPROGRAM">
4904 <parameter>passwd program</parameter></link> and <link
4905 linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter>
4906 </link>.</para>
4907
4908 <para>Default: <command>min password length = 5</command></para>
4909 </listitem>
4910 </varlistentry>
4911
4912
4913
4914 <varlistentry>
4915 <term><anchor id="MINPRINTSPACE">min print space (S)</term>
4916 <listitem><para>This sets the minimum amount of free disk
4917 space that must be available before a user will be able to spool
4918 a print job. It is specified in kilobytes. The default is 0, which
4919 means a user can always spool a print job.</para>
4920
4921 <para>See also the <link linkend="PRINTING"><parameter>printing
4922 </parameter></link> parameter.</para>
4923
4924 <para>Default: <command>min print space = 0</command></para>
4925 <para>Example: <command>min print space = 2000</command></para>
4926 </listitem>
4927 </varlistentry>
4928
4929
4930
4931
4932 <varlistentry>
4933 <term><anchor id="MINPROTOCOL">min protocol (G)</term>
4934 <listitem><para>The value of the parameter (a string) is the
4935 lowest SMB protocol dialect than Samba will support. Please refer
4936 to the <link linkend="MAXPROTOCOL"><parameter>max protocol</parameter></link>
4937 parameter for a list of valid protocol names and a brief description
4938 of each. You may also wish to refer to the C source code in
4939 <filename>source/smbd/negprot.c</filename> for a listing of known protocol
4940 dialects supported by clients.</para>
4941
4942 <para>If you are viewing this parameter as a security measure, you should
4943 also refer to the <link linkend="LANMANAUTH"><parameter>lanman
4944 auth</parameter></link> parameter. Otherwise, you should never need
4945 to change this parameter.</para>
4946
4947 <para>Default : <command>min protocol = CORE</command></para>
4948 <para>Example : <command>min protocol = NT1</command> # disable DOS
4949 clients</para>
4950 </listitem>
4951 </varlistentry>
4952
4953
4954
4955
4956 <varlistentry>
4957 <term><anchor id="MINWINSTTL">min wins ttl (G)</term>
4958 <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
4959 when acting as a WINS server (<link linkend="WINSSUPPORT"><parameter>
4960 wins support = yes</parameter></link>) what the minimum 'time to live'
4961 of NetBIOS names that <command>nmbd</command> will grant will be (in
4962 seconds). You should never need to change this parameter. The default
4963 is 6 hours (21600 seconds).</para>
4964
4965 <para>Default: <command>min wins ttl = 21600</command></para>
4966 </listitem>
4967 </varlistentry>
4968
4969
4970
4971
4972 <varlistentry>
4973 <term><anchor id="MSDFSROOT">msdfs root (S)</term>
4974 <listitem><para>This boolean parameter is only available if
4975 Samba is configured and compiled with the <command>
4976 --with-msdfs</command> option. If set to <constant>yes</constant>,
4977 Samba treats the share as a Dfs root and allows clients to browse
4978 the distributed file system tree rooted at the share directory.
4979 Dfs links are specified in the share directory by symbolic
4980 links of the form <filename>msdfs:serverA\shareA,serverB\shareB
4981 </filename> and so on. For more information on setting up a Dfs tree
4982 on Samba, refer to <ulink url="msdfs_setup.html">msdfs_setup.html
4983 </ulink>.</para>
4984
4985 <para>See also <link linkend="HOSTMSDFS"><parameter>host msdfs
4986 </parameter></link></para>
4987
4988 <para>Default: <command>msdfs root = no</command></para>
4989 </listitem>
4990 </varlistentry>
4991
4992
4993 <varlistentry>
4994 <term><anchor id="NAMERESOLVEORDER">name resolve order (G)</term>
4995 <listitem><para>This option is used by the programs in the Samba
4996 suite to determine what naming services to use and in what order
4997 to resolve host names to IP addresses. The option takes a space
4998 separated string of name resolution options.</para>
4999
5000 <para>The options are :"lmhosts", "host", "wins" and "bcast". They
5001 cause names to be resolved as follows :</para>
5002
5003 <itemizedlist>
5004 <listitem><para><constant>lmhosts</constant> : Lookup an IP
5005 address in the Samba lmhosts file. If the line in lmhosts has
5006 no name type attached to the NetBIOS name (see the <ulink
5007 url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
5008 any name type matches for lookup.</para></listitem>
5009
5010 <listitem><para><constant>host</constant> : Do a standard host
5011 name to IP address resolution, using the system <filename>/etc/hosts
5012 </filename>, NIS, or DNS lookups. This method of name resolution
5013 is operating system depended for instance on IRIX or Solaris this
5014 may be controlled by the <filename>/etc/nsswitch.conf</filename>
5015 file. Note that this method is only used if the NetBIOS name
5016 type being queried is the 0x20 (server) name type, otherwise
5017 it is ignored.</para></listitem>
5018
5019 <listitem><para><constant>wins</constant> : Query a name with
5020 the IP address listed in the <link linkend="WINSSERVER"><parameter>
5021 wins server</parameter></link> parameter. If no WINS server has
5022 been specified this method will be ignored.</para></listitem>
5023
5024 <listitem><para><constant>bcast</constant> : Do a broadcast on
5025 each of the known local interfaces listed in the <link
5026 linkend="INTERFACES"><parameter>interfaces</parameter></link>
5027 parameter. This is the least reliable of the name resolution
5028 methods as it depends on the target host being on a locally
5029 connected subnet.</para></listitem>
5030 </itemizedlist>
5031
5032 <para>Default: <command>name resolve order = lmhosts host wins bcast
5033 </command></para>
5034 <para>Example: <command>name resolve order = lmhosts bcast host
5035 </command></para>
5036
5037 <para>This will cause the local lmhosts file to be examined
5038 first, followed by a broadcast attempt, followed by a normal
5039 system hostname lookup.</para>
5040 </listitem>
5041 </varlistentry>
5042
5043
5044
5045
5046 <varlistentry>
5047 <term><anchor id="NETBIOSALIASES">netbios aliases (G)</term>
5048 <listitem><para>This is a list of NetBIOS names that <ulink
5049 url="nmbd.8.html">nmbd(8)</ulink> will advertise as additional
5050 names by which the Samba server is known. This allows one machine
5051 to appear in browse lists under multiple names. If a machine is
5052 acting as a browse server or logon server none
5053 of these names will be advertised as either browse server or logon
5054 servers, only the primary name of the machine will be advertised
5055 with these capabilities.</para>
5056
5057 <para>See also <link linkend="NETBIOSNAME"><parameter>netbios
5058 name</parameter></link>.</para>
5059
5060 <para>Default: <emphasis>empty string (no additional names)</emphasis></para>
5061 <para>Example: <command>netbios aliases = TEST TEST1 TEST2</command></para>
5062 </listitem>
5063 </varlistentry>
5064
5065
5066
5067 <varlistentry>
5068 <term><anchor id="NETBIOSNAME">netbios name (G)</term>
5069 <listitem><para>This sets the NetBIOS name by which a Samba
5070 server is known. By default it is the same as the first component
5071 of the host's DNS name. If a machine is a browse server or
5072 logon server this name (or the first component
5073 of the hosts DNS name) will be the name that these services are
5074 advertised under.</para>
5075
5076 <para>See also <link linkend="NETBIOSALIASES"><parameter>netbios
5077 aliases</parameter></link>.</para>
5078
5079 <para>Default: <emphasis>machine DNS name</emphasis></para>
5080 <para>Example: <command>netbios name = MYNAME</command></para>
5081 </listitem>
5082 </varlistentry>
5083
5084
5085
5086 <varlistentry>
5087 <term><anchor id="NETBIOSSCOPE">netbios scope (G)</term>
5088 <listitem><para>This sets the NetBIOS scope that Samba will
5089 operate under. This should not be set unless every machine
5090 on your LAN also sets this value.</para>
5091 </listitem>
5092 </varlistentry>
5093
5094
5095 <varlistentry>
5096 <term><anchor id="NISHOMEDIR">nis homedir (G)</term>
5097 <listitem><para>Get the home share server from a NIS map. For
5098 UNIX systems that use an automounter, the user's home directory
5099 will often be mounted on a workstation on demand from a remote
5100 server. </para>
5101
5102 <para>When the Samba logon server is not the actual home directory
5103 server, but is mounting the home directories via NFS then two
5104 network hops would be required to access the users home directory
5105 if the logon server told the client to use itself as the SMB server
5106 for home directories (one over SMB and one over NFS). This can
5107 be very slow.</para>
5108
5109 <para>This option allows Samba to return the home share as
5110 being on a different server to the logon server and as
5111 long as a Samba daemon is running on the home directory server,
5112 it will be mounted on the Samba client directly from the directory
5113 server. When Samba is returning the home share to the client, it
5114 will consult the NIS map specified in <link linkend="HOMEDIRMAP">
5115 <parameter>homedir map</parameter></link> and return the server
5116 listed there.</para>
5117
5118 <para>Note that for this option to work there must be a working
5119 NIS system and the Samba server with this option must also
5120 be a logon server.</para>
5121
5122 <para>Default: <command>nis homedir = no</command></para>
5123 </listitem>
5124 </varlistentry>
5125
5126
5127
5128 <varlistentry>
5129 <term><anchor id="NTACLSUPPORT">nt acl support (S)</term>
5130 <listitem><para>This boolean parameter controls whether
5131 <ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map
5132 UNIX permissions into Windows NT access control lists.
5133 This parameter was formally a global parameter in releases
5134 prior to 2.2.2.</para>
5135
5136 <para>Default: <command>nt acl support = yes</command></para>
5137 </listitem>
5138 </varlistentry>
5139
5140
5141
5142 <varlistentry>
5143 <term><anchor id="NTPIPESUPPORT">nt pipe support (G)</term>
5144 <listitem><para>This boolean parameter controls whether
5145 <ulink url="smbd.8.html">smbd(8)</ulink> will allow Windows NT
5146 clients to connect to the NT SMB specific <constant>IPC$</constant>
5147 pipes. This is a developer debugging option and can be left
5148 alone.</para>
5149
5150 <para>Default: <command>nt pipe support = yes</command></para>
5151 </listitem>
5152 </varlistentry>
5153
5154
5155
5156 <varlistentry>
5157 <term><anchor id="NTSMBSUPPORT">nt smb support (G)</term>
5158 <listitem><para>This boolean parameter controls whether <ulink
5159 url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific SMB
5160 support with Windows NT/2k/XP clients. Although this is a developer
5161 debugging option and should be left alone, benchmarking has discovered
5162 that Windows NT clients give faster performance with this option
5163 set to <constant>no</constant>. This is still being investigated.
5164 If this option is set to <constant>no</constant> then Samba offers
5165 exactly the same SMB calls that versions prior to Samba 2.0 offered.
5166 This information may be of use if any users are having problems
5167 with NT SMB support.</para>
5168
5169 <para>You should not need to ever disable this parameter.</para>
5170
5171 <para>Default: <command>nt smb support = yes</command></para>
5172 </listitem>
5173 </varlistentry>
5174
5175
5176
5177 <varlistentry>
5178 <term><anchor id="NTSTATUSSUPPORT">nt status support (G)</term>
5179 <listitem><para>This boolean parameter controls whether <ulink
5180 url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific status
5181 support with Windows NT/2k/XP clients. This is a developer
5182 debugging option and should be left alone.
5183 If this option is set to <constant>no</constant> then Samba offers
5184 exactly the same DOS error codes that versions prior to Samba 2.2.3
5185 reported.</para>
5186
5187 <para>You should not need to ever disable this parameter.</para>
5188
5189 <para>Default: <command>nt status support = yes</command></para>
5190 </listitem>
5191 </varlistentry>
5192
5193
5194
5195 <varlistentry>
5196 <term><anchor id="NULLPASSWORDS">null passwords (G)</term>
5197 <listitem><para>Allow or disallow client access to accounts
5198 that have null passwords. </para>
5199
5200 <para>See also <ulink url="smbpasswd.5.html">smbpasswd (5)</ulink>.</para>
5201
5202 <para>Default: <command>null passwords = no</command></para>
5203 </listitem>
5204 </varlistentry>
5205
5206
5207
5208
5209 <varlistentry>
5210 <term><anchor id="OBEYPAMRESTRICTIONS">obey pam restrictions (G)</term>
5211 <listitem><para>When Samba 2.2 is configured to enable PAM support
5212 (i.e. --with-pam), this parameter will control whether or not Samba
5213 should obey PAM's account and session management directives. The
5214 default behavior is to use PAM for clear text authentication only
5215 and to ignore any account or session management. Note that Samba
5216 always ignores PAM for authentication in the case of <link
5217 linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords = yes</parameter>
5218 </link>. The reason is that PAM modules cannot support the challenge/response
5219 authentication mechanism needed in the presence of SMB password encryption.
5220 </para>
5221
5222 <para>Default: <command>obey pam restrictions = no</command></para>
5223 </listitem>
5224 </varlistentry>
5225
5226
5227
5228
5229
5230 <varlistentry>
5231 <term><anchor id="ONLYUSER">only user (S)</term>
5232 <listitem><para>This is a boolean option that controls whether
5233 connections with usernames not in the <parameter>user</parameter>
5234 list will be allowed. By default this option is disabled so that a
5235 client can supply a username to be used by the server. Enabling
5236 this parameter will force the server to only user the login
5237 names from the <parameter>user</parameter> list and is only really
5238 useful in <link linkend="SECURITYEQUALSSHARE">shave level</link>
5239 security.</para>
5240
5241 <para>Note that this also means Samba won't try to deduce
5242 usernames from the service name. This can be annoying for
5243 the [homes] section. To get around this you could use <command>user =
5244 %S</command> which means your <parameter>user</parameter> list
5245 will be just the service name, which for home directories is the
5246 name of the user.</para>
5247
5248 <para>See also the <link linkend="USER"><parameter>user</parameter>
5249 </link> parameter.</para>
5250
5251 <para>Default: <command>only user = no</command></para>
5252 </listitem>
5253 </varlistentry>
5254
5255
5256
5257
5258 <varlistentry>
5259 <term><anchor id="ONLYGUEST">only guest (S)</term>
5260 <listitem><para>A synonym for <link linkend="GUESTONLY"><parameter>
5261 guest only</parameter></link>.</para>
5262 </listitem>
5263 </varlistentry>
5264
5265
5266
5267 <varlistentry>
5268 <term><anchor id="OPLOCKBREAKWAITTIME">oplock break wait time (G)</term>
5269 <listitem><para>This is a tuning parameter added due to bugs in
5270 both Windows 9x and WinNT. If Samba responds to a client too
5271 quickly when that client issues an SMB that can cause an oplock
5272 break request, then the network client can fail and not respond
5273 to the break request. This tuning parameter (which is set in milliseconds)
5274 is the amount of time Samba will wait before sending an oplock break
5275 request to such (broken) clients.</para>
5276
5277 <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
5278 AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
5279
5280 <para>Default: <command>oplock break wait time = 0</command></para>
5281 </listitem>
5282 </varlistentry>
5283
5284
5285 <varlistentry>
5286 <term><anchor id="OPLOCKCONTENTIONLIMIT">oplock contention limit (S)</term>
5287 <listitem><para>This is a <emphasis>very</emphasis> advanced
5288 <ulink url="smbd.8.html">smbd(8)</ulink> tuning option to
5289 improve the efficiency of the granting of oplocks under multiple
5290 client contention for the same file.</para>
5291
5292 <para>In brief it specifies a number, which causes <ulink url="smbd.8.html">smbd</ulink> not to
5293 grant an oplock even when requested if the approximate number of
5294 clients contending for an oplock on the same file goes over this
5295 limit. This causes <command>smbd</command> to behave in a similar
5296 way to Windows NT.</para>
5297
5298 <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
5299 AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
5300
5301 <para>Default: <command>oplock contention limit = 2</command></para>
5302 </listitem>
5303 </varlistentry>
5304
5305
5306
5307
5308
5309 <varlistentry>
5310 <term><anchor id="OPLOCKS">oplocks (S)</term>
5311 <listitem><para>This boolean option tells <command>smbd</command> whether to
5312 issue oplocks (opportunistic locks) to file open requests on this
5313 share. The oplock code can dramatically (approx. 30% or more) improve
5314 the speed of access to files on Samba servers. It allows the clients
5315 to aggressively cache files locally and you may want to disable this
5316 option for unreliable network environments (it is turned on by
5317 default in Windows NT Servers). For more information see the file
5318 <filename>Speed.txt</filename> in the Samba <filename>docs/</filename>
5319 directory.</para>
5320
5321 <para>Oplocks may be selectively turned off on certain files with a
5322 share. See the <link linkend="VETOOPLOCKFILES"><parameter>
5323 veto oplock files</parameter></link> parameter. On some systems
5324 oplocks are recognized by the underlying operating system. This
5325 allows data synchronization between all access to oplocked files,
5326 whether it be via Samba or NFS or a local UNIX process. See the
5327 <parameter>kernel oplocks</parameter> parameter for details.</para>
5328
5329 <para>See also the <link linkend="KERNELOPLOCKS"><parameter>kernel
5330 oplocks</parameter></link> and <link linkend="LEVEL2OPLOCKS"><parameter>
5331 level2 oplocks</parameter></link> parameters.</para>
5332
5333 <para>Default: <command>oplocks = yes</command></para>
5334 </listitem>
5335 </varlistentry>
5336
5337
5338
5339 <varlistentry>
5340 <term><anchor id="OSLEVEL">os level (G)</term>
5341 <listitem><para>This integer value controls what level Samba
5342 advertises itself as for browse elections. The value of this
5343 parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink>
5344 has a chance of becoming a local master browser for the <parameter>
5345 WORKGROUP</parameter> in the local broadcast area.</para>
5346
5347 <para><emphasis>Note :</emphasis>By default, Samba will win
5348 a local master browsing election over all Microsoft operating
5349 systems except a Windows NT 4.0/2000 Domain Controller. This
5350 means that a misconfigured Samba host can effectively isolate
5351 a subnet for browsing purposes. See <filename>BROWSING.txt
5352 </filename> in the Samba <filename>docs/</filename> directory
5353 for details.</para>
5354
5355 <para>Default: <command>os level = 20</command></para>
5356 <para>Example: <command>os level = 65 </command></para>
5357 </listitem>
5358 </varlistentry>
5359
5360
5361
5362 <varlistentry>
5363 <term><anchor id="OS2DRIVERMAP">os2 driver map (G)</term>
5364 <listitem><para>The parameter is used to define the absolute
5365 path to a file containing a mapping of Windows NT printer driver
5366 names to OS/2 printer driver names. The format is:</para>
5367
5368 <para>&lt;nt driver name&gt; = &lt;os2 driver
5369 name&gt;.&lt;device name&gt;</para>
5370
5371 <para>For example, a valid entry using the HP LaserJet 5
5372 printer driver would appear as <command>HP LaserJet 5L = LASERJET.HP
5373 LaserJet 5L</command>.</para>
5374
5375 <para>The need for the file is due to the printer driver namespace
5376 problem described in the <ulink url="printer_driver2.html">Samba
5377 Printing HOWTO</ulink>. For more details on OS/2 clients, please
5378 refer to the <ulink url="OS2-Client-HOWTO.html">OS2-Client-HOWTO
5379 </ulink> containing in the Samba documentation.</para>
5380
5381 <para>Default: <command>os2 driver map = &lt;empty string&gt;
5382 </command></para>
5383 </listitem>
5384 </varlistentry>
5385
5386
5387 <varlistentry>
5388 <term><anchor id="PAMPASSWORDCHANGE">pam password change (G)</term>
5389 <listitem><para>With the addition of better PAM support in Samba 2.2,
5390 this parameter, it is possible to use PAM's password change control
5391 flag for Samba. If enabled, then PAM will be used for password
5392 changes when requested by an SMB client instead of the program listed in
5393 <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link>.
