1 .\" This manpage has been automatically generated by docbook2man-spec
2 .\" from a DocBook document. docbook2man-spec can be found at:
3 .\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
4 .\" Please send any bug reports, improvements, comments, patches,
5 .\" etc. to Steve Cheng <steve@ggi-project.org>.
6 .TH "SMB.CONF" "5" "14 March 2003" "" ""
8 smb.conf \- The configuration file for the Samba suite
11 The \fIsmb.conf\fR file is a configuration
12 file for the Samba suite. \fIsmb.conf\fR contains
13 runtime configuration information for the Samba programs. The
14 \fIsmb.conf\fR file is designed to be configured and
15 administered by the \fBswat(8)\fR
16 program. The complete description of the file format and
17 possible parameters held within are here for reference purposes.
20 The file consists of sections and parameters. A section
21 begins with the name of the section in square brackets and continues
22 until the next section begins. Sections contain parameters of the
27 The file is line-based - that is, each newline-terminated
28 line represents either a comment, a section name or a parameter.
30 Section and parameter names are not case sensitive.
32 Only the first equals sign in a parameter is significant.
33 Whitespace before or after the first equals sign is discarded.
34 Leading, trailing and internal whitespace in section and parameter
35 names is irrelevant. Leading and trailing whitespace in a parameter
36 value is discarded. Internal whitespace within a parameter value
39 Any line beginning with a semicolon (';') or a hash ('#')
40 character is ignored, as are lines containing only whitespace.
42 Any line ending in a '\\' is continued
43 on the next line in the customary UNIX fashion.
45 The values following the equals sign in parameters are all
46 either a string (no quotes needed) or a boolean, which may be given
47 as yes/no, 0/1 or true/false. Case is not significant in boolean
48 values, but is preserved in string values. Some items such as
49 create modes are numeric.
50 .SH "SECTION DESCRIPTIONS"
52 Each section in the configuration file (except for the
53 [global] section) describes a shared resource (known
54 as a "share"). The section name is the name of the
55 shared resource and the parameters within the section define
56 the shares attributes.
58 There are three special sections, [global],
59 [homes] and [printers], which are
60 described under \fBspecial sections\fR. The
61 following notes apply to ordinary section descriptions.
63 A share consists of a directory to which access is being
64 given plus a description of the access rights which are granted
65 to the user of the service. Some housekeeping options are
68 Sections are either file share services (used by the
69 client as an extension of their native file systems) or
70 printable services (used by the client to access print services
71 on the host running the server).
73 Sections may be designated \fBguest\fR services,
74 in which case no password is required to access them. A specified
75 UNIX \fBguest account\fR is used to define access
76 privileges in this case.
78 Sections other than guest services will require a password
79 to access them. The client provides the username. As older clients
80 only provide passwords and not usernames, you may specify a list
81 of usernames to check against the password using the "user ="
82 option in the share definition. For modern clients such as
83 Windows 95/98/ME/NT/2000, this should not be necessary.
85 Note that the access rights granted by the server are
86 masked by the access rights granted to the specified or guest
87 UNIX user by the host system. The server does not grant more
88 access than the host system grants.
90 The following sample section defines a file space share.
91 The user has write access to the path \fI/home/bar\fR.
92 The share is accessed via the share name "foo":
103 The following sample section defines a printable share.
104 The share is readonly, but printable. That is, the only write
105 access permitted is via calls to open, write to and close a
106 spool file. The \fBguest ok\fR parameter means
107 access will be permitted as the default guest user (specified
112 path = /usr/spool/public
120 .SH "SPECIAL SECTIONS"
121 .SS "THE GLOBAL SECTION"
123 parameters in this section apply to the server
124 as a whole, or are defaults for sections which do not
125 specifically define certain items. See the notes
126 under PARAMETERS for more information.
127 .SS "THE HOMES SECTION"
129 If a section called homes is included in the
130 configuration file, services connecting clients to their
131 home directories can be created on the fly by the server.
133 When the connection request is made, the existing
134 sections are scanned. If a match is found, it is used. If no
135 match is found, the requested section name is treated as a
136 user name and looked up in the local password file. If the
137 name exists and the correct password has been given, a share is
138 created by cloning the [homes] section.
140 Some modifications are then made to the newly
144 The share name is changed from homes to
145 the located username.
148 If no path was given, the path is set to
149 the user's home directory.
151 If you decide to use a \fBpath =\fR line
152 in your [homes] section then you may find it useful
153 to use the %S macro. For example :
156 \fBpath = /data/pchome/%S\fR
159 would be useful if you have different home directories
160 for your PCs than for UNIX access.
163 This is a fast and simple way to give a large number
164 of clients access to their home directories with a minimum
168 A similar process occurs if the requested section
169 name is "homes", except that the share name is not
170 changed to that of the requesting user. This method of using
171 the [homes] section works well if different users share
175 The [homes] section can specify all the parameters
176 a normal service section can specify, though some make more sense
177 than others. The following is a typical and suitable [homes]
189 An important point is that if guest access is specified
190 in the [homes] section, all home directories will be
191 visible to all clients \fBwithout a password\fR.
192 In the very unlikely event that this is actually desirable, it
193 would be wise to also specify \fBread only
197 Note that the \fBbrowseable\fR flag for
198 auto home directories will be inherited from the global browseable
199 flag, not the [homes] browseable flag. This is useful as
200 it means setting \fBbrowseable = no\fR in
201 the [homes] section will hide the [homes] share but make
202 any auto home directories visible.
204 .SS "THE PRINTERS SECTION"
206 This section works like [homes],
209 If a [printers] section occurs in the
210 configuration file, users are able to connect to any printer
211 specified in the local host's printcap file.
213 When a connection request is made, the existing sections
214 are scanned. If a match is found, it is used. If no match is found,
215 but a [homes] section exists, it is used as described
216 above. Otherwise, the requested section name is treated as a
217 printer name and the appropriate printcap file is scanned to see
218 if the requested section name is a valid printer share name. If
219 a match is found, a new printer share is created by cloning
220 the [printers] section.
222 A few modifications are then made to the newly created
226 The share name is set to the located printer
230 If no printer name was given, the printer name
231 is set to the located printer name
234 If the share does not permit guest access and
235 no username was given, the username is set to the located
238 Note that the [printers] service MUST be
239 printable - if you specify otherwise, the server will refuse
240 to load the configuration file.
243 Typically the path specified would be that of a
244 world-writeable spool directory with the sticky bit set on
245 it. A typical [printers] entry would look like
251 path = /usr/spool/public
258 All aliases given for a printer in the printcap file
259 are legitimate printer names as far as the server is concerned.
260 If your printing subsystem doesn't work like that, you will have
261 to set up a pseudo-printcap. This is a file consisting of one or
262 more lines like this:
266 alias|alias|alias|alias...
272 Each alias should be an acceptable printer name for
273 your printing subsystem. In the [global] section, specify
274 the new file as your printcap. The server will then only recognize
275 names found in your pseudo-printcap, which of course can contain
276 whatever aliases you like. The same technique could be used
277 simply to limit access to a subset of your local printers.
280 An alias, by the way, is defined as any component of the
281 first entry of a printcap record. Records are separated by newlines,
282 components (if there are more than one) are separated by vertical
286 NOTE: On SYSV systems which use lpstat to determine what
287 printers are defined on the system you may be able to use
288 "printcap name = lpstat" to automatically obtain a list
289 of printers. See the "printcap name" option
294 parameters define the specific attributes of sections.
296 Some parameters are specific to the [global] section
297 (e.g., \fBsecurity\fR). Some parameters are usable
298 in all sections (e.g., \fBcreate mode\fR). All others
299 are permissible only in normal sections. For the purposes of the
300 following descriptions the [homes] and [printers]
301 sections will be considered normal. The letter \fBG\fR
302 in parentheses indicates that a parameter is specific to the
303 [global] section. The letter \fBS\fR
304 indicates that a parameter can be specified in a service specific
305 section. Note that all \fBS\fR parameters can also be specified in
306 the [global] section - in which case they will define
307 the default behavior for all services.
309 parameters are arranged here in alphabetical order - this may
310 not create best bedfellows, but at least you can find them! Where
311 there are synonyms, the preferred synonym is described, others refer
312 to the preferred synonym.
313 .SH "VARIABLE SUBSTITUTIONS"
315 Many of the strings that are settable in the config file
316 can take substitutions. For example the option "path =
317 /tmp/%u" would be interpreted as "path =
318 /tmp/john" if the user connected with the username john.
320 These substitutions are mostly noted in the descriptions below,
321 but there are some general substitutions which apply whenever they
322 might be relevant. These are:
325 the name of the current service, if any.
328 the root directory of the current service,
332 user name of the current service, if any.
335 primary group name of %u.
338 session user name (the user name that the client
339 wanted, not necessarily the same as the one they got).
342 primary group name of %U.
345 the home directory of the user given
352 the Internet hostname that Samba is running
356 the NetBIOS name of the client machine
360 the NetBIOS name of the server. This allows you
361 to change your config based on what the client calls you. Your
362 server can have a "dual personality".
364 Note that this paramater is not available when Samba listens
365 on port 445, as clients no longer send this information
368 the Internet name of the client machine.
371 the name of your NIS home directory server.
372 This is obtained from your NIS auto.map entry. If you have
373 not compiled Samba with the \fB--with-automount\fR
374 option then this value will be the same as %L.
377 the path of the service's home directory,
378 obtained from your NIS auto.map entry. The NIS auto.map entry
379 is split up as "%N:%p".
382 the selected protocol level after
383 protocol negotiation. It can be one of CORE, COREPLUS,
384 LANMAN1, LANMAN2 or NT1.
387 The process id of the current server
391 the architecture of the remote
392 machine. Only some are recognized, and those may not be
393 100% reliable. It currently recognizes Samba, WfWg, Win95,
394 WinNT and Win2k. Anything else will be known as
395 "UNKNOWN". If it gets it wrong then sending a level
396 3 log to samba@samba.org
397 <URL:mailto:samba@samba.org> should allow it to be fixed.
400 The IP address of the client machine.
403 the current date and time.
405 \fB%$(\fIenvvar\fB)\fR
406 The value of the environment variable
409 There are some quite creative things that can be done
410 with these substitutions and other smb.conf options.
414 Samba supports "name mangling" so that DOS and
415 Windows clients can use files that don't conform to the 8.3 format.
416 It can also be set to adjust the case of 8.3 format filenames.
418 There are several options that control the way mangling is
419 performed, and they are grouped here rather than listed separately.
420 For the defaults look at the output of the testparm program.
422 All of these options can be set separately for each service
423 (or globally, of course).
427 \fBmangling method\fR
428 controls the algorithm used for the generating
429 the mangled names. Can take two different values, "hash" and
430 "hash2". "hash" is the default and is the algorithm that has been
431 used in Samba for many years. "hash2" is a newer and considered
432 a better algorithm (generates less collisions) in the names.
433 However, many Win32 applications store the
434 mangled names and so changing to the new algorithm must not be done
435 lightly as these applications may break unless reinstalled.
436 New installations of Samba may set the default to hash2.
439 \fBmangle case = yes/no\fR
440 controls if names that have characters that
441 aren't of the "default" case are mangled. For example,
442 if this is yes then a name like "Mail" would be mangled.
445 \fBcase sensitive = yes/no\fR
446 controls whether filenames are case sensitive. If
447 they aren't then Samba must do a filename search and match on passed
448 names. Default \fBno\fR.
450 \fBdefault case = upper/lower\fR
451 controls what the default case is for new
452 filenames. Default \fBlower\fR.
454 \fBpreserve case = yes/no\fR
455 controls if new files are created with the
456 case that the client passes, or if they are forced to be the
457 "default" case. Default \fByes\fR.
459 \fBshort preserve case = yes/no\fR
460 controls if new files which conform to 8.3 syntax,
461 that is all in upper case and of suitable length, are created
462 upper case, or if they are forced to be the "default"
463 case. This option can be use with "preserve case = yes"
464 to permit long filenames to retain their case, while short names
465 are lowercased. Default \fByes\fR.
467 By default, Samba 2.2 has the same semantics as a Windows
468 NT server, in that it is case insensitive but case preserving.
470 .SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
472 There are a number of ways in which a user can connect
473 to a service. The server uses the following steps in determining
474 if it will allow a connection to a specified service. If all the
475 steps fail, then the connection request is rejected. However, if one of the
476 steps succeeds, then the following steps are not checked.
478 If the service is marked "guest only = yes" and the
479 server is running with share-level security ("security = share")
480 then steps 1 to 5 are skipped.
482 If the client has passed a username/password
483 pair and that username/password pair is validated by the UNIX
484 system's password programs then the connection is made as that
485 username. Note that this includes the
486 \\\\server\\service%\fIusername\fR method of passing
489 If the client has previously registered a username
490 with the system and now supplies a correct password for that
491 username then the connection is allowed.
493 The client's NetBIOS name and any previously
494 used user names are checked against the supplied password, if
495 they match then the connection is allowed as the corresponding
498 If the client has previously validated a
499 username/password pair with the server and the client has passed
500 the validation token then that username is used.
502 If a "user = " field is given in the
503 \fIsmb.conf\fR file for the service and the client
504 has supplied a password, and that password matches (according to
505 the UNIX system's password checking) with one of the usernames
506 from the "user =" field then the connection is made as
507 the username in the "user =" line. If one
508 of the username in the "user =" list begins with a
509 \&'@' then that name expands to a list of names in
510 the group of the same name.
512 If the service is a guest service then a
513 connection is made as the username given in the "guest
514 account =" for the service, irrespective of the
516 .SH "COMPLETE LIST OF GLOBAL PARAMETERS"
518 Here is a list of all global parameters. See the section of
519 each parameter for details. Note that some are synonyms.
522 \fIacl compatibility\fR
525 \fIadd printer command\fR
528 \fIadd share command\fR
531 \fIadd user script\fR
534 \fIallow trusted domains\fR
540 \fIannounce version\fR
546 \fIbind interfaces only\fR
552 \fIchange notify timeout\fR
555 \fIchange share command\fR
561 \fIclient code page\fR
564 \fIcode page directory\fR
576 \fIdebug hires timestamp\fR
582 \fIdebug timestamp\fR
594 \fIdefault service\fR
597 \fIdelete printer command\fR
600 \fIdelete share command\fR
603 \fIdelete user script\fR
609 \fIdisable spoolss\fR
615 \fIdomain admin group\fR
618 \fIdomain guest group\fR
627 \fIencrypt passwords\fR
630 \fIenhanced browsing\fR
633 \fIenumports command\fR
639 \fIhide local users\fR
642 \fIhide unreadable\fR
666 \fIlarge readwrite\fR
705 \fIlock spin count\fR
735 \fImachine password timeout\fR
741 \fImangling method\fR
762 \fImax smbd processes\fR
774 \fImessage command\fR
777 \fImin passwd length\fR
780 \fImin password length\fR
789 \fIname resolve order\fR
792 \fInetbios aliases\fR
804 \fInt pipe support\fR
810 \fInt status support\fR
816 \fIobey pam restrictions\fR
819 \fIoplock break wait time\fR
828 \fIpam password change\fR
837 \fIpasswd chat debug\fR
846 \fIpassword server\fR
849 \fIprefered master\fR
852 \fIpreferred master\fR
864 \fIprinter driver file\fR
879 \fIremote announce\fR
882 \fIremote browse sync\fR
885 \fIrestrict anonymous\fR
903 \fIshow add printer wizard\fR
906 \fIsmb passwd file\fR
915 \fIsource environment\fR
924 \fIssl CA certFile\fR
930 \fIssl client cert\fR
936 \fIssl compatibility\fR
942 \fIssl entropy bytes\fR
945 \fIssl entropy file\fR
951 \fIssl hosts resign\fR
954 \fIssl require clientcert\fR
957 \fIssl require servercert\fR
960 \fIssl server cert\fR
972 \fIstat cache size\fR
984 \fItemplate homedir\fR
999 \fItotal print jobs\fR
1002 \fIunix extensions\fR
1005 \fIunix password sync\fR
1008 \fIupdate encrypted\fR
1017 \fIusername level\fR
1026 \fIutmp directory\fR
1032 \fIwinbind cache time\fR
1035 \fIwinbind enum users\fR
1038 \fIwinbind enum groups\fR
1044 \fIwinbind separator\fR
1050 \fIwinbind use default domain\fR
1069 .SH "COMPLETE LIST OF SERVICE PARAMETERS"
1071 Here is a list of all service parameters. See the section on
1072 each parameter for details. Note that some are synonyms.
1084 \fIblocking locks\fR
1096 \fIcase sensitive\fR
1120 \fIdefault devmode\fR
1123 \fIdelete readonly\fR
1126 \fIdelete veto files\fR
1135 \fIdirectory mask\fR
1138 \fIdirectory mode\fR
1141 \fIdirectory security mask\fR
1150 \fIdos filetime resolution\fR
1159 \fIfake directory create times\fR
1165 \fIfollow symlinks\fR
1168 \fIforce create mode\fR
1171 \fIforce directory mode\fR
1174 \fIforce directory security mode\fR
1180 \fIforce security mode\fR
1183 \fIforce unknown acl user\fR
1204 \fIhide dot files\fR
1222 \fIinherit permissions\fR
1228 \fIlevel2 oplocks\fR
1234 \fIlppause command\fR
1240 \fIlpresume command\fR
1273 \fImax connections\fR
1276 \fImax print jobs\fR
1279 \fImin print space\fR
1285 \fInt acl support\fR
1294 \fIoplock contention limit\fR
1336 \fIprinter driver\fR
1339 \fIprinter driver location\fR
1354 \fIqueuepause command\fR
1357 \fIqueueresume command\fR
1372 \fIroot preexec close\fR
1384 \fIshort preserve case\fR
1390 \fIstrict allocate\fR
1393 \fIstrict locking\fR
1402 \fIuse client driver\fR
1423 \fIveto oplock files\fR
1441 \fIwrite cache size\fR
1451 .SH "EXPLANATION OF EACH PARAMETER"
1453 \fBacl compatibility (G)\fR
1454 New in Samba 2.2.8 and above, this string parameter tells
1455 smbd if it should modify any Windows access control lists created
1456 from POSIX access control lists to remove features which are not
1457 supported by Windows 2000 but not supported by the Windows NT ACL edit.
1460 By default this parameter is set automatically by detecting the
1461 client type and is set to "true" if the client is Windows NT.
1463 Default: \fBclient detected\fR
1465 Example: \fBacl compatibility = Win2k\fR
1467 Example: \fBacl compatibility = winnt\fR
1469 \fBadd printer command (G)\fR
1470 With the introduction of MS-RPC based printing
1471 support for Windows NT/2000 clients in Samba 2.2, The MS Add
1472 Printer Wizard (APW) icon is now also available in the
1473 "Printers..." folder displayed a share listing. The APW
1474 allows for printers to be add remotely to a Samba or Windows
1475 NT/2000 print server.
1477 For a Samba host this means that the printer must be
1478 physically added to the underlying printing system. The \fIadd
1479 printer command\fR defines a script to be run which
1480 will perform the necessary operations for adding the printer
1481 to the print system and to add the appropriate service definition
1482 to the \fIsmb.conf\fR file in order that it can be
1483 shared by \fBsmbd(8)\fR
1486 The \fIadd printer command\fR is
1487 automatically invoked with the following parameter (in
1507 \fIWindows 9x driver location\fR
1510 All parameters are filled in from the PRINTER_INFO_2 structure sent
1511 by the Windows NT/2000 client with one exception. The "Windows 9x
1512 driver location" parameter is included for backwards compatibility
1513 only. The remaining fields in the structure are generated from answers
1514 to the APW questions.
1517 Once the \fIadd printer command\fR has
1518 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to determine if the share defined by the APW
1519 exists. If the sharename is still invalid, then \fBsmbd
1520 \fRwill return an ACCESS_DENIED error to the client.
1523 See also \fI delete printer command\fR, \fIprinting\fR,
1531 Example: \fBaddprinter command = /usr/bin/addprinter
1534 \fBadd share command (G)\fR
1535 Samba 2.2.0 introduced the ability to dynamically
1536 add and delete shares via the Windows NT 4.0 Server Manager. The
1537 \fIadd share command\fR is used to define an
1538 external program or script which will add a new service definition
1539 to \fIsmb.conf\fR. In order to successfully
1540 execute the \fIadd share command\fR, \fBsmbd\fR
1541 requires that the administrator be connected using a root account (i.e.
1544 When executed, \fBsmbd\fR will automatically invoke the
1545 \fIadd share command\fR with four parameters.
1549 \fIconfigFile\fR - the location
1550 of the global \fIsmb.conf\fR file.
1553 \fIshareName\fR - the name of the new
1557 \fIpathName\fR - path to an **existing**
1561 \fIcomment\fR - comment string to associate
1565 This parameter is only used for add file shares. To add printer shares,
1566 see the \fIadd printer
1570 See also \fIchange share
1571 command\fR, \fIdelete share
1578 Example: \fBadd share command = /usr/local/bin/addshare\fR
1581 \fBadd user script (G)\fR
1582 This is the full pathname to a script that will
1583 be run \fBAS ROOT\fR by smbd(8)
1584 under special circumstances described below.
1586 Normally, a Samba server requires that UNIX users are
1587 created for all users accessing files on this server. For sites
1588 that use Windows NT account databases as their primary user database
1589 creating these users and keeping the user list in sync with the
1590 Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users
1591 \fBON DEMAND\fR when a user accesses the Samba server.
1593 In order to use this option, smbd
1594 must \fBNOT\fR be set to \fIsecurity = share\fR
1595 and \fIadd user script\fR
1596 must be set to a full pathname for a script that will create a UNIX
1597 user given one argument of \fI%u\fR, which expands into
1598 the UNIX user name to create.
1600 When the Windows user attempts to access the Samba server,
1601 at login (session setup in the SMB protocol) time, smbd contacts the \fIpassword server\fR and
1602 attempts to authenticate the given user with the given password. If the
1603 authentication succeeds then \fBsmbd\fR
1604 attempts to find a UNIX user in the UNIX password database to map the
1605 Windows user into. If this lookup fails, and \fIadd user script
1606 \fRis set then \fBsmbd\fR will
1607 call the specified script \fBAS ROOT\fR, expanding
1608 any \fI%u\fR argument to be the user name to create.
1610 If this script successfully creates the user then \fBsmbd
1611 \fRwill continue on as though the UNIX user
1612 already existed. In this way, UNIX users are dynamically created to
1613 match existing Windows NT accounts.
1615 See also \fI security\fR, \fIpassword server\fR,
1619 Default: \fBadd user script = <empty string>
1621 Example: \fBadd user script = /usr/local/samba/bin/add_user
1624 \fBadmin users (S)\fR
1625 This is a list of users who will be granted
1626 administrative privileges on the share. This means that they
1627 will do all file operations as the super-user (root).
1629 You should use this option very carefully, as any user in
1630 this list will be able to do anything they like on the share,
1631 irrespective of file permissions.
1633 Default: \fBno admin users\fR
1635 Example: \fBadmin users = jason\fR
1637 \fBallow hosts (S)\fR
1638 Synonym for \fIhosts allow\fR.
1640 \fBallow trusted domains (G)\fR
1641 This option only takes effect when the \fIsecurity\fR option is set to
1643 If it is set to no, then attempts to connect to a resource from
1644 a domain or workgroup other than the one which smbd is running
1645 in will fail, even if that domain is trusted by the remote server
1646 doing the authentication.
1648 This is useful if you only want your Samba server to
1649 serve resources to users in the domain it is a member of. As
1650 an example, suppose that there are two domains DOMA and DOMB. DOMB
1651 is trusted by DOMA, which contains the Samba server. Under normal
1652 circumstances, a user with an account in DOMB can then access the
1653 resources of a UNIX account with the same account name on the
1654 Samba server even if they do not have an account in DOMA. This
1655 can make implementing a security boundary difficult.
1657 Default: \fBallow trusted domains = yes\fR
1659 \fBannounce as (G)\fR
1660 This specifies what type of server
1662 will announce itself as, to a network neighborhood browse
1663 list. By default this is set to Windows NT. The valid options
1664 are : "NT Server" (which can also be written as "NT"),
1665 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
1666 Windows NT Workstation, Windows 95 and Windows for Workgroups
1667 respectively. Do not change this parameter unless you have a
1668 specific need to stop Samba appearing as an NT server as this
1669 may prevent Samba servers from participating as browser servers
1672 Default: \fBannounce as = NT Server\fR
1674 Example: \fBannounce as = Win95\fR
1676 \fBannounce version (G)\fR
1677 This specifies the major and minor version numbers
1678 that nmbd will use when announcing itself as a server. The default
1679 is 4.9. Do not change this parameter unless you have a specific
1680 need to set a Samba server to be a downlevel server.
1682 Default: \fBannounce version = 4.9\fR
1684 Example: \fBannounce version = 2.0\fR
1686 \fBauto services (G)\fR
1687 This is a synonym for the \fIpreload\fR.
1690 This parameter lets you "turn off" a service. If
1691 \fIavailable = no\fR, then \fBALL\fR
1692 attempts to connect to the service will fail. Such failures are
1695 Default: \fBavailable = yes\fR
1697 \fBbind interfaces only (G)\fR
1698 This global parameter allows the Samba admin
1699 to limit what interfaces on a machine will serve SMB requests. If
1700 affects file service smbd(8) and
1701 name service nmbd(8) in slightly
1704 For name service it causes \fBnmbd\fR to bind
1705 to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd
1706 \fRalso binds to the "all addresses" interface (0.0.0.0)
1707 on ports 137 and 138 for the purposes of reading broadcast messages.
1708 If this option is not set then \fBnmbd\fR will service
1709 name requests on all of these sockets. If \fIbind interfaces
1710 only\fR is set then \fBnmbd\fR will check the
1711 source address of any packets coming in on the broadcast sockets
1712 and discard any that don't match the broadcast addresses of the
1713 interfaces in the \fIinterfaces\fR parameter list.
1714 As unicast packets are received on the other sockets it allows
1715 \fBnmbd\fR to refuse to serve names to machines that
1716 send packets that arrive through any interfaces not listed in the
1717 \fIinterfaces\fR list. IP Source address spoofing
1718 does defeat this simple check, however so it must not be used
1719 seriously as a security feature for \fBnmbd\fR.
1721 For file service it causes smbd(8)
1722 to bind only to the interface list given in the interfaces parameter. This restricts the networks that
1723 \fBsmbd\fR will serve to packets coming in those
1724 interfaces. Note that you should not use this parameter for machines
1725 that are serving PPP or other intermittent or non-broadcast network
1726 interfaces as it will not cope with non-permanent interfaces.
1728 If \fIbind interfaces only\fR is set then
1729 unless the network address \fB127.0.0.1\fR is added
1730 to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR
1731 and \fBswat(8)\fR may
1732 not work as expected due to the reasons covered below.
1734 To change a users SMB password, the \fBsmbpasswd\fR
1735 by default connects to the \fBlocalhost - 127.0.0.1\fR
1736 address as an SMB client to issue the password change request. If
1737 \fIbind interfaces only\fR is set then unless the
1738 network address \fB127.0.0.1\fR is added to the
1739 \fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode.
1740 \fBsmbpasswd\fR can be forced to use the primary IP interface
1741 of the local host by using its \fI-r remote machine\fR
1742 parameter, with \fIremote machine\fR set
1743 to the IP name of the primary interface of the local host.