5394 It should be possible to enable this without changing your
5395 <link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link>
5396 parameter for most setups.
5397 </para>
5398
5399 <para>Default: <command>pam password change = no</command></para>
5400
5401 </listitem>
5402 </varlistentry>
5403
5404
5405 <varlistentry>
5406 <term><anchor id="PANICACTION">panic action (G)</term>
5407 <listitem><para>This is a Samba developer option that allows a
5408 system command to be called when either <ulink url="smbd.8.html">
5409 smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink>
5410 crashes. This is usually used to draw attention to the fact that
5411 a problem occurred.</para>
5412
5413 <para>Default: <command>panic action = &lt;empty string&gt;</command></para>
5414 <para>Example: <command>panic action = "/bin/sleep 90000"</command></para>
5415 </listitem>
5416 </varlistentry>
5417
5418
5419 <varlistentry>
5420 <term><anchor id="PASSWDCHAT">passwd chat (G)</term>
5421 <listitem><para>This string controls the <emphasis>"chat"</emphasis>
5422 conversation that takes places between <ulink
5423 url="smbd.8.html">smbd</ulink> and the local password changing
5424 program to change the user's password. The string describes a
5425 sequence of response-receive pairs that <ulink url="smbd.8.html">
5426 smbd(8)</ulink> uses to determine what to send to the
5427 <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
5428 </link> and what to expect back. If the expected output is not
5429 received then the password is not changed.</para>
5430
5431 <para>This chat sequence is often quite site specific, depending
5432 on what local methods are used for password control (such as NIS
5433 etc).</para>
5434 <para>Note that this parameter only is only used if the <link
5435 linkend="UNIXPASSWORDSYNC"><parameter>unix
5436 password sync</parameter></link> parameter is set to <constant>yes</constant>. This
5437 sequence is then called <emphasis>AS ROOT</emphasis> when the SMB password
5438 in the smbpasswd file is being changed, without access to the old
5439 password cleartext. This means that root must be able to reset the user's password
5440 without knowing the text of the previous password. In the presence of NIS/YP,
5441 this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must be
5442 executed on the NIS master.
5443 </para>
5444
5445
5446 <para>The string can contain the macro <parameter>%n</parameter> which is substituted
5447 for the new password. The chat sequence can also contain the standard
5448 macros <constant>\n</constant>, <constant>\r</constant>, <constant>
5449 \t</constant> and <constant>\s</constant> to give line-feed,
5450 carriage-return, tab and space. The chat sequence string can also contain
5451 a '*' which matches any sequence of characters.
5452 Double quotes can be used to collect strings with spaces
5453 in them into a single string.</para>
5454
5455 <para>If the send string in any part of the chat sequence
5456 is a full stop ".", then no string is sent. Similarly,
5457 if the expect string is a full stop then no string is expected.</para>
5458
5459 <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter>pam
5460 password change</parameter></link> parameter is set to true, the chat pairs
5461 may be matched in any order, and success is determined by the PAM result,
5462 not any particular output. The \n macro is ignored for PAM conversions.
5463 </para>
5464
5465 <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix password
5466 sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter>
5467 passwd program</parameter></link> ,<link linkend="PASSWDCHATDEBUG">
5468 <parameter>passwd chat debug</parameter></link> and <link linkend="PAMPASSWORDCHANGE">
5469 <parameter>pam password change</parameter></link>.</para>
5470
5471 <para>Default: <command>passwd chat = *new*password* %n\n
5472 *new*password* %n\n *changed*</command></para>
5473 <para>Example: <command>passwd chat = "*Enter OLD password*" %o\n
5474 "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password
5475 changed*"</command></para>
5476 </listitem>
5477 </varlistentry>
5478
5479
5480
5481 <varlistentry>
5482 <term><anchor id="PASSWDCHATDEBUG">passwd chat debug (G)</term>
5483 <listitem><para>This boolean specifies if the passwd chat script
5484 parameter is run in <emphasis>debug</emphasis> mode. In this mode the
5485 strings passed to and received from the passwd chat are printed
5486 in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a
5487 <link linkend="DEBUGLEVEL"><parameter>debug level</parameter></link>
5488 of 100. This is a dangerous option as it will allow plaintext passwords
5489 to be seen in the <command>smbd</command> log. It is available to help
5490 Samba admins debug their <parameter>passwd chat</parameter> scripts
5491 when calling the <parameter>passwd program</parameter> and should
5492 be turned off after this has been done. This option has no effect if the
5493 <link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link>
5494 paramter is set. This parameter is off by default.</para>
5495
5496
5497 <para>See also <link linkend="PASSWDCHAT"><parameter>passwd chat</parameter>
5498 </link>, <link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter>
5499 </link>, <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
5500 </link>.</para>
5501
5502 <para>Default: <command>passwd chat debug = no</command></para>
5503 </listitem>
5504 </varlistentry>
5505
5506
5507
5508 <varlistentry>
5509 <term><anchor id="PASSWDPROGRAM">passwd program (G)</term>
5510 <listitem><para>The name of a program that can be used to set
5511 UNIX user passwords. Any occurrences of <parameter>%u</parameter>
5512 will be replaced with the user name. The user name is checked for
5513 existence before calling the password changing program.</para>
5514
5515 <para>Also note that many passwd programs insist in <emphasis>reasonable
5516 </emphasis> passwords, such as a minimum length, or the inclusion
5517 of mixed case chars and digits. This can pose a problem as some clients
5518 (such as Windows for Workgroups) uppercase the password before sending
5519 it.</para>
5520
5521 <para><emphasis>Note</emphasis> that if the <parameter>unix
5522 password sync</parameter> parameter is set to <constant>true
5523 </constant> then this program is called <emphasis>AS ROOT</emphasis>
5524 before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5)
5525 </ulink> file is changed. If this UNIX password change fails, then
5526 <command>smbd</command> will fail to change the SMB password also
5527 (this is by design).</para>
5528
5529 <para>If the <parameter>unix password sync</parameter> parameter
5530 is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
5531 for <emphasis>ALL</emphasis> programs called, and must be examined
5532 for security implications. Note that by default <parameter>unix
5533 password sync</parameter> is set to <constant>false</constant>.</para>
5534
5535 <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
5536 password sync</parameter></link>.</para>
5537
5538 <para>Default: <command>passwd program = /bin/passwd</command></para>
5539 <para>Example: <command>passwd program = /sbin/npasswd %u</command>
5540 </para>
5541 </listitem>
5542 </varlistentry>
5543
5544
5545
5546 <varlistentry>
5547 <term><anchor id="PASSWORDLEVEL">password level (G)</term>
5548 <listitem><para>Some client/server combinations have difficulty
5549 with mixed-case passwords. One offending client is Windows for
5550 Workgroups, which for some reason forces passwords to upper
5551 case when using the LANMAN1 protocol, but leaves them alone when
5552 using COREPLUS! Another problem child is the Windows 95/98
5553 family of operating systems. These clients upper case clear
5554 text passwords even when NT LM 0.12 selected by the protocol
5555 negotiation request/response.</para>
5556
5557 <para>This parameter defines the maximum number of characters
5558 that may be upper case in passwords.</para>
5559
5560 <para>For example, say the password given was "FRED". If <parameter>
5561 password level</parameter> is set to 1, the following combinations
5562 would be tried if "FRED" failed:</para>
5563
5564 <para>"Fred", "fred", "fRed", "frEd","freD"</para>
5565
5566 <para>If <parameter>password level</parameter> was set to 2,
5567 the following combinations would also be tried: </para>
5568
5569 <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
5570
5571 <para>And so on.</para>
5572
5573 <para>The higher value this parameter is set to the more likely
5574 it is that a mixed case password will be matched against a single
5575 case password. However, you should be aware that use of this
5576 parameter reduces security and increases the time taken to
5577 process a new connection.</para>
5578
5579 <para>A value of zero will cause only two attempts to be
5580 made - the password as is and the password in all-lower case.</para>
5581
5582 <para>Default: <command>password level = 0</command></para>
5583 <para>Example: <command>password level = 4</command></para>
5584 </listitem>
5585 </varlistentry>
5586
5587
5588
5589 <varlistentry>
5590 <term><anchor id="PASSWORDSERVER">password server (G)</term>
5591 <listitem><para>By specifying the name of another SMB server (such
5592 as a WinNT box) with this option, and using <command>security = domain
5593 </command> or <command>security = server</command> you can get Samba
5594 to do all its username/password validation via a remote server.</para>
5595
5596 <para>This option sets the name of the password server to use.
5597 It must be a NetBIOS name, so if the machine's NetBIOS name is
5598 different from its Internet name then you may have to add its NetBIOS
5599 name to the lmhosts file which is stored in the same directory
5600 as the <filename>smb.conf</filename> file.</para>
5601
5602 <para>The name of the password server is looked up using the
5603 parameter <link linkend="NAMERESOLVEORDER"><parameter>name
5604 resolve order</parameter></link> and so may resolved
5605 by any method and order described in that parameter.</para>
5606
5607 <para>The password server much be a machine capable of using
5608 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
5609 user level security mode.</para>
5610
5611 <para><emphasis>NOTE:</emphasis> Using a password server
5612 means your UNIX box (running Samba) is only as secure as your
5613 password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
5614 YOU DON'T COMPLETELY TRUST</emphasis>.</para>
5615
5616 <para>Never point a Samba server at itself for password
5617 serving. This will cause a loop and could lock up your Samba
5618 server!</para>
5619
5620 <para>The name of the password server takes the standard
5621 substitutions, but probably the only useful one is <parameter>%m
5622 </parameter>, which means the Samba server will use the incoming
5623 client as the password server. If you use this then you better
5624 trust your clients, and you had better restrict them with hosts allow!</para>
5625
5626 <para>If the <parameter>security</parameter> parameter is set to
5627 <constant>domain</constant>, then the list of machines in this
5628 option must be a list of Primary or Backup Domain controllers for the
5629 Domain or the character '*', as the Samba server is effectively
5630 in that domain, and will use cryptographically authenticated RPC calls
5631 to authenticate the user logging on. The advantage of using <command>
5632 security = domain</command> is that if you list several hosts in the
5633 <parameter>password server</parameter> option then <command>smbd
5634 </command> will try each in turn till it finds one that responds. This
5635 is useful in case your primary server goes down.</para>
5636
5637 <para>If the <parameter>password server</parameter> option is set
5638 to the character '*', then Samba will attempt to auto-locate the
5639 Primary or Backup Domain controllers to authenticate against by
5640 doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
5641 and then contacting each server returned in the list of IP
5642 addresses from the name resolution source. </para>
5643
5644 <para>If the <parameter>security</parameter> parameter is
5645 set to <constant>server</constant>, then there are different
5646 restrictions that <command>security = domain</command> doesn't
5647 suffer from:</para>
5648
5649 <itemizedlist>
5650 <listitem><para>You may list several password servers in
5651 the <parameter>password server</parameter> parameter, however if an
5652 <command>smbd</command> makes a connection to a password server,
5653 and then the password server fails, no more users will be able
5654 to be authenticated from this <command>smbd</command>. This is a
5655 restriction of the SMB/CIFS protocol when in <command>security = server
5656 </command> mode and cannot be fixed in Samba.</para></listitem>
5657
5658 <listitem><para>If you are using a Windows NT server as your
5659 password server then you will have to ensure that your users
5660 are able to login from the Samba server, as when in <command>
5661 security = server</command> mode the network logon will appear to
5662 come from there rather than from the users workstation.</para></listitem>
5663 </itemizedlist>
5664
5665 <para>See also the <link linkend="SECURITY"><parameter>security
5666 </parameter></link> parameter.</para>
5667
5668 <para>Default: <command>password server = &lt;empty string&gt;</command>
5669 </para>
5670 <para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2
5671 </command></para>
5672 <para>Example: <command>password server = *</command></para>
5673 </listitem>
5674 </varlistentry>
5675
5676
5677
5678 <varlistentry>
5679 <term><anchor id="PATH">path (S)</term>
5680 <listitem><para>This parameter specifies a directory to which
5681 the user of the service is to be given access. In the case of
5682 printable services, this is where print data will spool prior to
5683 being submitted to the host for printing.</para>
5684
5685 <para>For a printable service offering guest access, the service
5686 should be readonly and the path should be world-writeable and
5687 have the sticky bit set. This is not mandatory of course, but
5688 you probably won't get the results you expect if you do
5689 otherwise.</para>
5690
5691 <para>Any occurrences of <parameter>%u</parameter> in the path
5692 will be replaced with the UNIX username that the client is using
5693 on this connection. Any occurrences of <parameter>%m</parameter>
5694 will be replaced by the NetBIOS name of the machine they are
5695 connecting from. These replacements are very useful for setting
5696 up pseudo home directories for users.</para>
5697
5698 <para>Note that this path will be based on <link linkend="ROOTDIR">
5699 <parameter>root dir</parameter></link> if one was specified.</para>
5700
5701 <para>Default: <emphasis>none</emphasis></para>
5702 <para>Example: <command>path = /home/fred</command></para>
5703 </listitem>
5704 </varlistentry>
5705
5706
5707
5708
5709 <varlistentry>
5710 <term><anchor id="PIDDIRECTORY">pid directory (G)</term>
5711 <listitem><para>This option specifies the directory where pid
5712 files will be placed. </para>
5713
5714 <para>Default: <command>pid directory = ${prefix}/var/locks</command></para>
5715 <para>Example: <command>pid directory = /var/run/</command>
5716 </para></listitem>
5717 </varlistentry>
5718
5719
5720
5721 <varlistentry>
5722 <term><anchor id="POSIXLOCKING">posix locking (S)</term>
5723 <listitem><para>The <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
5724 daemon maintains an database of file locks obtained by SMB clients.
5725 The default behavior is to map this internal database to POSIX
5726 locks. This means that file locks obtained by SMB clients are
5727 consistent with those seen by POSIX compliant applications accessing
5728 the files via a non-SMB method (e.g. NFS or local file access).
5729 You should never need to disable this parameter.</para>
5730
5731 <para>Default: <command>posix locking = yes</command></para>
5732 </listitem>
5733 </varlistentry>
5734
5735
5736
5737
5738 <varlistentry>
5739 <term><anchor id="POSTEXEC">postexec (S)</term>
5740 <listitem><para>This option specifies a command to be run
5741 whenever the service is disconnected. It takes the usual
5742 substitutions. The command may be run as the root on some
5743 systems.</para>
5744
5745 <para>An interesting example may be to unmount server
5746 resources:</para>
5747
5748 <para><command>postexec = /etc/umount /cdrom</command></para>
5749
5750 <para>See also <link linkend="PREEXEC"><parameter>preexec</parameter>
5751 </link>.</para>
5752
5753 <para>Default: <emphasis>none (no command executed)</emphasis>
5754 </para>
5755
5756 <para>Example: <command>postexec = echo \"%u disconnected from %S
5757 from %m (%I)\" &gt;&gt; /tmp/log</command></para>
5758 </listitem>
5759 </varlistentry>
5760
5761
5762
5763 <varlistentry>
5764 <term><anchor id="POSTSCRIPT">postscript (S)</term>
5765 <listitem><para>This parameter forces a printer to interpret
5766 the print files as PostScript. This is done by adding a <constant>%!
5767 </constant> to the start of print output.</para>
5768
5769 <para>This is most useful when you have lots of PCs that persist
5770 in putting a control-D at the start of print jobs, which then
5771 confuses your printer.</para>
5772
5773 <para>Default: <command>postscript = no</command></para>
5774 </listitem>
5775 </varlistentry>
5776
5777
5778
5779 <varlistentry>
5780 <term><anchor id="PREEXEC">preexec (S)</term>
5781 <listitem><para>This option specifies a command to be run whenever
5782 the service is connected to. It takes the usual substitutions.</para>
5783
5784 <para>An interesting example is to send the users a welcome
5785 message every time they log in. Maybe a message of the day? Here
5786 is an example:</para>
5787
5788 <para><command>preexec = csh -c 'echo \"Welcome to %S!\" |
5789 /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para>
5790
5791 <para>Of course, this could get annoying after a while :-)</para>
5792
5793 <para>See also <link linkend="PREEXECCLOSE"><parameter>preexec close
5794 </parameter</link> and <link linkend="POSTEXEC"><parameter>postexec
5795 </parameter></link>.</para>
5796
5797 <para>Default: <emphasis>none (no command executed)</emphasis></para>
5798 <para>Example: <command>preexec = echo \"%u connected to %S from %m
5799 (%I)\" &gt;&gt; /tmp/log</command></para>
5800 </listitem>
5801 </varlistentry>
5802
5803
5804
5805 <varlistentry>
5806 <term><anchor id="PREEXECCLOSE">preexec close (S)</term>
5807 <listitem><para>This boolean option controls whether a non-zero
5808 return code from <link linkend="PREEXEC"><parameter>preexec
5809 </parameter></link> should close the service being connected to.</para>
5810
5811 <para>Default: <command>preexec close = no</command></para>
5812 </listitem>
5813 </varlistentry>
5814
5815
5816 <varlistentry>
5817 <term><anchor id="PREFERREDMASTER">preferred master (G)</term>
5818 <listitem><para>This boolean parameter controls if <ulink
5819 url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser
5820 for its workgroup.</para>
5821
5822 <para>If this is set to <constant>true</constant>, on startup, <command>nmbd</command>
5823 will force an election, and it will have a slight advantage in
5824 winning the election. It is recommended that this parameter is
5825 used in conjunction with <command><link linkend="DOMAINMASTER"><parameter>
5826 domain master</parameter></link> = yes</command>, so that <command>
5827 nmbd</command> can guarantee becoming a domain master.</para>
5828
5829 <para>Use this option with caution, because if there are several
5830 hosts (whether Samba servers, Windows 95 or NT) that are preferred
5831 master browsers on the same subnet, they will each periodically
5832 and continuously attempt to become the local master browser.