1745 The \fBswat\fR status page tries to connect with
1746 \fBsmbd\fR and \fBnmbd\fR at the address
1747 \fB127.0.0.1\fR to determine if they are running.
1748 Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show
1749 "not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR
1752 Default: \fBbind interfaces only = no\fR
1754 \fBblock size (S)\fR
1755 This parameter controls the behavior of smbd(8) when reporting disk free sizes.
1756 By default, this reports a disk block size of 1024 bytes.
1758 Changing this parameter may have some effect on the
1759 efficiency of client writes, this is not yet confirmed. This
1760 parameter was added to allow advanced administrators to change
1761 it (usually to a higher value) and test the effect it has on
1762 client write performance without re-compiling the code. As this
1763 is an experimental option it may be removed in a future release.
1765 Changing this option does not change the disk free reporting
1766 size, just the block size unit reported to the client.
1768 Default: \fBblock size = 1024\fR
1770 Example: \fBblock size = 65536\fR
1772 \fBblocking locks (S)\fR
1773 This parameter controls the behavior of smbd(8) when given a request by a client
1774 to obtain a byte range lock on a region of an open file, and the
1775 request has a time limit associated with it.
1777 If this parameter is set and the lock range requested
1778 cannot be immediately satisfied, Samba 2.2 will internally
1779 queue the lock request, and periodically attempt to obtain
1780 the lock until the timeout period expires.
1782 If this parameter is set to no, then
1783 Samba 2.2 will behave as previous versions of Samba would and
1784 will fail the lock request immediately if the lock range
1787 Default: \fBblocking locks = yes\fR
1790 See the \fI browseable\fR.
1792 \fBbrowse list (G)\fR
1793 This controls whether \fBsmbd(8)\fR will serve a browse list to
1794 a client doing a \fBNetServerEnum\fR call. Normally
1795 set to yes. You should never need to change
1798 Default: \fBbrowse list = yes\fR
1800 \fBbrowseable (S)\fR
1801 This controls whether this share is seen in
1802 the list of available shares in a net view and in the browse list.
1804 Default: \fBbrowseable = yes\fR
1806 \fBcase sensitive (S)\fR
1807 See the discussion in the section NAME MANGLING.
1809 Default: \fBcase sensitive = no\fR
1811 \fBcasesignames (S)\fR
1815 \fBchange notify timeout (G)\fR
1816 This SMB allows a client to tell a server to
1817 "watch" a particular directory for any changes and only reply to
1818 the SMB request when a change has occurred. Such constant scanning of
1819 a directory is expensive under UNIX, hence an \fBsmbd(8)\fR daemon only performs such a scan
1820 on each requested directory once every \fIchange notify
1823 Default: \fBchange notify timeout = 60\fR
1825 Example: \fBchange notify timeout = 300\fR
1827 Would change the scan time to every 5 minutes.
1829 \fBchange share command (G)\fR
1830 Samba 2.2.0 introduced the ability to dynamically
1831 add and delete shares via the Windows NT 4.0 Server Manager. The
1832 \fIchange share command\fR is used to define an
1833 external program or script which will modify an existing service definition
1834 in \fIsmb.conf\fR. In order to successfully
1835 execute the \fIchange share command\fR, \fBsmbd\fR
1836 requires that the administrator be connected using a root account (i.e.
1839 When executed, \fBsmbd\fR will automatically invoke the
1840 \fIchange share command\fR with four parameters.
1844 \fIconfigFile\fR - the location
1845 of the global \fIsmb.conf\fR file.
1848 \fIshareName\fR - the name of the new
1852 \fIpathName\fR - path to an **existing**
1856 \fIcomment\fR - comment string to associate
1860 This parameter is only used modify existing file shares definitions. To modify
1861 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1864 See also \fIadd share
1865 command\fR, \fIdelete
1872 Example: \fBchange share command = /usr/local/bin/addshare\fR
1875 \fBcharacter set (G)\fR
1876 This allows smbd to map incoming filenames
1877 from a DOS Code page (see the client
1878 code page parameter) to several built in UNIX character sets.
1879 The built in code page translations are:
1883 ISO8859-1 : Western European
1884 UNIX character set. The parameter \fIclient code page\fR
1885 \fBMUST\fR be set to code page 850 if the
1886 \fIcharacter set\fR parameter is set to
1887 ISO8859-1 in order for the conversion to the
1888 UNIX character set to be done correctly.
1891 ISO8859-2 : Eastern European
1892 UNIX character set. The parameter \fIclient code page
1893 \fR\fBMUST\fR be set to code page 852 if
1894 the \fI character set\fR parameter is set
1895 to ISO8859-2 in order for the conversion
1896 to the UNIX character set to be done correctly.
1899 ISO8859-5 : Russian Cyrillic
1900 UNIX character set. The parameter \fIclient code page
1901 \fR\fBMUST\fR be set to code page
1902 866 if the \fIcharacter set \fR parameter is
1903 set to ISO8859-5 in order for the conversion
1904 to the UNIX character set to be done correctly.
1907 ISO8859-7 : Greek UNIX
1908 character set. The parameter \fIclient code page
1909 \fR\fBMUST\fR be set to code page
1910 737 if the \fIcharacter set\fR parameter is
1911 set to ISO8859-7 in order for the conversion
1912 to the UNIX character set to be done correctly.
1915 KOI8-R : Alternate mapping
1916 for Russian Cyrillic UNIX character set. The parameter
1917 \fIclient code page\fR \fBMUST\fR
1918 be set to code page 866 if the \fIcharacter set\fR
1919 parameter is set to KOI8-R in order for the
1920 conversion to the UNIX character set to be done correctly.
1923 \fBBUG\fR. These MSDOS code page to UNIX character
1924 set mappings should be dynamic, like the loading of MS DOS code pages,
1928 Normally this parameter is not set, meaning no filename
1929 translation is done.
1932 Default: \fBcharacter set = <empty string>\fR
1935 Example: \fBcharacter set = ISO8859-1\fR
1938 \fBclient code page (G)\fR
1939 This parameter specifies the DOS code page
1940 that the clients accessing Samba are using. To determine what code
1941 page a Windows or DOS client is using, open a DOS command prompt
1942 and type the command \fBchcp\fR. This will output
1943 the code page. The default for USA MS-DOS, Windows 95, and
1944 Windows NT releases is code page 437. The default for western
1945 European releases of the above operating systems is code page 850.
1947 This parameter tells smbd(8)
1948 which of the \fIcodepage.XXX
1949 \fRfiles to dynamically load on startup. These files,
1950 described more fully in the manual page \fBmake_smbcodepage(1)\fR tell \fB smbd\fR how to map lower to upper case characters to provide
1951 the case insensitivity of filenames that Windows clients expect.
1953 Samba currently ships with the following code page files :
1957 Code Page 437 - MS-DOS Latin US
1960 Code Page 737 - Windows '95 Greek
1963 Code Page 850 - MS-DOS Latin 1
1966 Code Page 852 - MS-DOS Latin 2
1969 Code Page 861 - MS-DOS Icelandic
1972 Code Page 866 - MS-DOS Cyrillic
1975 Code Page 932 - MS-DOS Japanese SJIS
1978 Code Page 936 - MS-DOS Simplified Chinese
1981 Code Page 949 - MS-DOS Korean Hangul
1984 Code Page 950 - MS-DOS Traditional Chinese
1987 Thus this parameter may have any of the values 437, 737, 850, 852,
1988 861, 932, 936, 949, or 950. If you don't find the codepage you need,
1989 read the comments in one of the other codepage files and the
1990 \fBmake_smbcodepage(1)\fR man page and write one. Please
1991 remember to donate it back to the Samba user community.
1994 This parameter co-operates with the \fIvalid
1995 chars\fR parameter in determining what characters are
1996 valid in filenames and how capitalization is done. If you set both
1997 this parameter and the \fIvalid chars\fR parameter
1998 the \fIclient code page\fR parameter
1999 \fBMUST\fR be set before the \fIvalid
2000 chars\fR parameter in the \fIsmb.conf\fR
2001 file. The \fIvalid chars\fR string will then
2002 augment the character settings in the \fIclient code page\fR
2006 If not set, \fIclient code page\fR defaults
2011 chars\fR, \fIcode page directory\fR
2014 Default: \fBclient code page = 850\fR
2017 Example: \fBclient code page = 936\fR
2020 \fBcode page directory (G)\fR
2021 Define the location of the various client code page
2027 Default: \fBcode page directory = ${prefix}/lib/codepages
2029 Example: \fBcode page directory = /usr/share/samba/codepages
2031 \fBcoding system (G)\fR
2032 This parameter is used to determine how incoming
2033 Shift-JIS Japanese characters are mapped from the incoming \fIclient code page\fR
2034 used by the client, into file names in the UNIX filesystem.
2035 Only useful if \fIclient code page\fR is set to
2036 932 (Japanese Shift-JIS). The options are :
2040 SJIS - Shift-JIS. Does no
2041 conversion of the incoming filename.
2044 JIS8, J8BB, J8BH, J8@B,
2045 J8@J, J8@H - Convert from incoming Shift-JIS to eight
2046 bit JIS code with different shift-in, shift out codes.
2049 JIS7, J7BB, J7BH, J7@B, J7@J,
2050 J7@H - Convert from incoming Shift-JIS to seven bit
2051 JIS code with different shift-in, shift out codes.
2054 JUNET, JUBB, JUBH, JU@B, JU@J, JU@H
2055 - Convert from incoming Shift-JIS to JUNET code with different shift-in,
2059 EUC - Convert an incoming
2060 Shift-JIS character to EUC code.
2063 HEX - Convert an incoming
2064 Shift-JIS character to a 3 byte hex representation, i.e.
2068 CAP - Convert an incoming
2069 Shift-JIS character to the 3 byte hex representation used by
2070 the Columbia AppleTalk Program (CAP), i.e. :AB.
2071 This is used for compatibility between Samba and CAP.
2074 Default: \fBcoding system = <empty value>\fR
2078 This is a text field that is seen next to a share
2079 when a client does a queries the server, either via the network
2080 neighborhood or via \fBnet view\fR to list what shares
2083 If you want to set the string that is displayed next to the
2084 machine name then see the \fI server string\fR parameter.
2086 Default: \fBNo comment string\fR
2088 Example: \fBcomment = Fred's Files\fR
2090 \fBconfig file (G)\fR
2091 This allows you to override the config file
2092 to use, instead of the default (usually \fIsmb.conf\fR).
2093 There is a chicken and egg problem here as this option is set
2096 For this reason, if the name of the config file has changed
2097 when the parameters are loaded then it will reload them from
2098 the new config file.
2100 This option takes the usual substitutions, which can
2103 If the config file doesn't exist then it won't be loaded
2104 (allowing you to special case the config files of just a few
2107 Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m
2110 This parameter allows you to "clone" service
2111 entries. The specified service is simply duplicated under the
2112 current service's name. Any parameters specified in the current
2113 section will override those in the section being copied.
2115 This feature lets you set up a 'template' service and
2116 create similar services easily. Note that the service being
2117 copied must occur earlier in the configuration file than the
2118 service doing the copying.
2120 Default: \fBno value\fR
2122 Example: \fBcopy = otherservice\fR
2124 \fBcreate mask (S)\fR
2125 A synonym for this parameter is
2129 When a file is created, the necessary permissions are
2130 calculated according to the mapping from DOS modes to UNIX
2131 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
2132 with this parameter. This parameter may be thought of as a bit-wise
2133 MASK for the UNIX modes of a file. Any bit \fBnot\fR
2134 set here will be removed from the modes set on a file when it is
2137 The default value of this parameter removes the
2138 \&'group' and 'other' write and execute bits from the UNIX modes.
2140 Following this Samba will bit-wise 'OR' the UNIX mode created
2141 from this parameter with the value of the \fIforce create mode\fR
2142 parameter which is set to 000 by default.
2144 This parameter does not affect directory modes. See the
2145 parameter \fIdirectory mode
2148 See also the \fIforce
2149 create mode\fR parameter for forcing particular mode
2150 bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking
2151 mode bits on created directories. See also the \fIinherit permissions\fR parameter.
2153 Note that this parameter does not apply to permissions
2154 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2155 a mask on access control lists also, they need to set the \fIsecurity mask\fR.
2157 Default: \fBcreate mask = 0744\fR
2159 Example: \fBcreate mask = 0775\fR
2161 \fBcreate mode (S)\fR
2162 This is a synonym for \fI create mask\fR.
2164 \fBcsc policy (S)\fR
2165 This stands for \fBclient-side caching
2166 policy\fR, and specifies how clients capable of offline
2167 caching will cache the files in the share. The valid values
2168 are: manual, documents, programs, disable.
2170 These values correspond to those used on Windows
2173 For example, shares containing roaming profiles can have
2174 offline caching disabled using \fBcsc policy = disable
2177 Default: \fBcsc policy = manual\fR
2179 Example: \fBcsc policy = programs\fR
2182 The value of the parameter (a decimal integer)
2183 represents the number of minutes of inactivity before a connection
2184 is considered dead, and it is disconnected. The deadtime only takes
2185 effect if the number of open files is zero.
2187 This is useful to stop a server's resources being
2188 exhausted by a large number of inactive connections.
2190 Most clients have an auto-reconnect feature when a
2191 connection is broken so in most cases this parameter should be
2192 transparent to users.
2194 Using this parameter with a timeout of a few minutes
2195 is recommended for most systems.
2197 A deadtime of zero indicates that no auto-disconnection
2198 should be performed.
2200 Default: \fBdeadtime = 0\fR
2202 Example: \fBdeadtime = 15\fR
2204 \fBdebug hires timestamp (G)\fR
2205 Sometimes the timestamps in the log messages
2206 are needed with a resolution of higher that seconds, this
2207 boolean parameter adds microsecond resolution to the timestamp
2208 message header when turned on.
2210 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2213 Default: \fBdebug hires timestamp = no\fR
2216 When using only one log file for more then one
2217 forked smbdprocess there may be hard to follow which process
2218 outputs which message. This boolean parameter is adds the process-id
2219 to the timestamp message headers in the logfile when turned on.
2221 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2224 Default: \fBdebug pid = no\fR
2226 \fBdebug timestamp (G)\fR
2227 Samba 2.2 debug log messages are timestamped
2228 by default. If you are running at a high \fIdebug level\fR these timestamps
2229 can be distracting. This boolean parameter allows timestamping
2232 Default: \fBdebug timestamp = yes\fR
2235 Samba is sometimes run as root and sometime
2236 run as the connected user, this boolean parameter inserts the
2237 current euid, egid, uid and gid to the timestamp message headers
2238 in the log file if turned on.
2240 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2243 Default: \fBdebug uid = no\fR
2245 \fBdebuglevel (G)\fR
2246 Synonym for \fI log level\fR.
2249 A synonym for \fI default service\fR.
2251 \fBdefault case (S)\fR
2252 See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter.
2254 Default: \fBdefault case = lower\fR
2256 \fBdefault devmode (S)\fR
2257 This parameter is only applicable to printable services. When smbd is serving
2258 Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
2259 server has a Device Mode which defines things such as paper size and
2260 orientation and duplex settings. The device mode can only correctly be
2261 generated by the printer driver itself (which can only be executed on a
2262 Win32 platform). Because smbd is unable to execute the driver code
2263 to generate the device mode, the default behavior is to set this field
2266 Most problems with serving printer drivers to Windows NT/2k/XP clients
2267 can be traced to a problem with the generated device mode. Certain drivers
2268 will do things such as crashing the client's Explorer.exe with a NULL devmode.
2269 However, other printer drivers can cause the client's spooler service
2270 (spoolsv.exe) to die if the devmode was not created by the driver itself
2271 (i.e. smbd generates a default devmode).
2273 This parameter should be used with care and tested with the printer
2274 driver in question. It is better to leave the device mode to NULL
2275 and let the Windows client set the correct values. Because drivers do not
2276 do this all the time, setting \fBdefault devmode = yes\fR
2277 will instruct smbd to generate a default one.
2279 For more information on Windows NT/2k printing and Device Modes,
2280 see the MSDN documentation <URL:http://msdn.microsoft.com/>.
2282 Default: \fBdefault devmode = no\fR
2284 \fBdefault service (G)\fR
2285 This parameter specifies the name of a service
2286 which will be connected to if the service actually requested cannot
2287 be found. Note that the square brackets are \fBNOT\fR
2288 given in the parameter value (see example below).
2290 There is no default value for this parameter. If this
2291 parameter is not given, attempting to connect to a nonexistent
2292 service results in an error.
2294 Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service.
2296 Also note that the apparent service name will be changed
2297 to equal that of the requested service, this is very useful as it
2298 allows you to use macros like \fI%S\fR to make
2301 Note also that any "_" characters in the name of the service
2302 used in the default service will get mapped to a "/". This allows for
2310 default service = pub
2318 \fBdelete printer command (G)\fR
2319 With the introduction of MS-RPC based printer
2320 support for Windows NT/2000 clients in Samba 2.2, it is now
2321 possible to delete printer at run time by issuing the
2322 DeletePrinter() RPC call.
2324 For a Samba host this means that the printer must be
2325 physically deleted from underlying printing system. The \fI deleteprinter command\fR defines a script to be run which
2326 will perform the necessary operations for removing the printer
2327 from the print system and from \fIsmb.conf\fR.
2329 The \fIdelete printer command\fR is
2330 automatically called with only one parameter: \fI "printer name"\fR.
2332 Once the \fIdelete printer command\fR has
2333 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to associated printer no longer exists.
2334 If the sharename is still valid, then \fBsmbd
2335 \fRwill return an ACCESS_DENIED error to the client.
2337 See also \fI add printer command\fR, \fIprinting\fR,
2343 Example: \fBdeleteprinter command = /usr/bin/removeprinter
2345 \fBdelete readonly (S)\fR
2346 This parameter allows readonly files to be deleted.
2347 This is not normal DOS semantics, but is allowed by UNIX.
2349 This option may be useful for running applications such
2350 as rcs, where UNIX file ownership prevents changing file
2351 permissions, and DOS semantics prevent deletion of a read only file.
2353 Default: \fBdelete readonly = no\fR
2355 \fBdelete share command (G)\fR
2356 Samba 2.2.0 introduced the ability to dynamically
2357 add and delete shares via the Windows NT 4.0 Server Manager. The
2358 \fIdelete share command\fR is used to define an
2359 external program or script which will remove an existing service
2360 definition from \fIsmb.conf\fR. In order to successfully
2361 execute the \fIdelete share command\fR, \fBsmbd\fR
2362 requires that the administrator be connected using a root account (i.e.
2365 When executed, \fBsmbd\fR will automatically invoke the
2366 \fIdelete share command\fR with two parameters.
2370 \fIconfigFile\fR - the location
2371 of the global \fIsmb.conf\fR file.
2374 \fIshareName\fR - the name of
2375 the existing service.
2378 This parameter is only used to remove file shares. To delete printer shares,
2379 see the \fIdelete printer
2383 See also \fIadd share
2384 command\fR, \fIchange
2391 Example: \fBdelete share command = /usr/local/bin/delshare\fR
2394 \fBdelete user script (G)\fR
2395 This is the full pathname to a script that will
2396 be run \fBAS ROOT\fR by \fBsmbd(8)\fR under special circumstances
2399 Normally, a Samba server requires that UNIX users are
2400 created for all users accessing files on this server. For sites
2401 that use Windows NT account databases as their primary user database
2402 creating these users and keeping the user list in sync with the
2403 Windows NT PDC is an onerous task. This option allows \fB smbd\fR to delete the required UNIX users \fBON
2404 DEMAND\fR when a user accesses the Samba server and the
2405 Windows NT user no longer exists.
2407 In order to use this option, \fBsmbd\fR must be
2408 set to \fIsecurity = domain\fR or \fIsecurity =
2409 user\fR and \fIdelete user script\fR
2410 must be set to a full pathname for a script
2411 that will delete a UNIX user given one argument of \fI%u\fR,
2412 which expands into the UNIX user name to delete.
2414 When the Windows user attempts to access the Samba server,
2415 at \fBlogin\fR (session setup in the SMB protocol)
2416 time, \fBsmbd\fR contacts the \fIpassword server\fR and attempts to authenticate
2417 the given user with the given password. If the authentication fails
2418 with the specific Domain error code meaning that the user no longer
2419 exists then \fBsmbd\fR attempts to find a UNIX user in
2420 the UNIX password database that matches the Windows user account. If
2421 this lookup succeeds, and \fIdelete user script\fR is
2422 set then \fBsmbd\fR will all the specified script
2423 \fBAS ROOT\fR, expanding any \fI%u\fR
2424 argument to be the user name to delete.
2426 This script should delete the given UNIX username. In this way,
2427 UNIX users are dynamically deleted to match existing Windows NT
2430 See also security = domain,
2431 \fIpassword server\fR
2432 , \fIadd user script\fR
2435 Default: \fBdelete user script = <empty string>
2437 Example: \fBdelete user script = /usr/local/samba/bin/del_user
2440 \fBdelete veto files (S)\fR
2441 This option is used when Samba is attempting to
2442 delete a directory that contains one or more vetoed directories
2443 (see the \fIveto files\fR
2444 option). If this option is set to no (the default) then if a vetoed
2445 directory contains any non-vetoed files or directories then the
2446 directory delete will fail. This is usually what you want.
2448 If this option is set to yes, then Samba
2449 will attempt to recursively delete any files and directories within
2450 the vetoed directory. This can be useful for integration with file
2451 serving systems such as NetAtalk which create meta-files within
2452 directories you might normally veto DOS/Windows users from seeing
2453 (e.g. \fI.AppleDouble\fR)
2455 Setting \fBdelete veto files = yes\fR allows these
2456 directories to be transparently deleted when the parent directory
2457 is deleted (so long as the user has permissions to do so).
2459 See also the \fIveto
2462 Default: \fBdelete veto files = no\fR
2464 \fBdeny hosts (S)\fR
2465 Synonym for \fIhosts
2468 \fBdfree command (G)\fR
2469 The \fIdfree command\fR setting should
2470 only be used on systems where a problem occurs with the internal
2471 disk space calculations. This has been known to happen with Ultrix,
2472 but may occur with other operating systems. The symptom that was
2473 seen was an error of "Abort Retry Ignore" at the end of each
2476 This setting allows the replacement of the internal routines to
2477 calculate the total disk space and amount available with an external
2478 routine. The example below gives a possible script that might fulfill
2481 The external program will be passed a single parameter indicating
2482 a directory in the filesystem being queried. This will typically consist
2483 of the string \fI./\fR. The script should return two
2484 integers in ASCII. The first should be the total disk space in blocks,
2485 and the second should be the number of available blocks. An optional
2486 third return value can give the block size in bytes. The default
2487 blocksize is 1024 bytes.
2489 Note: Your script should \fBNOT\fR be setuid or
2490 setgid and should be owned by (and writeable only by) root!
2492 Default: \fBBy default internal routines for
2493 determining the disk capacity and remaining space will be used.
2495 Example: \fBdfree command = /usr/local/samba/bin/dfree
2497 Where the script dfree (which must be made executable) could be:
2503 df $1 | tail -1 | awk '{print $2" "$4}'
2508 or perhaps (on Sys V based systems):
2514 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
2519 Note that you may have to replace the command names
2520 with full path names on some systems.
2526 \fBdirectory mask (S)\fR
2527 This parameter is the octal modes which are
2528 used when converting DOS modes to UNIX modes when creating UNIX
2531 When a directory is created, the necessary permissions are
2532 calculated according to the mapping from DOS modes to UNIX permissions,
2533 and the resulting UNIX mode is then bit-wise 'AND'ed with this
2534 parameter. This parameter may be thought of as a bit-wise MASK for
2535 the UNIX modes of a directory. Any bit \fBnot\fR set
2536 here will be removed from the modes set on a directory when it is
2539 The default value of this parameter removes the 'group'
2540 and 'other' write bits from the UNIX mode, allowing only the
2541 user who owns the directory to modify it.
2543 Following this Samba will bit-wise 'OR' the UNIX mode
2544 created from this parameter with the value of the \fIforce directory mode
2545 \fRparameter. This parameter is set to 000 by
2546 default (i.e. no extra mode bits are added).
2548 Note that this parameter does not apply to permissions
2549 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2550 a mask on access control lists also, they need to set the \fIdirectory security mask\fR.
2553 directory mode\fR parameter to cause particular mode
2554 bits to always be set on created directories.
2556 See also the \fIcreate mode
2557 \fRparameter for masking mode bits on created files,
2558 and the \fIdirectory
2559 security mask\fR parameter.
2561 Also refer to the \fI inherit permissions\fR parameter.
2563 Default: \fBdirectory mask = 0755\fR
2565 Example: \fBdirectory mask = 0775\fR
2567 \fBdirectory mode (S)\fR
2568 Synonym for \fI directory mask\fR
2570 \fBdirectory security mask (S)\fR
2571 This parameter controls what UNIX permission bits
2572 can be modified when a Windows NT client is manipulating the UNIX
2573 permission on a directory using the native NT security dialog
2576 This parameter is applied as a mask (AND'ed with) to
2577 the changed permission bits, thus preventing any bits not in
2578 this mask from being modified. Essentially, zero bits in this
2579 mask may be treated as a set of bits the user is not allowed
2582 If not set explicitly this parameter is set to 0777
2583 meaning a user is allowed to modify all the user/group/world
2584 permissions on a directory.
2586 \fBNote\fR that users who can access the
2587 Samba server through other means can easily bypass this restriction,
2588 so it is primarily useful for standalone "appliance" systems.
2589 Administrators of most normal systems will probably want to leave
2590 it as the default of 0777.
2592 See also the \fI force directory security mode\fR, \fIsecurity mask\fR,
2593 \fIforce security mode
2596 Default: \fBdirectory security mask = 0777\fR
2598 Example: \fBdirectory security mask = 0700\fR
2600 \fBdisable spoolss (G)\fR
2601 Enabling this parameter will disables Samba's support
2602 for the SPOOLSS set of MS-RPC's and will yield identical behavior
2603 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
2604 Lanman style printing commands. Windows 9x/ME will be uneffected by
2605 the parameter. However, this will also disable the ability to upload
2606 printer drivers to a Samba server via the Windows NT Add Printer
2607 Wizard or by using the NT printer properties dialog window. It will
2608 also disable the capability of Windows NT/2000 clients to download
2609 print drivers from the Samba host upon demand.
2610 \fBBe very careful about enabling this parameter.\fR
2612 See also use client driver
2614 Default : \fBdisable spoolss = no\fR
2617 Specifies that nmbd(8)
2618 when acting as a WINS server and finding that a NetBIOS name has not
2619 been registered, should treat the NetBIOS name word-for-word as a DNS
2620 name and do a lookup with the DNS server for that name on behalf of
2621 the name-querying client.
2623 Note that the maximum length for a NetBIOS name is 15
2624 characters, so the DNS name (or DNS alias) can likewise only be
2625 15 characters, maximum.
2627 \fBnmbd\fR spawns a second copy of itself to do the
2628 DNS name lookup requests, as doing a name lookup is a blocking
2631 See also the parameter \fI wins support\fR.
2633 Default: \fBdns proxy = yes\fR
2635 \fBdomain admin group (G)\fR
2636 This parameter is intended as a temporary solution
2637 to enable users to be a member of the "Domain Admins" group when
2638 a Samba host is acting as a PDC. A complete solution will be provided
2639 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2640 Please note that this parameter has a somewhat confusing name. It
2641 accepts a list of usernames and of group names in standard
2642 \fIsmb.conf\fR notation.
2645 guest group\fR, \fIdomain
2648 Default: \fBno domain administrators\fR
2650 Example: \fBdomain admin group = root @wheel\fR
2652 \fBdomain guest group (G)\fR
2653 This parameter is intended as a temporary solution
2654 to enable users to be a member of the "Domain Guests" group when
2655 a Samba host is acting as a PDC. A complete solution will be provided
2656 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2657 Please note that this parameter has a somewhat confusing name. It
2658 accepts a list of usernames and of group names in standard
2659 \fIsmb.conf\fR notation.
2662 admin group\fR, \fIdomain
2665 Default: \fBno domain guests\fR
2667 Example: \fBdomain guest group = nobody @guest\fR
2669 \fBdomain logons (G)\fR
2670 If set to yes, the Samba server will serve
2671 Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also
2672 has limited capability to act as a domain controller for Windows
2673 NT 4 Domains. For more details on setting up this feature see
2674 the Samba-PDC-HOWTO included in the \fIhtmldocs/\fR
2675 directory shipped with the source code.
2677 Default: \fBdomain logons = no\fR
2679 \fBdomain master (G)\fR
2680 Tell \fB nmbd(8)\fR to enable WAN-wide browse list
2681 collation. Setting this option causes \fBnmbd\fR to
2682 claim a special domain specific NetBIOS name that identifies
2683 it as a domain master browser for its given \fIworkgroup\fR. Local master browsers
2684 in the same \fIworkgroup\fR on broadcast-isolated
2685 subnets will give this \fBnmbd\fR their local browse lists,
2686 and then ask \fBsmbd(8)\fR
2687 for a complete copy of the browse list for the whole wide area
2688 network. Browser clients will then contact their local master browser,
2689 and will receive the domain-wide browse list, instead of just the list
2690 for their broadcast-isolated subnet.
2692 Note that Windows NT Primary Domain Controllers expect to be
2693 able to claim this \fIworkgroup\fR specific special
2694 NetBIOS name that identifies them as domain master browsers for
2695 that \fIworkgroup\fR by default (i.e. there is no
2696 way to prevent a Windows NT PDC from attempting to do this). This
2697 means that if this parameter is set and \fBnmbd\fR claims
2698 the special name for a \fIworkgroup\fR before a Windows
2699 NT PDC is able to do so then cross subnet browsing will behave
2700 strangely and may fail.
2702 If \fBdomain logons = yes\fR
2703 , then the default behavior is to enable the \fIdomain
2704 master\fR parameter. If \fIdomain logons\fR is
2705 not enabled (the default setting), then neither will \fIdomain
2706 master\fR be enabled by default.
2708 Default: \fBdomain master = auto\fR
2710 \fBdont descend (S)\fR
2711 There are certain directories on some systems
2712 (e.g., the \fI/proc\fR tree under Linux) that are either not
2713 of interest to clients or are infinitely deep (recursive). This
2714 parameter allows you to specify a comma-delimited list of directories
2715 that the server should always show as empty.
2717 Note that Samba can be very fussy about the exact format
2718 of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR.
2719 Experimentation is the best policy :-)
2721 Default: \fBnone (i.e., all directories are OK
2724 Example: \fBdont descend = /proc,/dev\fR
2726 \fBdos filemode (S)\fR
2727 The default behavior in Samba is to provide
2728 UNIX-like behavior where only the owner of a file/directory is
2729 able to change the permissions on it. However, this behavior
2730 is often confusing to DOS/Windows users. Enabling this parameter
2731 allows a user who has write access to the file (by whatever
2732 means) to modify the permissions on it. Note that a user
2733 belonging to the group owning the file will not be allowed to
2734 change permissions if the group is only granted read access.
2735 Ownership of the file/directory is not changed, only the permissions
2738 Default: \fBdos filemode = no\fR
2740 \fBdos filetime resolution (S)\fR
2741 Under the DOS and Windows FAT filesystem, the finest
2742 granularity on time resolution is two seconds. Setting this parameter
2743 for a share causes Samba to round the reported time down to the
2744 nearest two second boundary when a query call that requires one second
2745 resolution is made to \fBsmbd(8)\fR
2748 This option is mainly used as a compatibility option for Visual
2749 C++ when used against Samba shares. If oplocks are enabled on a
2750 share, Visual C++ uses two different time reading calls to check if a
2751 file has changed since it was last read. One of these calls uses a
2752 one-second granularity, the other uses a two second granularity. As
2753 the two second call rounds any odd second down, then if the file has a
2754 timestamp of an odd number of seconds then the two timestamps will not
2755 match and Visual C++ will keep reporting the file has changed. Setting
2756 this option causes the two timestamps to match, and Visual C++ is
2759 Default: \fBdos filetime resolution = no\fR
2761 \fBdos filetimes (S)\fR
2762 Under DOS and Windows, if a user can write to a
2763 file they can change the timestamp on it. Under POSIX semantics,
2764 only the owner of the file or root may change the timestamp. By
2765 default, Samba runs with POSIX semantics and refuses to change the
2766 timestamp on a file if the user \fBsmbd\fR is acting
2767 on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd will change the file
2768 timestamp as DOS requires.
2770 Default: \fBdos filetimes = no\fR
2772 \fBencrypt passwords (G)\fR
2773 This boolean controls whether encrypted passwords
2774 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2775 above and also Windows 98 will by default expect encrypted passwords
2776 unless a registry entry is changed. To use encrypted passwords in
2777 Samba see the file ENCRYPTION.txt in the Samba documentation
2778 directory \fIdocs/\fR shipped with the source code.
2780 In order for encrypted passwords to work correctly
2781 \fBsmbd(8)\fR must either
2782 have access to a local \fIsmbpasswd(5)
2783 \fR program for information on how to set up
2784 and maintain this file), or set the security = [server|domain] parameter which
2785 causes \fBsmbd\fR to authenticate against another
2788 Default: \fBencrypt passwords = no\fR
2790 \fBenhanced browsing (G)\fR
2791 This option enables a couple of enhancements to
2792 cross-subnet browse propagation that have been added in Samba
2793 but which are not standard in Microsoft implementations.
2795 The first enhancement to browse propagation consists of a regular
2796 wildcard query to a Samba WINS server for all Domain Master Browsers,
2797 followed by a browse synchronization with each of the returned
2798 DMBs. The second enhancement consists of a regular randomised browse
2799 synchronization with all currently known DMBs.
2801 You may wish to disable this option if you have a problem with empty
2802 workgroups not disappearing from browse lists. Due to the restrictions
2803 of the browse protocols these enhancements can cause a empty workgroup
2804 to stay around forever which can be annoying.
2806 In general you should leave this option enabled as it makes
2807 cross-subnet browse propagation much more reliable.
2809 Default: \fBenhanced browsing = yes\fR
2811 \fBenumports command (G)\fR
2812 The concept of a "port" is fairly foreign
2813 to UNIX hosts. Under Windows NT/2000 print servers, a port
2814 is associated with a port monitor and generally takes the form of
2815 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2816 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2817 port defined--"Samba Printer Port". Under
2818 Windows NT/2000, all printers must have a valid port name.
2819 If you wish to have a list of ports displayed (\fBsmbd
2820 \fRdoes not use a port name for anything) other than
2821 the default "Samba Printer Port", you
2822 can define \fIenumports command\fR to point to
2823 a program which should generate a list of ports, one per line,
2824 to standard output. This listing will then be used in response
2825 to the level 1 and 2 EnumPorts() RPC.
2827 Default: \fBno enumports command\fR
2829 Example: \fBenumports command = /usr/bin/listports
2832 This is a synonym for \fIpreexec\fR.
2834 \fBfake directory create times (S)\fR
2835 NTFS and Windows VFAT file systems keep a create
2836 time for all files and directories. This is not the same as the
2837 ctime - status change time - that Unix keeps, so Samba by default
2838 reports the earliest of the various times Unix does keep. Setting
2839 this parameter for a share causes Samba to always report midnight
2840 1-1-1980 as the create time for directories.
2842 This option is mainly used as a compatibility option for
2843 Visual C++ when used against Samba shares. Visual C++ generated
2844 makefiles have the object directory as a dependency for each object
2845 file, and a make rule to create the directory. Also, when NMAKE
2846 compares timestamps it uses the creation time when examining a
2847 directory. Thus the object directory will be created if it does not
2848 exist, but once it does exist it will always have an earlier
2849 timestamp than the object files it contains.
2851 However, Unix time semantics mean that the create time
2852 reported by Samba will be updated whenever a file is created or
2853 or deleted in the directory. NMAKE finds all object files in
2854 the object directory. The timestamp of the last one built is then
2855 compared to the timestamp of the object directory. If the
2856 directory's timestamp if newer, then all object files
2857 will be rebuilt. Enabling this option
2858 ensures directories always predate their contents and an NMAKE build
2859 will proceed as expected.
2861 Default: \fBfake directory create times = no\fR
2863 \fBfake oplocks (S)\fR
2864 Oplocks are the way that SMB clients get permission
2865 from a server to locally cache file operations. If a server grants
2866 an oplock (opportunistic lock) then the client is free to assume
2867 that it is the only one accessing the file and it will aggressively
2868 cache file data. With some oplock types the client may even cache
2869 file open/close operations. This can give enormous performance benefits.
2871 When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fR will
2872 always grant oplock requests no matter how many clients are using
2875 It is generally much better to use the real \fIoplocks\fR support rather
2876 than this parameter.
2878 If you enable this option on all read-only shares or
2879 shares that you know will only be accessed from one client at a
2880 time such as physically read-only media like CDROMs, you will see
2881 a big performance improvement on many operations. If you enable
2882 this option on shares where multiple clients may be accessing the
2883 files read-write at the same time you can get data corruption. Use
2884 this option carefully!
2886 Default: \fBfake oplocks = no\fR
2888 \fBfollow symlinks (S)\fR
2889 This parameter allows the Samba administrator
2890 to stop \fBsmbd(8)\fR
2891 from following symbolic links in a particular share. Setting this
2892 parameter to no prevents any file or directory
2893 that is a symbolic link from being followed (the user will get an
2894 error). This option is very useful to stop users from adding a
2895 symbolic link to \fI/etc/passwd\fR in their home
2896 directory for instance. However it will slow filename lookups
2899 This option is enabled (i.e. \fBsmbd\fR will
2900 follow symbolic links) by default.
2902 Default: \fBfollow symlinks = yes\fR
2904 \fBforce create mode (S)\fR
2905 This parameter specifies a set of UNIX mode bit
2906 permissions that will \fBalways\fR be set on a
2907 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2908 the mode bits of a file that is being created or having its
2909 permissions changed. The default for this parameter is (in octal)
2910 000. The modes in this parameter are bitwise 'OR'ed onto the file
2911 mode after the mask set in the \fIcreate mask\fR
2912 parameter is applied.
2914 See also the parameter \fIcreate
2915 mask\fR for details on masking mode bits on files.
2917 See also the \fIinherit
2918 permissions\fR parameter.
2920 Default: \fBforce create mode = 000\fR
2922 Example: \fBforce create mode = 0755\fR
2924 would force all created files to have read and execute
2925 permissions set for 'group' and 'other' as well as the
2926 read/write/execute bits set for the 'user'.
2928 \fBforce directory mode (S)\fR
2929 This parameter specifies a set of UNIX mode bit
2930 permissions that will \fBalways\fR be set on a directory
2931 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2932 mode bits of a directory that is being created. The default for this
2933 parameter is (in octal) 0000 which will not add any extra permission
2934 bits to a created directory. This operation is done after the mode
2935 mask in the parameter \fIdirectory mask\fR is
2938 See also the parameter \fI directory mask\fR for details on masking mode bits
2939 on created directories.
2941 See also the \fI inherit permissions\fR parameter.
2943 Default: \fBforce directory mode = 000\fR
2945 Example: \fBforce directory mode = 0755\fR
2947 would force all created directories to have read and execute
2948 permissions set for 'group' and 'other' as well as the
2949 read/write/execute bits set for the 'user'.
2951 \fBforce directory\fR
2952 This parameter controls what UNIX permission bits
2953 can be modified when a Windows NT client is manipulating the UNIX
2954 permission on a directory using the native NT security dialog box.
2956 This parameter is applied as a mask (OR'ed with) to the
2957 changed permission bits, thus forcing any bits in this mask that
2958 the user may have modified to be on. Essentially, one bits in this
2959 mask may be treated as a set of bits that, when modifying security
2960 on a directory, the user has always set to be 'on'.
2962 If not set explicitly this parameter is 000, which
2963 allows a user to modify all the user/group/world permissions on a
2964 directory without restrictions.
2966 \fBNote\fR that users who can access the
2967 Samba server through other means can easily bypass this restriction,
2968 so it is primarily useful for standalone "appliance" systems.
2969 Administrators of most normal systems will probably want to leave
2972 See also the \fI directory security mask\fR, \fIsecurity mask\fR,
2973 \fIforce security mode
2976 Default: \fBforce directory security mode = 0\fR
2978 Example: \fBforce directory security mode = 700\fR
2980 \fBforce group (S)\fR
2981 This specifies a UNIX group name that will be
2982 assigned as the default primary group for all users connecting
2983 to this service. This is useful for sharing files by ensuring
2984 that all access to files on service will use the named group for
2985 their permissions checking. Thus, by assigning permissions for this
2986 group to the files and directories within this service the Samba
2987 administrator can restrict or allow sharing of these files.
2989 In Samba 2.0.5 and above this parameter has extended
2990 functionality in the following way. If the group name listed here
2991 has a '+' character prepended to it then the current user accessing
2992 the share only has the primary group default assigned to this group
2993 if they are already assigned as a member of that group. This allows
2994 an administrator to decide that only users who are already in a
2995 particular group will create files with group ownership set to that
2996 group. This gives a finer granularity of ownership assignment. For
2997 example, the setting \fIforce group = +sys\fR means
2998 that only users who are already in group sys will have their default
2999 primary group assigned to sys when accessing this Samba share. All
3000 other users will retain their ordinary primary group.
3002 If the \fIforce user
3003 \fRparameter is also set the group specified in
3004 \fIforce group\fR will override the primary group
3005 set in \fIforce user\fR.
3010 Default: \fBno forced group\fR
3012 Example: \fBforce group = agroup\fR
3014 \fBforce security mode (S)\fR
3015 This parameter controls what UNIX permission
3016 bits can be modified when a Windows NT client is manipulating
3017 the UNIX permission on a file using the native NT security dialog
3020 This parameter is applied as a mask (OR'ed with) to the
3021 changed permission bits, thus forcing any bits in this mask that
3022 the user may have modified to be on. Essentially, one bits in this
3023 mask may be treated as a set of bits that, when modifying security
3024 on a file, the user has always set to be 'on'.
3026 If not set explicitly this parameter is set to 0,
3027 and allows a user to modify all the user/group/world permissions on a file,
3028 with no restrictions.
3030 \fBNote\fR that users who can access
3031 the Samba server through other means can easily bypass this restriction,
3032 so it is primarily useful for standalone "appliance" systems.
3033 Administrators of most normal systems will probably want to leave
3036 See also the \fI force directory security mode\fR,
3037 \fIdirectory security
3038 mask\fR, \fI security mask\fR parameters.
3040 Default: \fBforce security mode = 0\fR
3042 Example: \fBforce security mode = 700\fR
3044 \fBforce unknown acl user (S)\fR
3045 If this parameter is set, a Windows NT ACL that contains
3046 an unknown SID (security descriptor, or representation of a user or group id)
3047 as the owner or group owner of the file will be silently mapped into the
3048 current UNIX uid or gid of the currently connected user.
3050 This is designed to allow Windows NT clients to copy files and
3051 folders containing ACLs that were created locally on the client machine
3052 and contain users local to that machine only (no domain users) to be
3053 copied to a Samba server (usually with XCOPY /O) and have the unknown
3054 userid and groupid of the file owner map to the current connected user.
3055 This can only be fixed correctly when winbindd allows arbitrary mapping
3056 from any Windows NT SID to a UNIX uid or gid.
3058 Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
3060 See also \fIforce group
3062 Default: \fBFalse\fR
3064 Example: \fBforce unknown acl user = yes\fR
3066 \fBforce user (S)\fR
3067 This specifies a UNIX user name that will be
3068 assigned as the default user for all users connecting to this service.
3069 This is useful for sharing files. You should also use it carefully
3070 as using it incorrectly can cause security problems.
3072 This user name only gets used once a connection is established.
3073 Thus clients still need to connect as a valid user and supply a
3074 valid password. Once connected, all file operations will be performed
3075 as the "forced user", no matter what username the client connected
3076 as. This can be very useful.
3078 In Samba 2.0.5 and above this parameter also causes the
3079 primary group of the forced user to be used as the primary group
3080 for all file activity. Prior to 2.0.5 the primary group was left
3081 as the primary group of the connecting user (this was a bug).
3083 See also \fIforce group
3085 Default: \fBno forced user\fR
3087 Example: \fBforce user = auser\fR
3090 This parameter allows the administrator to
3091 configure the string that specifies the type of filesystem a share
3092 is using that is reported by \fBsmbd(8)
3093 \fR when a client queries the filesystem type
3094 for a share. The default type is NTFS for
3095 compatibility with Windows NT but this can be changed to other
3096 strings such as Samba or FAT
3099 Default: \fBfstype = NTFS\fR
3101 Example: \fBfstype = Samba\fR
3103 \fBgetwd cache (G)\fR
3104 This is a tuning option. When this is enabled a
3105 caching algorithm will be used to reduce the time taken for getwd()
3106 calls. This can have a significant impact on performance, especially
3107 when the \fIwide links\fR
3108 parameter is set to no.
3110 Default: \fBgetwd cache = yes\fR
3113 Synonym for \fIforce
3116 \fBguest account (S)\fR
3117 This is a username which will be used for access
3118 to services which are specified as \fI guest ok\fR (see below). Whatever privileges this
3119 user has will be available to any client connecting to the guest service.
3120 Typically this user will exist in the password file, but will not
3121 have a valid login. The user account "ftp" is often a good choice
3122 for this parameter. If a username is specified in a given service,
3123 the specified username overrides this one.
3125 One some systems the default guest account "nobody" may not
3126 be able to print. Use another account in this case. You should test
3127 this by trying to log in as your guest user (perhaps by using the
3128 \fBsu -\fR command) and trying to print using the
3129 system print command such as \fBlpr(1)\fR or \fB lp(1)\fR.
3131 Default: \fBspecified at compile time, usually
3134 Example: \fBguest account = ftp\fR
3137 If this parameter is yes for
3138 a service, then no password is required to connect to the service.
3139 Privileges will be those of the \fI guest account\fR.
3141 See the section below on \fI security\fR for more information about this option.
3143 Default: \fBguest ok = no\fR
3145 \fBguest only (S)\fR
3146 If this parameter is yes for
3147 a service, then only guest connections to the service are permitted.
3148 This parameter will have no effect if \fIguest ok\fR is not set for the service.
3150 See the section below on \fI security\fR for more information about this option.
3152 Default: \fBguest only = no\fR
3154 \fBhide dot files (S)\fR
3155 This is a boolean parameter that controls whether
3156 files starting with a dot appear as hidden files.
3158 Default: \fBhide dot files = yes\fR
3161 This is a list of files or directories that are not
3162 visible but are accessible. The DOS 'hidden' attribute is applied
3163 to any files or directories that match.
3165 Each entry in the list must be separated by a '/',
3166 which allows spaces to be included in the entry. '*'
3167 and '?' can be used to specify multiple files or directories
3168 as in DOS wildcards.
3170 Each entry must be a Unix path, not a DOS path and must
3171 not include the Unix directory separator '/'.
3173 Note that the case sensitivity option is applicable
3176 Setting this parameter will affect the performance of Samba,
3177 as it will be forced to check all files and directories for a match
3178 as they are scanned.
3181 dot files\fR, \fI veto files\fR and \fIcase sensitive\fR.
3183 Default: \fBno file are hidden\fR
3185 Example: \fBhide files =
3186 /.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR
3188 The above example is based on files that the Macintosh
3189 SMB client (DAVE) available from
3190 Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides
3191 all files beginning with a dot.
3193 \fBhide local users(G)\fR
3194 This parameter toggles the hiding of local UNIX
3195 users (root, wheel, floppy, etc) from remote clients.
3197 Default: \fBhide local users = no\fR
3199 \fBhide unreadable (S)\fR
3200 This parameter prevents clients from seeing the
3201 existance of files that cannot be read. Defaults to off.
3203 Default: \fBhide unreadable = no\fR
3205 \fBhomedir map (G)\fR
3207 \fRis yes, and \fBsmbd(8)\fR is also acting
3208 as a Win95/98 \fIlogon server\fR then this parameter
3209 specifies the NIS (or YP) map from which the server for the user's
3210 home directory should be extracted. At present, only the Sun
3211 auto.home map format is understood. The form of the map is:
3213 \fBusername server:/some/file/system\fR
3215 and the program will extract the servername from before
3216 the first ':'. There should probably be a better parsing system
3217 that copes with different map formats and also Amd (another
3220 \fBNOTE :\fRA working NIS client is required on
3221 the system for this option to work.
3223 See also \fInis homedir\fR
3224 , \fIdomain logons\fR
3227 Default: \fBhomedir map = <empty string>\fR
3229 Example: \fBhomedir map = amd.homedir\fR
3231 \fBhost msdfs (G)\fR
3232 This boolean parameter is only available
3233 if Samba has been configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
3234 Samba will act as a Dfs server, and allow Dfs-aware clients
3235 to browse Dfs trees hosted on the server.
3237 See also the \fI msdfs root\fR share level parameter. For
3238 more information on setting up a Dfs tree on Samba,
3239 refer to msdfs_setup.html
3241 Default: \fBhost msdfs = no\fR
3243 \fBhosts allow (S)\fR
3244 A synonym for this parameter is \fIallow
3247 This parameter is a comma, space, or tab delimited
3248 set of hosts which are permitted to access a service.
3250 If specified in the [global] section then it will
3251 apply to all services, regardless of whether the individual
3252 service has a different setting.
3254 You can specify the hosts by name or IP number. For
3255 example, you could restrict access to only the hosts on a
3256 Class C subnet with something like \fBallow hosts = 150.203.5.
3257 \fR\&. The full syntax of the list is described in the man
3258 page \fIhosts_access(5)\fR. Note that this man
3259 page may not be present on your system, so a brief description will
3262 Note that the localhost address 127.0.0.1 will always
3263 be allowed access unless specifically denied by a \fIhosts deny\fR option.
3265 You can also specify hosts by network/netmask pairs and
3266 by netgroup names if your system supports netgroups. The
3267 \fBEXCEPT\fR keyword can also be used to limit a
3268 wildcard list. The following examples may provide some help:
3270 Example 1: allow all IPs in 150.203.*.*; except one
3272 \fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
3274 Example 2: allow hosts that match the given network/netmask
3276 \fBhosts allow = 150.203.15.0/255.255.255.0\fR
3278 Example 3: allow a couple of hosts
3280 \fBhosts allow = lapland, arvidsjaur\fR
3282 Example 4: allow only hosts in NIS netgroup "foonet", but
3283 deny access from one particular host
3285 \fBhosts allow = @foonet\fR
3287 \fBhosts deny = pirate\fR
3289 Note that access still requires suitable user-level passwords.
3291 See \fBtestparm(1)\fR
3292 for a way of testing your host access to see if it does
3295 Default: \fBnone (i.e., all hosts permitted access)
3297 Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au
3299 \fBhosts deny (S)\fR
3300 The opposite of \fIhosts allow\fR
3301 - hosts listed here are \fBNOT\fR permitted access to
3302 services unless the specific services have their own lists to override
3303 this one. Where the lists conflict, the \fIallow\fR
3304 list takes precedence.
3306 Default: \fBnone (i.e., no hosts specifically excluded)
3308 Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au
3310 \fBhosts equiv (G)\fR
3311 If this global parameter is a non-null string,
3312 it specifies the name of a file to read for the names of hosts
3313 and users who will be allowed access without specifying a password.
3315 This is not be confused with \fIhosts allow\fR which is about hosts
3316 access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will
3317 not supply passwords to Samba.
3319 \fBNOTE :\fR The use of \fIhosts equiv
3320 \fRcan be a major security hole. This is because you are
3321 trusting the PC to supply the correct username. It is very easy to
3322 get a PC to supply a false username. I recommend that the
3323 \fIhosts equiv\fR option be only used if you really
3324 know what you are doing, or perhaps on a home network where you trust
3325 your spouse and kids. And only if you \fBreally\fR trust
3328 Default: \fBno host equivalences\fR
3330 Example: \fBhosts equiv = /etc/hosts.equiv\fR
3333 This allows you to include one config file
3334 inside another. The file is included literally, as though typed
3337 It takes the standard substitutions, except \fI%u
3338 \fR, \fI%P\fR and \fI%S\fR.
3340 Default: \fBno file included\fR
3342 Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf
3344 \fBinherit acls (S)\fR
3345 This parameter can be used to ensure
3346 that if default acls exist on parent directories,
3347 they are always honored when creating a subdirectory.
3348 The default behavior is to use the mode specified
3349 when creating the directory. Enabling this option
3350 sets the mode to 0777, thus guaranteeing that
3351 default directory acls are propagated.
3353 Default: \fBinherit acls = no\fR
3355 \fBinherit permissions (S)\fR
3356 The permissions on new files and directories
3357 are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR
3359 directory mode\fR but the boolean inherit
3360 permissions parameter overrides this.
3362 New directories inherit the mode of the parent directory,
3363 including bits such as setgid.
3365 New files inherit their read/write bits from the parent
3366 directory. Their execute bits continue to be determined by
3369 and \fImap system\fR
3372 Note that the setuid bit is \fBnever\fR set via
3373 inheritance (the code explicitly prohibits this).
3375 This can be particularly useful on large systems with
3376 many users, perhaps several thousand, to allow a single [homes]
3377 share to be used flexibly by each user.
3379 See also \fIcreate mask
3380 \fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR
3383 Default: \fBinherit permissions = no\fR
3385 \fBinterfaces (G)\fR
3386 This option allows you to override the default
3387 network interfaces list that Samba will use for browsing, name
3388 registration and other NBT traffic. By default Samba will query
3389 the kernel for the list of all active interfaces and use any
3390 interfaces except 127.0.0.1 that are broadcast capable.
3392 The option takes a list of interface strings. Each string
3393 can be in any of the following forms:
3397 a network interface name (such as eth0).
3398 This may include shell-like wildcards so eth* will match
3399 any interface starting with the substring "eth"
3402 an IP address. In this case the netmask is
3403 determined from the list of interfaces obtained from the
3410 a broadcast/mask pair.
3413 The "mask" parameters can either be a bit length (such
3414 as 24 for a C class network) or a full netmask in dotted
3418 The "IP" parameters above can either be a full dotted
3419 decimal IP address or a hostname which will be looked up via
3420 the OS's normal hostname resolution mechanisms.
3423 For example, the following line:
3426 \fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3429 would configure three network interfaces corresponding
3430 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3431 The netmasks of the latter two interfaces would be set to 255.255.255.0.
3438 Default: \fBall active interfaces except 127.0.0.1
3439 that are broadcast capable\fR
3442 \fBinvalid users (S)\fR
3443 This is a list of users that should not be allowed
3444 to login to this service. This is really a \fBparanoid\fR
3445 check to absolutely ensure an improper setting does not breach
3448 A name starting with a '@' is interpreted as an NIS
3449 netgroup first (if your system supports NIS), and then as a UNIX
3450 group if the name was not found in the NIS netgroup database.