5833 This will result in unnecessary broadcast traffic and reduced browsing
5834 capabilities.</para>
5835
5836 <para>See also <link linkend="OSLEVEL"><parameter>os level</parameter>
5837 </link>.</para>
5838
5839 <para>Default: <command>preferred master = auto</command></para>
5840 </listitem>
5841 </varlistentry>
5842
5843
5844
5845 <varlistentry>
5846 <term><anchor id="PREFEREDMASTER">prefered master (G)</term>
5847 <listitem><para>Synonym for <link linkend="PREFERREDMASTER"><parameter>
5848 preferred master</parameter></link> for people who cannot spell :-).</para>
5849 </listitem>
5850 </varlistentry>
5851
5852
5853
5854 <varlistentry>
5855 <term><anchor id="PRELOAD">preload</term>
5856 <listitem><para>This is a list of services that you want to be
5857 automatically added to the browse lists. This is most useful
5858 for homes and printers services that would otherwise not be
5859 visible.</para>
5860
5861 <para>Note that if you just want all printers in your
5862 printcap file loaded then the <link linkend="LOADPRINTERS">
5863 <parameter>load printers</parameter></link> option is easier.</para>
5864
5865 <para>Default: <emphasis>no preloaded services</emphasis></para>
5866
5867 <para>Example: <command>preload = fred lp colorlp</command></para>
5868 </listitem>
5869 </varlistentry>
5870
5871
5872 <varlistentry>
5873 <term><anchor id="PRESERVECASE">preserve case (S)</term>
5874 <listitem><para> This controls if new filenames are created
5875 with the case that the client passes, or if they are forced to
5876 be the <link linkend="DEFAULTCASE"><parameter>default case
5877 </parameter></link>.</para>
5878
5879 <para>Default: <command>preserve case = yes</command></para>
5880
5881 <para>See the section on <link linkend="NAMEMANGLINGSECT">NAME
5882 MANGLING</link> for a fuller discussion.</para>
5883 </listitem>
5884 </varlistentry>
5885
5886
5887
5888 <varlistentry>
5889 <term><anchor id="PRINTCOMMAND">print command (S)</term>
5890 <listitem><para>After a print job has finished spooling to
5891 a service, this command will be used via a <command>system()</command>
5892 call to process the spool file. Typically the command specified will
5893 submit the spool file to the host's printing subsystem, but there
5894 is no requirement that this be the case. The server will not remove
5895 the spool file, so whatever command you specify should remove the
5896 spool file when it has been processed, otherwise you will need to
5897 manually remove old spool files.</para>
5898
5899 <para>The print command is simply a text string. It will be used
5900 verbatim after macro substitutions have been made:</para>
5901
5902 <para>s, %p - the path to the spool
5903 file name</para>
5904
5905 <para>%p - the appropriate printer
5906 name</para>
5907
5908 <para>%J - the job
5909 name as transmitted by the client.</para>
5910
5911 <para>%c - The number of printed pages
5912 of the spooled job (if known).</para>
5913
5914 <para>%z - the size of the spooled
5915 print job (in bytes)</para>
5916
5917 <para>The print command <emphasis>MUST</emphasis> contain at least
5918 one occurrence of <parameter>%s</parameter> or <parameter>%f
5919 </parameter> - the <parameter>%p</parameter> is optional. At the time
5920 a job is submitted, if no printer name is supplied the <parameter>%p
5921 </parameter> will be silently removed from the printer command.</para>
5922
5923 <para>If specified in the [global] section, the print command given
5924 will be used for any printable service that does not have its own
5925 print command specified.</para>
5926
5927 <para>If there is neither a specified print command for a
5928 printable service nor a global print command, spool files will
5929 be created but not processed and (most importantly) not removed.</para>
5930
5931 <para>Note that printing may fail on some UNIXes from the
5932 <constant>nobody</constant> account. If this happens then create
5933 an alternative guest account that can print and set the <link
5934 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>
5935 in the [global] section.</para>
5936
5937 <para>You can form quite complex print commands by realizing
5938 that they are just passed to a shell. For example the following
5939 will log a print job, print the file, then remove it. Note that
5940 ';' is the usual separator for command in shell scripts.</para>
5941
5942 <para><command>print command = echo Printing %s &gt;&gt;
5943 /tmp/print.log; lpr -P %p %s; rm %s</command></para>
5944
5945 <para>You may have to vary this command considerably depending
5946 on how you normally print files on your system. The default for
5947 the parameter varies depending on the setting of the <link linkend="PRINTING">
5948 <parameter>printing</parameter></link> parameter.</para>
5949
5950 <para>Default: For <command>printing = BSD, AIX, QNX, LPRNG
5951 or PLP :</command></para>
5952 <para><command>print command = lpr -r -P%p %s</command></para>
5953
5954 <para>For <command>printing = SYSV or HPUX :</command></para>
5955 <para><command>print command = lp -c -d%p %s; rm %s</command></para>
5956
5957 <para>For <command>printing = SOFTQ :</command></para>
5958 <para><command>print command = lp -d%p -s %s; rm %s</command></para>
5959
5960 <para>For printing = CUPS : If SAMBA is compiled against
5961 libcups, then <link linkend="PRINTING">printcap = cups</link>
5962 uses the CUPS API to
5963 submit jobs, etc. Otherwise it maps to the System V
5964 commands with the -oraw option for printing, i.e. it
5965 uses <command>lp -c -d%p -oraw; rm %s</command>.
5966 With <command>printing = cups</command>,
5967 and if SAMBA is compiled against libcups, any manually
5968 set print command will be ignored.</para>
5969
5970
5971 <para>Example: <command>print command = /usr/local/samba/bin/myprintscript
5972 %p %s</command></para>
5973 </listitem>
5974 </varlistentry>
5975
5976
5977
5978 <varlistentry>
5979 <term><anchor id="PRINTOK">print ok (S)</term>
5980 <listitem><para>Synonym for <link linkend="PRINTABLE">
5981 <parameter>printable</parameter></link>.</para>
5982 </listitem>
5983 </varlistentry>
5984
5985
5986
5987
5988 <varlistentry>
5989 <term><anchor id="PRINTABLE">printable (S)</term>
5990 <listitem><para>If this parameter is <constant>yes</constant>, then
5991 clients may open, write to and submit spool files on the directory
5992 specified for the service. </para>
5993
5994 <para>Note that a printable service will ALWAYS allow writing
5995 to the service path (user privileges permitting) via the spooling
5996 of print data. The <link linkend="WRITEABLE"><parameter>writeable
5997 </parameter></link> parameter controls only non-printing access to
5998 the resource.</para>
5999
6000 <para>Default: <command>printable = no</command></para>
6001 </listitem>
6002 </varlistentry>
6003
6004
6005
6006 <varlistentry>
6007 <term><anchor id="PRINTCAP">printcap (G)</term>
6008 <listitem><para>Synonym for <link linkend="PRINTCAPNAME"><parameter>
6009 printcap name</parameter></link>.</para>
6010 </listitem>
6011 </varlistentry>
6012
6013
6014
6015
6016 <varlistentry>
6017 <term><anchor id="PRINTCAPNAME">printcap name (G)</term>
6018 <listitem><para>This parameter may be used to override the
6019 compiled-in default printcap name used by the server (usually <filename>
6020 /etc/printcap</filename>). See the discussion of the <link
6021 linkend="PRINTERSSECT">[printers]</link> section above for reasons
6022 why you might want to do this.</para>
6023
6024 <para>To use the CUPS printing interface set <command>printcap name = cups
6025 </command>. This should be supplemented by an addtional setting
6026 <link linkend="PRINTING">printing = cups</link> in the [global]
6027 section. <command>printcap name = cups</command> will use the
6028 "dummy" printcap created by CUPS, as specified in your CUPS
6029 configuration file.
6030 </para>
6031
6032 <para>On System V systems that use <command>lpstat</command> to
6033 list available printers you can use <command>printcap name = lpstat
6034 </command> to automatically obtain lists of available printers. This
6035 is the default for systems that define SYSV at configure time in
6036 Samba (this includes most System V based systems). If <parameter>
6037 printcap name</parameter> is set to <command>lpstat</command> on
6038 these systems then Samba will launch <command>lpstat -v</command> and
6039 attempt to parse the output to obtain a printer list.</para>
6040
6041 <para>A minimal printcap file would look something like this:</para>
6042
6043 <para><programlisting>
6044 print1|My Printer 1
6045 print2|My Printer 2
6046 print3|My Printer 3
6047 print4|My Printer 4
6048 print5|My Printer 5
6049 </programlisting></para>
6050
6051 <para>where the '|' separates aliases of a printer. The fact
6052 that the second alias has a space in it gives a hint to Samba
6053 that it's a comment.</para>
6054
6055 <para><emphasis>NOTE</emphasis>: Under AIX the default printcap
6056 name is <filename>/etc/qconfig</filename>. Samba will assume the
6057 file is in AIX <filename>qconfig</filename> format if the string
6058 <filename>qconfig</filename> appears in the printcap filename.</para>
6059
6060 <para>Default: <command>printcap name = /etc/printcap</command></para>
6061 <para>Example: <command>printcap name = /etc/myprintcap</command></para>
6062 </listitem>
6063 </varlistentry>
6064
6065
6066
6067
6068
6069 <varlistentry>
6070 <term><anchor id="PRINTERADMIN">printer admin (S)</term>
6071 <listitem><para>This is a list of users that can do anything to
6072 printers via the remote administration interfaces offered by MS-RPC
6073 (usually using a NT workstation). Note that the root user always
6074 has admin rights.</para>
6075
6076 <para>Default: <command>printer admin = &lt;empty string&gt;</command>
6077 </para>
6078 <para>Example: <command>printer admin = admin, @staff</command></para>
6079 </listitem>
6080 </varlistentry>
6081
6082
6083
6084
6085
6086 <varlistentry>
6087 <term><anchor id="PRINTERDRIVER">printer driver (S)</term>
6088 <listitem><para><emphasis>Note :</emphasis>This is a deprecated
6089 parameter and will be removed in the next major release
6090 following version 2.2. Please see the instructions in
6091 the <ulink url="printer_driver2.html">Samba 2.2. Printing
6092 HOWTO</ulink> for more information
6093 on the new method of loading printer drivers onto a Samba server.
6094 </para>
6095
6096 <para>This option allows you to control the string
6097 that clients receive when they ask the server for the printer driver
6098 associated with a printer. If you are using Windows95 or Windows NT
6099 then you can use this to automate the setup of printers on your
6100 system.</para>
6101
6102 <para>You need to set this parameter to the exact string (case
6103 sensitive) that describes the appropriate printer driver for your
6104 system. If you don't know the exact string to use then you should
6105 first try with no <link linkend="PRINTERDRIVER"><parameter>
6106 printer driver</parameter></link> option set and the client will
6107 give you a list of printer drivers. The appropriate strings are
6108 shown in a scroll box after you have chosen the printer manufacturer.</para>
6109
6110 <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>printer
6111 driver file</parameter></link>.</para>
6112
6113 <para>Example: <command>printer driver = HP LaserJet 4L</command></para>
6114 </listitem>
6115 </varlistentry>
6116
6117
6118
6119 <varlistentry>
6120 <term><anchor id="PRINTERDRIVERFILE">printer driver file (G)</term>
6121 <listitem><para><emphasis>Note :</emphasis>This is a deprecated
6122 parameter and will be removed in the next major release
6123 following version 2.2. Please see the instructions in
6124 the <ulink url="printer_driver2.html">Samba 2.2. Printing
6125 HOWTO</ulink> for more information
6126 on the new method of loading printer drivers onto a Samba server.
6127 </para>
6128
6129 <para>This parameter tells Samba where the printer driver
6130 definition file, used when serving drivers to Windows 95 clients, is
6131 to be found. If this is not set, the default is :</para>
6132
6133 <para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable>
6134 /lib/printers.def</filename></para>
6135
6136 <para>This file is created from Windows 95 <filename>msprint.inf
6137 </filename> files found on the Windows 95 client system. For more
6138 details on setting up serving of printer drivers to Windows 95
6139 clients, see the outdated documentation file in the <filename>docs/</filename>
6140 directory, <filename>PRINTER_DRIVER.txt</filename>.</para>
6141
6142 <para>See also <link linkend="PRINTERDRIVERLOCATION"><parameter>
6143 printer driver location</parameter></link>.</para>
6144
6145 <para>Default: <emphasis>None (set in compile).</emphasis></para>
6146
6147 <para>Example: <command>printer driver file =
6148 /usr/local/samba/printers/drivers.def</command></para>
6149 </listitem>
6150 </varlistentry>
6151
6152
6153
6154
6155 <varlistentry>
6156 <term><anchor id="PRINTERDRIVERLOCATION">printer driver location (S)</term>
6157 <listitem><para><emphasis>Note :</emphasis>This is a deprecated
6158 parameter and will be removed in the next major release
6159 following version 2.2. Please see the instructions in
6160 the <ulink url="printer_driver2.html">Samba 2.2. Printing
6161 HOWTO</ulink> for more information
6162 on the new method of loading printer drivers onto a Samba server.
6163 </para>
6164
6165 <para>This parameter tells clients of a particular printer
6166 share where to find the printer driver files for the automatic
6167 installation of drivers for Windows 95 machines. If Samba is set up
6168 to serve printer drivers to Windows 95 machines, this should be set to</para>
6169
6170 <para><command>\\MACHINE\PRINTER$</command></para>
6171
6172 <para>Where MACHINE is the NetBIOS name of your Samba server,
6173 and PRINTER$ is a share you set up for serving printer driver
6174 files. For more details on setting this up see the outdated documentation
6175 file in the <filename>docs/</filename> directory, <filename>
6176 PRINTER_DRIVER.txt</filename>.</para>
6177
6178 <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>
6179 printer driver file</parameter></link>.</para>
6180
6181 <para>Default: <command>none</command></para>
6182 <para>Example: <command>printer driver location = \\MACHINE\PRINTER$
6183 </command></para>
6184 </listitem>
6185 </varlistentry>
6186
6187
6188
6189 <varlistentry>
6190 <term><anchor id="PRINTERNAME">printer name (S)</term>
6191 <listitem><para>This parameter specifies the name of the printer
6192 to which print jobs spooled through a printable service will be sent.</para>
6193
6194 <para>If specified in the [global] section, the printer
6195 name given will be used for any printable service that does
6196 not have its own printer name specified.</para>
6197
6198 <para>Default: <emphasis>none (but may be <constant>lp</constant>
6199 on many systems)</emphasis></para>
6200
6201 <para>Example: <command>printer name = laserwriter</command></para>
6202 </listitem>
6203 </varlistentry>
6204
6205
6206 <varlistentry>
6207 <term><anchor id="PRINTER">printer (S)</term>
6208 <listitem><para>Synonym for <link linkend="PRINTERNAME"><parameter>
6209 printer name</parameter></link>.</para>
6210 </listitem>
6211 </varlistentry>
6212
6213
6214
6215 <varlistentry>
6216 <term><anchor id="PRINTING">printing (S)</term>
6217 <listitem><para>This parameters controls how printer status
6218 information is interpreted on your system. It also affects the
6219 default values for the <parameter>print command</parameter>,
6220 <parameter>lpq command</parameter>, <parameter>lppause command
6221 </parameter>, <parameter>lpresume command</parameter>, and
6222 <parameter>lprm command</parameter> if specified in the
6223 [global] section.</para>
6224
6225 <para>Currently nine printing styles are supported. They are
6226 <constant>BSD</constant>, <constant>AIX</constant>,
6227 <constant>LPRNG</constant>, <constant>PLP</constant>,
6228 <constant>SYSV</constant>, <constant>HPUX</constant>,
6229 <constant>QNX</constant>, <constant>SOFTQ</constant>,
6230 and <constant>CUPS</constant>.</para>
6231
6232 <para>To see what the defaults are for the other print
6233 commands when using the various options use the <ulink
6234 url="testparm.1.html">testparm(1)</ulink> program.</para>
6235
6236 <para>This option can be set on a per printer basis</para>
6237
6238 <para>See also the discussion in the <link linkend="PRINTERSSECT">
6239 [printers]</link> section.</para>
6240 </listitem>
6241 </varlistentry>
6242
6243
6244
6245
6246 <varlistentry>
6247 <term><anchor id="PROTOCOL">protocol (G)</term>
6248 <listitem><para>Synonym for <link linkend="MAXPROTOCOL">
6249 <parameter>max protocol</parameter></link>.</para></listitem>
6250 </varlistentry>
6251
6252
6253
6254
6255 <varlistentry>
6256 <term><anchor id="PUBLIC">public (S)</term>
6257 <listitem><para>Synonym for <link linkend="GUESTOK"><parameter>guest
6258 ok</parameter></link>.</para>
6259 </listitem>
6260 </varlistentry>
6261
6262
6263
6264 <varlistentry>
6265 <term><anchor id="QUEUEPAUSECOMMAND">queuepause command (S)</term>
6266 <listitem><para>This parameter specifies the command to be
6267 executed on the server host in order to pause the printer queue.</para>
6268
6269 <para>This command should be a program or script which takes
6270 a printer name as its only parameter and stops the printer queue,
6271 such that no longer jobs are submitted to the printer.</para>
6272
6273 <para>This command is not supported by Windows for Workgroups,
6274 but can be issued from the Printers window under Windows 95
6275 and NT.</para>
6276
6277 <para>If a <parameter>%p</parameter> is given then the printer name
6278 is put in its place. Otherwise it is placed at the end of the command.
6279 </para>
6280
6281 <para>Note that it is good practice to include the absolute
6282 path in the command as the PATH may not be available to the
6283 server.</para>
6284
6285 <para>Default: <emphasis>depends on the setting of <parameter>printing
6286 </parameter></emphasis></para>
6287 <para>Example: <command>queuepause command = disable %p</command></para>
6288 </listitem>
6289 </varlistentry>
6290
6291
6292
6293 <varlistentry>
6294 <term><anchor id="QUEUERESUMECOMMAND">queueresume command (S)</term>
6295 <listitem><para>This parameter specifies the command to be
6296 executed on the server host in order to resume the printer queue. It
6297 is the command to undo the behavior that is caused by the
6298 previous parameter (<link linkend="QUEUEPAUSECOMMAND"><parameter>
6299 queuepause command</parameter></link>).</para>
6300
6301 <para>This command should be a program or script which takes
6302 a printer name as its only parameter and resumes the printer queue,
6303 such that queued jobs are resubmitted to the printer.</para>
6304
6305 <para>This command is not supported by Windows for Workgroups,
6306 but can be issued from the Printers window under Windows 95
6307 and NT.</para>
6308
6309 <para>If a <parameter>%p</parameter> is given then the printer name
6310 is put in its place. Otherwise it is placed at the end of the
6311 command.</para>
6312
6313 <para>Note that it is good practice to include the absolute
6314 path in the command as the PATH may not be available to the
6315 server.</para>
6316
6317 <para>Default: <emphasis>depends on the setting of <link
6318 linkend="PRINTING"><parameter>printing</parameter></link></emphasis>
6319 </para>
6320
6321 <para>Example: <command>queuepause command = enable %p
6322 </command></para>
6323 </listitem>
6324 </varlistentry>
6325
6326
6327
6328 <varlistentry>
6329 <term><anchor id="READBMPX">read bmpx (G)</term>
6330 <listitem><para>This boolean parameter controls whether <ulink
6331 url="smbd.8.html">smbd(8)</ulink> will support the "Read
6332 Block Multiplex" SMB. This is now rarely used and defaults to
6333 <constant>no</constant>. You should never need to set this
6334 parameter.</para>
6335
6336 <para>Default: <command>read bmpx = no</command></para>
6337 </listitem>
6338 </varlistentry>
6339
6340
6341
6342
6343 <varlistentry>
6344 <term><anchor id="READLIST">read list (S)</term>
6345 <listitem><para>This is a list of users that are given read-only
6346 access to a service. If the connecting user is in this list then
6347 they will not be given write access, no matter what the <link
6348 linkend="WRITEABLE"><parameter>writeable</parameter></link>
6349 option is set to. The list can include group names using the
6350 syntax described in the <link linkend="INVALIDUSERS"><parameter>
6351 invalid users</parameter></link> parameter.</para>
6352
6353 <para>See also the <link linkend="WRITELIST"><parameter>
6354 write list</parameter></link> parameter and the <link
6355 linkend="INVALIDUSERS"><parameter>invalid users</parameter>
6356 </link> parameter.</para>
6357
6358 <para>Default: <command>read list = &lt;empty string&gt;</command></para>
6359 <para>Example: <command>read list = mary, @students</command></para>
6360 </listitem>
6361 </varlistentry>
6362
6363
6364
6365 <varlistentry>
6366 <term><anchor id="READONLY">read only (S)</term>
6367 <listitem><para>Note that this is an inverted synonym for <link
6368 linkend="WRITEABLE"><parameter>writeable</parameter></link>.</para>
6369 </listitem>
6370 </varlistentry>
6371
6372
6373
6374 <varlistentry>
6375 <term><anchor id="READRAW">read raw (G)</term>
6376 <listitem><para>This parameter controls whether or not the server
6377 will support the raw read SMB requests when transferring data
6378 to clients.</para>
6379
6380 <para>If enabled, raw reads allow reads of 65535 bytes in
6381 one packet. This typically provides a major performance benefit.