3452 A name starting with '+' is interpreted only
3453 by looking in the UNIX group database. A name starting with
3454 \&'&' is interpreted only by looking in the NIS netgroup database
3455 (this requires NIS to be working on your system). The characters
3456 \&'+' and '&' may be used at the start of the name in either order
3457 so the value \fI+&group\fR means check the
3458 UNIX group database, followed by the NIS netgroup database, and
3459 the value \fI&+group\fR means check the NIS
3460 netgroup database, followed by the UNIX group database (the
3461 same as the '@' prefix).
3463 The current servicename is substituted for \fI%S\fR.
3464 This is useful in the [homes] section.
3466 See also \fIvalid users
3469 Default: \fBno invalid users\fR
3471 Example: \fBinvalid users = root fred admin @wheel
3474 The value of the parameter (an integer) represents
3475 the number of seconds between \fIkeepalive\fR
3476 packets. If this parameter is zero, no keepalive packets will be
3477 sent. Keepalive packets, if sent, allow the server to tell whether
3478 a client is still present and responding.
3480 Keepalives should, in general, not be needed if the socket
3481 being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR).
3482 Basically you should only use this option if you strike difficulties.
3484 Default: \fBkeepalive = 300\fR
3486 Example: \fBkeepalive = 600\fR
3488 \fBkernel oplocks (G)\fR
3489 For UNIXes that support kernel based \fIoplocks\fR
3490 (currently only IRIX and the Linux 2.4 kernel), this parameter
3491 allows the use of them to be turned on or off.
3493 Kernel oplocks support allows Samba \fIoplocks
3494 \fRto be broken whenever a local UNIX process or NFS operation
3495 accesses a file that \fBsmbd(8)\fR
3496 has oplocked. This allows complete data consistency between
3497 SMB/CIFS, NFS and local file access (and is a \fBvery\fR
3500 This parameter defaults to on, but is translated
3501 to a no-op on systems that no not have the necessary kernel support.
3502 You should never need to touch this parameter.
3504 See also the \fIoplocks\fR
3505 and \fIlevel2 oplocks
3508 Default: \fBkernel oplocks = yes\fR
3510 \fBlanman auth (G)\fR
3511 This parameter determines whether or not smbd will
3512 attempt to authenticate users using the LANMAN password hash.
3513 If disabled, only clients which support NT password hashes (e.g. Windows
3514 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3515 network client) will be able to connect to the Samba host.
3517 Default : \fBlanman auth = yes\fR
3519 \fBlarge readwrite (G)\fR
3520 This parameter determines whether or not smbd
3521 supports the new 64k streaming read and write varient SMB requests introduced
3522 with Windows 2000. Note that due to Windows 2000 client redirector bugs
3523 this requires Samba to be running on a 64-bit capable operating system such
3524 as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
3525 Windows 2000 clients. Defaults to on. Windows NT 4.0 only supports
3526 read version of this call, and ignores the write version.
3528 Default : \fBlarge readwrite = yes\fR
3530 \fBldap admin dn (G)\fR
3531 This parameter is only available if Samba has been
3532 configure to include the \fB--with-ldapsam\fR option
3533 at compile time. This option should be considered experimental and
3534 under active development.
3536 The \fIldap admin dn\fR defines the Distinguished
3537 Name (DN) name used by Samba to contact the ldap
3538 server when retreiving user account information. The \fIldap
3539 admin dn\fR is used in conjunction with the admin dn password
3540 stored in the \fIprivate/secrets.tdb\fR file. See the
3541 \fBsmbpasswd(8)\fR man
3542 page for more information on how to accmplish this.
3544 Default : \fBnone\fR
3546 \fBldap filter (G)\fR
3547 This parameter is only available if Samba has been
3548 configure to include the \fB--with-ldapsam\fR option
3549 at compile time. This option should be considered experimental and
3550 under active development.
3552 This parameter specifies the RFC 2254 compliant LDAP search filter.
3553 The default is to match the login name with the uid
3554 attribute for all entries matching the sambaAccount
3555 objectclass. Note that this filter should only return one entry.
3557 Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR
3560 This parameter is only available if Samba has been
3561 configure to include the \fB--with-ldapsam\fR option
3562 at compile time. This option should be considered experimental and
3563 under active development.
3565 This option is used to control the tcp port number used to contact
3566 the \fIldap server\fR.
3567 The default is to use the stand LDAPS port 636.
3571 Default : \fBldap port = 636 ; if ldap ssl = on\fR
3573 Default : \fBldap port = 389 ; if ldap ssl = off\fR
3575 \fBldap server (G)\fR
3576 This parameter is only available if Samba has been
3577 configure to include the \fB--with-ldapsam\fR option
3578 at compile time. This option should be considered experimental and
3579 under active development.
3581 This parameter should contains the FQDN of the ldap directory
3582 server which should be queried to locate user account information.
3584 Default : \fBldap server = localhost\fR
3587 This parameter is only available if Samba has been
3588 configure to include the \fB--with-ldapsam\fR option
3589 at compile time. This option should be considered experimental and
3590 under active development.
3592 This option is used to define whether or not Samba should
3593 use SSL when connecting to the \fIldap
3594 server\fR. This is \fBNOT\fR related to
3595 Samba SSL support which is enabled by specifying the
3596 \fB--with-ssl\fR option to the \fIconfigure\fR
3597 script (see \fIssl\fR).
3599 The \fIldap ssl\fR can be set to one of three values:
3600 (a) on - Always use SSL when contacting the
3601 \fIldap server\fR, (b) off -
3602 Never use SSL when querying the directory, or (c) start_tls
3603 - Use the LDAPv3 StartTLS extended operation
3604 (RFC2830) for communicating with the directory server.
3606 Default : \fBldap ssl = on\fR
3608 \fBldap suffix (G)\fR
3609 This parameter is only available if Samba has been
3610 configure to include the \fB--with-ldapsam\fR option
3611 at compile time. This option should be considered experimental and
3612 under active development.
3614 Default : \fBnone\fR
3616 \fBlevel2 oplocks (S)\fR
3617 This parameter controls whether Samba supports
3618 level2 (read-only) oplocks on a share.
3620 Level2, or read-only oplocks allow Windows NT clients
3621 that have an oplock on a file to downgrade from a read-write oplock
3622 to a read-only oplock once a second client opens the file (instead
3623 of releasing all oplocks on a second open, as in traditional,
3624 exclusive oplocks). This allows all openers of the file that
3625 support level2 oplocks to cache the file for read-ahead only (ie.
3626 they may not cache writes or lock requests) and increases performance
3627 for many accesses of files that are not commonly written (such as
3628 application .EXE files).
3630 Once one of the clients which have a read-only oplock
3631 writes to the file all clients are notified (no reply is needed
3632 or waited for) and told to break their oplocks to "none" and
3633 delete any read-ahead caches.
3635 It is recommended that this parameter be turned on
3636 to speed access to shared executables.
3638 For more discussions on level2 oplocks see the CIFS spec.
3640 Currently, if \fIkernel
3641 oplocks\fR are supported then level2 oplocks are
3642 not granted (even if this parameter is set to yes).
3643 Note also, the \fIoplocks\fR
3644 parameter must be set to yes on this share in order for
3645 this parameter to have any effect.
3647 See also the \fIoplocks\fR
3648 and \fIkernel oplocks\fR
3651 Default: \fBlevel2 oplocks = yes\fR
3653 \fBlm announce (G)\fR
3654 This parameter determines if \fBnmbd(8)\fR will produce Lanman announce
3655 broadcasts that are needed by OS/2 clients in order for them to see
3656 the Samba server in their browse list. This parameter can have three
3658 auto. The default is auto.
3659 If set to no Samba will never produce these
3660 broadcasts. If set to yes Samba will produce
3661 Lanman announce broadcasts at a frequency set by the parameter
3662 \fIlm interval\fR. If set to auto
3663 Samba will not send Lanman announce broadcasts by default but will
3664 listen for them. If it hears such a broadcast on the wire it will
3665 then start sending them at a frequency set by the parameter
3668 See also \fIlm interval
3671 Default: \fBlm announce = auto\fR
3673 Example: \fBlm announce = yes\fR
3675 \fBlm interval (G)\fR
3676 If Samba is set to produce Lanman announce
3677 broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this
3678 parameter defines the frequency in seconds with which they will be
3679 made. If this is set to zero then no Lanman announcements will be
3680 made despite the setting of the \fIlm announce\fR
3686 Default: \fBlm interval = 60\fR
3688 Example: \fBlm interval = 120\fR
3690 \fBload printers (G)\fR
3691 A boolean variable that controls whether all
3692 printers in the printcap will be loaded for browsing by default.
3693 See the printers section for
3696 Default: \fBload printers = yes\fR
3698 \fBlocal master (G)\fR
3699 This option allows \fB nmbd(8)\fR to try and become a local master browser
3700 on a subnet. If set to no then \fB nmbd\fR will not attempt to become a local master browser
3701 on a subnet and will also lose in all browsing elections. By
3702 default this value is set to yes. Setting this value to yes doesn't
3703 mean that Samba will \fBbecome\fR the local master
3704 browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser.
3706 Setting this value to no will cause \fBnmbd\fR
3707 \fBnever\fR to become a local master browser.
3709 Default: \fBlocal master = yes\fR
3712 Synonym for \fI lock directory\fR.
3714 \fBlock directory (G)\fR
3715 This option specifies the directory where lock
3716 files will be placed. The lock files are used to implement the
3717 \fImax connections\fR
3720 Default: \fBlock directory = ${prefix}/var/locks\fR
3722 Example: \fBlock directory = /var/run/samba/locks\fR
3724 \fBlock spin count (G)\fR
3725 This parameter controls the number of times
3726 that smbd should attempt to gain a byte range lock on the
3727 behalf of a client request. Experiments have shown that
3728 Windows 2k servers do not reply with a failure if the lock
3729 could not be immediately granted, but try a few more times
3730 in case the lock could later be aquired. This behavior
3731 is used to support PC database formats such as MS Access
3734 Default: \fBlock spin count = 2\fR
3736 \fBlock spin time (G)\fR
3737 The time in microseconds that smbd should
3738 pause before attempting to gain a failed lock. See
3740 count\fR for more details.
3742 Default: \fBlock spin time = 10\fR
3745 This controls whether or not locking will be
3746 performed by the server in response to lock requests from the
3749 If \fBlocking = no\fR, all lock and unlock
3750 requests will appear to succeed and all lock queries will report
3751 that the file in question is available for locking.
3753 If \fBlocking = yes\fR, real locking will be performed
3756 This option \fBmay\fR be useful for read-only
3757 filesystems which \fBmay\fR not need locking (such as
3758 CDROM drives), although setting this parameter of no
3759 is not really recommended even in this case.
3761 Be careful about disabling locking either globally or in a
3762 specific service, as lack of locking may result in data corruption.
3763 You should never need to set this parameter.
3765 Default: \fBlocking = yes\fR
3768 This option allows you to override the name
3769 of the Samba log file (also known as the debug file).
3771 This option takes the standard substitutions, allowing
3772 you to have separate log files for each user or machine.
3774 Example: \fBlog file = /usr/local/samba/var/log.%m
3777 The value of the parameter (an integer) allows
3778 the debug level (logging level) to be specified in the
3779 \fIsmb.conf\fR file. This is to give greater
3780 flexibility in the configuration of the system.
3782 The default will be the log level specified on
3783 the command line or level zero if none was specified.
3785 Example: \fBlog level = 3\fR
3787 \fBlogon drive (G)\fR
3788 This parameter specifies the local path to
3789 which the home directory will be connected (see \fIlogon home\fR)
3790 and is only used by NT Workstations.
3792 Note that this option is only useful if Samba is set up as a
3795 Default: \fBlogon drive = z:\fR
3797 Example: \fBlogon drive = h:\fR
3799 \fBlogon home (G)\fR
3800 This parameter specifies the home directory
3801 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3804 C:\\> \fBNET USE H: /HOME\fR
3806 from a command prompt, for example.
3808 This option takes the standard substitutions, allowing
3809 you to have separate logon scripts for each user or machine.
3811 This parameter can be used with Win9X workstations to ensure
3812 that roaming profiles are stored in a subdirectory of the user's
3813 home directory. This is done in the following way:
3815 \fBlogon home = \\\\%N\\%U\\profile\fR
3817 This tells Samba to return the above string, with
3818 substitutions made when a client requests the info, generally
3819 in a NetUserGetInfo request. Win9X clients truncate the info to
3820 \\\\server\\share when a user does \fBnet use /home\fR
3821 but use the whole string when dealing with profiles.
3823 Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
3824 \fIlogon home\fR. This broke \fBnet use
3825 /home\fR but allowed profiles outside the home directory.
3826 The current implementation is correct, and can be used for
3827 profiles if you use the above trick.
3829 This option is only useful if Samba is set up as a logon
3832 Default: \fBlogon home = "\\\\%N\\%U"\fR
3834 Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR
3836 \fBlogon path (G)\fR
3837 This parameter specifies the home directory
3838 where roaming profiles (NTuser.dat etc files for Windows NT) are
3839 stored. Contrary to previous versions of these manual pages, it has
3840 nothing to do with Win 9X roaming profiles. To find out how to
3841 handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter.
3843 This option takes the standard substitutions, allowing you
3844 to have separate logon scripts for each user or machine. It also
3845 specifies the directory from which the "Application Data",
3846 (\fIdesktop\fR, \fIstart menu\fR,
3847 \fInetwork neighborhood\fR, \fIprograms\fR
3848 and other folders, and their contents, are loaded and displayed on
3849 your Windows NT client.
3851 The share and the path must be readable by the user for
3852 the preferences and directories to be loaded onto the Windows NT
3853 client. The share must be writeable when the user logs in for the first
3854 time, in order that the Windows NT client can create the NTuser.dat
3855 and other directories.
3857 Thereafter, the directories and any of the contents can,
3858 if required, be made read-only. It is not advisable that the
3859 NTuser.dat file be made read-only - rename it to NTuser.man to
3860 achieve the desired effect (a \fBMAN\fRdatory
3863 Windows clients can sometimes maintain a connection to
3864 the [homes] share, even though there is no user logged in.
3865 Therefore, it is vital that the logon path does not include a
3866 reference to the homes share (i.e. setting this parameter to
3867 \\%N\\%U\\profile_path will cause problems).
3869 This option takes the standard substitutions, allowing
3870 you to have separate logon scripts for each user or machine.
3872 Note that this option is only useful if Samba is set up
3875 Default: \fBlogon path = \\\\%N\\%U\\profile\fR
3877 Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR
3879 \fBlogon script (G)\fR
3880 This parameter specifies the batch file (.bat) or
3881 NT command file (.cmd) to be downloaded and run on a machine when
3882 a user successfully logs in. The file must contain the DOS
3883 style CR/LF line endings. Using a DOS-style editor to create the
3884 file is recommended.
3886 The script must be a relative path to the [netlogon]
3887 service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon
3888 \fR, and \fBlogon script = STARTUP.BAT\fR, then
3889 the file that will be downloaded is:
3891 \fI/usr/local/samba/netlogon/STARTUP.BAT\fR
3893 The contents of the batch file are entirely your choice. A
3894 suggested command would be to add \fBNET TIME \\\\SERVER /SET
3895 /YES\fR, to force every machine to synchronize clocks with
3896 the same time server. Another use would be to add \fBNET USE
3897 U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example.
3899 Note that it is particularly important not to allow write
3900 access to the [netlogon] share, or to grant users write permission
3901 on the batch files in a secure environment, as this would allow
3902 the batch files to be arbitrarily modified and security to be
3905 This option takes the standard substitutions, allowing you
3906 to have separate logon scripts for each user or machine.
3908 This option is only useful if Samba is set up as a logon
3911 Default: \fBno logon script defined\fR
3913 Example: \fBlogon script = scripts\\%U.bat\fR
3915 \fBlppause command (S)\fR
3916 This parameter specifies the command to be
3917 executed on the server host in order to stop printing or spooling
3918 a specific print job.
3920 This command should be a program or script which takes
3921 a printer name and job number to pause the print job. One way
3922 of implementing this is by using job priorities, where jobs
3923 having a too low priority won't be sent to the printer.
3925 If a \fI%p\fR is given then the printer name
3926 is put in its place. A \fI%j\fR is replaced with
3927 the job number (an integer). On HPUX (see \fIprinting=hpux
3928 \fR), if the \fI-p%p\fR option is added
3929 to the lpq command, the job will show up with the correct status, i.e.
3930 if the job priority is lower than the set fence priority it will
3931 have the PAUSED status, whereas if the priority is equal or higher it
3932 will have the SPOOLED or PRINTING status.
3934 Note that it is good practice to include the absolute path
3935 in the lppause command as the PATH may not be available to the server.
3937 See also the \fIprinting
3940 Default: Currently no default value is given to
3941 this string, unless the value of the \fIprinting\fR
3942 parameter is SYSV, in which case the default is :
3944 \fBlp -i %p-%j -H hold\fR
3946 or if the value of the \fIprinting\fR parameter
3947 is SOFTQ, then the default is:
3949 \fBqstat -s -j%j -h\fR
3951 Example for HPUX: \fBlppause command = /usr/bin/lpalt
3954 \fBlpq cache time (G)\fR
3955 This controls how long lpq info will be cached
3956 for to prevent the \fBlpq\fR command being called too
3957 often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different
3958 \fBlpq\fR commands for different users then they won't
3959 share cache information.
3961 The cache files are stored in \fI/tmp/lpq.xxxx\fR
3962 where xxxx is a hash of the \fBlpq\fR command in use.
3964 The default is 10 seconds, meaning that the cached results
3965 of a previous identical \fBlpq\fR command will be used
3966 if the cached data is less than 10 seconds old. A large value may
3967 be advisable if your \fBlpq\fR command is very slow.
3969 A value of 0 will disable caching completely.
3971 See also the \fIprinting
3974 Default: \fBlpq cache time = 10\fR
3976 Example: \fBlpq cache time = 30\fR
3978 \fBlpq command (S)\fR
3979 This parameter specifies the command to be
3980 executed on the server host in order to obtain \fBlpq
3981 \fR-style printer status information.
3983 This command should be a program or script which
3984 takes a printer name as its only parameter and outputs printer
3987 Currently nine styles of printer status information
3988 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
3989 This covers most UNIX systems. You control which type is expected
3990 using the \fIprinting =\fR option.
3992 Some clients (notably Windows for Workgroups) may not
3993 correctly send the connection number for the printer they are
3994 requesting status information about. To get around this, the
3995 server reports on the first printer service connected to by the
3996 client. This only happens if the connection number sent is invalid.
3998 If a \fI%p\fR is given then the printer name
3999 is put in its place. Otherwise it is placed at the end of the
4002 Note that it is good practice to include the absolute path
4003 in the \fIlpq command\fR as the \fB$PATH
4004 \fRmay not be available to the server. When compiled with
4005 the CUPS libraries, no \fIlpq command\fR is
4006 needed because smbd will make a library call to obtain the
4007 print queue listing.
4009 See also the \fIprinting
4012 Default: \fBdepends on the setting of \fI printing\fB\fR
4014 Example: \fBlpq command = /usr/bin/lpq -P%p\fR
4016 \fBlpresume command (S)\fR
4017 This parameter specifies the command to be
4018 executed on the server host in order to restart or continue
4019 printing or spooling a specific print job.
4021 This command should be a program or script which takes
4022 a printer name and job number to resume the print job. See
4023 also the \fIlppause command
4026 If a \fI%p\fR is given then the printer name
4027 is put in its place. A \fI%j\fR is replaced with
4028 the job number (an integer).
4030 Note that it is good practice to include the absolute path
4031 in the \fIlpresume command\fR as the PATH may not
4032 be available to the server.
4034 See also the \fIprinting
4037 Default: Currently no default value is given
4038 to this string, unless the value of the \fIprinting\fR
4039 parameter is SYSV, in which case the default is :
4041 \fBlp -i %p-%j -H resume\fR
4043 or if the value of the \fIprinting\fR parameter
4044 is SOFTQ, then the default is:
4046 \fBqstat -s -j%j -r\fR
4048 Example for HPUX: \fBlpresume command = /usr/bin/lpalt
4051 \fBlprm command (S)\fR
4052 This parameter specifies the command to be
4053 executed on the server host in order to delete a print job.
4055 This command should be a program or script which takes
4056 a printer name and job number, and deletes the print job.
4058 If a \fI%p\fR is given then the printer name
4059 is put in its place. A \fI%j\fR is replaced with
4060 the job number (an integer).
4062 Note that it is good practice to include the absolute
4063 path in the \fIlprm command\fR as the PATH may not be
4064 available to the server.
4066 See also the \fIprinting
4069 Default: \fBdepends on the setting of \fIprinting
4071 Example 1: \fBlprm command = /usr/bin/lprm -P%p %j
4073 Example 2: \fBlprm command = /usr/bin/cancel %p-%j
4075 \fBmachine password timeout (G)\fR
4076 If a Samba server is a member of a Windows
4077 NT Domain (see the security = domain)
4078 parameter) then periodically a running smbd(8) process will try and change the MACHINE ACCOUNT
4079 PASSWORD stored in the TDB called \fIprivate/secrets.tdb
4080 \fR\&. This parameter specifies how often this password
4081 will be changed, in seconds. The default is one week (expressed in
4082 seconds), the same as a Windows NT Domain member server.
4084 See also \fBsmbpasswd(8)
4085 \fR and the security = domain) parameter.
4087 Default: \fBmachine password timeout = 604800\fR
4089 \fBmagic output (S)\fR
4090 This parameter specifies the name of a file
4091 which will contain output created by a magic script (see the
4095 Warning: If two clients use the same \fImagic script
4096 \fRin the same directory the output file content
4099 Default: \fBmagic output = <magic script name>.out
4101 Example: \fBmagic output = myfile.txt\fR
4103 \fBmagic script (S)\fR
4104 This parameter specifies the name of a file which,
4105 if opened, will be executed by the server when the file is closed.
4106 This allows a UNIX script to be sent to the Samba host and
4107 executed on behalf of the connected user.
4109 Scripts executed in this way will be deleted upon
4110 completion assuming that the user has the appropriate level
4111 of privilege and the file permissions allow the deletion.
4113 If the script generates output, output will be sent to
4114 the file specified by the \fI magic output\fR parameter (see above).
4116 Note that some shells are unable to interpret scripts
4117 containing CR/LF instead of CR as
4118 the end-of-line marker. Magic scripts must be executable
4119 \fBas is\fR on the host, which for some hosts and
4120 some shells will require filtering at the DOS end.
4122 Magic scripts are \fBEXPERIMENTAL\fR and
4123 should \fBNOT\fR be relied upon.
4125 Default: \fBNone. Magic scripts disabled.\fR
4127 Example: \fBmagic script = user.csh\fR
4129 \fBmangle case (S)\fR
4130 See the section on NAME MANGLING
4132 Default: \fBmangle case = no\fR
4134 \fBmangled map (S)\fR
4135 This is for those who want to directly map UNIX
4136 file names which cannot be represented on Windows/DOS. The mangling
4137 of names is not always what is needed. In particular you may have
4138 documents with file extensions that differ between DOS and UNIX.
4139 For example, under UNIX it is common to use \fI.html\fR
4140 for HTML files, whereas under Windows/DOS \fI.htm\fR
4141 is more commonly used.
4143 So to map \fIhtml\fR to \fIhtm\fR
4146 \fBmangled map = (*.html *.htm)\fR
4148 One very useful case is to remove the annoying \fI;1
4149 \fRoff the ends of filenames on some CDROMs (only visible
4150 under some UNIXes). To do this use a map of (*;1 *;).
4152 Default: \fBno mangled map\fR
4154 Example: \fBmangled map = (*;1 *;)\fR
4156 \fBmangled names (S)\fR
4157 This controls whether non-DOS names under UNIX
4158 should be mapped to DOS-compatible names ("mangled") and made visible,
4159 or whether non-DOS names should simply be ignored.
4161 See the section on NAME MANGLING for details on how to control the mangling process.
4163 If mangling algorithm "hash" is used then the mangling algorithm is as follows:
4167 The first (up to) five alphanumeric characters
4168 before the rightmost dot of the filename are preserved, forced
4169 to upper case, and appear as the first (up to) five characters
4170 of the mangled name.
4173 A tilde "~" is appended to the first part of the mangled
4174 name, followed by a two-character unique sequence, based on the
4175 original root name (i.e., the original filename minus its final
4176 extension). The final extension is included in the hash calculation
4177 only if it contains any upper case characters or is longer than three
4180 Note that the character to use may be specified using
4181 the \fImangling char\fR
4182 option, if you don't like '~'.
4185 The first three alphanumeric characters of the final
4186 extension are preserved, forced to upper case and appear as the
4187 extension of the mangled name. The final extension is defined as that
4188 part of the original filename after the rightmost dot. If there are no
4189 dots in the filename, the mangled name will have no extension (except
4190 in the case of "hidden files" - see below).
4193 Files whose UNIX name begins with a dot will be
4194 presented as DOS hidden files. The mangled name will be created as
4195 for other filenames, but with the leading dot removed and "___" as
4196 its extension regardless of actual original extension (that's three
4200 The two-digit hash value consists of upper case
4201 alphanumeric characters.
4204 This algorithm can cause name collisions only if files
4205 in a directory share the same first five alphanumeric characters.
4206 The probability of such a clash is 1/1300.
4209 If mangling algorithm "hash2" is used then the mangling algorithm is as follows:
4214 The first alphanumeric character
4215 before the rightmost dot of the filename is preserved, forced
4216 to upper case, and appears as the first character of the mangled name.
4219 A base63 hash of 5 characters is generated and the
4220 first 4 characters of that hash are appended to the first character.
4223 A tilde "~" is appended to the first part of the mangled
4224 name, followed by the final character of the base36 hash of the name.
4226 Note that the character to use may be specified using
4227 the \fImangling char\fR
4228 option, if you don't like '~'.
4231 The first three alphanumeric characters of the final
4232 extension are preserved, forced to upper case and appear as the
4233 extension of the mangled name. The final extension is defined as that
4234 part of the original filename after the rightmost dot. If there are no
4235 dots in the filename, the mangled name will have no extension (except
4236 in the case of "hidden files" - see below).
4239 Files whose UNIX name begins with a dot will be
4240 presented as DOS hidden files. The mangled name will be created as
4241 for other filenames, but with the leading dot removed and "___" as
4242 its extension regardless of actual original extension (that's three
4246 The name mangling (if enabled) allows a file to be
4247 copied between UNIX directories from Windows/DOS while retaining
4248 the long UNIX filename. UNIX files can be renamed to a new extension
4249 from Windows/DOS and will retain the same basename. Mangled names
4250 do not change between sessions.
4253 Default: \fBmangled names = yes\fR
4256 \fBmangled stack (G)\fR
4257 This parameter controls the number of mangled names
4258 that should be cached in the Samba server smbd(8)
4260 This stack is a list of recently mangled base names
4261 (extensions are only maintained if they are longer than 3 characters
4262 or contains upper case characters).
4264 The larger this value, the more likely it is that mangled
4265 names can be successfully converted to correct long UNIX names.
4266 However, large stack sizes will slow most directory accesses. Smaller
4267 stacks save memory in the server (each stack element costs 256 bytes).
4269 It is not possible to absolutely guarantee correct long
4270 filenames, so be prepared for some surprises!