6382 </para>
6383
6384 <para>However, some clients either negotiate the allowable
6385 block size incorrectly or are incapable of supporting larger block
6386 sizes, and for these clients you may need to disable raw reads.</para>
6387
6388 <para>In general this parameter should be viewed as a system tuning
6389 tool and left severely alone. See also <link linkend="WRITERAW">
6390 <parameter>write raw</parameter></link>.</para>
6391
6392 <para>Default: <command>read raw = yes</command></para>
6393 </listitem>
6394 </varlistentry>
6395
6396
6397 <varlistentry>
6398 <term><anchor id="READSIZE">read size (G)</term>
6399 <listitem><para>The option <parameter>read size</parameter>
6400 affects the overlap of disk reads/writes with network reads/writes.
6401 If the amount of data being transferred in several of the SMB
6402 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
6403 than this value then the server begins writing the data before it
6404 has received the whole packet from the network, or in the case of
6405 SMBreadbraw, it begins writing to the network before all the data
6406 has been read from disk.</para>
6407
6408 <para>This overlapping works best when the speeds of disk and
6409 network access are similar, having very little effect when the
6410 speed of one is much greater than the other.</para>
6411
6412 <para>The default value is 16384, but very little experimentation
6413 has been done yet to determine the optimal value, and it is likely
6414 that the best value will vary greatly between systems anyway.
6415 A value over 65536 is pointless and will cause you to allocate
6416 memory unnecessarily.</para>
6417
6418 <para>Default: <command>read size = 16384</command></para>
6419 <para>Example: <command>read size = 8192</command></para>
6420 </listitem>
6421 </varlistentry>
6422
6423
6424
6425 <varlistentry>
6426 <term><anchor id="REMOTEANNOUNCE">remote announce (G)</term>
6427 <listitem><para>This option allows you to setup <ulink
6428 url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself
6429 to arbitrary IP addresses with an arbitrary workgroup name.</para>
6430
6431 <para>This is useful if you want your Samba server to appear
6432 in a remote workgroup for which the normal browse propagation
6433 rules don't work. The remote workgroup can be anywhere that you
6434 can send IP packets to.</para>
6435
6436 <para>For example:</para>
6437
6438 <para><command>remote announce = 192.168.2.255/SERVERS
6439 192.168.4.255/STAFF</command></para>
6440
6441 <para>the above line would cause <command>nmbd</command> to announce itself
6442 to the two given IP addresses using the given workgroup names.
6443 If you leave out the workgroup name then the one given in
6444 the <link linkend="WORKGROUP"><parameter>workgroup</parameter></link>
6445 parameter is used instead.</para>
6446
6447 <para>The IP addresses you choose would normally be the broadcast
6448 addresses of the remote networks, but can also be the IP addresses
6449 of known browse masters if your network config is that stable.</para>
6450
6451 <para>See the documentation file <filename>BROWSING.txt</filename>
6452 in the <filename>docs/</filename> directory.</para>
6453
6454 <para>Default: <command>remote announce = &lt;empty string&gt;
6455 </command></para>
6456 </listitem>
6457 </varlistentry>
6458
6459
6460
6461 <varlistentry>
6462 <term><anchor id="REMOTEBROWSESYNC">remote browse sync (G)</term>
6463 <listitem><para>This option allows you to setup <ulink
6464 url="nmbd.8.html">nmbd(8)</ulink> to periodically request
6465 synchronization of browse lists with the master browser of a Samba
6466 server that is on a remote segment. This option will allow you to
6467 gain browse lists for multiple workgroups across routed networks. This
6468 is done in a manner that does not work with any non-Samba servers.</para>
6469
6470 <para>This is useful if you want your Samba server and all local
6471 clients to appear in a remote workgroup for which the normal browse
6472 propagation rules don't work. The remote workgroup can be anywhere
6473 that you can send IP packets to.</para>
6474
6475 <para>For example:</para>
6476
6477 <para><command>remote browse sync = 192.168.2.255 192.168.4.255
6478 </command></para>
6479
6480 <para>the above line would cause <command>nmbd</command> to request
6481 the master browser on the specified subnets or addresses to
6482 synchronize their browse lists with the local server.</para>
6483
6484 <para>The IP addresses you choose would normally be the broadcast
6485 addresses of the remote networks, but can also be the IP addresses
6486 of known browse masters if your network config is that stable. If
6487 a machine IP address is given Samba makes NO attempt to validate
6488 that the remote machine is available, is listening, nor that it
6489 is in fact the browse master on its segment.</para>
6490
6491 <para>Default: <command>remote browse sync = &lt;empty string&gt;
6492 </command></para>
6493 </listitem>
6494 </varlistentry>
6495
6496
6497
6498
6499 <varlistentry>
6500 <term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term>
6501 <listitem><para>This is a boolean parameter. If it is <constant>true</constant>, then
6502 anonymous access to the server will be restricted, namely in the
6503 case where the server is expecting the client to send a username,
6504 but it doesn't. Setting it to <constant>true</constant> will force these anonymous
6505 connections to be denied, and the client will be required to always
6506 supply a username and password when connecting. Use of this parameter
6507 is only recommended for homogeneous NT client environments.</para>
6508
6509 <para>This parameter makes the use of macro expansions that rely
6510 on the username (%U, %G, etc) consistent. NT 4.0
6511 likes to use anonymous connections when refreshing the share list,
6512 and this is a way to work around that.</para>
6513
6514 <para>When restrict anonymous is <constant>true</constant>, all anonymous connections
6515 are denied no matter what they are for. This can effect the ability
6516 of a machine to access the Samba Primary Domain Controller to revalidate
6517 its machine account after someone else has logged on the client
6518 interactively. The NT client will display a message saying that
6519 the machine's account in the domain doesn't exist or the password is
6520 bad. The best way to deal with this is to reboot NT client machines
6521 between interactive logons, using "Shutdown and Restart", rather
6522 than "Close all programs and logon as a different user".</para>
6523
6524 <para>Default: <command>restrict anonymous = no</command></para>
6525 </listitem>
6526 </varlistentry>
6527
6528
6529
6530 <varlistentry>
6531 <term><anchor id="ROOT">root (G)</term>
6532 <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
6533 <parameter>root directory"</parameter></link>.</para>
6534 </listitem>
6535 </varlistentry>
6536
6537
6538
6539 <varlistentry>
6540 <term><anchor id="ROOTDIR">root dir (G)</term>
6541 <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
6542 <parameter>root directory"</parameter></link>.</para>
6543 </listitem>
6544 </varlistentry>
6545
6546
6547 <varlistentry>
6548 <term><anchor id="ROOTDIRECTORY">root directory (G)</term>
6549 <listitem><para>The server will <command>chroot()</command> (i.e.
6550 Change its root directory) to this directory on startup. This is
6551 not strictly necessary for secure operation. Even without it the
6552 server will deny access to files not in one of the service entries.
6553 It may also check for, and deny access to, soft links to other
6554 parts of the filesystem, or attempts to use ".." in file names
6555 to access other directories (depending on the setting of the <link
6556 linkend="WIDELINKS"><parameter>wide links</parameter></link>
6557 parameter).</para>
6558
6559 <para>Adding a <parameter>root directory</parameter> entry other
6560 than "/" adds an extra level of security, but at a price. It
6561 absolutely ensures that no access is given to files not in the
6562 sub-tree specified in the <parameter>root directory</parameter>
6563 option, <emphasis>including</emphasis> some files needed for
6564 complete operation of the server. To maintain full operability
6565 of the server you will need to mirror some system files
6566 into the <parameter>root directory</parameter> tree. In particular
6567 you will need to mirror <filename>/etc/passwd</filename> (or a
6568 subset of it), and any binaries or configuration files needed for
6569 printing (if required). The set of files that must be mirrored is
6570 operating system dependent.</para>
6571
6572 <para>Default: <command>root directory = /</command></para>
6573 <para>Example: <command>root directory = /homes/smb</command></para>
6574 </listitem>
6575 </varlistentry>
6576
6577
6578
6579 <varlistentry>
6580 <term><anchor id="ROOTPOSTEXEC">root postexec (S)</term>
6581 <listitem><para>This is the same as the <parameter>postexec</parameter>
6582 parameter except that the command is run as root. This
6583 is useful for unmounting filesystems
6584 (such as CDROMs) after a connection is closed.</para>
6585
6586 <para>See also <link linkend="POSTEXEC"><parameter>
6587 postexec</parameter></link>.</para>
6588
6589 <para>Default: <command>root postexec = &lt;empty string&gt;
6590 </command></para>
6591 </listitem>
6592 </varlistentry>
6593
6594 <varlistentry>
6595 <term><anchor id="ROOTPREEXEC">root preexec (S)</term>
6596 <listitem><para>This is the same as the <parameter>preexec</parameter>
6597 parameter except that the command is run as root. This
6598 is useful for mounting filesystems (such as CDROMs) when a
6599 connection is opened.</para>
6600
6601 <para>See also <link linkend="PREEXEC"><parameter>
6602 preexec</parameter></link> and <link linkend="PREEXECCLOSE">
6603 <parameter>preexec close</parameter></link>.</para>
6604
6605 <para>Default: <command>root preexec = &lt;empty string&gt;
6606 </command></para>
6607 </listitem>
6608 </varlistentry>
6609
6610
6611
6612 <varlistentry>
6613 <term><anchor id="ROOTPREEXECCLOSE">root preexec close (S)</term>
6614 <listitem><para>This is the same as the <parameter>preexec close
6615 </parameter> parameter except that the command is run as root.</para>
6616
6617 <para>See also <link linkend="PREEXEC"><parameter>
6618 preexec</parameter></link> and <link linkend="PREEXECCLOSE">
6619 <parameter>preexec close</parameter></link>.</para>
6620
6621 <para>Default: <command>root preexec close = no</command></para>
6622 </listitem>
6623 </varlistentry>
6624
6625
6626 <varlistentry>
6627 <term><anchor id="SECURITY">security (G)</term>
6628 <listitem><para>This option affects how clients respond to
6629 Samba and is one of the most important settings in the <filename>
6630 smb.conf</filename> file.</para>
6631
6632 <para>The option sets the "security mode bit" in replies to
6633 protocol negotiations with <ulink url="smbd.8.html">smbd(8)
6634 </ulink> to turn share level security on or off. Clients decide
6635 based on this bit whether (and how) to transfer user and password
6636 information to the server.</para>
6637
6638
6639 <para>The default is <command>security = user</command>, as this is
6640 the most common setting needed when talking to Windows 98 and
6641 Windows NT.</para>
6642
6643 <para>The alternatives are <command>security = share</command>,
6644 <command>security = server</command> or <command>security = domain
6645 </command>.</para>
6646
6647 <para>In versions of Samba prior to 2.0.0, the default was
6648 <command>security = share</command> mainly because that was
6649 the only option at one stage.</para>
6650
6651 <para>There is a bug in WfWg that has relevance to this
6652 setting. When in user or server level security a WfWg client
6653 will totally ignore the password you type in the "connect
6654 drive" dialog box. This makes it very difficult (if not impossible)
6655 to connect to a Samba service as anyone except the user that
6656 you are logged into WfWg as.</para>
6657
6658 <para>If your PCs use usernames that are the same as their
6659 usernames on the UNIX machine then you will want to use
6660 <command>security = user</command>. If you mostly use usernames
6661 that don't exist on the UNIX box then use <command>security =
6662 share</command>.</para>
6663
6664 <para>You should also use <command>security = share</command> if you
6665 want to mainly setup shares without a password (guest shares). This
6666 is commonly used for a shared printer server. It is more difficult
6667 to setup guest shares with <command>security = user</command>, see
6668 the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
6669 </link>parameter for details.</para>
6670
6671 <para>It is possible to use <command>smbd</command> in a <emphasis>
6672 hybrid mode</emphasis> where it is offers both user and share
6673 level security under different <link linkend="NETBIOSALIASES">
6674 <parameter>NetBIOS aliases</parameter></link>. </para>
6675
6676 <para>The different settings will now be explained.</para>
6677
6678
6679 <para><anchor id="SECURITYEQUALSSHARE"><emphasis>SECURITY = SHARE
6680 </emphasis></para>
6681
6682 <para>When clients connect to a share level security server they
6683 need not log onto the server with a valid username and password before
6684 attempting to connect to a shared resource (although modern clients
6685 such as Windows 95/98 and Windows NT will send a logon request with
6686 a username but no password when talking to a <command>security = share
6687 </command> server). Instead, the clients send authentication information
6688 (passwords) on a per-share basis, at the time they attempt to connect
6689 to that share.</para>
6690
6691 <para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis>
6692 uses a valid UNIX user to act on behalf of the client, even in
6693 <command>security = share</command> level security.</para>
6694
6695 <para>As clients are not required to send a username to the server
6696 in share level security, <command>smbd</command> uses several
6697 techniques to determine the correct UNIX user to use on behalf
6698 of the client.</para>
6699
6700 <para>A list of possible UNIX usernames to match with the given
6701 client password is constructed using the following methods :</para>
6702
6703 <itemizedlist>
6704 <listitem><para>If the <link linkend="GUESTONLY"><parameter>guest
6705 only</parameter></link> parameter is set, then all the other
6706 stages are missed and only the <link linkend="GUESTACCOUNT">
6707 <parameter>guest account</parameter></link> username is checked.
6708 </para></listitem>
6709
6710 <listitem><para>Is a username is sent with the share connection
6711 request, then this username (after mapping - see <link
6712 linkend="USERNAMEMAP"><parameter>username map</parameter></link>),
6713 is added as a potential username.</para></listitem>
6714
6715 <listitem><para>If the client did a previous <emphasis>logon
6716 </emphasis> request (the SessionSetup SMB call) then the
6717 username sent in this SMB will be added as a potential username.
6718 </para></listitem>
6719
6720 <listitem><para>The name of the service the client requested is
6721 added as a potential username.</para></listitem>
6722
6723 <listitem><para>The NetBIOS name of the client is added to
6724 the list as a potential username.</para></listitem>
6725
6726 <listitem><para>Any users on the <link linkend="USER"><parameter>
6727 user</parameter></link> list are added as potential usernames.
6728 </para></listitem>
6729 </itemizedlist>
6730
6731 <para>If the <parameter>guest only</parameter> parameter is
6732 not set, then this list is then tried with the supplied password.
6733 The first user for whom the password matches will be used as the
6734 UNIX user.</para>
6735
6736 <para>If the <parameter>guest only</parameter> parameter is
6737 set, or no username can be determined then if the share is marked
6738 as available to the <parameter>guest account</parameter>, then this
6739 guest user will be used, otherwise access is denied.</para>
6740
6741 <para>Note that it can be <emphasis>very</emphasis> confusing
6742 in share-level security as to which UNIX username will eventually
6743 be used in granting access.</para>
6744
6745 <para>See also the section <link linkend="VALIDATIONSECT">
6746 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6747
6748 <para><anchor id="SECURITYEQUALSUSER"><emphasis>SECURITY = USER
6749 </emphasis></para>
6750
6751 <para>This is the default security setting in Samba 2.2.