4272 Default: \fBmangled stack = 50\fR
4274 Example: \fBmangled stack = 100\fR
4276 \fBmangling char (S)\fR
4277 This controls what character is used as
4278 the \fBmagic\fR character in name mangling. The default is a '~'
4279 but this may interfere with some software. Use this option to set
4280 it to whatever you prefer.
4282 Default: \fBmangling char = ~\fR
4284 Example: \fBmangling char = ^\fR
4286 \fBmangling mathod(G)\fR
4287 controls the algorithm used for the generating
4288 the mangled names. Can take two different values, "hash" and
4289 "hash2". "hash" is the default and is the algorithm that has been
4290 used in Samba for many years. "hash2" is a newer and considered
4291 a better algorithm (generates less collisions) in the names.
4292 However, many Win32 applications store the mangled names and so
4293 changing to the new algorithm must not be done
4294 lightly as these applications may break unless reinstalled.
4295 New installations of Samba may set the default to hash2.
4297 Default: \fBmangling method = hash\fR
4299 Example: \fBmangling method = hash2\fR
4301 \fBmap archive (S)\fR
4302 This controls whether the DOS archive attribute
4303 should be mapped to the UNIX owner execute bit. The DOS archive bit
4304 is set when a file has been modified since its last backup. One
4305 motivation for this option it to keep Samba/your PC from making
4306 any file it touches from becoming executable under UNIX. This can
4307 be quite annoying for shared source code, documents, etc...
4309 Note that this requires the \fIcreate mask\fR
4310 parameter to be set such that owner execute bit is not masked out
4311 (i.e. it must include 100). See the parameter \fIcreate mask\fR for details.
4313 Default: \fBmap archive = yes\fR
4315 \fBmap hidden (S)\fR
4316 This controls whether DOS style hidden files
4317 should be mapped to the UNIX world execute bit.
4319 Note that this requires the \fIcreate mask\fR
4320 to be set such that the world execute bit is not masked out (i.e.
4321 it must include 001). See the parameter \fIcreate mask\fR for details.
4323 Default: \fBmap hidden = no\fR
4325 \fBmap system (S)\fR
4326 This controls whether DOS style system files
4327 should be mapped to the UNIX group execute bit.
4329 Note that this requires the \fIcreate mask\fR
4330 to be set such that the group execute bit is not masked out (i.e.
4331 it must include 010). See the parameter \fIcreate mask\fR for details.
4333 Default: \fBmap system = no\fR
4335 \fBmap to guest (G)\fR
4336 This parameter is only useful in security modes other than \fIsecurity = share\fR
4337 - i.e. user, server,
4340 This parameter can take three different values, which tell
4341 smbd(8) what to do with user
4342 login requests that don't match a valid UNIX user in some way.
4344 The three settings are :
4348 Never - Means user login
4349 requests with an invalid password are rejected. This is the
4353 Bad User - Means user
4354 logins with an invalid password are rejected, unless the username
4355 does not exist, in which case it is treated as a guest login and
4356 mapped into the \fI guest account\fR.
4359 Bad Password - Means user logins
4360 with an invalid password are treated as a guest login and mapped
4361 into the guest account. Note that
4362 this can cause problems as it means that any user incorrectly typing
4363 their password will be silently logged on as "guest" - and
4364 will not know the reason they cannot access files they think
4365 they should - there will have been no message given to them
4366 that they got their password wrong. Helpdesk services will
4367 \fBhate\fR you if you set the \fImap to
4368 guest\fR parameter this way :-).
4371 Note that this parameter is needed to set up "Guest"
4372 share services when using \fIsecurity\fR modes other than
4373 share. This is because in these modes the name of the resource being
4374 requested is \fBnot\fR sent to the server until after
4375 the server has successfully authenticated the client so the server
4376 cannot make authentication decisions at the correct time (connection
4377 to the share) for "Guest" shares.
4380 For people familiar with the older Samba releases, this
4381 parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.
4384 Default: \fBmap to guest = Never\fR
4387 Example: \fBmap to guest = Bad User\fR
4390 \fBmax connections (S)\fR
4391 This option allows the number of simultaneous
4392 connections to a service to be limited. If \fImax connections
4393 \fRis greater than 0 then connections will be refused if
4394 this number of connections to the service are already open. A value
4395 of zero mean an unlimited number of connections may be made.
4397 Record lock files are used to implement this feature. The
4398 lock files will be stored in the directory specified by the \fIlock directory\fR
4401 Default: \fBmax connections = 0\fR
4403 Example: \fBmax connections = 10\fR
4405 \fBmax disk size (G)\fR
4406 This option allows you to put an upper limit
4407 on the apparent size of disks. If you set this option to 100
4408 then all shares will appear to be not larger than 100 MB in
4411 Note that this option does not limit the amount of
4412 data you can put on the disk. In the above case you could still
4413 store much more than 100 MB on the disk, but if a client ever asks
4414 for the amount of free disk space or the total disk size then the
4415 result will be bounded by the amount specified in \fImax
4418 This option is primarily useful to work around bugs
4419 in some pieces of software that can't handle very large disks,
4420 particularly disks over 1GB in size.
4422 A \fImax disk size\fR of 0 means no limit.
4424 Default: \fBmax disk size = 0\fR
4426 Example: \fBmax disk size = 1000\fR
4428 \fBmax log size (G)\fR
4429 This option (an integer in kilobytes) specifies
4430 the max size the log file should grow to. Samba periodically checks
4431 the size and if it is exceeded it will rename the file, adding
4432 a \fI.old\fR extension.
4434 A size of 0 means no limit.
4436 Default: \fBmax log size = 5000\fR
4438 Example: \fBmax log size = 1000\fR
4441 This option controls the maximum number of
4442 outstanding simultaneous SMB operations that Samba tells the client
4443 it will allow. You should never need to set this parameter.
4445 Default: \fBmax mux = 50\fR
4447 \fBmax open files (G)\fR
4448 This parameter limits the maximum number of
4449 open files that one smbd(8) file
4450 serving process may have open for a client at any one time. The
4451 default for this parameter is set very high (10,000) as Samba uses
4452 only one bit per unopened file.
4454 The limit of the number of open files is usually set
4455 by the UNIX per-process file descriptor limit rather than
4456 this parameter so you should never need to touch this parameter.
4458 Default: \fBmax open files = 10000\fR
4460 \fBmax print jobs (S)\fR
4461 This parameter limits the maximum number of
4462 jobs allowable in a Samba printer queue at any given moment.
4463 If this number is exceeded, \fB smbd(8)\fR will remote "Out of Space" to the client.
4467 Default: \fBmax print jobs = 1000\fR
4469 Example: \fBmax print jobs = 5000\fR
4471 \fBmax protocol (G)\fR
4472 The value of the parameter (a string) is the highest
4473 protocol level that will be supported by the server.
4475 Possible values are :
4479 CORE: Earliest version. No
4480 concept of user names.
4483 COREPLUS: Slight improvements on
4484 CORE for efficiency.
4487 LANMAN1: First \fB modern\fR version of the protocol. Long filename
4491 LANMAN2: Updates to Lanman1 protocol.
4494 NT1: Current up to date version of
4495 the protocol. Used by Windows NT. Known as CIFS.
4498 Normally this option should not be set as the automatic
4499 negotiation phase in the SMB protocol takes care of choosing
4500 the appropriate protocol.
4507 Default: \fBmax protocol = NT1\fR
4510 Example: \fBmax protocol = LANMAN1\fR
4513 \fBmax smbd processes (G)\fR
4514 This parameter limits the maximum number of
4516 processes concurrently running on a system and is intended
4517 as a stopgap to prevent degrading service to clients in the event
4518 that the server has insufficient resources to handle more than this
4519 number of connections. Remember that under normal operating
4520 conditions, each user will have an smbd associated with him or her
4521 to handle connections to all shares from a given host.
4523 Default: \fBmax smbd processes = 0\fR ## no limit
4525 Example: \fBmax smbd processes = 1000\fR
4528 This option tells nmbd(8)
4529 what the default 'time to live' of NetBIOS names should be (in seconds)
4530 when \fBnmbd\fR is requesting a name using either a
4531 broadcast packet or from a WINS server. You should never need to
4532 change this parameter. The default is 3 days.
4534 Default: \fBmax ttl = 259200\fR
4536 \fBmax wins ttl (G)\fR
4537 This option tells nmbd(8)
4538 when acting as a WINS server ( \fIwins support = yes\fR) what the maximum
4539 \&'time to live' of NetBIOS names that \fBnmbd\fR
4540 will grant will be (in seconds). You should never need to change this
4541 parameter. The default is 6 days (518400 seconds).
4544 wins ttl\fR parameter.
4546 Default: \fBmax wins ttl = 518400\fR
4549 This option controls the maximum packet size
4550 that will be negotiated by Samba. The default in Samba 2.2.6 is
4551 now 16644 (changed from 65535 in earlier releases) which matches
4552 Windows 2000. This allows better performance with Windows NT clients.
4553 The maximum is 65535. In some cases you may find you get better performance
4554 with a smaller value. A value below 2048 is likely to cause problems.
4556 Default: \fBmax xmit = 16644\fR
4558 Example: \fBmax xmit = 8192\fR
4560 \fBmessage command (G)\fR
4561 This specifies what command to run when the
4562 server receives a WinPopup style message.
4564 This would normally be a command that would
4565 deliver the message somehow. How this is to be done is
4566 up to your imagination.
4570 \fBmessage command = csh -c 'xedit %s;rm %s' &\fR
4572 This delivers the message using \fBxedit\fR, then
4573 removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT
4574 THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I
4575 have the '&' on the end. If it doesn't return immediately then
4576 your PCs may freeze when sending messages (they should recover
4577 after 30 seconds, hopefully).
4579 All messages are delivered as the global guest user.
4580 The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better
4583 Apart from the standard substitutions, some additional
4584 ones apply. In particular:
4588 \fI%s\fR = the filename containing
4592 \fI%t\fR = the destination that
4593 the message was sent to (probably the server name).
4596 \fI%f\fR = who the message
4600 You could make this command send mail, or whatever else
4601 takes your fancy. Please let us know of any really interesting
4605 Here's a way of sending the messages as mail to root:
4608 \fBmessage command = /bin/mail -s 'message from %f on
4609 %m' root < %s; rm %s\fR
4612 If you don't have a message command then the message
4613 won't be delivered and Samba will tell the sender there was
4614 an error. Unfortunately WfWg totally ignores the error code
4615 and carries on regardless, saying that the message was delivered.
4618 If you want to silently delete it then try:
4621 \fBmessage command = rm %s\fR
4624 Default: \fBno message command\fR
4627 Example: \fBmessage command = csh -c 'xedit %s;
4631 \fBmin passwd length (G)\fR
4632 Synonym for \fImin password length\fR.
4634 \fBmin password length (G)\fR
4635 This option sets the minimum length in characters
4636 of a plaintext password that \fBsmbd\fR will accept when performing
4637 UNIX password changing.
4640 password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR
4643 Default: \fBmin password length = 5\fR
4645 \fBmin print space (S)\fR
4646 This sets the minimum amount of free disk
4647 space that must be available before a user will be able to spool
4648 a print job. It is specified in kilobytes. The default is 0, which
4649 means a user can always spool a print job.
4651 See also the \fIprinting
4654 Default: \fBmin print space = 0\fR
4656 Example: \fBmin print space = 2000\fR
4658 \fBmin protocol (G)\fR
4659 The value of the parameter (a string) is the
4660 lowest SMB protocol dialect than Samba will support. Please refer
4661 to the \fImax protocol\fR
4662 parameter for a list of valid protocol names and a brief description
4663 of each. You may also wish to refer to the C source code in
4664 \fIsource/smbd/negprot.c\fR for a listing of known protocol
4665 dialects supported by clients.
4667 If you are viewing this parameter as a security measure, you should
4668 also refer to the \fIlanman
4669 auth\fR parameter. Otherwise, you should never need
4670 to change this parameter.
4672 Default : \fBmin protocol = CORE\fR
4674 Example : \fBmin protocol = NT1\fR # disable DOS
4677 \fBmin wins ttl (G)\fR
4678 This option tells nmbd(8)
4679 when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live'
4680 of NetBIOS names that \fBnmbd\fR will grant will be (in
4681 seconds). You should never need to change this parameter. The default
4682 is 6 hours (21600 seconds).
4684 Default: \fBmin wins ttl = 21600\fR
4686 \fBmsdfs root (S)\fR
4687 This boolean parameter is only available if
4688 Samba is configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
4689 Samba treats the share as a Dfs root and allows clients to browse
4690 the distributed file system tree rooted at the share directory.
4691 Dfs links are specified in the share directory by symbolic
4692 links of the form \fImsdfs:serverA\\shareA,serverB\\shareB
4693 \fRand so on. For more information on setting up a Dfs tree
4694 on Samba, refer to msdfs_setup.html
4697 See also \fIhost msdfs
4699 Default: \fBmsdfs root = no\fR
4701 \fBname resolve order (G)\fR
4702 This option is used by the programs in the Samba
4703 suite to determine what naming services to use and in what order
4704 to resolve host names to IP addresses. The option takes a space
4705 separated string of name resolution options.
4707 The options are :"lmhosts", "host", "wins" and "bcast". They
4708 cause names to be resolved as follows :
4712 lmhosts : Lookup an IP
4713 address in the Samba lmhosts file. If the line in lmhosts has
4714 no name type attached to the NetBIOS name (see the lmhosts(5) for details) then
4715 any name type matches for lookup.
4718 host : Do a standard host
4719 name to IP address resolution, using the system \fI/etc/hosts
4720 \fR, NIS, or DNS lookups. This method of name resolution
4721 is operating system depended for instance on IRIX or Solaris this
4722 may be controlled by the \fI/etc/nsswitch.conf\fR
4723 file. Note that this method is only used if the NetBIOS name
4724 type being queried is the 0x20 (server) name type, otherwise
4728 wins : Query a name with
4729 the IP address listed in the \fI wins server\fR parameter. If no WINS server has
4730 been specified this method will be ignored.
4733 bcast : Do a broadcast on
4734 each of the known local interfaces listed in the \fIinterfaces\fR
4735 parameter. This is the least reliable of the name resolution
4736 methods as it depends on the target host being on a locally
4740 Default: \fBname resolve order = lmhosts host wins bcast
4743 Example: \fBname resolve order = lmhosts bcast host
4746 This will cause the local lmhosts file to be examined
4747 first, followed by a broadcast attempt, followed by a normal
4748 system hostname lookup.
4751 \fBnetbios aliases (G)\fR
4752 This is a list of NetBIOS names that nmbd(8) will advertise as additional
4753 names by which the Samba server is known. This allows one machine
4754 to appear in browse lists under multiple names. If a machine is
4755 acting as a browse server or logon server none
4756 of these names will be advertised as either browse server or logon
4757 servers, only the primary name of the machine will be advertised
4758 with these capabilities.
4763 Default: \fBempty string (no additional names)\fR
4765 Example: \fBnetbios aliases = TEST TEST1 TEST2\fR
4767 \fBnetbios name (G)\fR
4768 This sets the NetBIOS name by which a Samba
4769 server is known. By default it is the same as the first component
4770 of the host's DNS name. If a machine is a browse server or
4771 logon server this name (or the first component
4772 of the hosts DNS name) will be the name that these services are
4778 Default: \fBmachine DNS name\fR
4780 Example: \fBnetbios name = MYNAME\fR
4782 \fBnetbios scope (G)\fR
4783 This sets the NetBIOS scope that Samba will
4784 operate under. This should not be set unless every machine
4785 on your LAN also sets this value.
4787 \fBnis homedir (G)\fR
4788 Get the home share server from a NIS map. For
4789 UNIX systems that use an automounter, the user's home directory
4790 will often be mounted on a workstation on demand from a remote
4793 When the Samba logon server is not the actual home directory
4794 server, but is mounting the home directories via NFS then two
4795 network hops would be required to access the users home directory
4796 if the logon server told the client to use itself as the SMB server
4797 for home directories (one over SMB and one over NFS). This can
4800 This option allows Samba to return the home share as
4801 being on a different server to the logon server and as
4802 long as a Samba daemon is running on the home directory server,
4803 it will be mounted on the Samba client directly from the directory
4804 server. When Samba is returning the home share to the client, it
4805 will consult the NIS map specified in \fIhomedir map\fR and return the server
4808 Note that for this option to work there must be a working
4809 NIS system and the Samba server with this option must also
4812 Default: \fBnis homedir = no\fR
4814 \fBnt acl support (S)\fR
4815 This boolean parameter controls whether
4816 smbd(8) will attempt to map
4817 UNIX permissions into Windows NT access control lists.
4818 This parameter was formally a global parameter in releases
4821 Default: \fBnt acl support = yes\fR
4823 \fBnt pipe support (G)\fR
4824 This boolean parameter controls whether
4825 smbd(8) will allow Windows NT
4826 clients to connect to the NT SMB specific IPC$
4827 pipes. This is a developer debugging option and can be left
4830 Default: \fBnt pipe support = yes\fR
4832 \fBnt smb support (G)\fR
4833 This boolean parameter controls whether smbd(8) will negotiate NT specific SMB
4834 support with Windows NT/2k/XP clients. Although this is a developer
4835 debugging option and should be left alone, benchmarking has discovered
4836 that Windows NT clients give faster performance with this option
4837 set to no. This is still being investigated.
4838 If this option is set to no then Samba offers
4839 exactly the same SMB calls that versions prior to Samba 2.0 offered.
4840 This information may be of use if any users are having problems
4841 with NT SMB support.
4843 You should not need to ever disable this parameter.
4845 Default: \fBnt smb support = yes\fR
4847 \fBnt status support (G)\fR
4848 This boolean parameter controls whether smbd(8) will negotiate NT specific status
4849 support with Windows NT/2k/XP clients. This is a developer
4850 debugging option and should be left alone.
4851 If this option is set to no then Samba offers
4852 exactly the same DOS error codes that versions prior to Samba 2.2.3
4855 You should not need to ever disable this parameter.
4857 Default: \fBnt status support = yes\fR
4859 \fBnull passwords (G)\fR
4860 Allow or disallow client access to accounts
4861 that have null passwords.
4863 See also smbpasswd (5)
4865 Default: \fBnull passwords = no\fR
4867 \fBobey pam restrictions (G)\fR
4868 When Samba 2.2 is configured to enable PAM support
4869 (i.e. --with-pam), this parameter will control whether or not Samba
4870 should obey PAM's account and session management directives. The
4871 default behavior is to use PAM for clear text authentication only
4872 and to ignore any account or session management. Note that Samba
4873 always ignores PAM for authentication in the case of \fIencrypt passwords = yes\fR
4874 \&. The reason is that PAM modules cannot support the challenge/response
4875 authentication mechanism needed in the presence of SMB password encryption.
4877 Default: \fBobey pam restrictions = no\fR
4880 This is a boolean option that controls whether
4881 connections with usernames not in the \fIuser\fR
4882 list will be allowed. By default this option is disabled so that a
4883 client can supply a username to be used by the server. Enabling
4884 this parameter will force the server to only use the login
4885 names from the \fIuser\fR list and is only really
4886 useful in share level
4889 Note that this also means Samba won't try to deduce
4890 usernames from the service name. This can be annoying for
4891 the [homes] section. To get around this you could use \fBuser =
4892 %S\fR which means your \fIuser\fR list
4893 will be just the service name, which for home directories is the
4896 See also the \fIuser\fR
4899 Default: \fBonly user = no\fR
4901 \fBonly guest (S)\fR
4902 A synonym for \fI guest only\fR.
4904 \fBoplock break wait time (G)\fR
4905 This is a tuning parameter added due to bugs in
4906 both Windows 9x and WinNT. If Samba responds to a client too
4907 quickly when that client issues an SMB that can cause an oplock
4908 break request, then the network client can fail and not respond
4909 to the break request. This tuning parameter (which is set in milliseconds)
4910 is the amount of time Samba will wait before sending an oplock break
4911 request to such (broken) clients.
4913 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4914 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4916 Default: \fBoplock break wait time = 0\fR
4918 \fBoplock contention limit (S)\fR
4919 This is a \fBvery\fR advanced
4920 smbd(8) tuning option to
4921 improve the efficiency of the granting of oplocks under multiple
4922 client contention for the same file.
4924 In brief it specifies a number, which causes smbd not to
4925 grant an oplock even when requested if the approximate number of
4926 clients contending for an oplock on the same file goes over this
4927 limit. This causes \fBsmbd\fR to behave in a similar
4930 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4931 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4933 Default: \fBoplock contention limit = 2\fR
4936 This boolean option tells \fBsmbd\fR whether to
4937 issue oplocks (opportunistic locks) to file open requests on this
4938 share. The oplock code can dramatically (approx. 30% or more) improve
4939 the speed of access to files on Samba servers. It allows the clients
4940 to aggressively cache files locally and you may want to disable this
4941 option for unreliable network environments (it is turned on by
4942 default in Windows NT Servers). For more information see the file
4943 \fISpeed.txt\fR in the Samba \fIdocs/\fR
4946 Oplocks may be selectively turned off on certain files with a
4947 share. See the \fI veto oplock files\fR parameter. On some systems
4948 oplocks are recognized by the underlying operating system. This
4949 allows data synchronization between all access to oplocked files,
4950 whether it be via Samba or NFS or a local UNIX process. See the
4951 \fIkernel oplocks\fR parameter for details.
4953 See also the \fIkernel
4954 oplocks\fR and \fI level2 oplocks\fR parameters.
4956 Default: \fBoplocks = yes\fR
4959 This integer value controls what level Samba
4960 advertises itself as for browse elections. The value of this
4961 parameter determines whether nmbd(8)
4962 has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area.
4964 \fBNote :\fRBy default, Samba will win
4965 a local master browsing election over all Microsoft operating
4966 systems except a Windows NT 4.0/2000 Domain Controller. This
4967 means that a misconfigured Samba host can effectively isolate
4968 a subnet for browsing purposes. See \fIBROWSING.txt
4969 \fRin the Samba \fIdocs/\fR directory
4972 Default: \fBos level = 20\fR
4974 Example: \fBos level = 65 \fR
4976 \fBos2 driver map (G)\fR
4977 The parameter is used to define the absolute
4978 path to a file containing a mapping of Windows NT printer driver
4979 names to OS/2 printer driver names. The format is:
4981 <nt driver name> = <os2 driver
4984 For example, a valid entry using the HP LaserJet 5
4985 printer driver would appear as \fBHP LaserJet 5L = LASERJET.HP
4988 The need for the file is due to the printer driver namespace
4989 problem described in the Samba
4990 Printing HOWTO For more details on OS/2 clients, please
4991 refer to the OS2-Client-HOWTO
4992 containing in the Samba documentation.
4994 Default: \fBos2 driver map = <empty string>
4996 \fBpam password change (G)\fR
4997 With the addition of better PAM support in Samba 2.2,
4998 this parameter, it is possible to use PAM's password change control
4999 flag for Samba. If enabled, then PAM will be used for password
5000 changes when requested by an SMB client instead of the program listed in
5001 \fIpasswd program\fR.
5002 It should be possible to enable this without changing your
5004 parameter for most setups.
5006 Default: \fBpam password change = no\fR
5008 \fBpanic action (G)\fR
5009 This is a Samba developer option that allows a
5010 system command to be called when either smbd(8)
5011 crashes. This is usually used to draw attention to the fact that
5014 Default: \fBpanic action = <empty string>\fR
5016 Example: \fBpanic action = "/bin/sleep 90000"\fR
5018 \fBpasswd chat (G)\fR
5019 This string controls the \fB"chat"\fR
5020 conversation that takes places between smbd and the local password changing
5021 program to change the user's password. The string describes a
5022 sequence of response-receive pairs that smbd(8) uses to determine what to send to the
5023 \fIpasswd program\fR
5024 and what to expect back. If the expected output is not
5025 received then the password is not changed.
5027 This chat sequence is often quite site specific, depending
5028 on what local methods are used for password control (such as NIS
5031 Note that this parameter only is only used if the \fIunix
5032 password sync\fR parameter is set to yes. This
5033 sequence is then called \fBAS ROOT\fR when the SMB password
5034 in the smbpasswd file is being changed, without access to the old
5035 password cleartext. This means that root must be able to reset the user's password
5036 without knowing the text of the previous password. In the presence of NIS/YP,
5037 this means that the passwd program must be
5038 executed on the NIS master.
5040 The string can contain the macro \fI%n\fR which is substituted
5041 for the new password. The chat sequence can also contain the standard
5042 macros \\n, \\r, \\t and \\s to give line-feed,
5043 carriage-return, tab and space. The chat sequence string can also contain
5044 a '*' which matches any sequence of characters.
5045 Double quotes can be used to collect strings with spaces
5046 in them into a single string.
5048 If the send string in any part of the chat sequence
5049 is a full stop ".", then no string is sent. Similarly,
5050 if the expect string is a full stop then no string is expected.
5053 password change\fR parameter is set to yes, the chat pairs
5054 may be matched in any order, and success is determined by the PAM result,
5055 not any particular output. The \\n macro is ignored for PAM conversions.
5057 See also \fIunix password
5058 sync\fR, \fI passwd program\fR , \fIpasswd chat debug\fR and \fIpam password change\fR.
5060 Default: \fBpasswd chat = *new*password* %n\\n
5061 *new*password* %n\\n *changed*\fR
5063 Example: \fBpasswd chat = "*Enter OLD password*" %o\\n
5064 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
5067 \fBpasswd chat debug (G)\fR
5068 This boolean specifies if the passwd chat script
5069 parameter is run in \fBdebug\fR mode. In this mode the
5070 strings passed to and received from the passwd chat are printed
5071 in the smbd(8) log with a
5073 of 100. This is a dangerous option as it will allow plaintext passwords
5074 to be seen in the \fBsmbd\fR log. It is available to help
5075 Samba admins debug their \fIpasswd chat\fR scripts
5076 when calling the \fIpasswd program\fR and should
5077 be turned off after this has been done. This option has no effect if the
5078 \fIpam password change\fR
5079 paramter is set. This parameter is off by default.
5081 See also \fIpasswd chat\fR
5082 , \fIpam password change\fR
5083 , \fIpasswd program\fR
5086 Default: \fBpasswd chat debug = no\fR
5088 \fBpasswd program (G)\fR
5089 The name of a program that can be used to set
5090 UNIX user passwords. Any occurrences of \fI%u\fR
5091 will be replaced with the user name. The user name is checked for
5092 existence before calling the password changing program.
5094 Also note that many passwd programs insist in \fBreasonable
5095 \fRpasswords, such as a minimum length, or the inclusion
5096 of mixed case chars and digits. This can pose a problem as some clients
5097 (such as Windows for Workgroups) uppercase the password before sending
5100 \fBNote\fR that if the \fIunix
5101 password sync\fR parameter is set to yes
5102 then this program is called \fBAS ROOT\fR
5103 before the SMB password in the smbpasswd(5)
5104 file is changed. If this UNIX password change fails, then
5105 \fBsmbd\fR will fail to change the SMB password also
5106 (this is by design).
5108 If the \fIunix password sync\fR parameter
5109 is set this parameter \fBMUST USE ABSOLUTE PATHS\fR
5110 for \fBALL\fR programs called, and must be examined
5111 for security implications. Note that by default \fIunix
5112 password sync\fR is set to no.
5117 Default: \fBpasswd program = /bin/passwd\fR
5119 Example: \fBpasswd program = /sbin/npasswd %u\fR
5121 \fBpassword level (G)\fR
5122 Some client/server combinations have difficulty
5123 with mixed-case passwords. One offending client is Windows for
5124 Workgroups, which for some reason forces passwords to upper
5125 case when using the LANMAN1 protocol, but leaves them alone when
5126 using COREPLUS! Another problem child is the Windows 95/98
5127 family of operating systems. These clients upper case clear
5128 text passwords even when NT LM 0.12 selected by the protocol
5129 negotiation request/response.
5131 This parameter defines the maximum number of characters
5132 that may be upper case in passwords.
5134 For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations
5135 would be tried if "FRED" failed:
5137 "Fred", "fred", "fRed", "frEd","freD"
5139 If \fIpassword level\fR was set to 2,
5140 the following combinations would also be tried:
5142 "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
5146 The higher value this parameter is set to the more likely
5147 it is that a mixed case password will be matched against a single
5148 case password. However, you should be aware that use of this
5149 parameter reduces security and increases the time taken to
5150 process a new connection.
5152 A value of zero will cause only two attempts to be
5153 made - the password as is and the password in all-lower case.
5155 Default: \fBpassword level = 0\fR
5157 Example: \fBpassword level = 4\fR
5159 \fBpassword server (G)\fR
5160 By specifying the name of another SMB server (such
5161 as a WinNT box) with this option, and using \fBsecurity = domain
5162 \fRor \fBsecurity = server\fR you can get Samba
5163 to do all its username/password validation via a remote server.
5165 This option sets the name of the password server to use.
5166 It must be a NetBIOS name, so if the machine's NetBIOS name is
5167 different from its Internet name then you may have to add its NetBIOS
5168 name to the lmhosts file which is stored in the same directory
5169 as the \fIsmb.conf\fR file.
5171 The name of the password server is looked up using the
5173 resolve order\fR and so may resolved
5174 by any method and order described in that parameter.
5176 The password server much be a machine capable of using
5177 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
5178 user level security mode.
5180 \fBNOTE:\fR Using a password server
5181 means your UNIX box (running Samba) is only as secure as your
5182 password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT
5183 YOU DON'T COMPLETELY TRUST\fR.
5185 Never point a Samba server at itself for password
5186 serving. This will cause a loop and could lock up your Samba
5189 The name of the password server takes the standard
5190 substitutions, but probably the only useful one is \fI%m
5191 \fR, which means the Samba server will use the incoming
5192 client as the password server. If you use this then you better
5193 trust your clients, and you had better restrict them with hosts allow!
5195 If the \fIsecurity\fR parameter is set to
5196 domain, then the list of machines in this
5197 option must be a list of Primary or Backup Domain controllers for the
5198 Domain or the character '*', as the Samba server is effectively
5199 in that domain, and will use cryptographically authenticated RPC calls
5200 to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the
5201 \fIpassword server\fR option then \fBsmbd
5202 \fRwill try each in turn till it finds one that responds. This
5203 is useful in case your primary server goes down.
5205 If the \fIpassword server\fR option is set
5206 to the character '*', then Samba will attempt to auto-locate the
5207 Primary or Backup Domain controllers to authenticate against by
5208 doing a query for the name WORKGROUP<1C>
5209 and then contacting each server returned in the list of IP
5210 addresses from the name resolution source.
5212 If the \fIsecurity\fR parameter is
5213 set to server, then there are different
5214 restrictions that \fBsecurity = domain\fR doesn't
5219 You may list several password servers in
5220 the \fIpassword server\fR parameter, however if an
5221 \fBsmbd\fR makes a connection to a password server,
5222 and then the password server fails, no more users will be able
5223 to be authenticated from this \fBsmbd\fR. This is a
5224 restriction of the SMB/CIFS protocol when in \fBsecurity = server
5225 \fRmode and cannot be fixed in Samba.
5228 If you are using a Windows NT server as your
5229 password server then you will have to ensure that your users
5230 are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to
5231 come from there rather than from the users workstation.
5234 See also the \fIsecurity
5238 Default: \fBpassword server = <empty string>\fR
5241 Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2
5244 Example: \fBpassword server = *\fR
5248 This parameter specifies a directory to which
5249 the user of the service is to be given access. In the case of
5250 printable services, this is where print data will spool prior to
5251 being submitted to the host for printing.
5253 For a printable service offering guest access, the service
5254 should be readonly and the path should be world-writeable and
5255 have the sticky bit set. This is not mandatory of course, but
5256 you probably won't get the results you expect if you do
5259 Any occurrences of \fI%u\fR in the path
5260 will be replaced with the UNIX username that the client is using
5261 on this connection. Any occurrences of \fI%m\fR
5262 will be replaced by the NetBIOS name of the machine they are
5263 connecting from. These replacements are very useful for setting
5264 up pseudo home directories for users.
5266 Note that this path will be based on \fIroot dir\fR if one was specified.
5270 Example: \fBpath = /home/fred\fR
5272 \fBpid directory (G)\fR
5273 This option specifies the directory where pid
5274 files will be placed.
5276 Default: \fBpid directory = ${prefix}/var/locks\fR
5278 Example: \fBpid directory = /var/run/\fR
5280 \fBposix locking (S)\fR
5282 daemon maintains an database of file locks obtained by SMB clients.
5283 The default behavior is to map this internal database to POSIX
5284 locks. This means that file locks obtained by SMB clients are
5285 consistent with those seen by POSIX compliant applications accessing
5286 the files via a non-SMB method (e.g. NFS or local file access).
5287 You should never need to disable this parameter.
5289 Default: \fBposix locking = yes\fR
5292 This option specifies a command to be run
5293 whenever the service is disconnected. It takes the usual
5294 substitutions. The command may be run as the root on some
5297 An interesting example may be to unmount server
5300 \fBpostexec = /etc/umount /cdrom\fR
5302 See also \fIpreexec\fR
5305 Default: \fBnone (no command executed)\fR
5307 Example: \fBpostexec = echo \\"%u disconnected from %S
5308 from %m (%I)\\" >> /tmp/log\fR
5310 \fBpostscript (S)\fR
5311 This parameter forces a printer to interpret
5312 the print files as PostScript. This is done by adding a %!
5313 to the start of print output.
5315 This is most useful when you have lots of PCs that persist
5316 in putting a control-D at the start of print jobs, which then
5317 confuses your printer.
5319 Default: \fBpostscript = no\fR
5322 This option specifies a command to be run whenever
5323 the service is connected to. It takes the usual substitutions.
5325 An interesting example is to send the users a welcome
5326 message every time they log in. Maybe a message of the day? Here
5329 \fBpreexec = csh -c 'echo \\"Welcome to %S!\\" |
5330 /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
5332 Of course, this could get annoying after a while :-)
5334 See also \fIpreexec close
5338 Default: \fBnone (no command executed)\fR
5340 Example: \fBpreexec = echo \\"%u connected to %S from %m
5341 (%I)\\" >> /tmp/log\fR
5343 \fBpreexec close (S)\fR
5344 This boolean option controls whether a non-zero
5345 return code from \fIpreexec
5346 \fRshould close the service being connected to.
5348 Default: \fBpreexec close = no\fR
5350 \fBpreferred master (G)\fR
5351 This boolean parameter controls if nmbd(8) is a preferred master browser
5354 If this is set to yes, on startup, \fBnmbd\fR
5355 will force an election, and it will have a slight advantage in
5356 winning the election. It is recommended that this parameter is
5357 used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master.
5359 Use this option with caution, because if there are several
5360 hosts (whether Samba servers, Windows 95 or NT) that are preferred
5361 master browsers on the same subnet, they will each periodically
5362 and continuously attempt to become the local master browser.
5363 This will result in unnecessary broadcast traffic and reduced browsing
5366 See also \fIos level\fR
5369 Default: \fBpreferred master = auto\fR
5371 \fBprefered master (G)\fR
5372 Synonym for \fI preferred master\fR for people who cannot spell :-).
5375 This is a list of services that you want to be
5376 automatically added to the browse lists. This is most useful
5377 for homes and printers services that would otherwise not be
5380 Note that if you just want all printers in your
5381 printcap file loaded then the \fIload printers\fR option is easier.
5383 Default: \fBno preloaded services\fR
5385 Example: \fBpreload = fred lp colorlp\fR
5387 \fBpreserve case (S)\fR
5388 This controls if new filenames are created
5389 with the case that the client passes, or if they are forced to
5390 be the \fIdefault case
5393 Default: \fBpreserve case = yes\fR
5395 See the section on NAME
5396 MANGLING for a fuller discussion.
5398 \fBprint command (S)\fR
5399 After a print job has finished spooling to
5400 a service, this command will be used via a \fBsystem()\fR
5401 call to process the spool file. Typically the command specified will
5402 submit the spool file to the host's printing subsystem, but there
5403 is no requirement that this be the case. The server will not remove
5404 the spool file, so whatever command you specify should remove the
5405 spool file when it has been processed, otherwise you will need to
5406 manually remove old spool files.
5408 The print command is simply a text string. It will be used
5409 verbatim after macro substitutions have been made:
5411 s, %p - the path to the spool
5414 %p - the appropriate printer
5418 name as transmitted by the client.
5420 %c - The number of printed pages
5421 of the spooled job (if known).
5423 %z - the size of the spooled
5424 print job (in bytes)
5426 The print command \fBMUST\fR contain at least
5427 one occurrence of \fI%s\fR or \fI%f
5428 \fR- the \fI%p\fR is optional. At the time
5429 a job is submitted, if no printer name is supplied the \fI%p
5430 \fRwill be silently removed from the printer command.
5432 If specified in the [global] section, the print command given
5433 will be used for any printable service that does not have its own
5434 print command specified.
5436 If there is neither a specified print command for a
5437 printable service nor a global print command, spool files will
5438 be created but not processed and (most importantly) not removed.
5440 Note that printing may fail on some UNIXes from the
5441 nobody account. If this happens then create
5442 an alternative guest account that can print and set the \fIguest account\fR
5443 in the [global] section.
5445 You can form quite complex print commands by realizing
5446 that they are just passed to a shell. For example the following
5447 will log a print job, print the file, then remove it. Note that
5448 \&';' is the usual separator for command in shell scripts.
5450 \fBprint command = echo Printing %s >>
5451 /tmp/print.log; lpr -P %p %s; rm %s\fR
5453 You may have to vary this command considerably depending
5454 on how you normally print files on your system. The default for
5455 the parameter varies depending on the setting of the \fIprinting\fR parameter.
5457 Default: For \fBprinting = BSD, AIX, QNX, LPRNG
5460 \fBprint command = lpr -r -P%p %s\fR
5462 For \fBprinting = SYSV or HPUX :\fR
5464 \fBprint command = lp -c -d%p %s; rm %s\fR
5466 For \fBprinting = SOFTQ :\fR
5468 \fBprint command = lp -d%p -s %s; rm %s\fR
5470 For printing = CUPS : If SAMBA is compiled against
5471 libcups, then printcap = cups
5472 uses the CUPS API to
5473 submit jobs, etc. Otherwise it maps to the System V
5474 commands with the -oraw option for printing, i.e. it
5475 uses \fBlp -c -d%p -oraw; rm %s\fR.
5476 With \fBprinting = cups\fR,
5477 and if SAMBA is compiled against libcups, any manually
5478 set print command will be ignored.
5480 Example: \fBprint command = /usr/local/samba/bin/myprintscript
5484 Synonym for \fIprintable\fR.
5487 If this parameter is yes, then
5488 clients may open, write to and submit spool files on the directory
5489 specified for the service.
5491 Note that a printable service will ALWAYS allow writing
5492 to the service path (user privileges permitting) via the spooling
5493 of print data. The \fIread only
5494 \fRparameter controls only non-printing access to
5497 Default: \fBprintable = no\fR
5500 Synonym for \fI printcap name\fR.
5502 \fBprintcap name (G)\fR
5503 This parameter may be used to override the
5504 compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons
5505 why you might want to do this.
5507 To use the CUPS printing interface set \fBprintcap name = cups
5508 \fR\&. This should be supplemented by an addtional setting
5509 printing = cups in the [global]
5510 section. \fBprintcap name = cups\fR will use the
5511 "dummy" printcap created by CUPS, as specified in your CUPS
5514 On System V systems that use \fBlpstat\fR to
5515 list available printers you can use \fBprintcap name = lpstat
5516 \fRto automatically obtain lists of available printers. This
5517 is the default for systems that define SYSV at configure time in
5518 Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on
5519 these systems then Samba will launch \fBlpstat -v\fR and
5520 attempt to parse the output to obtain a printer list.
5522 A minimal printcap file would look something like this:
5535 where the '|' separates aliases of a printer. The fact
5536 that the second alias has a space in it gives a hint to Samba
5537 that it's a comment.
5539 \fBNOTE\fR: Under AIX the default printcap
5540 name is \fI/etc/qconfig\fR. Samba will assume the
5541 file is in AIX \fIqconfig\fR format if the string
5542 \fIqconfig\fR appears in the printcap filename.
5544 Default: \fBprintcap name = /etc/printcap\fR
5546 Example: \fBprintcap name = /etc/myprintcap\fR
5548 \fBprinter admin (S)\fR
5549 This is a list of users that can do anything to
5550 printers via the remote administration interfaces offered by MS-RPC
5551 (usually using a NT workstation). Note that the root user always
5554 Default: \fBprinter admin = <empty string>\fR
5556 Example: \fBprinter admin = admin, @staff\fR
5558 \fBprinter driver (S)\fR
5559 \fBNote :\fRThis is a deprecated
5560 parameter and will be removed in the next major release
5561 following version 2.2. Please see the instructions in
5562 the Samba 2.2. Printing
5563 HOWTO for more information
5564 on the new method of loading printer drivers onto a Samba server.
5566 This option allows you to control the string
5567 that clients receive when they ask the server for the printer driver
5568 associated with a printer. If you are using Windows95 or Windows NT
5569 then you can use this to automate the setup of printers on your
5572 You need to set this parameter to the exact string (case
5573 sensitive) that describes the appropriate printer driver for your
5574 system. If you don't know the exact string to use then you should
5575 first try with no \fI printer driver\fR option set and the client will
5576 give you a list of printer drivers. The appropriate strings are
5577 shown in a scroll box after you have chosen the printer manufacturer.
5582 Example: \fBprinter driver = HP LaserJet 4L\fR
5584 \fBprinter driver file (G)\fR
5585 \fBNote :\fRThis is a deprecated
5586 parameter and will be removed in the next major release
5587 following version 2.2. Please see the instructions in
5588 the Samba 2.2. Printing
5589 HOWTO for more information
5590 on the new method of loading printer drivers onto a Samba server.
5592 This parameter tells Samba where the printer driver
5593 definition file, used when serving drivers to Windows 95 clients, is
5594 to be found. If this is not set, the default is :
5596 \fISAMBA_INSTALL_DIRECTORY
5597 /lib/printers.def\fR
5599 This file is created from Windows 95 \fImsprint.inf
5600 \fRfiles found on the Windows 95 client system. For more
5601 details on setting up serving of printer drivers to Windows 95
5602 clients, see the outdated documentation file in the \fIdocs/\fR
5603 directory, \fIPRINTER_DRIVER.txt\fR.
5605 See also \fI printer driver location\fR.
5607 Default: \fBNone (set in compile).\fR
5609 Example: \fBprinter driver file =
5610 /usr/local/samba/printers/drivers.def\fR
5612 \fBprinter driver location (S)\fR
5613 \fBNote :\fRThis is a deprecated
5614 parameter and will be removed in the next major release
5615 following version 2.2. Please see the instructions in
5616 the Samba 2.2. Printing
5617 HOWTO for more information
5618 on the new method of loading printer drivers onto a Samba server.
5620 This parameter tells clients of a particular printer
5621 share where to find the printer driver files for the automatic
5622 installation of drivers for Windows 95 machines. If Samba is set up
5623 to serve printer drivers to Windows 95 machines, this should be set to
5625 \fB\\\\MACHINE\\PRINTER$\fR
5627 Where MACHINE is the NetBIOS name of your Samba server,
5628 and PRINTER$ is a share you set up for serving printer driver
5629 files. For more details on setting this up see the outdated documentation
5630 file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR.
5632 See also \fI printer driver file\fR.
5636 Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$
5638 \fBprinter name (S)\fR
5639 This parameter specifies the name of the printer
5640 to which print jobs spooled through a printable service will be sent.
5642 If specified in the [global] section, the printer
5643 name given will be used for any printable service that does
5644 not have its own printer name specified.
5646 Default: \fBnone (but may be lp
5649 Example: \fBprinter name = laserwriter\fR
5652 Synonym for \fI printer name\fR.
5655 This parameters controls how printer status
5656 information is interpreted on your system. It also affects the
5657 default values for the \fIprint command\fR,
5658 \fIlpq command\fR, \fIlppause command
5659 \fR, \fIlpresume command\fR, and
5660 \fIlprm command\fR if specified in the
5663 Currently nine printing styles are supported. They are
5670 To see what the defaults are for the other print
5671 commands when using the various options use the testparm(1) program.
5673 This option can be set on a per printer basis
5675 See also the discussion in the [printers] section.
5677 \fBprofile acls (S)\fR
5678 This boolean parameter was added to fix the problems that people have been
5679 having with storing user profiles on Samba shares from Windows 2000 or
5680 Windows XP clients. New versions of Windows 2000 or Windows XP service
5681 packs do security ACL checking on the owner and ability to write of the
5682 profile directory stored on a local workstation when copied from a Samba
5683 share. When not in domain mode with winbindd then the security info copied
5684 onto the local workstation has no meaning to the logged in user (SID) on
5685 that workstation so the profile storing fails. Adding this parameter
5686 onto a share used for profile storage changes two things about the
5687 returned Windows ACL. Firstly it changes the owner and group owner
5688 of all reported files and directories to be BUILTIN\\Administrators,
5689 BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
5690 it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
5691 every returned ACL. This will allow any Windows 2000 or XP workstation
5692 user to access the profile. Note that if you have multiple users logging
5693 on to a workstation then in order to prevent them from being able to access
5694 each others profiles you must remove the "Bypass traverse checking" advanced
5695 user right. This will prevent access to other users profile directories as
5696 the top level profile directory (named after the user) is created by the
5697 workstation profile code and has an ACL restricting entry to the directory
5698 tree to the owning user.
5700 If you didn't understand the above text, you probably should not set
5703 Default \fBprofile acls = no\fR
5706 Synonym for \fImax protocol\fR.
5709 Synonym for \fIguest
5712 \fBqueuepause command (S)\fR
5713 This parameter specifies the command to be
5714 executed on the server host in order to pause the printer queue.
5716 This command should be a program or script which takes
5717 a printer name as its only parameter and stops the printer queue,
5718 such that no longer jobs are submitted to the printer.
5720 This command is not supported by Windows for Workgroups,
5721 but can be issued from the Printers window under Windows 95
5724 If a \fI%p\fR is given then the printer name
5725 is put in its place. Otherwise it is placed at the end of the command.
5727 Note that it is good practice to include the absolute
5728 path in the command as the PATH may not be available to the
5731 Default: \fBdepends on the setting of \fIprinting
5733 Example: \fBqueuepause command = disable %p\fR
5735 \fBqueueresume command (S)\fR
5736 This parameter specifies the command to be
5737 executed on the server host in order to resume the printer queue. It
5738 is the command to undo the behavior that is caused by the
5739 previous parameter (\fI queuepause command\fR).
5741 This command should be a program or script which takes
5742 a printer name as its only parameter and resumes the printer queue,
5743 such that queued jobs are resubmitted to the printer.
5745 This command is not supported by Windows for Workgroups,
5746 but can be issued from the Printers window under Windows 95
5749 If a \fI%p\fR is given then the printer name
5750 is put in its place. Otherwise it is placed at the end of the
5753 Note that it is good practice to include the absolute
5754 path in the command as the PATH may not be available to the
5757 Default: \fBdepends on the setting of \fIprinting\fB\fR
5759 Example: \fBqueuepause command = enable %p
5762 This boolean parameter controls whether smbd(8) will support the "Read
5763 Block Multiplex" SMB. This is now rarely used and defaults to
5764 no. You should never need to set this
5767 Default: \fBread bmpx = no\fR
5770 This is a list of users that are given read-only
5771 access to a service. If the connecting user is in this list then
5772 they will not be given write access, no matter what the \fIread only\fR
5773 option is set to. The list can include group names using the
5774 syntax described in the \fI invalid users\fR parameter.
5776 See also the \fI write list\fR parameter and the \fIinvalid users\fR
5779 Default: \fBread list = <empty string>\fR
5781 Example: \fBread list = mary, @students\fR
5784 An inverted synonym is \fIwriteable\fR.
5786 If this parameter is yes, then users
5787 of a service may not create or modify files in the service's
5790 Note that a printable service (\fBprintable = yes\fR)
5791 will \fBALWAYS\fR allow writing to the directory
5792 (user privileges permitting), but only via spooling operations.
5794 Default: \fBread only = yes\fR
5797 This parameter controls whether or not the server
5798 will support the raw read SMB requests when transferring data
5801 If enabled, raw reads allow reads of 65535 bytes in
5802 one packet. This typically provides a major performance benefit.
5804 However, some clients either negotiate the allowable
5805 block size incorrectly or are incapable of supporting larger block
5806 sizes, and for these clients you may need to disable raw reads.
5808 In general this parameter should be viewed as a system tuning
5809 tool and left severely alone. See also \fIwrite raw\fR.
5811 Default: \fBread raw = yes\fR
5814 The option \fIread size\fR
5815 affects the overlap of disk reads/writes with network reads/writes.
5816 If the amount of data being transferred in several of the SMB
5817 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
5818 than this value then the server begins writing the data before it
5819 has received the whole packet from the network, or in the case of
5820 SMBreadbraw, it begins writing to the network before all the data
5821 has been read from disk.
5823 This overlapping works best when the speeds of disk and
5824 network access are similar, having very little effect when the
5825 speed of one is much greater than the other.
5827 The default value is 16384, but very little experimentation
5828 has been done yet to determine the optimal value, and it is likely
5829 that the best value will vary greatly between systems anyway.
5830 A value over 65536 is pointless and will cause you to allocate
5831 memory unnecessarily.
5833 Default: \fBread size = 16384\fR
5835 Example: \fBread size = 8192\fR
5837 \fBremote announce (G)\fR
5838 This option allows you to setup nmbd(8) to periodically announce itself
5839 to arbitrary IP addresses with an arbitrary workgroup name.
5841 This is useful if you want your Samba server to appear
5842 in a remote workgroup for which the normal browse propagation
5843 rules don't work. The remote workgroup can be anywhere that you
5844 can send IP packets to.
5848 \fBremote announce = 192.168.2.255/SERVERS
5849 192.168.4.255/STAFF\fR
5851 the above line would cause \fBnmbd\fR to announce itself
5852 to the two given IP addresses using the given workgroup names.
5853 If you leave out the workgroup name then the one given in
5855 parameter is used instead.
5857 The IP addresses you choose would normally be the broadcast
5858 addresses of the remote networks, but can also be the IP addresses
5859 of known browse masters if your network config is that stable.
5861 See the documentation file \fIBROWSING.txt\fR
5862 in the \fIdocs/\fR directory.
5864 Default: \fBremote announce = <empty string>
5866 \fBremote browse sync (G)\fR
5867 This option allows you to setup nmbd(8) to periodically request
5868 synchronization of browse lists with the master browser of a Samba
5869 server that is on a remote segment. This option will allow you to
5870 gain browse lists for multiple workgroups across routed networks. This
5871 is done in a manner that does not work with any non-Samba servers.
5873 This is useful if you want your Samba server and all local
5874 clients to appear in a remote workgroup for which the normal browse
5875 propagation rules don't work. The remote workgroup can be anywhere
5876 that you can send IP packets to.
5880 \fBremote browse sync = 192.168.2.255 192.168.4.255
5882 the above line would cause \fBnmbd\fR to request
5883 the master browser on the specified subnets or addresses to
5884 synchronize their browse lists with the local server.
5886 The IP addresses you choose would normally be the broadcast
5887 addresses of the remote networks, but can also be the IP addresses
5888 of known browse masters if your network config is that stable. If
5889 a machine IP address is given Samba makes NO attempt to validate
5890 that the remote machine is available, is listening, nor that it
5891 is in fact the browse master on its segment.
5893 Default: \fBremote browse sync = <empty string>
5895 \fBrestrict anonymous (G)\fR
5896 This is a boolean parameter. If it is yes, then
5897 anonymous access to the server will be restricted, namely in the
5898 case where the server is expecting the client to send a username,
5899 but it doesn't. Setting it to yes will force these anonymous
5900 connections to be denied, and the client will be required to always
5901 supply a username and password when connecting. Use of this parameter
5902 is only recommended for homogeneous NT client environments.
5904 This parameter makes the use of macro expansions that rely
5905 on the username (%U, %G, etc) consistent. NT 4.0
5906 likes to use anonymous connections when refreshing the share list,
5907 and this is a way to work around that.
5909 When restrict anonymous is yes, all anonymous connections
5910 are denied no matter what they are for. This can effect the ability
5911 of a machine to access the Samba Primary Domain Controller to revalidate
5912 its machine account after someone else has logged on the client
5913 interactively. The NT client will display a message saying that
5914 the machine's account in the domain doesn't exist or the password is
5915 bad. The best way to deal with this is to reboot NT client machines
5916 between interactive logons, using "Shutdown and Restart", rather
5917 than "Close all programs and logon as a different user".
5919 Default: \fBrestrict anonymous = no\fR
5922 Synonym for \fIroot directory"\fR.
5925 Synonym for \fIroot directory"\fR.
5927 \fBroot directory (G)\fR
5928 The server will \fBchroot()\fR (i.e.
5929 Change its root directory) to this directory on startup. This is
5930 not strictly necessary for secure operation. Even without it the
5931 server will deny access to files not in one of the service entries.
5932 It may also check for, and deny access to, soft links to other
5933 parts of the filesystem, or attempts to use ".." in file names
5934 to access other directories (depending on the setting of the \fIwide links\fR
5937 Adding a \fIroot directory\fR entry other
5938 than "/" adds an extra level of security, but at a price. It
5939 absolutely ensures that no access is given to files not in the
5940 sub-tree specified in the \fIroot directory\fR
5941 option, \fBincluding\fR some files needed for
5942 complete operation of the server. To maintain full operability
5943 of the server you will need to mirror some system files
5944 into the \fIroot directory\fR tree. In particular
5945 you will need to mirror \fI/etc/passwd\fR (or a
5946 subset of it), and any binaries or configuration files needed for
5947 printing (if required). The set of files that must be mirrored is
5948 operating system dependent.
5950 Default: \fBroot directory = /\fR
5952 Example: \fBroot directory = /homes/smb\fR
5954 \fBroot postexec (S)\fR
5955 This is the same as the \fIpostexec\fR
5956 parameter except that the command is run as root. This
5957 is useful for unmounting filesystems
5958 (such as CDROMs) after a connection is closed.
5960 See also \fI postexec\fR.
5962 Default: \fBroot postexec = <empty string>
5964 \fBroot preexec (S)\fR
5965 This is the same as the \fIpreexec\fR
5966 parameter except that the command is run as root. This
5967 is useful for mounting filesystems (such as CDROMs) when a
5968 connection is opened.
5970 See also \fI preexec\fR and \fIpreexec close\fR.
5972 Default: \fBroot preexec = <empty string>
5974 \fBroot preexec close (S)\fR
5975 This is the same as the \fIpreexec close
5976 \fRparameter except that the command is run as root.