6752 With user-level security a client must first "log-on" with a
6753 valid username and password (which can be mapped using the <link
6754 linkend="USERNAMEMAP"><parameter>username map</parameter></link>
6755 parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
6756 <parameter>encrypted passwords</parameter></link> parameter) can also
6757 be used in this security mode. Parameters such as <link linkend="USER">
6758 <parameter>user</parameter></link> and <link linkend="GUESTONLY">
6759 <parameter>guest only</parameter></link> if set are then applied and
6760 may change the UNIX user to use on this connection, but only after
6761 the user has been successfully authenticated.</para>
6762
6763 <para><emphasis>Note</emphasis> that the name of the resource being
6764 requested is <emphasis>not</emphasis> sent to the server until after
6765 the server has successfully authenticated the client. This is why
6766 guest shares don't work in user level security without allowing
6767 the server to automatically map unknown users into the <link
6768 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
6769 See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
6770 </link> parameter for details on doing this.</para>
6771
6772 <para>See also the section <link linkend="VALIDATIONSECT">
6773 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6774
6775 <para><anchor id="SECURITYEQUALSSERVER"><emphasis>SECURITY = SERVER
6776 </emphasis></para>
6777
6778 <para>In this mode Samba will try to validate the username/password
6779 by passing it to another SMB server, such as an NT box. If this
6780 fails it will revert to <command>security = user</command>, but note
6781 that if encrypted passwords have been negotiated then Samba cannot
6782 revert back to checking the UNIX password file, it must have a valid
6783 <filename>smbpasswd</filename> file to check users against. See the
6784 documentation file in the <filename>docs/</filename> directory
6785 <filename>ENCRYPTION.txt</filename> for details on how to set this
6786 up.</para>
6787
6788 <para><emphasis>Note</emphasis> that from the client's point of
6789 view <command>security = server</command> is the same as <command>
6790 security = user</command>. It only affects how the server deals
6791 with the authentication, it does not in any way affect what the
6792 client sees.</para>
6793
6794 <para><emphasis>Note</emphasis> that the name of the resource being
6795 requested is <emphasis>not</emphasis> sent to the server until after
6796 the server has successfully authenticated the client. This is why
6797 guest shares don't work in user level security without allowing
6798 the server to automatically map unknown users into the <link
6799 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
6800 See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
6801 </link> parameter for details on doing this.</para>
6802
6803 <para>See also the section <link linkend="VALIDATIONSECT">
6804 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6805
6806 <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
6807 server</parameter></link> parameter and the <link
6808 linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
6809 </link> parameter.</para>
6810
6811 <para><anchor id="SECURITYEQUALSDOMAIN"><emphasis>SECURITY = DOMAIN
6812 </emphasis></para>
6813
6814 <para>This mode will only work correctly if <ulink
6815 url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this
6816 machine into a Windows NT Domain. It expects the <link
6817 linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
6818 </link> parameter to be set to <constant>true</constant>. In this
6819 mode Samba will try to validate the username/password by passing
6820 it to a Windows NT Primary or Backup Domain Controller, in exactly
6821 the same way that a Windows NT Server would do.</para>
6822
6823 <para><emphasis>Note</emphasis> that a valid UNIX user must still
6824 exist as well as the account on the Domain Controller to allow
6825 Samba to have a valid UNIX account to map file access to.</para>
6826
6827 <para><emphasis>Note</emphasis> that from the client's point
6828 of view <command>security = domain</command> is the same as <command>security = user
6829 </command>. It only affects how the server deals with the authentication,
6830 it does not in any way affect what the client sees.</para>
6831
6832 <para><emphasis>Note</emphasis> that the name of the resource being
6833 requested is <emphasis>not</emphasis> sent to the server until after
6834 the server has successfully authenticated the client. This is why
6835 guest shares don't work in user level security without allowing
6836 the server to automatically map unknown users into the <link
6837 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
6838 See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
6839 </link> parameter for details on doing this.</para>
6840
6841 <para><emphasis>BUG:</emphasis> There is currently a bug in the
6842 implementation of <command>security = domain</command> with respect
6843 to multi-byte character set usernames. The communication with a
6844 Domain Controller must be done in UNICODE and Samba currently
6845 does not widen multi-byte user names to UNICODE correctly, thus
6846 a multi-byte username will not be recognized correctly at the
6847 Domain Controller. This issue will be addressed in a future release.</para>
6848
6849 <para>See also the section <link linkend="VALIDATIONSECT">
6850 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6851
6852 <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
6853 server</parameter></link> parameter and the <link
6854 linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
6855 </link> parameter.</para>
6856
6857 <para>Default: <command>security = USER</command></para>
6858 <para>Example: <command>security = DOMAIN</command></para>
6859 </listitem>
6860 </varlistentry>
6861
6862
6863
6864 <varlistentry>
6865 <term><anchor id="SECURITYMASK">security mask (S)</term>
6866 <listitem><para>This parameter controls what UNIX permission
6867 bits can be modified when a Windows NT client is manipulating
6868 the UNIX permission on a file using the native NT security
6869 dialog box.</para>
6870
6871 <para>This parameter is applied as a mask (AND'ed with) to
6872 the changed permission bits, thus preventing any bits not in
6873 this mask from being modified. Essentially, zero bits in this
6874 mask may be treated as a set of bits the user is not allowed
6875 to change.</para>
6876
6877 <para>If not set explicitly this parameter is 0777, allowing
6878 a user to modify all the user/group/world permissions on a file.
6879 </para>
6880
6881 <para><emphasis>Note</emphasis> that users who can access the
6882 Samba server through other means can easily bypass this
6883 restriction, so it is primarily useful for standalone
6884 "appliance" systems. Administrators of most normal systems will
6885 probably want to leave it set to <constant>0777</constant>.</para>
6886
6887 <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
6888 <parameter>force directory security mode</parameter></link>,
6889 <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
6890 security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
6891 <parameter>force security mode</parameter></link> parameters.</para>
6892
6893 <para>Default: <command>security mask = 0777</command></para>
6894 <para>Example: <command>security mask = 0770</command></para>
6895 </listitem>
6896 </varlistentry>
6897
6898
6899 <varlistentry>
6900 <term><anchor id="SERVERSTRING">server string (G)</term>
6901 <listitem><para>This controls what string will show up in the
6902 printer comment box in print manager and next to the IPC connection
6903 in <command>net view</command>. It can be any string that you wish
6904 to show to your users.</para>
6905
6906 <para>It also sets what will appear in browse lists next
6907 to the machine name.</para>
6908
6909 <para>A <parameter>%v</parameter> will be replaced with the Samba
6910 version number.</para>
6911
6912 <para>A <parameter>%h</parameter> will be replaced with the
6913 hostname.</para>
6914
6915 <para>Default: <command>server string = Samba %v</command></para>
6916
6917 <para>Example: <command>server string = University of GNUs Samba
6918 Server</command></para>
6919 </listitem>
6920 </varlistentry>
6921
6922
6923
6924 <varlistentry>
6925 <term><anchor id="SETDIRECTORY">set directory (S)</term>
6926 <listitem><para>If <command>set directory = no</command>, then
6927 users of the service may not use the setdir command to change
6928 directory.</para>
6929
6930 <para>The <command>setdir</command> command is only implemented
6931 in the Digital Pathworks client. See the Pathworks documentation
6932 for details.</para>
6933
6934 <para>Default: <command>set directory = no</command></para>
6935 </listitem>
6936 </varlistentry>
6937
6938
6939
6940 <varlistentry>
6941 <term><anchor id="SHAREMODES">share modes (S)</term>
6942 <listitem><para>This enables or disables the honoring of
6943 the <parameter>share modes</parameter> during a file open. These
6944 modes are used by clients to gain exclusive read or write access
6945 to a file.</para>
6946
6947 <para>These open modes are not directly supported by UNIX, so
6948 they are simulated using shared memory, or lock files if your
6949 UNIX doesn't support shared memory (almost all do).</para>
6950
6951 <para>The share modes that are enabled by this option are
6952 <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>,
6953 <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>,
6954 <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>.
6955 </para>
6956
6957 <para>This option gives full share compatibility and enabled
6958 by default.</para>
6959
6960 <para>You should <emphasis>NEVER</emphasis> turn this parameter
6961 off as many Windows applications will break if you do so.</para>
6962
6963 <para>Default: <command>share modes = yes</command></para>
6964 </listitem>
6965 </varlistentry>
6966
6967
6968
6969 <varlistentry>
6970 <term><anchor id="SHORTPRESERVECASE">short preserve case (S)</term>
6971 <listitem><para>This boolean parameter controls if new files
6972 which conform to 8.3 syntax, that is all in upper case and of
6973 suitable length, are created upper case, or if they are forced
6974 to be the <link linkend="DEFAULTCASE"><parameter>default case
6975 </parameter></link>. This option can be use with <link
6976 linkend="PRESERVECASE"><command>preserve case = yes</command>
6977 </link> to permit long filenames to retain their case, while short
6978 names are lowered. </para>
6979
6980 <para>See the section on <link linkend="NAMEMANGLINGSECT">
6981 NAME MANGLING</link>.</para>
6982
6983 <para>Default: <command>short preserve case = yes</command></para>
6984 </listitem>
6985 </varlistentry>
6986
6987
6988
6989 <varlistentry>
6990 <term><anchor id="SHOWADDPRINTERWIZARD">show add printer wizard (G)</term>
6991 <listitem><para>With the introduction of MS-RPC based printing support
6992 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
6993 appear on Samba hosts in the share listing. Normally this folder will
6994 contain an icon for the MS Add Printer Wizard (APW). However, it is
6995 possible to disable this feature regardless of the level of privilege
6996 of the connected user.</para>
6997
6998 <para>Under normal circumstances, the Windows NT/2000 client will
6999 open a handle on the printer server with OpenPrinterEx() asking for
7000 Administrator privileges. If the user does not have administrative
7001 access on the print server (i.e is not root or a member of the
7002 <parameter>printer admin</parameter> group), the OpenPrinterEx()
7003 call fails and the client makes another open call with a request for
7004 a lower privilege level. This should succeed, however the APW
7005 icon will not be displayed.</para>
7006
7007 <para>Disabling the <parameter>show add printer wizard</parameter>
7008 parameter will always cause the OpenPrinterEx() on the server
7009 to fail. Thus the APW icon will never be displayed. <emphasis>
7010 Note :</emphasis>This does not prevent the same user from having
7011 administrative privilege on an individual printer.</para>
7012
7013 <para>See also <link linkend="ADDPRINTERCOMMAND"><parameter>addprinter
7014 command</parameter></link>, <link linkend="DELETEPRINTERCOMMAND">
7015 <parameter>deleteprinter command</parameter></link>, <link
7016 linkend="PRINTERADMIN"><parameter>printer admin</parameter></link></para>
7017
7018 <para>Default :<command>show add printer wizard = yes</command></para>
7019 </listitem>
7020 </varlistentry>
7021
7022
7023
7024
7025 <varlistentry>
7026 <term><anchor id="SMBPASSWDFILE">smb passwd file (G)</term>
7027 <listitem><para>This option sets the path to the encrypted
7028 smbpasswd file. By default the path to the smbpasswd file
7029 is compiled into Samba.</para>
7030
7031 <para>Default: <command>smb passwd file = ${prefix}/private/smbpasswd
7032 </command></para>
7033
7034 <para>Example: <command>smb passwd file = /etc/samba/smbpasswd
7035 </command></para>
7036 </listitem>
7037 </varlistentry>
7038
7039
7040
7041
7042 <varlistentry>
7043 <term><anchor id="SOCKETADDRESS">socket address (G)</term>
7044 <listitem><para>This option allows you to control what
7045 address Samba will listen for connections on. This is used to
7046 support multiple virtual interfaces on the one server, each
7047 with a different configuration.</para>
7048
7049 <para>By default Samba will accept connections on any
7050 address.</para>
7051
7052 <para>Example: <command>socket address = 192.168.2.20</command>
7053 </para>
7054 </listitem>
7055 </varlistentry>
7056
7057
7058
7059 <varlistentry>
7060 <term><anchor id="SOCKETOPTIONS">socket options (G)</term>
7061 <listitem><para>This option allows you to set socket options
7062 to be used when talking with the client.</para>
7063
7064 <para>Socket options are controls on the networking layer
7065 of the operating systems which allow the connection to be
7066 tuned.</para>
7067
7068 <para>This option will typically be used to tune your Samba
7069 server for optimal performance for your local network. There is
7070 no way that Samba can know what the optimal parameters are for
7071 your net, so you must experiment and choose them yourself. We
7072 strongly suggest you read the appropriate documentation for your
7073 operating system first (perhaps <command>man setsockopt</command>
7074 will help).</para>
7075
7076 <para>You may find that on some systems Samba will say
7077 "Unknown socket option" when you supply an option. This means you
7078 either incorrectly typed it or you need to add an include file
7079 to includes.h for your OS. If the latter is the case please
7080 send the patch to <ulink url="mailto:samba@samba.org">
7081 samba@samba.org</ulink>.</para>
7082
7083 <para>Any of the supported socket options may be combined
7084 in any way you like, as long as your OS allows it.</para>
7085
7086 <para>This is the list of socket options currently settable
7087 using this option:</para>
7088
7089 <itemizedlist>
7090 <listitem><para>SO_KEEPALIVE</para></listitem>
7091 <listitem><para>SO_REUSEADDR</para></listitem>
7092 <listitem><para>SO_BROADCAST</para></listitem>
7093 <listitem><para>TCP_NODELAY</para></listitem>
7094 <listitem><para>IPTOS_LOWDELAY</para></listitem>
7095 <listitem><para>IPTOS_THROUGHPUT</para></listitem>
7096 <listitem><para>SO_SNDBUF *</para></listitem>
7097 <listitem><para>SO_RCVBUF *</para></listitem>
7098 <listitem><para>SO_SNDLOWAT *</para></listitem>
7099 <listitem><para>SO_RCVLOWAT *</para></listitem>
7100 </itemizedlist>
7101
7102 <para>Those marked with a <emphasis>'*'</emphasis> take an integer
7103 argument. The others can optionally take a 1 or 0 argument to enable
7104 or disable the option, by default they will be enabled if you
7105 don't specify 1 or 0.</para>
7106
7107 <para>To specify an argument use the syntax SOME_OPTION = VALUE
7108 for example <command>SO_SNDBUF = 8192</command>. Note that you must
7109 not have any spaces before or after the = sign.</para>
7110
7111 <para>If you are on a local network then a sensible option
7112 might be</para>
7113 <para><command>socket options = IPTOS_LOWDELAY</command></para>
7114
7115 <para>If you have a local network then you could try:</para>
7116 <para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
7117
7118 <para>If you are on a wide area network then perhaps try
7119 setting IPTOS_THROUGHPUT. </para>
7120
7121 <para>Note that several of the options may cause your Samba
7122 server to fail completely. Use these options with caution!</para>
7123
7124 <para>Default: <command>socket options = TCP_NODELAY</command></para>
7125 <para>Example: <command>socket options = IPTOS_LOWDELAY</command></para>
7126 </listitem>
7127 </varlistentry>
7128
7129
7130
7131
7132 <varlistentry>
7133 <term><anchor id="SOURCEENVIRONMENT">source environment (G)</term>
7134 <listitem><para>This parameter causes Samba to set environment
7135 variables as per the content of the file named.</para>
7136
7137 <para>If the value of this parameter starts with a "|" character
7138 then Samba will treat that value as a pipe command to open and
7139 will set the environment variables from the output of the pipe.</para>
7140
7141 <para>The contents of the file or the output of the pipe should
7142 be formatted as the output of the standard Unix <command>env(1)
7143 </command> command. This is of the form :</para>
7144 <para>Example environment entry:</para>
7145 <para><command>SAMBA_NETBIOS_NAME = myhostname</command></para>
7146
7147 <para>Default: <emphasis>No default value</emphasis></para>
7148 <para>Examples: <command>source environment = |/etc/smb.conf.sh
7149 </command></para>
7150
7151 <para>Example: <command>source environment =
7152 /usr/local/smb_env_vars</command></para>
7153 </listitem>
7154 </varlistentry>
7155
7156
7157
7158 <varlistentry>
7159 <term><anchor id="SSL">ssl (G)</term>
7160 <listitem><para>This variable is part of SSL-enabled Samba. This
7161 is only available if the SSL libraries have been compiled on your
7162 system and the configure option <command>--with-ssl</command> was
7163 given at configure time.</para>
7164
7165 <para>This variable enables or disables the entire SSL mode. If
7166 it is set to <constant>no</constant>, the SSL-enabled Samba behaves
7167 exactly like the non-SSL Samba. If set to <constant>yes</constant>,
7168 it depends on the variables <link linkend="SSLHOSTS"><parameter>
7169 ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN">
7170 <parameter>ssl hosts resign</parameter></link> whether an SSL
7171 connection will be required.</para>
7172
7173 <para>Default: <command>ssl = no</command></para>
7174 </listitem>
7175 </varlistentry>
7176
7177
7178
7179 <varlistentry>
7180 <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term>
7181 <listitem><para>This variable is part of SSL-enabled Samba. This
7182 is only available if the SSL libraries have been compiled on your
7183 system and the configure option <command>--with-ssl</command> was
7184 given at configure time.</para>
7185
7186 <para>This variable defines where to look up the Certification
7187 Authorities. The given directory should contain one file for
7188 each CA that Samba will trust. The file name must be the hash
7189 value over the "Distinguished Name" of the CA. How this directory
7190 is set up is explained later in this document. All files within the
7191 directory that don't fit into this naming scheme are ignored. You
7192 don't need this variable if you don't verify client certificates.</para>
7193
7194 <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
7195 </command></para>
7196 </listitem>
7197 </varlistentry>
7198
7199
7200
7201 <varlistentry>
7202 <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term>
7203 <listitem><para>This variable is part of SSL-enabled Samba. This
7204 is only available if the SSL libraries have been compiled on your
7205 system and the configure option <command>--with-ssl</command> was
7206 given at configure time.</para>
7207
7208 <para>This variable is a second way to define the trusted CAs.
7209 The certificates of the trusted CAs are collected in one big
7210 file and this variable points to the file. You will probably
7211 only use one of the two ways to define your CAs. The first choice is
7212 preferable if you have many CAs or want to be flexible, the second
7213 is preferable if you only have one CA and want to keep things
7214 simple (you won't need to create the hashed file names). You
7215 don't need this variable if you don't verify client certificates.</para>
7216
7217 <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
7218 </command></para>
7219 </listitem>
7220 </varlistentry>
7221
7222
7223
7224 <varlistentry>
7225 <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term>
7226 <listitem><para>This variable is part of SSL-enabled Samba. This
7227 is only available if the SSL libraries have been compiled on your
7228 system and the configure option <command>--with-ssl</command> was
7229 given at configure time.</para>
7230
7231 <para>This variable defines the ciphers that should be offered
7232 during SSL negotiation. You should not set this variable unless
7233 you know what you are doing.</para>
7234 </listitem>
7235 </varlistentry>
7236
7237
7238 <varlistentry>
7239 <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term>
7240 <listitem><para>This variable is part of SSL-enabled Samba. This
7241 is only available if the SSL libraries have been compiled on your
7242 system and the configure option <command>--with-ssl</command> was
7243 given at configure time.</para>
7244
7245 <para>The certificate in this file is used by <ulink url="smbclient.1.html">
7246 <command>smbclient(1)</command></ulink> if it exists. It's needed
7247 if the server requires a client certificate.</para>
7248
7249 <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
7250 </command></para>
7251 </listitem>
7252 </varlistentry>
7253
7254
7255
7256 <varlistentry>
7257 <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term>
7258 <listitem><para>This variable is part of SSL-enabled Samba. This
7259 is only available if the SSL libraries have been compiled on your
7260 system and the configure option <command>--with-ssl</command> was
7261 given at configure time.</para>
7262
7263 <para>This is the private key for <ulink url="smbclient.1.html">
7264 <command>smbclient(1)</command></ulink>. It's only needed if the
7265 client should have a certificate. </para>
7266
7267 <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
7268 </command></para>
7269 </listitem>
7270 </varlistentry>
7271
7272
7273
7274 <varlistentry>
7275 <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term>
7276 <listitem><para>This variable is part of SSL-enabled Samba. This
7277 is only available if the SSL libraries have been compiled on your
7278 system and the configure option <command>--with-ssl</command> was
7279 given at configure time.</para>
7280
7281 <para>This variable defines whether OpenSSL should be configured
7282 for bug compatibility with other SSL implementations. This is
7283 probably not desirable because currently no clients with SSL
7284 implementations other than OpenSSL exist.</para>
7285
7286 <para>Default: <command>ssl compatibility = no</command></para>
7287 </listitem>
7288 </varlistentry>
7289
7290
7291 <varlistentry>
7292 <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term>
7293 <listitem><para>This variable is part of SSL-enabled Samba. This
7294 is only available if the SSL libraries have been compiled on your
7295 system and the configure option <command>--with-ssl</command> was
7296 given at configure time.</para>
7297
7298 <para>
7299 This option is used to define the location of the communiation socket of
7300 an EGD or PRNGD daemon, from which entropy can be retrieved. This option
7301 can be used instead of or together with the <link
7302 linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link>
7303 directive. 255 bytes of entropy will be retrieved from the daemon.