5978 See also \fI preexec\fR and \fIpreexec close\fR.
5980 Default: \fBroot preexec close = no\fR
5983 This option affects how clients respond to
5984 Samba and is one of the most important settings in the \fI smb.conf\fR file.
5986 The option sets the "security mode bit" in replies to
5987 protocol negotiations with smbd(8)
5988 to turn share level security on or off. Clients decide
5989 based on this bit whether (and how) to transfer user and password
5990 information to the server.
5992 The default is \fBsecurity = user\fR, as this is
5993 the most common setting needed when talking to Windows 98 and
5996 The alternatives are \fBsecurity = share\fR,
5997 \fBsecurity = server\fR or \fBsecurity = domain
6000 In versions of Samba prior to 2.0.0, the default was
6001 \fBsecurity = share\fR mainly because that was
6002 the only option at one stage.
6004 There is a bug in WfWg that has relevance to this
6005 setting. When in user or server level security a WfWg client
6006 will totally ignore the password you type in the "connect
6007 drive" dialog box. This makes it very difficult (if not impossible)
6008 to connect to a Samba service as anyone except the user that
6009 you are logged into WfWg as.
6011 If your PCs use usernames that are the same as their
6012 usernames on the UNIX machine then you will want to use
6013 \fBsecurity = user\fR. If you mostly use usernames
6014 that don't exist on the UNIX box then use \fBsecurity =
6017 You should also use \fBsecurity = share\fR if you
6018 want to mainly setup shares without a password (guest shares). This
6019 is commonly used for a shared printer server. It is more difficult
6020 to setup guest shares with \fBsecurity = user\fR, see
6021 the \fImap to guest\fR
6022 parameter for details.
6024 It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share
6025 level security under different \fINetBIOS aliases\fR.
6027 The different settings will now be explained.
6031 When clients connect to a share level security server they
6032 need not log onto the server with a valid username and password before
6033 attempting to connect to a shared resource (although modern clients
6034 such as Windows 95/98 and Windows NT will send a logon request with
6035 a username but no password when talking to a \fBsecurity = share
6036 \fRserver). Instead, the clients send authentication information
6037 (passwords) on a per-share basis, at the time they attempt to connect
6040 Note that \fBsmbd\fR \fBALWAYS\fR
6041 uses a valid UNIX user to act on behalf of the client, even in
6042 \fBsecurity = share\fR level security.
6044 As clients are not required to send a username to the server
6045 in share level security, \fBsmbd\fR uses several
6046 techniques to determine the correct UNIX user to use on behalf
6049 A list of possible UNIX usernames to match with the given
6050 client password is constructed using the following methods :
6055 only\fR parameter is set, then all the other
6056 stages are missed and only the \fIguest account\fR username is checked.
6059 Is a username is sent with the share connection
6060 request, then this username (after mapping - see \fIusername map\fR),
6061 is added as a potential username.
6064 If the client did a previous \fBlogon
6065 \fRrequest (the SessionSetup SMB call) then the
6066 username sent in this SMB will be added as a potential username.
6069 The name of the service the client requested is
6070 added as a potential username.
6073 The NetBIOS name of the client is added to
6074 the list as a potential username.
6077 Any users on the \fI user\fR list are added as potential usernames.
6080 If the \fIguest only\fR parameter is
6081 not set, then this list is then tried with the supplied password.
6082 The first user for whom the password matches will be used as the
6086 If the \fIguest only\fR parameter is
6087 set, or no username can be determined then if the share is marked
6088 as available to the \fIguest account\fR, then this
6089 guest user will be used, otherwise access is denied.
6092 Note that it can be \fBvery\fR confusing
6093 in share-level security as to which UNIX username will eventually
6094 be used in granting access.
6097 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6103 This is the default security setting in Samba 2.2.
6104 With user-level security a client must first "log-on" with a
6105 valid username and password (which can be mapped using the \fIusername map\fR
6106 parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
6107 be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
6108 may change the UNIX user to use on this connection, but only after
6109 the user has been successfully authenticated.
6112 \fBNote\fR that the name of the resource being
6113 requested is \fBnot\fR sent to the server until after
6114 the server has successfully authenticated the client. This is why
6115 guest shares don't work in user level security without allowing
6116 the server to automatically map unknown users into the \fIguest account\fR.
6117 See the \fImap to guest\fR
6118 parameter for details on doing this.
6121 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6124 \fBSECURITY = SERVER
6127 In this mode Samba will try to validate the username/password
6128 by passing it to another SMB server, such as an NT box. If this
6129 fails it will revert to \fBsecurity = user\fR, but note
6130 that if encrypted passwords have been negotiated then Samba cannot
6131 revert back to checking the UNIX password file, it must have a valid
6132 \fIsmbpasswd\fR file to check users against. See the
6133 documentation file in the \fIdocs/\fR directory
6134 \fIENCRYPTION.txt\fR for details on how to set this
6138 \fBNote\fR that from the client's point of
6139 view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals
6140 with the authentication, it does not in any way affect what the
6144 \fBNote\fR that the name of the resource being
6145 requested is \fBnot\fR sent to the server until after
6146 the server has successfully authenticated the client. This is why
6147 guest shares don't work in user level security without allowing
6148 the server to automatically map unknown users into the \fIguest account\fR.
6149 See the \fImap to guest\fR
6150 parameter for details on doing this.
6153 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6156 See also the \fIpassword
6157 server\fR parameter and the \fIencrypted passwords\fR
6161 \fBSECURITY = DOMAIN
6164 This mode will only work correctly if smbpasswd(8) has been used to add this
6165 machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR
6166 parameter to be set to yes. In this
6167 mode Samba will try to validate the username/password by passing
6168 it to a Windows NT Primary or Backup Domain Controller, in exactly
6169 the same way that a Windows NT Server would do.
6172 \fBNote\fR that a valid UNIX user must still
6173 exist as well as the account on the Domain Controller to allow
6174 Samba to have a valid UNIX account to map file access to.
6177 \fBNote\fR that from the client's point
6178 of view \fBsecurity = domain\fR is the same as \fBsecurity = user
6179 \fR\&. It only affects how the server deals with the authentication,
6180 it does not in any way affect what the client sees.
6183 \fBNote\fR that the name of the resource being
6184 requested is \fBnot\fR sent to the server until after
6185 the server has successfully authenticated the client. This is why
6186 guest shares don't work in user level security without allowing
6187 the server to automatically map unknown users into the \fIguest account\fR.
6188 See the \fImap to guest\fR
6189 parameter for details on doing this.
6192 \fBBUG:\fR There is currently a bug in the
6193 implementation of \fBsecurity = domain\fR with respect
6194 to multi-byte character set usernames. The communication with a
6195 Domain Controller must be done in UNICODE and Samba currently
6196 does not widen multi-byte user names to UNICODE correctly, thus
6197 a multi-byte username will not be recognized correctly at the
6198 Domain Controller. This issue will be addressed in a future release.
6201 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6204 See also the \fIpassword
6205 server\fR parameter and the \fIencrypted passwords\fR
6209 Default: \fBsecurity = USER\fR
6212 Example: \fBsecurity = DOMAIN\fR
6215 \fBsecurity mask (S)\fR
6216 This parameter controls what UNIX permission
6217 bits can be modified when a Windows NT client is manipulating
6218 the UNIX permission on a file using the native NT security
6221 This parameter is applied as a mask (AND'ed with) to
6222 the changed permission bits, thus preventing any bits not in
6223 this mask from being modified. Essentially, zero bits in this
6224 mask may be treated as a set of bits the user is not allowed
6227 If not set explicitly this parameter is 0777, allowing
6228 a user to modify all the user/group/world permissions on a file.
6230 \fBNote\fR that users who can access the
6231 Samba server through other means can easily bypass this
6232 restriction, so it is primarily useful for standalone
6233 "appliance" systems. Administrators of most normal systems will
6234 probably want to leave it set to 0777.
6236 See also the \fIforce directory security mode\fR,
6238 security mask\fR, \fIforce security mode\fR parameters.
6240 Default: \fBsecurity mask = 0777\fR
6242 Example: \fBsecurity mask = 0770\fR
6244 \fBserver string (G)\fR
6245 This controls what string will show up in the
6246 printer comment box in print manager and next to the IPC connection
6247 in \fBnet view\fR. It can be any string that you wish
6248 to show to your users.
6250 It also sets what will appear in browse lists next
6251 to the machine name.
6253 A \fI%v\fR will be replaced with the Samba
6256 A \fI%h\fR will be replaced with the
6259 Default: \fBserver string = Samba %v\fR
6261 Example: \fBserver string = University of GNUs Samba
6264 \fBset directory (S)\fR
6265 If \fBset directory = no\fR, then
6266 users of the service may not use the setdir command to change
6269 The \fBsetdir\fR command is only implemented
6270 in the Digital Pathworks client. See the Pathworks documentation
6273 Default: \fBset directory = no\fR
6275 \fBshare modes (S)\fR
6276 This enables or disables the honoring of
6277 the \fIshare modes\fR during a file open. These
6278 modes are used by clients to gain exclusive read or write access
6281 These open modes are not directly supported by UNIX, so
6282 they are simulated using shared memory, or lock files if your
6283 UNIX doesn't support shared memory (almost all do).
6285 The share modes that are enabled by this option are
6287 DENY_READ, DENY_WRITE,
6288 DENY_NONE and DENY_FCB.
6290 This option gives full share compatibility and enabled
6293 You should \fBNEVER\fR turn this parameter
6294 off as many Windows applications will break if you do so.
6296 Default: \fBshare modes = yes\fR
6298 \fBshort preserve case (S)\fR
6299 This boolean parameter controls if new files
6300 which conform to 8.3 syntax, that is all in upper case and of
6301 suitable length, are created upper case, or if they are forced
6302 to be the \fIdefault case
6303 \fR\&. This option can be use with \fBpreserve case = yes\fR
6304 to permit long filenames to retain their case, while short
6307 See the section on NAME MANGLING.
6309 Default: \fBshort preserve case = yes\fR
6311 \fBshow add printer wizard (G)\fR
6312 With the introduction of MS-RPC based printing support
6313 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
6314 appear on Samba hosts in the share listing. Normally this folder will
6315 contain an icon for the MS Add Printer Wizard (APW). However, it is
6316 possible to disable this feature regardless of the level of privilege
6317 of the connected user.
6319 Under normal circumstances, the Windows NT/2000 client will
6320 open a handle on the printer server with OpenPrinterEx() asking for
6321 Administrator privileges. If the user does not have administrative
6322 access on the print server (i.e is not root or a member of the
6323 \fIprinter admin\fR group), the OpenPrinterEx()
6324 call fails and the client makes another open call with a request for
6325 a lower privilege level. This should succeed, however the APW
6326 icon will not be displayed.
6328 Disabling the \fIshow add printer wizard\fR
6329 parameter will always cause the OpenPrinterEx() on the server
6330 to fail. Thus the APW icon will never be displayed. \fB Note :\fRThis does not prevent the same user from having
6331 administrative privilege on an individual printer.
6333 See also \fIaddprinter
6334 command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR
6336 Default :\fBshow add printer wizard = yes\fR
6338 \fBsmb passwd file (G)\fR
6339 This option sets the path to the encrypted
6340 smbpasswd file. By default the path to the smbpasswd file
6341 is compiled into Samba.
6343 Default: \fBsmb passwd file = ${prefix}/private/smbpasswd
6345 Example: \fBsmb passwd file = /etc/samba/smbpasswd
6347 \fBsocket address (G)\fR
6348 This option allows you to control what
6349 address Samba will listen for connections on. This is used to
6350 support multiple virtual interfaces on the one server, each
6351 with a different configuration.
6353 By default Samba will accept connections on any
6356 Example: \fBsocket address = 192.168.2.20\fR
6358 \fBsocket options (G)\fR
6359 This option allows you to set socket options
6360 to be used when talking with the client.
6362 Socket options are controls on the networking layer
6363 of the operating systems which allow the connection to be
6366 This option will typically be used to tune your Samba
6367 server for optimal performance for your local network. There is
6368 no way that Samba can know what the optimal parameters are for
6369 your net, so you must experiment and choose them yourself. We
6370 strongly suggest you read the appropriate documentation for your
6371 operating system first (perhaps \fBman setsockopt\fR
6374 You may find that on some systems Samba will say
6375 "Unknown socket option" when you supply an option. This means you
6376 either incorrectly typed it or you need to add an include file
6377 to includes.h for your OS. If the latter is the case please
6378 send the patch to samba@samba.org <URL:mailto:samba@samba.org>.
6380 Any of the supported socket options may be combined
6381 in any way you like, as long as your OS allows it.
6383 This is the list of socket options currently settable
6418 Those marked with a \fB'*'\fR take an integer
6419 argument. The others can optionally take a 1 or 0 argument to enable
6420 or disable the option, by default they will be enabled if you
6421 don't specify 1 or 0.
6424 To specify an argument use the syntax SOME_OPTION = VALUE
6425 for example \fBSO_SNDBUF = 8192\fR. Note that you must
6426 not have any spaces before or after the = sign.
6429 If you are on a local network then a sensible option
6433 \fBsocket options = IPTOS_LOWDELAY\fR
6436 If you have a local network then you could try:
6439 \fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
6442 If you are on a wide area network then perhaps try
6443 setting IPTOS_THROUGHPUT.
6446 Note that several of the options may cause your Samba
6447 server to fail completely. Use these options with caution!
6450 Default: \fBsocket options = TCP_NODELAY\fR
6453 Example: \fBsocket options = IPTOS_LOWDELAY\fR
6456 \fBsource environment (G)\fR
6457 This parameter causes Samba to set environment
6458 variables as per the content of the file named.
6460 If the value of this parameter starts with a "|" character
6461 then Samba will treat that value as a pipe command to open and
6462 will set the environment variables from the output of the pipe.
6464 The contents of the file or the output of the pipe should
6465 be formatted as the output of the standard Unix \fBenv(1)
6466 \fRcommand. This is of the form :
6468 Example environment entry:
6470 \fBSAMBA_NETBIOS_NAME = myhostname\fR
6472 Default: \fBNo default value\fR
6474 Examples: \fBsource environment = |/etc/smb.conf.sh
6476 Example: \fBsource environment =
6477 /usr/local/smb_env_vars\fR
6480 This variable is part of SSL-enabled Samba. This
6481 is only available if the SSL libraries have been compiled on your
6482 system and the configure option \fB--with-ssl\fR was
6483 given at configure time.
6485 This variable enables or disables the entire SSL mode. If
6486 it is set to no, the SSL-enabled Samba behaves
6487 exactly like the non-SSL Samba. If set to yes,
6488 it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL
6489 connection will be required.
6491 Default: \fBssl = no\fR
6493 \fBssl CA certDir (G)\fR
6494 This variable is part of SSL-enabled Samba. This
6495 is only available if the SSL libraries have been compiled on your
6496 system and the configure option \fB--with-ssl\fR was
6497 given at configure time.
6499 This variable defines where to look up the Certification
6500 Authorities. The given directory should contain one file for
6501 each CA that Samba will trust. The file name must be the hash
6502 value over the "Distinguished Name" of the CA. How this directory
6503 is set up is explained later in this document. All files within the
6504 directory that don't fit into this naming scheme are ignored. You
6505 don't need this variable if you don't verify client certificates.
6507 Default: \fBssl CA certDir = /usr/local/ssl/certs
6509 \fBssl CA certFile (G)\fR
6510 This variable is part of SSL-enabled Samba. This
6511 is only available if the SSL libraries have been compiled on your
6512 system and the configure option \fB--with-ssl\fR was
6513 given at configure time.
6515 This variable is a second way to define the trusted CAs.
6516 The certificates of the trusted CAs are collected in one big
6517 file and this variable points to the file. You will probably
6518 only use one of the two ways to define your CAs. The first choice is
6519 preferable if you have many CAs or want to be flexible, the second
6520 is preferable if you only have one CA and want to keep things
6521 simple (you won't need to create the hashed file names). You
6522 don't need this variable if you don't verify client certificates.
6524 Default: \fBssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
6526 \fBssl ciphers (G)\fR
6527 This variable is part of SSL-enabled Samba. This
6528 is only available if the SSL libraries have been compiled on your
6529 system and the configure option \fB--with-ssl\fR was
6530 given at configure time.
6532 This variable defines the ciphers that should be offered
6533 during SSL negotiation. You should not set this variable unless
6534 you know what you are doing.
6536 \fBssl client cert (G)\fR
6537 This variable is part of SSL-enabled Samba. This
6538 is only available if the SSL libraries have been compiled on your
6539 system and the configure option \fB--with-ssl\fR was
6540 given at configure time.
6542 The certificate in this file is used by \fBsmbclient(1)\fR if it exists. It's needed
6543 if the server requires a client certificate.
6545 Default: \fBssl client cert = /usr/local/ssl/certs/smbclient.pem
6547 \fBssl client key (G)\fR
6548 This variable is part of SSL-enabled Samba. This
6549 is only available if the SSL libraries have been compiled on your
6550 system and the configure option \fB--with-ssl\fR was
6551 given at configure time.
6553 This is the private key for \fBsmbclient(1)\fR It's only needed if the
6554 client should have a certificate.
6556 Default: \fBssl client key = /usr/local/ssl/private/smbclient.pem
6558 \fBssl compatibility (G)\fR
6559 This variable is part of SSL-enabled Samba. This
6560 is only available if the SSL libraries have been compiled on your
6561 system and the configure option \fB--with-ssl\fR was
6562 given at configure time.
6564 This variable defines whether OpenSSL should be configured
6565 for bug compatibility with other SSL implementations. This is
6566 probably not desirable because currently no clients with SSL
6567 implementations other than OpenSSL exist.
6569 Default: \fBssl compatibility = no\fR
6571 \fBssl egd socket (G)\fR
6572 This variable is part of SSL-enabled Samba. This
6573 is only available if the SSL libraries have been compiled on your
6574 system and the configure option \fB--with-ssl\fR was
6575 given at configure time.
6577 This option is used to define the location of the communiation socket of
6578 an EGD or PRNGD daemon, from which entropy can be retrieved. This option
6579 can be used instead of or together with the \fIssl entropy file\fR
6580 directive. 255 bytes of entropy will be retrieved from the daemon.
6584 \fBssl entropy bytes (G)\fR
6585 This variable is part of SSL-enabled Samba. This
6586 is only available if the SSL libraries have been compiled on your
6587 system and the configure option \fB--with-ssl\fR was
6588 given at configure time.
6590 This parameter is used to define the number of bytes which should
6591 be read from the \fIssl entropy
6592 file\fR If a -1 is specified, the entire file will
6595 Default: \fBssl entropy bytes = 255\fR
6597 \fBssl entropy file (G)\fR
6598 This variable is part of SSL-enabled Samba. This
6599 is only available if the SSL libraries have been compiled on your
6600 system and the configure option \fB--with-ssl\fR was
6601 given at configure time.
6603 This parameter is used to specify a file from which processes will
6604 read "random bytes" on startup. In order to seed the internal pseudo
6605 random number generator, entropy must be provided. On system with a
6606 \fI/dev/urandom\fR device file, the processes
6607 will retrieve its entropy from the kernel. On systems without kernel
6608 entropy support, a file can be supplied that will be read on startup
6609 and that will be used to seed the PRNG.
6614 See \fI ssl hosts resign\fR.
6616 \fBssl hosts resign (G)\fR
6617 This variable is part of SSL-enabled Samba. This
6618 is only available if the SSL libraries have been compiled on your
6619 system and the configure option \fB--with-ssl\fR was
6620 given at configure time.
6622 These two variables define whether Samba will go
6623 into SSL mode or not. If none of them is defined, Samba will
6624 allow only SSL connections. If the \fIssl hosts\fR variable lists
6625 hosts (by IP-address, IP-address range, net group or name),
6626 only these hosts will be forced into SSL mode. If the \fI ssl hosts resign\fR variable lists hosts, only these
6627 hosts will \fBNOT\fR be forced into SSL mode. The syntax for these two
6628 variables is the same as for the \fI hosts allow\fR and \fIhosts deny\fR pair of variables, only
6629 that the subject of the decision is different: It's not the access
6630 right but whether SSL is used or not.
6632 The example below requires SSL connections from all hosts
6633 outside the local net (which is 192.168.*.*).
6635 Default: \fBssl hosts = <empty string>\fR
6637 \fBssl hosts resign = <empty string>\fR
6639 Example: \fBssl hosts resign = 192.168.\fR
6641 \fBssl require clientcert (G)\fR
6642 This variable is part of SSL-enabled Samba. This
6643 is only available if the SSL libraries have been compiled on your
6644 system and the configure option \fB--with-ssl\fR was
6645 given at configure time.
6647 If this variable is set to yes, the
6648 server will not tolerate connections from clients that don't
6649 have a valid certificate. The directory/file given in \fIssl CA certDir\fR
6650 and \fIssl CA certFile
6651 \fRwill be used to look up the CAs that issued
6652 the client's certificate. If the certificate can't be verified
6653 positively, the connection will be terminated. If this variable
6654 is set to no, clients don't need certificates.
6655 Contrary to web applications you really \fBshould\fR
6656 require client certificates. In the web environment the client's
6657 data is sensitive (credit card numbers) and the server must prove
6658 to be trustworthy. In a file server environment the server's data
6659 will be sensitive and the clients must prove to be trustworthy.
6661 Default: \fBssl require clientcert = no\fR
6663 \fBssl require servercert (G)\fR
6664 This variable is part of SSL-enabled Samba. This
6665 is only available if the SSL libraries have been compiled on your
6666 system and the configure option \fB--with-ssl\fR was
6667 given at configure time.
6669 If this variable is set to yes, the
6671 will request a certificate from the server. Same as
6673 clientcert\fR for the server.
6675 Default: \fBssl require servercert = no\fR
6677 \fBssl server cert (G)\fR
6678 This variable is part of SSL-enabled Samba. This
6679 is only available if the SSL libraries have been compiled on your
6680 system and the configure option \fB--with-ssl\fR was
6681 given at configure time.
6683 This is the file containing the server's certificate.
6684 The server \fBmust\fR have a certificate. The
6685 file may also contain the server's private key. See later for
6686 how certificates and private keys are created.
6688 Default: \fBssl server cert = <empty string>
6690 \fBssl server key (G)\fR
6691 This variable is part of SSL-enabled Samba. This
6692 is only available if the SSL libraries have been compiled on your
6693 system and the configure option \fB--with-ssl\fR was
6694 given at configure time.
6696 This file contains the private key of the server. If
6697 this variable is not defined, the key is looked up in the
6698 certificate file (it may be appended to the certificate).
6699 The server \fBmust\fR have a private key
6700 and the certificate \fBmust\fR
6701 match this private key.
6703 Default: \fBssl server key = <empty string>
6705 \fBssl version (G)\fR
6706 This variable is part of SSL-enabled Samba. This
6707 is only available if the SSL libraries have been compiled on your
6708 system and the configure option \fB--with-ssl\fR was
6709 given at configure time.
6711 This enumeration variable defines the versions of the
6712 SSL protocol that will be used. ssl2or3 allows
6713 dynamic negotiation of SSL v2 or v3, ssl2 results
6714 in SSL v2, ssl3 results in SSL v3 and
6715 tls1 results in TLS v1. TLS (Transport Layer
6716 Security) is the new standard for SSL.
6718 Default: \fBssl version = "ssl2or3"\fR
6720 \fBstat cache (G)\fR
6721 This parameter determines if smbd(8) will use a cache in order to
6722 speed up case insensitive name mappings. You should never need
6723 to change this parameter.
6725 Default: \fBstat cache = yes\fR
6727 \fBstat cache size (G)\fR
6728 This parameter determines the number of
6729 entries in the \fIstat cache\fR. You should
6730 never need to change this parameter.
6732 Default: \fBstat cache size = 50\fR
6735 This enables or disables logging of connections
6736 to a status file that smbstatus(1)
6739 With this disabled \fBsmbstatus\fR won't be able
6740 to tell you what connections are active. You should never need to
6741 change this parameter.
6743 Default: \fBstatus = yes\fR
6745 \fBstrict allocate (S)\fR
6746 This is a boolean that controls the handling of
6747 disk space allocation in the server. When this is set to yes
6748 the server will change from UNIX behaviour of not committing real
6749 disk storage blocks when a file is extended to the Windows behaviour
6750 of actually forcing the disk system to allocate real storage blocks
6751 when a file is created or extended to be a given size. In UNIX
6752 terminology this means that Samba will stop creating sparse files.
6753 This can be slow on some systems.
6755 When strict allocate is no the server does sparse
6756 disk block allocation when a file is extended.
6758 Setting this to yes can help Samba return
6759 out of quota messages on systems that are restricting the disk quota
6762 Default: \fBstrict allocate = no\fR
6764 \fBstrict locking (S)\fR
6765 This is a boolean that controls the handling of
6766 file locking in the server. When this is set to yes
6767 the server will check every read and write access for file locks, and
6768 deny access if locks exist. This can be slow on some systems.
6770 When strict locking is no the server does file
6771 lock checks only when the client explicitly asks for them.
6773 Well-behaved clients always ask for lock checks when it
6774 is important, so in the vast majority of cases \fBstrict
6775 locking = no\fR is preferable.
6777 Default: \fBstrict locking = no\fR
6779 \fBstrict sync (S)\fR
6780 Many Windows applications (including the Windows
6781 98 explorer shell) seem to confuse flushing buffer contents to
6782 disk with doing a sync to disk. Under UNIX, a sync call forces
6783 the process to be suspended until the kernel has ensured that
6784 all outstanding data in kernel disk buffers has been safely stored
6785 onto stable storage. This is very slow and should only be done
6786 rarely. Setting this parameter to no (the
6787 default) means that smbd ignores the Windows applications requests for
6788 a sync call. There is only a possibility of losing data if the
6789 operating system itself that Samba is running on crashes, so there is
6790 little danger in this default setting. In addition, this fixes many
6791 performance problems that people have reported with the new Windows98
6792 explorer shell file copies.
6794 See also the \fIsync
6795 always>\fR parameter.
6797 Default: \fBstrict sync = no\fR
6800 This parameter is now unused in Samba (2.2.5 and above).
6801 It used strip trailing dots off UNIX filenames but was not correctly implmented.
6802 In Samba 2.2.5 and above UNIX filenames ending in a dot are invalid Windows long
6803 filenames (as they are in Windows NT and above) and are mangled to 8.3 before
6804 being returned to a client.
6806 Default: \fBstrip dot = no\fR
6808 \fBsync always (S)\fR
6809 This is a boolean parameter that controls
6810 whether writes will always be written to stable storage before
6811 the write call returns. If this is no then the server will be
6812 guided by the client's request in each write call (clients can
6813 set a bit indicating that a particular write should be synchronous).
6814 If this is yes then every write will be followed by a \fBfsync()
6815 \fRcall to ensure the data is written to disk. Note that
6816 the \fIstrict sync\fR parameter must be set to
6817 yes in order for this parameter to have
6820 See also the \fIstrict
6823 Default: \fBsync always = no\fR
6826 This parameter maps how Samba debug messages
6827 are logged onto the system syslog logging levels. Samba debug
6828 level zero maps onto syslog LOG_ERR, debug
6829 level one maps onto LOG_WARNING, debug level
6830 two maps onto LOG_NOTICE, debug level three
6831 maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6833 This parameter sets the threshold for sending messages
6834 to syslog. Only messages with debug level less than this value
6835 will be sent to syslog.
6837 Default: \fBsyslog = 1\fR
6839 \fBsyslog only (G)\fR
6840 If this parameter is set then Samba debug
6841 messages are logged into the system syslog only, and not to
6842 the debug log files.