7304 </para>
7305
7306 <para>Default: <emphasis>none</emphasis></para>
7307 </listitem>
7308 </varlistentry>
7309
7310
7311 <varlistentry>
7312 <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term>
7313 <listitem><para>This variable is part of SSL-enabled Samba. This
7314 is only available if the SSL libraries have been compiled on your
7315 system and the configure option <command>--with-ssl</command> was
7316 given at configure time.</para>
7317
7318 <para>
7319 This parameter is used to define the number of bytes which should
7320 be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy
7321 file</parameter></link> If a -1 is specified, the entire file will
7322 be read.
7323 </para>
7324
7325 <para>Default: <command>ssl entropy bytes = 255</command></para>
7326 </listitem>
7327 </varlistentry>
7328
7329
7330
7331 <varlistentry>
7332 <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term>
7333 <listitem><para>This variable is part of SSL-enabled Samba. This
7334 is only available if the SSL libraries have been compiled on your
7335 system and the configure option <command>--with-ssl</command> was
7336 given at configure time.</para>
7337
7338 <para>
7339 This parameter is used to specify a file from which processes will
7340 read "random bytes" on startup. In order to seed the internal pseudo
7341 random number generator, entropy must be provided. On system with a
7342 <filename>/dev/urandom</filename> device file, the processes
7343 will retrieve its entropy from the kernel. On systems without kernel
7344 entropy support, a file can be supplied that will be read on startup
7345 and that will be used to seed the PRNG.
7346 </para>
7347
7348 <para>Default: <emphasis>none</emphasis></para>
7349 </listitem>
7350 </varlistentry>
7351
7352
7353
7354 <varlistentry>
7355 <term><anchor id="SSLHOSTS">ssl hosts (G)</term>
7356 <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter>
7357 ssl hosts resign</parameter></link>.</para>
7358 </listitem>
7359 </varlistentry>
7360
7361
7362 <varlistentry>
7363 <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term>
7364 <listitem><para>This variable is part of SSL-enabled Samba. This
7365 is only available if the SSL libraries have been compiled on your
7366 system and the configure option <command>--with-ssl</command> was
7367 given at configure time.</para>
7368
7369 <para>These two variables define whether Samba will go
7370 into SSL mode or not. If none of them is defined, Samba will
7371 allow only SSL connections. If the <link linkend="SSLHOSTS">
7372 <parameter>ssl hosts</parameter></link> variable lists
7373 hosts (by IP-address, IP-address range, net group or name),
7374 only these hosts will be forced into SSL mode. If the <parameter>
7375 ssl hosts resign</parameter> variable lists hosts, only these
7376 hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two
7377 variables is the same as for the <link linkend="HOSTSALLOW"><parameter>
7378 hosts allow</parameter></link> and <link linkend="HOSTSDENY">
7379 <parameter>hosts deny</parameter></link> pair of variables, only
7380 that the subject of the decision is different: It's not the access
7381 right but whether SSL is used or not. </para>
7382
7383 <para>The example below requires SSL connections from all hosts
7384 outside the local net (which is 192.168.*.*).</para>
7385
7386 <para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
7387 <para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
7388
7389 <para>Example: <command>ssl hosts resign = 192.168.</command></para>
7390 </listitem>
7391 </varlistentry>
7392
7393
7394
7395 <varlistentry>
7396 <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term>
7397 <listitem><para>This variable is part of SSL-enabled Samba. This
7398 is only available if the SSL libraries have been compiled on your
7399 system and the configure option <command>--with-ssl</command> was
7400 given at configure time.</para>
7401
7402 <para>If this variable is set to <constant>yes</constant>, the
7403 server will not tolerate connections from clients that don't
7404 have a valid certificate. The directory/file given in <link
7405 linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter>
7406 </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile
7407 </parameter></link> will be used to look up the CAs that issued
7408 the client's certificate. If the certificate can't be verified
7409 positively, the connection will be terminated. If this variable
7410 is set to <constant>no</constant>, clients don't need certificates.
7411 Contrary to web applications you really <emphasis>should</emphasis>
7412 require client certificates. In the web environment the client's
7413 data is sensitive (credit card numbers) and the server must prove
7414 to be trustworthy. In a file server environment the server's data
7415 will be sensitive and the clients must prove to be trustworthy.</para>
7416
7417 <para>Default: <command>ssl require clientcert = no</command></para>
7418 </listitem>
7419 </varlistentry>
7420
7421
7422
7423 <varlistentry>
7424 <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term>
7425 <listitem><para>This variable is part of SSL-enabled Samba. This
7426 is only available if the SSL libraries have been compiled on your
7427 system and the configure option <command>--with-ssl</command> was
7428 given at configure time.</para>
7429
7430 <para>If this variable is set to <constant>yes</constant>, the
7431 <ulink url="smbclient.1.html"><command>smbclient(1)</command>
7432 </ulink> will request a certificate from the server. Same as
7433 <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require
7434 clientcert</parameter></link> for the server.</para>
7435
7436 <para>Default: <command>ssl require servercert = no</command>
7437 </para>
7438 </listitem>
7439 </varlistentry>
7440
7441 <varlistentry>
7442 <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term>
7443 <listitem><para>This variable is part of SSL-enabled Samba. This
7444 is only available if the SSL libraries have been compiled on your
7445 system and the configure option <command>--with-ssl</command> was
7446 given at configure time.</para>
7447
7448 <para>This is the file containing the server's certificate.
7449 The server <emphasis>must</emphasis> have a certificate. The
7450 file may also contain the server's private key. See later for
7451 how certificates and private keys are created.</para>
7452
7453 <para>Default: <command>ssl server cert = &lt;empty string&gt;
7454 </command></para>
7455 </listitem>
7456 </varlistentry>
7457
7458
7459 <varlistentry>
7460 <term><anchor id="SSLSERVERKEY">ssl server key (G)</term>
7461 <listitem><para>This variable is part of SSL-enabled Samba. This
7462 is only available if the SSL libraries have been compiled on your
7463 system and the configure option <command>--with-ssl</command> was
7464 given at configure time.</para>
7465
7466 <para>This file contains the private key of the server. If
7467 this variable is not defined, the key is looked up in the
7468 certificate file (it may be appended to the certificate).
7469 The server <emphasis>must</emphasis> have a private key
7470 and the certificate <emphasis>must</emphasis>
7471 match this private key.</para>
7472
7473 <para>Default: <command>ssl server key = &lt;empty string&gt;
7474 </command></para>
7475 </listitem>
7476 </varlistentry>
7477
7478
7479 <varlistentry>
7480 <term><anchor id="SSLVERSION">ssl version (G)</term>
7481 <listitem><para>This variable is part of SSL-enabled Samba. This
7482 is only available if the SSL libraries have been compiled on your
7483 system and the configure option <command>--with-ssl</command> was
7484 given at configure time.</para>
7485
7486 <para>This enumeration variable defines the versions of the
7487 SSL protocol that will be used. <constant>ssl2or3</constant> allows
7488 dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
7489 in SSL v2, <constant>ssl3</constant> results in SSL v3 and
7490 <constant>tls1</constant> results in TLS v1. TLS (Transport Layer
7491 Security) is the new standard for SSL.</para>
7492
7493 <para>Default: <command>ssl version = "ssl2or3"</command></para>
7494 </listitem>
7495 </varlistentry>
7496
7497
7498
7499 <varlistentry>
7500 <term><anchor id="STATCACHE">stat cache (G)</term>
7501 <listitem><para>This parameter determines if <ulink
7502 url="smbd.8.html">smbd(8)</ulink> will use a cache in order to
7503 speed up case insensitive name mappings. You should never need
7504 to change this parameter.</para>
7505
7506 <para>Default: <command>stat cache = yes</command></para>
7507 </listitem>
7508 </varlistentry>
7509
7510 <varlistentry>
7511 <term><anchor id="STATCACHESIZE">stat cache size (G)</term>
7512 <listitem><para>This parameter determines the number of
7513 entries in the <parameter>stat cache</parameter>. You should
7514 never need to change this parameter.</para>
7515
7516 <para>Default: <command>stat cache size = 50</command></para>
7517 </listitem>
7518 </varlistentry>
7519
7520
7521
7522 <varlistentry>
7523 <term><anchor id="STATUS">status (G)</term>
7524 <listitem><para>This enables or disables logging of connections
7525 to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink>
7526 can read.</para>
7527
7528 <para>With this disabled <command>smbstatus</command> won't be able
7529 to tell you what connections are active. You should never need to
7530 change this parameter.</para>
7531
7532 <para>Default: <command>status = yes</command></para>
7533 </listitem>
7534 </varlistentry>
7535
7536
7537
7538 <varlistentry>
7539 <term><anchor id="STRICTALLOCATE">strict allocate (S)</term>
7540 <listitem><para>This is a boolean that controls the handling of
7541 disk space allocation in the server. When this is set to <constant>yes</constant>
7542 the server will change from UNIX behaviour of not committing real
7543 disk storage blocks when a file is extended to the Windows behaviour
7544 of actually forcing the disk system to allocate real storage blocks
7545 when a file is created or extended to be a given size. In UNIX
7546 terminology this means that Samba will stop creating sparse files.
7547 This can be slow on some systems.</para>
7548
7549 <para>When strict allocate is <constant>no</constant> the server does sparse
7550 disk block allocation when a file is extended.</para>
7551
7552 <para>Setting this to <constant>yes</constant> can help Samba return
7553 out of quota messages on systems that are restricting the disk quota
7554 of users.</para>
7555
7556 <para>Default: <command>strict allocate = no</command></para>
7557 </listitem>
7558 </varlistentry>
7559
7560
7561
7562 <varlistentry>
7563 <term><anchor id="STRICTLOCKING">strict locking (S)</term>
7564 <listitem><para>This is a boolean that controls the handling of
7565 file locking in the server. When this is set to <constant>yes</constant>
7566 the server will check every read and write access for file locks, and
7567 deny access if locks exist. This can be slow on some systems.</para>
7568
7569 <para>When strict locking is <constant>no</constant> the server does file
7570 lock checks only when the client explicitly asks for them.</para>
7571
7572 <para>Well-behaved clients always ask for lock checks when it
7573 is important, so in the vast majority of cases <command>strict
7574 locking = no</command> is preferable.</para>
7575
7576 <para>Default: <command>strict locking = no</command></para>
7577 </listitem>
7578 </varlistentry>
7579
7580
7581
7582 <varlistentry>
7583 <term><anchor id="STRICTSYNC">strict sync (S)</term>
7584 <listitem><para>Many Windows applications (including the Windows
7585 98 explorer shell) seem to confuse flushing buffer contents to
7586 disk with doing a sync to disk. Under UNIX, a sync call forces
7587 the process to be suspended until the kernel has ensured that
7588 all outstanding data in kernel disk buffers has been safely stored
7589 onto stable storage. This is very slow and should only be done
7590 rarely. Setting this parameter to <constant>no</constant> (the
7591 default) means that <ulink url="smbd.8.html">smbd</ulink> ignores the Windows applications requests for
7592 a sync call. There is only a possibility of losing data if the
7593 operating system itself that Samba is running on crashes, so there is
7594 little danger in this default setting. In addition, this fixes many
7595 performance problems that people have reported with the new Windows98
7596 explorer shell file copies.</para>
7597
7598 <para>See also the <link linkend="SYNCALWAYS"><parameter>sync
7599 always></parameter></link> parameter.</para>
7600
7601 <para>Default: <command>strict sync = no</command></para>
7602 </listitem>
7603 </varlistentry>
7604
7605
7606 <varlistentry>
7607 <term><anchor id="STRIPDOT">strip dot (G)</term>
7608 <listitem><para>This parameter is now unused in Samba (2.2.5 and above).
7609 It used strip trailing dots off UNIX filenames but was not correctly implmented.
7610 In Samba 2.2.5 and above UNIX filenames ending in a dot are invalid Windows long
7611 filenames (as they are in Windows NT and above) and are mangled to 8.3 before
7612 being returned to a client.</para>
7613
7614 <para>Default: <command>strip dot = no</command></para>
7615 </listitem>
7616 </varlistentry>
7617
7618
7619
7620 <varlistentry>
7621 <term><anchor id="SYNCALWAYS">sync always (S)</term>
7622 <listitem><para>This is a boolean parameter that controls
7623 whether writes will always be written to stable storage before
7624 the write call returns. If this is <constant>false</constant> then the server will be
7625 guided by the client's request in each write call (clients can
7626 set a bit indicating that a particular write should be synchronous).
7627 If this is <constant>true</constant> then every write will be followed by a <command>fsync()
7628 </command> call to ensure the data is written to disk. Note that
7629 the <parameter>strict sync</parameter> parameter must be set to
7630 <constant>yes</constant> in order for this parameter to have
7631 any affect.</para>
7632
7633 <para>See also the <link linkend="STRICTSYNC"><parameter>strict
7634 sync</parameter></link> parameter.</para>
7635
7636 <para>Default: <command>sync always = no</command></para>
7637 </listitem>
7638 </varlistentry>
7639
7640
7641
7642 <varlistentry>
7643 <term><anchor id="SYSLOG">syslog (G)</term>
7644 <listitem><para>This parameter maps how Samba debug messages
7645 are logged onto the system syslog logging levels. Samba debug
7646 level zero maps onto syslog <constant>LOG_ERR</constant>, debug
7647 level one maps onto <constant>LOG_WARNING</constant>, debug level
7648 two maps onto <constant>LOG_NOTICE</constant>, debug level three
7649 maps onto LOG_INFO. All higher levels are mapped to <constant>
7650 LOG_DEBUG</constant>.</para>
7651
7652 <para>This parameter sets the threshold for sending messages
7653 to syslog. Only messages with debug level less than this value
7654 will be sent to syslog.</para>
7655
7656 <para>Default: <command>syslog = 1</command></para>
7657 </listitem>
7658 </varlistentry>
7659
7660
7661
7662 <varlistentry>
7663 <term><anchor id="SYSLOGONLY">syslog only (G)</term>
7664 <listitem><para>If this parameter is set then Samba debug
7665 messages are logged into the system syslog only, and not to
7666 the debug log files.</para>
7667
7668 <para>Default: <command>syslog only = no</command></para>
7669 </listitem>
7670 </varlistentry>
7671
7672
7673
7674 <varlistentry>
7675 <term><anchor id="TEMPLATEHOMEDIR">template homedir (G)</term>
7676 <listitem><para>When filling out the user information for a Windows NT
7677 user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
7678 uses this parameter to fill in the home directory for that user.
7679 If the string <parameter>%D</parameter> is present it is substituted
7680 with the user's Windows NT domain name. If the string <parameter>%U
7681 </parameter> is present it is substituted with the user's Windows
7682 NT user name.</para>
7683
7684 <para>Default: <command>template homedir = /home/%D/%U</command></para>
7685 </listitem>
7686 </varlistentry>
7687
7688
7689
7690 <varlistentry>
7691 <term><anchor id="TEMPLATESHELL">template shell (G)</term>
7692 <listitem><para>When filling out the user information for a Windows NT
7693 user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
7694 uses this parameter to fill in the login shell for that user.</para>
7695
7696 <para>Default: <command>template shell = /bin/false</command></para>
7697 </listitem>
7698 </varlistentry>
7699
7700
7701
7702 <varlistentry>
7703 <term><anchor id="TIMEOFFSET">time offset (G)</term>
7704 <listitem><para>This parameter is a setting in minutes to add
7705 to the normal GMT to local time conversion. This is useful if
7706 you are serving a lot of PCs that have incorrect daylight
7707 saving time handling.</para>
7708
7709 <para>Default: <command>time offset = 0</command></para>
7710 <para>Example: <command>time offset = 60</command></para>
7711 </listitem>
7712 </varlistentry>
7713
7714
7715
7716 <varlistentry>
7717 <term><anchor id="TIMESERVER">time server (G)</term>
7718 <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
7719 nmbd(8)</ulink> advertises itself as a time server to Windows
7720 clients.</para>
7721
7722 <para>Default: <command>time server = no</command></para>
7723 </listitem>
7724 </varlistentry>
7725
7726
7727 <varlistentry>
7728 <term><anchor id="TIMESTAMPLOGS">timestamp logs (G)</term>
7729 <listitem><para>Synonym for <link linkend="DEBUGTIMESTAMP"><parameter>
7730 debug timestamp</parameter></link>.</para>
7731 </listitem>
7732 </varlistentry>
7733
7734
7735
7736
7737
7738 <varlistentry>
7739 <term><anchor id="TOTALPRINTJOBS">total print jobs (G)</term>
7740 <listitem><para>This parameter accepts an integer value which defines
7741 a limit on the maximum number of print jobs that will be accepted
7742 system wide at any given time. If a print job is submitted
7743 by a client which will exceed this number, then <ulink url="smbd.8.html">smbd</ulink> will return an
7744 error indicating that no space is available on the server. The
7745 default value of 0 means that no such limit exists. This parameter
7746 can be used to prevent a server from exceeding its capacity and is
7747 designed as a printing throttle. See also
7748 <link linkend="MAXPRINTJOBS"><parameter>max print jobs</parameter</link>.
7749 </para>
7750
7751 <para>Default: <command>total print jobs = 0</command></para>
7752 <para>Example: <command>total print jobs = 5000</command></para>
7753 </listitem>
7754 </varlistentry>
7755
7756
7757
7758
7759 <varlistentry>
7760 <term><anchor id="UNIXEXTENSIONS">unix extensions(G)</term>
7761 <listitem><para>This boolean parameter controls whether Samba
7762 implments the CIFS UNIX extensions, as defined by HP.
7763 These extensions enable Samba to better serve UNIX CIFS clients
7764 by supporting features such as symbolic links, hard links, etc...
7765 These extensions require a similarly enabled client, and are of
7766 no current use to Windows clients.</para>
7767
7768 <para>Default: <command>unix extensions = no</command></para>
7769 </listitem>
7770 </varlistentry>
7771
7772
7773
7774
7775 <varlistentry>
7776 <term><anchor id="UNIXPASSWORDSYNC">unix password sync (G)</term>
7777 <listitem><para>This boolean parameter controls whether Samba
7778 attempts to synchronize the UNIX password with the SMB password
7779 when the encrypted SMB password in the smbpasswd file is changed.
7780 If this is set to <constant>true</constant> the program specified in the <parameter>passwd
7781 program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
7782 to allow the new UNIX password to be set without access to the
7783 old UNIX password (as the SMB password change code has no
7784 access to the old password cleartext, only the new).</para>
7785
7786 <para>See also <link linkend="PASSWDPROGRAM"><parameter>passwd
7787 program</parameter></link>, <link linkend="PASSWDCHAT"><parameter>
7788 passwd chat</parameter></link>.</para>
7789
7790 <para>Default: <command>unix password sync = no</command></para>
7791 </listitem>
7792 </varlistentry>
7793
7794
7795
7796 <varlistentry>
7797 <term><anchor id="UPDATEENCRYPTED">update encrypted (G)</term>
7798 <listitem><para>This boolean parameter allows a user logging
7799 on with a plaintext password to have their encrypted (hashed)
7800 password in the smbpasswd file to be updated automatically as
7801 they log on. This option allows a site to migrate from plaintext
7802 password authentication (users authenticate with plaintext
7803 password over the wire, and are checked against a UNIX account
7804 database) to encrypted password authentication (the SMB
7805 challenge/response authentication mechanism) without forcing
7806 all users to re-enter their passwords via smbpasswd at the time the
7807 change is made. This is a convenience option to allow the change over
7808 to encrypted passwords to be made over a longer period. Once all users
7809 have encrypted representations of their passwords in the smbpasswd
7810 file this parameter should be set to <constant>no</constant>.</para>
7811
7812 <para>In order for this parameter to work correctly the <link
7813 linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter>
7814 </link> parameter must be set to <constant>no</constant> when
7815 this parameter is set to <constant>yes</constant>.</para>
7816
7817 <para>Note that even when this parameter is set a user
7818 authenticating to <command>smbd</command> must still enter a valid
7819 password in order to connect correctly, and to update their hashed
7820 (smbpasswd) passwords.</para>
7821
7822 <para>Default: <command>update encrypted = no</command></para>
7823 </listitem>
7824 </varlistentry>
7825
7826
7827 <varlistentry>
7828 <term><anchor id="USECLIENTDRIVER">use client driver (S)</term>
7829 <listitem><para>This parameter applies only to Windows NT/2000
7830 clients. It has no affect on Windows 95/98/ME clients. When
7831 serving a printer to Windows NT/2000 clients without first installing
7832 a valid printer driver on the Samba host, the client will be required
7833 to install a local printer driver. From this point on, the client
7834 will treat the print as a local printer and not a network printer
7835 connection. This is much the same behavior that will occur
7836 when <command>disable spoolss = yes</command>. </para>
7837
7838 <para>The differentiating
7839 factor is that under normal circumstances, the NT/2000 client will
7840 attempt to open the network printer using MS-RPC. The problem is that
7841 because the client considers the printer to be local, it will attempt
7842 to issue the OpenPrinterEx() call requesting access rights associated
7843 with the logged on user. If the user possesses local administator rights
7844 but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
7845 call will fail. The result is that the client will now display an "Access
7846 Denied; Unable to connect" message in the printer queue window (even though
7847 jobs may successfully be printed). </para>
7848
7849 <para>If this parameter is enabled for a printer, then any attempt
7850 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
7851 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
7852 call to succeed. <emphasis>This parameter MUST not be able enabled
7853 on a print share which has valid print driver installed on the Samba
7854 server.</emphasis></para>
7855
7856 <para>See also <link linkend="DISABLESPOOLSS">disable spoolss</link>
7857 </para>
7858
7859 <para>Default: <command>use client driver = no</command></para>
7860 </listitem>
7861 </varlistentry>
7862
7863
7864
7865 <varlistentry>
7866 <term><anchor id="USEMMAP">use mmap (G)</term>
7867 <listitem><para>This global parameter determines if the tdb internals of Samba can
7868 depend on mmap working correctly on the running system. Samba requires a coherent
7869 mmap/read-write system memory cache. Currently only HPUX does not have such a
7870 coherent cache, and so this parameter is set to <constant>false</constant> by
7871 default on HPUX. On all other systems this parameter should be left alone. This
7872 parameter is provided to help the Samba developers track down problems with
7873 the tdb internal code.
7874 </para>
7875
7876 <para>Default: <command>use mmap = yes</command></para>
7877 </listitem>
7878 </varlistentry>
7879
7880
7881
7882
7883 <varlistentry>
7884 <term><anchor id="USERHOSTS">use rhosts (G)</term>
7885 <listitem><para>If this global parameter is <constant>true</constant>, it specifies
7886 that the UNIX user's <filename>.rhosts</filename> file in their home directory
7887 will be read to find the names of hosts and users who will be allowed
7888 access without specifying a password.</para>
7889
7890 <para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts
7891 </parameter> can be a major security hole. This is because you are
7892 trusting the PC to supply the correct username. It is very easy to
7893 get a PC to supply a false username. I recommend that the <parameter>
7894 use rhosts</parameter> option be only used if you really know what
7895 you are doing.</para>
7896
7897 <para>Default: <command>use rhosts = no</command></para>
7898 </listitem>
7899 </varlistentry>
7900
7901
7902
7903 <varlistentry>
7904 <term><anchor id="USER">user (S)</term>
7905 <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
7906 username</parameter></link>.</para>
7907 </listitem>
7908 </varlistentry>
7909
7910
7911
7912 <varlistentry>
7913 <term><anchor id="USERS">users (S)</term>
7914 <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
7915 username</parameter></link>.</para>
7916 </listitem>
7917 </varlistentry>
7918
7919
7920 <varlistentry>
7921 <term><anchor id="USERNAME">username (S)</term>
7922 <listitem><para>Multiple users may be specified in a comma-delimited
7923 list, in which case the supplied password will be tested against
7924 each username in turn (left to right).</para>
7925
7926 <para>The <parameter>username</parameter> line is needed only when
7927 the PC is unable to supply its own username. This is the case
7928 for the COREPLUS protocol or where your users have different WfWg
7929 usernames to UNIX usernames. In both these cases you may also be
7930 better using the \\server\share%user syntax instead.</para>
7931
7932 <para>The <parameter>username</parameter> line is not a great
7933 solution in many cases as it means Samba will try to validate
7934 the supplied password against each of the usernames in the
7935 <parameter>username</parameter> line in turn. This is slow and
7936 a bad idea for lots of users in case of duplicate passwords.
7937 You may get timeouts or security breaches using this parameter
7938 unwisely.</para>
7939
7940 <para>Samba relies on the underlying UNIX security. This
7941 parameter does not restrict who can login, it just offers hints
7942 to the Samba server as to what usernames might correspond to the
7943 supplied password. Users can login as whoever they please and
7944 they will be able to do no more damage than if they started a
7945 telnet session. The daemon runs as the user that they log in as,
7946 so they cannot do anything that user cannot do.</para>
7947
7948 <para>To restrict a service to a particular set of users you
7949 can use the <link linkend="VALIDUSERS"><parameter>valid users
7950 </parameter></link> parameter.</para>
7951
7952 <para>If any of the usernames begin with a '@' then the name
7953 will be looked up first in the NIS netgroups list (if Samba
7954 is compiled with netgroup support), followed by a lookup in
7955 the UNIX groups database and will expand to a list of all users
7956 in the group of that name.</para>
7957
7958 <para>If any of the usernames begin with a '+' then the name
7959 will be looked up only in the UNIX groups database and will
7960 expand to a list of all users in the group of that name.</para>
7961
7962 <para>If any of the usernames begin with a '&'then the name
7963 will be looked up only in the NIS netgroups database (if Samba
7964 is compiled with netgroup support) and will expand to a list
7965 of all users in the netgroup group of that name.</para>
7966
7967 <para>Note that searching though a groups database can take
7968 quite some time, and some clients may time out during the
7969 search.</para>
7970
7971 <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
7972 USERNAME/PASSWORD VALIDATION</link> for more information on how
7973 this parameter determines access to the services.</para>
7974
7975 <para>Default: <command>The guest account if a guest service,
7976 else &lt;empty string&gt;.</command></para>
7977
7978 <para>Examples:<command>username = fred, mary, jack, jane,
7979 @users, @pcgroup</command></para>
7980 </listitem>
7981 </varlistentry>
7982
7983
7984
7985 <varlistentry>
7986 <term><anchor id="USERNAMELEVEL">username level (G)</term>
7987 <listitem><para>This option helps Samba to try and 'guess' at
7988 the real UNIX username, as many DOS clients send an all-uppercase
7989 username. By default Samba tries all lowercase, followed by the
7990 username with the first letter capitalized, and fails if the
7991 username is not found on the UNIX machine.</para>
7992
7993 <para>If this parameter is set to non-zero the behavior changes.
7994 This parameter is a number that specifies the number of uppercase
7995 combinations to try while trying to determine the UNIX user name. The
7996 higher the number the more combinations will be tried, but the slower
7997 the discovery of usernames will be. Use this parameter when you have
7998 strange usernames on your UNIX machine, such as <constant>AstrangeUser
7999 </constant>.</para>
8000
8001 <para>Default: <command>username level = 0</command></para>
8002 <para>Example: <command>username level = 5</command></para>
8003 </listitem>
8004 </varlistentry>
8005
8006
8007
8008 <varlistentry>
8009 <term><anchor id="USERNAMEMAP">username map (G)</term>
8010 <listitem><para>This option allows you to specify a file containing
8011 a mapping of usernames from the clients to the server. This can be
8012 used for several purposes. The most common is to map usernames
8013 that users use on DOS or Windows machines to those that the UNIX
8014 box uses. The other is to map multiple users to a single username
8015 so that they can more easily share files.</para>
8016
8017 <para>The map file is parsed line by line. Each line should
8018 contain a single UNIX username on the left then a '=' followed
8019 by a list of usernames on the right. The list of usernames on the
8020 right may contain names of the form @group in which case they
8021 will match any UNIX username in that group. The special client
8022 name '*' is a wildcard and matches any name. Each line of the
8023 map file may be up to 1023 characters long.</para>
8024
8025 <para>The file is processed on each line by taking the
8026 supplied username and comparing it with each username on the right
8027 hand side of the '=' signs. If the supplied name matches any of
8028 the names on the right hand side then it is replaced with the name
8029 on the left. Processing then continues with the next line.</para>
8030
8031 <para>If any line begins with a '#' or a ';' then it is
8032 ignored</para>
8033
8034 <para>If any line begins with an '!' then the processing
8035 will stop after that line if a mapping was done by the line.
8036 Otherwise mapping continues with every line being processed.
8037 Using '!' is most useful when you have a wildcard mapping line
8038 later in the file.</para>
8039
8040 <para>For example to map from the name <constant>admin</constant>
8041 or <constant>administrator</constant> to the UNIX name <constant>
8042 root</constant> you would use:</para>
8043
8044 <para><command>root = admin administrator</command></para>
8045
8046 <para>Or to map anyone in the UNIX group <constant>system</constant>
8047 to the UNIX name <constant>sys</constant> you would use:</para>
8048
8049 <para><command>sys = @system</command></para>
8050
8051 <para>You can have as many mappings as you like in a username
8052 map file.</para>
8053
8054
8055 <para>If your system supports the NIS NETGROUP option then
8056 the netgroup database is checked before the <filename>/etc/group
8057 </filename> database for matching groups.</para>
8058
8059 <para>You can map Windows usernames that have spaces in them
8060 by using double quotes around the name. For example:</para>
8061
8062 <para><command>tridge = "Andrew Tridgell"</command></para>
8063
8064 <para>would map the windows username "Andrew Tridgell" to the
8065 unix username "tridge".</para>
8066
8067 <para>The following example would map mary and fred to the
8068 unix user sys, and map the rest to guest. Note the use of the
8069 '!' to tell Samba to stop processing if it gets a match on
8070 that line.</para>
8071
8072 <para><programlisting>
8073 !sys = mary fred
8074 guest = *
8075 </programlisting></para>
8076
8077 <para>Note that the remapping is applied to all occurrences
8078 of usernames. Thus if you connect to \\server\fred and <constant>
8079 fred</constant> is remapped to <constant>mary</constant> then you
8080 will actually be connecting to \\server\mary and will need to
8081 supply a password suitable for <constant>mary</constant> not
8082 <constant>fred</constant>. The only exception to this is the
8083 username passed to the <link linkend="PASSWORDSERVER"><parameter>
8084 password server</parameter></link> (if you have one). The password
8085 server will receive whatever username the client supplies without
8086 modification.</para>
8087
8088 <para>Also note that no reverse mapping is done. The main effect
8089 this has is with printing. Users who have been mapped may have
8090 trouble deleting print jobs as PrintManager under WfWg will think
8091 they don't own the print job.</para>
8092
8093 <para>Default: <emphasis>no username map</emphasis></para>
8094 <para>Example: <command>username map = /usr/local/samba/lib/users.map
8095 </command></para>
8096 </listitem>
8097 </varlistentry>
8098
8099
8100
8101 <varlistentry>
8102 <term><anchor id="UTMP">utmp (G)</term>
8103 <listitem><para>This boolean parameter is only available if
8104 Samba has been configured and compiled with the option <command>
8105 --with-utmp</command>. If set to <constant>true</constant> then Samba will attempt
8106 to add utmp or utmpx records (depending on the UNIX system) whenever a
8107 connection is made to a Samba server. Sites may use this to record the
8108 user connecting to a Samba share.</para>
8109
8110 <para>See also the <link linkend="UTMPDIRECTORY"><parameter>
8111 utmp directory</parameter></link> parameter.</para>
8112
8113 <para>Default: <command>utmp = no</command></para>
8114 </listitem>
8115 </varlistentry>
8116
8117
8118
8119 <varlistentry>
8120 <term><anchor id="UTMPDIRECTORY">utmp directory(G)</term>
8121 <listitem><para>This parameter is only available if Samba has
8122 been configured and compiled with the option <command>
8123 --with-utmp</command>. It specifies a directory pathname that is
8124 used to store the utmp or utmpx files (depending on the UNIX system) that
8125 record user connections to a Samba server. See also the <link linkend="UTMP">
8126 <parameter>utmp</parameter></link> parameter. By default this is
8127 not set, meaning the system will use whatever utmp file the
8128 native system is set to use (usually
8129 <filename>/var/run/utmp</filename> on Linux).</para>
8130
8131 <para>Default: <emphasis>no utmp directory</emphasis></para>
8132 </listitem>
8133 </varlistentry>
8134
8135
8136
8137 <varlistentry>
8138 <term><anchor id="VALIDCHARS">valid chars (G)</term>
8139 <listitem><para>The option allows you to specify additional
8140 characters that should be considered valid by the server in
8141 filenames. This is particularly useful for national character
8142 sets, such as adding u-umlaut or a-ring.</para>
8143
8144 <para>The option takes a list of characters in either integer
8145 or character form with spaces between them. If you give two
8146 characters with a colon between them then it will be taken as
8147 an lowercase:uppercase pair.</para>
8148
8149 <para>If you have an editor capable of entering the characters
8150 into the config file then it is probably easiest to use this
8151 method. Otherwise you can specify the characters in octal,
8152 decimal or hexadecimal form using the usual C notation.</para>
8153
8154 <para>For example to add the single character 'Z' to the charset
8155 (which is a pointless thing to do as it's already there) you could
8156 do one of the following</para>
8157
8158 <para><programlisting>
8159 valid chars = Z
8160 valid chars = z:Z
8161 valid chars = 0132:0172
8162 </programlisting></para>
8163
8164 <para>The last two examples above actually add two characters,
8165 and alter the uppercase and lowercase mappings appropriately.</para>
8166
8167 <para>Note that you <emphasis>MUST</emphasis> specify this parameter
8168 after the <parameter>client code page</parameter> parameter if you
8169 have both set. If <parameter>client code page</parameter> is set after
8170 the <parameter>valid chars</parameter> parameter the <parameter>valid
8171 chars</parameter> settings will be overwritten.</para>
8172
8173 <para>See also the <link linkend="CLIENTCODEPAGE"><parameter>client
8174 code page</parameter></link> parameter.</para>
8175
8176 <para>Default: <emphasis>Samba defaults to using a reasonable set
8177 of valid characters for English systems</emphasis></para>
8178
8179 <para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304
8180 </command></para>
8181
8182 <para>The above example allows filenames to have the Swedish
8183 characters in them.</para>
8184
8185 <para><emphasis>NOTE:</emphasis> It is actually quite difficult to
8186 correctly produce a <parameter>valid chars</parameter> line for
8187 a particular system. To automate the process <ulink
8188 url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written
8189 a package called <command>validchars</command> which will automatically
8190 produce a complete <parameter>valid chars</parameter> line for
8191 a given client system. Look in the <filename>examples/validchars/
8192 </filename> subdirectory of your Samba source code distribution
8193 for this package.</para>
8194 </listitem>
8195 </varlistentry>
8196
8197
8198
8199 <varlistentry>
8200 <term><anchor id="VALIDUSERS">valid users (S)</term>
8201 <listitem><para>This is a list of users that should be allowed
8202 to login to this service. Names starting with '@', '+' and '&'
8203 are interpreted using the same rules as described in the
8204 <parameter>invalid users</parameter> parameter.</para>
8205
8206 <para>If this is empty (the default) then any user can login.
8207 If a username is in both this list and the <parameter>invalid
8208 users</parameter> list then access is denied for that user.</para>
8209
8210 <para>The current servicename is substituted for <parameter>%S
8211 </parameter>. This is useful in the [homes] section.</para>
8212
8213 <para>See also <link linkend="INVALIDUSERS"><parameter>invalid users
8214 </parameter></link></para>
8215
8216 <para>Default: <emphasis>No valid users list (anyone can login)
8217 </emphasis></para>
8218
8219 <para>Example: <command>valid users = greg, @pcusers</command></para>
8220 </listitem>
8221 </varlistentry>
8222
8223
8224
8225
8226 <varlistentry>
8227 <term><anchor id="VETOFILES">veto files(S)</term>
8228 <listitem><para>This is a list of files and directories that
8229 are neither visible nor accessible. Each entry in the list must
8230 be separated by a '/', which allows spaces to be included
8231 in the entry. '*' and '?' can be used to specify multiple files
8232 or directories as in DOS wildcards.</para>
8233
8234 <para>Each entry must be a unix path, not a DOS path and
8235 must <emphasis>not</emphasis> include the unix directory
8236 separator '/'.</para>
8237
8238 <para>Note that the <parameter>case sensitive</parameter> option
8239 is applicable in vetoing files.</para>
8240
8241 <para>One feature of the veto files parameter that it
8242 is important to be aware of is Samba's behaviour when
8243 trying to delete a directory. If a directory that is
8244 to be deleted contains nothing but veto files this
8245 deletion will <emphasis>fail</emphasis> unless you also set
8246 the <parameter>delete veto files</parameter> parameter to
8247 <parameter>yes</parameter>.</para>
8248
8249 <para>Setting this parameter will affect the performance
8250 of Samba, as it will be forced to check all files and directories
8251 for a match as they are scanned.</para>
8252
8253 <para>See also <link linkend="HIDEFILES"><parameter>hide files
8254 </parameter></link> and <link linkend="CASESENSITIVE"><parameter>
8255 case sensitive</parameter></link>.</para>
8256
8257 <para>Default: <emphasis>No files or directories are vetoed.
8258 </emphasis></para>
8259
8260 <para>Examples:<programlisting>
8261 ; Veto any files containing the word Security,
8262 ; any ending in .tmp, and any directory containing the
8263 ; word root.
8264 veto files = /*Security*/*.tmp/*root*/
8265
8266 ; Veto the Apple specific files that a NetAtalk server
8267 ; creates.