6844 Default: \fBsyslog only = no\fR
6846 \fBtemplate homedir (G)\fR
6847 When filling out the user information for a Windows NT
6848 user, the winbindd(8) daemon
6849 uses this parameter to fill in the home directory for that user.
6850 If the string \fI%D\fR is present it is substituted
6851 with the user's Windows NT domain name. If the string \fI%U
6852 \fRis present it is substituted with the user's Windows
6855 Default: \fBtemplate homedir = /home/%D/%U\fR
6857 \fBtemplate shell (G)\fR
6858 When filling out the user information for a Windows NT
6859 user, the winbindd(8) daemon
6860 uses this parameter to fill in the login shell for that user.
6862 Default: \fBtemplate shell = /bin/false\fR
6864 \fBtime offset (G)\fR
6865 This parameter is a setting in minutes to add
6866 to the normal GMT to local time conversion. This is useful if
6867 you are serving a lot of PCs that have incorrect daylight
6868 saving time handling.
6870 Default: \fBtime offset = 0\fR
6872 Example: \fBtime offset = 60\fR
6874 \fBtime server (G)\fR
6875 This parameter determines if
6876 nmbd(8) advertises itself as a time server to Windows
6879 Default: \fBtime server = no\fR
6881 \fBtimestamp logs (G)\fR
6882 Synonym for \fI debug timestamp\fR.
6884 \fBtotal print jobs (G)\fR
6885 This parameter accepts an integer value which defines
6886 a limit on the maximum number of print jobs that will be accepted
6887 system wide at any given time. If a print job is submitted
6888 by a client which will exceed this number, then smbd will return an
6889 error indicating that no space is available on the server. The
6890 default value of 0 means that no such limit exists. This parameter
6891 can be used to prevent a server from exceeding its capacity and is
6892 designed as a printing throttle. See also
6893 \fImax print jobs\fR.
6895 Default: \fBtotal print jobs = 0\fR
6897 Example: \fBtotal print jobs = 5000\fR
6899 \fBunix extensions(G)\fR
6900 This boolean parameter controls whether Samba
6901 implments the CIFS UNIX extensions, as defined by HP.
6902 These extensions enable Samba to better serve UNIX CIFS clients
6903 by supporting features such as symbolic links, hard links, etc...
6904 These extensions require a similarly enabled client, and are of
6905 no current use to Windows clients.
6907 Default: \fBunix extensions = no\fR
6909 \fBunix password sync (G)\fR
6910 This boolean parameter controls whether Samba
6911 attempts to synchronize the UNIX password with the SMB password
6912 when the encrypted SMB password in the smbpasswd file is changed.
6913 If this is set to yes the program specified in the \fIpasswd
6914 program\fRparameter is called \fBAS ROOT\fR -
6915 to allow the new UNIX password to be set without access to the
6916 old UNIX password (as the SMB password change code has no
6917 access to the old password cleartext, only the new).
6920 program\fR, \fI passwd chat\fR.
6922 Default: \fBunix password sync = no\fR
6924 \fBupdate encrypted (G)\fR
6925 This boolean parameter allows a user logging
6926 on with a plaintext password to have their encrypted (hashed)
6927 password in the smbpasswd file to be updated automatically as
6928 they log on. This option allows a site to migrate from plaintext
6929 password authentication (users authenticate with plaintext
6930 password over the wire, and are checked against a UNIX account
6931 database) to encrypted password authentication (the SMB
6932 challenge/response authentication mechanism) without forcing
6933 all users to re-enter their passwords via smbpasswd at the time the
6934 change is made. This is a convenience option to allow the change over
6935 to encrypted passwords to be made over a longer period. Once all users
6936 have encrypted representations of their passwords in the smbpasswd
6937 file this parameter should be set to no.
6939 In order for this parameter to work correctly the \fIencrypt passwords\fR
6940 parameter must be set to no when
6941 this parameter is set to yes.
6943 Note that even when this parameter is set a user
6944 authenticating to \fBsmbd\fR must still enter a valid
6945 password in order to connect correctly, and to update their hashed
6946 (smbpasswd) passwords.
6948 Default: \fBupdate encrypted = no\fR
6950 \fBuse client driver (S)\fR
6951 This parameter applies only to Windows NT/2000
6952 clients. It has no affect on Windows 95/98/ME clients. When
6953 serving a printer to Windows NT/2000 clients without first installing
6954 a valid printer driver on the Samba host, the client will be required
6955 to install a local printer driver. From this point on, the client
6956 will treat the print as a local printer and not a network printer
6957 connection. This is much the same behavior that will occur
6958 when \fBdisable spoolss = yes\fR.
6961 factor is that under normal circumstances, the NT/2000 client will
6962 attempt to open the network printer using MS-RPC. The problem is that
6963 because the client considers the printer to be local, it will attempt
6964 to issue the OpenPrinterEx() call requesting access rights associated
6965 with the logged on user. If the user possesses local administator rights
6966 but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
6967 call will fail. The result is that the client will now display an "Access
6968 Denied; Unable to connect" message in the printer queue window (even though
6969 jobs may successfully be printed).
6971 If this parameter is enabled for a printer, then any attempt
6972 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
6973 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
6974 call to succeed. \fBThis parameter MUST not be able enabled
6975 on a print share which has valid print driver installed on the Samba
6978 See also disable spoolss
6980 Default: \fBuse client driver = no\fR
6983 This global parameter determines if the tdb internals of Samba can
6984 depend on mmap working correctly on the running system. Samba requires a coherent
6985 mmap/read-write system memory cache. Currently only HPUX does not have such a
6986 coherent cache, and so this parameter is set to no by
6987 default on HPUX. On all other systems this parameter should be left alone. This
6988 parameter is provided to help the Samba developers track down problems with
6989 the tdb internal code.
6991 Default: \fBuse mmap = yes\fR
6993 \fBuse rhosts (G)\fR
6994 If this global parameter is yes, it specifies
6995 that the UNIX user's \fI.rhosts\fR file in their home directory
6996 will be read to find the names of hosts and users who will be allowed
6997 access without specifying a password.
6999 \fBNOTE:\fR The use of \fIuse rhosts
7000 \fRcan be a major security hole. This is because you are
7001 trusting the PC to supply the correct username. It is very easy to
7002 get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what
7005 Default: \fBuse rhosts = no\fR
7008 Synonym for \fI username\fR.
7011 Synonym for \fI username\fR.
7014 Multiple users may be specified in a comma-delimited
7015 list, in which case the supplied password will be tested against
7016 each username in turn (left to right).
7018 The \fIusername\fR line is needed only when
7019 the PC is unable to supply its own username. This is the case
7020 for the COREPLUS protocol or where your users have different WfWg
7021 usernames to UNIX usernames. In both these cases you may also be
7022 better using the \\\\server\\share%user syntax instead.
7024 The \fIusername\fR line is not a great
7025 solution in many cases as it means Samba will try to validate
7026 the supplied password against each of the usernames in the
7027 \fIusername\fR line in turn. This is slow and
7028 a bad idea for lots of users in case of duplicate passwords.
7029 You may get timeouts or security breaches using this parameter
7032 Samba relies on the underlying UNIX security. This
7033 parameter does not restrict who can login, it just offers hints
7034 to the Samba server as to what usernames might correspond to the
7035 supplied password. Users can login as whoever they please and
7036 they will be able to do no more damage than if they started a
7037 telnet session. The daemon runs as the user that they log in as,
7038 so they cannot do anything that user cannot do.
7040 To restrict a service to a particular set of users you
7041 can use the \fIvalid users
7044 If any of the usernames begin with a '@' then the name
7045 will be looked up first in the NIS netgroups list (if Samba
7046 is compiled with netgroup support), followed by a lookup in
7047 the UNIX groups database and will expand to a list of all users
7048 in the group of that name.
7050 If any of the usernames begin with a '+' then the name
7051 will be looked up only in the UNIX groups database and will
7052 expand to a list of all users in the group of that name.
7054 If any of the usernames begin with a '&'then the name
7055 will be looked up only in the NIS netgroups database (if Samba
7056 is compiled with netgroup support) and will expand to a list
7057 of all users in the netgroup group of that name.
7059 Note that searching though a groups database can take
7060 quite some time, and some clients may time out during the
7063 See the section NOTE ABOUT
7064 USERNAME/PASSWORD VALIDATION for more information on how
7065 this parameter determines access to the services.
7067 Default: \fBThe guest account if a guest service,
7068 else <empty string>.\fR
7070 Examples:\fBusername = fred, mary, jack, jane,
7073 \fBusername level (G)\fR
7074 This option helps Samba to try and 'guess' at
7075 the real UNIX username, as many DOS clients send an all-uppercase
7076 username. By default Samba tries all lowercase, followed by the
7077 username with the first letter capitalized, and fails if the
7078 username is not found on the UNIX machine.
7080 If this parameter is set to non-zero the behavior changes.
7081 This parameter is a number that specifies the number of uppercase
7082 combinations to try while trying to determine the UNIX user name. The
7083 higher the number the more combinations will be tried, but the slower
7084 the discovery of usernames will be. Use this parameter when you have
7085 strange usernames on your UNIX machine, such as AstrangeUser
7088 Default: \fBusername level = 0\fR
7090 Example: \fBusername level = 5\fR
7092 \fBusername map (G)\fR
7093 This option allows you to specify a file containing
7094 a mapping of usernames from the clients to the server. This can be
7095 used for several purposes. The most common is to map usernames
7096 that users use on DOS or Windows machines to those that the UNIX
7097 box uses. The other is to map multiple users to a single username
7098 so that they can more easily share files.
7100 The map file is parsed line by line. Each line should
7101 contain a single UNIX username on the left then a '=' followed
7102 by a list of usernames on the right. The list of usernames on the
7103 right may contain names of the form @group in which case they
7104 will match any UNIX username in that group. The special client
7105 name '*' is a wildcard and matches any name. Each line of the
7106 map file may be up to 1023 characters long.
7108 The file is processed on each line by taking the
7109 supplied username and comparing it with each username on the right
7110 hand side of the '=' signs. If the supplied name matches any of
7111 the names on the right hand side then it is replaced with the name
7112 on the left. Processing then continues with the next line.
7114 If any line begins with a '#' or a ';' then it is
7117 If any line begins with an '!' then the processing
7118 will stop after that line if a mapping was done by the line.
7119 Otherwise mapping continues with every line being processed.
7120 Using '!' is most useful when you have a wildcard mapping line
7123 For example to map from the name admin
7124 or administrator to the UNIX name root you would use:
7126 \fBroot = admin administrator\fR
7128 Or to map anyone in the UNIX group system
7129 to the UNIX name sys you would use:
7133 You can have as many mappings as you like in a username
7136 If your system supports the NIS NETGROUP option then
7137 the netgroup database is checked before the \fI/etc/group
7138 \fRdatabase for matching groups.
7140 You can map Windows usernames that have spaces in them
7141 by using double quotes around the name. For example:
7143 \fBtridge = "Andrew Tridgell"\fR
7145 would map the windows username "Andrew Tridgell" to the
7146 unix username "tridge".
7148 The following example would map mary and fred to the
7149 unix user sys, and map the rest to guest. Note the use of the
7150 \&'!' to tell Samba to stop processing if it gets a match on
7161 Note that the remapping is applied to all occurrences
7162 of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you
7163 will actually be connecting to \\\\server\\mary and will need to
7164 supply a password suitable for mary not
7165 fred. The only exception to this is the
7166 username passed to the \fI password server\fR (if you have one). The password
7167 server will receive whatever username the client supplies without
7170 Also note that no reverse mapping is done. The main effect
7171 this has is with printing. Users who have been mapped may have
7172 trouble deleting print jobs as PrintManager under WfWg will think
7173 they don't own the print job.
7175 Default: \fBno username map\fR
7177 Example: \fBusername map = /usr/local/samba/lib/users.map
7179 \fBuse sendfile (S)\fR
7180 If this parameter is yes, and Samba
7181 was built with the --with-sendfile-support option, and the underlying operating
7182 system supports sendfile system call, then some SMB read calls (mainly ReadAndX
7183 and ReadRaw) will use the more efficient sendfile system call for files that
7184 are exclusively oplocked. This may make more efficient use of the system CPU's
7185 and cause Samba to be faster. This is off by default as it's effects are unknown
7188 Default: \fBuse sendfile = no\fR
7191 This boolean parameter is only available if
7192 Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to yes then Samba will attempt
7193 to add utmp or utmpx records (depending on the UNIX system) whenever a
7194 connection is made to a Samba server. Sites may use this to record the
7195 user connecting to a Samba share.
7197 See also the \fI utmp directory\fR parameter.
7199 Default: \fButmp = no\fR
7201 \fButmp directory(G)\fR
7202 This parameter is only available if Samba has
7203 been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is
7204 used to store the utmp or utmpx files (depending on the UNIX system) that
7205 record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is
7206 not set, meaning the system will use whatever utmp file the
7207 native system is set to use (usually
7208 \fI/var/run/utmp\fR on Linux).
7210 Default: \fBno utmp directory\fR
7212 \fBvalid chars (G)\fR
7213 The option allows you to specify additional
7214 characters that should be considered valid by the server in
7215 filenames. This is particularly useful for national character
7216 sets, such as adding u-umlaut or a-ring.
7218 The option takes a list of characters in either integer
7219 or character form with spaces between them. If you give two
7220 characters with a colon between them then it will be taken as
7221 an lowercase:uppercase pair.
7223 If you have an editor capable of entering the characters
7224 into the config file then it is probably easiest to use this
7225 method. Otherwise you can specify the characters in octal,
7226 decimal or hexadecimal form using the usual C notation.
7228 For example to add the single character 'Z' to the charset
7229 (which is a pointless thing to do as it's already there) you could
7230 do one of the following
7236 valid chars = 0132:0172
7241 The last two examples above actually add two characters,
7242 and alter the uppercase and lowercase mappings appropriately.
7244 Note that you \fBMUST\fR specify this parameter
7245 after the \fIclient code page\fR parameter if you
7246 have both set. If \fIclient code page\fR is set after
7247 the \fIvalid chars\fR parameter the \fIvalid
7248 chars\fR settings will be overwritten.
7250 See also the \fIclient
7251 code page\fR parameter.
7253 Default: \fBSamba defaults to using a reasonable set
7254 of valid characters for English systems\fR
7256 Example: \fBvalid chars = 0345:0305 0366:0326 0344:0304
7258 The above example allows filenames to have the Swedish
7261 \fBNOTE:\fR It is actually quite difficult to
7262 correctly produce a \fIvalid chars\fR line for
7263 a particular system. To automate the process tino@augsburg.net <URL:mailto:tino@augsburg.net> has written
7264 a package called \fBvalidchars\fR which will automatically
7265 produce a complete \fIvalid chars\fR line for
7266 a given client system. Look in the \fIexamples/validchars/
7267 \fRsubdirectory of your Samba source code distribution
7270 \fBvalid users (S)\fR
7271 This is a list of users that should be allowed
7272 to login to this service. Names starting with '@', '+' and '&'
7273 are interpreted using the same rules as described in the
7274 \fIinvalid users\fR parameter.
7276 If this is empty (the default) then any user can login.
7277 If a username is in both this list and the \fIinvalid
7278 users\fR list then access is denied for that user.
7280 The current servicename is substituted for \fI%S
7281 \fR\&. This is useful in the [homes] section.
7283 See also \fIinvalid users
7285 Default: \fBNo valid users list (anyone can login)
7287 Example: \fBvalid users = greg, @pcusers\fR
7290 This is a list of files and directories that
7291 are neither visible nor accessible. Each entry in the list must
7292 be separated by a '/', which allows spaces to be included
7293 in the entry. '*' and '?' can be used to specify multiple files
7294 or directories as in DOS wildcards.
7296 Each entry must be a unix path, not a DOS path and
7297 must \fBnot\fR include the unix directory
7300 Note that the \fIcase sensitive\fR option
7301 is applicable in vetoing files.
7303 One feature of the veto files parameter that it
7304 is important to be aware of is Samba's behaviour when
7305 trying to delete a directory. If a directory that is
7306 to be deleted contains nothing but veto files this
7307 deletion will \fBfail\fR unless you also set
7308 the \fIdelete veto files\fR parameter to
7311 Setting this parameter will affect the performance
7312 of Samba, as it will be forced to check all files and directories
7313 for a match as they are scanned.
7315 See also \fIhide files
7316 \fRand \fI case sensitive\fR.
7318 Default: \fBNo files or directories are vetoed.
7323 ; Veto any files containing the word Security,
7324 ; any ending in .tmp, and any directory containing the
7326 veto files = /*Security*/*.tmp/*root*/
7328 ; Veto the Apple specific files that a NetAtalk server
7330 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
7334 \fBveto oplock files (S)\fR
7335 This parameter is only valid when the \fIoplocks\fR
7336 parameter is turned on for a share. It allows the Samba administrator
7337 to selectively turn off the granting of oplocks on selected files that
7338 match a wildcarded list, similar to the wildcarded list used in the
7342 Default: \fBNo files are vetoed for oplock
7345 You might want to do this on files that you know will
7346 be heavily contended for by clients. A good example of this
7347 is in the NetBench SMB benchmark program, which causes heavy
7348 client contention for files ending in \fI.SEM\fR.
7349 To cause Samba not to grant oplocks on these files you would use
7350 the line (either in the [global] section or in the section for
7351 the particular NetBench share :
7353 Example: \fBveto oplock files = /*.SEM/
7355 \fBvfs object (S)\fR
7356 This parameter specifies a shared object file that
7357 is used for Samba VFS I/O operations. By default, normal
7358 disk I/O operations are used but these can be overloaded
7359 with a VFS object. The Samba VFS layer is new to Samba 2.2 and
7360 must be enabled at compile time with --with-vfs.
7362 Default : \fBno value\fR
7364 \fBvfs options (S)\fR
7365 This parameter allows parameters to be passed
7366 to the vfs layer at initialization time. The Samba VFS layer
7367 is new to Samba 2.2 and must be enabled at compile time
7368 with --with-vfs. See also \fI vfs object\fR.
7370 Default : \fBno value\fR
7373 This allows you to override the volume label
7374 returned for a share. Useful for CDROMs with installation programs
7375 that insist on a particular volume label.
7377 Default: \fBthe name of the share\fR
7379 \fBwide links (S)\fR
7380 This parameter controls whether or not links
7381 in the UNIX file system may be followed by the server. Links
7382 that point to areas within the directory tree exported by the
7383 server are always allowed; this parameter controls access only
7384 to areas that are outside the directory tree being exported.
7386 Note that setting this parameter can have a negative
7387 effect on your server performance due to the extra system calls
7388 that Samba has to do in order to perform the link checks.
7390 Default: \fBwide links = yes\fR
7392 \fBwinbind cache time (G)\fR
7393 This parameter specifies the number of seconds the
7394 winbindd(8) daemon will cache
7395 user and group information before querying a Windows NT server
7398 Default: \fBwinbind cache type = 15\fR
7400 \fBwinbind enum users (G)\fR
7401 On large installations using
7402 winbindd(8) it may be
7403 necessary to suppress the enumeration of users through the
7405 \fBgetpwent()\fR and
7406 \fBendpwent()\fR group of system calls. If
7407 the \fIwinbind enum users\fR parameter is
7408 no, calls to the \fBgetpwent\fR system call
7409 will not return any data.
7411 \fBWarning:\fR Turning off user
7412 enumeration may cause some programs to behave oddly. For
7413 example, the finger program relies on having access to the
7414 full user list when searching for matching
7417 Default: \fBwinbind enum users = yes \fR
7419 \fBwinbind enum groups (G)\fR
7420 On large installations using
7421 winbindd(8) it may be
7422 necessary to suppress the enumeration of groups through the
7424 \fBgetgrent()\fR and
7425 \fBendgrent()\fR group of system calls. If
7426 the \fIwinbind enum groups\fR parameter is
7427 no, calls to the \fBgetgrent()\fR system
7428 call will not return any data.
7430 \fBWarning:\fR Turning off group
7431 enumeration may cause some programs to behave oddly.
7433 Default: \fBwinbind enum groups = yes \fR
7435 \fBwinbind gid (G)\fR
7436 The winbind gid parameter specifies the range of group
7437 ids that are allocated by the winbindd(8) daemon. This range of group ids should have no
7438 existing local or NIS groups within it as strange conflicts can
7441 Default: \fBwinbind gid = <empty string>
7443 Example: \fBwinbind gid = 10000-20000\fR
7445 \fBwinbind separator (G)\fR
7446 This parameter allows an admin to define the character
7447 used when listing a username of the form of \fIDOMAIN
7448 \fR\\\fIuser\fR. This parameter
7449 is only applicable when using the \fIpam_winbind.so\fR
7450 and \fInss_winbind.so\fR modules for UNIX services.
7452 Please note that setting this parameter to + causes problems
7453 with group membership at least on glibc systems, as the character +
7454 is used as a special character for NIS in /etc/group.
7456 Default: \fBwinbind separator = '\\'\fR
7458 Example: \fBwinbind separator = +\fR
7460 \fBwinbind uid (G)\fR
7461 The winbind gid parameter specifies the range of group
7462 ids that are allocated by the winbindd(8) daemon. This range of ids should have no
7463 existing local or NIS users within it as strange conflicts can
7466 Default: \fBwinbind uid = <empty string>
7468 Example: \fBwinbind uid = 10000-20000\fR
7470 \fBwinbind use default domain\fR
7472 \fBwinbind use default domain\fR
7473 This parameter specifies whether the winbindd(8)
7474 daemon should operate on users without domain component in their username.
7475 Users without a domain component are treated as is part of the winbindd server's
7476 own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
7477 function in a way much closer to the way they would in a native unix system.
7479 Default: \fBwinbind use default domain = <no>
7481 Example: \fBwinbind use default domain = yes\fR
7484 When Samba is running as a WINS server this
7485 allows you to call an external program for all changes to the
7486 WINS database. The primary use for this option is to allow the
7487 dynamic update of external name resolution databases such as
7490 The wins hook parameter specifies the name of a script
7491 or executable that will be called as follows:
7493 \fBwins_hook operation name nametype ttl IP_list
7497 The first argument is the operation and is one
7498 of "add", "delete", or "refresh". In most cases the operation can
7499 be ignored as the rest of the parameters provide sufficient
7500 information. Note that "refresh" may sometimes be called when the
7501 name has not previously been added, in that case it should be treated
7505 The second argument is the NetBIOS name. If the
7506 name is not a legal name then the wins hook is not called.
7507 Legal names contain only letters, digits, hyphens, underscores
7511 The third argument is the NetBIOS name
7512 type as a 2 digit hexadecimal number.
7515 The fourth argument is the TTL (time to live)
7516 for the name in seconds.
7519 The fifth and subsequent arguments are the IP
7520 addresses currently registered for that name. If this list is
7521 empty then the name should be deleted.
7524 An example script that calls the BIND dynamic DNS update
7525 program \fBnsupdate\fR is provided in the examples
7526 directory of the Samba source code.
7529 \fBwins proxy (G)\fR
7530 This is a boolean that controls if nmbd(8) will respond to broadcast name
7531 queries on behalf of other hosts. You may need to set this
7532 to yes for some older clients.
7534 Default: \fBwins proxy = no\fR
7536 \fBwins server (G)\fR
7537 This specifies the IP address (or DNS name: IP
7538 address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on
7539 your network then you should set this to the WINS server's IP.
7541 You should point this at your WINS server if you have a
7542 multi-subnetted network.
7544 \fBNOTE\fR. You need to set up Samba to point
7545 to a WINS server if you have multiple subnets and wish cross-subnet
7546 browsing to work correctly.
7548 See the documentation file \fIBROWSING.txt\fR
7549 in the docs/ directory of your Samba source distribution.
7551 Default: \fBnot enabled\fR
7553 Example: \fBwins server = 192.9.200.1\fR
7555 \fBwins support (G)\fR
7556 This boolean controls if the
7557 nmbd(8) process in Samba will act as a WINS server. You should
7558 not set this to yes unless you have a multi-subnetted network and
7559 you wish a particular \fBnmbd\fR to be your WINS server.
7560 Note that you should \fBNEVER\fR set this to yes
7561 on more than one machine in your network.
7563 Default: \fBwins support = no\fR
7566 This controls what workgroup your server will
7567 appear to be in when queried by clients. Note that this parameter
7568 also controls the Domain name used with the \fBsecurity = domain\fR
7571 Default: \fBset at compile time to WORKGROUP\fR
7573 Example: \fBworkgroup = MYGROUP\fR
7576 Synonym for \fI writeable\fR for people who can't spell :-).
7578 \fBwrite cache size (S)\fR
7579 If this integer parameter is set to non-zero value,
7580 Samba will create an in-memory cache for each oplocked file
7581 (it does \fBnot\fR do this for
7582 non-oplocked files). All writes that the client does not request
7583 to be flushed directly to disk will be stored in this cache if possible.
7584 The cache is flushed onto disk when a write comes in whose offset
7585 would not fit into the cache or when the file is closed by the client.
7586 Reads for the file are also served from this cache if the data is stored
7589 This cache allows Samba to batch client writes into a more
7590 efficient write size for RAID disks (i.e. writes may be tuned to
7591 be the RAID stripe size) and can improve performance on systems
7592 where the disk subsystem is a bottleneck but there is free
7593 memory for userspace programs.
7595 The integer parameter specifies the size of this cache
7596 (per oplocked file) in bytes.
7598 Default: \fBwrite cache size = 0\fR
7600 Example: \fBwrite cache size = 262144\fR
7602 for a 256k cache size per file.
7604 \fBwrite list (S)\fR
7605 This is a list of users that are given read-write
7606 access to a service. If the connecting user is in this list then
7607 they will be given write access, no matter what the \fIread only\fR
7608 option is set to. The list can include group names using the
7611 Note that if a user is in both the read list and the
7612 write list then they will be given write access.
7614 See also the \fIread list
7617 Default: \fBwrite list = <empty string>
7619 Example: \fBwrite list = admin, root, @staff
7622 Inverted synonym for \fI read only\fR.
7625 This parameter controls whether or not the server
7626 will support raw write SMB's when transferring data from clients.
7627 You should never need to change this parameter.
7629 Default: \fBwrite raw = yes\fR
7632 Inverted synonym for \fI read only\fR.
7635 Although the configuration file permits service names
7636 to contain spaces, your client software may not. Spaces will
7637 be ignored in comparisons anyway, so it shouldn't be a
7638 problem - but be aware of the possibility.
7640 On a similar note, many clients - especially DOS clients -
7641 limit service names to eight characters. smbd(8)
7642 has no such limitation, but attempts to connect from such
7643 clients will fail if they truncate the service names. For this reason
7644 you should probably keep your service names down to eight characters
7647 Use of the [homes] and [printers] special sections make life
7648 for an administrator easy, but the various combinations of default
7649 attributes can be tricky. Take extreme care when designing these
7650 sections. In particular, ensure that the permissions on spool
7651 directories are correct.
7654 This man page is correct for version 2.2 of
7669 The original Samba software and related utilities
7670 were created by Andrew Tridgell. Samba is now developed
7671 by the Samba Team as an Open Source project similar
7672 to the way the Linux kernel is developed.
7674 The original Samba man pages were written by Karl Auer.
7675 The man page sources were converted to YODL format (another
7676 excellent piece of Open Source software, available at
7677 ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
7678 release by Jeremy Allison. The conversion to DocBook for
7679 Samba 2.2 was done by Gerald Carter