8268 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
8269 </programlisting></para>
8270 </listitem>
8271 </varlistentry>
8272
8273
8274 <varlistentry>
8275 <term><anchor id="VETOOPLOCKFILES">veto oplock files (S)</term>
8276 <listitem><para>This parameter is only valid when the <link
8277 linkend="OPLOCKS"><parameter>oplocks</parameter></link>
8278 parameter is turned on for a share. It allows the Samba administrator
8279 to selectively turn off the granting of oplocks on selected files that
8280 match a wildcarded list, similar to the wildcarded list used in the
8281 <link linkend="VETOFILES"><parameter>veto files</parameter></link>
8282 parameter.</para>
8283
8284 <para>Default: <emphasis>No files are vetoed for oplock
8285 grants</emphasis></para>
8286
8287 <para>You might want to do this on files that you know will
8288 be heavily contended for by clients. A good example of this
8289 is in the NetBench SMB benchmark program, which causes heavy
8290 client contention for files ending in <filename>.SEM</filename>.
8291 To cause Samba not to grant oplocks on these files you would use
8292 the line (either in the [global] section or in the section for
8293 the particular NetBench share :</para>
8294
8295 <para>Example: <command>veto oplock files = /*.SEM/
8296 </command></para>
8297 </listitem>
8298 </varlistentry>
8299
8300
8301
8302 <varlistentry>
8303 <term><anchor id="VFSOBJECT">vfs object (S)</term>
8304 <listitem><para>This parameter specifies a shared object file that
8305 is used for Samba VFS I/O operations. By default, normal
8306 disk I/O operations are used but these can be overloaded
8307 with a VFS object. The Samba VFS layer is new to Samba 2.2 and
8308 must be enabled at compile time with --with-vfs.</para>
8309
8310 <para>Default : <emphasis>no value</emphasis></para>
8311 </listitem>
8312 </varlistentry>
8313
8314
8315
8316
8317 <varlistentry>
8318 <term><anchor id="VFSOPTIONS">vfs options (S)</term>
8319 <listitem><para>This parameter allows parameters to be passed
8320 to the vfs layer at initialization time. The Samba VFS layer
8321 is new to Samba 2.2 and must be enabled at compile time
8322 with --with-vfs. See also <link linkend="VFSOBJECT"><parameter>
8323 vfs object</parameter></link>.</para>
8324
8325 <para>Default : <emphasis>no value</emphasis></para>
8326 </listitem>
8327 </varlistentry>
8328
8329
8330
8331 <varlistentry>
8332 <term><anchor id="VOLUME">volume (S)</term>
8333 <listitem><para> This allows you to override the volume label
8334 returned for a share. Useful for CDROMs with installation programs
8335 that insist on a particular volume label.</para>
8336
8337 <para>Default: <emphasis>the name of the share</emphasis></para>
8338 </listitem>
8339 </varlistentry>
8340
8341
8342
8343 <varlistentry>
8344 <term><anchor id="WIDELINKS">wide links (S)</term>
8345 <listitem><para>This parameter controls whether or not links
8346 in the UNIX file system may be followed by the server. Links
8347 that point to areas within the directory tree exported by the
8348 server are always allowed; this parameter controls access only
8349 to areas that are outside the directory tree being exported.</para>
8350
8351 <para>Note that setting this parameter can have a negative
8352 effect on your server performance due to the extra system calls
8353 that Samba has to do in order to perform the link checks.</para>
8354
8355 <para>Default: <command>wide links = yes</command></para>
8356 </listitem>
8357 </varlistentry>
8358
8359
8360
8361
8362 <varlistentry>
8363 <term><anchor id="WINBINDCACHETIME">winbind cache time (G)</term>
8364 <listitem><para>This parameter specifies the number of seconds the
8365 <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache
8366 user and group information before querying a Windows NT server
8367 again.</para>
8368
8369 <para>Default: <command>winbind cache type = 15</command></para>
8370 </listitem>
8371 </varlistentry>
8372
8373
8374 <varlistentry>
8375 <term><anchor id="WINBINDENUMUSERS">winbind enum users (G)</term>
8376 <listitem><para>On large installations using
8377 <ulink url="winbindd.8.html">winbindd(8)</ulink> it may be
8378 necessary to suppress the enumeration of users through the
8379 <command> setpwent()</command>,
8380 <command>getpwent()</command> and
8381 <command>endpwent()</command> group of system calls. If
8382 the <parameter>winbind enum users</parameter> parameter is
8383 false, calls to the <command>getpwent</command> system call
8384 will not return any data. </para>
8385
8386 <para><emphasis>Warning:</emphasis> Turning off user
8387 enumeration may cause some programs to behave oddly. For
8388 example, the finger program relies on having access to the
8389 full user list when searching for matching
8390 usernames. </para>
8391
8392 <para>Default: <command>winbind enum users = yes </command></para>
8393 </listitem>
8394 </varlistentry>
8395
8396 <varlistentry>
8397 <term><anchor id="WINBINDENUMGROUPS">winbind enum groups (G)</term>
8398 <listitem><para>On large installations using
8399 <ulink url="winbindd.8.html">winbindd(8)</ulink> it may be
8400 necessary to suppress the enumeration of groups through the
8401 <command> setgrent()</command>,
8402 <command>getgrent()</command> and
8403 <command>endgrent()</command> group of system calls. If
8404 the <parameter>winbind enum groups</parameter> parameter is
8405 false, calls to the <command>getgrent()</command> system
8406 call will not return any data. </para>
8407
8408 <para><emphasis>Warning:</emphasis> Turning off group
8409 enumeration may cause some programs to behave oddly.
8410 </para>
8411
8412 <para>Default: <command>winbind enum groups = yes </command>
8413 </para></listitem>
8414 </varlistentry>
8415
8416
8417 <varlistentry>
8418 <term><anchor id="WINBINDGID">winbind gid (G)</term>
8419 <listitem><para>The winbind gid parameter specifies the range of group
8420 ids that are allocated by the <ulink url="winbindd.8.html">
8421 winbindd(8)</ulink> daemon. This range of group ids should have no
8422 existing local or NIS groups within it as strange conflicts can
8423 occur otherwise.</para>
8424
8425 <para>Default: <command>winbind gid = &lt;empty string&gt;
8426 </command></para>
8427
8428 <para>Example: <command>winbind gid = 10000-20000</command></para>
8429 </listitem>
8430 </varlistentry>
8431
8432
8433 <varlistentry>
8434 <term><anchor id="WINBINDSEPARATOR">winbind separator (G)</term>
8435 <listitem><para>This parameter allows an admin to define the character
8436 used when listing a username of the form of <replaceable>DOMAIN
8437 </replaceable>\<replaceable>user</replaceable>. This parameter
8438 is only applicable when using the <filename>pam_winbind.so</filename>
8439 and <filename>nss_winbind.so</filename> modules for UNIX services.
8440 </para>
8441
8442 <para>Please note that setting this parameter to + causes problems
8443 with group membership at least on glibc systems, as the character +
8444 is used as a special character for NIS in /etc/group.</para>
8445
8446 <para>Default: <command>winbind separator = '\'</command></para>
8447 <para>Example: <command>winbind separator = +</command></para>
8448 </listitem>
8449 </varlistentry>
8450
8451
8452
8453
8454 <varlistentry>
8455 <term><anchor id="WINBINDUID">winbind uid (G)</term>
8456 <listitem><para>The winbind gid parameter specifies the range of group
8457 ids that are allocated by the <ulink url="winbindd.8.html">
8458 winbindd(8)</ulink> daemon. This range of ids should have no
8459 existing local or NIS users within it as strange conflicts can
8460 occur otherwise.</para>
8461
8462 <para>Default: <command>winbind uid = &lt;empty string&gt;
8463 </command></para>
8464
8465 <para>Example: <command>winbind uid = 10000-20000</command></para>
8466 </listitem>
8467 </varlistentry>
8468
8469
8470 <varlistentry>
8471 <term>winbind use default domain</term>
8472
8473 <term><anchor id="WINBINDUSEDEFAULTDOMAIN">winbind use default domain</term>
8474 <listitem><para>This parameter specifies whether the <ulink url="winbindd.8.html">
8475 winbindd(8)</ulink>
8476 daemon should operate on users without domain component in their username.
8477 Users without a domain component are treated as is part of the winbindd server's
8478 own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
8479 function in a way much closer to the way they would in a native unix system.</para>
8480
8481 <para>Default: <command>winbind use default domain = &lt;falseg&gt;
8482 </command></para>
8483 <para>Example: <command>winbind use default domain = true</command></para>
8484 </listitem>
8485 </varlistentry>
8486
8487
8488 <varlistentry>
8489 <term><anchor id="WINSHOOK">wins hook (G)</term>
8490 <listitem><para>When Samba is running as a WINS server this
8491 allows you to call an external program for all changes to the
8492 WINS database. The primary use for this option is to allow the
8493 dynamic update of external name resolution databases such as
8494 dynamic DNS.</para>
8495
8496 <para>The wins hook parameter specifies the name of a script
8497 or executable that will be called as follows:</para>
8498
8499 <para><command>wins_hook operation name nametype ttl IP_list
8500 </command></para>
8501
8502 <itemizedlist>
8503 <listitem><para>The first argument is the operation and is one
8504 of "add", "delete", or "refresh". In most cases the operation can
8505 be ignored as the rest of the parameters provide sufficient
8506 information. Note that "refresh" may sometimes be called when the
8507 name has not previously been added, in that case it should be treated
8508 as an add.</para></listitem>
8509
8510 <listitem><para>The second argument is the NetBIOS name. If the
8511 name is not a legal name then the wins hook is not called.
8512 Legal names contain only letters, digits, hyphens, underscores
8513 and periods.</para></listitem>
8514
8515 <listitem><para>The third argument is the NetBIOS name
8516 type as a 2 digit hexadecimal number. </para></listitem>
8517
8518 <listitem><para>The fourth argument is the TTL (time to live)
8519 for the name in seconds.</para></listitem>
8520
8521 <listitem><para>The fifth and subsequent arguments are the IP
8522 addresses currently registered for that name. If this list is
8523 empty then the name should be deleted.</para></listitem>
8524 </itemizedlist>
8525
8526 <para>An example script that calls the BIND dynamic DNS update
8527 program <command>nsupdate</command> is provided in the examples
8528 directory of the Samba source code. </para>
8529 </listitem>
8530 </varlistentry>
8531
8532
8533
8534
8535
8536 <varlistentry>
8537 <term><anchor id="WINSPROXY">wins proxy (G)</term>
8538 <listitem><para>This is a boolean that controls if <ulink
8539 url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name
8540 queries on behalf of other hosts. You may need to set this
8541 to <constant>yes</constant> for some older clients.</para>
8542
8543 <para>Default: <command>wins proxy = no</command></para>
8544 </listitem>
8545 </varlistentry>
8546
8547
8548
8549
8550 <varlistentry>
8551 <term><anchor id="WINSSERVER">wins server (G)</term>
8552 <listitem><para>This specifies the IP address (or DNS name: IP
8553 address for preference) of the WINS server that <ulink url="nmbd.8.html">
8554 nmbd(8)</ulink> should register with. If you have a WINS server on
8555 your network then you should set this to the WINS server's IP.</para>
8556
8557 <para>You should point this at your WINS server if you have a
8558 multi-subnetted network.</para>
8559
8560 <para><emphasis>NOTE</emphasis>. You need to set up Samba to point
8561 to a WINS server if you have multiple subnets and wish cross-subnet
8562 browsing to work correctly.</para>
8563
8564 <para>See the documentation file <filename>BROWSING.txt</filename>
8565 in the docs/ directory of your Samba source distribution.</para>
8566
8567 <para>Default: <emphasis>not enabled</emphasis></para>
8568 <para>Example: <command>wins server = 192.9.200.1</command></para>
8569 </listitem>
8570 </varlistentry>
8571
8572
8573
8574 <varlistentry>
8575 <term><anchor id="WINSSUPPORT">wins support (G)</term>
8576 <listitem><para>This boolean controls if the <ulink url="nmbd.8.html">
8577 nmbd(8)</ulink> process in Samba will act as a WINS server. You should
8578 not set this to <constant>true</constant> unless you have a multi-subnetted network and
8579 you wish a particular <command>nmbd</command> to be your WINS server.
8580 Note that you should <emphasis>NEVER</emphasis> set this to <constant>true</constant>
8581 on more than one machine in your network.</para>
8582
8583 <para>Default: <command>wins support = no</command></para>
8584 </listitem>
8585 </varlistentry>
8586
8587
8588
8589 <varlistentry>
8590 <term><anchor id="WORKGROUP">workgroup (G)</term>
8591 <listitem><para>This controls what workgroup your server will
8592 appear to be in when queried by clients. Note that this parameter
8593 also controls the Domain name used with the <link
8594 linkend="SECURITYEQUALSDOMAIN"><command>security = domain</command></link>
8595 setting.</para>
8596
8597 <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para>
8598 <para>Example: <command>workgroup = MYGROUP</command></para>
8599 </listitem>
8600 </varlistentry>
8601
8602
8603
8604
8605 <varlistentry>
8606 <term><anchor id="WRITABLE">writable (S)</term>
8607 <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
8608 writeable</parameter></link> for people who can't spell :-).</para>
8609 </listitem>
8610 </varlistentry>
8611
8612
8613
8614 <varlistentry>
8615 <term><anchor id="WRITECACHESIZE">write cache size (S)</term>
8616 <listitem><para>If this integer parameter is set to non-zero value,
8617 Samba will create an in-memory cache for each oplocked file
8618 (it does <emphasis>not</emphasis> do this for
8619 non-oplocked files). All writes that the client does not request
8620 to be flushed directly to disk will be stored in this cache if possible.
8621 The cache is flushed onto disk when a write comes in whose offset
8622 would not fit into the cache or when the file is closed by the client.
8623 Reads for the file are also served from this cache if the data is stored
8624 within it.</para>
8625
8626 <para>This cache allows Samba to batch client writes into a more
8627 efficient write size for RAID disks (i.e. writes may be tuned to
8628 be the RAID stripe size) and can improve performance on systems
8629 where the disk subsystem is a bottleneck but there is free
8630 memory for userspace programs.</para>
8631
8632 <para>The integer parameter specifies the size of this cache
8633 (per oplocked file) in bytes.</para>
8634
8635 <para>Default: <command>write cache size = 0</command></para>
8636 <para>Example: <command>write cache size = 262144</command></para>
8637
8638 <para>for a 256k cache size per file.</para>
8639 </listitem>
8640 </varlistentry>
8641
8642
8643
8644
8645
8646 <varlistentry>
8647 <term><anchor id="WRITELIST">write list (S)</term>
8648 <listitem><para>This is a list of users that are given read-write
8649 access to a service. If the connecting user is in this list then
8650 they will be given write access, no matter what the <link
8651 linkend="WRITEABLE"><parameter>writeable</parameter></link>
8652 option is set to. The list can include group names using the
8653 @group syntax.</para>
8654
8655 <para>Note that if a user is in both the read list and the
8656 write list then they will be given write access.</para>
8657
8658 <para>See also the <link linkend="READLIST"><parameter>read list
8659 </parameter></link> option.</para>
8660
8661 <para>Default: <command>write list = &lt;empty string&gt;
8662 </command></para>
8663
8664 <para>Example: <command>write list = admin, root, @staff
8665 </command></para>
8666 </listitem>
8667 </varlistentry>
8668
8669
8670
8671
8672
8673 <varlistentry>
8674 <term><anchor id="WRITEOK">write ok (S)</term>
8675 <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
8676 writeable</parameter></link>.</para>
8677 </listitem>
8678 </varlistentry>
8679
8680
8681
8682 <varlistentry>
8683 <term><anchor id="WRITERAW">write raw (G)</term>
8684 <listitem><para>This parameter controls whether or not the server
8685 will support raw write SMB's when transferring data from clients.
8686 You should never need to change this parameter.</para>
8687
8688 <para>Default: <command>write raw = yes</command></para>
8689 </listitem>
8690 </varlistentry>
8691
8692
8693
8694 <varlistentry>
8695 <term><anchor id="WRITEABLE">writeable (S)</term>
8696 <listitem><para>An inverted synonym is <link linkend="READONLY">
8697 <parameter>read only</parameter></link>.</para>
8698
8699 <para>If this parameter is <constant>no</constant>, then users
8700 of a service may not create or modify files in the service's
8701 directory.</para>
8702
8703 <para>Note that a printable service (<command>printable = yes</command>)
8704 will <emphasis>ALWAYS</emphasis> allow writing to the directory
8705 (user privileges permitting), but only via spooling operations.</para>
8706
8707 <para>Default: <command>writeable = no</command></para>
8708 </listitem>
8709 </varlistentry>
8710
8711
8712 </variablelist>
8713
8714 </refsect1>
8715
8716 <refsect1>
8717 <title>WARNINGS</title>
8718
8719 <para>Although the configuration file permits service names
8720 to contain spaces, your client software may not. Spaces will
8721 be ignored in comparisons anyway, so it shouldn't be a
8722 problem - but be aware of the possibility.</para>
8723
8724 <para>On a similar note, many clients - especially DOS clients -
8725 limit service names to eight characters. <ulink url="smbd.8.html">smbd(8)
8726 </ulink> has no such limitation, but attempts to connect from such
8727 clients will fail if they truncate the service names. For this reason
8728 you should probably keep your service names down to eight characters
8729 in length.</para>
8730
8731 <para>Use of the [homes] and [printers] special sections make life
8732 for an administrator easy, but the various combinations of default
8733 attributes can be tricky. Take extreme care when designing these
8734 sections. In particular, ensure that the permissions on spool
8735 directories are correct.</para>
8736 </refsect1>
8737
8738 <refsect1>
8739 <title>VERSION</title>
8740
8741 <para>This man page is correct for version 2.2 of
8742 the Samba suite.</para>
8743 </refsect1>
8744
8745 <refsect1>
8746 <title>SEE ALSO</title>
8747 <para><ulink url="samba.7.html">samba(7)</ulink>,
8748 <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>,
8749 <ulink url="swat.8.html"><command>swat(8)</command></ulink>,
8750 <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
8751 <ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
8752 <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>,
8753 <ulink url="nmblookup.1.html"><command>nmblookup(1)</command></ulink>,
8754 <ulink url="testparm.1.html"><command>testparm(1)</command></ulink>,
8755 <ulink url="testprns.1.html"><command>testprns(1)</command></ulink>
8756 </para>
8757 </refsect1>
8758
8759 <refsect1>
8760 <title>AUTHOR</title>
8761
8762 <para>The original Samba software and related utilities
8763 were created by Andrew Tridgell. Samba is now developed
8764 by the Samba Team as an Open Source project similar
8765 to the way the Linux kernel is developed.</para>
8766
8767 <para>The original Samba man pages were written by Karl Auer.
8768 The man page sources were converted to YODL format (another
8769 excellent piece of Open Source software, available at
8770 <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
8771 ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
8772 release by Jeremy Allison. The conversion to DocBook for
8773 Samba 2.2 was done by Gerald Carter</para>
8774 </refsect1>
8775
8776 </refentry>
Samba GIT mirror